├── 1999
│   └── README.md
├── 2000
│   └── README.md
├── 2001
│   └── README.md
├── 2002
│   └── README.md
├── 2003
│   └── README.md
├── 2004
│   └── README.md
├── 2005
│   └── README.md
├── 2006
│   └── README.md
├── 2007
│   └── README.md
├── 2008
│   └── README.md
├── 2009
│   └── README.md
├── 2010
│   └── README.md
├── 2011
│   └── README.md
├── 2012
│   └── README.md
├── 2013
│   └── README.md
├── 2014
│   └── README.md
├── 2015
│   └── README.md
├── 2016
│   └── README.md
├── 2017
│   └── README.md
├── 2018
│   └── README.md
├── 2019
│   └── README.md
├── 2020
│   └── README.md
├── 2021
│   └── README.md
├── 2022
│   └── README.md
├── 2023
│   └── README.md
├── 2024
│   └── README.md
├── 2025
│   └── README.md
├── .gitignore
├── LICENSE
├── PocOrExp.md
├── README.md
├── README.zh-CN.md
├── TOKENS
├── Today.md
├── blacklist.txt
├── download.py
├── exp.py
├── exp_async.py
├── exp_async_v2.py
├── requirements.txt
├── today.py
└── token_rate.py

/.gitignore:
.DS_Store

/1999/README.md:
## CVE-1999-1053
guestbook.pl cleanses user-inserted SSI commands by removing text between "!--" and "--" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "--".

- [https://github.com/siunam321/CVE-1999-1053-PoC](https://github.com/siunam321/CVE-1999-1053-PoC)

## CVE-1999-0532
A DNS server allows zone transfers.
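The check behind the two scanners listed for this CVE, as an added example (not code from this repository or from either linked project): build an AXFR query over TCP, send it, and classify the answer from its header alone. The zone name, transaction ID and the two sample replies are constructed for the demonstration.

```python
"""Added example: the DNS zone-transfer (AXFR) check behind CVE-1999-0532 scanners.
Not code from this repository or the linked projects; sample replies are constructed."""
import socket
import struct

QTYPE_AXFR = 252      # RFC 1035: request a full zone transfer
QCLASS_IN = 1
RCODE_REFUSED = 5     # what a correctly restricted server answers


def _frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Header: id, flags=0 (standard query, RD clear), QDCOUNT=1; then one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = _encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return _frame(header + question)


def classify_axfr_reply(reply: bytes, txid: int = 0x1234) -> str:
    """Inspect only the first message header: 'allowed', 'refused' or 'other'.
    A server that permits the transfer answers NOERROR with the zone's SOA as the first
    answer RR; a restricted one answers REFUSED (or simply closes the connection)."""
    if len(reply) < 14:
        return "other"
    (length,) = struct.unpack("!H", reply[:2])
    msg = reply[2:2 + length]
    if len(msg) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:     # wrong id, or QR bit clear: not our answer
        return "other"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"
    if rcode == 0 and ancount > 0:
        return "allowed"
    return "other"


def check_zone_transfer(nameserver: str, zone: str, timeout: float = 5.0) -> str:
    """Live check (only against servers you are authorised to test): TCP/53, one query."""
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        reply = s.recv(65535)      # the header is in the first segment; the zone may be larger
    return classify_axfr_reply(reply)


# Constructed sample replies for "example.com" (not captured from a real server).
_QUESTION = _encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
REFUSED_REPLY = _frame(struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION)
_SOA_RDATA = (b"\x03ns1\xc0\x0c" + b"\x05admin\xc0\x0c"          # MNAME, RNAME (compressed)
              + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
_SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", 6, QCLASS_IN, 3600, len(_SOA_RDATA)) + _SOA_RDATA
ALLOWED_REPLY = _frame(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION + _SOA_RR)
```

On BIND the fix is `allow-transfer { none; };` (or the secondaries' addresses) in named.conf; after that the same query from an unauthorised host comes back REFUSED. Do not trust a single `recv` to hold the whole zone: the classification above needs only the first header, which is why it reads nothing further.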

- [https://github.com/websecnl/Bulk_CVE-1999-0532_Scanner](https://github.com/websecnl/Bulk_CVE-1999-0532_Scanner)
- [https://github.com/Rodney-O-C-Melby/dns-zone-transfer-test](https://github.com/Rodney-O-C-Melby/dns-zone-transfer-test)

## CVE-1999-0524
ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

- [https://github.com/noraj/ChronoLeak](https://github.com/noraj/ChronoLeak)
- [https://github.com/threatlabindonesia/CVE-1999-0524-ICMP-Timestamp-and-Address-Mask-Request-Exploit](https://github.com/threatlabindonesia/CVE-1999-0524-ICMP-Timestamp-and-Address-Mask-Request-Exploit)
- [https://github.com/Ransc0rp1on/ICMP-Timestamp-POC](https://github.com/Ransc0rp1on/ICMP-Timestamp-POC)

## CVE-1999-0016
Land IP denial of service.

- [https://github.com/pexmee/CVE-1999-0016-Land-DOS-tool](https://github.com/pexmee/CVE-1999-0016-Land-DOS-tool)
- [https://github.com/Pommaq/CVE-1999-0016-POC](https://github.com/Pommaq/CVE-1999-0016-POC)

## CVE-1999-0001
ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.

- [https://github.com/MarcusGutierrez/complex-vulnerabilities](https://github.com/MarcusGutierrez/complex-vulnerabilities)

/2000/README.md:
## CVE-2000-0979
File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.
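Why a 1-byte password is enough, as an added example (not code from this repository or the linked project): a comparison that checks only as many bytes as the client sent accepts any correct prefix, so each character of the real password can be found on its own. The password and the 8-character limit below are assumptions made for the demonstration.

```python
"""Added example: prefix-length password comparison (the CVE-2000-0979 flaw) beside a
fixed comparison, and the byte-at-a-time recovery the flaw enables. Not from this
repository; the password and length limit are assumed for the demo."""
import hmac


def vulnerable_share_check(stored: bytes, supplied: bytes) -> bool:
    """Models the Win9x bug: only len(supplied) bytes are compared, so the client decides
    how much of the stored password has to match. A 1-byte guess succeeds 1 time in 256."""
    n = len(supplied)
    return 0 < n <= len(stored) and stored[:n] == supplied


def fixed_share_check(stored: bytes, supplied: bytes) -> bool:
    """Compare the full value in constant time; a length mismatch is a failure."""
    return hmac.compare_digest(stored, supplied)


def recover_password(oracle, max_len: int = 8):
    """Extend a known prefix one byte at a time through an accept/reject oracle.
    Against the vulnerable check this costs at most 256 * max_len attempts instead of
    256 ** max_len; against the fixed check no single-byte guess is ever accepted.
    (8 is the share-level password length limit assumed for this demo.)
    Returns (recovered_bytes, attempts)."""
    found, attempts = b"", 0
    for _ in range(max_len):
        for c in range(256):
            attempts += 1
            if oracle(found + bytes([c])):
                found += bytes([c])
                break
        else:
            break        # no one-byte extension accepted: the full password is known
    return found, attempts


if __name__ == "__main__":
    secret = b"Tr0ub4d"   # constructed share password
    print(recover_password(lambda g: vulnerable_share_check(secret, g)))  # recovered in < 2048 tries
    print(recover_password(lambda g: fixed_share_check(secret, g)))       # (b'', 256): nothing leaks
```

The same prefix-oracle pattern shows up whenever a length supplied by the peer is used as the comparison length; the fix is always the same: compare the full stored value against the full supplied value, in constant time, and treat a length mismatch as a failure.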

- [https://github.com/Z6543/CVE-2000-0979](https://github.com/Z6543/CVE-2000-0979)

## CVE-2000-0649
IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.

- [https://github.com/rafaelh/CVE-2000-0649](https://github.com/rafaelh/CVE-2000-0649)
- [https://github.com/stevenvegar/cve-2000-0649](https://github.com/stevenvegar/cve-2000-0649)
- [https://github.com/Downgraderz/PoC-CVE-2000-0649](https://github.com/Downgraderz/PoC-CVE-2000-0649)

## CVE-2000-0170
Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable.

- [https://github.com/mike182/exploit](https://github.com/mike182/exploit)

## CVE-2000-0114
Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

- [https://github.com/Cappricio-Securities/CVE-2000-0114](https://github.com/Cappricio-Securities/CVE-2000-0114)
- [https://github.com/adhamelhansye/CVE-2000-0114](https://github.com/adhamelhansye/CVE-2000-0114)
- [https://github.com/Josekutty-K/frontpage-server-extensions-vulnerability-scanner](https://github.com/Josekutty-K/frontpage-server-extensions-vulnerability-scanner)

/2001/README.md:
## CVE-2001-1473
The SSH-1 protocol allows remote servers to conduct man-in-the-middle attacks and replay a client challenge response to a target server by creating a Session ID that matches the Session ID of the target, but which uses a public key pair that is weaker than the target's public key, which allows the attacker to compute the corresponding private key and use the target's Session ID with the compromised key pair to masquerade as the target.

- [https://github.com/s1mpl3c0d3/cvepoc](https://github.com/s1mpl3c0d3/cvepoc)

## CVE-2001-1442
Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 allows local users in the "news" group to gain privileges via a long -c command line argument.

- [https://github.com/alt3kx/CVE-2001-1442](https://github.com/alt3kx/CVE-2001-1442)

## CVE-2001-0934
Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname.

- [https://github.com/alt3kx/CVE-2001-0934](https://github.com/alt3kx/CVE-2001-0934)

## CVE-2001-0933
Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:".

- [https://github.com/alt3kx/CVE-2001-0933](https://github.com/alt3kx/CVE-2001-0933)

## CVE-2001-0932
Buffer overflow in Cooolsoft PowerFTP Server 2.03 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long command.

- [https://github.com/alt3kx/CVE-2001-0932](https://github.com/alt3kx/CVE-2001-0932)

## CVE-2001-0931
Directory traversal vulnerability in Cooolsoft PowerFTP Server 2.03 allows attackers to list or read arbitrary files and directories via a .. (dot dot) in (1) LS or (2) GET.

- [https://github.com/alt3kx/CVE-2001-0931](https://github.com/alt3kx/CVE-2001-0931)

## CVE-2001-0758
Directory traversal vulnerability in Shambala 4.5 allows remote attackers to escape the FTP root directory via "CWD ..." command.

- [https://github.com/alt3kx/CVE-2001-0758](https://github.com/alt3kx/CVE-2001-0758)

## CVE-2001-0680
Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command.

- [https://github.com/alt3kx/CVE-2001-0680](https://github.com/alt3kx/CVE-2001-0680)

## CVE-2001-0550
wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).

- [https://github.com/gilberto47831/Network-Filesystem-Forensics](https://github.com/gilberto47831/Network-Filesystem-Forensics)

/2002/README.md:
## CVE-2002-20001
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

- [https://github.com/c0r0n3r/dheater](https://github.com/c0r0n3r/dheater)

## CVE-2002-2420
site_searcher.cgi in Super Site Searcher allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter.

- [https://github.com/krdsploit/CVE-2002-2420](https://github.com/krdsploit/CVE-2002-2420)

## CVE-2002-2154
Directory traversal vulnerability in Monkey HTTP Daemon 0.1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences.

- [https://github.com/Hirainsingadia/CVE-2002-2154](https://github.com/Hirainsingadia/CVE-2002-2154)

## CVE-2002-1614
Buffer overflow in HP Tru64 UNIX allows local users to execute arbitrary code via a long argument to /usr/bin/at.

- [https://github.com/wlensinas/CVE-2002-1614](https://github.com/wlensinas/CVE-2002-1614)

## CVE-2002-0991
Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allows local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.

- [https://github.com/alt3kx/CVE-2002-0991](https://github.com/alt3kx/CVE-2002-0991)

## CVE-2002-0748
LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that ends in two newline characters, instead of the expected carriage return/newline combinations.

- [https://github.com/fauzanwijaya/CVE-2002-0748](https://github.com/fauzanwijaya/CVE-2002-0748)

## CVE-2002-0740
Buffer overflow in slrnpull for the SLRN package, when installed setuid or setgid, allows local users to gain privileges via a long -d (SPOOLDIR) argument.

- [https://github.com/alt3kx/CVE-2002-0740](https://github.com/alt3kx/CVE-2002-0740)

## CVE-2002-0448
Xerver Free Web Server 2.10 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request that contains many "C:/" sequences.

- [https://github.com/alt3kx/CVE-2002-0448](https://github.com/alt3kx/CVE-2002-0448)

## CVE-2002-0348
service.cgi in Cobalt RAQ 4 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long service argument.

- [https://github.com/alt3kx/CVE-2002-0348](https://github.com/alt3kx/CVE-2002-0348)

## CVE-2002-0347
Directory traversal vulnerability in Cobalt RAQ 4 allows remote attackers to read password-protected files, and possibly files outside the web root, via a .. (dot dot) in an HTTP request.

- [https://github.com/alt3kx/CVE-2002-0347](https://github.com/alt3kx/CVE-2002-0347)

## CVE-2002-0346
Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via Javascript in a URL to (1) service.cgi or (2) alert.cgi.

- [https://github.com/alt3kx/CVE-2002-0346](https://github.com/alt3kx/CVE-2002-0346)

## CVE-2002-0289
Buffer overflow in Phusion web server 1.0 allows remote attackers to cause a denial of service and execute arbitrary code via a long HTTP request.

- [https://github.com/alt3kx/CVE-2002-0289](https://github.com/alt3kx/CVE-2002-0289)

## CVE-2002-0288
Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.

- [https://github.com/alt3kx/CVE-2002-0288](https://github.com/alt3kx/CVE-2002-0288)

## CVE-2002-0201
Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.

- [https://github.com/alt3kx/CVE-2002-0201](https://github.com/alt3kx/CVE-2002-0201)

## CVE-2002-0200
Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
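A request-path guard for this class of bug on Windows-hosted servers, as an added example that is not code from this repository or the linked project: decode the path first, then refuse any component the Win32 layer would treat as a device rather than a file. The sample paths are constructed.

```python
"""Added example: reject MS-DOS device names in request paths (the CVE-2002-0200 class).
Not from this repository or the linked project; the sample paths are constructed."""
import re
from urllib.parse import unquote

# Win32 reserved device names. A path component whose base name (the part before the
# first '.', ignoring trailing spaces and dots) matches one of these opens the device,
# so "CON.txt", "nul.", "aux.tar.gz" and "LPT1 " all reach the device, not a file.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_segment(segment: str) -> bool:
    base = segment.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in _RESERVED


def request_path_is_safe(raw_path: str) -> bool:
    """Decode percent-encoding *before* checking (otherwise "%43ON" slips through), split
    on either separator, and refuse if any component names a device. A second decode
    catches double-encoded input; this is deliberately conservative for a reject-list."""
    decoded = unquote(raw_path)
    if "%" in decoded:
        decoded = unquote(decoded)
    components = [p for p in re.split(r"[\\/]+", decoded) if p]
    return not any(is_reserved_segment(p) for p in components)


def filter_requests(paths):
    """Return only the paths that would be passed on to the filesystem."""
    return [p for p in paths if request_path_is_safe(p)]


SAMPLE_PATHS = [                          # constructed, not taken from a real log
    "/index.html", "/images/con.jpg", "/aux", "/docs/console.txt",
    "/%6Eul", "/LPT1%20", "/com10.txt", "/%2543ON", "/cgi-bin/prn.cgi",
]

if __name__ == "__main__":
    print(filter_requests(SAMPLE_PATHS))   # ['/index.html', '/docs/console.txt', '/com10.txt']
```

The ordering matters as much as the list: the check runs on the fully decoded path, and it runs before the server ever calls into the filesystem, because it is the open() on the device name, not the request parsing, that hangs or crashes the process.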

- [https://github.com/alt3kx/CVE-2002-0200](https://github.com/alt3kx/CVE-2002-0200)

## CVE-2002-0082
The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

- [https://github.com/ratiros01/CVE-2002-0082](https://github.com/ratiros01/CVE-2002-0082)

/2003/README.md:
## CVE-2003-0358
Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.

- [https://github.com/gmh5225/CVE-2003-0358](https://github.com/gmh5225/CVE-2003-0358)
- [https://github.com/fengjixuchui/CVE-2003-0358](https://github.com/fengjixuchui/CVE-2003-0358)

## CVE-2003-0282
Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

- [https://github.com/angus-cx/cve-2003-0282](https://github.com/angus-cx/cve-2003-0282)

## CVE-2003-0264
Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.

- [https://github.com/adenkiewicz/CVE-2003-0264](https://github.com/adenkiewicz/CVE-2003-0264)
- [https://github.com/nobodyatall648/CVE-2003-0264](https://github.com/nobodyatall648/CVE-2003-0264)
- [https://github.com/fyoderxx/slmail-exploit](https://github.com/fyoderxx/slmail-exploit)
- [https://github.com/war4uthor/CVE-2003-0264](https://github.com/war4uthor/CVE-2003-0264)
- [https://github.com/vrikodar/CVE-2003-0264_EXPLOIT](https://github.com/vrikodar/CVE-2003-0264_EXPLOIT)
- [https://github.com/pwncone/CVE-2003-0264-SLmail-5.5](https://github.com/pwncone/CVE-2003-0264-SLmail-5.5)
- [https://github.com/vaknin/SLMail5.5](https://github.com/vaknin/SLMail5.5)

## CVE-2003-0222
Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter.

- [https://github.com/phamthanhsang280477/CVE-2003-0222](https://github.com/phamthanhsang280477/CVE-2003-0222)

## CVE-2003-0201
Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

- [https://github.com/KernelPan1k/trans2open-CVE-2003-0201](https://github.com/KernelPan1k/trans2open-CVE-2003-0201)
- [https://github.com/Bakr-Ht/samba-trans2open-exploit-report](https://github.com/Bakr-Ht/samba-trans2open-exploit-report)

## CVE-2003-0172
Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

- [https://github.com/cyberdesu/Remote-Buffer-overflow-CVE-2003-0172](https://github.com/cyberdesu/Remote-Buffer-overflow-CVE-2003-0172)

## CVE-2003-0001
Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

- [https://github.com/marb08/etherleak-checker](https://github.com/marb08/etherleak-checker)

/2004/README.md:
## CVE-2004-2687
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.

- [https://github.com/k4miyo/CVE-2004-2687](https://github.com/k4miyo/CVE-2004-2687)
- [https://github.com/h3x0v3rl0rd/distccd_rce_CVE-2004-2687](https://github.com/h3x0v3rl0rd/distccd_rce_CVE-2004-2687)
- [https://github.com/angelpimentell/distcc_cve_2004-2687_exploit](https://github.com/angelpimentell/distcc_cve_2004-2687_exploit)
- [https://github.com/ss0wl/CVE-2004-2687_distcc_v1](https://github.com/ss0wl/CVE-2004-2687_distcc_v1)

## CVE-2004-2549
Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow.

- [https://github.com/alt3kx/CVE-2004-2549](https://github.com/alt3kx/CVE-2004-2549)

## CVE-2004-2449
Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier allows remote attackers to cause a denial of service (application crash) via a long, malformed UDP datagram.

- [https://github.com/ParallelVisions/DoSTool](https://github.com/ParallelVisions/DoSTool)

## CVE-2004-2271
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

- [https://github.com/kkirsche/CVE-2004-2271](https://github.com/kkirsche/CVE-2004-2271)
- [https://github.com/war4uthor/CVE-2004-2271](https://github.com/war4uthor/CVE-2004-2271)
- [https://github.com/pwncone/CVE-2004-2271-MiniShare-1.4.1-BOF](https://github.com/pwncone/CVE-2004-2271-MiniShare-1.4.1-BOF)
- [https://github.com/PercussiveElbow/CVE-2004-2271-MiniShare-1.4.1-Buffer-Overflow](https://github.com/PercussiveElbow/CVE-2004-2271-MiniShare-1.4.1-Buffer-Overflow)

## CVE-2004-2167
Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

- [https://github.com/uzzzval/cve-2004-2167](https://github.com/uzzzval/cve-2004-2167)

## CVE-2004-1769
The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

- [https://github.com/sinkaroid/shiguresh](https://github.com/sinkaroid/shiguresh)
- [https://github.com/Redsplit/shiguresh](https://github.com/Redsplit/shiguresh)

## CVE-2004-1561
Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

- [https://github.com/ivanitlearning/CVE-2004-1561](https://github.com/ivanitlearning/CVE-2004-1561)
- [https://github.com/thel1nus/CVE-2004-1561-Notes](https://github.com/thel1nus/CVE-2004-1561-Notes)
- [https://github.com/darrynb89/CVE-2004-1561](https://github.com/darrynb89/CVE-2004-1561)
- [https://github.com/ratiros01/CVE-2004-1561](https://github.com/ratiros01/CVE-2004-1561)
- [https://github.com/Danyw24/CVE-2004-1561-Icecast-Header-Overwrite-buffer-overflow-RCE-2.0.1-Win32-](https://github.com/Danyw24/CVE-2004-1561-Icecast-Header-Overwrite-buffer-overflow-RCE-2.0.1-Win32-)

## CVE-2004-1151
Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.

- [https://github.com/lulugelian/CVE_2004_1151](https://github.com/lulugelian/CVE_2004_1151)
- [https://github.com/lulugelian/CVE_TEST](https://github.com/lulugelian/CVE_TEST)

## CVE-2004-0789
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet.

- [https://github.com/HimmeL-Byte/CVE-2004-0789-DDOS](https://github.com/HimmeL-Byte/CVE-2004-0789-DDOS)

## CVE-2004-0558
The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.

- [https://github.com/fibonascii/CVE-2004-0558](https://github.com/fibonascii/CVE-2004-0558)

/2005/README.md:
## CVE-2005-3299
PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

- [https://github.com/RizeKishimaro/CVE-2005-3299](https://github.com/RizeKishimaro/CVE-2005-3299)
- [https://github.com/Cr0w-ui/-CVE-2005-3299-](https://github.com/Cr0w-ui/-CVE-2005-3299-)

## CVE-2005-2428
Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.

- [https://github.com/schwankner/CVE-2005-2428-IBM-Lotus-Domino-R8-Password-Hash-Extraction-Exploit](https://github.com/schwankner/CVE-2005-2428-IBM-Lotus-Domino-R8-Password-Hash-Extraction-Exploit)

## CVE-2005-1794
Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks.

- [https://github.com/InitRoot/CVE-2005-1794Scanner](https://github.com/InitRoot/CVE-2005-1794Scanner)

## CVE-2005-1125
Race condition in libsafe 2.0.16 and earlier, when running in multi-threaded applications, allows attackers to bypass libsafe protection and exploit other vulnerabilities before the _libsafe_die function call is completed.

- [https://github.com/tagatac/libsafe-CVE-2005-1125](https://github.com/tagatac/libsafe-CVE-2005-1125)

## CVE-2005-0603
viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message.

- [https://github.com/Parcer0/CVE-2005-0603-phpBB-2.0.12-Full-path-disclosure](https://github.com/Parcer0/CVE-2005-0603-phpBB-2.0.12-Full-path-disclosure)

## CVE-2005-0575
Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request.
40 | 41 | 42 | 43 | - [https://github.com/MayaOfVeil/CVE-2005-0575](https://github.com/MayaOfVeil/CVE-2005-0575) :   44 | 45 | ## CVE-2005-0452 46 | Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.NET (.Net) 1.0 and 1.1 to SP1 allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including "" and "". 47 | 48 | 49 | 50 | - [https://github.com/AndreyRusyaev/secreports](https://github.com/AndreyRusyaev/secreports) :   51 | -------------------------------------------------------------------------------- /2006/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2006-20001 2 | A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. 3 | 4 | This issue affects Apache HTTP Server 2.4.54 and earlier. 5 | 6 | 7 | 8 | - [https://github.com/r1az4r/CVE-2006-20001](https://github.com/r1az4r/CVE-2006-20001) :   9 | 10 | ## CVE-2006-6184 11 | Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command. 12 | 13 | 14 | 15 | - [https://github.com/shauntdergrigorian/cve-2006-6184](https://github.com/shauntdergrigorian/cve-2006-6184) :   16 | 17 | - [https://github.com/b03902043/CVE-2006-6184](https://github.com/b03902043/CVE-2006-6184) :   18 | 19 | ## CVE-2006-5051 20 | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. 
21 | 22 | 23 | 24 | - [https://github.com/bigb0x/CVE-2024-6387](https://github.com/bigb0x/CVE-2024-6387) :   25 | 26 | - [https://github.com/anhvutuan/CVE-2024-6387-poc-1](https://github.com/anhvutuan/CVE-2024-6387-poc-1) :   27 | 28 | - [https://github.com/sardine-web/CVE-2024-6387_Check](https://github.com/sardine-web/CVE-2024-6387_Check) :   29 | 30 | ## CVE-2006-4814 31 | The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. 32 | 33 | 34 | 35 | - [https://github.com/tagatac/linux-CVE-2006-4814](https://github.com/tagatac/linux-CVE-2006-4814) :   36 | 37 | ## CVE-2006-4777 38 | Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446. 39 | 40 | 41 | 42 | - [https://github.com/Mario1234/js-driveby-download-CVE-2006-4777](https://github.com/Mario1234/js-driveby-download-CVE-2006-4777) :   43 | 44 | ## CVE-2006-3747 45 | Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules. 
46 | 47 | 48 | 49 | - [https://github.com/defensahacker/CVE-2006-3747](https://github.com/defensahacker/CVE-2006-3747) :   50 | 51 | ## CVE-2006-3592 52 | Unspecified vulnerability in the command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to execute arbitrary commands with elevated privileges via unspecified vectors, involving "certain CLI commands," aka bug CSCse11005. 53 | 54 | 55 | 56 | - [https://github.com/adenkiewicz/CVE-2006-3592](https://github.com/adenkiewicz/CVE-2006-3592) :   57 | 58 | ## CVE-2006-3392 59 | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274. 60 | 61 | 62 | 63 | - [https://github.com/IvanGlinkin/CVE-2006-3392](https://github.com/IvanGlinkin/CVE-2006-3392) :   64 | 65 | - [https://github.com/oxagast/oxasploits](https://github.com/oxagast/oxasploits) :   66 | 67 | - [https://github.com/brosck/CVE-2006-3392](https://github.com/brosck/CVE-2006-3392) :   68 | 69 | - [https://github.com/g1vi/CVE-2006-3392](https://github.com/g1vi/CVE-2006-3392) :   70 | 71 | - [https://github.com/0xtz/CVE-2006-3392](https://github.com/0xtz/CVE-2006-3392) :   72 | 73 | - [https://github.com/Adel-kaka-dz/CVE-2006-3392](https://github.com/Adel-kaka-dz/CVE-2006-3392) :   74 | 75 | - [https://github.com/kernel-cyber/CVE-2006-3392](https://github.com/kernel-cyber/CVE-2006-3392) :   76 | 77 | - [https://github.com/gb21oc/ExploitWebmin](https://github.com/gb21oc/ExploitWebmin) :   78 | 79 | ## CVE-2006-2842 80 | PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP 
code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable 81 | 82 | 83 | 84 | - [https://github.com/karthi-the-hacker/CVE-2006-2842](https://github.com/karthi-the-hacker/CVE-2006-2842) :   85 | 86 | ## CVE-2006-1236 87 | Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010. 88 | 89 | 90 | 91 | - [https://github.com/Axua/CVE-2006-1236](https://github.com/Axua/CVE-2006-1236) :   92 | 93 | ## CVE-2006-0987 94 | The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses. 95 | 96 | 97 | 98 | - [https://github.com/pcastagnaro/dns_amplification_scanner](https://github.com/pcastagnaro/dns_amplification_scanner) :   99 | 100 | ## CVE-2006-0450 101 | phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database. 

- [https://github.com/Parcer0/CVE-2006-0450-phpBB-2.0.15-Multiple-DoS-Vulnerabilities](https://github.com/Parcer0/CVE-2006-0450-phpBB-2.0.15-Multiple-DoS-Vulnerabilities) :   

-------------------------------------------------------------------------------- /2007/README.md: --------------------------------------------------------------------------------

## CVE-2007-6750
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

- [https://github.com/Jeanpseven/slowl0ris](https://github.com/Jeanpseven/slowl0ris) :   

## CVE-2007-6638
March Networks DVR 3204 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames, passwords, device names, and IP addresses via a direct request for scripts/logfiles.tar.gz.

- [https://github.com/alt3kx/CVE-2007-6638](https://github.com/alt3kx/CVE-2007-6638) :   

## CVE-2007-6377
Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.

- [https://github.com/Nicoslo/Windows-exploitation-BadBlue-2.7-CVE-2007-6377](https://github.com/Nicoslo/Windows-exploitation-BadBlue-2.7-CVE-2007-6377) :   

## CVE-2007-5962
Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.

- [https://github.com/antogit-sys/CVE-2007-5962](https://github.com/antogit-sys/CVE-2007-5962) :   

## CVE-2007-5036
Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."

- [https://github.com/alt3kx/CVE-2007-5036](https://github.com/alt3kx/CVE-2007-5036) :   

## CVE-2007-4607
Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.

- [https://github.com/joeyrideout/CVE-2007-4607](https://github.com/joeyrideout/CVE-2007-4607) :   

## CVE-2007-4560
clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

- [https://github.com/0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution](https://github.com/0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution) :   

## CVE-2007-4559
Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
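
The traversal described for CVE-2007-4559, as an added example that is not part of this index or of any repository listed under it: a tar archive is built in memory with one member whose name starts with `..`, a containment check reports every member (or link target) that would land outside the destination, and a wrapper refuses to extract until the whole archive passes. The member names, the payload bytes and the destination path are constructed test inputs.

```python
"""Added example for the CVE-2007-4559 hazard in Python's tarfile module.
Not code from this index or from any listed repository; the archive and
the destination paths are constructed for the demonstration."""
from __future__ import annotations

import io
import os
import tarfile


def build_sample_tar() -> bytes:
    """Constructed archive: one benign member and one whose name climbs out
    of the extraction directory with a '..' sequence."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../../escaped.txt", b"written outside dest\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True when the canonicalised target stays under directory."""
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names of members that extract()/extractall() would write outside dest.
    Absolute names, '..' components and symlink/hardlink targets pointing
    outside are reported; the archive is only inspected, never extracted."""
    bad: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            path = os.path.join(dest, member.name)
            if not is_within_directory(dest, path):
                bad.append(member.name)
                continue
            if member.issym():    # symlink target is relative to the member's directory
                link_target = os.path.join(os.path.dirname(path), member.linkname)
            elif member.islnk():  # hardlink target is relative to the archive root
                link_target = os.path.join(dest, member.linkname)
            else:
                continue
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
    return bad


def safe_extractall(archive: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive passes the containment check.
    Raises ValueError naming the first offending member; returns the names
    extracted on success."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract: path traversal in {bad[0]!r}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as dest:
        print(unsafe_members(build_sample_tar(), dest))   # ['../../escaped.txt']
        try:
            safe_extractall(build_sample_tar(), dest)
        except ValueError as exc:
            print(exc)
```

The check is done over the whole member list before anything is written, because a partial extraction that stops at the first bad member still leaves earlier files on disk. On Python 3.12 and later (and the security backports that added the `filter` argument), `extractall(dest, filter="data")` applies an equivalent policy inside the library; the explicit check above is for interpreters without it.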

- [https://github.com/advanced-threat-research/Creosote](https://github.com/advanced-threat-research/Creosote) :   

- [https://github.com/Ooscaar/MALW](https://github.com/Ooscaar/MALW) :   

- [https://github.com/davidholiday/CVE-2007-4559](https://github.com/davidholiday/CVE-2007-4559) :   

- [https://github.com/luigigubello/trellix-tarslip-patch-bypass](https://github.com/luigigubello/trellix-tarslip-patch-bypass) :   

- [https://github.com/JamesDarf/wargame-tarpioka](https://github.com/JamesDarf/wargame-tarpioka) :   

## CVE-2007-3831
PHP remote file inclusion in main.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

- [https://github.com/alt3kx/CVE-2007-3831](https://github.com/alt3kx/CVE-2007-3831) :   

## CVE-2007-3830
Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to inject arbitrary web script or HTML via the reminder parameter.

- [https://github.com/alt3kx/CVE-2007-3830](https://github.com/alt3kx/CVE-2007-3830) :   

## CVE-2007-3280
The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.

- [https://github.com/DenuwanJayasekara/CVE-Exploitation-Reports](https://github.com/DenuwanJayasekara/CVE-Exploitation-Reports) :   

## CVE-2007-2447
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

- [https://github.com/amriunix/CVE-2007-2447](https://github.com/amriunix/CVE-2007-2447) :   

- [https://github.com/Unix13/metasploitable2](https://github.com/Unix13/metasploitable2) :   

- [https://github.com/h3x0v3rl0rd/CVE-2007-2447](https://github.com/h3x0v3rl0rd/CVE-2007-2447) :   

- [https://github.com/Ziemni/CVE-2007-2447-in-Python](https://github.com/Ziemni/CVE-2007-2447-in-Python) :   

- [https://github.com/Alien0ne/CVE-2007-2447](https://github.com/Alien0ne/CVE-2007-2447) :   

- [https://github.com/xbufu/CVE-2007-2447](https://github.com/xbufu/CVE-2007-2447) :   

- [https://github.com/ozuma/CVE-2007-2447](https://github.com/ozuma/CVE-2007-2447) :   

- [https://github.com/3x1t1um/CVE-2007-2447](https://github.com/3x1t1um/CVE-2007-2447) :   

- [https://github.com/Aviksaikat/CVE-2007-2447](https://github.com/Aviksaikat/CVE-2007-2447) :   

- [https://github.com/s4msec/CVE-2007-2447](https://github.com/s4msec/CVE-2007-2447) :   

- [https://github.com/Nosferatuvjr/Samba-Usermap-exploit](https://github.com/Nosferatuvjr/Samba-Usermap-exploit) :   

- [https://github.com/b33m0x00/CVE-2007-2447](https://github.com/b33m0x00/CVE-2007-2447) :   

- [https://github.com/b1fair/smb_usermap](https://github.com/b1fair/smb_usermap) :   

- [https://github.com/0xKn/CVE-2007-2447](https://github.com/0xKn/CVE-2007-2447) :   

- [https://github.com/testaross4/CVE-2007-2447](https://github.com/testaross4/CVE-2007-2447) :   

- [https://github.com/G01d3nW01f/CVE-2007-2447](https://github.com/G01d3nW01f/CVE-2007-2447) :   

- [https://github.com/foudadev/CVE-2007-2447](https://github.com/foudadev/CVE-2007-2447) :   

- [https://github.com/xlcc4096/exploit-CVE-2007-2447](https://github.com/xlcc4096/exploit-CVE-2007-2447) :   

- [https://github.com/JoseBarrios/CVE-2007-2447](https://github.com/JoseBarrios/CVE-2007-2447) :   

- [https://github.com/Juantos/cve-2007-2447](https://github.com/Juantos/cve-2007-2447) :   

- [https://github.com/bdunlap9/CVE-2007-2447_python](https://github.com/bdunlap9/CVE-2007-2447_python) :   

- [https://github.com/elphon/CVE-2007-2447-Exploit](https://github.com/elphon/CVE-2007-2447-Exploit) :   

- [https://github.com/IamLucif3r/CVE-2007-2447-Exploit](https://github.com/IamLucif3r/CVE-2007-2447-Exploit) :   

- [https://github.com/MikeRega7/CVE-2007-2447-RCE](https://github.com/MikeRega7/CVE-2007-2447-RCE) :   

- [https://github.com/ShivamDey/Samba-CVE-2007-2447-Exploit](https://github.com/ShivamDey/Samba-CVE-2007-2447-Exploit) :   

- [https://github.com/HerculesRD/PyUsernameMapScriptRCE](https://github.com/HerculesRD/PyUsernameMapScriptRCE) :   

- [https://github.com/3t4n/samba-3.0.24-CVE-2007-2447-vunerable-](https://github.com/3t4n/samba-3.0.24-CVE-2007-2447-vunerable-) :   

- [https://github.com/WildfootW/CVE-2007-2447_Samba_3.0.25rc3](https://github.com/WildfootW/CVE-2007-2447_Samba_3.0.25rc3) :   

## CVE-2007-1858
The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher,
which allows remote attackers to obtain sensitive information or have other, unspecified impacts.

- [https://github.com/anthophilee/A2SV--SSL-VUL-Scan](https://github.com/anthophilee/A2SV--SSL-VUL-Scan) :   

## CVE-2007-1567
Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.

- [https://github.com/war4uthor/CVE-2007-1567](https://github.com/war4uthor/CVE-2007-1567) :   

## CVE-2007-0843
The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.

- [https://github.com/z3APA3A/spydir](https://github.com/z3APA3A/spydir) :   

## CVE-2007-0038
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
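
The "large length value in the second (or later) anih block" above is a check a scanner can make before a file reaches the cursor loader. The following is an added example, not code from this index or from any listed repository: it walks the RIFF chunk tree of an animated cursor and reports any `anih` chunk whose declared length differs from the fixed 36-byte ANIHEADER (nine 32-bit fields, `cbSize` first) or which claims more bytes than the file contains. The sample files are constructed in memory; the header field values in them are illustrative.

```python
"""Added example for the RIFF/ANI parsing hazard described under
CVE-2007-0038. Not code from this index or any listed repository; the
sample files are constructed for the demonstration."""
from __future__ import annotations

import struct
from typing import Iterator

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields, cbSize first
# Constructed, well-formed header: cbSize, cFrames, cSteps, cx, cy,
# cBitCount, cPlanes, iDispRate, bfAttributes
ANIHEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)


def riff_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: id, little-endian length, data, pad to even."""
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(extra_anih: tuple[int, bytes] | None = None) -> bytes:
    """Constructed ACON file: one correct anih, a LIST/fram holding one icon
    chunk, and optionally a second anih with an arbitrary declared length."""
    icon = riff_chunk(b"icon", b"\0" * 16)
    body = b"ACON" + riff_chunk(b"anih", ANIHEADER)
    body += b"LIST" + struct.pack("<I", 4 + len(icon)) + b"fram" + icon
    if extra_anih is not None:
        declared, payload = extra_anih
        body += b"anih" + struct.pack("<I", declared) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes, start: int, stop: int) -> Iterator[tuple[bytes, int, int, bytes, bool]]:
    """Yield (fourcc, declared size, payload offset, payload, truncated) for
    each chunk in data[start:stop]; iteration ends after a truncated chunk."""
    pos = start
    while pos + 8 <= stop:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        payload_off = pos + 8
        payload_end = payload_off + size
        truncated = payload_end > stop
        yield fourcc, size, payload_off, data[payload_off:min(payload_end, stop)], truncated
        if truncated:
            return
        pos = payload_end + (size & 1)  # chunks are word-aligned


def audit_ani(data: bytes) -> list[str]:
    """Return findings for a .ani file; an empty list means every anih chunk
    carries exactly the 36-byte header and no chunk overruns the file."""
    findings: list[str] = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    stop = min(8 + riff_size, len(data))
    anih_seen = 0

    def walk(start: int, end: int, depth: int) -> None:
        nonlocal anih_seen
        for fourcc, size, off, payload, truncated in iter_chunks(data, start, end):
            if fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih #{anih_seen} at offset {off - 8}: "
                                    f"declared size {size}, expected {ANIH_SIZE}")
                elif not truncated and struct.unpack_from("<I", payload, 0)[0] != ANIH_SIZE:
                    findings.append(f"anih #{anih_seen} at offset {off - 8}: "
                                    f"cbSize field disagrees with chunk size")
            if truncated:
                findings.append(f"{fourcc!r} chunk at offset {off - 8} declares {size} "
                                f"bytes but only {len(payload)} remain")
                return
            if fourcc == b"LIST" and depth < 8:
                walk(off + 4, off + size, depth + 1)  # skip the list-type tag

    walk(12, stop, 0)
    if anih_seen == 0:
        findings.append("no anih chunk present")
    return findings


if __name__ == "__main__":
    print(audit_ani(build_ani()))                          # []
    print(audit_ani(build_ani((4096, b"\0" * 4096))))      # second anih, size 4096
    print(audit_ani(build_ani((0x7FFFFFFF, ANIHEADER))))   # declared length past EOF
```

The parser trusts no length field: a chunk whose declared size runs past the end of the RIFF body is reported and the walk stops, so the same loop cannot be steered into reading beyond the buffer.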

- [https://github.com/Axua/CVE-2007-0038](https://github.com/Axua/CVE-2007-0038) :   

- [https://github.com/Cheesse/cve2007-0038x64](https://github.com/Cheesse/cve2007-0038x64) :   

-------------------------------------------------------------------------------- /2008/README.md: --------------------------------------------------------------------------------

## CVE-2008-7220
Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.

- [https://github.com/followboy1999/CVE-2008-7220](https://github.com/followboy1999/CVE-2008-7220) :   

## CVE-2008-6970
SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the Forum[] array parameter.

- [https://github.com/KyomaHooin/CVE-2008-6970](https://github.com/KyomaHooin/CVE-2008-6970) :   

## CVE-2008-6827
The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.

- [https://github.com/alt3kx/CVE-2008-6827](https://github.com/alt3kx/CVE-2008-6827) :   

## CVE-2008-6806
Unrestricted file upload vulnerability in includes/imageupload.php in 7Shop 1.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/artikel/.

- [https://github.com/threatcode/CVE-2008-6806](https://github.com/threatcode/CVE-2008-6806) :   

## CVE-2008-5862
Directory traversal vulnerability in webcamXP 5.3.2.375 and 5.3.2.410 build 2132 allows remote attackers to read arbitrary files via a ..%2F (encoded dot dot slash) in the URI.

- [https://github.com/K3ysTr0K3R/CVE-2008-5862-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2008-5862-EXPLOIT) :   

## CVE-2008-5416
Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."

- [https://github.com/SECFORCE/CVE-2008-5416](https://github.com/SECFORCE/CVE-2008-5416) :   

## CVE-2008-4687
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

- [https://github.com/nmurilo/CVE-2008-4687-exploit](https://github.com/nmurilo/CVE-2008-4687-exploit) :   

- [https://github.com/twisted007/mantis_rce](https://github.com/twisted007/mantis_rce) :   

## CVE-2008-4654
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

- [https://github.com/KernelErr/VLC-CVE-2008-4654-Exploit](https://github.com/KernelErr/VLC-CVE-2008-4654-Exploit) :   

- [https://github.com/rnnsz/CVE-2008-4654](https://github.com/rnnsz/CVE-2008-4654) :   

- [https://github.com/bongbongco/CVE-2008-4654](https://github.com/bongbongco/CVE-2008-4654) :   

- [https://github.com/Hexastrike/CVE-2008-4654](https://github.com/Hexastrike/CVE-2008-4654) :   

## CVE-2008-4609
The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

- [https://github.com/mrclki/sockstress](https://github.com/mrclki/sockstress) :   

## CVE-2008-4250
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

- [https://github.com/thunderstrike9090/Conflicker_analysis_scripts](https://github.com/thunderstrike9090/Conflicker_analysis_scripts) :   

- [https://github.com/NoTrustedx/Exploit_MS08-067](https://github.com/NoTrustedx/Exploit_MS08-067) :   

## CVE-2008-4109
A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.

- [https://github.com/bigb0x/CVE-2024-6387](https://github.com/bigb0x/CVE-2024-6387) :   

## CVE-2008-3531
Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."

- [https://github.com/test-one9/ps4-11.50.github.io](https://github.com/test-one9/ps4-11.50.github.io) :   

## CVE-2008-2938
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
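
CVE-2006-3392 (Webmin, `..%01`), CVE-2008-5862 (webcamXP, `..%2F`) and CVE-2008-2938 (Tomcat, encoded sequences under UTF-8) are the same ordering mistake: the path is sanitised before it is fully decoded. The block below is an added example, not code from this index, Webmin, webcamXP or Tomcat. It models the vulnerable order from the descriptions above next to a resolver that decodes strictly first, rejects bytes that never belong in a path, canonicalises, and only then checks containment under the document root. `WEB_ROOT` and every input are constructed for the demonstration; the overlong UTF-8 input is a generic test case, not one taken from any of the advisories.

```python
"""Added example for the decode-ordering mistake behind CVE-2006-3392,
CVE-2008-5862 and CVE-2008-2938. Not code from this index or from any of
the affected products; WEB_ROOT and the inputs are constructed."""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root for the demonstration
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_resolve(raw: str) -> str:
    """Sanitise-then-decode, as the Webmin description reads: '../' is
    removed from the still-encoded path, then percent-decoding happens,
    then control bytes are dropped, which can recreate '../'."""
    cleaned = raw.replace("../", "")
    decoded = unquote(cleaned, errors="replace")
    decoded = CONTROL_CHARS.sub("", decoded)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def hardened_resolve(raw: str) -> str | None:
    """Decode strictly and completely first, reject what should never be in
    a file path, canonicalise, then require the result to stay under
    WEB_ROOT. Returns the resolved path, or None if the request must be
    refused."""
    try:
        decoded = unquote(raw, encoding="utf-8", errors="strict")
        # A second decoding pass changing the string means a second encoded
        # layer (e.g. %252e); refuse rather than guess how many to peel.
        if unquote(decoded, encoding="utf-8", errors="strict") != decoded:
            return None
    except UnicodeDecodeError:  # overlong or otherwise invalid UTF-8
        return None
    if CONTROL_CHARS.search(decoded) or "\\" in decoded:
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for probe in ("images/logo.png",
                  "..%01/..%01/..%01/etc/passwd",          # Webmin-style
                  "..%2F..%2F..%2Fetc/passwd",             # webcamXP-style
                  "%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"):  # constructed overlong UTF-8
        print(f"{probe!r:45} vulnerable={vulnerable_resolve(probe)!r:30} "
              f"hardened={hardened_resolve(probe)!r}")
```

Python's UTF-8 codec rejects overlong encodings such as `%c0%ae`, so strict decoding alone disposes of that class; the containment test after `normpath` is what catches the plainly encoded `../` forms, and it holds regardless of how the traversal was spelled because it looks at the final path, not at the input.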

- [https://github.com/Naramsim/Offensive](https://github.com/Naramsim/Offensive) :   

## CVE-2008-2019
Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308.

- [https://github.com/TheRook/AudioCaptchaBypass-CVE-2008-2019](https://github.com/TheRook/AudioCaptchaBypass-CVE-2008-2019) :   

## CVE-2008-1613
SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48, and possibly other versions including 6.5 and 7.0, allows remote attackers to execute arbitrary SQL commands via the LngId parameter.

- [https://github.com/SECFORCE/CVE-2008-1613](https://github.com/SECFORCE/CVE-2008-1613) :   

## CVE-2008-1611
Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.

- [https://github.com/Axua/CVE-2008-1611](https://github.com/Axua/CVE-2008-1611) :   

## CVE-2008-1447
The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."

- [https://github.com/hackingyseguridad/dnspoison](https://github.com/hackingyseguridad/dnspoison) :   

## CVE-2008-0244
SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via "&&" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe.

- [https://github.com/gregkcarson/sapmdbret](https://github.com/gregkcarson/sapmdbret) :   

## CVE-2008-0228
Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators.

- [https://github.com/SpiderLabs/TWSL2011-007_iOS_code_workaround](https://github.com/SpiderLabs/TWSL2011-007_iOS_code_workaround) :   

## CVE-2008-0166
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

- [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) :   

- [https://github.com/demining/Vulnerable-to-Debian-OpenSSL-bug-CVE-2008-0166](https://github.com/demining/Vulnerable-to-Debian-OpenSSL-bug-CVE-2008-0166) :   

- [https://github.com/badkeys/debianopenssl](https://github.com/badkeys/debianopenssl) :   

- [https://github.com/avarx/vulnkeys](https://github.com/avarx/vulnkeys) :   

## CVE-2008-0128
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
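
The condition in CVE-2008-0128 is visible in the response headers, so it is cheap to test for. The following is an added example, not code from this index or from Tomcat: it parses the `Set-Cookie` headers of a raw HTTP response and reports any session cookie that was issued over HTTPS without the `Secure` attribute (the missing-`HttpOnly` check is an extra the same pass can carry). The response text and cookie values are constructed for the demonstration.

```python
"""Added example for the CVE-2008-0128 condition: a session cookie set on
an HTTPS response without Secure. Not code from this index or from Tomcat;
the response below is constructed and the cookie values are dummies."""
from __future__ import annotations

# Constructed response: the SSO cookie lacks Secure, the app cookie has it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONIDSSO=0123456789ABCDEF; Path=/\r\n"
    "Set-Cookie: JSESSIONID=FEDCBA9876543210; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response: str) -> list[dict[str, str]]:
    """One dict per Set-Cookie header: 'name', 'value', and every attribute
    keyed by its lower-cased name ('' for flag attributes such as Secure)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies: list[dict[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, val = parts[0].partition("=")
        cookie = {"name": name.strip(), "value": val.strip()}
        for attr in parts[1:]:
            key, _, attr_val = attr.partition("=")
            cookie[key.strip().lower()] = attr_val.strip()
        cookies.append(cookie)
    return cookies


def audit_session_cookies(raw_response: str, over_https: bool,
                          session_names: tuple[str, ...] = ("JSESSIONIDSSO", "JSESSIONID")) -> list[str]:
    """Findings for the named session cookies. Missing Secure on an HTTPS
    response is the CVE-2008-0128 condition; missing HttpOnly is reported
    alongside it because the same header is being inspected anyway."""
    findings: list[str] = []
    for cookie in parse_set_cookies(raw_response):
        if cookie["name"] not in session_names:
            continue
        if over_https and "secure" not in cookie:
            findings.append(f"{cookie['name']}: set over HTTPS without Secure; "
                            f"browsers will resend it on http:// requests")
        if "httponly" not in cookie:
            findings.append(f"{cookie['name']}: missing HttpOnly")
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookies(SAMPLE_RESPONSE, over_https=True):
        print(finding)
```

The `over_https` flag belongs to the caller because the header itself does not say which scheme the response travelled over; when the check is wired into a scanner, set it from the URL that was requested.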

- [https://github.com/ngyanch/4062-1](https://github.com/ngyanch/4062-1) :   

-------------------------------------------------------------------------------- /2009/README.md: --------------------------------------------------------------------------------

## CVE-2009-5147
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

- [https://github.com/vpereira/CVE-2009-5147](https://github.com/vpereira/CVE-2009-5147) :   

- [https://github.com/zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-](https://github.com/zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-) :   

## CVE-2009-4660
Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.

- [https://github.com/war4uthor/CVE-2009-4660](https://github.com/war4uthor/CVE-2009-4660) :   

## CVE-2009-4623
Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598.

- [https://github.com/kernel-cyber/CVE-2009-4623](https://github.com/kernel-cyber/CVE-2009-4623) :   

- [https://github.com/MonsempesSamuel/CVE-2009-4623](https://github.com/MonsempesSamuel/CVE-2009-4623) :   

- [https://github.com/hupe1980/CVE-2009-4623](https://github.com/hupe1980/CVE-2009-4623) :   

## CVE-2009-4140
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.

- [https://github.com/Alexeyan/CVE-2009-4137](https://github.com/Alexeyan/CVE-2009-4137) :   

## CVE-2009-4137
The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

- [https://github.com/Alexeyan/CVE-2009-4137](https://github.com/Alexeyan/CVE-2009-4137) :   

## CVE-2009-4118
The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.exe) in Cisco VPN client for Windows before 5.0.06.0100 does not properly handle an ERROR_FAILED_SERVICE_CONTROLLER_CONNECT error, which allows local users to cause a denial of service (service crash and VPN connection loss) via a manual start of cvpnd.exe while the cvpnd service is running.

- [https://github.com/alt3kx/CVE-2009-4118](https://github.com/alt3kx/CVE-2009-4118) :   

## CVE-2009-4092
Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.

- [https://github.com/xiaoyu-iid/Simplog-Exploit](https://github.com/xiaoyu-iid/Simplog-Exploit) :   

## CVE-2009-4049
Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in avast! Home and Professional 4.8.1356.0 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted arguments to IOCTL 0x80002024.

- [https://github.com/fengjixuchui/CVE-2009-4049](https://github.com/fengjixuchui/CVE-2009-4049) :   

## CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

- [https://github.com/johnwchadwick/cve-2009-3555-test-server](https://github.com/johnwchadwick/cve-2009-3555-test-server) :   

## CVE-2009-3548
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

- [https://github.com/cocomelonc/vulnexipy](https://github.com/cocomelonc/vulnexipy) :   

## CVE-2009-3103
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

- [https://github.com/sooklalad/ms09050](https://github.com/sooklalad/ms09050) :   

- [https://github.com/Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-](https://github.com/Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-) :   

- [https://github.com/sec13b/ms09-050_CVE-2009-3103](https://github.com/sec13b/ms09-050_CVE-2009-3103) :   

## CVE-2009-3036
Cross-site scripting (XSS) vulnerability in the console in Symantec IM Manager 8.3 and 8.4 before 8.4.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

- [https://github.com/brinhosa/CVE-2009-3036](https://github.com/brinhosa/CVE-2009-3036) :   

## CVE-2009-2698
The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.

- [https://github.com/xiaoxiaoleo/CVE-2009-2698](https://github.com/xiaoxiaoleo/CVE-2009-2698) :   

## CVE-2009-2692
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

- [https://github.com/jdvalentini/CVE-2009-2692](https://github.com/jdvalentini/CVE-2009-2692) :   

## CVE-2009-2585
SQL injection vulnerability in index.php in Mlffat 2.2 allows remote attackers to execute arbitrary SQL commands via a member cookie in an account editprofile action, a different vector than CVE-2009-1731.

- [https://github.com/n4xh4ck5/CVE2009-2585_HP_Power_Manager_BoF](https://github.com/n4xh4ck5/CVE2009-2585_HP_Power_Manager_BoF) :   

## CVE-2009-2265
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.

- [https://github.com/zaphoxx/zaphoxx-coldfusion](https://github.com/zaphoxx/zaphoxx-coldfusion) :   

- [https://github.com/p1ckzi/CVE-2009-2265](https://github.com/p1ckzi/CVE-2009-2265) :   

- [https://github.com/h3x0v3rl0rd/CVE-2009-2265](https://github.com/h3x0v3rl0rd/CVE-2009-2265) :   

- [https://github.com/0xDTC/Adobe-ColdFusion-8-RCE-CVE-2009-2265](https://github.com/0xDTC/Adobe-ColdFusion-8-RCE-CVE-2009-2265) :   

- [https://github.com/brunorhis/CVE2009-2265](https://github.com/brunorhis/CVE2009-2265) :   

## CVE-2009-1904
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
133 | 134 | 135 | 136 | - [https://github.com/NZKoz/bigdecimal-segfault-fix](https://github.com/NZKoz/bigdecimal-segfault-fix) :   137 | 138 | ## CVE-2009-1437 139 | Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka CoolPlayer+ Portable) 2.19.6 and earlier allows remote attackers to execute arbitrary code via a long string in a malformed playlist (.m3u) file. NOTE: this may overlap CVE-2008-3408. 140 | 141 | 142 | 143 | - [https://github.com/HanseSecure/CVE-2009-1437](https://github.com/HanseSecure/CVE-2009-1437) :   144 | 145 | ## CVE-2009-1330 146 | Stack-based buffer overflow in Easy RM to MP3 Converter allows remote attackers to execute arbitrary code via a long filename in a playlist (.pls) file. 147 | 148 | 149 | 150 | - [https://github.com/adenkiewicz/CVE-2009-1330](https://github.com/adenkiewicz/CVE-2009-1330) :   151 | 152 | - [https://github.com/war4uthor/CVE-2009-1330](https://github.com/war4uthor/CVE-2009-1330) :   153 | 154 | - [https://github.com/exploitwritter/CVE-2009-1330_EasyRMToMp3Converter](https://github.com/exploitwritter/CVE-2009-1330_EasyRMToMp3Converter) :   155 | 156 | ## CVE-2009-1324 157 | Stack-based buffer overflow in Mini-stream ASX to MP3 Converter 3.0.0.7 allows remote attackers to execute arbitrary code via a long URI in a playlist (.m3u) file. 158 | 159 | 160 | 161 | - [https://github.com/war4uthor/CVE-2009-1324](https://github.com/war4uthor/CVE-2009-1324) :   162 | 163 | ## CVE-2009-1244 164 | Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916. 
165 | 166 | 167 | 168 | - [https://github.com/piotrbania/vmware_exploit_pack_CVE-2009-1244](https://github.com/piotrbania/vmware_exploit_pack_CVE-2009-1244) :   169 | 170 | ## CVE-2009-1151 171 | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. 172 | 173 | 174 | 175 | - [https://github.com/pagvac/pocs](https://github.com/pagvac/pocs) :   176 | 177 | - [https://github.com/user20252228/ZmEu](https://github.com/user20252228/ZmEu) :   178 | 179 | - [https://github.com/e-Thug/PhpMyAdmin](https://github.com/e-Thug/PhpMyAdmin) :   180 | 181 | ## CVE-2009-0689 182 | Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number. 183 | 184 | 185 | 186 | - [https://github.com/Fullmetal5/str2hax](https://github.com/Fullmetal5/str2hax) :   187 | 188 | ## CVE-2009-0473 189 | Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 
190 | 191 | 192 | 193 | - [https://github.com/akbarq/CVE-2009-0473-check](https://github.com/akbarq/CVE-2009-0473-check) :   194 | 195 | ## CVE-2009-0347 196 | Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter. 197 | 198 | 199 | 200 | - [https://github.com/Cappricio-Securities/CVE-2009-0347](https://github.com/Cappricio-Securities/CVE-2009-0347) :   201 | 202 | ## CVE-2009-0229 203 | The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows local users to read arbitrary files via a crafted separator page, aka "Print Spooler Read File Vulnerability." 204 | 205 | 206 | 207 | - [https://github.com/zveriu/CVE-2009-0229-PoC](https://github.com/zveriu/CVE-2009-0229-PoC) :   208 | 209 | ## CVE-2009-0182 210 | Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line. 211 | 212 | 213 | 214 | - [https://github.com/nobodyatall648/CVE-2009-0182](https://github.com/nobodyatall648/CVE-2009-0182) :   215 | -------------------------------------------------------------------------------- /2010/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2010-5301 2 | Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a HEAD request. 
3 | 4 | 5 | 6 | - [https://github.com/lem0nSec/CVE-2010-5301](https://github.com/lem0nSec/CVE-2010-5301) :   7 | 8 | ## CVE-2010-5230 9 | Multiple untrusted search path vulnerabilities in MicroStation 7.1 allow local users to gain privileges via a Trojan horse (1) mptools.dll, (2) baseman.dll, (3) wintab32.dll, or (4) wintab.dll file in the current working directory, as demonstrated by a directory that contains a .hln or .rdl file. NOTE: some of these details are obtained from third party information. 10 | 11 | 12 | 13 | - [https://github.com/otofoto/CVE-2010-5230](https://github.com/otofoto/CVE-2010-5230) :   14 | 15 | ## CVE-2010-4804 16 | The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/. 17 | 18 | 19 | 20 | - [https://github.com/thomascannon/android-cve-2010-4804](https://github.com/thomascannon/android-cve-2010-4804) :   21 | 22 | ## CVE-2010-4669 23 | The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 allows remote attackers to cause a denial of service (CPU consumption and system hang) by sending many Router Advertisement (RA) messages with different source addresses, as demonstrated by the flood_router6 program in the thc-ipv6 package. 
24 | 25 | 26 | 27 | - [https://github.com/wrong-commit/CVE-2010-4669](https://github.com/wrong-commit/CVE-2010-4669) :   28 | 29 | ## CVE-2010-4476 30 | The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. 31 | 32 | 33 | 34 | - [https://github.com/grzegorzblaszczyk/CVE-2010-4476-check](https://github.com/grzegorzblaszczyk/CVE-2010-4476-check) :   35 | 36 | ## CVE-2010-4231 37 | Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. 38 | 39 | 40 | 41 | - [https://github.com/K3ysTr0K3R/CVE-2010-4231-EXPLOIT](https://github.com/K3ysTr0K3R/CVE-2010-4231-EXPLOIT) :   42 | 43 | ## CVE-2010-4221 44 | Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server. 
45 | 46 | 47 | 48 | - [https://github.com/M41doror/cve-2010-4221](https://github.com/M41doror/cve-2010-4221) :   49 | 50 | ## CVE-2010-3971 51 | Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability." 52 | 53 | 54 | 55 | - [https://github.com/nektra/CVE-2010-3971-hotpatch](https://github.com/nektra/CVE-2010-3971-hotpatch) :   56 | 57 | ## CVE-2010-3904 58 | The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls. 59 | 60 | 61 | 62 | - [https://github.com/redhatkaty/-cve-2010-3904-report](https://github.com/redhatkaty/-cve-2010-3904-report) :   63 | 64 | ## CVE-2010-3847 65 | elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory. 66 | 67 | 68 | 69 | - [https://github.com/magisterquis/cve-2010-3847](https://github.com/magisterquis/cve-2010-3847) :   70 | 71 | ## CVE-2010-3600 72 | Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. 
Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code. 73 | 74 | 75 | 76 | - [https://github.com/LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2](https://github.com/LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2) :   77 | 78 | ## CVE-2010-3490 79 | Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root. 80 | 81 | 82 | 83 | - [https://github.com/moayadalmalat/CVE-2010-3490](https://github.com/moayadalmalat/CVE-2010-3490) :   84 | 85 | ## CVE-2010-3333 86 | Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability." 
87 | 88 | 89 | 90 | - [https://github.com/Sunqiz/CVE-2010-3333-reproduction](https://github.com/Sunqiz/CVE-2010-3333-reproduction) :   91 | 92 | - [https://github.com/whiteHat001/cve-2010-3333](https://github.com/whiteHat001/cve-2010-3333) :   93 | 94 | - [https://github.com/chefphenix25/vuln-rabilit-windows7](https://github.com/chefphenix25/vuln-rabilit-windows7) :   95 | 96 | ## CVE-2010-3332 97 | Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." 98 | 99 | 100 | 101 | - [https://github.com/bongbongco/MS10-070](https://github.com/bongbongco/MS10-070) :   102 | 103 | ## CVE-2010-3301 104 | The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression. 105 | 106 | 107 | 108 | - [https://github.com/n0lann/CVE2010-3301_compiled](https://github.com/n0lann/CVE2010-3301_compiled) :   109 | 110 | ## CVE-2010-3124 111 | Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3 file. 
112 | 113 | 114 | 115 | - [https://github.com/KOBUKOVUI/DLL_Injection_On_VLC](https://github.com/KOBUKOVUI/DLL_Injection_On_VLC) :   116 | 117 | - [https://github.com/Nhom6KTLT/CVE-2010-3124](https://github.com/Nhom6KTLT/CVE-2010-3124) :   118 | 119 | ## CVE-2010-2626 120 | index.pl in Miyabi CGI Tools SEO Links 1.02 allows remote attackers to execute arbitrary commands via shell metacharacters in the fn command. NOTE: some of these details are obtained from third party information. 121 | 122 | 123 | 124 | - [https://github.com/oxagast/oxasploits](https://github.com/oxagast/oxasploits) :   125 | 126 | ## CVE-2010-2553 127 | The Cinepak codec in Microsoft Windows XP SP2 and SP3, Windows Vista SP1 and SP2, and Windows 7 does not properly decompress media files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Cinepak Codec Decompression Vulnerability." 128 | 129 | 130 | 131 | - [https://github.com/Sunqiz/cve-2010-2553-reproduction](https://github.com/Sunqiz/cve-2010-2553-reproduction) :   132 | 133 | ## CVE-2010-2387 134 | vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs. 135 | 136 | 137 | 138 | - [https://github.com/LogSec/CVE-2010-2387](https://github.com/LogSec/CVE-2010-2387) :   139 | 140 | ## CVE-2010-2075 141 | UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands. 
142 | 143 | 144 | 145 | - [https://github.com/MFernstrom/OffensivePascal-CVE-2010-2075](https://github.com/MFernstrom/OffensivePascal-CVE-2010-2075) :   146 | 147 | - [https://github.com/FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1](https://github.com/FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1) :   148 | 149 | - [https://github.com/chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution](https://github.com/chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution) :   150 | 151 | - [https://github.com/JoseLRC97/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution](https://github.com/JoseLRC97/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution) :   152 | 153 | - [https://github.com/abhinavsinghx/PenTest-Lab](https://github.com/abhinavsinghx/PenTest-Lab) :   154 | 155 | ## CVE-2010-1938 156 | Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd. 157 | 158 | 159 | 160 | - [https://github.com/Nexxus67/cve-2010-1938](https://github.com/Nexxus67/cve-2010-1938) :   161 | 162 | ## CVE-2010-1622 163 | SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file. 
164 | 165 | 166 | 167 | - [https://github.com/DDuarte/springshell-rce-poc](https://github.com/DDuarte/springshell-rce-poc) :   168 | 169 | - [https://github.com/E-bounce/cve-2010-1622_learning_environment](https://github.com/E-bounce/cve-2010-1622_learning_environment) :   170 | 171 | - [https://github.com/HandsomeCat00/Spring-CVE-2010-1622](https://github.com/HandsomeCat00/Spring-CVE-2010-1622) :   172 | 173 | - [https://github.com/strainerart/Spring4Shell](https://github.com/strainerart/Spring4Shell) :   174 | 175 | ## CVE-2010-1598 176 | phpThumb.php in phpThumb() 1.7.9 and possibly other versions, when ImageMagick is installed, allows remote attackers to execute arbitrary commands via the fltr[] parameter, as discovered in the wild in April 2010. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 177 | 178 | 179 | 180 | - [https://github.com/connar/vulnerable_phpThumb](https://github.com/connar/vulnerable_phpThumb) :   181 | 182 | ## CVE-2010-1411 183 | Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow. 184 | 185 | 186 | 187 | - [https://github.com/MAVProxyUser/httpfuzz-robomiller](https://github.com/MAVProxyUser/httpfuzz-robomiller) :   188 | 189 | ## CVE-2010-1240 190 | Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message. 
191 | 192 | 193 | 194 | - [https://github.com/Jasmoon99/Embedded-PDF](https://github.com/Jasmoon99/Embedded-PDF) :   195 | 196 | - [https://github.com/omarothmann/Embedded-Backdoor-Connection](https://github.com/omarothmann/Embedded-Backdoor-Connection) :   197 | 198 | - [https://github.com/asepsaepdin/CVE-2010-1240](https://github.com/asepsaepdin/CVE-2010-1240) :   199 | 200 | ## CVE-2010-1205 201 | Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. 202 | 203 | 204 | 205 | - [https://github.com/mk219533/CVE-2010-1205](https://github.com/mk219533/CVE-2010-1205) :   206 | 207 | ## CVE-2010-0738 208 | The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. 209 | 210 | 211 | 212 | - [https://github.com/gitcollect/jboss-autopwn](https://github.com/gitcollect/jboss-autopwn) :   213 | 214 | - [https://github.com/1872892142/jboss-autopwn-1](https://github.com/1872892142/jboss-autopwn-1) :   215 | 216 | ## CVE-2010-0426 217 | sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory. 
218 | 219 | 220 | 221 | - [https://github.com/t0kx/privesc-CVE-2010-0426](https://github.com/t0kx/privesc-CVE-2010-0426) :   222 | 223 | - [https://github.com/g1vi/CVE-2010-0426](https://github.com/g1vi/CVE-2010-0426) :   224 | 225 | - [https://github.com/cved-sources/cve-2010-0426](https://github.com/cved-sources/cve-2010-0426) :   226 | 227 | ## CVE-2010-0232 228 | The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability." 229 | 230 | 231 | 232 | - [https://github.com/azorfus/CVE-2010-0232](https://github.com/azorfus/CVE-2010-0232) :   233 | 234 | ## CVE-2010-0219 235 | Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. 236 | 237 | 238 | 239 | - [https://github.com/veritas-rt/CVE-2010-0219](https://github.com/veritas-rt/CVE-2010-0219) :   240 | -------------------------------------------------------------------------------- /2011/README.md: -------------------------------------------------------------------------------- 1 | ## CVE-2011-5331 2 | Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval. 
3 | 4 | 5 | 6 | - [https://github.com/tomquinn8/CVE-2011-5331](https://github.com/tomquinn8/CVE-2011-5331) :   7 | 8 | ## CVE-2011-4919 9 | mpack 1.6 has information disclosure via eavesdropping on mails sent by other users 10 | 11 | 12 | 13 | - [https://github.com/hartwork/mpacktrafficripper](https://github.com/hartwork/mpacktrafficripper) :   14 | 15 | ## CVE-2011-4862 16 | Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011. 17 | 18 | 19 | 20 | - [https://github.com/hdbreaker/GO-CVE-2011-4862](https://github.com/hdbreaker/GO-CVE-2011-4862) :   21 | 22 | - [https://github.com/kpawar2410/CVE-2011-4862](https://github.com/kpawar2410/CVE-2011-4862) :   23 | 24 | - [https://github.com/lol-fi/cve-2011-4862](https://github.com/lol-fi/cve-2011-4862) :   25 | 26 | ## CVE-2011-4107 27 | The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. 28 | 29 | 30 | 31 | - [https://github.com/SECFORCE/CVE-2011-4107](https://github.com/SECFORCE/CVE-2011-4107) :   32 | 33 | ## CVE-2011-3872 34 | Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability." 
35 | 36 | 37 | 38 | - [https://github.com/puppetlabs-toy-chest/puppetlabs-cve20113872](https://github.com/puppetlabs-toy-chest/puppetlabs-cve20113872) :   39 | 40 | ## CVE-2011-3556 41 | Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557. 42 | 43 | 44 | 45 | - [https://github.com/sk4la/cve_2011_3556](https://github.com/sk4la/cve_2011_3556) :   46 | 47 | ## CVE-2011-3389 48 | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. 49 | 50 | 51 | 52 | - [https://github.com/mpgn/BEAST-PoC](https://github.com/mpgn/BEAST-PoC) :   53 | 54 | ## CVE-2011-3368 55 | The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character. 
56 | 57 | 58 | 59 | - [https://github.com/SECFORCE/CVE-2011-3368](https://github.com/SECFORCE/CVE-2011-3368) :   60 | 61 | - [https://github.com/colorblindpentester/CVE-2011-3368](https://github.com/colorblindpentester/CVE-2011-3368) :   62 | 63 | ## CVE-2011-3192 64 | The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. 65 | 66 | 67 | 68 | - [https://github.com/tkisason/KillApachePy](https://github.com/tkisason/KillApachePy) :   69 | 70 | - [https://github.com/limkokholefork/CVE-2011-3192](https://github.com/limkokholefork/CVE-2011-3192) :   71 | 72 | - [https://github.com/stcmjp/cve-2011-3192](https://github.com/stcmjp/cve-2011-3192) :   73 | 74 | - [https://github.com/futurezayka/CVE-2011-3192](https://github.com/futurezayka/CVE-2011-3192) :   75 | 76 | - [https://github.com/warmilk/http-Dos-Attack-Detection](https://github.com/warmilk/http-Dos-Attack-Detection) :   77 | 78 | ## CVE-2011-3026 79 | Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation. 
80 | 81 | 82 | 83 | - [https://github.com/argp/cve-2011-3026-firefox](https://github.com/argp/cve-2011-3026-firefox) :   84 | 85 | ## CVE-2011-2894 86 | Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. 87 | 88 | 89 | 90 | - [https://github.com/pwntester/SpringBreaker](https://github.com/pwntester/SpringBreaker) :   91 | 92 | ## CVE-2011-2523 93 | vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp. 94 | 95 | 96 | 97 | - [https://github.com/padsalatushal/CVE-2011-2523](https://github.com/padsalatushal/CVE-2011-2523) :   98 | 99 | - [https://github.com/NullBrunk/CVE-2011-2523](https://github.com/NullBrunk/CVE-2011-2523) :   100 | 101 | - [https://github.com/4m3rr0r/CVE-2011-2523-poc](https://github.com/4m3rr0r/CVE-2011-2523-poc) :   102 | 103 | - [https://github.com/Lynk4/CVE-2011-2523](https://github.com/Lynk4/CVE-2011-2523) :   104 | 105 | - [https://github.com/cowsecurity/CVE-2011-2523](https://github.com/cowsecurity/CVE-2011-2523) :   106 | 107 | - [https://github.com/nobodyatall648/CVE-2011-2523](https://github.com/nobodyatall648/CVE-2011-2523) :   108 | 109 | - [https://github.com/MFernstrom/OffensivePascal-CVE-2011-2523](https://github.com/MFernstrom/OffensivePascal-CVE-2011-2523) :   110 | 111 | - [https://github.com/Gill-Singh-A/vsFTP-2.3.4-Remote-Root-Shell-Exploit](https://github.com/Gill-Singh-A/vsFTP-2.3.4-Remote-Root-Shell-Exploit) :   112 | 113 | - 
[https://github.com/everythingBlackkk/vsFTPd-Backdoor-Exploit-CVE-2011-2523-](https://github.com/everythingBlackkk/vsFTPd-Backdoor-Exploit-CVE-2011-2523-)

- [https://github.com/0xB0y426/CVE-2011-2523-PoC](https://github.com/0xB0y426/CVE-2011-2523-PoC)

- [https://github.com/0xSojalSec/-CVE-2011-2523](https://github.com/0xSojalSec/-CVE-2011-2523)

- [https://github.com/Gr4ykt/CVE-2011-2523](https://github.com/Gr4ykt/CVE-2011-2523)

- [https://github.com/0xSojalSec/CVE-2011-2523](https://github.com/0xSojalSec/CVE-2011-2523)

- [https://github.com/madanokr001/CVE-2011-2523](https://github.com/madanokr001/CVE-2011-2523)

- [https://github.com/vaishnavucv/CVE-2011-2523](https://github.com/vaishnavucv/CVE-2011-2523)

- [https://github.com/sug4r-wr41th/CVE-2011-2523](https://github.com/sug4r-wr41th/CVE-2011-2523)

- [https://github.com/XiangSi-Howard/CTF---CVE-2011-2523](https://github.com/XiangSi-Howard/CTF---CVE-2011-2523)

- [https://github.com/Tenor-Z/SmileySploit](https://github.com/Tenor-Z/SmileySploit)

- [https://github.com/Shubham-2k1/Exploit-CVE-2011-2523](https://github.com/Shubham-2k1/Exploit-CVE-2011-2523)

- [https://github.com/AnugiArrawwala/CVE-Research](https://github.com/AnugiArrawwala/CVE-Research)

- [https://github.com/Lychi3/vsftpd-backdoor](https://github.com/Lychi3/vsftpd-backdoor)

- [https://github.com/davidlares/vsftpd-exploitation](https://github.com/davidlares/vsftpd-exploitation)

- [https://github.com/HerculesRD/vsftpd2.3.4PyExploit](https://github.com/HerculesRD/vsftpd2.3.4PyExploit)

- [https://github.com/vedpakhare/vsftpd-234-vuln-report](https://github.com/vedpakhare/vsftpd-234-vuln-report)

- [https://github.com/JohanMV/explotacion-vsftpd-nmap_Laboratorio_1](https://github.com/JohanMV/explotacion-vsftpd-nmap_Laboratorio_1)

- [https://github.com/Daniel1234mata/vsftpd-backdoor-exploit](https://github.com/Daniel1234mata/vsftpd-backdoor-exploit)

## CVE-2011-2461
Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

- [https://github.com/ikkisoft/ParrotNG](https://github.com/ikkisoft/ParrotNG)

- [https://github.com/edmondscommerce/CVE-2011-2461_Magento_Patch](https://github.com/edmondscommerce/CVE-2011-2461_Magento_Patch)

- [https://github.com/u-maxx/magento-swf-patched-CVE-2011-2461](https://github.com/u-maxx/magento-swf-patched-CVE-2011-2461)

## CVE-2011-1974
NDISTAPI.sys in the NDISTAPI driver in Remote Access Service (RAS) in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "NDISTAPI Elevation of Privilege Vulnerability."

- [https://github.com/hittlle/CVE-2011-1974-PoC](https://github.com/hittlle/CVE-2011-1974-PoC)

## CVE-2011-1720
The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.

- [https://github.com/nbeguier/postfix_exploit](https://github.com/nbeguier/postfix_exploit)

## CVE-2011-1575
The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

- [https://github.com/masamoon/cve-2011-1575-poc](https://github.com/masamoon/cve-2011-1575-poc)

## CVE-2011-1571
Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.

- [https://github.com/noobpk/CVE-2011-1571](https://github.com/noobpk/CVE-2011-1571)

## CVE-2011-1485
Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.

- [https://github.com/Pashkela/CVE-2011-1485](https://github.com/Pashkela/CVE-2011-1485)

## CVE-2011-1475
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

- [https://github.com/samaujs/CVE-2011-1475](https://github.com/samaujs/CVE-2011-1475)

## CVE-2011-1473
OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment

- [https://github.com/XDLDCG/bash-tls-reneg-attack](https://github.com/XDLDCG/bash-tls-reneg-attack)

- [https://github.com/zjt674449039/cve-2011-1473](https://github.com/zjt674449039/cve-2011-1473)

## CVE-2011-1249
The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

- [https://github.com/h3x0v3rl0rd/CVE-2011-1249](https://github.com/h3x0v3rl0rd/CVE-2011-1249)

- [https://github.com/Madusanka99/OHTS](https://github.com/Madusanka99/OHTS)

## CVE-2011-1237
Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability."

- [https://github.com/BrunoPujos/CVE-2011-1237](https://github.com/BrunoPujos/CVE-2011-1237)

## CVE-2011-0762
The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3 allows remote authenticated users to cause a denial of service (CPU consumption and process slot exhaustion) via crafted glob expressions in STAT commands in multiple FTP sessions, a different vulnerability than CVE-2010-2632.

- [https://github.com/s3mPr1linux/CVE-2011-0762](https://github.com/s3mPr1linux/CVE-2011-0762)

## CVE-2011-0228
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.

- [https://github.com/jan0/isslfix](https://github.com/jan0/isslfix)

- [https://github.com/amil-ptl-test/ptl_cve_2011_0228](https://github.com/amil-ptl-test/ptl_cve_2011_0228)

## CVE-2011-0104
Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability."

- [https://github.com/Sunqiz/CVE-2011-0104-reproduction](https://github.com/Sunqiz/CVE-2011-0104-reproduction)

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 ycdxsb

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------